feat: implement policy templates

internal/eval/compile.go

@@ -66,9 +66,9 @@ func scopeToNode(varNode ast.NodeTypeVariable, in ast.IsScopeNode) ast.Node {
 	case ast.ScopeTypeAll:
 		return ast.True()
 	case ast.ScopeTypeEq:
-		return ast.NewNode(varNode).Equal(ast.Value(t.Entity))
+		return ast.NewNode(varNode).Equal(ast.Value(entityReferenceToUID(t.Entity)))
 	case ast.ScopeTypeIn:
-		return ast.NewNode(varNode).In(ast.Value(t.Entity))
+		return ast.NewNode(varNode).In(ast.Value(entityReferenceToUID(t.Entity)))
 	case ast.ScopeTypeInSet:
 		vals := make([]types.Value, len(t.Entities))
 		for i, e := range t.Entities {
@@ -79,8 +79,19 @@ func scopeToNode(varNode ast.NodeTypeVariable, in ast.IsScopeNode) ast.Node {
 		return ast.NewNode(varNode).Is(t.Type)
 
 	case ast.ScopeTypeIsIn:
-		return ast.NewNode(varNode).IsIn(t.Type, ast.Value(t.Entity))
+		return ast.NewNode(varNode).IsIn(t.Type, ast.Value(entityReferenceToUID(t.Entity)))
 	default:
 		panic(fmt.Sprintf("unknown scope type %T", t))
 	}
 }
+
+func entityReferenceToUID(ef types.EntityReference) types.EntityUID {
+	switch e := ef.(type) {
+	case types.EntityUID:
+		return e
+	case types.SlotID:
+		panic("variable slot cannot be evaluated, you should instantiate a template-linked policy first")
+	default:
+		panic(fmt.Sprintf("unknown entity reference type %T", e))
+	}
+}

internal/eval/partial.go

@@ -139,14 +139,14 @@ func partialScopeEval(env Env, ent types.Value, in ast.IsScopeNode) (evaled bool
 	case ast.ScopeTypeEq:
 		return true, e == t.Entity
 	case ast.ScopeTypeIn:
-		return true, entityInOne(env, e, t.Entity)
+		return true, entityInOne(env, e, entityReferenceToUID(t.Entity))
 	case ast.ScopeTypeInSet:
 		set := mapset.Immutable(t.Entities...)
 		return true, entityInSet(env, e, set)
 	case ast.ScopeTypeIs:
 		return true, e.Type == t.Type
 	case ast.ScopeTypeIsIn:
-		return true, e.Type == t.Type && entityInOne(env, e, t.Entity)
+		return true, e.Type == t.Type && entityInOne(env, e, entityReferenceToUID(t.Entity))
 	default:
 		panic(fmt.Sprintf("unknown scope type %T", t))
 	}

internal/json/json.go

@@ -12,12 +12,13 @@ type policyJSON struct {
 	Principal   scopeJSON         `json:"principal"`
 	Action      scopeJSON         `json:"action"`
 	Resource    scopeJSON         `json:"resource"`
-	Conditions  []conditionJSON   `json:"conditions,omitempty"`
+	Conditions  []conditionJSON   `json:"conditions"` // [Cedar documentation]: https://docs.cedarpolicy.com/policies/json-format.html#policy-set-format
 }
 
 // scopeInJSON uses the implicit form of EntityUID JSON serialization to match the Rust SDK
 type scopeInJSON struct {
-	Entity types.ImplicitlyMarshaledEntityUID `json:"entity"`
+	Entity *types.ImplicitlyMarshaledEntityUID `json:"entity,omitempty"`
+	Slot   *string                             `json:"slot,omitempty"`
 }
 
 // scopeJSON uses the implicit form of EntityUID JSON serialization to match the Rust SDK
@@ -27,6 +28,7 @@ type scopeJSON struct {
 	Entities   []types.ImplicitlyMarshaledEntityUID `json:"entities,omitempty"`
 	EntityType string                               `json:"entity_type,omitempty"`
 	In         *scopeInJSON                         `json:"in,omitempty"`
+	Slot       *string                              `json:"slot,omitempty"`
 }
 
 type conditionJSON struct {

internal/json/json_marshal.go

@@ -15,13 +15,27 @@ func (s *scopeJSON) FromNode(src ast.IsScopeNode) {
 		return
 	case ast.ScopeTypeEq:
 		s.Op = "=="
-		e := types.ImplicitlyMarshaledEntityUID(t.Entity)
-		s.Entity = &e
+		switch ent := t.Entity.(type) {
+		case types.EntityUID:
+			e := types.ImplicitlyMarshaledEntityUID(ent)
+			s.Entity = &e
+		case types.SlotID:
+			varName := ent.String()
+			s.Slot = &varName
+		}
+
 		return
 	case ast.ScopeTypeIn:
 		s.Op = "in"
-		e := types.ImplicitlyMarshaledEntityUID(t.Entity)
-		s.Entity = &e
+		switch ent := t.Entity.(type) {
+		case types.EntityUID:
+			e := types.ImplicitlyMarshaledEntityUID(ent)
+			s.Entity = &e
+		case types.SlotID:
+			varName := ent.String()
+			s.Slot = &varName
+		}
+
 		return
 	case ast.ScopeTypeInSet:
 		s.Op = "in"
@@ -38,9 +52,19 @@ func (s *scopeJSON) FromNode(src ast.IsScopeNode) {
 	case ast.ScopeTypeIsIn:
 		s.Op = "is"
 		s.EntityType = string(t.Type)
-		s.In = &scopeInJSON{
-			Entity: types.ImplicitlyMarshaledEntityUID(t.Entity),
+		in := &scopeInJSON{}
+
+		switch et := t.Entity.(type) {
+		case types.EntityUID:
+			uid := types.ImplicitlyMarshaledEntityUID(et)
+			in.Entity = &uid
+		case types.SlotID:
+			varName := et.String()
+			in.Slot = &varName
 		}
+
+		s.In = in
+
 		return
 	default:
 		panic(fmt.Sprintf("unknown scope type %T", t))
@@ -317,6 +341,8 @@ func (p *Policy) MarshalJSON() ([]byte, error) {
 	j.Principal.FromNode(p.Principal)
 	j.Action.FromNode(p.Action)
 	j.Resource.FromNode(p.Resource)
+
+	j.Conditions = make([]conditionJSON, 0, len(p.Conditions)) // [Cedar documentation]: https://docs.cedarpolicy.com/policies/json-format.html#policy-set-format
 	for _, c := range p.Conditions {
 		var cond conditionJSON
 		cond.Kind = "when"

internal/json/json_test.go

@@ -475,6 +475,54 @@ func TestUnmarshalJSON(t *testing.T) {
 			ast.Permit().When(ast.ExtensionCall("ip", ast.String("10.0.0.43")).IsInRange(ast.ExtensionCall("ip", ast.String("10.0.0.42/8")))),
 			testutil.OK,
 		},
+		{
+			"principal template variable",
+			`{"effect":"permit","principal":{"op":"==", "slot": "?principal"},"action":{"op":"All"},"resource":{"op":"All"}}`,
+			ast.Permit().PrincipalEq(types.PrincipalSlot),
+			testutil.OK,
+		},
+		{
+			"principal template variable with in operator",
+			`{"effect":"permit","principal":{"op":"in", "slot": "?principal"},"action":{"op":"All"},"resource":{"op":"All"}}`,
+			ast.Permit().PrincipalIn(types.PrincipalSlot),
+			testutil.OK,
+		},
+		{
+			"principal template variable with is in operator",
+			`{"effect":"permit","principal":{"op":"is", "entity_type": "User", "in": {"slot": "?principal"} },"action":{"op":"All"},"resource":{"op":"All"}}`,
+			ast.Permit().PrincipalIsIn("User", types.PrincipalSlot),
+			testutil.OK,
+		},
+		{
+			"resource template variable",
+			`{"effect":"permit","principal":{"op":"All"},"action":{"op":"All"},"resource":{"op":"==", "slot": "?resource"}}`,
+			ast.Permit().ResourceEq(types.ResourceSlot),
+			testutil.OK,
+		},
+		{
+			"resource template variable with in operator",
+			`{"effect":"permit","principal":{"op":"All"},"action":{"op":"All"},"resource":{"op":"in", "slot": "?resource"}}`,
+			ast.Permit().ResourceIn(types.ResourceSlot),
+			testutil.OK,
+		},
+		{
+			"resource template variable with is in operator",
+			`{"effect":"permit","principal":{"op":"All"},"action":{"op":"All"},"resource":{"op":"is", "entity_type": "Photo", "in": {"slot": "?resource"} }}`,
+			ast.Permit().ResourceIsIn("Photo", types.ResourceSlot),
+			testutil.OK,
+		},
+		{
+			"fail if entity and slot present with equal operator",
+			`{"effect":"permit","principal":{"op":"==", "slot": "?principal", "entity": {"type": "User", "id": "12UA45"}},"action":{"op":"All"},"resource":{"op":"All"}}`,
+			nil,
+			testutil.Error,
+		},
+		{
+			"fail if entity and slot present with in operator",
+			`{"effect":"permit","principal":{"op":"All"},"action":{"op":"All"},"resource":{"op":"in", "slot": "?resource", "entity": {"type": "User", "id": "12UA45"}}}`,
+			nil,
+			testutil.Error,
+		},
 	}
 
 	for _, tt := range tests {