npm - @highflame/policy - Versions diffs - 1.2.0 → 2.0.0 - Mend

@highflame/policy 1.2.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (74) hide show

package/README.md +219 -0
package/_schemas/overwatch/context.json +463 -0
package/_schemas/overwatch/schema.cedarschema +184 -0
package/_schemas/palisade/context.json +325 -0
package/_schemas/palisade/schema.cedarschema +168 -0
package/dist/builder.d.ts +1 -2
package/dist/builder.d.ts.map +1 -1
package/dist/builder.js.map +1 -1
package/dist/context.gen.d.ts +1 -94
package/dist/context.gen.d.ts.map +1 -1
package/dist/context.gen.js +1 -97
package/dist/context.gen.js.map +1 -1
package/dist/engine.d.ts +18 -18
package/dist/engine.d.ts.map +1 -1
package/dist/engine.js +44 -28
package/dist/engine.js.map +1 -1
package/dist/engine.test.js.map +1 -1
package/dist/entities.gen.d.ts +1 -0
package/dist/entities.gen.d.ts.map +1 -1
package/dist/entities.gen.js +1 -0
package/dist/entities.gen.js.map +1 -1
package/dist/errors.d.ts +102 -0
package/dist/errors.d.ts.map +1 -0
package/dist/errors.js +127 -0
package/dist/errors.js.map +1 -0
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -0
package/dist/index.js.map +1 -1
package/dist/overwatch-context.gen.d.ts +31 -0
package/dist/overwatch-context.gen.d.ts.map +1 -0
package/dist/overwatch-context.gen.js +32 -0
package/dist/overwatch-context.gen.js.map +1 -0
package/dist/palisade-context.gen.d.ts +25 -0
package/dist/palisade-context.gen.d.ts.map +1 -0
package/dist/palisade-context.gen.js +26 -0
package/dist/palisade-context.gen.js.map +1 -0
package/dist/parser.d.ts.map +1 -1
package/dist/parser.js +79 -34
package/dist/parser.js.map +1 -1
package/dist/parser.test.js +44 -0
package/dist/parser.test.js.map +1 -1
package/dist/schema.gen.d.ts +1 -1
package/dist/schema.gen.d.ts.map +1 -1
package/dist/schema.gen.js +60 -541
package/dist/schema.gen.js.map +1 -1
package/dist/schemas.d.ts +64 -0
package/dist/schemas.d.ts.map +1 -0
package/dist/schemas.js +70 -0
package/dist/schemas.js.map +1 -0
package/dist/schemas.test.d.ts +8 -0
package/dist/schemas.test.d.ts.map +1 -0
package/dist/schemas.test.js +381 -0
package/dist/schemas.test.js.map +1 -0
package/dist/types.d.ts +1 -0
package/dist/types.d.ts.map +1 -1
package/dist/types.js +2 -0
package/dist/types.js.map +1 -1
package/package.json +13 -6
package/src/builder.ts +1 -2
package/src/context.gen.ts +0 -97
package/src/engine.test.ts +0 -1
package/src/engine.ts +62 -33
package/src/entities.gen.ts +1 -0
package/src/errors.ts +195 -0
package/src/index.ts +2 -0
package/src/overwatch-context.gen.ts +34 -0
package/src/palisade-context.gen.ts +28 -0
package/src/parser.test.ts +53 -0
package/src/parser.ts +83 -36
package/src/schema.gen.ts +60 -541
package/src/schemas.test.ts +449 -0
package/src/schemas.ts +91 -0
package/src/types.ts +3 -0

package/src/parser.ts CHANGED Viewed

@@ -11,6 +11,7 @@
 import * as cedar from "@cedar-policy/cedar-wasm/nodejs";
 import type { PolicyRule, PolicyCondition, PolicyEntity, PolicyEffect, ConditionOperator } from "./builder.js";
+import { ParserError, ErrorCodes } from "./errors.js";
 /**
  * Result of parsing Cedar policies
@@ -141,6 +142,23 @@ export function parseCedarToRules(cedarText: string): ParseResult {
     result.errors.push(`Parse error: ${e instanceof Error ? e.message : String(e)}`);
   }
+  // Check for duplicate policy IDs and add warnings
+  const idOccurrences = new Map<string, number[]>();
+  result.rules.forEach((rule, idx) => {
+    if (rule.id) {
+      const indices = idOccurrences.get(rule.id) || [];
+      indices.push(idx);
+      idOccurrences.set(rule.id, indices);
+    }
+  });
+  for (const [id, indices] of idOccurrences) {
+    if (indices.length > 1) {
+      result.errors.push(
+        `[${ErrorCodes.PARSE_DUPLICATE_ID}] Duplicate policy ID '${id}' found at indices [${indices.join(", ")}]`
+      );
+    }
+  }
   return result;
 }
@@ -162,31 +180,37 @@ function cedarJsonToRule(
     return { raw };
   }
-  const rule: PolicyRule = {
-    id: policy.annotations?.id || policyId,
-    name: policy.annotations?.name || policy.annotations?.id || policyId,
-    effect: policy.effect as PolicyEffect,
-    principal: mapScopeToEntity(policy.principal),
-    action: mapActionScope(policy.action),
-    resource: mapScopeToEntity(policy.resource),
-    conditions: [],
-    enabled: true,
-    order: index,
-  };
+  try {
+    const rule: PolicyRule = {
+      id: policy.annotations?.id || policyId,
+      name: policy.annotations?.name || policy.annotations?.id || policyId,
+      effect: policy.effect as PolicyEffect,
+      principal: mapScopeToEntity(policy.principal, "principal"),
+      action: mapActionScope(policy.action),
+      resource: mapScopeToEntity(policy.resource, "resource"),
+      conditions: [],
+      enabled: true,
+      order: index,
+    };
+    // Map description from annotations
+    if (policy.annotations?.description) {
+      rule.description = policy.annotations.description;
+    }
-  // Map description from annotations
-  if (policy.annotations?.description) {
-    rule.description = policy.annotations.description;
-  }
+    // Map conditions
+    const { conditions, rawCondition } = mapConditions(policy.conditions);
+    rule.conditions = conditions;
+    if (rawCondition) {
+      rule.rawCondition = rawCondition;
+    }
-  // Map conditions
-  const { conditions, rawCondition } = mapConditions(policy.conditions);
-  rule.conditions = conditions;
-  if (rawCondition) {
-    rule.rawCondition = rawCondition;
+    return { rule };
+  } catch (e) {
+    const error = e instanceof Error ? e.message : String(e);
+    const raw = originalText || getRawCedar(policyId, policy);
+    return { raw, error };
   }
-  return { rule };
 }
 /**
@@ -237,13 +261,21 @@ function getRawCedar(policyId: string, policy: CedarPolicyJSON): string {
   } catch {
     // Ignore conversion errors
   }
-  return `// Complex policy: ${policyId}`;
+  // Sanitize policyId to prevent newline injection attacks
+  const safeId = policyId.replace(/[\n\r]/g, " ");
+  return `// Complex policy: ${safeId}`;
 }
 /**
  * Map Cedar scope constraint to PolicyEntity
+ *
+ * Returns null for unconstrained ("All") scopes.
+ * Throws ParserError for malformed constraints to prevent silent misinterpretation.
+ *
+ * @param scope - The Cedar scope constraint
+ * @param field - The field name ("principal" or "resource") for error context
  */
-function mapScopeToEntity(scope: CedarScopeConstraint): PolicyEntity | null {
+function mapScopeToEntity(scope: CedarScopeConstraint, field: string): PolicyEntity | null {
   if (scope.op === "All") {
     return null;
   }
@@ -253,13 +285,17 @@ function mapScopeToEntity(scope: CedarScopeConstraint): PolicyEntity | null {
       const entity = normalizeEntityRef(scope.entity);
       return { type: entity.type, id: entity.id };
     }
-    // Slot - can't represent
-    return null;
+    if ("slot" in scope) {
+      throw ParserError.scopeSlotNotSupported("==", field);
+    }
+    throw ParserError.scopeMissingEntity("==", field);
   }
   if (scope.op === "is") {
-    // Type constraint
-    return { type: scope.entity_type };
+    if (scope.entity_type) {
+      return { type: scope.entity_type };
+    }
+    throw ParserError.scopeMissingEntityType(field);
   }
   if (scope.op === "in") {
@@ -267,15 +303,19 @@ function mapScopeToEntity(scope: CedarScopeConstraint): PolicyEntity | null {
       const entity = normalizeEntityRef(scope.entity);
       return { type: entity.type, id: entity.id };
     }
-    // Slot - can't represent
-    return null;
+    if ("slot" in scope) {
+      throw ParserError.scopeSlotNotSupported("in", field);
+    }
+    throw ParserError.scopeMissingEntityList(field);
   }
-  return null;
+  throw ParserError.scopeUnsupportedOp((scope as { op: string }).op, field);
 }
 /**
  * Map action scope to action string(s)
+ *
+ * Throws ParserError for malformed constraints to prevent silent misinterpretation.
  */
 function mapActionScope(scope: CedarActionConstraint): string | string[] {
   if (scope.op === "All") {
@@ -283,8 +323,11 @@ function mapActionScope(scope: CedarActionConstraint): string | string[] {
   }
   if (scope.op === "==") {
-    const entity = normalizeEntityRef(scope.entity);
-    return entity.id;
+    if ("entity" in scope) {
+      const entity = normalizeEntityRef(scope.entity);
+      return entity.id;
+    }
+    throw ParserError.actionMissingEntity("==");
   }
   if (scope.op === "in") {
@@ -296,9 +339,10 @@ function mapActionScope(scope: CedarActionConstraint): string | string[] {
       const entity = normalizeEntityRef(scope.entity);
       return entity.id;
     }
+    throw ParserError.actionMissingEntities();
   }
-  return "";
+  throw ParserError.actionUnsupportedOp((scope as { op: string }).op);
 }
 /**
@@ -324,9 +368,11 @@ function mapConditions(conditions: CedarCondition[]): {
     }
   }
+  // Store raw conditions as a valid JSON array instead of joining with " && "
+  // This ensures downstream systems can parse the rawCondition field
   return {
     conditions: result,
-    rawCondition: rawParts.length > 0 ? rawParts.join(" && ") : undefined,
+    rawCondition: rawParts.length > 0 ? `[${rawParts.join(",")}]` : undefined,
   };
 }
@@ -412,9 +458,10 @@ function mapLike(args: { left: CedarExpr; pattern: Array<"Wildcard" | { Literal:
   if (!field) return null;
   // Convert pattern to string (e.g., ["Wildcard", { Literal: "foo" }, "Wildcard"] -> "*foo*")
+  // Escape literal * characters to distinguish from wildcards on round-trip
   const patternStr = args.pattern.map(p => {
     if (p === "Wildcard") return "*";
-    if (typeof p === "object" && "Literal" in p) return p.Literal;
+    if (typeof p === "object" && "Literal" in p) return p.Literal.replace(/\*/g, "\\*");
     return "";
   }).join("");