Skip to content
/ mini-cedar-api Public

A minimal rest api for cedar, intended to help with local development of AmazonVerifiedPermissions

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

pageuppeople-opensource/mini-cedar-api

BranchesTags

Repository files navigation

A super-simple rest api to expose the cedar policy engine

Intended to be used as part of mocking AWS Amazon Verified Permissions until such time that localstack supports this service. Have this api called from a fake IAmazonVerifiedPermissions implementation to handle your validation and authZ checks, and separately implement a policy store.

Quick start

Using rust:

cargo run

Using docker:

docker compose up

Or use the repository image.

After running, the api is available at http://localhost:3000

APIs

Check out the rest api file for examples.

  • GET / Health check endpoint, returns "Hello from Rust!"
  • POST /bulk-has-access Run many access checks
    • Request: 
      type request = {
    "checks": {
        "principal": string,
        "action": string,
        "resource": string,
        "context"?: {} // same as attrs below, see samples in cedar repos
    }[],
    "entities": {
        "uid": { "type": string, "id": string },
        "attrs": { }, // see sample entities in cedar repos
        "parents": { "type": string, "id": string }[]
    }[] | string, // alternatively just use cedar-json
    "policies": {
        "static_policies": { "id": string, "statement": string }[],
        "templated_policies": {
            "id": string,
            "template_id": string,
            "principal"?: string,
            "resource"?: string
        }[],
        "templates": { "id": string, "statement": string }[],
    },
    "schema": string
}
    • Response: 
      type response = {
    "decision": "Allow" | "Deny",
    "diagnostics": {
        "reason": string[],
        "errors": string[]
    }
}[]
  • POST /validate/schema Parse and validate a schema
    • Request: 
      type request = {
    "schema": string
}
    • Response (200 if ok, 400 otherwise): 
      type response = string[] // errors, if any
  • POST /validate/template Parse and validate a template against a schema
    • Request: 
      type request = {
    "schema": string,
    "template_statement": string
}
    • Response (200 if ok, 400 otherwise): 
      type response = string[] // errors, if any
  • POST /validate/static-policy Parse and validate a static policy against a schema
    • Request: 
      type request = {
    "schema": string,
    "policy_statement": string
}
    • Response (200 if ok, 400 otherwise): 
      type response = string[] // errors, if any
  • POST /validate/templated_policy Parse and validate a templated policy against a schema and template
    • Request: 
      type request = {
    "schema": string,
    "template_statement": string,
    "principal"?: string,
    "resource"?: string
}
    • Response (200 if ok, 400 otherwise): 
      type response = string[] // errors, if any

Maintaining

This code is by no means an example of "good" or "idiomatic" Rust. In particular, the error handling is done very poorly, but for now "it works".

As AVP improves support for cedar, we will need to update the cedar version used. This can be done by modifying the cargo.toml file to update cedar-policy to the newly supported version. Then run cargo update and cargo run.

About

A minimal rest api for cedar, intended to help with local development of AmazonVerifiedPermissions

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

5 watching

Forks

0 forks
Report repository

Releases 2

v4.3.3 Latest
Apr 7, 2025
+ 1 release

Packages

 
 
 

Languages