can variables hold the boolean result of an expression Cerbos Community #help

Join Slack

can variables hold the boolean result of an expres...

# help

Jesum Yip

08/24/2023, 4:06 AM

can variables hold the boolean result of an expression?

Dennis (Cerbos)

08/24/2023, 4:07 AM

Yes, they can

Jesum Yip

08/24/2023, 4:08 AM

so i can put this whole block into a variable?

Copy code

match:
          all:
            of:
              - expr: P.id in ["xxxxxxxxxx"]
              - any:
                  of:
                    - all:
                        of:
                          - expr: has(request.aux_data.jwt.aud)
                          - any:
                              of:
                                - expr: >
                                    "myaud" in request.aux_data.jwt.aud
                                - expr: (request.aux_data.jwt.aud == "myaud")
                          - expr: has(request.aux_data.jwt.org_info)
                          - expr: has(request.aux_data.jwt.org_info.default_org_id)
                          - expr: has(request.aux_data.jwt.org_info.orgs)
                          - expr: type(request.aux_data.jwt.org_info.orgs) == list
                          - expr: >
                              request.aux_data.jwt.org_info.default_org_id == "org_id"
                          - any:
                              of:
                                - expr: request.principal.attr.surrogate_org_id == ""
                                - expr: has(request.principal.attr.surrogate_org_id) == false
                                - expr: request.principal.attr.surrogate_org_id == null
                    # The next section guarantees that the user is a Avengers surrogate user
                    - all:
                        of:
                          - expr: has(request.aux_data.jwt.aud)
                          - expr: >
                              ("myaud" in request.aux_data.jwt.aud)
                          - expr: has(request.aux_data.jwt.org_info)
                          - expr: has(request.aux_data.jwt.org_info.default_org_id)
                          - expr: has(request.aux_data.jwt.org_info.orgs)
                          - expr: type(request.aux_data.jwt.org_info.orgs) == list
                          - expr: has(request.principal.attr.surrogate_org_id)              
                          - expr: >
                              request.principal.attr.surrogate_org_id == "org_id"
                          - expr: >
                              request.aux_data.jwt.org_info.orgs.exists_one(t, t.org_id == "org_id")

Jesum Yip

08/24/2023, 4:09 AM

this is invalid though

Copy code

apiVersion: api.cerbos.dev/v1
description: Common variables used within the Apatr app
exportVariables:
  name: apatr_common_variables
  definitions:
    super_var:         
      match:
          all:
            of:
              - expr: P.id in ["xxxxxxxxxx"]
              - any:
                  of:
                    - all:
                        of:
                          - expr: has(request.aux_data.jwt.aud)
                          - any:
                              of:
                                - expr: >
                                    "myaud" in request.aux_data.jwt.aud
                                - expr: (request.aux_data.jwt.aud == "myaud")
                          - expr: has(request.aux_data.jwt.org_info)
                          - expr: has(request.aux_data.jwt.org_info.default_org_id)
                          - expr: has(request.aux_data.jwt.org_info.orgs)
                          - expr: type(request.aux_data.jwt.org_info.orgs) == list
                          - expr: >
                              request.aux_data.jwt.org_info.default_org_id == "org_id"
                          - any:
                              of:
                                - expr: request.principal.attr.surrogate_org_id == ""
                                - expr: has(request.principal.attr.surrogate_org_id) == false
                                - expr: request.principal.attr.surrogate_org_id == null
                    # The next section guarantees that the user is a Avengers surrogate user
                    - all:
                        of:
                          - expr: has(request.aux_data.jwt.aud)
                          - expr: >
                              ("myaud" in request.aux_data.jwt.aud)
                          - expr: has(request.aux_data.jwt.org_info)
                          - expr: has(request.aux_data.jwt.org_info.default_org_id)
                          - expr: has(request.aux_data.jwt.org_info.orgs)
                          - expr: type(request.aux_data.jwt.org_info.orgs) == list
                          - expr: has(request.principal.attr.surrogate_org_id)              
                          - expr: >
                              request.principal.attr.surrogate_org_id == "org_id"
                          - expr: >
                              request.aux_data.jwt.org_info.orgs.exists_one(t, t.org_id == "org_id")

Jesum Yip

08/24/2023, 4:10 AM

file is not valid: [/exportVariables/definitions/super_var: expected string, but got object]

Dennis (Cerbos)

08/24/2023, 4:10 AM

A variable can hold a result of CEL expression evaluation.

Jesum Yip

08/24/2023, 4:10 AM

so a single

expr

Dennis (Cerbos)

08/24/2023, 4:10 AM

Yes

Jesum Yip

08/24/2023, 4:11 AM

darn.....i gotta rewrite all that

match.any.of

etc

Jesum Yip

08/24/2023, 4:11 AM

match.all.of

..... ok. i'll try that. thanks!

Dennis (Cerbos)

08/24/2023, 4:12 AM

Yes, quite a long boolean expression.

Jesum Yip

08/24/2023, 4:13 AM

yup! i'll break it down into 1 bool expr in 1 var then one final mother of all vars that uses those individual vars

Dennis (Cerbos)

08/24/2023, 4:14 AM

I don’t think a variable can reference another variable.

Jesum Yip

08/24/2023, 4:15 AM

omg.....

Jesum Yip

08/24/2023, 4:15 AM

Dennis (Cerbos)

08/24/2023, 4:17 AM

Maybe instead of a mother var, you can use a derived role?

Jesum Yip

08/24/2023, 4:17 AM

well i do but i need to repeat the derivedrole logic elsewhere

Dennis (Cerbos)

08/24/2023, 4:18 AM

I see

Jesum Yip

08/24/2023, 4:18 AM

because i want to check if user.id = xxxx and user.derivedRole = "yyyy"

Jesum Yip

08/24/2023, 4:18 AM

i can't access user.derivedRole

Jesum Yip

08/24/2023, 4:18 AM

so i have to repeat the logic

Jesum Yip

08/24/2023, 4:19 AM

so i have 2 derived roles. 1. superman-derivedRole 2. superman-surrogate-derivedRole i have various resource policies where i grant these 2 roles access. i now have a special resource policy that i want to grant to user-X and i want to ensure user-X is either in #1 or #2 above.

Jesum Yip

08/24/2023, 4:20 AM

if i do not do that last check then there is a chance that user-X will be accessing that resource but that resource does not have valid data for that user.

Jesum Yip

08/24/2023, 4:21 AM

just to explain. #2 means the user is in wonderwoman-derivedRole but this user is also granted superman-surrogate-derivedRole. so this user can see data related to superman-derivedRole resources.

Jesum Yip

08/24/2023, 4:21 AM

it's kinda like wonderoman-derivedRole is an auditor and he or she wants to see all financial customer data

Jesum Yip

08/24/2023, 4:22 AM

maybe i should rethink this....scopes might help?

Dennis (Cerbos)

08/24/2023, 4:25 AM

Correct me if I’m wrong. Would it help if you could specify that you need both derived roles? Currently, in a policy, you can specify multiple derived roles, but it is required to have any of them, not all.

Jesum Yip

08/24/2023, 4:26 AM

yes that's right but the problem is when i'm trying to calculate the derivedRole for that special resource

Jesum Yip

08/24/2023, 4:26 AM

i need to think about this a bit more

Jesum Yip

08/24/2023, 4:29 AM

ah yes ther'es a simpler way to do this

Jesum Yip

08/24/2023, 4:32 AM

would be nice if i can reference the derivedRole in P.derivedRole

Jesum Yip

08/24/2023, 4:32 AM

at least get an array. 🙂

Jesum Yip

08/24/2023, 4:33 AM

so what i ended up with: 1. the resourcepolicy "FinancialStatements" that grants access to the role "poweruser" 2. the role "poweruser" is assigned to: • userid-xxx • any user with a JWT that has the details to identify the user as an "Auditor"

Jesum Yip

08/24/2023, 4:33 AM

that problem is the 2nd bullet point

Jesum Yip

08/24/2023, 4:33 AM

i have a derived role policy for "Auditor"

Dennis (Cerbos)

08/24/2023, 4:33 AM

Is “poweruser” a derived role?

Jesum Yip

08/24/2023, 4:33 AM

yes

Jesum Yip

08/24/2023, 4:34 AM

i had to cut and paste the logic from derived role "Auditor" into the resourcepolicy "FinancialStatements"

Dennis (Cerbos)

08/24/2023, 4:35 AM

Is what you were trying to avoid with your original question about variables?

Jesum Yip

08/24/2023, 4:35 AM

yeah

Jesum Yip

08/24/2023, 4:35 AM

that's my scenario.

Jesum Yip

08/24/2023, 4:36 AM

Copy code

apiVersion: "api.cerbos.dev/v1"
description: Global Invicta Roles
derivedRoles:
  name: global_invicta_roles
  definitions:
    - name: invicta_cspm_role
      parentRoles: [ "*" ]
      condition:
        match:
          any:
            of:
              - expr: P.id in ["xxxx"]
              - expr: P.derivedRole in ["Auditor"]

Jesum Yip

08/24/2023, 4:36 AM

that would be nice but it's not possible because of

P.derivedRole

Dennis (Cerbos)

08/24/2023, 4:36 AM

Can you declare a set of variables and reference them in these “auditor” and “poweruser” roles?

Jesum Yip

08/24/2023, 4:37 AM

how? i can't because:

Copy code

- all:
                  of:
                    - expr: has(request.aux_data.jwt.aud)
                    - any:
                        of:
                          - expr: >
                              "myaud" in request.aux_data.jwt.aud
                          - expr: (request.aux_data.jwt.aud == "myaud")
                    - expr: has(request.aux_data.jwt.org_info)
                    - expr: has(request.aux_data.jwt.org_info.default_org_id)
                    - expr: has(request.aux_data.jwt.org_info.orgs)
                    - expr: type(request.aux_data.jwt.org_info.orgs) == list
                    - expr: >
                        request.aux_data.jwt.org_info.default_org_id == "Audit Company 1"
                    - any:
                        of:
                          - expr: request.principal.attr.surrogate_org_id == ""
                          - expr: has(request.principal.attr.surrogate_org_id) == false
                          - expr: request.principal.attr.surrogate_org_id == null

that's the condition to give "Auditor" role

Jesum Yip

08/24/2023, 4:37 AM

multiple

expr

Dennis (Cerbos)

08/24/2023, 4:40 AM

I agree, merging this into a single

expr

won’t give you a nice solution.

Jesum Yip

08/24/2023, 4:41 AM

difficult to maintain

Jesum Yip

08/24/2023, 4:41 AM

so i really need

P.derivedRole

Dennis (Cerbos)

08/24/2023, 4:42 AM

The problem with

P.derviedRole

is that it implies there’s a dependency between them. We are thinking about an alternative.

Jesum Yip

08/24/2023, 4:43 AM

Dennis (Cerbos)

08/24/2023, 4:45 AM

if you could specify that you need both derived roles “Auditor” and “Poweruser”, you wouldn’t need to repeat the Auditor’s conditions.

Dennis (Cerbos)

08/24/2023, 4:46 AM

A kind of composition instead of inheritance

Jesum Yip

08/24/2023, 4:48 AM

jeeeeeeeeeesus

Jesum Yip

08/24/2023, 4:48 AM

how stupid i was. you are absolutely right! i went down the wrong rabbit hole!!!!!!!!!!

Jesum Yip

08/24/2023, 4:49 AM

grrrrrrr!!!

Dennis (Cerbos)

08/24/2023, 4:49 AM

Sorry, you can’t do it right now.

Jesum Yip

08/24/2023, 4:50 AM

no no, i rewrote my policy. in the resource policy, i just had to add "Auditor" into the derivedRole that has access to that resource of "Financial Statements". my god...i should be slapping myself silly now

Jesum Yip

08/24/2023, 4:50 AM

Copy code

apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: test_resource
  version: development
  importDerivedRoles:
  - global_invicta_roles
  - auditor_global_roles
  rules:
  - actions:
    - read
    - subscribed
    effect: EFFECT_ALLOW
    derivedRoles:
    - auditor_role
    - invicta_cspm_role
    condition:
      match:
        expr: request.resource.attr.data_org_id == "xxxxxx"

Dennis (Cerbos)

08/24/2023, 4:51 AM

But what if a user doesn’t have

invicta_cspm_role

role?

Jesum Yip

08/24/2023, 4:51 AM

you mean

derivedRoles

is evaluated as an

and

condition?

Dennis (Cerbos)

08/24/2023, 4:51 AM

Copy code

derivedRoles:
    - auditor_role
    - invicta_cspm_role

This means EITHER of these roles

Jesum Yip

08/24/2023, 4:51 AM

the user needs both roles?

Jesum Yip

08/24/2023, 4:51 AM

yes i want

EITHER

OR

condition

Dennis (Cerbos)

08/24/2023, 4:51 AM

Ah, ok

Jesum Yip

08/24/2023, 4:51 AM

invicta_cspm_role is a role that a bank will hold

Jesum Yip

08/24/2023, 4:52 AM

auditor_role belongs to an auditor

Jesum Yip

08/24/2023, 4:52 AM

and

expr: request.resource.attr.data_org_id == "xxxxxx"

ensures that the resource is only valid if it is attached to THAT bank

Jesum Yip

08/24/2023, 4:52 AM

so if an insurance company comes along, the auditor cannot access "Financial Statements" because

expr: request.resource.attr.data_org_id == "xxxxxx"

wouldn't match for that insurance company

Jesum Yip

08/24/2023, 4:53 AM

if i ever needed the "AND" condition, i would have to write a different derived role policy that combines both auditor and invicta_cspm_role

Jesum Yip

08/24/2023, 4:53 AM

maybe call it invicta_cspm_auditor_role

Dennis (Cerbos)

08/24/2023, 4:56 AM

if i ever needed the “AND” condition, i would have to write a different derived role policy that combines both auditor and invicta_cspm_role

We had this idea, but there’s no ETA yet.

Jesum Yip

08/24/2023, 4:56 AM

alright!

3 Views

Open in Slack

Previous Next