Support string paramters and string literal arguments in permits definition #1122

stonelgh · 2022-11-10T11:52:20Z

stonelgh
Nov 10, 2022

The below shows off a naive GCP IAM style authorization model (without conditions and deny policy support).

class Perm implements Namespace {}
class User implements Namespace {}

class Role implements Namespace {
    related: {
      perms: (Perm | SubjectSet<Role, "perms">)[]
    }
  
    permits = {
      has_perm: (ctx: Context, perm: string): boolean => this.related.perms.includes(perm),
    }
}

class Policy implements Namespace {
    related: {
      roles: Role[]
      users: (User | SubjectSet<Group, "members">)[]
    }
  
    permits = {
      has_perm: (ctx: Context, perm: string): boolean => this.related.users.includes(ctx.subject) &&
        this.related.roles.traverse((p) => p.permits.has_perm(ctx, perm)),
    }
}

class Group implements Namespace {
    related: {
      parents: Group[]
      members: (User | SubjectSet<Group, "members">)[]
      policies: Policy[]
    }
  
    permits = {
      check: (ctx: Context, perm: string): boolean => this.related.parents.traverse((p) => p.permits.check(ctx, perm)) ||
        this.related.policies.traverse((p) => p.permits.has_perm(ctx, perm)),
    }
}

class ResourceA implements Namespace {
  related: {
    owners: Group[]
    policies: Policy[]
  }

  permits = {
    check: (ctx: Context, perm: string): boolean => this.related.owners.traverse((p) => p.permits.check(ctx, perm)) ||
      this.related.policies.traverse((p) => p.permits.check(ctx, perm)),
    get: (ctx: Context): boolean => this.permits.check(ctx, "resourceA.get"),
    edit: (ctx: Context): boolean => this.permits.check(ctx, "resourceA.edit"),
  }
}

Given the following relations:

Role:viewer#[email protected]

Policy:viewer#roles@Role:viewer#
Policy:viewer#users@User:bob#

Group:x#members@User:mark#
Group:x#policies@Policy:viewer2#

Policy:viewer2#roles@Role:viewer#
Policy:viewer2#users@User:sandy#

ResourceA:id-1#policies@Policy:viewer#
ResourceA:id-1#owners@Group:x#

The following check will return Allowed:

ResourceA:id-1#get@User:bob
ResourceA:id-1#get@User:sandy

Without the string parameters and string literal arguments support, it will be very hard to implement the model.

arieltorti · 2023-03-27T20:12:13Z

arieltorti
Mar 27, 2023

@stonelgh did you ever find a workaround for this ?

1 reply

stonelgh Aug 9, 2023
Author

We use a trick as implemented by this PR: #1123

TomOperator · 2024-12-14T22:59:44Z

TomOperator
Dec 14, 2024

This is exactly what I was looking for. Thank you @stonelgh.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support string paramters and string literal arguments in permits definition #1122

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

Support string paramters and string literal arguments in permits definition #1122

stonelgh Nov 10, 2022

Replies: 2 comments · 1 reply

arieltorti Mar 27, 2023

stonelgh Aug 9, 2023 Author

TomOperator Dec 14, 2024

stonelgh
Nov 10, 2022

Replies: 2 comments 1 reply

arieltorti
Mar 27, 2023

stonelgh Aug 9, 2023
Author

TomOperator
Dec 14, 2024