Skip to content

feat: detect Cedar enforcement points #76

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
boorad merged 2 commits into from
May 6, 2026
+516 −9
Merged

feat: detect Cedar enforcement points #76

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
dd1a00e
feat: detect Cedar enforcement points
boorad May 6, 2026
d206e0b
fix: tighten externalized enforcement rules
boorad May 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion rules/csharp/authorization-service-authorize-async.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ query = """
eq = "AuthorizeAsync"

[rule.predicates.arguments]
match = "(Policy|Requirement|Operations\\.|\"[^\"]+\"|(?i:[A-Za-z_][A-Za-z0-9_]*?(policy|requirement)s?))"
match = "(Policy|Requirement|Operations\\.|\"[^\"]+\"|(?i:\\b[A-Za-z_]*(policy|requirement)[A-Za-z0-9_]*\\b))"

[rule.rego_template]
template = """
Expand Down
44 changes: 44 additions & 0 deletions rules/csharp/aws-verified-permissions.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
[rule]
id = "csharp-aws-verified-permissions"
languages = ["csharp"]
category = "custom"
confidence = "high"
description = "AWS Verified Permissions authorization call in C#"
externalized = true
query = """
(invocation_expression
function: (member_access_expression
expression: (_) @receiver
name: (identifier) @method_name)
) @match
"""

[rule.predicates.method_name]
match = "^(IsAuthorizedAsync|IsAuthorizedWithTokenAsync)$"

[rule.predicates.receiver]
match = "(?i)(verifiedpermissions|verified_permissions|avp|\\bvp\\b)"

[[rule.tests]]
input = """
var response = await avp.IsAuthorizedAsync(request);
"""
expect_match = true

[[rule.tests]]
input = """
var response = await verifiedPermissions.IsAuthorizedWithTokenAsync(request);
"""
expect_match = true

[[rule.tests]]
input = """
var response = await client.SendAsync(request);
"""
expect_match = false

[[rule.tests]]
input = """
var response = await client.IsAuthorizedAsync(request);
"""
expect_match = false
68 changes: 68 additions & 0 deletions rules/go/aws-verified-permissions.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
[rule]
id = "go-aws-verified-permissions"
languages = ["go"]
category = "custom"
confidence = "high"
description = "AWS Verified Permissions authorization call in Go"
externalized = true
query = """
(call_expression
function: (selector_expression
operand: (_) @receiver
field: (field_identifier) @method_name)
) @match
"""

[rule.predicates.method_name]
match = "^(IsAuthorized|IsAuthorizedWithToken)$"

[rule.predicates.receiver]
match = "(?i)(verifiedpermissions|verified_permissions|avp|\\bvp\\b)"

[[rule.tests]]
input = """
package main

import "github.com/aws/aws-sdk-go-v2/service/verifiedpermissions"

func decide(avp *verifiedpermissions.Client, ctx context.Context, input *verifiedpermissions.IsAuthorizedInput) {
out, err := avp.IsAuthorized(ctx, input)
_ = out
_ = err
}
"""
expect_match = true

[[rule.tests]]
input = """
package main

func decide(verifiedpermissions *verifiedpermissions.Client, ctx context.Context, input *verifiedpermissions.IsAuthorizedWithTokenInput) {
out, err := verifiedpermissions.IsAuthorizedWithToken(ctx, input)
_ = out
_ = err
}
"""
expect_match = true

[[rule.tests]]
input = """
package main

func handle(client *http.Client, req *http.Request) {
client.Do(req)
}
"""
expect_match = false

[[rule.tests]]
input = """
package main

func decide(client *Authorizer, ctx context.Context, input Input) {
out, err := client.IsAuthorized(ctx, input)
_ = out
_ = err
}
"""
expect_match = false
56 changes: 56 additions & 0 deletions rules/go/cedar-eval.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
[rule]
id = "go-cedar-eval"
languages = ["go"]
category = "custom"
confidence = "high"
description = "Cedar policy evaluation in Go (cedar-go PolicySet/IsAuthorized calls)"
externalized = true
query = """
(call_expression
function: (selector_expression
operand: (_) @receiver
field: (field_identifier) @method_name)
) @match
"""

[rule.predicates.method_name]
eq = "IsAuthorized"

[rule.predicates.receiver]
match = "(?i)(cedar|policyset|policy_set|ps|authorizer|authz)"

[[rule.tests]]
input = """
package main

import "github.com/cedar-policy/cedar-go"

func loadPolicySet(src []byte) {
ps, err := cedar.NewPolicySetFromBytes(src)
_ = ps
_ = err
}
"""
expect_match = false

[[rule.tests]]
input = """
package main

func decide(ps *cedar.PolicySet, req cedar.Request) {
ok, diag := ps.IsAuthorized(req)
_ = ok
_ = diag
}
"""
expect_match = true

[[rule.tests]]
input = """
package main

func handle(svc *Service) {
svc.Process(input)
}
"""
expect_match = false
61 changes: 61 additions & 0 deletions rules/java/aws-verified-permissions.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
[rule]
id = "java-aws-verified-permissions"
languages = ["java"]
category = "custom"
confidence = "high"
description = "AWS Verified Permissions authorization call in Java"
externalized = true
query = """
(method_invocation
object: (_) @receiver
name: (identifier) @method_name
) @match
"""

[rule.predicates.method_name]
match = "^(isAuthorized|isAuthorizedWithToken)$"

[rule.predicates.receiver]
match = "(?i)(verifiedpermissions|verified_permissions|avp|\\bvp\\b)"

[[rule.tests]]
input = """
import software.amazon.awssdk.services.verifiedpermissions.VerifiedPermissionsClient;

class Handler {
void decide(VerifiedPermissionsClient avp, IsAuthorizedRequest request) {
avp.isAuthorized(request);
}
}
"""
expect_match = true

[[rule.tests]]
input = """
class Handler {
void decide(VerifiedPermissionsClient verifiedPermissions, IsAuthorizedWithTokenRequest request) {
verifiedPermissions.isAuthorizedWithToken(request);
}
}
"""
expect_match = true

[[rule.tests]]
input = """
class Handler {
void run(Service svc) {
svc.process(input);
}
}
"""
expect_match = false

[[rule.tests]]
input = """
class Handler {
void decide(Authorizer client, Request request) {
client.isAuthorized(request);
}
}
"""
expect_match = false
41 changes: 41 additions & 0 deletions rules/java/cedar-eval.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
[rule]
id = "java-cedar-eval"
languages = ["java"]
category = "custom"
confidence = "high"
description = "Cedar policy evaluation in Java (AuthorizationEngine.isAuthorized)"
externalized = true
query = """
(method_invocation
object: (_) @receiver
name: (identifier) @method_name
) @match
"""

[rule.predicates.method_name]
eq = "isAuthorized"

[rule.predicates.receiver]
match = "(?i)(authorizationengine|engine|authorizer|cedar|authz)"

[[rule.tests]]
input = """
import com.cedarpolicy.AuthorizationEngine;

class Handler {
boolean decide(AuthorizationEngine engine, Request request) {
return engine.isAuthorized(request).isAllowed();
}
}
"""
expect_match = true

[[rule.tests]]
input = """
class Handler {
void run(Service svc) {
svc.process(input);
}
}
"""
expect_match = false
47 changes: 47 additions & 0 deletions rules/python/aws-verified-permissions.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
[rule]
id = "py-aws-verified-permissions"
languages = ["python"]
category = "custom"
confidence = "high"
description = "AWS Verified Permissions authorization call in Python"
externalized = true
query = """
(call
function: (attribute
object: (_) @receiver
attribute: (identifier) @method_name)
) @match
"""

[rule.predicates.method_name]
match = "^(is_authorized|is_authorized_with_token)$"

[rule.predicates.receiver]
match = "(?i)(verifiedpermissions|verified_permissions|avp|\\bvp\\b)"

[[rule.tests]]
input = """
import boto3

verifiedpermissions = boto3.client("verifiedpermissions")
verifiedpermissions.is_authorized_with_token(**params)
"""
expect_match = true

[[rule.tests]]
input = """
avp.is_authorized(policyStoreId=store_id)
"""
expect_match = true

[[rule.tests]]
input = """
cache.get("is_authorized")
"""
expect_match = false

[[rule.tests]]
input = """
client.is_authorized(policyStoreId=store_id)
"""
expect_match = false
48 changes: 48 additions & 0 deletions rules/typescript/aws-verified-permissions.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
[rule]
id = "ts-aws-verified-permissions"
languages = ["typescript", "javascript"]
category = "custom"
confidence = "high"
description = "AWS Verified Permissions authorization call in JavaScript/TypeScript"
externalized = true
query = """
(call_expression
function: (member_expression
object: (_) @receiver
property: (property_identifier) @method_name)
) @match
"""

[rule.predicates.method_name]
match = "^(isAuthorized|isAuthorizedWithToken)$"

[rule.predicates.receiver]
match = "(?i)(verifiedpermissions|verified_permissions|verifiedPermissionsClient|avp|\\bvp\\b)"

[[rule.tests]]
input = """
import { VerifiedPermissions } from "@aws-sdk/client-verifiedpermissions";

const verifiedpermissions = new VerifiedPermissions({});
await verifiedpermissions.isAuthorizedWithToken(params);
"""
expect_match = true

[[rule.tests]]
input = """
const verifiedPermissionsClient = new VerifiedPermissionsClient({});
await verifiedPermissionsClient.isAuthorized(params);
"""
expect_match = true

[[rule.tests]]
input = """
await user.isAuthorized();
"""
expect_match = false

[[rule.tests]]
input = """
await client.isAuthorized(params);
"""
expect_match = false
Loading