package ast_test
import (
"net/netip"
"testing"
"time"
"github.com/cedar-policy/cedar-go/internal/testutil"
"github.com/cedar-policy/cedar-go/types"
"github.com/cedar-policy/cedar-go/x/exp/ast"
)
// These tests serve mostly as examples of how to translate from Cedar text into programmatic AST construction. They
// don't verify anything.
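func TestAstExamples(t *testing.T) {
	// No assertions are made: each policy is built and discarded. The Cedar
	// text in the comments is therefore the only statement of intent, and it
	// has to agree with the builder calls beneath it.
	t.Parallel()

	johnny := types.NewEntityUID("User", "johnny")
	sow := types.NewEntityUID("Action", "sow")
	cast := types.NewEntityUID("Action", "cast")

	// @example("one")
	// permit (
	//     principal == User::"johnny",
	//     action in [Action::"sow", Action::"cast"],
	//     resource
	// )
	// when { true }
	// unless { false };
	//
	// PrincipalEq builds the equality scope shown above. PrincipalIsIn builds
	// an is-in scope instead (a type test plus hierarchy membership), which
	// can match more principals than `==` does.
	_ = ast.Annotation("example", "one").
		Permit().
		PrincipalEq(johnny).
		ActionInSet(sow, cast).
		When(ast.True()).
		Unless(ast.False())

	// @example("two")
	// forbid (principal, action, resource)
	// when { resource.tags.contains("private") }
	// unless { resource in principal.allowed_resources };
	private := "private"
	_ = ast.Annotation("example", "two").
		Forbid().
		When(
			ast.Resource().Access("tags").Contains(ast.String(private)),
		).
		Unless(
			ast.Resource().In(ast.Principal().Access("allowed_resources")),
		)

	// forbid (principal, action, resource)
	// when { {x: "value"}.x == "value" }
	// when { {x: 1 + context.fooCount}.x == 3 }
	// when { [1, (2 + 3) * 4, context.fooCount].contains(1) };
	//
	// The first record is a ready-made types.Record wrapped with ast.Value; the
	// second is assembled from nodes with ast.Record because one of its values
	// is an expression over context.
	simpleRecord := types.NewRecord(types.RecordMap{
		"x": types.String("value"),
	})
	_ = ast.Forbid().
		When(
			ast.Value(simpleRecord).Access("x").Equal(ast.String("value")),
		).
		When(
			ast.Record(ast.Pairs{{Key: "x", Value: ast.Long(1).Add(ast.Context().Access("fooCount"))}}).
				Access("x").Equal(ast.Long(3)),
		).
		When(
			ast.Set(
				ast.Long(1),
				ast.Long(2).Add(ast.Long(3)).Multiply(ast.Long(4)),
				ast.Context().Access("fooCount"),
			).Contains(ast.Long(1)),
		)
}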
// TestASTByTable checks, case by case, that a chain of builder calls yields
// exactly the expected ast.Policy value.
//
// Two things the expectations make visible:
//   - Most operator cases use Long operands even where the operator is meant
//     for another type (isIpv4, lessThan on decimals, ...). They pin the shape
//     of the produced node only; the builder is expected to accept such
//     operands, so ill-typed expressions are not rejected at construction time.
//   - Repeating an annotation key or a record key is expected to keep only the
//     last value rather than fail.
func TestASTByTable(t *testing.T) {
	t.Parallel()

	// Expected-side operands shared by many cases.
	var (
		vTrue  = ast.NodeValue{Value: types.True}
		vFalse = ast.NodeValue{Value: types.False}
		l42    = ast.NodeValue{Value: types.Long(42)}
		l43    = ast.NodeValue{Value: types.Long(43)}
		t42    = types.NewEntityUID("T", "42")
		t43    = types.NewEntityUID("T", "43")
		zeroDT = ast.NodeValue{Value: types.NewDatetime(time.Time{})}
		dur100 = ast.NodeValue{Value: types.NewDuration(time.Duration(100))}
	)
	// Left 42, right 43: the operand pair behind every binary-operator case.
	pair := ast.BinaryNode{Left: l42, Right: l43}
	// Single `true` operand for the unary-operator cases.
	unaryTrue := ast.UnaryNode{Arg: vTrue}

	// permitWhen is the policy expected from ast.Permit().When(<expr>): permit
	// effect, all three scopes unconstrained, and one "when" condition whose
	// body is the given node.
	permitWhen := func(body ast.IsNode) ast.Policy {
		return ast.Policy{
			Effect:     ast.EffectPermit,
			Principal:  ast.ScopeTypeAll{},
			Action:     ast.ScopeTypeAll{},
			Resource:   ast.ScopeTypeAll{},
			Conditions: []ast.ConditionType{{Condition: ast.ConditionWhen, Body: body}},
		}
	}

	cases := []struct {
		name  string
		built *ast.Policy
		want  ast.Policy
	}{
		// Effects and annotations.
		{
			name:  "permit",
			built: ast.Permit(),
			want: ast.Policy{
				Effect:    ast.EffectPermit,
				Principal: ast.ScopeTypeAll{},
				Action:    ast.ScopeTypeAll{},
				Resource:  ast.ScopeTypeAll{},
			},
		},
		{
			name:  "forbid",
			built: ast.Forbid(),
			want: ast.Policy{
				Effect:    ast.EffectForbid,
				Principal: ast.ScopeTypeAll{},
				Action:    ast.ScopeTypeAll{},
				Resource:  ast.ScopeTypeAll{},
			},
		},
		{
			name:  "annotationPermit",
			built: ast.Annotation("key", "value").Permit(),
			want: ast.Policy{
				Annotations: []ast.AnnotationType{{Key: "key", Value: "value"}},
				Effect:      ast.EffectPermit,
				Principal:   ast.ScopeTypeAll{},
				Action:      ast.ScopeTypeAll{},
				Resource:    ast.ScopeTypeAll{},
			},
		},
		{
			name:  "annotationForbid",
			built: ast.Annotation("key", "value").Forbid(),
			want: ast.Policy{
				Annotations: []ast.AnnotationType{{Key: "key", Value: "value"}},
				Effect:      ast.EffectForbid,
				Principal:   ast.ScopeTypeAll{},
				Action:      ast.ScopeTypeAll{},
				Resource:    ast.ScopeTypeAll{},
			},
		},
		{
			name:  "annotations",
			built: ast.Annotation("key", "value").Annotation("abc", "xyz").Permit(),
			want: ast.Policy{
				Annotations: []ast.AnnotationType{{Key: "key", Value: "value"}, {Key: "abc", Value: "xyz"}},
				Effect:      ast.EffectPermit,
				Principal:   ast.ScopeTypeAll{},
				Action:      ast.ScopeTypeAll{},
				Resource:    ast.ScopeTypeAll{},
			},
		},
		{
			name:  "policyAnnotate",
			built: ast.Permit().Annotate("key", "value"),
			want: ast.Policy{
				Annotations: []ast.AnnotationType{{Key: "key", Value: "value"}},
				Effect:      ast.EffectPermit,
				Principal:   ast.ScopeTypeAll{},
				Action:      ast.ScopeTypeAll{},
				Resource:    ast.ScopeTypeAll{},
			},
		},

		// Conditions.
		{
			name:  "when",
			built: ast.Permit().When(ast.True()),
			want:  permitWhen(vTrue),
		},
		{
			name:  "unless",
			built: ast.Permit().Unless(ast.True()),
			want: ast.Policy{
				Effect:     ast.EffectPermit,
				Principal:  ast.ScopeTypeAll{},
				Action:     ast.ScopeTypeAll{},
				Resource:   ast.ScopeTypeAll{},
				Conditions: []ast.ConditionType{{Condition: ast.ConditionUnless, Body: vTrue}},
			},
		},

		// Scope constraints: each case narrows exactly one of principal, action
		// and resource and expects the other two to stay ScopeTypeAll.
		{
			name:  "scopePrincipalEq",
			built: ast.Permit().PrincipalEq(types.NewEntityUID("T", "42")),
			want: ast.Policy{
				Effect:    ast.EffectPermit,
				Principal: ast.ScopeTypeEq{Entity: t42},
				Action:    ast.ScopeTypeAll{},
				Resource:  ast.ScopeTypeAll{},
			},
		},
		{
			name:  "scopePrincipalIn",
			built: ast.Permit().PrincipalIn(types.NewEntityUID("T", "42")),
			want: ast.Policy{
				Effect:    ast.EffectPermit,
				Principal: ast.ScopeTypeIn{Entity: t42},
				Action:    ast.ScopeTypeAll{},
				Resource:  ast.ScopeTypeAll{},
			},
		},
		{
			name:  "scopePrincipalIs",
			built: ast.Permit().PrincipalIs("T"),
			want: ast.Policy{
				Effect:    ast.EffectPermit,
				Principal: ast.ScopeTypeIs{Type: types.EntityType("T")},
				Action:    ast.ScopeTypeAll{},
				Resource:  ast.ScopeTypeAll{},
			},
		},
		{
			name:  "scopePrincipalIsIn",
			built: ast.Permit().PrincipalIsIn("T", types.NewEntityUID("T", "42")),
			want: ast.Policy{
				Effect:    ast.EffectPermit,
				Principal: ast.ScopeTypeIsIn{Type: types.EntityType("T"), Entity: t42},
				Action:    ast.ScopeTypeAll{},
				Resource:  ast.ScopeTypeAll{},
			},
		},
		{
			name:  "scopeActionEq",
			built: ast.Permit().ActionEq(types.NewEntityUID("T", "42")),
			want: ast.Policy{
				Effect:    ast.EffectPermit,
				Principal: ast.ScopeTypeAll{},
				Action:    ast.ScopeTypeEq{Entity: t42},
				Resource:  ast.ScopeTypeAll{},
			},
		},
		{
			name:  "scopeActionIn",
			built: ast.Permit().ActionIn(types.NewEntityUID("T", "42")),
			want: ast.Policy{
				Effect:    ast.EffectPermit,
				Principal: ast.ScopeTypeAll{},
				Action:    ast.ScopeTypeIn{Entity: t42},
				Resource:  ast.ScopeTypeAll{},
			},
		},
		{
			name:  "scopeActionInSet",
			built: ast.Permit().ActionInSet(types.NewEntityUID("T", "42"), types.NewEntityUID("T", "43")),
			want: ast.Policy{
				Effect:    ast.EffectPermit,
				Principal: ast.ScopeTypeAll{},
				Action:    ast.ScopeTypeInSet{Entities: []types.EntityUID{t42, t43}},
				Resource:  ast.ScopeTypeAll{},
			},
		},
		{
			name:  "scopeResourceEq",
			built: ast.Permit().ResourceEq(types.NewEntityUID("T", "42")),
			want: ast.Policy{
				Effect:    ast.EffectPermit,
				Principal: ast.ScopeTypeAll{},
				Action:    ast.ScopeTypeAll{},
				Resource:  ast.ScopeTypeEq{Entity: t42},
			},
		},
		{
			name:  "scopeResourceIn",
			built: ast.Permit().ResourceIn(types.NewEntityUID("T", "42")),
			want: ast.Policy{
				Effect:    ast.EffectPermit,
				Principal: ast.ScopeTypeAll{},
				Action:    ast.ScopeTypeAll{},
				Resource:  ast.ScopeTypeIn{Entity: t42},
			},
		},
		{
			name:  "scopeResourceIs",
			built: ast.Permit().ResourceIs("T"),
			want: ast.Policy{
				Effect:    ast.EffectPermit,
				Principal: ast.ScopeTypeAll{},
				Action:    ast.ScopeTypeAll{},
				Resource:  ast.ScopeTypeIs{Type: types.EntityType("T")},
			},
		},
		{
			name:  "scopeResourceIsIn",
			built: ast.Permit().ResourceIsIn("T", types.NewEntityUID("T", "42")),
			want: ast.Policy{
				Effect:    ast.EffectPermit,
				Principal: ast.ScopeTypeAll{},
				Action:    ast.ScopeTypeAll{},
				Resource:  ast.ScopeTypeIsIn{Type: types.EntityType("T"), Entity: t42},
			},
		},

		// Request variables.
		{
			name:  "variablePrincipal",
			built: ast.Permit().When(ast.Principal()),
			want:  permitWhen(ast.NodeTypeVariable{Name: "principal"}),
		},
		{
			name:  "variableAction",
			built: ast.Permit().When(ast.Action()),
			want:  permitWhen(ast.NodeTypeVariable{Name: "action"}),
		},
		{
			name:  "variableResource",
			built: ast.Permit().When(ast.Resource()),
			want:  permitWhen(ast.NodeTypeVariable{Name: "resource"}),
		},
		{
			name:  "variableContext",
			built: ast.Permit().When(ast.Context()),
			want:  permitWhen(ast.NodeTypeVariable{Name: "context"}),
		},

		// Literal values.
		{
			name:  "valueBoolFalse",
			built: ast.Permit().When(ast.Boolean(false)),
			want:  permitWhen(vFalse),
		},
		{
			name:  "valueBoolTrue",
			built: ast.Permit().When(ast.Boolean(true)),
			want:  permitWhen(vTrue),
		},
		{
			name:  "valueTrue",
			built: ast.Permit().When(ast.True()),
			want:  permitWhen(vTrue),
		},
		{
			name:  "valueFalse",
			built: ast.Permit().When(ast.False()),
			want:  permitWhen(vFalse),
		},
		{
			name:  "valueString",
			built: ast.Permit().When(ast.String("cedar")),
			want:  permitWhen(ast.NodeValue{Value: types.String("cedar")}),
		},
		{
			name:  "valueLong",
			built: ast.Permit().When(ast.Long(42)),
			want:  permitWhen(l42),
		},
		{
			// A ready-made types.Set stays a single value node ...
			name:  "valueSet",
			built: ast.Permit().When(ast.Value(types.NewSet(types.Long(42), types.Long(43)))),
			want:  permitWhen(ast.NodeValue{Value: types.NewSet(types.Long(42), types.Long(43))}),
		},
		{
			// ... while ast.Set over nodes becomes a set node with one child per element.
			name:  "valueSetNodes",
			built: ast.Permit().When(ast.Set(ast.Long(42), ast.Long(43))),
			want:  permitWhen(ast.NodeTypeSet{Elements: []ast.IsNode{l42, l43}}),
		},
		{
			name:  "valueRecord",
			built: ast.Permit().When(ast.Value(types.NewRecord(types.RecordMap{"key": types.Long(43)}))),
			want:  permitWhen(ast.NodeValue{Value: types.NewRecord(types.RecordMap{"key": types.Long(43)})}),
		},
		{
			name:  "valueEntityUID",
			built: ast.Permit().When(ast.EntityUID("T", "42")),
			want:  permitWhen(ast.NodeValue{Value: t42}),
		},
		{
			name:  "valueIPAddr",
			built: ast.Permit().When(ast.IPAddr(netip.MustParsePrefix("127.0.0.1/16"))),
			want:  permitWhen(ast.NodeValue{Value: types.IPAddr(netip.MustParsePrefix("127.0.0.1/16"))}),
		},
		{
			name:  "extensionCall",
			built: ast.Permit().When(ast.ExtensionCall("ip", ast.String("127.0.0.1"))),
			want: permitWhen(ast.NodeTypeExtensionCall{
				Name: "ip",
				Args: []ast.IsNode{ast.NodeValue{Value: types.String("127.0.0.1")}},
			}),
		},

		// Comparison operators.
		{
			name:  "opEquals",
			built: ast.Permit().When(ast.Long(42).Equal(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeEquals{BinaryNode: pair}),
		},
		{
			name:  "opNotEquals",
			built: ast.Permit().When(ast.Long(42).NotEqual(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeNotEquals{BinaryNode: pair}),
		},
		{
			name:  "opLessThan",
			built: ast.Permit().When(ast.Long(42).LessThan(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeLessThan{BinaryNode: pair}),
		},
		{
			name:  "opLessThanOrEqual",
			built: ast.Permit().When(ast.Long(42).LessThanOrEqual(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeLessThanOrEqual{BinaryNode: pair}),
		},
		{
			name:  "opGreaterThan",
			built: ast.Permit().When(ast.Long(42).GreaterThan(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeGreaterThan{BinaryNode: pair}),
		},
		{
			name:  "opGreaterThanOrEqual",
			built: ast.Permit().When(ast.Long(42).GreaterThanOrEqual(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeGreaterThanOrEqual{BinaryNode: pair}),
		},

		// The Decimal* comparisons are expected to become extension calls, not
		// the operator nodes used by the plain comparisons above.
		{
			name:  "opLessThanExt",
			built: ast.Permit().When(ast.Long(42).DecimalLessThan(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "lessThan", Args: []ast.IsNode{l42, l43}}),
		},
		{
			name:  "opLessThanOrEqualExt",
			built: ast.Permit().When(ast.Long(42).DecimalLessThanOrEqual(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "lessThanOrEqual", Args: []ast.IsNode{l42, l43}}),
		},
		{
			name:  "opGreaterThanExt",
			built: ast.Permit().When(ast.Long(42).DecimalGreaterThan(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "greaterThan", Args: []ast.IsNode{l42, l43}}),
		},
		{
			name:  "opGreaterThanOrEqualExt",
			built: ast.Permit().When(ast.Long(42).DecimalGreaterThanOrEqual(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "greaterThanOrEqual", Args: []ast.IsNode{l42, l43}}),
		},

		// Pattern matching, boolean logic, conditional and arithmetic.
		{
			name:  "opLike",
			built: ast.Permit().When(ast.Long(42).Like(types.NewPattern(types.Wildcard{}))),
			want:  permitWhen(ast.NodeTypeLike{Arg: l42, Value: types.NewPattern(types.Wildcard{})}),
		},
		{
			name:  "opAnd",
			built: ast.Permit().When(ast.Long(42).And(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeAnd{BinaryNode: pair}),
		},
		{
			name:  "opOr",
			built: ast.Permit().When(ast.Long(42).Or(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeOr{BinaryNode: pair}),
		},
		{
			name:  "opNot",
			built: ast.Permit().When(ast.Not(ast.True())),
			want:  permitWhen(ast.NodeTypeNot{UnaryNode: unaryTrue}),
		},
		{
			name:  "opIf",
			built: ast.Permit().When(ast.IfThenElse(ast.True(), ast.Long(42), ast.Long(43))),
			want:  permitWhen(ast.NodeTypeIfThenElse{If: vTrue, Then: l42, Else: l43}),
		},
		{
			name:  "opPlus",
			built: ast.Permit().When(ast.Long(42).Add(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeAdd{BinaryNode: pair}),
		},
		{
			name:  "opMinus",
			built: ast.Permit().When(ast.Long(42).Subtract(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeSub{BinaryNode: pair}),
		},
		{
			name:  "opTimes",
			built: ast.Permit().When(ast.Long(42).Multiply(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeMult{BinaryNode: pair}),
		},
		{
			name:  "opNegate",
			built: ast.Permit().When(ast.Negate(ast.True())),
			want:  permitWhen(ast.NodeTypeNegate{UnaryNode: unaryTrue}),
		},

		// Hierarchy, type and container operators.
		{
			name:  "opIn",
			built: ast.Permit().When(ast.Long(42).In(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeIn{BinaryNode: pair}),
		},
		{
			name:  "opIs",
			built: ast.Permit().When(ast.Long(42).Is("T")),
			want:  permitWhen(ast.NodeTypeIs{Left: l42, EntityType: types.EntityType("T")}),
		},
		{
			name:  "opIsIn",
			built: ast.Permit().When(ast.Long(42).IsIn("T", ast.Long(43))),
			want: permitWhen(ast.NodeTypeIsIn{
				NodeTypeIs: ast.NodeTypeIs{Left: l42, EntityType: types.EntityType("T")},
				Entity:     l43,
			}),
		},
		{
			name:  "opContains",
			built: ast.Permit().When(ast.Long(42).Contains(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeContains{BinaryNode: pair}),
		},
		{
			name:  "opContainsAll",
			built: ast.Permit().When(ast.Long(42).ContainsAll(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeContainsAll{BinaryNode: pair}),
		},
		{
			name:  "opContainsAny",
			built: ast.Permit().When(ast.Long(42).ContainsAny(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeContainsAny{BinaryNode: pair}),
		},
		{
			name:  "opAccess",
			built: ast.Permit().When(ast.Long(42).Access("key")),
			want:  permitWhen(ast.NodeTypeAccess{StrOpNode: ast.StrOpNode{Arg: l42, Value: "key"}}),
		},
		{
			name:  "opHas",
			built: ast.Permit().When(ast.Long(42).Has("key")),
			want:  permitWhen(ast.NodeTypeHas{StrOpNode: ast.StrOpNode{Arg: l42, Value: "key"}}),
		},

		// IP-address extension methods, applied here to Long operands.
		{
			name:  "opIsIpv4",
			built: ast.Permit().When(ast.Long(42).IsIpv4()),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "isIpv4", Args: []ast.IsNode{l42}}),
		},
		{
			name:  "opIsIpv6",
			built: ast.Permit().When(ast.Long(42).IsIpv6()),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "isIpv6", Args: []ast.IsNode{l42}}),
		},
		{
			name:  "opIsMulticast",
			built: ast.Permit().When(ast.Long(42).IsMulticast()),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "isMulticast", Args: []ast.IsNode{l42}}),
		},
		{
			name:  "opIsLoopback",
			built: ast.Permit().When(ast.Long(42).IsLoopback()),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "isLoopback", Args: []ast.IsNode{l42}}),
		},
		{
			name:  "opIsInRange",
			built: ast.Permit().When(ast.Long(42).IsInRange(ast.Long(43))),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "isInRange", Args: []ast.IsNode{l42, l43}}),
		},

		// Datetime and duration extension methods.
		{
			name:  "opOffset",
			built: ast.Permit().When(ast.Datetime(time.Time{}).Offset(ast.Duration(time.Duration(100)))),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "offset", Args: []ast.IsNode{zeroDT, dur100}}),
		},
		{
			name:  "opDurationSince",
			built: ast.Permit().When(ast.Datetime(time.Time{}).DurationSince(ast.Datetime(time.Time{}))),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "durationSince", Args: []ast.IsNode{zeroDT, zeroDT}}),
		},
		{
			name:  "opToDate",
			built: ast.Permit().When(ast.Datetime(time.Time{}).ToDate()),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "toDate", Args: []ast.IsNode{zeroDT}}),
		},
		{
			name:  "opToTime",
			built: ast.Permit().When(ast.Datetime(time.Time{}).ToTime()),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "toTime", Args: []ast.IsNode{zeroDT}}),
		},
		{
			name:  "opToDays",
			built: ast.Permit().When(ast.Duration(time.Duration(100)).ToDays()),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "toDays", Args: []ast.IsNode{dur100}}),
		},
		{
			name:  "opToHours",
			built: ast.Permit().When(ast.Duration(time.Duration(100)).ToHours()),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "toHours", Args: []ast.IsNode{dur100}}),
		},
		{
			name:  "opToMinutes",
			built: ast.Permit().When(ast.Duration(time.Duration(100)).ToMinutes()),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "toMinutes", Args: []ast.IsNode{dur100}}),
		},
		{
			name:  "opToSeconds",
			built: ast.Permit().When(ast.Duration(time.Duration(100)).ToSeconds()),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "toSeconds", Args: []ast.IsNode{dur100}}),
		},
		{
			name:  "opToMilliseconds",
			built: ast.Permit().When(ast.Duration(time.Duration(100)).ToMilliseconds()),
			want:  permitWhen(ast.NodeTypeExtensionCall{Name: "toMilliseconds", Args: []ast.IsNode{dur100}}),
		},

		// Duplicate keys: the expected values hold a single entry carrying the
		// last value supplied, i.e. the earlier one is dropped without an error.
		{
			name:  "duplicateAnnotations",
			built: ast.Permit().Annotate("key", "value").Annotate("key", "value2"),
			want: ast.Policy{
				Annotations: []ast.AnnotationType{{Key: "key", Value: "value2"}},
				Effect:      ast.EffectPermit,
				Principal:   ast.ScopeTypeAll{},
				Action:      ast.ScopeTypeAll{},
				Resource:    ast.ScopeTypeAll{},
			},
		},
		{
			name:  "valueRecordElements",
			built: ast.Permit().When(ast.Record(ast.Pairs{{Key: "key", Value: ast.Long(42)}})),
			want: permitWhen(ast.NodeTypeRecord{
				Elements: []ast.RecordElementNode{{Key: "key", Value: l42}},
			}),
		},
		{
			name:  "duplicateValueRecordElements",
			built: ast.Permit().When(ast.Record(ast.Pairs{{Key: "key", Value: ast.Long(42)}, {Key: "key", Value: ast.Long(43)}})),
			want: permitWhen(ast.NodeTypeRecord{
				Elements: []ast.RecordElementNode{{Key: "key", Value: l43}},
			}),
		},
	}

	for i := range cases {
		// Per-iteration copy, so each parallel subtest closes over its own case.
		tc := cases[i]
		t.Run(tc.name, func(t *testing.T) {
			t.Parallel()
			testutil.Equals(t, tc.built, &tc.want)
		})
	}
}