Brandon Choe
03/22/2024, 11:02 PM
"Unsupported operator exists" when I try to pass in a relation to fieldNameMapper:

    queryPlanToPrisma({
      queryPlan,
      fieldNameMapper: {
        'request.resource.attr.workflowUserRoles': 'workflowUserRoles'
      }
    });

    // yaml
    - expr: >
        R.attr.workflowUserRoles.exists(workflowUserRole,
          workflowUserRole.userId == P.id && workflowUserRole.role == "OWNER"
        )

    // schema.prisma
    model Workflow {
      workflowUserRoles WorkflowUserRole[]
    }
Brandon Choe
03/22/2024, 11:39 PM
exists isn't a supported operator here, it's throwing. Should the queryPlan I get from cerbos.planResources be mapping my .exists call to one of these operators?

    const OPERATORS = {
      eq: {
        relationalCondition: "is",
        fieldCondition: "equals",
      },
      ne: {
        relationalCondition: "isNot",
        fieldCondition: "not",
      },
      in: {
        relationalCondition: "some",
        fieldCondition: "in",
      },
      lt: {
        fieldCondition: "lt",
      },
      gt: {
        fieldCondition: "gt",
      },
      le: {
        fieldCondition: "lte",
      },
      ge: {
        fieldCondition: "gte",
      },
    };
Sam Lock (Cerbos)
03/25/2024, 9:52 AM
exists clauses. I'll raise an issue for this.
For the relationship component, from reading the README, it looks like you might need to specify the model relationship via the relationMapper third arg to queryPlanToPrisma, e.g.:

    const result = queryPlanToPrisma({
      queryPlan,
      fieldNameMapper: {
        "request.resource.attr.aFieldName": "prismaModelFieldName"
      },
      relationMapper: {
        "request.resource.attr.aRelatedModel": {
          "relation": "aRelatedModel",
          "field": "id" // the column it is joined on
        }
      }
    });
Sam Lock (Cerbos)
03/25/2024, 10:02 AM
R.attr.workflowUserRoles is an array of objects -- modelling your original exists-based expression in a supported, equivalent way might not be feasible 🤔.
One basic workaround might be to represent each object attribute as individual arrays, so you can do something like:

    expr: P.id in R.attr.ownedByIds

Then checking each returned ownedBy object for the appropriate roles.
Sam Lock (Cerbos)
03/25/2024, 10:05 AM
one -> many, could you not reverse it and instead check the principal for access to the resource? E.g.:

    expr: R.attr.id in P.attr.workflowIds
Brandon Choe
03/25/2024, 5:52 PM
workflowUserRoles is an attribute of both the resource and the principal, so checking the attributes on the principal would work in this case. However, in the case where something is only an attribute of the resource, this solution would not work. For example, let's say a Workflow has a bunch of Tags and I want to check the Tags of a Workflow using queryPlanToPrisma.
> One basic workaround might be to represent each object attribute as individual arrays, so you can do something like:
How would this work using queryPlanToPrisma? I'm going to try the relationMapper. Thinking about it from a SQL perspective, it should be accomplishable with a join.
Brandon Choe
03/25/2024, 6:19 PM
Sam Lock (Cerbos)
03/26/2024, 8:38 AM
> how would this work using queryPlanToPrisma?
I don't think you can do this entirely with the query planner, given the currently supported adapter operators 🤔. My thinking was that you could retrieve a superset of the required DB rows using a partial condition in the policy, and then post-process in the application layer to reduce it down further. However, I think this is a bit useless given you'd need a "query planner only" rule in your policy, plus the need to further reduce your result set outside of the DB. I think, given the requirement you describe above, you probably do require the exists operator.
Sam Lock (Cerbos)
03/26/2024, 8:41 AM
Brandon Choe
03/26/2024, 9:57 PM
aw, that's unfortunate. I do love relying entirely on Cerbos for authorization logic
are you thinking we'll be able to get exists support into the adapter soon?
Sam Lock (Cerbos)
03/27/2024, 9:35 AM
> aw, that's unfortunate. I do love relying entirely on Cerbos for authorization logic
Totally understand.
> are you thinking we'll be able to get exists support into the adapter soon?
I don't think we can really commit to specific timings because we're doubled down on some other priorities at the minute, but this is clearly a useful feature and it's now very much on our radar. I know it's cliché, but if you did happen to have a crack at it yourself, we always welcome community contributions!
Brandon Choe
04/12/2024, 4:57 PM