cedar-policy / cedar

Implementation of the Cedar Policy Language
https://www.cedarpolicy.com
Apache License 2.0

CLI translate-schema in "json-to-cedar" direction fails if resourceTypes is omitted from action's appliesTo #1163

Closed adamrothman closed 3 weeks ago

adamrothman commented 3 weeks ago

Bug Category

Schemas and Validation

Describe the bug

The CLI's translate-schema --direction json-to-cedar command fails when the supplied JSON schema defines actions without resourceTypes in their appliesTo object (i.e. actions that apply to unspecified resources):

$ cargo run -- translate-schema --schema ~/src/slauthz/pde/slauth.cedarschema.json --direction json-to-cedar
warning: /Users/adam.rothman/src/cedar/cedar-policy-core/Cargo.toml: unused manifest key: lints.rust.unexpected_cfgs.check-cfg
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.10s
     Running `/Users/adam.rothman/src/cedar/target/debug/cedar translate-schema --schema /Users/adam.rothman/src/slauthz/pde/slauth.cedarschema.json --direction json-to-cedar`
  × missing field `resourceTypes` at line 63 column 17

Expected behavior

The JSON schema format documentation explicitly describes resourceTypes as optional:

If the principalTypes component is omitted from the appliesTo element, then an authorization request with this action must have an unspecified principal entity. The same is true for resourceTypes, for a request’s resource component. If the appliesTo component is omitted entirely, it’s the same as if it were present with both principalTypes and resourceTypes components omitted (i.e., a request must have both unspecified principal and resource entities).

translate-schema should successfully translate a JSON schema where any of principalTypes, resourceTypes, or even the entire appliesTo element is omitted from one or more actions.

Reproduction steps

  1. Clone https://github.com/cedar-policy/cedar at latest master (39ec5f4b7c457469782490daf708bb839550bc13 at time of report)
  2. Download this JSON format schema: slauth.cedarschema.json
  3. In the cedar-policy-cli directory, run cargo run -- translate-schema --schema ~/Downloads/slauth.cedarschema.json --direction json-to-cedar
  4. Error

Code Snippet

No response

Log output

No response

Additional configuration

No response

Operating System

macOS Sonoma 14.6.1

Additional information and screenshots

No response

cdisselkoen commented 3 weeks ago

Latest main Cedar includes the implementation of RFC 55, which removes support for unspecified entities; see discussion there. As a result, this is intended behavior.

khieta commented 3 weeks ago

The doc updates aren't released yet since the changes aren't released on crates.io (currently this behavior is only on main). The doc updates are in this PR though if you're curious: https://github.com/cedar-policy/cedar-docs/pull/113

adamrothman commented 3 weeks ago

Ah, OK! Thanks – I'll update our schema accordingly.

cdisselkoen commented 3 weeks ago

RFC 55 will not be released on 3.x as it is a breaking change. So, if you are designing something to work for Cedar 3, it is correct to have resourceTypes as optional, and you can use the Cedar 3.2 or 3.3 CLI to convert those schemas to JSON.

cdisselkoen commented 3 weeks ago

cargo install cedar-policy-cli@3.3.0
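A pre-flight check for the situation in this thread, added here as an example that is neither Cedar's own code nor the reporter's schema: it walks a JSON-format schema, lists every action whose appliesTo omits principalTypes or resourceTypes (or omits appliesTo entirely, which the 3.x docs quoted above treat as both omitted), and optionally produces a copy in which each missing slot names a concrete entity type, since that is what a schema needs before main's translate-schema (post-RFC 55) will accept it. The sample schema and the "Application" placeholder type are this example's own constructions; in a real migration you would pick the entity type that actually models the caller or target.

```python
import copy
import json

# Constructed sample JSON-format schema (not the reporter's slauth.cedarschema.json).
# "viewPhoto" names both slots, "listAlbums" omits resourceTypes, and "ping"
# omits appliesTo altogether, i.e. it relies on unspecified principal and resource.
SAMPLE_SCHEMA = json.loads(r'''
{
  "PhotoApp": {
    "entityTypes": {
      "User":  {"shape": {"type": "Record", "attributes": {}}},
      "Photo": {"shape": {"type": "Record", "attributes": {}}}
    },
    "actions": {
      "viewPhoto":  {"appliesTo": {"principalTypes": ["User"], "resourceTypes": ["Photo"]}},
      "listAlbums": {"appliesTo": {"principalTypes": ["User"]}},
      "ping":       {}
    }
  }
}
''')

SLOTS = ("principalTypes", "resourceTypes")


def find_unspecified_actions(schema):
    """List (namespace, action, missing_slots) for every action whose appliesTo
    omits principalTypes and/or resourceTypes, or omits appliesTo entirely.
    These are exactly the actions main's json-to-cedar translation rejects."""
    findings = []
    for namespace, body in schema.items():
        for name, action in body.get("actions", {}).items():
            applies_to = action.get("appliesTo")
            if applies_to is None:
                findings.append((namespace, name, list(SLOTS)))
                continue
            missing = [slot for slot in SLOTS if slot not in applies_to]
            if missing:
                findings.append((namespace, name, missing))
    return findings


def fill_unspecified(schema, placeholder="Application"):
    """Return a copy of the schema in which every missing slot is filled with a
    placeholder entity type declared in the same namespace. The placeholder
    name is this example's own assumption, not a Cedar convention; substitute
    the entity type that models the caller (principals) or target (resources)."""
    fixed = copy.deepcopy(schema)
    for namespace, name, missing in find_unspecified_actions(schema):
        body = fixed[namespace]
        body.setdefault("entityTypes", {}).setdefault(
            placeholder, {"shape": {"type": "Record", "attributes": {}}})
        applies_to = body["actions"][name].setdefault("appliesTo", {})
        for slot in missing:
            applies_to[slot] = [placeholder]
    return fixed


if __name__ == "__main__":
    for namespace, name, missing in find_unspecified_actions(SAMPLE_SCHEMA):
        print(f'{namespace}::Action::"{name}" omits {", ".join(missing)}')
    print(json.dumps(fill_unspecified(SAMPLE_SCHEMA), indent=2))
```

Run the report before invoking translate-schema on a main build; an empty report means the schema no longer depends on unspecified entities. The fill step is a deliberately blunt migration aid: it keeps the schema loadable, but the placeholder type should be replaced with the real entity type before the schema is used for validation.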