Upgraded cedar to 4.2.0

Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "cedar-local-agent"
 edition = "2021"
-version = "3.0.0"
+version = "2.0.0"
 license = "Apache-2.0"
 description = "Foundational library for creating Cedar-based asynchronous authorizers."
 keywords = ["cedar", "agent", "authorization", "policy", "security"]
@@ -13,7 +13,6 @@ bench = false
 [dependencies]
 # Utilities
 async-trait = "0.1.71"
-bytemuck = "1.20.0"
 chrono = "0.4.26"
 derive_builder = "0.12.0"
 futures = { version = "0.3.31", features = ["std"] }
@@ -24,7 +23,6 @@ serde = { version = "1.0.166", features = ["derive"] }
 serde_json = "1.0.100"
 serde_repr = "0.1.16"
 sha256 = "1.3.0"
-smol_str = "0.3.2"
 tokio = { version = "1.0", features = ["full", "signal", "sync", "parking_lot"] }
 uuid = { version = "1.4.1", features = ["v4"] }
 

deny.toml

@@ -1,5 +1,7 @@
 # This file defines configuration for the cargo deny command
 # Ref: https://github.com/EmbarkStudios/cargo-deny
+[graph]
+targets = []
 
 [advisories]
 ignore = []

src/public/log/schema.rs

@@ -550,9 +550,9 @@ pub enum ObservableTypeId {
     IPAddress = 2,
     /// Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A
     MACAddress = 3,
-    /// User name. For example: `john_doe`
+    /// User name. For example: john\_doe
     UserName = 4,
-    /// Email address. For example: `john_doe@example.com`
+    /// Email address. For example: john\_doe@example.com
     EmailAddress = 5,
     /// Uniform Resource Locator (URL) string
     URLString = 6,
@@ -942,7 +942,8 @@ mod test {
     use std::str::FromStr;
 
     use cedar_policy::{
-        Context, Entities, EntityId, EntityTypeName, EntityUid, PolicyId, Request, Response,
+        AuthorizationError, Authorizer, Context, Entities, EntityId, EntityTypeName, EntityUid,
+        PolicyId, PolicySet, Request, Response,
     };
     use cedar_policy_core::authorizer::Decision;
     use serde_json::{from_str, to_string, to_value, Map};
@@ -1078,20 +1079,31 @@ mod test {
         policy_ids.insert(PolicyId::from_str("policy1").unwrap());
         policy_ids.insert(PolicyId::from_str("policy2").unwrap());
 
-        // Old code - no longer works
-        // let errors = (0..num_of_error)
-        //     .map(|i| AuthorizationError::PolicyEvaluationError {
-        //         id: PolicyID::from_string(format!("policy{i}")),
-        //         error: EvaluationError::from(RestrictedExpr::InvalidRestrictedExpression {
-        //             feature: Default::default(),
-        //             expr: Value::from(true).into(),
-        //         }),
-        //     })
-        //     .collect();
-        println!("Number of errors needed: {}", { num_of_error });
-        // Uses a empty vector now instead of giving num_of_error errors. Tests have been changed to reflect this
-        // Leads to problems in test coverage
-        Response::new(decision, policy_ids, vec![])
+        let authorizer = Authorizer::new();
+        let policy_set = PolicySet::from_str(
+            r"permit(
+            principal,
+            action,
+            resource
+            ) when {
+                resource.admins.contains(principal)
+            };",
+        )
+        .unwrap();
+
+        let euid_type = EntityTypeName::from_str("Veris::User").unwrap();
+        let euid_id = EntityId::from_str("test").unwrap();
+        let euid = EntityUid::from_type_name_and_id(euid_type, euid_id);
+
+        let request =
+            Request::new(euid.clone(), euid.clone(), euid, Context::empty(), None).unwrap();
+
+        let auth_res = authorizer.is_authorized(&request, &policy_set, &Entities::empty());
+        let auth_err = auth_res.diagnostics().errors().next().unwrap();
+
+        let errors: Vec<AuthorizationError> = (0..num_of_error).map(|_| auth_err.clone()).collect();
+
+        Response::new(decision, policy_ids, errors)
     }
 
     #[test]
@@ -1127,8 +1139,8 @@ mod test {
         );
         assert!(ocsf.is_ok());
         let ocsf_log = ocsf.unwrap();
-        assert_eq!(ocsf_log.severity_id, SeverityId::Informational);
-        assert_eq!(ocsf_log.status.unwrap(), "Success".to_string());
+        assert_eq!(ocsf_log.severity_id, SeverityId::Low);
+        assert_eq!(ocsf_log.status.unwrap(), "Failure".to_string());
 
         let response = generate_response(2, Decision::Deny);
         let ocsf = OpenCyberSecurityFramework::create(
@@ -1141,8 +1153,8 @@ mod test {
 
         assert!(ocsf.is_ok());
         let ocsf_log = ocsf.unwrap();
-        assert_eq!(ocsf_log.severity_id, SeverityId::Informational);
-        assert_eq!(ocsf_log.status.unwrap(), "Success".to_string());
+        assert_eq!(ocsf_log.severity_id, SeverityId::Medium);
+        assert_eq!(ocsf_log.status.unwrap(), "Failure".to_string());
         assert_eq!(ocsf_log.status_code.unwrap(), "Deny".to_string());
     }
 

src/public/simple.rs

@@ -218,10 +218,7 @@ where
 
         // Skip logging for now
         info!("Generated OCSF log record.");
-        // match &partial_response {
-        //     Concrete(response) => self.log(request, response, entities),
-        //     Residual(residual_response) => self.log_residual(request, residual_response, entities),
-        // };
+
         match partial_response.decision() {
             Some(_) => self.log(request, &concrete_response, entities),
             None => self.log_residual(
@@ -249,7 +246,6 @@ where
     fn log_residual(
         &self,
         request: &Request,
-        // residual_response: &ResidualResponse,
         diagnostics: &Diagnostics,
         policies: &PartialResponse,
         entities: &Entities,
@@ -258,9 +254,7 @@ where
             serde_json::to_string(
                 &OpenCyberSecurityFramework::create_generic(
                     request,
-                    //residual_response.diagnostics(),
                     diagnostics,
-                    // residual_response.residuals().policies()
                     policies.all_residuals()
                         .map(|policy| format!("{}", policy.id()))
                         .collect::<Vec<String>>()