Redid errors returned by generate_response
l-kli committed Nov 26, 2024
1 parent 3fe0ef4 commit aaa37b3
Showing 5 changed files with 38 additions and 34 deletions.
4 changes: 1 addition & 3 deletions Cargo.lock


4 changes: 1 addition & 3 deletions Cargo.toml
@@ -1,7 +1,7 @@
[package]
name = "cedar-local-agent"
edition = "2021"
version = "3.0.0"
version = "2.0.0"
license = "Apache-2.0"
description = "Foundational library for creating Cedar-based asynchronous authorizers."
keywords = ["cedar", "agent", "authorization", "policy", "security"]
Expand All @@ -13,7 +13,6 @@ bench = false
[dependencies]
# Utilities
async-trait = "0.1.71"
bytemuck = "1.20.0"
chrono = "0.4.26"
derive_builder = "0.12.0"
futures = { version = "0.3.31", features = ["std"] }
Expand All @@ -24,7 +23,6 @@ serde = { version = "1.0.166", features = ["derive"] }
serde_json = "1.0.100"
serde_repr = "0.1.16"
sha256 = "1.3.0"
smol_str = "0.3.2"
tokio = { version = "1.0", features = ["full", "signal", "sync", "parking_lot"] }
uuid = { version = "1.4.1", features = ["v4"] }

2 changes: 2 additions & 0 deletions deny.toml
@@ -1,5 +1,7 @@
# This file defines configuration for the cargo deny command
# Ref: https://github.com/EmbarkStudios/cargo-deny
[graph]
targets = []

[advisories]
ignore = []
54 changes: 33 additions & 21 deletions src/public/log/schema.rs
Expand Up @@ -550,9 +550,9 @@ pub enum ObservableTypeId {
IPAddress = 2,
/// Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A
MACAddress = 3,
/// User name. For example: `john_doe`
/// User name. For example: john\_doe
UserName = 4,
/// Email address. For example: `john_doe@example.com`
/// Email address. For example: john\_doe@example.com
EmailAddress = 5,
/// Uniform Resource Locator (URL) string
URLString = 6,
Expand Down Expand Up @@ -942,7 +942,8 @@ mod test {
use std::str::FromStr;

use cedar_policy::{
Context, Entities, EntityId, EntityTypeName, EntityUid, PolicyId, Request, Response,
AuthorizationError, Authorizer, Context, Entities, EntityId, EntityTypeName, EntityUid,
PolicyId, PolicySet, Request, Response,
};
use cedar_policy_core::authorizer::Decision;
use serde_json::{from_str, to_string, to_value, Map};
Expand Down Expand Up @@ -1078,20 +1079,31 @@ mod test {
policy_ids.insert(PolicyId::from_str("policy1").unwrap());
policy_ids.insert(PolicyId::from_str("policy2").unwrap());

// Old code - no longer works
// let errors = (0..num_of_error)
// .map(|i| AuthorizationError::PolicyEvaluationError {
// id: PolicyID::from_string(format!("policy{i}")),
// error: EvaluationError::from(RestrictedExpr::InvalidRestrictedExpression {
// feature: Default::default(),
// expr: Value::from(true).into(),
// }),
// })
// .collect();
println!("Number of errors needed: {}", { num_of_error });
// Uses a empty vector now instead of giving num_of_error errors. Tests have been changed to reflect this
// Leads to problems in test coverage
Response::new(decision, policy_ids, vec![])
let authorizer = Authorizer::new();
let policy_set = PolicySet::from_str(
r"permit(
principal,
action,
resource
) when {
resource.admins.contains(principal)
};",
)
.unwrap();

let euid_type = EntityTypeName::from_str("Veris::User").unwrap();
let euid_id = EntityId::from_str("test").unwrap();
let euid = EntityUid::from_type_name_and_id(euid_type, euid_id);

let request =
Request::new(euid.clone(), euid.clone(), euid, Context::empty(), None).unwrap();

let auth_res = authorizer.is_authorized(&request, &policy_set, &Entities::empty());
let auth_err = auth_res.diagnostics().errors().next().unwrap();

let errors: Vec<AuthorizationError> = (0..num_of_error).map(|_| auth_err.clone()).collect();

Response::new(decision, policy_ids, errors)
}

#[test]
Expand Down Expand Up @@ -1127,8 +1139,8 @@ mod test {
);
assert!(ocsf.is_ok());
let ocsf_log = ocsf.unwrap();
assert_eq!(ocsf_log.severity_id, SeverityId::Informational);
assert_eq!(ocsf_log.status.unwrap(), "Success".to_string());
assert_eq!(ocsf_log.severity_id, SeverityId::Low);
assert_eq!(ocsf_log.status.unwrap(), "Failure".to_string());

let response = generate_response(2, Decision::Deny);
let ocsf = OpenCyberSecurityFramework::create(
Expand All @@ -1141,8 +1153,8 @@ mod test {

assert!(ocsf.is_ok());
let ocsf_log = ocsf.unwrap();
assert_eq!(ocsf_log.severity_id, SeverityId::Informational);
assert_eq!(ocsf_log.status.unwrap(), "Success".to_string());
assert_eq!(ocsf_log.severity_id, SeverityId::Medium);
assert_eq!(ocsf_log.status.unwrap(), "Failure".to_string());
assert_eq!(ocsf_log.status_code.unwrap(), "Deny".to_string());
}

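Review bot: The `unwrap()` on `auth_res.diagnostics().errors().next()` in the rewritten `generate_response` helper relies on Cedar emitting at least one evaluation error when `resource.admins.contains(principal)` is evaluated against `Entities::empty()`; that appears to hold because the resource entity does not exist, but if a later cedar-policy release reports missing-entity attribute access differently the helper panics with a bare `called Option::unwrap() on a None value` in every test that calls it. State the invariant instead: `let auth_err = auth_res.diagnostics().errors().next().expect("evaluating resource.admins against empty entities must produce an evaluation error");`. Every one of the `num_of_error` entries is then a clone of that single error, so the OCSF conversion is only exercised with identical policy ids; a comment on the `errors` line such as `// All entries are clones of one error; tests do not distinguish per-policy failures.` would keep a reader from assuming the count reflects distinct failing policies. The assertions below now expect `status == "Failure"` for a response that carries errors regardless of decision, which is the conservative reading for an audit record, but the `generate_response` call for the first assertion block sits above the hunk so its decision is not visible here.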
8 changes: 1 addition & 7 deletions src/public/simple.rs
Original file line number Diff line number Diff line change
Expand Up @@ -218,10 +218,7 @@ where

// Skip logging for now
info!("Generated OCSF log record.");
// match &partial_response {
// Concrete(response) => self.log(request, response, entities),
// Residual(residual_response) => self.log_residual(request, residual_response, entities),
// };

match partial_response.decision() {
Some(_) => self.log(request, &concrete_response, entities),
None => self.log_residual(
Expand Down Expand Up @@ -249,7 +246,6 @@ where
fn log_residual(
&self,
request: &Request,
// residual_response: &ResidualResponse,
diagnostics: &Diagnostics,
policies: &PartialResponse,
entities: &Entities,
Expand All @@ -258,9 +254,7 @@ where
serde_json::to_string(
&OpenCyberSecurityFramework::create_generic(
request,
//residual_response.diagnostics(),
diagnostics,
// residual_response.residuals().policies()
policies.all_residuals()
.map(|policy| format!("{}", policy.id()))
.collect::<Vec<String>>()
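Review bot: The `// Skip logging for now` comment and the `info!("Generated OCSF log record.")` line left above `match partial_response.decision()` now contradict the code that follows: with the commented-out block deleted, both match arms call `self.log` / `self.log_residual`, and the info message is emitted before any record has been produced. Replace the comment with one that states what actually happens, e.g. `// Emit the OCSF audit record: concrete responses go through log(), residual (partial) ones through log_residual().`, and either move the `info!` after the match or reword it to `info!("Emitting OCSF log record.");`. The enclosing function starts above the hunk, so I cannot see whether a failure inside `log`/`log_residual` is surfaced to the caller; worth confirming, since an authorizer that silently drops audit records is hard to notice in operation.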
