internal/parser: test parsing of tags in condition

Signed-off-by: Ali Dowair <[email protected]>
strongdm · Dec 5, 2024 · 22b2bd0 · 22b2bd0
1 parent 387286b
commit 22b2bd0
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 0 deletions.
diff --git a/internal/parser/cedar_parse_test.go b/internal/parser/cedar_parse_test.go
@@ -111,6 +111,18 @@ func TestParse(t *testing.T) {
 			when { action.foo["bar"].isIpv4() }
 			unless { principal.isIpv4(false, 123, "foo") }
 			when { principal["foo"] };`, false},
+		{"tags", `permit(principal, action, resource)
+			when { resource.hasTag("blue") };
+
+			permit(principal, action, resource)
+			when { resource.getTag("blue") };
+
+			permit(principal, action, resource)
+			when { resource.hasTag(context.color) };
+
+			permit(principal, action, resource)
+			when { resource.getTag(context.color) };
+			`, false},
 		{"unary", `permit(principal, action, resource)
 			when { !resource.foo }
 			unless { -resource.bar }
@@ -243,6 +255,20 @@ func TestParse(t *testing.T) {
 			when { resource.bar[baz]`, true},
 		{"invalidAccess8", `permit(principal, action, resource)
 			when { resource.bar["baz")`, true},
+		{"invalidTag1", `permit(principal, action, resource)
+			when { resource.getTag(42)}`, true},
+		{"invalidTag2", `permit(principal, action, resource)
+			when { resource.hasTag(42)}`, true},
+		{"invalidTag3", `permit(principal, action, resource)
+			when { resource.hasTag(12.1 + 3.6)}`, true},
+		{"invalidTag4", `permit(principal, action, resource)
+			when { resource.hasTag(true)}`, true},
+		{"invalidTag5", `permit(principal, action, resource)
+			when { "blue".hasTag("true")}`, true},
+		{"invalidTag6", `permit(principal, action, resource)
+			when { 42.hasTag("true")}`, true},
+		{"invalidTag7", `permit(principal, action, resource)
+			when { true.hasTag("true")}`, true},
 		{"invalidUnaryOp", `permit(principal, action, resource)
 			when { +resource.bar };`, true},
 		{"invalidAdd", `permit(principal, action, resource)

diff --git a/internal/parser/cedar_unmarshal_test.go b/internal/parser/cedar_unmarshal_test.go
@@ -200,6 +200,36 @@ when { context.sourceIP.isIpv4() };`,
 when { 42 * 2 };`,
 			ast.Permit().When(ast.Long(42).Multiply(ast.Long(2))),
 		},
+		{
+			"principal has tag",
+			`permit ( principal, action, resource )
+when { principal.hasTag("blue") };`,
+			ast.Permit().When(ast.Principal().HasTag(ast.String("blue"))),
+		},
+		{
+			"resource has tag",
+			`permit ( principal, action, resource )
+when { resource.hasTag("blue") };`,
+			ast.Permit().When(ast.Resource().HasTag(ast.String("blue"))),
+		},
+		{
+			"principal tag equals value",
+			`permit ( principal, action, resource )
+when { principal.hasTag("blue") && principal.getTag("blue") == "green" };`,
+			ast.Permit().When(ast.Principal().HasTag(ast.String("blue")).And(ast.Principal().GetTag(ast.String("blue")).Equal(ast.String("green")))),
+		},
+		{
+			"principal tag has attribute",
+			`permit ( principal, action, resource )
+when { principal.hasTag("blue") && principal.getTag("blue") has attr };`,
+			ast.Permit().When(ast.Principal().HasTag(ast.String("blue")).And(ast.Principal().GetTag(ast.String("blue")).Has("attr"))),
+		},
+		{
+			"principal has tag from context",
+			`permit ( principal, action, resource )
+when { principal.hasTag(context.request_ip) };`,
+			ast.Permit().When(ast.Principal().HasTag(ast.Context().Access("request_ip"))),
+		},
 		{
 			"multiple multiplication",
 			`permit ( principal, action, resource )