Bradey Wood
11/13/2023, 5:12 PM
request = {
  "resource": {
    "kind": "mua:app",
    "id": "ioi"
  },
  "principal": {
    "id": "ioi_user",
    "roles": [
      "user"
    ],
    "attr": {
      "appsEnabled": [
        "ioi"
      ]
    }
  }
}
Rules:
-> :rules
Conditional rules in 'resource.mua_app.vtemplate'
[#0]
actions:
  - access
condition:
  match:
    expr: R.id in P.attr.appsEnabled
effect: EFFECT_ALLOW
roles:
  - '*'
-> :exec #0
└──R.id in P.attr.appsEnabled [true]
Tests:
cerbos compile policies --verbose --run=app
Test results
├──view deal (resource_policies/ECM/deal_test.yaml) [SKIPPED]
└─┬access app (resource_policies/MUA/app_test.yaml) [1 FAILED]
  └─┬app enabled users can access the relevant app
    └─┬ioi_enabled
      └─┬ioi
        └─┬access [FAILED]
          └──OUTCOME: expected: EFFECT_ALLOW, actual: EFFECT_DENY
TRACES
access app - ioi_enabled.ioi.access
action=access
activated
effect → deny
No matching policies
16 tests executed [15 SKIPPED] [1 FAILED]
cerbos: error: tests failed
Charith (Cerbos)
policyVersion: template in your resource definitions for the tests
Charith (Cerbos)
policyVersion is not defined, Cerbos looks for policies with version default. In your case, there's no default policy.