Overview ¶
Package ast provides functions for programmatically constructing a Cedar policy AST.
Programmatically generated policies are germinated by calling one of the top-level builder functions — Permit(), Forbid(), or Annotation() — as shown in the examples below.
Example ¶
This example shows a basic programmatic AST construction via the Permit() builder:
package main
import (
"fmt"
"github.com/cedar-policy/cedar-go/ast"
"github.com/cedar-policy/cedar-go/types"
)
func main() {
	// Entity references used in the policy scope and conditions.
	johnny := types.NewEntityUID("FolkHeroes", "johnnyChapman")
	sow := types.NewEntityUID("Action", "sow")
	cast := types.NewEntityUID("Action", "cast")
	midwest := types.NewEntityUID("Locations::USA::Regions", "midwest")

	// Scope: which principal may perform which actions on which kind of resource.
	scope := ast.Permit().
		PrincipalEq(johnny).
		ActionInSet(sow, cast).
		ResourceIs("Crops::Apple")

	// Conditions: a when clause narrows the scope, an unless clause carves out an exception.
	inMidwest := ast.Context().Access("location").In(ast.Value(midwest))
	isWinter := ast.Context().Access("season").Equal(ast.String("winter"))
	policy := scope.When(inMidwest).Unless(isWinter)

	fmt.Printf("%s\n", policy.MarshalCedar())
}
Output: permit ( principal == FolkHeroes::"johnnyChapman", action in [Action::"sow", Action::"cast"], resource is Crops::Apple ) when { context.location in Locations::USA::Regions::"midwest" } unless { context.season == "winter" };
Example (Annotation) ¶
To programmatically create policies with annotations, use the Annotation() builder:
package main
import (
"fmt"
"github.com/cedar-policy/cedar-go/ast"
)
func main() {
	// Annotations are attached first; the effect (here forbid) closes the builder chain
	// and yields the *Policy that is marshalled.
	annotated := ast.Annotation("example1", "value").Annotation("example2", "")
	policy := annotated.Forbid()
	fmt.Printf("%s\n", policy.MarshalCedar())
}
Output: @example1("value") @example2("") forbid ( principal, action, resource );
Example (ExplicitExtensionCall) ¶
Extension functions can be explicitly called by using the appropriate builder with the ExtensionCall suffix. This example demonstrates the use of DecimalExtensionCall():
package main
import (
"fmt"
"github.com/cedar-policy/cedar-go/ast"
)
func main() {
	// The threshold is built as an explicit decimal("3.1415") extension call so that the
	// comparison is the decimal .greaterThan() operator rather than a plain long comparison.
	threshold := ast.DecimalExtensionCall(ast.String("3.1415"))
	condition := ast.Resource().Access("angleRadians").DecimalGreaterThan(threshold)
	policy := ast.Forbid().When(condition)
	fmt.Printf("%s\n", policy.MarshalCedar())
}
Output: forbid ( principal, action, resource ) when { resource.angleRadians.greaterThan(decimal("3.1415")) };
Example (Precedence) ¶
This example shows how precedence can be expressed using the AST builder syntax:
package main
import (
"fmt"
"github.com/cedar-policy/cedar-go/ast"
)
func main() {
	// Builder calls chain left to right: .Add() is applied first, so the (1 + 5) node becomes the
	// receiver of .Multiply(). The marshalled text carries explicit parentheses to keep that grouping.
	sum := ast.Long(1).Add(ast.Long(5))
	product := sum.Multiply(ast.Long(10))
	policy := ast.Permit().When(product.Equal(ast.Long(60)))
	fmt.Printf("%s\n", policy.MarshalCedar())
}
Output: permit ( principal, action, resource ) when { (1 + 5) * 10 == 60 };
Index ¶
- type Annotations
- type Node
- func Action() Node
- func Boolean[T ~bool](b T) Node
- func Context() Node
- func Datetime(t time.Time) Node
- func DatetimeExtensionCall(rhs Node) Node
- func DecimalExtensionCall(rhs Node) Node
- func Duration(d time.Duration) Node
- func DurationExtensionCall(rhs Node) Node
- func EntityUID(typ types.Ident, id types.String) Node
- func False() Node
- func IPAddr[T netip.Prefix | types.IPAddr](i T) Node
- func IPExtensionCall(rhs Node) Node
- func IfThenElse(condition Node, thenNode Node, elseNode Node) Node
- func Long[T ~int | ~int64](l T) Node
- func Negate(rhs Node) Node
- func Not(rhs Node) Node
- func Principal() Node
- func Record(elements Pairs) Node
- func Resource() Node
- func Set(nodes ...Node) Node
- func String[T ~string](s T) Node
- func True() Node
- func Value(v types.Value) Node
- func (lhs Node) Access(attr types.String) Node
- func (lhs Node) Add(rhs Node) Node
- func (lhs Node) And(rhs Node) Node
- func (lhs Node) Contains(rhs Node) Node
- func (lhs Node) ContainsAll(rhs Node) Node
- func (lhs Node) ContainsAny(rhs Node) Node
- func (lhs Node) DecimalGreaterThan(rhs Node) Node
- func (lhs Node) DecimalGreaterThanOrEqual(rhs Node) Node
- func (lhs Node) DecimalLessThan(rhs Node) Node
- func (lhs Node) DecimalLessThanOrEqual(rhs Node) Node
- func (lhs Node) DurationSince(rhs Node) Node
- func (lhs Node) Equal(rhs Node) Node
- func (lhs Node) GetTag(rhs Node) Node
- func (lhs Node) GreaterThan(rhs Node) Node
- func (lhs Node) GreaterThanOrEqual(rhs Node) Node
- func (lhs Node) Has(attr types.String) Node
- func (lhs Node) HasTag(rhs Node) Node
- func (lhs Node) In(rhs Node) Node
- func (lhs Node) Is(entityType types.EntityType) Node
- func (lhs Node) IsEmpty() Node
- func (lhs Node) IsIn(entityType types.EntityType, rhs Node) Node
- func (lhs Node) IsInRange(rhs Node) Node
- func (lhs Node) IsIpv4() Node
- func (lhs Node) IsIpv6() Node
- func (lhs Node) IsLoopback() Node
- func (lhs Node) IsMulticast() Node
- func (lhs Node) LessThan(rhs Node) Node
- func (lhs Node) LessThanOrEqual(rhs Node) Node
- func (lhs Node) Like(pattern types.Pattern) Node
- func (lhs Node) Multiply(rhs Node) Node
- func (lhs Node) NotEqual(rhs Node) Node
- func (lhs Node) Offset(rhs Node) Node
- func (lhs Node) Or(rhs Node) Node
- func (lhs Node) Subtract(rhs Node) Node
- func (lhs Node) ToDate() Node
- func (lhs Node) ToDays() Node
- func (lhs Node) ToHours() Node
- func (lhs Node) ToMilliseconds() Node
- func (lhs Node) ToMinutes() Node
- func (lhs Node) ToSeconds() Node
- func (lhs Node) ToTime() Node
- type Pair
- type Pairs
- type Policy
- func (p *Policy) ActionEq(entity types.EntityUID) *Policy
- func (p *Policy) ActionIn(entity types.EntityUID) *Policy
- func (p *Policy) ActionInSet(entities ...types.EntityUID) *Policy
- func (p *Policy) Annotate(key types.Ident, value types.String) *Policy
- func (p *Policy) MarshalCedar() []byte
- func (p *Policy) MarshalJSON() ([]byte, error)
- func (p *Policy) PrincipalEq(entity types.EntityUID) *Policy
- func (p *Policy) PrincipalIn(entity types.EntityUID) *Policy
- func (p *Policy) PrincipalIs(entityType types.EntityType) *Policy
- func (p *Policy) PrincipalIsIn(entityType types.EntityType, entity types.EntityUID) *Policy
- func (p *Policy) ResourceEq(entity types.EntityUID) *Policy
- func (p *Policy) ResourceIn(entity types.EntityUID) *Policy
- func (p *Policy) ResourceIs(entityType types.EntityType) *Policy
- func (p *Policy) ResourceIsIn(entityType types.EntityType, entity types.EntityUID) *Policy
- func (p *Policy) Unless(node Node) *Policy
- func (p *Policy) UnmarshalCedar(b []byte) error
- func (p *Policy) UnmarshalJSON(b []byte) error
- func (p *Policy) When(node Node) *Policy
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Annotations ¶
type Annotations ast.Annotations
Annotations allows access to Cedar annotations on a policy
func Annotation ¶
func Annotation(key types.Ident, value types.String) *Annotations
Annotation allows AST constructors to make policy in a similar shape to textual Cedar with annotations appearing before the actual policy scope:
ast := Annotation("foo", "bar").
Annotation("baz", "quux").
Permit().
PrincipalEq(superUser)
func (*Annotations) Annotation ¶
func (a *Annotations) Annotation(key types.Ident, value types.String) *Annotations
Annotation adds an annotation. If a previous annotation exists with the same key, this builder will replace it.
func (*Annotations) Forbid ¶
func (a *Annotations) Forbid() *Policy
Forbid begins a forbid policy from the given annotations.
func (*Annotations) Permit ¶
func (a *Annotations) Permit() *Policy
Permit begins a permit policy from the given annotations.
type Node ¶
Node is a wrapper type for all the Cedar language operators. See the Cedar operators documentation for details.
func DatetimeExtensionCall ¶ added in v1.0.0
DatetimeExtensionCall wraps a node with the cedar `datetime()` extension call
func DecimalExtensionCall ¶ added in v1.0.0
DecimalExtensionCall wraps a node with the cedar `decimal()` extension call
func DurationExtensionCall ¶ added in v1.0.0
DurationExtensionCall wraps a node with the cedar `duration()` extension call
func IPExtensionCall ¶ added in v1.0.0
IPExtensionCall wraps a node with the cedar `ip()` extension call
func IfThenElse ¶
IfThenElse builds an AST node representing the if (CONDITIONAL) operator
func Record ¶
Record creates a record node. If the same key appears more than once, the last value given for it is preserved.
Example ¶
package main
import (
"fmt"
"github.com/cedar-policy/cedar-go/ast"
"github.com/cedar-policy/cedar-go/types"
)
func main() {
	// A fully literal record is a plain types.Value; it is wrapped with ast.Value() to use it in a condition.
	literalRecord := types.NewRecord(types.RecordMap{
		"x": types.String("value1"),
		"y": types.String("value2"),
	})

	// When an element is itself an expression, the record must be built with ast.Record() instead.
	pairs := ast.Pairs{
		{Key: "x", Value: ast.Long(1).Add(ast.Context().Access("fooCount"))},
		{Key: "y", Value: ast.Long(8)},
	}
	exprRecord := ast.Record(pairs)

	literalCheck := ast.Value(literalRecord).Access("x").Equal(ast.String("value1"))
	exprCheck := exprRecord.Access("x").Equal(ast.Long(3))

	// Each When() call adds a separate when clause to the same policy.
	policy := ast.Forbid().When(literalCheck).When(exprCheck)
	fmt.Printf("%s\n", policy.MarshalCedar())
}
Output: forbid ( principal, action, resource ) when { {"x":"value1", "y":"value2"}.x == "value1" } when { {"x":(1 + context.fooCount), "y":8}.x == 3 };
func Set ¶
Set allows for a complex set definition with values potentially being Cedar expressions of their own. For example, this Cedar text:
[1, 2 + 3, context.fooCount]
could be expressed in Golang as:
ast.Set(
ast.Long(1),
ast.Long(2).Add(ast.Long(3)),
ast.Context().Access("fooCount"),
)
func (Node) Access ¶
Access builds an AST node representing the . and [] operators to access entity attributes
func (Node) ContainsAll ¶
ContainsAll builds an AST node representing the .containsAll() operator
func (Node) ContainsAny ¶
ContainsAny builds an AST node representing the .containsAny() operator
func (Node) DecimalGreaterThan ¶
DecimalGreaterThan builds an AST node representing the .greaterThan() operator
func (Node) DecimalGreaterThanOrEqual ¶
DecimalGreaterThanOrEqual builds an AST node representing the .greaterThanOrEqual() operator
func (Node) DecimalLessThan ¶
DecimalLessThan builds an AST node representing the .lessThan() operator
func (Node) DecimalLessThanOrEqual ¶
DecimalLessThanOrEqual builds an AST node representing the .lessThanOrEqual() operator
func (Node) DurationSince ¶ added in v1.0.0
DurationSince builds an AST node representing the .durationSince() operator
func (Node) GreaterThan ¶
GreaterThan builds an AST node representing the > operator
func (Node) GreaterThanOrEqual ¶
GreaterThanOrEqual builds an AST node representing the >= operator
func (Node) Is ¶
func (lhs Node) Is(entityType types.EntityType) Node
Is builds an AST node representing the is operator
func (Node) IsEmpty ¶ added in v1.2.0
IsEmpty builds an AST node representing the .isEmpty() operator
func (Node) IsIn ¶
func (lhs Node) IsIn(entityType types.EntityType, rhs Node) Node
IsIn builds an AST node representing the "is in" operator
func (Node) IsLoopback ¶
IsLoopback builds an AST node representing the .isLoopback() operator
func (Node) IsMulticast ¶
IsMulticast builds an AST node representing the .isMulticast() operator
func (Node) LessThanOrEqual ¶
LessThanOrEqual builds an AST node representing the <= operator
func (Node) ToHours ¶ added in v1.0.0
ToHours builds an AST node representing the .toHours() operator
func (Node) ToMilliseconds ¶ added in v1.0.0
ToMilliseconds builds an AST node representing the .toMilliseconds() operator
func (Node) ToMinutes ¶ added in v1.0.0
ToMinutes builds an AST node representing the .toMinutes() operator
type Policy ¶
Policy represents a single Cedar policy statement
func (*Policy) ActionInSet ¶
ActionInSet replaces the action scope condition.
func (*Policy) Annotate ¶
Annotate adds an annotation to a Policy. If a previous annotation exists with the same key, this builder will replace it.
func (*Policy) MarshalCedar ¶ added in v1.0.0
MarshalCedar encodes a single Policy statement in the human-readable format specified by the Cedar documentation.
func (*Policy) MarshalJSON ¶ added in v1.0.0
MarshalJSON encodes a single Policy statement in the JSON format specified by the Cedar documentation.
func (*Policy) PrincipalEq ¶
PrincipalEq replaces the principal scope condition.
func (*Policy) PrincipalIn ¶
PrincipalIn replaces the principal scope condition.
func (*Policy) PrincipalIs ¶
func (p *Policy) PrincipalIs(entityType types.EntityType) *Policy
PrincipalIs replaces the principal scope condition.
func (*Policy) PrincipalIsIn ¶
PrincipalIsIn replaces the principal scope condition.
func (*Policy) ResourceEq ¶
ResourceEq replaces the resource scope condition.
func (*Policy) ResourceIn ¶
ResourceIn replaces the resource scope condition.
func (*Policy) ResourceIs ¶
func (p *Policy) ResourceIs(entityType types.EntityType) *Policy
ResourceIs replaces the resource scope condition.
func (*Policy) ResourceIsIn ¶
ResourceIsIn replaces the resource scope condition.
func (*Policy) UnmarshalCedar ¶ added in v1.0.0
UnmarshalCedar parses and compiles a single Policy statement in the human-readable format specified by the Cedar documentation.
func (*Policy) UnmarshalJSON ¶ added in v1.0.0
UnmarshalJSON parses and compiles a single Policy statement in the JSON format specified by the Cedar documentation.