diff --git a/internal/parser/cedar_parse_test.go b/internal/parser/cedar_parse_test.go
index 4b77c24..f72663c 100644
--- a/internal/parser/cedar_parse_test.go
+++ b/internal/parser/cedar_parse_test.go
@@ -111,6 +111,18 @@ func TestParse(t *testing.T) {
 when { action.foo["bar"].isIpv4() }
 unless { principal.isIpv4(false, 123, "foo") }
 when { principal["foo"] };`, false},
+ {"tags", `permit(principal, action, resource)
+ when { resource.hasTag("blue") };
+
+ permit(principal, action, resource)
+ when { resource.getTag("blue") };
+
+ permit(principal, action, resource)
+ when { resource.hasTag(context.color) };
+
+ permit(principal, action, resource)
+ when { resource.getTag(context.color) };
+ `, false},
 {"unary", `permit(principal, action, resource)
 when { !resource.foo }
 unless { -resource.bar }
@@ -243,6 +255,20 @@ func TestParse(t *testing.T) {
 when { resource.bar[baz]`, true},
 {"invalidAccess8", `permit(principal, action, resource)
 when { resource.bar["baz")`, true},
+ {"invalidTag1", `permit(principal, action, resource)
+ when { resource.getTag(42)}`, true},
+ {"invalidTag2", `permit(principal, action, resource)
+ when { resource.hasTag(42)}`, true},
+ {"invalidTag3", `permit(principal, action, resource)
+ when { resource.hasTag(12.1 + 3.6)}`, true},
+ {"invalidTag4", `permit(principal, action, resource)
+ when { resource.hasTag(true)}`, true},
+ {"invalidTag5", `permit(principal, action, resource)
+ when { "blue".hasTag("true")}`, true},
+ {"invalidTag6", `permit(principal, action, resource)
+ when { 42.hasTag("true")}`, true},
+ {"invalidTag7", `permit(principal, action, resource)
+ when { true.hasTag("true")}`, true},
 {"invalidUnaryOp", `permit(principal, action, resource)
 when { +resource.bar };`, true},
 {"invalidAdd", `permit(principal, action, resource)
diff --git a/internal/parser/cedar_unmarshal_test.go b/internal/parser/cedar_unmarshal_test.go
index 5f349ac..b8ae8f4 100644
--- a/internal/parser/cedar_unmarshal_test.go
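Review bot: The seven `invalidTag` cases in the second hunk of cedar_parse_test.go all end the policy at `}` with no terminating `;`, whereas every policy in the new `tags` case and the neighbouring `invalidUnaryOp` case ends in `};`. If the parser requires that semicolon, as those cases suggest, each input is rejected for that reason alone, so the tests would still pass if `hasTag`/`getTag` accepted a non-string literal argument or a literal receiver. Terminating each policy, e.g. `when { resource.getTag(42) };`, would make the tag check the only possible cause of the expected error. `invalidTag3` also relies on `12.1 + 3.6`, which may already be rejected as a numeric literal, so an integer expression such as `resource.hasTag(1 + 2)` would isolate the argument check better. The test table and TestParse continue outside the hunk.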
+++ b/internal/parser/cedar_unmarshal_test.go
@@ -200,6 +200,36 @@ when { context.sourceIP.isIpv4() };`,
 when { 42 * 2 };`,
 ast.Permit().When(ast.Long(42).Multiply(ast.Long(2))),
 },
+ {
+ "principal has tag",
+ `permit ( principal, action, resource )
+when { principal.hasTag("blue") };`,
+ ast.Permit().When(ast.Principal().HasTag(ast.String("blue"))),
+ },
+ {
+ "resource has tag",
+ `permit ( principal, action, resource )
+when { resource.hasTag("blue") };`,
+ ast.Permit().When(ast.Resource().HasTag(ast.String("blue"))),
+ },
+ {
+ "principal tag equals value",
+ `permit ( principal, action, resource )
+when { principal.hasTag("blue") && principal.getTag("blue") == "green" };`,
+ ast.Permit().When(ast.Principal().HasTag(ast.String("blue")).And(ast.Principal().GetTag(ast.String("blue")).Equal(ast.String("green")))),
+ },
+ {
+ "principal tag has attribute",
+ `permit ( principal, action, resource )
+when { principal.hasTag("blue") && principal.getTag("blue") has attr };`,
+ ast.Permit().When(ast.Principal().HasTag(ast.String("blue")).And(ast.Principal().GetTag(ast.String("blue")).Has("attr"))),
+ },
+ {
+ "principal has tag from context",
+ `permit ( principal, action, resource )
+when { principal.hasTag(context.request_ip) };`,
+ ast.Permit().When(ast.Principal().HasTag(ast.Context().Access("request_ip"))),
+ },
 {
 "multiple multiplication",
 `permit ( principal, action, resource )
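Review bot: `getTag` is only round-tripped here with a string-literal argument; the one non-literal case, "principal has tag from context", covers `hasTag` alone. The parse test in cedar_parse_test.go accepts `resource.getTag(context.color)`, so the AST built for a non-literal `getTag` argument is never pinned by an expected value. A case mirroring the `hasTag` one, built only from the constructors already used in this hunk, would close the gap, as shown below. The test table continues outside the hunk.

```go
		{
			"principal get tag from context",
			`permit ( principal, action, resource )
when { principal.getTag(context.request_ip) == "green" };`,
			ast.Permit().When(ast.Principal().GetTag(ast.Context().Access("request_ip")).Equal(ast.String("green"))),
		},
```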