Skip to content

Remove FFI interface from cedar-cli and create new create cedar-lean-ffi which can be used in both cedar-cli and cedar-drt.#628

Merged
chaluli merged 7 commits into
cedar-policy:mainfrom
chaluli:main
Jun 6, 2025
Merged

Remove FFI interface from cedar-cli and create new create cedar-lean-ffi which can be used in both cedar-cli and cedar-drt.#628
chaluli merged 7 commits into
cedar-policy:mainfrom
chaluli:main

Conversation

@chaluli

@chaluli chaluli commented Jun 5, 2025

Copy link
Copy Markdown

Refactor cedar-cli to create a new cratecedar-lean-ffi which provides a reusable set of Rust-bindings to the Lean formalization of Cedar.

Additionally, fixes a bug in cedar-cli which caused the cli to parse json format schemas using the cedar-schema parser.

The new crate should be a superset of the needs for both cedar-cli and cedar-drt.

@chaluli

chaluli commented Jun 5, 2025

Copy link
Copy Markdown
Author

The goal of this refactor is to eliminate code dupilication between the cedar-cli and cedar-drt crates. This PR takes the first step to accomplish this task by creating a new crate cedar-lean-ffi which provides re-usable Rust-bindings (in the form of a library) to the Lean formalization of Cedar.

I have refactored cedar-cli to use this new cate. In a future PR will update cedar-drt accordingly to do the same.

@john-h-kastner-aws john-h-kastner-aws left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change looks good. CI isn't building this, so I'll assume for now that it passes all tests, but we should fix that

Comment thread cedar-cli/src/validation.rs Outdated
Ok(())
}
Err(e) => Err(e),
Err(e) => Err(e)?,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Err(e)? looks funny to me. Should be able to put the ? in the match like lean_context.validate(policyset, schema, mode)? and drop this arm. Same for the other changes in this file

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's fair. The underlying err type changed and I was on auto-pilot to fix the errors. 😅

Comment thread cedar-lean-ffi/README.md Outdated
cp -r include/google/ /usr/local/include/
```

### Build this CLI

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
### Build this CLI
### Build this Library

Comment thread cedar-lean-ffi/build.rs Outdated
Comment thread cedar-lean-ffi/Cargo.toml
publish = false

[dependencies]
cedar-policy = { version = "4.4.0", features = ["protobufs"] }

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like not always requiring a local clone, but what's the plan for local development and the Github actions build? As written, this will always pull from crates.io

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I understand correctly, it won't pull from crates.io if the crate that imports this library uses a local clone of cedar-policy?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess the problem is if we add a new function to cedar-policy and want to call it in this crate. That will requiring depending on the local version for development and then the github version for CI until we do a new minor version release. Could be fine if you think this crate is small and stable enough for that not to come up.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My biggest concern is that I want CI to be testing that this crate always build with the latest version of cedar-policy from main. If you think you have a way to set that up (or if building this into cedar-drt should do that automatically), then this isn't a problem

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see two possible solutions.

1.) We add a use-local feature that will change the dependency to a local clone of cedar-policy.

by adding the following lines to Cargo.toml

[dependencies]
cedar-policy = { version = "4.4.0", features = ["protobufs"], optional = true }

[dependencies.cedar-policy-local]
package = "cedar-policy"
path = "../cedar/cedar-policy"
version = "4.4.0"
features = ["protobufs"]
optional = true

[features]
use-local = ["cedar-policy-local"]
default = ["cedar-policy"]

Normally, we build using crate.io (or whatever version the importing code uses). But allows us to do:

cargo build --features use-local --no-default-features

Note, as far as I can tell. I would need to modify every import of cedar_policy::* to use cedar_policy_local::* if the use-local feature is set.

2.) Require the CI or local developer to either manually edit the cargo or add a cargo patch that forces the use of a local clone of cedar-policy

# .cargo/config.toml
[patch.crates-io]
cedar-policy = { path = "../cedar/cedar-policy" }

Pros: No need to modify the actual Cargo.toml or rust code.
Cons: a bit clunkier to do during local development. Can be automated in CI by writing .cargo/config.toml in the CI actions as part of the setup.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think our CI for some repo in this org takes some variant of approach 2. Probably makes sense to be consistent -- if we go with something else here, update our other CIs to match

@cdisselkoen cdisselkoen left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like a great change to me

Comment thread cedar-cli/Cargo.toml
Comment thread cedar-cli/src/err.rs Outdated
Comment thread cedar-cli/src/evaluation.rs Outdated
Ok(())
}
Err(e) => Err(e),
Err(e) => Err(e)?,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's another place where we can move the ? up, in this case to line 62 probably

Comment thread cedar-lean-ffi/Cargo.toml
publish = false

[dependencies]
cedar-policy = { version = "4.4.0", features = ["protobufs"] }

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think our CI for some repo in this org takes some variant of approach 2. Probably makes sense to be consistent -- if we go with something else here, update our other CIs to match

Comment thread cedar-lean-ffi/README.md Outdated
Comment thread cedar-lean-ffi/src/lean_ffi.rs Outdated
let decision = match inner.decision.as_str() {
"allow" => Decision::Allow,
"deny" => Decision::Deny,
_ => return Err(FfiError::LeanDeserializationError),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be helpful to have this error carry the value that wasn't recognized

chaluli and others added 4 commits June 6, 2025 19:50
…ffi which can be used in both cedar-cli and cedar-drt.

Signed-off-by: Charlie Murphy <mutmoth@amazon.com>
Co-authored-by: John Kastner <130772734+john-h-kastner-aws@users.noreply.github.com>
Signed-off-by: Charlie Murphy <mutmoth@amazon.com>
Signed-off-by: Charlie Murphy <mutmoth@amazon.com>
Co-authored-by: Craig Disselkoen <craigdissel@gmail.com>
Signed-off-by: Charlie Murphy <mutmoth@amazon.com>
chaluli added 3 commits June 6, 2025 20:06
…al cedar-cli and this cli

Signed-off-by: Charlie Murphy <mutmoth@amazon.com>
Signed-off-by: Charlie Murphy <mutmoth@amazon.com>
Signed-off-by: Charlie Murphy <mutmoth@amazon.com>
Comment thread cedar-lean-cli/Cargo.toml
[package]
name = "cedar-lean-cli"
edition = "2021"
version = "0.1.0"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this start at 4.4.0 as well?

@chaluli chaluli merged commit 1be5254 into cedar-policy:main Jun 6, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants