# help
j
hmmmmm i don't know if this is a question to be posted here but based on https://github.com/google/cel-spec/blob/master/doc/langdef.md i can see CEL supports regular expressions through the "matches" symbol.
but i can't get it to work as expected......
apiVersion: "api.cerbos.dev/v1"
description: "Dynamic roles."
derivedRoles:
  name: platform_roles
  definitions:
    - name: idtoken_user
      parentRoles: ["naked_user"]
      condition: 
        match:
          all:
            of:
              - expr: (has(request.aux_data.jwt.scope) && request.aux_data.jwt.scope.matches("\b(read:blueteamreport)"))
looks correct?
that's a word-boundary search for the text "read:blueteamreport"
it doesn't match a jwt that looks like this:
"scope": "read:businessassets read:blueteamreport"
so i'm wondering if this is a CEL specific issue and not cerbos related..... 🙂
apiVersion: "api.cerbos.dev/v1"
description: "Dynamic roles."
derivedRoles:
  name: platform_roles
  definitions:
    - name: idtoken_user
      parentRoles: ["naked_user"]
      condition: 
        match:
          expr: (has(request.aux_data.jwt.scope) && request.aux_data.jwt.scope.contains("read:blueteamreport"))
this works though
d
What if you omit parentheses?
in your regex:
\b(read...)
j
let me try that
so you mean like this:
apiVersion: "api.cerbos.dev/v1"
description: "Dynamic roles."
derivedRoles:
  name: platform_roles
  definitions:
    - name: idtoken_user
      parentRoles: ["naked_user"]
      condition: 
        match:
          expr: (has(request.aux_data.jwt.scope) && request.aux_data.jwt.scope.matches("\bread:blueteamreport"))
?
d
yes
j
ok gimme a sec
no luck.
d
If you replace \b with ^
j
btw i did some offline testing using cel-python package (the python implementation of CEL), and I'm getting the same behaviour. so i'm wondering...how in the world does ".matches" work in CEL?? i guess it's a CEL problem then
ok
but ^ is for beginning of line
what if read:blueteamreport is somewhere in the middle
d
Yes. Ok. I see.
\b is supported according to https://github.com/google/re2/wiki/Syntax
j
based on the RFC for JWTs...."scope" is a space separated list of values
so i need word-boundary checks with regular expression....
my situation is my APIs need to respond to id_tokens and access_tokens
id_tokens are easy. i just have attributes i pull out of the JWT to determine if the user has access
for access_tokens, i would like to use the scope claim......i mean i can go another route and inject custom claims into the access_token jwt too but would rather use scope if i can.
(this is for client-credentials grant type)
access_tokens = client-credentials; id_token = authorization code
d
It makes total sense to me
Let me double check the scope value
j
ok thank you
by the way, using .contains works but that's not good enough. need word boundary checks.
d
Can you please try
\\b
double dash backslash
j
ok
d
no parentheses
j
slaps forehead
double backslash works!!
jesusssssssssssssssssssssss
thank you once again dennis
d
Glad I could help