Skip to content

fix: support recursive attributes in lookup-entity #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
erberkson wants to merge 1 commit into
base: before-recursive
Choose a base branch
from
Open

fix: support recursive attributes in lookup-entity #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
217 changes: 217 additions & 0 deletions internal/engines/check_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2372,4 +2372,221 @@ var _ = Describe("check-engine", func() {
}
})
})

Context("Recursive Attribute Permissions", func() {
It("should allow same-type recursive attribute permissions", func() {
schema := `
entity user {}

entity resource {
relation parent @resource
attribute is_public boolean
permission view = is_public or parent.view
}
`

db, err := factories.DatabaseFactory(config.Database{Engine: "memory"})
Expect(err).ShouldNot(HaveOccurred())

conf, err := newSchema(schema)
Expect(err).ShouldNot(HaveOccurred())

schemaWriter := factories.SchemaWriterFactory(db)
err = schemaWriter.WriteSchema(context.Background(), conf)
Expect(err).ShouldNot(HaveOccurred())

schemaReader := factories.SchemaReaderFactory(db)
dataReader := factories.DataReaderFactory(db)
dataWriter := factories.DataWriterFactory(db)

checkEngine := NewCheckEngine(schemaReader, dataReader)
lookupEngine := NewLookupEngine(checkEngine, schemaReader, dataReader)
invoker := invoke.NewDirectInvoker(schemaReader, dataReader, checkEngine, nil, lookupEngine, nil)
checkEngine.SetInvoker(invoker)

relationships := []string{
"resource:r1#parent@resource:default",
}

var tuples []*base.Tuple
for _, relationship := range relationships {
t, err := tuple.Tuple(relationship)
Expect(err).ShouldNot(HaveOccurred())
tuples = append(tuples, t)
}

publicAttr, err := attribute.Attribute("resource:default$is_public|boolean:true")
Expect(err).ShouldNot(HaveOccurred())

_, err = dataWriter.Write(
context.Background(),
"t1",
database.NewTupleCollection(tuples...),
database.NewAttributeCollection(publicAttr),
)
Expect(err).ShouldNot(HaveOccurred())

resp, err := invoker.Check(context.Background(), &base.PermissionCheckRequest{
TenantId: "t1",
Entity: &base.Entity{Type: "resource", Id: "r1"},
Permission: "view",
Subject: &base.Subject{Type: "user", Id: "u1"},
Metadata: &base.PermissionCheckRequestMetadata{
SnapToken: token.NewNoopToken().Encode().String(),
SchemaVersion: "",
Depth: 20,
},
})
Expect(err).ShouldNot(HaveOccurred())
Expect(resp.GetCan()).To(Equal(base.CheckResult_CHECK_RESULT_ALLOWED))
})

It("should allow cross-type recursive attribute permissions", func() {
schema := `
entity user {}

entity org {
attribute is_public boolean
permission view = is_public
}

entity folder {
relation parent @org
attribute is_public boolean
permission view = is_public or parent.view
}

entity resource {
relation parent @folder
permission view = parent.view
}
`

db, err := factories.DatabaseFactory(config.Database{Engine: "memory"})
Expect(err).ShouldNot(HaveOccurred())

conf, err := newSchema(schema)
Expect(err).ShouldNot(HaveOccurred())

schemaWriter := factories.SchemaWriterFactory(db)
err = schemaWriter.WriteSchema(context.Background(), conf)
Expect(err).ShouldNot(HaveOccurred())

schemaReader := factories.SchemaReaderFactory(db)
dataReader := factories.DataReaderFactory(db)
dataWriter := factories.DataWriterFactory(db)

checkEngine := NewCheckEngine(schemaReader, dataReader)
lookupEngine := NewLookupEngine(checkEngine, schemaReader, dataReader)
invoker := invoke.NewDirectInvoker(schemaReader, dataReader, checkEngine, nil, lookupEngine, nil)
checkEngine.SetInvoker(invoker)

relationships := []string{
"folder:f1#parent@org:o1",
"resource:r1#parent@folder:f1",
}

var tuples []*base.Tuple
for _, relationship := range relationships {
t, err := tuple.Tuple(relationship)
Expect(err).ShouldNot(HaveOccurred())
tuples = append(tuples, t)
}

publicAttr, err := attribute.Attribute("org:o1$is_public|boolean:true")
Expect(err).ShouldNot(HaveOccurred())

_, err = dataWriter.Write(
context.Background(),
"t1",
database.NewTupleCollection(tuples...),
database.NewAttributeCollection(publicAttr),
)
Expect(err).ShouldNot(HaveOccurred())

resp, err := invoker.Check(context.Background(), &base.PermissionCheckRequest{
TenantId: "t1",
Entity: &base.Entity{Type: "resource", Id: "r1"},
Permission: "view",
Subject: &base.Subject{Type: "user", Id: "u1"},
Metadata: &base.PermissionCheckRequestMetadata{
SnapToken: token.NewNoopToken().Encode().String(),
SchemaVersion: "",
Depth: 20,
},
})
Expect(err).ShouldNot(HaveOccurred())
Expect(resp.GetCan()).To(Equal(base.CheckResult_CHECK_RESULT_ALLOWED))
})

It("should allow mixed-entrance recursive attribute permissions", func() {
schema := `
entity user {}

entity resource {
relation viewer @user
relation parent @resource
attribute is_public boolean
permission view = viewer or is_public or parent.view
}
`

db, err := factories.DatabaseFactory(config.Database{Engine: "memory"})
Expect(err).ShouldNot(HaveOccurred())

conf, err := newSchema(schema)
Expect(err).ShouldNot(HaveOccurred())

schemaWriter := factories.SchemaWriterFactory(db)
err = schemaWriter.WriteSchema(context.Background(), conf)
Expect(err).ShouldNot(HaveOccurred())

schemaReader := factories.SchemaReaderFactory(db)
dataReader := factories.DataReaderFactory(db)
dataWriter := factories.DataWriterFactory(db)

checkEngine := NewCheckEngine(schemaReader, dataReader)
lookupEngine := NewLookupEngine(checkEngine, schemaReader, dataReader)
invoker := invoke.NewDirectInvoker(schemaReader, dataReader, checkEngine, nil, lookupEngine, nil)
checkEngine.SetInvoker(invoker)

relationships := []string{
"resource:za#viewer@user:u1",
"resource:zb#parent@resource:za",
"resource:zc#parent@resource:zb",
}

var tuples []*base.Tuple
for _, relationship := range relationships {
t, err := tuple.Tuple(relationship)
Expect(err).ShouldNot(HaveOccurred())
tuples = append(tuples, t)
}

publicAttr, err := attribute.Attribute("resource:za$is_public|boolean:true")
Expect(err).ShouldNot(HaveOccurred())

_, err = dataWriter.Write(
context.Background(),
"t1",
database.NewTupleCollection(tuples...),
database.NewAttributeCollection(publicAttr),
)
Expect(err).ShouldNot(HaveOccurred())

resp, err := invoker.Check(context.Background(), &base.PermissionCheckRequest{
TenantId: "t1",
Entity: &base.Entity{Type: "resource", Id: "zc"},
Permission: "view",
Subject: &base.Subject{Type: "user", Id: "u1"},
Metadata: &base.PermissionCheckRequestMetadata{
SnapToken: token.NewNoopToken().Encode().String(),
SchemaVersion: "",
Depth: 20,
},
})
Expect(err).ShouldNot(HaveOccurred())
Expect(resp.GetCan()).To(Equal(base.CheckResult_CHECK_RESULT_ALLOWED))
})
})
})
Loading