v3.0.0

Release 3.0.0, available on crates.io

Cedar Language Version: 3.0.0

Added

• Marked the Template::from_json and Template::to_json apis as public (#458)
• New APIs to Entities to make it easy to add a collection of entities to an
  existing Entities structure. (#276)
• Export the cedar_policy_core::evaluator::{EvaluationError, EvaluationErrorKind} and
  cedar_policy_core::authorizer::AuthorizationError error types. (#260, #271)
• ParseError::primary_source_span to get the primary source span locating an
  error. (#324)
• Experimental API PolicySet::unknown_entities to collect unknown entity UIDs
  from a PartialResponse. (#353, resolving #321)
• PolicySet::remove_static, PolicySet::remove_template and
  PolicySet::unlink to remove policies from the policy set. (#337, resolving #328)
• PolicySet::get_linked_policies to get the policies linked to a Template. (#337)
• ValidationResult::validation_warnings to access non-fatal warnings returned
  by the validator and ValidationResult::validation_passed_without_warnings.
  The main validation entry point now checks for warnings previously only
  available through confusable_string_checker. (#404)
• The is operation as described in
  RFC 5.
  (#396)
• Entity::new_no_attrs() which provides an infallible constructor for Entity
  in the case that there are no attributes. (See changes to Entity::new()
  below.) (#430)
• RestrictedExpression::new_entity_uid() (#442, resolving #350)

Changed

• Rename cedar_policy_core::est::EstToAstError to
  cedar_policy_core::est::FromJsonError. (#197)
• Rename cedar_policy_core::entities::JsonDeserializationError::ExtensionsError
  to cedar_policy_core::entities::JsonDeserializationError::ExtensionFunctionLookup.
  (#360)
• Rename variants in SchemaError. (#231)
• SchemaError has a new variant corresponding to errors evaluating action
  attributes. (#430)
• Diagnostics::errors() now returns an iterator over AuthorizationErrors.
  (#260)
• Response::new() now expects a Vec<AuthorizationError> as its third
  argument. (#260)
• Implement RFC 19,
  making validation slightly more strict, but more explainable. (#282)
• Implement RFC 20,
  disallowing duplicate keys in record values (including record literals in
  policies, request context, and records in entity attributes). (#375)
• Entities::from_*() methods now automatically add action entities present in
  the schema to the constructed Entities, if a schema is provided. (#360)
• Entities::from_*() methods now validate the entities against the schema,
  if a schema is provided. (#360)
• Entities::from_entities() and Entities::add_entities() now take an
  optional schema argument. (#360)
• Request::new() now takes an optional schema argument, and validates the request
  against that schema. To signal validation errors, it now returns a Result.
  (#393, resolving #191)
• Change the semantics of equality for IP ranges. For example,
  ip("192.168.0.1/24") == ip("192.168.0.3/24") was previously true and is now
  false. The behavior of equality on single IP addresses is unchanged, and so is
  the behavior of .isInRange(). (#348)
• Standardize on duplicates being errors instead of last-write-wins in the
  JSON-based APIs in the frontend module. This also means some error types
  have changed. (#365, #448)
• Entity::new() now eagerly evaluates entity attributes, leading to
  performance improvements (particularly when entity data is reused across
  multiple is_authorized calls). As a result, it returns Result, because
  attribute evaluation can fail. (#430)
• Entities::from_json_*() also now eagerly evaluates entity attributes, and as
  a result returns errors when attribute evaluation fails. (#430)
• Entity::attr() now returns errors in many fewer cases (because the attribute
  is stored in already-evaluated form), and its error type has changed. (#430)
• Context::from_*() methods also now eagerly evaluate the Context, and as
  a result return errors when evaluation fails. (#430)
• <EntityId as FromStr>::Error is now Infallible instead of ParseErrors.
  (#372)
• Improve the Display impls for Policy and PolicySet, and add a Display
  impl for Template. The displayed representations now more closely match the
  original input, whether the input was in string or JSON form. (#167, resolving
  #125)
• ValidationWarning::location and ValidationWarning::to_kind_and_location
  now return &SourceLocation<'a> instead of &'a PolicyID, matching
  ValidationError::location. (#405)
• ValidationWarningKind is now non_exhaustive, allowing future warnings to
  be added without a breaking change. (#404)
• Improve schema parsing error messages when a cycle exists in the action
  hierarchy to includes an action which is part of the cycle (#436, resolving
  #416).

Fixed

• Evaluation order of operand to > and >=. They now evaluate left to right,
  matching all other operators. This affects what error is reported when there is
  an evaluation error in both operands, but does not otherwise change the result
  of evaluation. (#402, resolving #112)
• Updated PolicySet::link to not mutate internal state when failing to link a static
  policy. With this fix it is possible to create a link with a policy id
  after previously failing to create that link with the same id from a static
  policy. (#412)
• Fixed schema-based parsing of entity data that includes unknowns (for the
  partial-eval experimental feature). (#419, resolving #418)

Removed

• Removed __expr escape from Cedar JSON formats, which has been deprecated
  since Cedar 1.2. (#333)
• Move ValidationMode::Permissive behind an experimental feature flag.
  To continue using this feature you must enable the permissive-validate
  feature flag. (#428)