Backport #243 to release/3.1.x (#245)

Signed-off-by: Shaobo He <[email protected]>
cedar-policy · Mar 5, 2024 · 69a3c6a · 69a3c6a
1 parent 28c4281
commit 69a3c6a
Showing 1 changed file with 12 additions and 12 deletions.
diff --git a/cedar-drt/fuzz/src/schemas.rs b/cedar-drt/fuzz/src/schemas.rs
@@ -65,7 +65,9 @@ fn action_type_equivalence(name: &str, lhs: ActionType, rhs: ActionType) -> Resu
         match (lhs.applies_to, rhs.applies_to) {
             (None, None) => Ok(()),
             (Some(lhs), Some(rhs)) => {
-                if empty_target(&rhs) || empty_target(&lhs) || rhs == lhs {
+                // If either of them has at least one empty appliesTo list, the other must have the same attribute.
+                // Otherwise both of them must apply to unspecified entities or non-empty entity lists, which must be equal.
+                if (either_empty(&lhs) && either_empty(&rhs)) || rhs == lhs {
                     Ok(())
                 } else {
                     Err(format!(
@@ -74,7 +76,8 @@ fn action_type_equivalence(name: &str, lhs: ActionType, rhs: ActionType) -> Resu
                     ))
                 }
             }
-            (Some(spec), None) | (None, Some(spec)) if empty_target(&spec) => Ok(()),
+            // if one of them has `appliesTo` being null, then the other must have both principal and resource types unspecified
+            (Some(spec), None) | (None, Some(spec)) if both_unspecified(&spec) => Ok(()),
             (Some(_), None) => Err(format!(
                 "Mismatched applies to in `{name}`, lhs was `Some`, `rhs` was `None`"
             )),
@@ -85,14 +88,11 @@ fn action_type_equivalence(name: &str, lhs: ActionType, rhs: ActionType) -> Resu
     }
 }
 
-fn empty_target(spec: &ApplySpec) -> bool {
-    spec.resource_types
-        .as_ref()
-        .map(|v| v.is_empty())
-        .unwrap_or(false)
-        || spec
-            .principal_types
-            .as_ref()
-            .map(|v| v.is_empty())
-            .unwrap_or(false)
+fn both_unspecified(spec: &ApplySpec) -> bool {
+    spec.resource_types.is_none() && spec.principal_types.is_none()
+}
+
+fn either_empty(spec: &ApplySpec) -> bool {
+    matches!(spec.resource_types.as_ref(), Some(ts) if ts.is_empty())
+        || matches!(spec.principal_types.as_ref(), Some(ts) if ts.is_empty())
 }