From 72308facbe2fbde2a0dc8a94f1a55480e5c81670 Mon Sep 17 00:00:00 2001 From: Kesha Hietala Date: Mon, 23 Sep 2024 16:23:14 -0400 Subject: [PATCH] fix for cedar#1220 (#195) --- .../document_cloud/policies.cedar | 2 +- .../hotel_chains/static/policies.cedar | 130 ++++++++++-------- .../hotel_chains/templated/policies.cedar | 87 ++++++------ cedar-example-use-cases/run.sh | 8 +- .../sales_orgs/static/policies.cedar | 97 ++++++------- .../sales_orgs/templated/policies.cedar | 114 +++++++-------- .../tags_n_roles/policies.cedar | 2 +- .../tax_preprarer/policies.cedar | 2 +- .../GitApp/gitapp.cedar | 2 +- .../PhotoApp/photoapp.cedar | 2 +- cedar-wasm-example/__tests__/main.test.ts | 2 +- 11 files changed, 239 insertions(+), 209 deletions(-) diff --git a/cedar-example-use-cases/document_cloud/policies.cedar b/cedar-example-use-cases/document_cloud/policies.cedar index 36c5976..c9a680b 100644 --- a/cedar-example-use-cases/document_cloud/policies.cedar +++ b/cedar-example-use-cases/document_cloud/policies.cedar @@ -115,4 +115,4 @@ when principal != resource.owner && resource has isPrivate && resource.isPrivate -}; \ No newline at end of file +}; diff --git a/cedar-example-use-cases/hotel_chains/static/policies.cedar b/cedar-example-use-cases/hotel_chains/static/policies.cedar index 6d1a0fc..9d98868 100644 --- a/cedar-example-use-cases/hotel_chains/static/policies.cedar +++ b/cedar-example-use-cases/hotel_chains/static/policies.cedar 
@@ -1,81 +1,99 @@ // ========================================== // Policies for particular property resource types -permit( - principal, +permit ( + principal, action in [Action::"viewReservation"], - resource) -when { - resource in principal.viewPermissions.hotelReservations || - resource in principal.viewPermissions.propertyReservations + resource +) +when +{ + resource in principal.viewPermissions.hotelReservations || + resource in principal.viewPermissions.propertyReservations }; -// ... three similar policies but for Inventory, PaymentDetails, Rates -permit( - principal, - action in [Action::"viewReservation", - Action::"updateReservation", - Action::"createReservation"], - resource) -when { +// ... three similar policies but for Inventory, PaymentDetails, Rates +permit ( + principal, + action in + [Action::"viewReservation", + Action::"updateReservation", + Action::"createReservation"], + resource +) +when +{ resource in principal.memberPermissions.hotelReservations || resource in principal.memberPermissions.propertyReservations }; -// ... three similar policies but for Inventory, PaymentDetails, Rates -permit( - principal, - action in [Action::"viewReservation", - Action::"updateReservation", - Action::"createReservation", - Action::"grantAccessReservation" - // ... other actions for all resource types - ], - resource) -when { +// ... three similar policies but for Inventory, PaymentDetails, Rates +permit ( + principal, + action in + [Action::"viewReservation", + Action::"updateReservation", + Action::"createReservation", + Action::"grantAccessReservation" + // ... 
other actions for all resource types + ], + resource +) +when +{ resource in principal.hotelAdminPermissions || resource in principal.propertyAdminPermissions }; // ========================================== // Policies for properties and hotels -permit( - principal, - action in [Action::"viewProperty", - Action::"viewHotel"], - resource) -when { +permit ( + principal, + action in [Action::"viewProperty", Action::"viewHotel"], + resource +) +when +{ resource in principal.viewPermissions.hotelReservations || - resource is Property && resource in principal.viewPermissions.propertyReservations + resource is Property && + resource in principal.viewPermissions.propertyReservations // || resource in principal.viewPermissions.inventory ... for other resource types }; -permit( - principal, - action in [Action::"viewProperty", - Action::"updateProperty", - Action::"createProperty", - Action::"viewHotel", - Action::"updateHotel", - Action::"createHotel"], - resource) -when { +permit ( + principal, + action in + [Action::"viewProperty", + Action::"updateProperty", + Action::"createProperty", + Action::"viewHotel", + Action::"updateHotel", + Action::"createHotel"], + resource +) +when +{ resource in principal.memberPermissions.hotelReservations || - resource is Property && resource in principal.memberPermissions.propertyReservations + resource is Property && + resource in principal.memberPermissions.propertyReservations // || resource in principal.memberPermissions.inventory ... 
for other resource types }; -permit( +permit ( principal, - action in [Action::"viewProperty", - Action::"updateProperty", - Action::"createProperty", - Action::"grantAccessProperty", - Action::"viewHotel", - Action::"updateHotel", - Action::"createHotel", - Action::"grantAccessHotel"], - resource) -when { + action in + [Action::"viewProperty", + Action::"updateProperty", + Action::"createProperty", + Action::"grantAccessProperty", + Action::"viewHotel", + Action::"updateHotel", + Action::"createHotel", + Action::"grantAccessHotel"], + resource +) +when +{ resource in principal.hotelAdminPermissions || - resource is Property && resource in principal.propertyAdminPermissions -}; \ No newline at end of file + resource is Property && + resource in principal.propertyAdminPermissions +}; diff --git a/cedar-example-use-cases/hotel_chains/templated/policies.cedar b/cedar-example-use-cases/hotel_chains/templated/policies.cedar index d0b7057..4e04e15 100644 --- a/cedar-example-use-cases/hotel_chains/templated/policies.cedar +++ b/cedar-example-use-cases/hotel_chains/templated/policies.cedar 
@@ -1,53 +1,62 @@ @id("ViewReservation") -permit( +permit ( principal == ?principal, action in [Action::"viewReservation"], - resource in ?resource); - + resource in ?resource +); + @id("MemberReservation") -permit( - principal == ?principal, - action in [Action::"viewReservation", - Action::"updateReservation", - Action::"createReservation"], - resource in ?resource); +permit ( + principal == ?principal, + action in + [Action::"viewReservation", + Action::"updateReservation", + Action::"createReservation"], + resource in ?resource +); @id("AdminReservation") -permit( +permit ( principal == ?principal, - action in [Action::"viewReservation", - Action::"updateReservation", - Action::"createReservation", - Action::"grantAccessReservation"], - resource in ?resource); + action in + [Action::"viewReservation", + Action::"updateReservation", + Action::"createReservation", + Action::"grantAccessReservation"], + resource in ?resource +); @id("ViewPropertyOrHotel") -permit( +permit ( principal == ?principal, - action in [Action::"viewHotel", - Action::"viewProperty"], - resource in ?resource); - + action in [Action::"viewHotel", Action::"viewProperty"], + resource in ?resource +); + @id("MemberPropertyOrHotel") -permit( - principal == ?principal, - action in [Action::"viewHotel", - Action::"updateHotel", - Action::"createHotel", - Action::"viewProperty", - Action::"updateProperty", - Action::"createProperty"], - resource in ?resource); +permit ( + principal == ?principal, + action in + [Action::"viewHotel", + Action::"updateHotel", + Action::"createHotel", + Action::"viewProperty", + Action::"updateProperty", + Action::"createProperty"], + resource in ?resource +); @id("AdminPropertyOrHotel") -permit( +permit ( principal == ?principal, - action in [Action::"viewHotel", - Action::"updateHotel", - Action::"createHotel", - Action::"grantAccessHotel", - Action::"viewProperty", - Action::"updateProperty", - Action::"createProperty", - Action::"grantAccessProperty"], - resource 
in ?resource); \ No newline at end of file + action in + [Action::"viewHotel", + Action::"updateHotel", + Action::"createHotel", + Action::"grantAccessHotel", + Action::"viewProperty", + Action::"updateProperty", + Action::"createProperty", + Action::"grantAccessProperty"], + resource in ?resource +); diff --git a/cedar-example-use-cases/run.sh b/cedar-example-use-cases/run.sh index bfb8aa2..9ca5df8 100755 --- a/cedar-example-use-cases/run.sh +++ b/cedar-example-use-cases/run.sh @@ -30,24 +30,24 @@ format "tax_preprarer" "policies.cedar" echo -e "\nTesting Sales Orgs (static)..." validate "sales_orgs/static" "policies.cedar" "policies.cedarschema" authorize "sales_orgs/static" "policies.cedar" "entities.json" "policies.cedarschema" -#format "sales_orgs/static" "policies.cedar" +format "sales_orgs/static" "policies.cedar" # Sales org templated echo -e "\nTesting Sales Orgs (templated)..." validate "sales_orgs/templated" "policies.cedar" "policies.cedarschema" "linked" authorize "sales_orgs/templated" "policies.cedar" "entities.json" "policies.cedarschema" "linked" -#format "sales_orgs/templated" "policies.cedar" +format "sales_orgs/templated" "policies.cedar" # Hotel chains static echo -e "\nTesting Hotels (static)..." validate "hotel_chains/static" "policies.cedar" "policies.cedarschema" authorize "hotel_chains/static" "policies.cedar" "entities.json" "policies.cedarschema" -#format "hotel_chains/static" "policies.cedar" +format "hotel_chains/static" "policies.cedar" # Hotel chains templated echo -e "\nTesting Hotels (templated)..." validate "hotel_chains/templated" "policies.cedar" "policies.cedarschema" "linked" authorize "hotel_chains/templated" "policies.cedar" "entities.json" "policies.cedarschema" "linked" -#format "hotel_chains/static" "policies.cedar" +format "hotel_chains/templated" "policies.cedar" exit "$any_failed" 
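Review bot: The four re-enabled `format` calls make formatter conformance a CI gate for these policy files, but the hunk gives no indication what `format` does on a mismatch — whether it only diffs the file against the formatter output and sets `any_failed`, or rewrites the checked-in policy in place — and the function itself is defined above line 30, outside the hunk. If it rewrites in place, a drift would silently change authorization policy text during a run instead of failing it; I'd confirm and pin that down with a comment above the first call, e.g. `# format: check-only; compares the file against cedar-format output and sets any_failed on mismatch`. Worth noting for reviewers that the previous commented-out templated line pointed at `hotel_chains/static`, so `hotel_chains/templated/policies.cedar` is being format-checked for the first time here; the `validate`/`authorize` lines are unchanged, so semantic coverage is unaffected.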
diff --git a/cedar-example-use-cases/sales_orgs/static/policies.cedar b/cedar-example-use-cases/sales_orgs/static/policies.cedar index 8d26e0b..605b7ba 100644 --- a/cedar-example-use-cases/sales_orgs/static/policies.cedar +++ b/cedar-example-use-cases/sales_orgs/static/policies.cedar @@ -1,41 +1,38 @@ // PRESENTATION POLICIES @id("external-prez-view") -permit( +permit ( principal, action in Action::"ExternalPrezViewActions", - resource) -when { - principal in resource.viewers -}; + resource +) +when { principal in resource.viewers }; @id("internal-prez-view") -permit( +permit ( principal, action in Action::"InternalPrezViewActions", - resource) -when { - principal.job == Job::"internal" && - principal in resource.viewers -}; + resource +) +when { principal.job == Job::"internal" && principal in resource.viewers }; // Authorizes edit actions generally, but these limited with forbid policies @id("prez-edit") -permit( +permit ( principal, action in Action::"PrezEditActions", - resource) -when { - resource.owner == principal || - principal in resource.editors -}; + resource +) +when { resource.owner == principal || principal in resource.editors }; // only permit sharing to non-customers @id("limit-prez-view-customer") -forbid( +forbid ( principal, action == Action::"grantViewAccessToPresentation", - resource) -unless { + resource +) +unless +{ context.target.job != Job::"customer" || (principal.job == Job::"distributor" && principal.customerId == context.target.customerId) 
@@ -43,64 +40,68 @@ unless { // forbid sharing editor access to non-internal users @id("limit-prez-edit-to-internal") -forbid( +forbid ( principal, action == Action::"grantEditAccessToPresentation", - resource) -when { - context.target.job != Job::"internal" -}; + resource +) +when { context.target.job != Job::"internal" }; // TEMPLATE POLICIES @id("market-template-view") -permit( +permit ( principal, action in Action::"MarketTemplateViewActions", - resource) -when { - principal in resource.viewerMarkets -}; + resource +) +when { principal in resource.viewerMarkets }; @id("internal-template-view") -permit( +permit ( principal, action in Action::"InternalTemplateViewActions", - resource) -when { - principal.job == Job::"internal" && principal in resource.viewers -}; + resource +) +when { principal.job == Job::"internal" && principal in resource.viewers }; // Authorizes edit actions generally, but these limited with forbid policies @id("template-edit") -permit( +permit ( principal, action in Action::"TemplateEditActions", - resource) -when { - resource.owner == principal || + resource +) +when +{ + resource.owner == principal || principal in resource.editors || principal in resource.editorMarkets }; // only permit sharing by internal users to non-customers @id("limit-template-grant-view") -forbid( +forbid ( principal, action == Action::"grantViewAccessToTemplate", - resource) -when { - context has targetUser && context.targetUser.job == Job::"customer" && + resource +) +when +{ + context has targetUser && + context.targetUser.job == Job::"customer" && (principal.job != Job::"distributor" || principal.customerId != context.targetUser.customerId) }; // forbid sharing editor access to non-internal users @id("limit-template-grant-edit-internal") -forbid( +forbid ( principal, action == Action::"grantEditAccessToTemplate", - resource) -when { - context has targetUser && context.targetUser.job != Job::"internal" - // context.targetMarket always Ok, no matter the market + 
resource +) +when +{ + context has targetUser && context.targetUser.job != Job::"internal" +// context.targetMarket always Ok, no matter the market }; diff --git a/cedar-example-use-cases/sales_orgs/templated/policies.cedar b/cedar-example-use-cases/sales_orgs/templated/policies.cedar index 96e74a6..118ddc6 100644 --- a/cedar-example-use-cases/sales_orgs/templated/policies.cedar +++ b/cedar-example-use-cases/sales_orgs/templated/policies.cedar 
@@ -2,50 +2,52 @@ @createPolicyWhen("Create a template linked policy when a external user is added to a prez as viewer") @id("external-prez-view") -permit(principal == ?principal, +permit ( + principal == ?principal, action in Action::"ExternalPrezViewActions", - resource == ?resource) -when { - principal.job != Job::"internal" -}; + resource == ?resource +) +when { principal.job != Job::"internal" }; // Here, ?principal is a group of users allowed to view ?resource @createPolicyWhen("Create a template linked policy when a internal user is added to a prez as viewer") @id("internal-prez-view") -permit(principal == ?principal, +permit ( + principal == ?principal, action in Action::"InternalPrezViewActions", - resource == ?resource) -when { - principal.job == Job::"internal" -}; + resource == ?resource +) +when { principal.job == Job::"internal" }; // Here, ?principal is a group of users allowed to edit ?resource, i.e., resource.editors above @createPolicyWhen("Create a template linked policy when a user is added to a prez as editor") -@id("template-edit for non-owner") -permit( +@id("template-edit for non-owner") +permit ( principal == ?principal, action in Action::"PrezEditActions", - resource == ?resource); + resource == ?resource +); // Presentation owners always allowed to do what they want @id("template-edit for owner") -permit( +permit ( principal, action in Action::"PrezEditActions", - resource) -when { - resource.owner == principal -}; + resource +) +when { resource.owner == principal }; // only permit sharing to non-customers @id("limit-prez-view-customer") -forbid( +forbid ( principal, action == Action::"grantViewAccessToPresentation", - resource) -unless { + resource +) +unless +{ context.target.job != Job::"customer" || (principal.job == Job::"distributor" && principal.customerId == context.target.customerId) 
@@ -53,76 +55,76 @@ unless { // forbid sharing editor access to non-internal users @id("limit-prez-edit-to-internal") -forbid( +forbid ( principal, action == Action::"grantEditAccessToPresentation", - resource) -when { - context.target.job != Job::"internal" -}; - + resource +) +when { context.target.job != Job::"internal" }; // TEMPLATE POLICIES @createPolicyWhen("Create a template linked policy when a user is added to a template as market viewer") @id("market-template-view") -permit( +permit ( principal == ?principal, action in Action::"MarketTemplateViewActions", - resource == ?resource) -when { - principal.job != Job::"internal" -}; - + resource == ?resource +) +when { principal.job != Job::"internal" }; @createPolicyWhen("Create a template linked policy when a internal user is added to a template as viewer") @id("internal-template-view") -permit( +permit ( principal == ?principal, action in Action::"InternalTemplateViewActions", - resource == ?resource) -when { - principal.job == Job::"internal" -}; + resource == ?resource +) +when { principal.job == Job::"internal" }; // Authorizes edit actions generally, but these limited with forbid policies @id("template-edit") @createPolicyWhen("Create a template linked policy when a user is added to a template as editor") -permit( +permit ( principal == ?principal, action in Action::"TemplateEditActions", - resource == ?resource); + resource == ?resource +); -// Permit owners to edit templates -permit( +// Permit owners to edit templates +permit ( principal, action in Action::"TemplateEditActions", - resource) -when { - principal == resource.owner -}; + resource +) +when { principal == resource.owner }; // only permit sharing by internal users to non-customers @id("limit-template-grant-view") -forbid( +forbid ( principal, action == Action::"grantViewAccessToTemplate", - resource) -when { - context has targetUser && context.targetUser.job == Job::"customer" && + resource +) +when +{ + context has targetUser && + 
context.targetUser.job == Job::"customer" && (principal.job != Job::"distributor" || principal.customerId != context.targetUser.customerId) }; // forbid sharing editor access to non-internal users @id("limit-template-grant-edit-internal") -forbid( +forbid ( principal, action == Action::"grantEditAccessToTemplate", - resource) -when { - context has targetUser && context.targetUser.job != Job::"internal" - // context.targetMarket always Ok, no matter the market -}; \ No newline at end of file + resource +) +when +{ + context has targetUser && context.targetUser.job != Job::"internal" +// context.targetMarket always Ok, no matter the market +}; diff --git a/cedar-example-use-cases/tags_n_roles/policies.cedar b/cedar-example-use-cases/tags_n_roles/policies.cedar index f5e79c2..749e79e 100644 --- a/cedar-example-use-cases/tags_n_roles/policies.cedar +++ b/cedar-example-use-cases/tags_n_roles/policies.cedar @@ -180,4 +180,4 @@ when true else true) -}; \ No newline at end of file +}; diff --git a/cedar-example-use-cases/tax_preprarer/policies.cedar b/cedar-example-use-cases/tax_preprarer/policies.cedar index 2eae25a..eb28bc6 100644 --- a/cedar-example-use-cases/tax_preprarer/policies.cedar +++ b/cedar-example-use-cases/tax_preprarer/policies.cedar @@ -36,4 +36,4 @@ unless { context.consent.client == resource.owner && context.consent.team_region_list.contains(principal.location) -}; \ No newline at end of file +}; diff --git a/cedar-policy-language-in-action/GitApp/gitapp.cedar b/cedar-policy-language-in-action/GitApp/gitapp.cedar index 8db4beb..d72b9a0 100644 --- a/cedar-policy-language-in-action/GitApp/gitapp.cedar +++ b/cedar-policy-language-in-action/GitApp/gitapp.cedar @@ -62,4 +62,4 @@ permit ( GitApp::Action::"forkRepo"], resource in GitApp::Application::"GitApp" ) -when { resource has contributors && principal in resource.contributors }; \ No newline at end of file +when { resource has contributors && principal in resource.contributors }; 
diff --git a/cedar-policy-language-in-action/PhotoApp/photoapp.cedar b/cedar-policy-language-in-action/PhotoApp/photoapp.cedar index 639d7ac..eb344bb 100644 --- a/cedar-policy-language-in-action/PhotoApp/photoapp.cedar +++ b/cedar-policy-language-in-action/PhotoApp/photoapp.cedar @@ -53,4 +53,4 @@ permit ( principal == PhotoApp::User::"JohnDoe", action == PhotoApp::Action::"viewPhoto", resource in PhotoApp::Album::"JaneVacation" -); \ No newline at end of file +); diff --git a/cedar-wasm-example/__tests__/main.test.ts b/cedar-wasm-example/__tests__/main.test.ts index a4a89c0..96b6d3b 100644 --- a/cedar-wasm-example/__tests__/main.test.ts +++ b/cedar-wasm-example/__tests__/main.test.ts @@ -220,7 +220,7 @@ describe('formatter tests', () => { `}; const formattingResult = cedar.formatPolicies(call); expect(formattingResult.type).toBe('success'); - expect('formatted_policy' in formattingResult && formattingResult.formatted_policy).toBe('permit (principal, action, resource);'); + expect('formatted_policy' in formattingResult && formattingResult.formatted_policy).toBe('permit (principal, action, resource);\n'); }); test('executes successfully but returns failure when passed an invalid policy', () => {
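Review bot: The updated assertion still folds the type narrowing into the value under test — `'formatted_policy' in formattingResult && formattingResult.formatted_policy` — so if the field is ever absent the failure reads as `false` not equal to the expected string rather than naming the missing field. I'd narrow first and assert the value on its own: `if (formattingResult.type !== 'success') throw new Error('expected success result');` followed by `expect(formattingResult.formatted_policy).toBe('permit (principal, action, resource);\n');`. Pinning the trailing `\n` makes the newline part of `formatPolicies`' contract, which a future reader may mistake for an accident; a comment such as `// formatter output is newline-terminated (see cedar#1220)` would make the `\n` deliberate, assuming that is what #1220 covers. The enclosing test callback begins before the hunk.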