Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check valid relation-tuple characters on insert #661

Closed
relvacode opened this issue Jul 15, 2021 · 2 comments · Fixed by #709
Closed

Check valid relation-tuple characters on insert #661

relvacode opened this issue Jul 15, 2021 · 2 comments · Fixed by #709
Labels
bug Something is not working.
Milestone
v0.7.0

Comments

@relvacode
Copy link

Is your feature request related to a problem? Please describe.

With a postgres backend it's possible to insert a relation-tuple such that certain read operations always fail due to malformed string input when the server encounters a tuple in the database which contains a subject as a subject set with a colon : in the set's object.

After the problem relation-tuple is created it's no longer possible to check, or list relation-tuples that encounter it.

Now, this is described in the limitations page https://www.ory.sh/keto/docs/concepts/subjects and the document does heavily recommend using UUID mappings so this isn't a bug per-se. However, the server will still accept these on insert over gRPC causing a very vague error when attempting any read operation (I was only able to trace this down by looking at Keto's code).

Related code

keto/internal/relationtuple/definitions.go

Line 199 in 0ac4fe1

func (s *SubjectSet) FromString(str string) (Subject, error) {

For example,

members of group:B are members of group:A

NAMESPACE	OBJECT   RELATION NAME   SUBJECT
default		group:B	 member          default:group:A#member

&acl.RelationTupleDelta{
    Action: acl.RelationTupleDelta_INSERT,
    RelationTuple: &acl.RelationTuple{
        Namespace: "default",
        Object:    "group:B",
        Relation: "member",
        Subject:  &acl.Subject{
            Ref: &acl.Subject_Set{
                Set: &acl.SubjectSet{
                    Namespace: "default",
                    Object:    "group:A",
                    Relation:  "member",
                },
            },
        },
    },
}

Describe the solution you'd like

Relation tuples should be validated on insert such that they can be parsed back out of the database. In other words, anything that goes in should be able to come back out.

Describe alternatives you've considered

I've changed my application to not use any of the disallowed characters but this may help those that encounter this in future.
@zepatrik zepatrik added the bug Something is not working. label Jul 15, 2021
@zepatrik
Copy link
Member

This will be resolved as part of #638 because we don't string en- and de-code anymore with that.
Thanks for the detailed report 👍

@zepatrik
Copy link
Member

zepatrik commented Jul 15, 2021
edited
Loading

Btw, in your case you should consider having a "group" namespace, as that is really what namespaces are for.
See https://www.ory.sh/keto/docs/concepts/namespaces#scoping-of-objects for some details.

@zepatrik zepatrik added this to the v0.7.0 milestone Aug 30, 2021
This was referenced Sep 14, 2021
Closed
Merged
@github-actions github-actions bot mentioned this issue Sep 25, 2021
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something is not working.
Projects
None yet
Milestone
v0.7.0
Development

Successfully merging a pull request may close this issue.

test: ensure problematic chars are not creatable over REST ory/keto
2 participants
@zepatrik @relvacode