fix: cedar request handling and policy configuration

[cb80]

Summary

Successfully fixed the Cedar policy engine architectural flaw by separating request configuration from engine state.

Problem Identified

The original implementation had a confusing and dangerous pattern:

• Check() created a temporary cedarPolicyEngine instance
• Option closures (WithSubject, WithAction, WithContextData) type-asserted and mutated the temporary engine's request field
• The actual authorization used e.policySet from the receiver and cpe.request from the temporary engine
• This only worked because current options don't read receiver state
• Future options (e.g., WithResource) could silently read from the wrong engine

Solution Implemented

Created a dedicated request type for building authorization requests:

1. Added request type in internal/policies/cedarpolicy/check.go:

   • Implements Engine interface (required by CheckOption signature)
   • Panics if Check() is called (fail-fast for misuse)
   • Contains fields: principal, action, resource, context

2. Updated option functions to type-assert to *request:

   • WithSubject: mutates req.principal instead of cpe.request.Principal
   • WithAction: mutates req.action instead of cpe.request.Action
   • WithContextData: mutates req.context instead of cpe.request.Context

3. Updated Check() method:

   • Creates &request{} instead of temporary &cedarPolicyEngine{}
   • Applies options to build the request
   • Constructs cedar.Request from the built request
   • Uses receiver's e.policySet with the properly-constructed request

4. Removed unused field from cedarPolicyEngine:

   • Removed request cedar.Request field (line 12 in engine.go)
   • Engine now only stores policySet — the persistent configuration

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 85e3c370-d735-4e43-ad59-7f0396482940

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}