Description
Category
User level API changes
Describe the feature you'd like to request
With the current `cedar_policy_core::Authorizer::is_authorized_core` method implementation, when satisfied permits are available and no satisfied or residual forbids are found, the `cedar_policy::Authorizer` responds with the `Allow` decision and only the satisfied permits policy set.
However, users can also be interested in the residual permits even though these policies do not affect the `Allow` decision (or the residual forbids when there are satisfied forbids).
For example, a user may want to collect all the annotations of policies that contribute to an `Allow` decision. But due to some unknowns, residual permits policies will be neglected from the response, while ideally the user could then resolve these unknowns and re-evaluate the residual permit policies to collect all annotations.
One way to achieve this is by tweaking the input of an existing method, `cedar_policy_core::Authorizer::evaluate_policies`, and exposing it as a public method in the `cedar_policy` crate. The method would just return evaluation results and their corresponding policies and leave it to the users in terms of what to do next.
Describe alternatives you've considered
Wrap the `cedar_policy_core::Evaluator` struct and expose it in the `cedar_policy` crate.
Additional context
No response
Is this something that you'd be interested in working on?
- 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change
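
The behaviour described in this request, as a simplified stand-alone Rust model; this is an added example, not code from `cedar_policy` or from the issue author. Every type and function name in it is hypothetical (its `evaluate_policies` only mirrors the idea of the requested method), `mfa` stands in for an unknown, and the default-deny and pending branches are assumptions.

```rust
// Simplified model of the issue's scenario; not cedar_policy code, all names hypothetical.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Effect { Permit, Forbid }
#[derive(Debug, Clone, Copy, PartialEq)]
enum Eval { Satisfied, Unsatisfied, Residual }
#[derive(Debug, Clone, Copy, PartialEq)]
enum Cond { Always, IfMfa } // IfMfa reads a context value that may be unknown
struct Policy { id: &'static str, effect: Effect, cond: Cond }
#[derive(Debug, PartialEq)]
enum Response { Allow(Vec<&'static str>), Deny(Vec<&'static str>), Residual(Vec<&'static str>) }
type Row = (&'static str, Effect, Eval);

/// The per-policy view the issue asks to expose: nothing is filtered out.
fn evaluate_policies(ps: &[Policy], mfa: Option<bool>) -> Vec<Row> {
    ps.iter().map(|p| {
        let eval = match (p.cond, mfa) {
            (Cond::Always, _) | (Cond::IfMfa, Some(true)) => Eval::Satisfied,
            (Cond::IfMfa, Some(false)) => Eval::Unsatisfied,
            (Cond::IfMfa, None) => Eval::Residual,
        };
        (p.id, p.effect, eval)
    }).collect()
}
fn pick(rs: &[Row], e: Effect, v: Eval) -> Vec<&'static str> {
    rs.iter().filter(|r| r.1 == e && r.2 == v).map(|r| r.0).collect()
}

/// Decision step as the issue describes it; the last two branches are assumptions.
fn is_authorized(ps: &[Policy], mfa: Option<bool>) -> Response {
    let rs = evaluate_policies(ps, mfa);
    let (sat_f, res_f) = (pick(&rs, Effect::Forbid, Eval::Satisfied), pick(&rs, Effect::Forbid, Eval::Residual));
    let (sat_p, res_p) = (pick(&rs, Effect::Permit, Eval::Satisfied), pick(&rs, Effect::Permit, Eval::Residual));
    if !sat_f.is_empty() {
        Response::Deny(sat_f) // residual forbids are not reported
    } else if !sat_p.is_empty() && res_f.is_empty() {
        Response::Allow(sat_p) // residual permits are not reported
    } else if sat_p.is_empty() && res_p.is_empty() {
        Response::Deny(vec![]) // assumed default deny: nothing can permit
    } else {
        Response::Residual([res_f, res_p].concat()) // assumed: decision still pending
    }
}
/// Constructed sample: two permits, one of which depends on the unknown.
fn sample() -> Vec<Policy> {
    vec![Policy { id: "permit-owner", effect: Effect::Permit, cond: Cond::Always },
         Policy { id: "permit-mfa", effect: Effect::Permit, cond: Cond::IfMfa }]
}
fn main() {
    println!("{:?}", is_authorized(&sample(), None)); // residual permit absent here
    println!("{:?}", evaluate_policies(&sample(), None)); // residual permit visible here
}
```

With the unknown unresolved, the decision lists only `permit-owner`, while the per-policy rows still show `permit-mfa` as residual, so a caller can resolve the unknown and re-evaluate to collect every contributing policy.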