Make datetime generation optional (#514)

Signed-off-by: Shaobo He <shaobohe@amazon.com>

cedar-drt/fuzz/fuzz_targets/abac-type-directed.rs

@@ -63,6 +63,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's Ok to enable this flag because the diff tester ignores unknown extension function errors thrown by Lean
+    enable_datetime_extension: true,
 };
 
 impl<'a> Arbitrary<'a> for FuzzTargetInput {

cedar-drt/fuzz/fuzz_targets/abac.rs

@@ -65,6 +65,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's Ok to enable this flag because the diff tester ignores unknown extension function errors thrown by Lean
+    enable_datetime_extension: true,
 };
 
 impl<'a> Arbitrary<'a> for FuzzTargetInput {

cedar-drt/fuzz/fuzz_targets/common-type-resolution.rs

@@ -49,6 +49,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's Ok to enable this flag because this target is PBT
+    enable_datetime_extension: true,
 };
 
 impl<'a> Arbitrary<'a> for Input {

cedar-drt/fuzz/fuzz_targets/entity-slicing-drt-type-directed.rs

@@ -64,6 +64,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's Ok to enable this flag because this target is PBT
+    enable_datetime_extension: true,
 };
 
 impl<'a> Arbitrary<'a> for FuzzTargetInput {

cedar-drt/fuzz/fuzz_targets/entity-validation.rs

@@ -49,6 +49,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's *not* Ok to enable this flag because this target will otherwise throw unknown extension function errors.
+    enable_datetime_extension: false,
 };
 
 impl<'a> Arbitrary<'a> for FuzzTargetInput {

cedar-drt/fuzz/fuzz_targets/eval-type-directed.rs

@@ -61,6 +61,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's Ok to enable this flag because the diff tester ignores unknown extension function errors thrown by Lean
+    enable_datetime_extension: true,
 };
 
 impl<'a> Arbitrary<'a> for FuzzTargetInput {

cedar-drt/fuzz/fuzz_targets/formatter.rs

@@ -59,6 +59,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's Ok to enable this flag because this target is PBT
+    enable_datetime_extension: true,
 };
 
 impl<'a> Arbitrary<'a> for FuzzTargetInput {

cedar-drt/fuzz/fuzz_targets/json-schema-roundtrip.rs

@@ -47,6 +47,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's Ok to enable this flag because this target is PBT
+    enable_datetime_extension: true,
 };
 
 impl<'a> Arbitrary<'a> for Input {

cedar-drt/fuzz/fuzz_targets/partial-eval.rs

@@ -62,6 +62,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: true,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's Ok to enable this flag because the diff tester ignores unknown extension function errors thrown by Lean
+    enable_datetime_extension: true,
 };
 
 impl<'a> Arbitrary<'a> for FuzzTargetInput {

cedar-drt/fuzz/fuzz_targets/protobuf-roundtrip.rs

@@ -54,6 +54,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's Ok to enable this flag because this target is PBT
+    enable_datetime_extension: true,
 };
 
 impl<'a> Arbitrary<'a> for FuzzTargetInput {

cedar-drt/fuzz/fuzz_targets/request-validation.rs

@@ -55,6 +55,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's *not* Ok to enable this flag because this target will otherwise throw unknown extension function errors.
+    enable_datetime_extension: false,
 };
 
 impl<'a> Arbitrary<'a> for FuzzTargetInput {

cedar-drt/fuzz/fuzz_targets/roundtrip-entities.rs

@@ -50,6 +50,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's Ok to enable this flag because this target is PBT.
+    enable_datetime_extension: true,
 };
 
 impl<'a> Arbitrary<'a> for FuzzTargetInput {

cedar-drt/fuzz/fuzz_targets/roundtrip.rs

@@ -50,6 +50,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's Ok to enable this flag because this target is PBT.
+    enable_datetime_extension: true,
 };
 
 impl<'a> Arbitrary<'a> for FuzzTargetInput {

cedar-drt/fuzz/fuzz_targets/schema-roundtrip.rs

@@ -49,6 +49,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's Ok to enable this flag because this target is PBT.
+    enable_datetime_extension: true,
 };
 
 impl<'a> Arbitrary<'a> for Input {

cedar-drt/fuzz/fuzz_targets/validation-drt-type-directed.rs

@@ -46,6 +46,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's Ok to enable this flag because the diff tester ignores unknown extension function errors thrown by Lean
+    enable_datetime_extension: true,
 };
 
 impl<'a> Arbitrary<'a> for FuzzTargetInput {

cedar-drt/fuzz/fuzz_targets/validation-drt.rs

@@ -48,6 +48,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's Ok to enable this flag because the diff tester ignores unknown extension function errors thrown by Lean
+    enable_datetime_extension: true,
 };
 
 impl<'a> Arbitrary<'a> for FuzzTargetInput {

cedar-drt/fuzz/fuzz_targets/validation-pbt-type-directed.rs

@@ -64,6 +64,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's Ok to enable this flag because this target is PBT.
+    enable_datetime_extension: true,
 };
 
 impl<'a> Arbitrary<'a> for FuzzTargetInput {

cedar-drt/fuzz/fuzz_targets/validation-pbt.rs

@@ -65,6 +65,8 @@ const SETTINGS: ABACSettings = ABACSettings {
     enable_unknowns: false,
     enable_action_in_constraints: true,
     enable_unspecified_apply_spec: true,
+    // It's Ok to enable this flag because this target is PBT.
+    enable_datetime_extension: true,
 };
 
 const LOG_FILENAME_GENERATION_START: &str = "./logs/01_generation_start.txt";
@@ -160,7 +162,7 @@ fn log_err<T>(res: Result<T>, doing_what: &str) -> Result<T> {
             Err(Error::OtherArbitrary(_)) => {
                 checkpoint(LOG_FILENAME_ERR_OTHER.to_string() + "_" + doing_what)
             }
-            Ok(_) => (),
+            Ok(_) | Err(Error::DatetimeExtensionsDisabled) => (),
         }
     }
     res

cedar-policy-generators/src/err.rs

@@ -46,6 +46,12 @@ pub enum Error {
         "tried to generate something with an extension type, but extension types were disabled"
     )]
     ExtensionsDisabled,
+    /// Tried to generate something related to the `datetime` extension, but it
+    /// was disabled in settings
+    #[error(
+        "tried to generate something related to the `datetime` extension, but it was disabled"
+    )]
+    DatetimeExtensionsDisabled,
     /// Tried to generate something using the `like` operator, but the `like`
     /// operator was disabled in settings
     #[error("tried to generate something using the `like` operator, but the `like` operator was disabled")]
@@ -89,6 +95,7 @@ impl From<Error> for arbitrary::Error {
             Error::TooDeep => arbitrary::Error::IncorrectFormat,
             Error::NoValidPrincipalOrResourceTypes => arbitrary::Error::IncorrectFormat,
             Error::ExtensionsDisabled => arbitrary::Error::IncorrectFormat,
+            Error::DatetimeExtensionsDisabled => arbitrary::Error::IncorrectFormat,
             Error::LikeDisabled => arbitrary::Error::IncorrectFormat,
             Error::EntitiesError(_) => arbitrary::Error::IncorrectFormat,
             Error::IncorrectFormat { .. } => arbitrary::Error::IncorrectFormat,

cedar-policy-generators/src/expr.rs

@@ -1182,6 +1182,13 @@ impl<'a> ExprGenerator<'a> {
                     if !self.settings.enable_extensions {
                         return Err(Error::ExtensionsDisabled);
                     };
+
+                    if !self.settings.enable_datetime_extension
+                        && matches!(target_type, Type::DateTime | Type::Duration)
+                    {
+                        return Err(Error::DatetimeExtensionsDisabled);
+                    }
+
                     if max_depth == 0 || u.len() < 10 {
                         // no recursion allowed, so, just call the constructor
                         // Invariant (MethodStyleArgs), Function Style, no worries
@@ -1687,7 +1694,13 @@ impl<'a> ExprGenerator<'a> {
             } => match name.as_ref() {
                 "ipaddr" => self.generate_expr_for_type(&Type::ipaddr(), max_depth, u),
                 "decimal" => self.generate_expr_for_type(&Type::decimal(), max_depth, u),
+                "datetime" if !self.settings.enable_datetime_extension => {
+                    Err(Error::DatetimeExtensionsDisabled)
+                }
                 "datetime" => self.generate_expr_for_type(&Type::datetime(), max_depth, u),
+                "duration" if !self.settings.enable_datetime_extension => {
+                    Err(Error::DatetimeExtensionsDisabled)
+                }
                 "duration" => self.generate_expr_for_type(&Type::duration(), max_depth, u),
                 _ => panic!("unrecognized extension type: {name:?}"),
             },
@@ -1822,9 +1835,15 @@ impl<'a> ExprGenerator<'a> {
                     "decimal" => {
                         self.generate_ext_func_call_for_type(&Type::decimal(), max_depth, u)
                     }
+                    "datetime" if !self.settings.enable_datetime_extension => {
+                        return Err(Error::DatetimeExtensionsDisabled);
+                    }
                     "datetime" => {
                         self.generate_ext_func_call_for_type(&Type::datetime(), max_depth, u)
                     }
+                    "duration" if !self.settings.enable_datetime_extension => {
+                        return Err(Error::DatetimeExtensionsDisabled);
+                    }
                     "duration" => {
                         self.generate_ext_func_call_for_type(&Type::duration(), max_depth, u)
                     }
@@ -1886,6 +1905,11 @@ impl<'a> ExprGenerator<'a> {
                 if max_depth == 0 {
                     return Err(Error::TooDeep);
                 }
+                if !self.settings.enable_datetime_extension
+                    && matches!(target_type, Type::DateTime | Type::Duration)
+                {
+                    return Err(Error::DatetimeExtensionsDisabled);
+                }
                 let func = self
                     .ext_funcs
                     .arbitrary_constructor_for_type(target_type, u)?;
@@ -2155,7 +2179,13 @@ impl<'a> ExprGenerator<'a> {
             } => match name.as_ref() {
                 "ipaddr" => self.generate_attr_value_for_type(&Type::ipaddr(), max_depth, u),
                 "decimal" => self.generate_attr_value_for_type(&Type::decimal(), max_depth, u),
+                "datetime" if !self.settings.enable_datetime_extension => {
+                    Err(Error::DatetimeExtensionsDisabled)
+                }
                 "datetime" => self.generate_attr_value_for_type(&Type::datetime(), max_depth, u),
+                "duration" if !self.settings.enable_datetime_extension => {
+                    Err(Error::DatetimeExtensionsDisabled)
+                }
                 "duration" => self.generate_attr_value_for_type(&Type::duration(), max_depth, u),
                 _ => unimplemented!("extension type {name:?}"),
             },

cedar-policy-generators/src/schema.rs

@@ -255,11 +255,19 @@ pub fn arbitrary_schematype_with_bounded_depth<N: From<ast::Name>>(
             json_schema::TypeVariant::Extension {
                 name: "decimal".parse().unwrap(),
             },
-            json_schema::TypeVariant::Extension {
-                name: "datetime".parse().unwrap(),
+            if settings.enable_datetime_extension {
+                json_schema::TypeVariant::Extension {
+                    name: "datetime".parse().unwrap(),
+                }
+            } else {
+                Err(Error::DatetimeExtensionsDisabled)?
             },
-            json_schema::TypeVariant::Extension {
-                name: "duration".parse().unwrap(),
+            if settings.enable_datetime_extension {
+                json_schema::TypeVariant::Extension {
+                    name: "duration".parse().unwrap(),
+                }
+            } else {
+                Err(Error::DatetimeExtensionsDisabled)?
             }
         ),
         loc: None,
@@ -1868,6 +1876,7 @@ mod tests {
         enable_unknowns: false,
         enable_unspecified_apply_spec: true,
         enable_action_in_constraints: true,
+        enable_datetime_extension: true,
     };
 
     const GITHUB_SCHEMA_STR: &str = r#"

cedar-policy-generators/src/settings.rs

@@ -30,6 +30,8 @@ pub struct ABACSettings {
     /// If true, may generate extension function calls in policies and/or
     /// attribute values.
     pub enable_extensions: bool,
+    /// If true, may generate `datetime` extension types/functions/expressions.
+    pub enable_datetime_extension: bool,
     /// Maximum depth of an expression or type. E.g., maximum nesting of sets.
     ///
     /// This is used in the following places: