Fix validation for action entitites in TPE #1838
Conversation
Signed-off-by: Lucas Käldström <[email protected]>
Coverage ReportHead Commit: Base Commit: Download the full coverage report. Coverage of Added or Modified Lines of Rust CodeRequired coverage: 80.00% Actual coverage: 100.00% Status: PASSED ✅ Details
Coverage of All Lines of Rust CodeRequired coverage: 80.00% Actual coverage: 84.08% Status: PASSED ✅ Details
|
| let etype = uid.entity_type(); | ||
|
|
||
| if self.uid.is_action() { | ||
| if self.attrs.is_none() || self.tags.is_none() { |
There was a problem hiding this comment.
I believe here none is used to denote unknown attributes / tags. Which is different from no attributes which would be represented as Some(Empty BTreeMap).
@shaobo-he-aws can confirm.
There was a problem hiding this comment.
In the code you linked here, if you changed lines 425 and 434 to be Some(BTreeMap::new()) does it work as expected without this patch?
There was a problem hiding this comment.
@chaluli is correct.
There was a problem hiding this comment.
I'll check. Don't remember of the top of my head, it's a month or so since I looked at this, I just put a note to myself to check this later
|
To your aside, I agree we should have a way to automatically add the action entities on a users behalf within TPE because the schema is known (perhaps as a separate API for constructing a partial entities). |
As a matter of fact, actions are inserted in |
|
Awesome. Thanks @shaobo-he-aws |
|
Awesome, #1844 addresses this then 💯 |
3 participants
Description of changes
In the Cedar+Kubernetes integration, I noticed that I could not use TPE correctly. At first, I did not add the action entities to the entities list when running TPE, but then the residual contained things like
action in Action::"foo", which I did not want, as this data is in fact known at this point.However, adding the actions to the entity list manually here yielded an error, as
PartialEntity.validateboth errors if the action hasNoneandSomeattributes and tags, which I presume is a bug.With this patch the k8s integration works as expected.
As a side point: it'd be nice to not have to do the extra work of adding the action entities at all, but let that be done automatically by TPE, as it anyways has the schema at hand.
FYI @shaobo-he-aws
I'll make a unit test once you've confirmed removing this if statement was desired.
Checklist for requesting a review
The change in this PR is (choose one, and delete the other options):
I confirm that this PR (choose one, and delete the other options):
I confirm that
cedar-spec(choose one, and delete the other options):cedar-spec. (Post your PR anyways, and we'll discuss in the comments.)Not sure if this is covered (or should be) by DRT.
I confirm that
docs.cedarpolicy.com(choose one, and delete the other options):