Adds examples and integration tests for cedar-lean-cli's analysis capabilities. #638
…abilities. Signed-off-by: Charlie Murphy <mutmoth@amazon.com>
Signed-off-by: Charlie Murphy <mutmoth@amazon.com>
adpaco left a comment
Looks good, thanks!
I like output files to end with newlines and it looked like you were trimming in check_output so adding them shouldn't be an issue, right?
| match &self.principal_type { | ||
| Some(req_principal_type) if req_principal_type != principal_type => { | ||
| continue | ||
| } | ||
| _ => (), | ||
| }; |
| match &self.principal_type { | |
| Some(req_principal_type) if req_principal_type != principal_type => { | |
| continue | |
| } | |
| _ => (), | |
| }; | |
| if let Some(req_principal_type) = &self.principal_type && req_principal_type != principal_type { | |
| continue; | |
| } |
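Review bot: the if let ... && ... condition on the first added line of this suggestion is a let chain, which only compiles on the 2024 edition with Rust 1.88 or later, so it depends on the crate's edition and minimum toolchain. If either is older, the same filter can be written as if self.principal_type.as_ref().is_some_and(|t| t != principal_type) { continue; } which also drops the empty _ => () arm.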
Also, should we check and extract the value in &self.principal_type before going into this loop? Then you wouldn't need to have an if let Some(...) check in each iteration.
| if let Some(resource_types) = schema.resources_for_action(&action_id) { | ||
| for resource_type in resource_types { | ||
| match &self.resource_type { | ||
| Some(req_resource_type) if req_resource_type != resource_type => { | ||
| continue | ||
| } |
Approximately the same comments apply here.
| let output = Command::new("cedar-lean-cli") | ||
| .arg("analyze") | ||
| .arg("policies") | ||
| .arg(base_path.join("policies1.cedar")) | ||
| .arg(base_path.join("policies.cedarschema")) | ||
| .output() | ||
| .expect("Failed to run cedar-lean-cli"); |
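Review bot: Command::new("cedar-lean-cli") on the first line passes a bare program name, so the test runs whichever cedar-lean-cli is found first on PATH, which can be a stale or unrelated install rather than the binary built from this change. If this is a Cargo integration test in the same package as the binary, Command::new(env!("CARGO_BIN_EXE_cedar-lean-cli")) pins the test to the freshly built executable and removes the dependency on the CI runner's PATH.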
You could have a helper to build these commands so you only pass policies1.cedar and policies.cedarschema to it here, for example.
| use std::path::{Path, PathBuf}; | ||
| use std::process::{Command, Output}; | ||
|
|
||
| fn check_output<P: AsRef<Path>>(output: Output, expected_output_file: P, should_error: bool) { |
You don't have any test with should_error set to true, right?
Adds examples to cedar-lean-cli for analysis. Uses examples to write integration tests. Add running integration tests to CI.
Updates analysis to output tabular results in a deterministic order (to make tests pass).
Updates cedar-lean-cli to change how vacuous policy findings are printed to make the text easier to understand. (applies to all requests instead of (permits) allows all / (forbids) denies all and applies to no requests instead of (permits) denies all / (forbids) allows all).