- Added an option to eagerly evaluate entity attributes and re-use across calls to
is_authorized - Adds APIs to
Entitiesto make it easy to add a collection of entities to an existingEntitiesstructure - Export the
cedar_policy_core::evaluator::{EvaluationError, EvaluationErrorKind}andcedar_policy_core::authorizer::AuthorizationErrorerror types. - Added an API to
ParseErrorto quickly get the primary source span - Added an API,
unknown_entities, toPolicySetto collect unknown entity UIDs fromPartialResponse. - Added APIs
remove,remove_templateandunlinkto remove policies from thePolicySet - Added API
get_linked_policiesto get the policies linked to aTemplate
- Renamed
cedar_policy_core::est::EstToAstErrortocedar_policy_core::est::FromJsonError - Renamed
cedar_policy_core::entities::JsonDeserializationError::ExtensionsErrortocedar_policy_core::entities::JsonDeserializationError::FailedExtensionsFunctionLookup. - Renamed variants in
cedar_policy::SchemaError - The
Diagnostics::errors()function now returns an iterator overAuthorizationErrors. - The
Response::new()constructor now expects aVec<AuthorizationError>as its third argument. - Implements RFC #19, making validation slightly more strict, but more explainable.
- Improved formatting for error messages.
- Changed the semantics of equality for IP ranges. For example,
ip("192.168.0.1/24") == ip("192.168.0.3/24")was previouslytrueand is nowfalse. The behavior of equality on single IP addresses is unchanged, and so is the behavior of.isInRange(). - Standardized on duplicates being errors instead of last-write-wins in the following APIs:
- Policy set JSONs
- Template set JSONs
- Template instantiation records
- Entity slice JSONs
- Context JSONs
<EntityId as FromStr>::Erroris nowInfallibleinstead ofParseErrors- Fixed bug (#370) related to how the validator handles template-linked policies
- New experimental API to construct queries with
Unknownfields for partial evaluation.
- Improved validation error messages for access to undeclared attributes and unsafe access to optional attributes to report the target of the access (fix #175).
EntityUid's impl ofFromStris no longer marked as deprecated.- Fixed #299, condition of
ifnot being partial evaluated. - Update the behavior of
Request::principal(),Request::action(), andRequest::resource()to returnNoneif the entities are unspecified (i.e., constructed by passingNonetoRequest::new()).
- New methods exported for
EntityTypeName.basenameto get the basename (without namespaces).namespace_componentsto get the namespace as an iterator over its components.namespaceto get the namespace as a single string.
- Some error types now carry more information about the error, with error
messages updated appropriately. For instance, added list of attributes that do
exist to the
RecordAttrDoesNotExisterror message. - Improved error messages for some schema type parsing errors.
- When an entity type shape or action context is declared with type other than
Record, the error message will indicated the affected entity type or action.
- When an entity type shape or action context is declared with type other than
- Improved a variety of other error messages
- Increased precision for validating records. Previously,
permit(principal, action, resource) when {{"foo": 5} has bar};would validate. Now it will not, since we know{"foo": 5} has barisFalse, and the validator will return an error for a policy that can never fire. - Removed deprecated
__exprescapes from integration tests.
- Re-export
cedar_policy_core::entities::EntitiesError. - Fixed bug (#150) around implicit namespaces for actions in
memberOflists in schemas. An action without an explicit namespace in amemberOfnow correctly uses the default namespace.
- Improved error messages and documentation for some errors raised during policy parsing, validation, and evaluation.
- More precise "expected tokens" lists in some parse errors.
- Move public API for partial evaluation behind experimental feature flag. To
continue using this feature you must enable the
partial-evalfeature flag.
- Improved error detection in schema based parsing (fix issues #73, #74).
- Detect entities with parents of an incorrect entity type.
- Detect entities with an undeclared entity type.
- Slightly improved error text on some validation type errors
- Improved error messages for some schema type parsing errors
- Parsing a schema type without the
"type"field will generate an error stating that"type"is a required field instead of an inscrutable error complaining about the untagged enumSchemaType. - Parsing a schema type with a
"type"field corresponding to one of the builtin types but missing a required field for that type will generate an error stating that a required field is missing instead of claiming that it could not find "common types" definition for that builtin type.
- Parsing a schema type without the
- Fix a panic in
PolicySet::link()that could occur when the function was called with a policy id corresponding to a static policy.
- Implementation of
RFC 9
which disallows embedded whitespace, comments, and control characters in the
inputs to several Rust API functions including
EntityTypeName::from_str()andEntityNamespace::from_str(), as well as in some fields of the Cedar JSON schema format (e.g., namespace declarations, entity type names), Cedar JSON entities format (e.g., entity type names, extension function names) and the Cedar JSON policy format used byPolicy::from_json()(e.g., entity type names, extension function names). The risk that this may be a breaking change for some Cedar users was accepted due to the potential security ramifications; see discussion in the RFC.
Entities::write_to_jsonfunction to api.rs
Schema::action_entitiesto provide access to action entities defined in a schema.
- Update
cedar-policy-coredependency.
- Resolve warning in
Cargo.tomldue to having bothlicenseandlicense-filemetadata entries.
- Update
Cargo.tomlmetadata to correctly represent this crate as Apache-2.0 licensed.
Initial release of cedar-policy.