Implement Context serialization to better support logging

[adamrothman]

Describe the improvement you'd like to request

The cedar-local-agent crate supports the logging of authorization requests. A developer using the crate can configure which properties of the request should be logged using FieldSetBuilder, as in this example:

let log_config = log::ConfigBuilder::default()
    .field_set(
        log::FieldSetBuilder::default()
            .principal(true)
            .action(true)
            .resource(true)
            .context(true)
            .entities(log::FieldLevel::All)
            .build()
            .expect("building log field set"),
    )
    .build()
    .expect("building log config");

But even when .context(true) is set on the field set builder, as in the example above, the context object is logged opaquely, like this:

request with principal Example::Principal::"foo", action Example::Action::"bar", resource Example::Resource::"baz", and context <first-class record with 4 fields>

Our particular application of Cedar makes extensive use of the context, and as it stands, it's difficult to do any kind of useful analysis of the logs we get from cedar-local-agent. When I raised this with the Cedar team, @GurvirDehal pointed out that cedar-local-agent simply relies on the impl std::fmt::Display for Request provided by the core Cedar SDK. This implementation does not serialize the context's contents.

Since it's already possible to deserialize a Context from JSON via from_json_str and from_json_value, one option might be to implement the corresponding serialization steps for easy logging.

Describe alternatives you've considered

No response

Additional context

No response

Is this something that you'd be interested in working on?

• 👋 I may be able to implement this internal improvement
• ⚠️ This feature might incur a breaking change

[shaobo-he-aws]

Thank you for your interest in Cedar. It seems cedar-local-agent depends on cedar-policy-core, where Context does derive Serialize. That being said, its counterpart in cedar-policy does not and cedar-policy contains our stable public APIs. @GurvirDehal, could you please confirm that which crate cedar-local-agent uses to implement request?

[GurvirDehal]

The cedar-local-agent uses the Request impl from cedar-policy crate in this case. The relevant block of code in the CLA for this issue is here.

[shaobo-he-aws]

We just released APIs to get the context of a request in 4.3.0. That being said, we don't provide a to_json method to Context. If you are thinking of implenting what @adamrothman requested, we can certainly add it.

Added Request::context and Context::get methods to allow easy extraction of values from the context by key (#1318)

[GurvirDehal]

Having that Context::to_json method would be fantastic if possible : )
We can then raise an issue on the cedar-local-agent for it to change it's logging impl accordingly.