Disallow unknown and bump version to 3.2.2 (#1103)

Signed-off-by: Aaron Eline <aeline+github@amazon.com>

Author: Aaron Eline

cedar-policy-cli/Cargo.toml

@@ -3,7 +3,7 @@ name = "cedar-policy-cli"
 edition = "2021"
 rust-version = "1.76.0"  # minimum supported Rust version is currently 1.76.0 because `cedar-policy-core` requirement. Check with `cargo install cargo-msrv && cargo msrv --min 1.75.0`
 
-version = "3.2.1"
+version = "3.2.2"
 license = "Apache-2.0"
 categories = ["compilers", "config"]
 description = "CLI interface for the Cedar Policy language."
@@ -12,8 +12,8 @@ homepage = "https://cedarpolicy.com"
 repository = "https://github.com/cedar-policy/cedar"
 
 [dependencies]
-cedar-policy = { version = "=3.2.1", path = "../cedar-policy" }
-cedar-policy-formatter = { version = "=3.2.1", path = "../cedar-policy-formatter" }
+cedar-policy = { version = "=3.2.2", path = "../cedar-policy" }
+cedar-policy-formatter = { version = "=3.2.2", path = "../cedar-policy-formatter" }
 clap = { version = "4", features = ["derive", "env"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"

cedar-policy-core/Cargo.toml

@@ -4,7 +4,7 @@ edition = "2021"
 rust-version = "1.76.0"  # minimum supported Rust version is currently 1.76.0 because of use of `Arc::unwrap_or_clone()`. Check with `cargo install cargo-msrv && cargo msrv --min 1.75.0`
 build = "build.rs"
 
-version = "3.2.1"
+version = "3.2.2"
 license = "Apache-2.0"
 categories = ["compilers", "config"]
 description = "Core implemenation of the Cedar Policy language."
@@ -57,3 +57,6 @@ lalrpop = "0.20.0"
 
 [dev-dependencies]
 cool_asserts = "2.0"
+
+[lints.rust]
+unexpected_cfgs = { level = 'deny', check-cfg = ['cfg(fuzzing)'] }

cedar-policy-core/src/authorizer.rs

@@ -272,6 +272,7 @@ mod test {
         .expect("Policy Creation Failed")
     }
 
+    #[cfg(feature = "partial-eval")]
     fn context_pol(id: &str, effect: Effect) -> StaticPolicy {
         let pid = PolicyID::from_string(id);
         StaticPolicy::new(
@@ -308,6 +309,7 @@ mod test {
     }
 
     #[test]
+    #[cfg(feature = "partial-eval")]
     fn authorizer_sanity_check_partial_deny() {
         let context = Context::from_expr(
             RestrictedExpr::record([(
@@ -392,6 +394,44 @@ mod test {
         let mut pset = PolicySet::new();
         let es = Entities::new();
 
+        let src1 = r#"
+        permit(principal == test_entity_type::"p",action,resource);
+        "#;
+        let src2 = r#"
+        forbid(principal == test_entity_type::"p",action,resource) when {
+            false
+        };
+        "#;
+
+        pset.add_static(
+            parser::parse_policy(Some(PolicyID::from_string("1").to_string()), src1).unwrap(),
+        )
+        .unwrap();
+        pset.add_static(
+            parser::parse_policy(Some(PolicyID::from_string("2").to_string()), src2).unwrap(),
+        )
+        .unwrap();
+
+        let r = a.is_authorized_core(q.clone(), &pset, &es).decision();
+        assert_eq!(r, Some(Decision::Allow));
+    }
+
+    #[test]
+    #[cfg(feature = "partial-eval")]
+    fn satisfied_permit_no_forbids_unknown() {
+        let q = Request::new(
+            (EntityUID::with_eid("p"), None),
+            (EntityUID::with_eid("a"), None),
+            (EntityUID::with_eid("r"), None),
+            Context::empty(),
+            None::<&RequestSchemaAllPass>,
+            Extensions::none(),
+        )
+        .unwrap();
+        let a = Authorizer::new();
+        let mut pset = PolicySet::new();
+        let es = Entities::new();
+
         let src1 = r#"
         permit(principal == test_entity_type::"p",action,resource);
         "#;
@@ -431,6 +471,7 @@ mod test {
     }
 
     #[test]
+    #[cfg(feature = "partial-eval")]
     fn satisfied_permit_residual_forbid() {
         let q = Request::new(
             (EntityUID::with_eid("p"), None),
@@ -479,6 +520,7 @@ mod test {
     }
 
     #[test]
+    #[cfg(feature = "partial-eval")]
     fn no_permits() {
         let q = Request::new(
             (EntityUID::with_eid("p"), None),
@@ -541,6 +583,7 @@ mod test {
     }
 
     #[test]
+    #[cfg(feature = "partial-eval")]
     fn residual_permits() {
         let q = Request::new(
             (EntityUID::with_eid("p"), None),

cedar-policy-core/src/extensions.rs

@@ -34,6 +34,7 @@ lazy_static::lazy_static! {
         ipaddr::extension(),
         #[cfg(feature = "decimal")]
         decimal::extension(),
+        #[cfg(feature = "partial-eval")]
         partial_evaluation::extension(),
     ];
 }

cedar-policy-core/src/extensions/partial_evaluation.rs

@@ -13,6 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+#![cfg(feature = "partial-eval")]
 
 //! This module contains the extension for including unknown values
 use crate::{

cedar-policy-formatter/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cedar-policy-formatter"
-version = "3.2.1"
+version = "3.2.2"
 edition = "2021"
 rust-version = "1.76.0"  # minimum supported Rust version is currently 1.76.0 because `cedar-policy-core` requirement. Check with `cargo install cargo-msrv && cargo msrv --min 1.75.0`
 license = "Apache-2.0"
@@ -11,7 +11,7 @@ homepage = "https://cedarpolicy.com"
 repository = "https://github.com/cedar-policy/cedar"
 
 [dependencies]
-cedar-policy-core = { version = "=3.2.1", path = "../cedar-policy-core" }
+cedar-policy-core = { version = "=3.2.2", path = "../cedar-policy-core" }
 pretty = "0.12.1"
 logos = "0.14.0"
 itertools = "0.12"

cedar-policy-validator/Cargo.toml

@@ -3,7 +3,7 @@ name = "cedar-policy-validator"
 edition = "2021"
 rust-version = "1.76.0"  # minimum supported Rust version is currently 1.76.0 because `cedar-policy-core` requirement. Check with `cargo install cargo-msrv && cargo msrv --min 1.75.0`
 
-version = "3.2.1"
+version = "3.2.2"
 license = "Apache-2.0"
 categories = ["compilers", "config"]
 description = "Validator for the Cedar Policy language."
@@ -12,7 +12,7 @@ homepage = "https://cedarpolicy.com"
 repository = "https://github.com/cedar-policy/cedar"
 
 [dependencies]
-cedar-policy-core = { version = "=3.2.1", path = "../cedar-policy-core" }
+cedar-policy-core = { version = "=3.2.2", path = "../cedar-policy-core" }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = { version = "1.0", features = ["preserve_order"] }
 serde_with = "3.0"
@@ -38,6 +38,7 @@ default = ["ipaddr", "decimal"]
 # when enabling a feature, make sure that the Core feature is also enabled
 ipaddr = ["cedar-policy-core/ipaddr"]
 decimal = ["cedar-policy-core/decimal"]
+partial-eval = ["cedar-policy-core/partial-eval"]
 
 # Enables `Arbitrary` implementations for several types in this crate
 arbitrary = ["dep:arbitrary"]
@@ -48,7 +49,7 @@ wasm = ["serde-wasm-bindgen", "tsify", "wasm-bindgen"]
 
 [dev-dependencies]
 cool_asserts = "2.0"
-cedar-policy-core = { version = "=3.2.1", path = "../cedar-policy-core", features = [
+cedar-policy-core = { version = "=3.2.2", path = "../cedar-policy-core", features = [
     "test-util",
 ] }
 

cedar-policy-validator/src/extensions.rs

@@ -33,6 +33,7 @@ pub fn all_available_extension_schemas() -> Vec<ExtensionSchema> {
         ipaddr::extension_schema(),
         #[cfg(feature = "decimal")]
         decimal::extension_schema(),
+        #[cfg(feature = "partial-eval")]
         partial_evaluation::extension_schema(),
     ]
 }

cedar-policy-validator/src/extensions/partial_evaluation.rs

@@ -18,6 +18,7 @@
 //! out-of-date with the decimal extension definition in CedarCore.
 //! This is tested by the `extension_schema_correctness()` test
 
+#![cfg(feature = "partial-eval")]
 use crate::extension_schema::{ExtensionFunctionType, ExtensionSchema};
 use crate::types::{self, Type};
 use cedar_policy_core::extensions::partial_evaluation;

cedar-policy/Cargo.toml

@@ -3,7 +3,7 @@ name = "cedar-policy"
 edition = "2021"
 rust-version = "1.76.0"  # minimum supported Rust version is currently 1.76.0 because `cedar-policy-core` requirement. Check with `cargo install cargo-msrv && cargo msrv --min 1.75.0`
 
-version = "3.2.1"
+version = "3.2.2"
 license = "Apache-2.0"
 categories = ["compilers", "config"]
 description = "Cedar is a language for defining permissions as policies, which describe who should have access to what."
@@ -12,8 +12,8 @@ homepage = "https://cedarpolicy.com"
 repository = "https://github.com/cedar-policy/cedar"
 
 [dependencies]
-cedar-policy-core = { version = "=3.2.1", path = "../cedar-policy-core" }
-cedar-policy-validator = { version = "=3.2.1", path = "../cedar-policy-validator" }
+cedar-policy-core = { version = "=3.2.2", path = "../cedar-policy-core" }
+cedar-policy-validator = { version = "=3.2.2", path = "../cedar-policy-validator" }
 ref-cast = "1.0"
 serde = { version = "1.0", features = ["derive", "rc"] }
 serde_json = "1.0"
@@ -48,7 +48,7 @@ integration_testing = []
 # Experimental features.
 # Enable all experimental features with `cargo build --features "experimental"`
 experimental = ["partial-eval", "permissive-validate", "partial-validate"]
-partial-eval = ["cedar-policy-core/partial-eval"]
+partial-eval = ["cedar-policy-core/partial-eval", "cedar-policy-validator/partial-eval"]
 permissive-validate = []
 partial-validate = ["cedar-policy-validator/partial-validate"]
 wasm = ["serde-wasm-bindgen", "tsify", "wasm-bindgen"]