Skip to content

Comments

adds validateWithLevel API for CedarJava#327

Merged
muditchaudhary merged 6 commits intocedar-policy:mainfrom
muditchaudhary:4.4_release/features/validate_with_level
Aug 1, 2025
Merged

adds validateWithLevel API for CedarJava#327
muditchaudhary merged 6 commits intocedar-policy:mainfrom
muditchaudhary:4.4_release/features/validate_with_level

Conversation

@muditchaudhary
Copy link
Contributor

@muditchaudhary muditchaudhary commented Jul 23, 2025

Overview

Introduces validateWithLevel API in CedarJava, matching the functionality of Cedar Policy's validate_with_level (RFC 76).

Changes

CedarJava Layer

  • Implements new validateWithLevel API with comprehensive test coverage
  • Maintains interface consistency with existing validation methods i.e., exposed through AuthorizationEngine and responses as ValidationResponse

CedarJavaFFI Layer

  • Implements validate_with_level FFI method in src/helpers.rs (Ideally should belong in cedar_policy::ffi. See Note below)
  • Borrows some implementation from cedar_policy::ffi for consistency
  • Maintains the same interface structure as existing validate calls from cedar_policy::ffi
  • Adds tests added to verify FFI behavior

Example Usage

// Policy
permit(
  principal in UserGroup::"alice_friends",
  action == Action::"viewPhoto",
  resource
) when {principal in resource.owner.friend};

// Sample Output
ValidationResponse(
  validationErrors = [
    Error(
      policyId=policy0, 
      error=DetailedError{
        message="for policy policy0, this policy requires level 2, which exceeds the maximum allowed level (1)",
        help="",
        code="",
        url="",
        severity=,
        sourcelocations=[SourceLabel{label="", start=122, end=143}],
        related=[]
      }
    )
  ],
  validationWarnings = []
)

Note

The validate_with_level FFI implementation currently resides in CedarJavaFFI to facilitate inclusion of this feature in the CedarJava 4.4 release. This approach avoids waiting for the next minor version release of cedar_policy (likely 4.6). A near future PR will move this functionality to cedar_policy::ffi. Once validate_with_level API is exposed through cedar_policy::ffi we can remove its implementation from CedarJavaFFI in a subsequent release.

Next Steps

  • Create a separate PR for moving validate_with_level to cedar_policy::ffi (I'll do it)

If review scope is too large, this PR can be split into separate FFI and Java contributions

@muditchaudhary
adds validate_with_level FFI helper methods
d753389 
Signed-off-by: Mudit Chaudhary <chmudit@amazon.com>
@muditchaudhary
adds validate with level operation to interface
71f31de 
Signed-off-by: Mudit Chaudhary <chmudit@amazon.com>
@muditchaudhary
adds validateWithLevel API
f47ba08 
Signed-off-by: Mudit Chaudhary <chmudit@amazon.com>
@muditchaudhary
adds validateWithLevel tests
5538492 
Signed-off-by: Mudit Chaudhary <chmudit@amazon.com>
muditchaudhary
muditchaudhary commented Jul 23, 2025
View reviewed changes
CedarJavaFFI/src/helpers.rs
serde_json::to_string(&ans)
}

pub fn validate_with_level(call: LevelValidationCall) -> ValidationAnswer {
Copy link
Contributor Author

@muditchaudhary muditchaudhary Jul 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should/will belong in cedar_policy::ffi. See Note in the PR description.

@muditchaudhary muditchaudhary marked this pull request as ready for review July 23, 2025 19:16
mark-creamer-amazon
mark-creamer-amazon reviewed Jul 25, 2025
View reviewed changes
mark-creamer-amazon
mark-creamer-amazon reviewed Jul 25, 2025
View reviewed changes
mark-creamer-amazon
mark-creamer-amazon reviewed Jul 25, 2025
View reviewed changes
CedarJava/src/main/java/com/cedarpolicy/model/LevelValidationRequest.java
@SuppressFBWarnings
public LevelValidationRequest(Schema schema, PolicySet policies, long maxDerefLevel) {
if (schema == null) {
throw new NullPointerException("schema");
Copy link
Contributor

@mark-creamer-amazon mark-creamer-amazon Jul 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit as an aside: Looks like this is how we do it in most places, but here it looks like we print it differently.

I wonder what our appetite for using something like Lombok to improve boilerplate like this and getters/setters is: https://projectlombok.org/features/NonNull

Copy link
Contributor Author

@muditchaudhary muditchaudhary Jul 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, there is some inconsistency in the message. I followed the message that we use in ValidationRequest constructor.

Maybe we can do a Lombok "campaign" to avoid inconsistency across CedarJava before the release.

@muditchaudhary
fixes nits
2ca8306 
Signed-off-by: Mudit Chaudhary <chmudit@amazon.com>
@muditchaudhary muditchaudhary force-pushed the 4.4_release/features/validate_with_level branch from ac1d5e3 to 2ca8306 Compare July 25, 2025 19:28
john-h-kastner-aws
john-h-kastner-aws reviewed Jul 31, 2025
View reviewed changes
CedarJavaFFI/src/helpers.rs
Comment on lines +161 to +162
policy_id: error.policy_id().clone(),
error: miette::Report::new(error.clone()).into(),
Copy link
Contributor

@john-h-kastner-aws john-h-kastner-aws Jul 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note: once moved into cedar_policy crate these clones should be avoidable

@muditchaudhary
fixes nits
0aac094 
Signed-off-by: Mudit Chaudhary <chmudit@amazon.com>
@muditchaudhary muditchaudhary merged commit 23e570c into cedar-policy:main Aug 1, 2025
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@john-h-kastner-aws john-h-kastner-aws john-h-kastner-aws approved these changes

@mark-creamer-amazon mark-creamer-amazon mark-creamer-amazon approved these changes

@adpaco-aws adpaco-aws Awaiting requested review from adpaco-aws

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@muditchaudhary @john-h-kastner-aws @mark-creamer-amazon