Address type mismatch false positive by implementing context validation

Mish Jude · Mish Jude · commit 3f8386e39d91 · 2025-06-05T19:31:52.000Z
cr: https://code.amazon.com/reviews/CR-200369282
diff --git a/cedar-policy-core/src/ast/request.rs b/cedar-policy-core/src/ast/request.rs
@@ -612,6 +612,14 @@ pub trait RequestSchema {
         request: &Request,
         extensions: &Extensions<'_>,
     ) -> Result<(), Self::Error>;
+
+    /// Validate the given `context`, returning `Err` if it fails validation
+    fn validate_context<'a>(
+        &self,
+        context: &Context,
+        action: &EntityUID,
+        extensions: &Extensions<'a>,
+    ) -> std::result::Result<(), Self::Error>;
 }
 
 /// A `RequestSchema` that does no validation and always reports a passing result
@@ -626,6 +634,17 @@ impl RequestSchema for RequestSchemaAllPass {
     ) -> Result<(), Self::Error> {
         Ok(())
     }
+
+    fn validate_context<'a>(
+        &self,
+        _context: &Context,
+        _action: &EntityUID,
+        _extensions: &Extensions<'a>,
+    ) -> std::result::Result<(), Self::Error> {
+        Ok(())
+    }
+
+    
 }
 
 /// Wrapper around `std::convert::Infallible` which also implements
diff --git a/cedar-policy-validator/src/coreschema.rs b/cedar-policy-validator/src/coreschema.rs
@@ -260,6 +260,44 @@ impl ast::RequestSchema for ValidatorSchema {
         }
         Ok(())
     }
+
+    /// Validate a context against a schema for a specific action
+    fn validate_context<'a>(
+        &self,
+        context: &ast::Context,
+        action: &ast::EntityUID,
+        extensions: &Extensions<'a>,
+    ) -> std::result::Result<(), RequestValidationError> {
+        // Following the same logic in validate_request
+        // Get the action ID
+        let action_arc = Arc::new(action.clone());
+        let validator_action_id = self.get_action_id(&action_arc).ok_or_else(|| {
+            request_validation_errors::UndeclaredActionError {
+                action: action_arc.clone(),
+            }
+        })?;
+        
+        // Validate entity UIDs in the context
+        validate_euids_in_partial_value(
+            &CoreSchema::new(&self),
+            &context.clone().into(),
+        )
+        .map_err(RequestValidationError::InvalidEnumEntity)?;
+        
+        // Typecheck the context against the expected context type
+        let expected_context_ty = validator_action_id.context_type();
+        if !expected_context_ty
+            .typecheck_partial_value(&context.clone().into(), extensions)
+            .map_err(RequestValidationError::TypeOfContext)?
+        {
+            return Err(request_validation_errors::InvalidContextError {
+                context: context.clone(),
+                action: action_arc,
+            }
+            .into());
+        }
+        Ok(())
+    }
 }
 
 impl ValidatorActionId {
@@ -305,6 +343,16 @@ impl ast::RequestSchema for CoreSchema<'_> {
     ) -> Result<(), Self::Error> {
         self.schema.validate_request(request, extensions)
     }
+
+    /// Validate the given `context`, returning `Err` if it fails validation
+    fn validate_context<'a>(
+        &self,
+        context: &cedar_policy_core::ast::Context,
+        action: &EntityUID,
+        extensions: &Extensions<'a>,
+    ) -> std::result::Result<(), Self::Error> {
+        self.schema.validate_context(context, action, extensions)
+    }
 }
 
 /// Error when the request does not conform to the schema.
diff --git a/cedar-policy/src/api.rs b/cedar-policy/src/api.rs
@@ -44,7 +44,7 @@ pub use ast::Effect;
 pub use authorizer::Decision;
 #[cfg(feature = "partial-eval")]
 use cedar_policy_core::ast::BorrowedRestrictedExpr;
-use cedar_policy_core::ast::{self, RestrictedExpr};
+use cedar_policy_core::ast::{self, RequestSchema, RestrictedExpr};
 use cedar_policy_core::authorizer;
 use cedar_policy_core::entities::{ContextSchema, Dereference};
 use cedar_policy_core::est::{self, TemplateLink};
@@ -4561,6 +4561,28 @@ impl Context {
     ) -> Result<Self, ContextCreationError> {
         Self::from_pairs(self.into_iter().chain(other_context))
     }
+
+    /// Validates this context against the provided schema
+    /// Returns Ok(()) if the context is valid according to the schema, or an error otherwise
+    pub fn validate_context(&self, schema: Option<&crate::Schema>, action: Option<&EntityUid>) -> std::result::Result<(), String> {
+        match (schema, action) {
+            (Some(schema), Some(action)) => {
+                // Get the context schema for this action
+                let _context_schema = Self::get_context_schema(schema, action)
+                    .map_err(|e| format!("Context schema error: {}", e))?;
+                
+                // Call the validate_context function from coreschema.rs
+                RequestSchema::validate_context(
+                    &schema.0,
+                    &self.0,
+                    action.as_ref(),
+                    &Extensions::all_available()
+                )
+                .map_err(|e| format!("Context validation failed: {}", e))
+            },
+            _ => Ok(()) // If no schema or action provided, we can't validate, so return Ok
+        }
+    }
 }
 
 /// Utilities for implementing `IntoIterator` for `Context`
diff --git a/cedar-policy/src/ffi/check_parse.rs b/cedar-policy/src/ffi/check_parse.rs
@@ -153,7 +153,20 @@ pub fn check_parse_context(call: ContextParsingCall) -> CheckParseAnswer {
             };
         }
     };
-    call.context.parse(schema.as_ref(), action.as_ref()).into()
+    
+    let parse_result = call.context.parse(schema.as_ref(), action.as_ref());
+    
+    // Check if the parsed context is valid
+    if let Ok(context) = &parse_result {
+        if let Err(err) = context.validate_context(schema.as_ref(), action.as_ref()) {
+            return CheckParseAnswer::Failure {
+                errors: vec![miette::Report::msg(err).into()],
+            };
+        }
+    }
+    
+    // Return the parse result if all other checks pass
+    parse_result.into()
 }
 
 /// Check whether a context successfully parses. Input is a JSON encoding of
@@ -534,4 +547,153 @@ mod test {
         let errs = assert_check_parse_is_err(&answer);
         assert_exactly_one_error(errs, "while parsing context, expected the record to have an attribute `referrer`, but it does not", None);
     }
+
+    #[test]
+    fn check_parse_context_fails_for_invalid_context_type(){
+        let call = json!({
+            "context": {
+                "authenticated": "foo"
+            },
+            "action": {
+                "type": "PhotoApp::Action",
+                "id": "viewPhoto"
+            },
+            "schema": {
+                "PhotoApp": {
+                    "commonTypes": {
+                        "PersonType": {
+                            "type": "Record",
+                            "attributes": {
+                                "age": {
+                                    "type": "Long"
+                                },
+                                "name": {
+                                    "type": "String"
+                                }
+                            }
+                        },
+                        "ContextType": {
+                            "type": "Record",
+                            "attributes": {
+                                "ip": {
+                                    "type": "Extension",
+                                    "name": "ipaddr",
+                                    "required": false
+                                },
+                                "authenticated": {
+                                    "type": "Boolean",
+                                    "required": true
+                                }
+                            }
+                        }
+                    },
+                    "entityTypes": {
+                        "User": {
+                            "shape": {
+                                "type": "Record",
+                                "attributes": {
+                                    "userId": {
+                                        "type": "String"
+                                    },
+                                    "personInformation": {
+                                        "type": "PersonType"
+                                    }
+                                }
+                            },
+                            "memberOfTypes": [
+                                "UserGroup"
+                            ]
+                        },
+                        "UserGroup": {
+                            "shape": {
+                                "type": "Record",
+                                "attributes": {}
+                            }
+                        },
+                        "Photo": {
+                            "shape": {
+                                "type": "Record",
+                                "attributes": {
+                                    "account": {
+                                        "type": "Entity",
+                                        "name": "Account",
+                                        "required": true
+                                    },
+                                    "private": {
+                                        "type": "Boolean",
+                                        "required": true
+                                    }
+                                }
+                            },
+                            "memberOfTypes": [
+                                "Album",
+                                "Account"
+                            ]
+                        },
+                        "Album": {
+                            "shape": {
+                                "type": "Record",
+                                "attributes": {}
+                            }
+                        },
+                        "Account": {
+                            "shape": {
+                                "type": "Record",
+                                "attributes": {}
+                            }
+                        }
+                    },
+                    "actions": {
+                        "viewPhoto": {
+                            "appliesTo": {
+                                "principalTypes": [
+                                    "User",
+                                    "UserGroup"
+                                ],
+                                "resourceTypes": [
+                                    "Photo"
+                                ],
+                                "context": {
+                                    "type": "ContextType"
+                                }
+                            }
+                        },
+                        "createPhoto": {
+                            "appliesTo": {
+                                "principalTypes": [
+                                    "User",
+                                    "UserGroup"
+                                ],
+                                "resourceTypes": [
+                                    "Photo"
+                                ],
+                                "context": {
+                                    "type": "ContextType"
+                                }
+                            }
+                        },
+                        "listPhotos": {
+                            "appliesTo": {
+                                "principalTypes": [
+                                    "User",
+                                    "UserGroup"
+                                ],
+                                "resourceTypes": [
+                                    "Photo"
+                                ],
+                                "context": {
+                                    "type": "ContextType"
+                                }
+                            }
+                        }
+                    }
+                }
+            
+            }
+        });
+        let answer = serde_json::from_value(check_parse_context_json(call).unwrap()).unwrap();
+        let errs = assert_check_parse_is_err(&answer);
+        assert_exactly_one_error(errs, "Context validation failed: context `{authenticated: \"foo\"}` is not valid for `PhotoApp::Action::\"viewPhoto\"`", None);
+    }
+
 }
