restructure slice & change instantiation to link (#169)

cedar-policy · Jul 2, 2024 · 59fb8ef · 59fb8ef
1 parent 4aa1097
commit 59fb8ef
Show file tree

Hide file tree

Showing 30 changed files with 156 additions and 109 deletions.
diff --git a/CedarJava/build.gradle b/CedarJava/build.gradle
@@ -76,7 +76,7 @@ configurations {
 }
 
 dependencies {
-    // Do not upgrade to Jackson 3.x without addressing stack overflow issues in ValueCedarDeserializer
+    // Do not upgrade to Jackson 3.x without addressing stack overflow issues in ValueDeserializer
     // The upgrade should be reviewed by AppSec
     implementation 'com.fasterxml.jackson.core:jackson-databind:2.17.1'
     implementation 'com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.17.1'

diff --git a/CedarJava/src/main/java/com/cedarpolicy/AuthorizationEngine.java b/CedarJava/src/main/java/com/cedarpolicy/AuthorizationEngine.java
@@ -19,8 +19,8 @@
 import com.cedarpolicy.model.*;
 import com.cedarpolicy.model.exception.AuthException;
 import com.cedarpolicy.model.exception.BadRequestException;
-import com.cedarpolicy.model.slice.Entity;
-import com.cedarpolicy.model.slice.PolicySet;
+import com.cedarpolicy.model.entity.Entity;
+import com.cedarpolicy.model.policy.PolicySet;
 
 import java.util.Set;
 

diff --git a/CedarJava/src/main/java/com/cedarpolicy/BasicAuthorizationEngine.java b/CedarJava/src/main/java/com/cedarpolicy/BasicAuthorizationEngine.java
@@ -27,8 +27,8 @@
 import com.cedarpolicy.model.exception.InternalException;
 import com.cedarpolicy.model.exception.MissingExperimentalFeatureException;
 import com.cedarpolicy.model.slice.BasicSlice;
-import com.cedarpolicy.model.slice.Entity;
-import com.cedarpolicy.model.slice.PolicySet;
+import com.cedarpolicy.model.entity.Entity;
+import com.cedarpolicy.model.policy.PolicySet;
 import com.cedarpolicy.model.slice.Slice;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
@@ -113,7 +113,7 @@ private static class AuthorizationRequest extends com.cedarpolicy.model.Authoriz
                     request.context,
                     request.schema,
                     request.enableRequestValidation);
-            this.slice = new BasicSlice(policySet.policies, entities, policySet.templates, policySet.templateInstantiations);
+            this.slice = new BasicSlice(policySet.policies, entities, policySet.templates, policySet.templateLinks);
         }
     }
 
@@ -124,7 +124,7 @@ private static final class PartialAuthorizationRequest {
 
         PartialAuthorizationRequest(com.cedarpolicy.model.PartialAuthorizationRequest request, PolicySet policySet, Set<Entity> entities) {
             this.request = request;
-            this.slice = new BasicSlice(policySet.policies, entities, policySet.templates, policySet.templateInstantiations);
+            this.slice = new BasicSlice(policySet.policies, entities, policySet.templates, policySet.templateLinks);
         }
     }
 

diff --git a/CedarJava/src/main/java/com/cedarpolicy/CedarJson.java b/CedarJava/src/main/java/com/cedarpolicy/CedarJson.java
@@ -17,8 +17,9 @@
 package com.cedarpolicy;
 
 import com.cedarpolicy.model.slice.Slice;
-import com.cedarpolicy.serializer.ValueCedarDeserializer;
-import com.cedarpolicy.serializer.ValueCedarSerializer;
+import com.cedarpolicy.serializer.SliceSerializer;
+import com.cedarpolicy.serializer.ValueDeserializer;
+import com.cedarpolicy.serializer.ValueSerializer;
 import com.cedarpolicy.value.Value;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.ObjectReader;
@@ -49,9 +50,9 @@ private static ObjectMapper createObjectMapper() {
         final ObjectMapper mapper = new ObjectMapper();
 
         final SimpleModule module = new SimpleModule();
-        module.addSerializer(Slice.class, new SliceJsonSerializer());
-        module.addSerializer(Value.class, new ValueCedarSerializer());
-        module.addDeserializer(Value.class, new ValueCedarDeserializer());
+        module.addSerializer(Slice.class, new SliceSerializer());
+        module.addSerializer(Value.class, new ValueSerializer());
+        module.addDeserializer(Value.class, new ValueDeserializer());
         mapper.registerModule(module);
         mapper.registerModule(new Jdk8Module());
 

diff --git a/CedarJava/src/main/java/com/cedarpolicy/model/AuthorizationRequest.java b/CedarJava/src/main/java/com/cedarpolicy/model/AuthorizationRequest.java
@@ -17,7 +17,7 @@
 package com.cedarpolicy.model;
 
 import com.cedarpolicy.model.schema.Schema;
-import com.cedarpolicy.model.slice.Entity;
+import com.cedarpolicy.model.entity.Entity;
 import com.cedarpolicy.value.EntityUID;
 import com.cedarpolicy.value.Value;
 import com.fasterxml.jackson.annotation.JsonProperty;

diff --git a/CedarJava/src/main/java/com/cedarpolicy/model/ValidationRequest.java b/CedarJava/src/main/java/com/cedarpolicy/model/ValidationRequest.java
@@ -17,7 +17,7 @@
 package com.cedarpolicy.model;
 
 import com.cedarpolicy.model.schema.Schema;
-import com.cedarpolicy.model.slice.Policy;
+import com.cedarpolicy.model.policy.Policy;
 import com.fasterxml.jackson.annotation.JsonProperty;
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;

diff --git a/...a/com/cedarpolicy/model/slice/Entity.java → .../com/cedarpolicy/model/entity/Entity.java b/...a/com/cedarpolicy/model/slice/Entity.java → .../com/cedarpolicy/model/entity/Entity.java
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package com.cedarpolicy.model.slice;
+package com.cedarpolicy.model.entity;
 
 import com.cedarpolicy.value.EntityUID;
 import com.cedarpolicy.value.Value;

diff --git a/CedarJava/src/main/java/com/cedarpolicy/model/entity/package-info.java b/CedarJava/src/main/java/com/cedarpolicy/model/entity/package-info.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2022-2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * This module represents entities passed into Cedar
+ */
+package com.cedarpolicy.model.entity;
diff --git a/...ava/src/main/java/com/cedarpolicy/model/exception/InvalidValueSerializationException.java b/...ava/src/main/java/com/cedarpolicy/model/exception/InvalidValueSerializationException.java
@@ -17,7 +17,7 @@
 package com.cedarpolicy.model.exception;
 
 /** Error deserializing a value. This will be thrown if you extend the value class and don't
- * handle the new Value type in `ValueCedarSerializer.java` */
+ * handle the new Value type in `ValueSerializer.java` */
 public class InvalidValueSerializationException extends RuntimeException {
     /**
      * Construct InvalidValueSerializationException.

diff --git a/...arpolicy/model/slice/EntityTypeAndId.java → ...rpolicy/model/policy/EntityTypeAndId.java b/...arpolicy/model/slice/EntityTypeAndId.java → ...rpolicy/model/policy/EntityTypeAndId.java
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package com.cedarpolicy.model.slice;
+package com.cedarpolicy.model.policy;
 
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;

diff --git a/...edarpolicy/model/slice/Instantiation.java → ...m/cedarpolicy/model/policy/LinkValue.java b/...edarpolicy/model/slice/Instantiation.java → ...m/cedarpolicy/model/policy/LinkValue.java
@@ -14,24 +14,24 @@
  * limitations under the License.
  */
 
-package com.cedarpolicy.model.slice;
+package com.cedarpolicy.model.policy;
 
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
 
-/** Instantiation for policy template. */
-public class Instantiation {
+/** Link for policy template. */
+public class LinkValue {
     private final String slot;
     private final EntityTypeAndId value;
 
     /**
-     * Instantiation for policy template.
+     * Link for policy template.
      *
      * @param slot the slot in the template.
      * @param value the value to put in the slot
      */
     @JsonCreator
-    public Instantiation(
+    public LinkValue(
             @JsonProperty("slot") String slot, @JsonProperty("value") EntityTypeAndId value) {
         this.slot = slot;
         this.value = value;

diff --git a/...a/com/cedarpolicy/model/slice/Policy.java → .../com/cedarpolicy/model/policy/Policy.java b/...a/com/cedarpolicy/model/slice/Policy.java → .../com/cedarpolicy/model/policy/Policy.java
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package com.cedarpolicy.model.slice;
+package com.cedarpolicy.model.policy;
 
 import com.cedarpolicy.loader.LibraryLoader;
 import com.cedarpolicy.model.exception.InternalException;
@@ -76,10 +76,10 @@ public static Policy parsePolicyTemplate(String templateStr)  throws InternalExc
     }
 
     /**
-     * This method takes in a Policy and a list of Instantiations and calls Cedar JNI to ensure those slots
-     * can be used to instantiate the template. If the Template is validated ahead of time by using Policy.parsePolicyTemplate
-     * and the Instantiations are also ensured to be valid (for example, by validating their parts using EntityTypeName.parse
-     * and EntityIdentifier.parse), then this should only fail because the slots in the template don't match the instantiations
+     * This method takes in a template and a list of link values and calls Cedar JNI to ensure those slots
+     * can be used to link the template. If the template is validated ahead of time by using Policy.parsePolicyTemplate
+     * and the link values are also ensured to be valid (for example, by validating their parts using EntityTypeName.parse
+     * and EntityIdentifier.parse), then this should only fail because the slots in the template don't match the link values
      * (barring JNI failures).
      * @param p Policy object constructed from a valid template. Best if built from Policy.parsePolicyTemplate
      * @param principal EntityUid to put into the principal slot. Leave null if there's no principal slot

diff --git a/...om/cedarpolicy/model/slice/PolicySet.java → ...m/cedarpolicy/model/policy/PolicySet.java b/...om/cedarpolicy/model/slice/PolicySet.java → ...m/cedarpolicy/model/policy/PolicySet.java
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package com.cedarpolicy.model.slice;
+package com.cedarpolicy.model.policy;
 
 import com.cedarpolicy.loader.LibraryLoader;
 
@@ -28,43 +28,43 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 
-/** Policy Set containing policies in the Cedar language. */
+/** Policy set containing policies in the Cedar language. */
 public class PolicySet {
     static {
         LibraryLoader.loadLibrary();
     }
 
-    /** Policy set. */
+    /** Static policies */
     public Set<Policy> policies;
 
-    /** Template Instantiations. */
-    public List<TemplateInstantiation> templateInstantiations;
+    /** Template-linked policies */
+    public List<TemplateLink> templateLinks;
 
-    /** Templates. */
+    /** Policy templates */
     public Set<Policy> templates;
 
     public PolicySet() {
         this.policies = Collections.emptySet();
         this.templates = Collections.emptySet();
-        this.templateInstantiations = Collections.emptyList();
+        this.templateLinks = Collections.emptyList();
     }
 
     public PolicySet(Set<Policy> policies) {
         this.policies = policies;
         this.templates = Collections.emptySet();
-        this.templateInstantiations = Collections.emptyList();
+        this.templateLinks = Collections.emptyList();
     }
 
     public PolicySet(Set<Policy> policies, Set<Policy> templates) {
         this.policies = policies;
         this.templates = templates;
-        this.templateInstantiations = Collections.emptyList();
+        this.templateLinks = Collections.emptyList();
     }
 
-    public PolicySet(Set<Policy> policies, Set<Policy> templates, List<TemplateInstantiation> templateInstantiations) {
+    public PolicySet(Set<Policy> policies, Set<Policy> templates, List<TemplateLink> templateLinks) {
         this.policies = policies;
         this.templates = templates;
-        this.templateInstantiations = templateInstantiations;
+        this.templateLinks = templateLinks;
     }
 
     /**

diff --git a/...cy/model/slice/TemplateInstantiation.java → ...edarpolicy/model/policy/TemplateLink.java b/...cy/model/slice/TemplateInstantiation.java → ...edarpolicy/model/policy/TemplateLink.java
@@ -14,39 +14,40 @@
  * limitations under the License.
  */
 
-package com.cedarpolicy.model.slice;
+package com.cedarpolicy.model.policy;
 
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.util.List;
 import com.google.common.collect.ImmutableList;
 
-/** Template instantiation. */
-public class TemplateInstantiation {
+/** Template-linked policy. */
+public class TemplateLink {
 
     @JsonProperty("templateId")
     private final String templateId;
 
     @JsonProperty("resultPolicyId")
     private final String resultPolicyId;
 
-    private final List<Instantiation> instantiations;
+    @JsonProperty("instantiations")
+    private final List<LinkValue> linkValues;
 
     /**
-     * Template Instantiation.
+     * Template-linked policy.
      *
      * @param templateId the template ID.
      * @param resultPolicyId the id of the resulting policy.
-     * @param instantiations the instantiations.
+     * @param linkValues the link values.
      */
     @JsonCreator
-    public TemplateInstantiation(
+    public TemplateLink(
             @JsonProperty("templateId") String templateId,
             @JsonProperty("resultPolicyId") String resultPolicyId,
-            @JsonProperty("instantiations") List<Instantiation> instantiations) {
+            @JsonProperty("instantiations") List<LinkValue> linkValues) {
         this.templateId = templateId;
         this.resultPolicyId = resultPolicyId;
-        this.instantiations = ImmutableList.copyOf(instantiations);
+        this.linkValues = ImmutableList.copyOf(linkValues);
     }
 
     /** Get the template ID. */
@@ -59,8 +60,8 @@ public String getResultPolicyId() {
         return resultPolicyId;
     }
 
-    /** Get the instantiations to fill the slots. */
-    public List<Instantiation> getInstantiations() {
-        return instantiations;
+    /** Get the link values, which map slots to EUIDs. */
+    public List<LinkValue> getLinkValues() {
+        return linkValues;
     }
 }
diff --git a/CedarJava/src/main/java/com/cedarpolicy/model/policy/package-info.java b/CedarJava/src/main/java/com/cedarpolicy/model/policy/package-info.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2022-2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * This module represents policies passed into Cedar
+ */
+package com.cedarpolicy.model.policy;
diff --git a/CedarJava/src/main/java/com/cedarpolicy/model/slice/BasicSlice.java b/CedarJava/src/main/java/com/cedarpolicy/model/slice/BasicSlice.java
@@ -16,6 +16,9 @@
 
 package com.cedarpolicy.model.slice;
 
+import com.cedarpolicy.model.entity.Entity;
+import com.cedarpolicy.model.policy.Policy;
+import com.cedarpolicy.model.policy.TemplateLink;
 import com.cedarpolicy.value.Value;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
@@ -38,22 +41,22 @@ public class BasicSlice implements Slice {
     private final Map<String, String> templatePolicies;
 
     @JsonProperty("templateInstantiations")
-    private final List<TemplateInstantiation> templateInstantiations;
+    private final List<TemplateLink> templateLinks;
 
     /**
      * Construct a Slice from Entity and Policy objects.
      *
      * @param policies Set of policies.
      * @param entities Set of entities.
      * @param templates Set of policy templates.
-     * @param templateInstantiations List of TemplateInstantiations.
+     * @param templateLinks List of templateLinks.
      */
     @SuppressFBWarnings
     public BasicSlice(
             Set<Policy> policies,
             Set<Entity> entities,
             Set<Policy> templates,
-            List<TemplateInstantiation> templateInstantiations) {
+            List<TemplateLink> templateLinks) {
         // Copy of previous constructor. We can't call the previous constructor because fields are
         // final
         this.policies = new HashMap<>();
@@ -76,7 +79,7 @@ public BasicSlice(
 
         this.templatePolicies =
                 templates.stream().collect(Collectors.toMap(p -> p.policyID, p -> p.policySrc));
-        this.templateInstantiations = new ArrayList<TemplateInstantiation>(templateInstantiations);
+        this.templateLinks = new ArrayList<TemplateLink>(templateLinks);
     }
 
 
@@ -125,8 +128,8 @@ public Map<String, String> getTemplates() {
 
     @Override
     @SuppressFBWarnings
-    public List<TemplateInstantiation> getTemplateInstantiations() {
-        return templateInstantiations;
+    public List<TemplateLink> getTemplateLinks() {
+        return templateLinks;
     }
 
     @Override