Improved support for nested rules

l46kok · copybara-github · commit 803aa2ee7e98 · 2024-08-14T17:35:38.000-07:00
PiperOrigin-RevId: 662601763
diff --git a/policy/src/main/java/dev/cel/policy/BUILD.bazel b/policy/src/main/java/dev/cel/policy/BUILD.bazel
@@ -227,6 +227,7 @@ java_library(
         "//bundle:cel",
         "//common",
         "//common:compiler_common",
+        "//common/ast",
         "@maven//:com_google_errorprone_error_prone_annotations",
         "@maven//:com_google_guava_guava",
     ],
@@ -304,7 +305,6 @@ java_library(
         "//common",
         "//common:compiler_common",
         "//common:mutable_ast",
-        "//common/ast",
         "//extensions:optional_library",
         "//optimizer:ast_optimizer",
         "//optimizer:mutable_ast",
diff --git a/policy/src/main/java/dev/cel/policy/CelCompiledRule.java b/policy/src/main/java/dev/cel/policy/CelCompiledRule.java
@@ -20,6 +20,8 @@
 import dev.cel.bundle.Cel;
 import dev.cel.common.CelAbstractSyntaxTree;
 import dev.cel.common.CelVarDecl;
+import dev.cel.common.ast.CelConstant;
+import dev.cel.common.ast.CelExpr;
 import java.util.Optional;
 
 /**
@@ -36,6 +38,28 @@ public abstract class CelCompiledRule {
 
   public abstract Cel cel();
 
+  /**
+   * HasOptionalOutput returns whether the rule returns a concrete or optional value. The rule may
+   * return an optional value if all match expressions under the rule are conditional.
+   */
+  public boolean hasOptionalOutput() {
+    boolean isOptionalOutput = false;
+    for (CelCompiledMatch match : matches()) {
+      if (match.result().kind().equals(CelCompiledMatch.Result.Kind.RULE)
+          && match.result().rule().hasOptionalOutput()) {
+        return true;
+      }
+
+      if (match.isConditionLiteral()) {
+        return false;
+      }
+
+      isOptionalOutput = true;
+    }
+
+    return isOptionalOutput;
+  }
+
   /**
    * A compiled policy variable (ex: variables.foo). Note that this is not the same thing as the
    * variables declared in the config.
@@ -63,6 +87,12 @@ public abstract static class CelCompiledMatch {
 
     public abstract Result result();
 
+    public boolean isConditionLiteral() {
+      CelExpr celExpr = condition().getExpr();
+      return celExpr.constantOrDefault().getKind().equals(CelConstant.Kind.BOOLEAN_VALUE)
+          && celExpr.constant().booleanValue();
+    }
+
     /** Encapsulates the result of this match when condition is met. (either an output or a rule) */
     @AutoOneOf(CelCompiledMatch.Result.Kind.class)
     public abstract static class Result {
diff --git a/policy/src/main/java/dev/cel/policy/RuleComposer.java b/policy/src/main/java/dev/cel/policy/RuleComposer.java
@@ -24,7 +24,6 @@
 import dev.cel.common.CelAbstractSyntaxTree;
 import dev.cel.common.CelMutableAst;
 import dev.cel.common.CelValidationException;
-import dev.cel.common.ast.CelConstant.Kind;
 import dev.cel.extensions.CelOptionalLibrary.Function;
 import dev.cel.optimizer.AstMutator;
 import dev.cel.optimizer.CelAstOptimizer;
@@ -75,10 +74,14 @@ private RuleOptimizationResult optimizeRule(Cel cel, CelCompiledRule compiledRul
     long lastOutputId = 0;
     for (CelCompiledMatch match : Lists.reverse(compiledRule.matches())) {
       CelAbstractSyntaxTree conditionAst = match.condition();
-      boolean isTriviallyTrue =
-          conditionAst.getExpr().constantOrDefault().getKind().equals(Kind.BOOLEAN_VALUE)
-              && conditionAst.getExpr().constant().booleanValue();
+      // If the condition is trivially true, none of the matches in the rule causes the result
+      // to become optional, and the rule is not the last match, then this will introduce
+      // unreachable outputs or rules.
+      boolean isTriviallyTrue = match.isConditionLiteral();
+
       switch (match.result().kind()) {
+        // For the match's output, determine whether the output should be wrapped
+        // into an optional value, a conditional, or both.
         case OUTPUT:
           OutputValue matchOutput = match.result().output();
           CelMutableAst outAst = CelMutableAst.fromCelAst(matchOutput.ast());
@@ -107,21 +110,25 @@ private RuleOptimizationResult optimizeRule(Cel cel, CelCompiledRule compiledRul
           lastOutputId = matchOutput.sourceId();
           continue;
         case RULE:
+          // If the match has a nested rule, then compute the rule and whether it has
+          // an optional return value.
           CelCompiledRule matchNestedRule = match.result().rule();
           RuleOptimizationResult nestedRule = optimizeRule(cel, matchNestedRule);
+          boolean nestedHasOptional = matchNestedRule.hasOptionalOutput();
           CelMutableAst nestedRuleAst = nestedRule.ast();
-          if (isOptionalResult && !nestedRule.isOptionalResult()) {
+          if (isOptionalResult && !nestedHasOptional) {
             nestedRuleAst =
                 astMutator.newGlobalCall(Function.OPTIONAL_OF.getFunction(), nestedRuleAst);
           }
-          if (!isOptionalResult && nestedRule.isOptionalResult()) {
+          if (!isOptionalResult && nestedHasOptional) {
             matchAst = astMutator.newGlobalCall(Function.OPTIONAL_OF.getFunction(), matchAst);
             isOptionalResult = true;
           }
-          if (!isOptionalResult && !nestedRule.isOptionalResult()) {
-            throw new IllegalArgumentException("Subrule early terminates policy");
-          }
-          if (isTriviallyTrue) {
+          // If either the nested rule or current condition output are optional then
+          // use optional.or() to specify the combination of the first and second results
+          // Note, the argument order is reversed due to the traversal of matches in
+          // reverse order.
+          if (isOptionalResult && isTriviallyTrue) {
             matchAst = astMutator.newMemberCall(nestedRuleAst, Function.OR.getFunction(), matchAst);
           } else {
             matchAst =
@@ -131,6 +138,7 @@ private RuleOptimizationResult optimizeRule(Cel cel, CelCompiledRule compiledRul
                     nestedRuleAst,
                     matchAst);
           }
+
           assertComposedAstIsValid(
               cel,
               matchAst,
diff --git a/policy/src/test/java/dev/cel/policy/PolicyTestHelper.java b/policy/src/test/java/dev/cel/policy/PolicyTestHelper.java
@@ -48,6 +48,26 @@ enum TestYamlPolicy {
             + "? optional.of({\"banned\": true}) : optional.none()).or("
             + "optional.of((resource.origin in variables.permitted_regions)"
             + " ? {\"banned\": false} : {\"banned\": true})))"),
+    NESTED_RULE2(
+        "nested_rule2",
+        false,
+        "cel.bind(variables.permitted_regions, [\"us\", \"uk\", \"es\"],"
+            + " resource.?user.orValue(\"\").startsWith(\"bad\") ?"
+            + " cel.bind(variables.banned_regions, {\"us\": false, \"ru\": false, \"ir\": false},"
+            + " (resource.origin in variables.banned_regions && !(resource.origin in"
+            + " variables.permitted_regions)) ? {\"banned\": \"restricted_region\"} : {\"banned\":"
+            + " \"bad_actor\"}) : (!(resource.origin in variables.permitted_regions) ? {\"banned\":"
+            + " \"unconfigured_region\"} : {}))"),
+    NESTED_RULE3(
+        "nested_rule3",
+        true,
+        "cel.bind(variables.permitted_regions, [\"us\", \"uk\", \"es\"],"
+            + " resource.?user.orValue(\"\").startsWith(\"bad\") ?"
+            + " optional.of(cel.bind(variables.banned_regions, {\"us\": false, \"ru\": false,"
+            + " \"ir\": false}, (resource.origin in variables.banned_regions && !(resource.origin"
+            + " in variables.permitted_regions)) ? {\"banned\": \"restricted_region\"} :"
+            + " {\"banned\": \"bad_actor\"})) : (!(resource.origin in variables.permitted_regions)"
+            + " ? optional.of({\"banned\": \"unconfigured_region\"}) : optional.none()))"),
     REQUIRED_LABELS(
         "required_labels",
         true,
diff --git a/policy/src/test/resources/nested_rule2/config.yaml b/policy/src/test/resources/nested_rule2/config.yaml
@@ -0,0 +1,22 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "nested_rule2"
+variables:
+- name: "resource"
+  type:
+    type_name: "map"
+    params:
+    - type_name: "string"
+    - type_name: "dyn"
diff --git a/policy/src/test/resources/nested_rule2/policy.yaml b/policy/src/test/resources/nested_rule2/policy.yaml
@@ -0,0 +1,40 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: nested_rule2
+rule:
+  variables:
+  - name: "permitted_regions"
+    expression: "['us', 'uk', 'es']"
+  match:
+  - condition: resource.?user.orValue("").startsWith("bad")
+    rule:
+      id: "banned regions"
+      description: >
+        determine whether the resource origin is in the banned
+        list. If the region is also in the permitted list, the
+        ban has no effect.
+      variables:
+      - name: "banned_regions"
+        expression: "{'us': false, 'ru': false, 'ir': false}"
+      match:
+      - condition: |
+          resource.origin in variables.banned_regions &&
+          !(resource.origin in variables.permitted_regions)
+        output: "{'banned': 'restricted_region'}"
+        explanation: "'resource is in the banned region ' + resource.origin"
+      - output: "{'banned': 'bad_actor'}"
+  - condition: "!(resource.origin in variables.permitted_regions)"
+    output: "{'banned': 'unconfigured_region'}"
+  - output: "{}"
diff --git a/policy/src/test/resources/nested_rule2/tests.yaml b/policy/src/test/resources/nested_rule2/tests.yaml
@@ -0,0 +1,48 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+description: Nested rule conformance tests
+section:
+- name: "banned"
+  tests:
+  - name: "restricted_origin"
+    input:
+      resource:
+        value:
+          user: "bad-user"
+          origin: "ir"
+    output: "{'banned': 'restricted_region'}"
+  - name: "by_default"
+    input:
+      resource:
+        value:
+          user: "bad-user"
+          origin: "de"
+    output: "{'banned': 'bad_actor'}"
+  - name: "unconfigured_region"
+    input:
+      resource:
+        value:
+          user: "good-user"
+          origin: "de"
+    output: "{'banned': 'unconfigured_region'}"
+- name: "permitted"
+  tests:
+  - name: "valid_origin"
+    input:
+      resource:
+        value:
+          user: "good-user"
+          origin: "uk"
+    output: "{}"
diff --git a/policy/src/test/resources/nested_rule3/config.yaml b/policy/src/test/resources/nested_rule3/config.yaml
@@ -0,0 +1,22 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "nested_rule3"
+variables:
+- name: "resource"
+  type:
+    type_name: "map"
+    params:
+    - type_name: "string"
+    - type_name: "dyn"
diff --git a/policy/src/test/resources/nested_rule3/policy.yaml b/policy/src/test/resources/nested_rule3/policy.yaml
@@ -0,0 +1,39 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: nested_rule3
+rule:
+  variables:
+  - name: "permitted_regions"
+    expression: "['us', 'uk', 'es']"
+  match:
+  - condition: resource.?user.orValue("").startsWith("bad")
+    rule:
+      id: "banned regions"
+      description: >
+        determine whether the resource origin is in the banned
+        list. If the region is also in the permitted list, the
+        ban has no effect.
+      variables:
+      - name: "banned_regions"
+        expression: "{'us': false, 'ru': false, 'ir': false}"
+      match:
+      - condition: |
+          resource.origin in variables.banned_regions &&
+          !(resource.origin in variables.permitted_regions)
+        output: "{'banned': 'restricted_region'}"
+        explanation: "'resource is in the banned region ' + resource.origin"
+      - output: "{'banned': 'bad_actor'}"
+  - condition: "!(resource.origin in variables.permitted_regions)"
+    output: "{'banned': 'unconfigured_region'}"
diff --git a/policy/src/test/resources/nested_rule3/tests.yaml b/policy/src/test/resources/nested_rule3/tests.yaml
@@ -0,0 +1,48 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+description: Nested rule conformance tests
+section:
+- name: "banned"
+  tests:
+  - name: "restricted_origin"
+    input:
+      resource:
+        value:
+          user: "bad-user"
+          origin: "ir"
+    output: "{'banned': 'restricted_region'}"
+  - name: "by_default"
+    input:
+      resource:
+        value:
+          user: "bad-user"
+          origin: "de"
+    output: "{'banned': 'bad_actor'}"
+  - name: "unconfigured_region"
+    input:
+      resource:
+        value:
+          user: "good-user"
+          origin: "de"
+    output: "{'banned': 'unconfigured_region'}"
+- name: "permitted"
+  tests:
+  - name: "valid_origin"
+    input:
+      resource:
+        value:
+          user: "good-user"
+          origin: "uk"
+    output: "optional.none()"
