# help
j
Hi, I have a policy document that evaluates properly in the Cerbos playground but does not work in Go code. Evaluating the "update" action works when R.attr.user_id == P.id, however it does not evaluate when R.attr.role == "supervisor". In the Cerbos playground this works properly, but in Go code it does not evaluate properly.
# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies

apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: order
  version: default
  rules:
    - actions:
        - update
      effect: EFFECT_ALLOW
      roles:
        - user
        - admin
        - supervisor
      condition:
        match:
          any:
            of:
              - expr: request.resource.attr.user_id == request.principal.id
              - expr: request.principal.attr.role == "supervisor"
d
Hi Joseph, can you show your relevant Go code?
j
if existingOrder == nil {
    oc.Logger.Info("order not found", "log_id", logId)
    return c.Status(400).JSON(internal.NewErrorResponse("order not found"))
}

// The resource carries the owner id so the policy can compare it against the principal id.
resource := cerbos.NewResource("order", existingOrder.ID).
    WithAttr("user_id", user.ID)

// The role is passed both as a principal role and as a principal attribute.
principal := cerbos.NewPrincipal(user.ID, user.Role.String()).WithAttr("role", user.Role.String())

isAllowed, err := oc.CerbosClient.IsAllowed(ctx, principal, resource, "update")
if err != nil {
    oc.Logger.Error("unable to check cerbos policy", "log_id", logId, "err", err)
    return c.Status(400).JSON(internal.NewErrorResponse("unable to update order at this time"))
}

if !isAllowed {
    oc.Logger.Info("user not authorized to update order", "log_id", logId)
    return c.Status(400).JSON(internal.NewErrorResponse("user not authorized to update order"))
}
Principal:
{
  "id": "user_3c29c3672d794a45815dffb5ea404628",
  "roles": "supervisor",
  "attr": {
    "key": "role",
    "value": {
      "string_value": "supervisor"
    }
  }
}
Resource:
{
  "kind": "order",
  "id": "order_4f5feed5b13b489888e13706cffe7933",
  "attr": {
    "key": "user_id",
    "value": {
      "string_value": "user_3c29c3672d794a45815dffb5ea404628"
    }
  }
}
d
Hmm… all seems right, except the principal roles should be an array.
o
Hi @Joseph Akayesi, is there a reason for adding an additional role (P.attr.role) attribute to the principal? If not, you could only use the principal roles. Here is an example: https://play.cerbos.dev/p/yDYhPDTyUjy0BK670a7be0ey05rJMpbe
j
Thanks @oguzhan I will give this a try
Hi @oguzhan It doesn't seem to work unfortunately
o
So you are using the policies I’ve shared and updated the code to something like this, right?
action := "update"

// Roles are passed directly to NewPrincipal; no extra "role" attribute is needed.
principal := cerbos.NewPrincipal(user.ID, user.Role.String())

resource := cerbos.NewResource("order", existingOrder.ID).
    WithAttr("user_id", user.ID)

isAllowed, err := oc.CerbosClient.IsAllowed(ctx, principal, resource, action)
If you did and it doesn’t work, can you share the code again?
j
resource := cerbos.NewResource("order", existingOrder.ID).
    WithAttr("user_id", user.ID)

principal := cerbos.NewPrincipal(user.ID, user.Role.String())

isAllowed, err := oc.CerbosClient.IsAllowed(ctx, principal, resource, "update")
My bad, this is entirely my mistake. I overlooked a line in my code that does a further check and denies the update. My sincere apologies for this. @oguzhan @Dennis (Cerbos)
o
No problem at all, glad it worked out 🙂