Skip to content

iann0036/polai

BranchesTags

Repository files navigation

polai

Warning This project is experimental and is not recommended for use

Foreword

This project was an experimental project to understand the complexity of the Cedar policy language. The project is incomplete and doesn't feature the automated reasoning guarantees that the official engine has. For use in a production context, consume the official engine directly or via one of the bindings.

GoDoc

A Cedar policy language lexer, parser & evaluator.

Installation

go get github.com/iann0036/polai

Please add -u flag to update in the future.

Usage

Basic Usage

package main

import (
    "fmt"
    "strings"

    "github.com/iann0036/polai"
)

func main() {
    e := polai.NewEvaluator(strings.NewReader(`
    permit (
        principal,
        action,
        resource == Folder::"My Folder"
    ) when {
        context.ssl == true
    };`))

    result, _ := e.Evaluate(`User::"alice"`, `Action::"listFiles"`, `Folder::"My Folder"`, `{
        "ssl": true
    }`)

    if result {
        fmt.Println("Authorized")
    } else {
        fmt.Println("Not Authorized")
    }
}

Advanced Options

package main

import (
    "fmt"
    "strings"

    "github.com/iann0036/polai"
)

func main() {
    e := polai.NewEvaluator(strings.NewReader(`
    permit (
        principal,
        action,
        resource == Folder::"My Folder"
    ) when {
        if context.ssl == true && principal.hasTraining
        then true
        else principal.invalidproperty
    };`))

    e.AllowShortCircuiting = true // evaluation will fail when set to false

    e.SetEntities(strings.NewReader(`
    [
        {
            "uid": "User::\"alice\"",
            "attrs": {
                "hasTraining": true
            }
        },
        {
            "uid": "User::\"kate\"",
            "attrs": {
                "hasTraining": false
            }
        }
    ]`))

    result, _ := e.Evaluate(`User::"alice"`, `Action::"listFiles"`, `Folder::"My Folder"`, `{
        "ssl": true
    }`)

    if result {
        fmt.Println("Authorized")
    } else {
        fmt.Println("Not Authorized")
    }
}

Features

  • Policy language interpreter
  • Basic permit and forbid evaluation logic
  • Equality / inequality operator within principal, action, and resource within the scope block
  • Inheritance (in) within scope block
  • Basic set (in) for action within scope block
  • Basic when and unless evaluation logic
  • Logical operators for basic types (string, long, boolean) within condition block
  • Entity store interpreter
  • Inheritance (in) within condition block
  • Entity attributes evaluation
  • IP and Decimal extensions
  • Context object
  • Set operations
  • has operation
  • Logical not ! operation
  • like operator
  • if-then-else ternary
  • Enforce Action:: namespace for actions
  • && and || short-circuiting
  • if-then-else short-circuiting
  • Embedded if-then-else
  • 4x limit on unary
  • Syntactic constraint on multiply operator
  • Anonymous records / sets
  • __entity / __extn syntax in context / entities
  • Policy templates

License

This project is under MIT license. See the LICENSE file for the full license text.

About

A Cedar policy language lexer, parser & evaluator

Topics

aws cedar aws-verified-permissions

Resources

Readme

License

MIT license
Activity

Stars

15 stars

Watchers

2 watching

Forks

1 fork
Report repository

Sponsor this project

 
Learn more about GitHub Sponsors

Languages