if i have a derivedrole policy that looks like thi...
# helpj
Jesum Yip
12/16/2021, 6:14 AMif i have a derivedrole policy that looks like this. ....will the user end up getting an array of roles with 2 entries in it for "explore" ?
Jesum Yip
12/16/2021, 6:15 AMfurthermore, if the claim is missing from the jwt, then will line 26 evaluate correctly to 0?
Jesum Yip
12/16/2021, 6:18 AM Copy code
{
"requestId": "1",
"resourceInstances": {
"prod": {
"actions": {
"read": "EFFECT_ALLOW"
}
}
},
"meta": {
"resourceInstances": {
"prod": {
"actions": {
"read": {
"matchedPolicy": "resource.businessassets.v1"
}
},
"effectiveDerivedRoles": []
}
}
}
}Jesum Yip
12/16/2021, 6:18 AMi see that the effectiveDerivedRoles is blank.... ?
Jesum Yip
12/16/2021, 6:18 AMso this is supposed to be populated with the correct role if it matched a derivedrole policy?
d
Dennis (Cerbos)
12/16/2021, 6:19 AM
derived role names should be unique.
j
Jesum Yip
12/16/2021, 6:20 AMok so is there a way i can group those 2 pairs of exprs?
Jesum Yip
12/16/2021, 6:20 AMin an OR condition
👍 1
d
Dennis (Cerbos)
12/16/2021, 6:20 AM
match all is ‘AND’ condition
j
Jesum Yip
12/16/2021, 6:22 AMcondition:
match:
expr: |-
((request.aux_data.jwt.hm_account_status == "Explore") && (expr: request.aux_data.jwt.is_hm_employee != "TRUE")) ||
((expr: size(request.aux_data.jwt.hm_account_status) == 0) && (expr: request.aux_data.jwt.is_hm_employee != "TRUE"))
👍 1
Jesum Yip
12/16/2021, 6:22 AMi assume the above would work 🙂
d
Dennis (Cerbos)
12/16/2021, 6:23 AM
it is easier to replace
allanyDennis (Cerbos)
12/16/2021, 6:24 AM
ouch. not that simple
j
Jesum Yip
12/16/2021, 6:25 AMlet me try with the above first
Jesum Yip
12/16/2021, 6:25 AMbut now i know derivedroles must be unique
d
Dennis (Cerbos)
12/16/2021, 6:30 AM
The policy above is incorrect
Dennis (Cerbos)
12/16/2021, 6:32 AM
Try this:
Copy code
- name: explore
condition:
match:
any:
of:
- expr: (request.aux_data.jwt.hm_account_status == "Explore" && request.aux_data.jwt.is_hm_employee != "TRUE")
- expr: (equest.aux_data.jwt.hm_account_status != "" && request.aux_data.jwt.is_hm_employee != "TRUE")j
Jesum Yip
12/16/2021, 6:34 AMok
Jesum Yip
12/16/2021, 6:37 AM Copy code
{
"requestId": "1",
"resourceInstances": {
"prod": {
"actions": {
"read": "EFFECT_DENY"
}
}
},
"meta": {
"resourceInstances": {
"prod": {
"actions": {
"read": {
"matchedPolicy": "resource.businessassets.v1"
}
},
"effectiveDerivedRoles": []
}
}
}
}Jesum Yip
12/16/2021, 6:37 AMi'm getting that
d
Dennis (Cerbos)
12/16/2021, 6:37 AM
What’s the intent of this
size(request.<http://aux_data.jwt.hm|aux_data.jwt.hm>_account_status) == 0j
Jesum Yip
12/16/2021, 6:37 AMwhich is odd....effectiveDerivedRoles is blank
Jesum Yip
12/16/2021, 6:37 AMwell that claim might be blank
Jesum Yip
12/16/2021, 6:37 AMi.e. uninitialized
d
Dennis (Cerbos)
12/16/2021, 6:37 AM
But does it exist in the claim at all?
j
Jesum Yip
12/16/2021, 6:38 AMno it does not
d
Dennis (Cerbos)
12/16/2021, 6:38 AM
then you need something else. give me a minute
j
Jesum Yip
12/16/2021, 6:38 AMoh ok
d
Dennis (Cerbos)
12/16/2021, 6:39 AM
Copy code
- name: explore
condition:
match:
any:
of:
- expr: (request.aux_data.jwt.hm_account_status == "Explore" && request.aux_data.jwt.is_hm_employee != "TRUE")
- expr: (!has(request.aux_data.jwt.hm_account_status) && request.aux_data.jwt.is_hm_employee != "TRUE")j
Jesum Yip
12/16/2021, 6:40 AMoh!!!!
Jesum Yip
12/16/2021, 6:44 AMso i did this
Jesum Yip
12/16/2021, 6:44 AMand i have a resource policy like this
Jesum Yip
12/16/2021, 6:45 AMin my json payload, i specify the user is a type "naked_user" but i'm getting an effectr deny
Jesum Yip
12/16/2021, 6:45 AMand the effectivederivedroles is blank
Jesum Yip
12/16/2021, 6:45 AM Copy code
{
"requestId": "1",
"resourceInstances": {
"prod": {
"actions": {
"read": "EFFECT_DENY"
}
}
},
"meta": {
"resourceInstances": {
"prod": {
"actions": {
"read": {
"matchedPolicy": "resource.businessassets.v1"
}
},
"effectiveDerivedRoles": []
}
}
}
}Jesum Yip
12/16/2021, 6:46 AMwhat's odd is effectiveDerivedROles is blank
Jesum Yip
12/16/2021, 6:46 AMi would expect it to have 'explore'
Jesum Yip
12/16/2021, 6:47 AMthe jwt i submitted does not have hm_account_status AND does not have is_hm_employee claims
d
Dennis (Cerbos)
12/16/2021, 6:47 AM
Can you please submit your HTTP request
Dennis (Cerbos)
12/16/2021, 6:48 AM
without the token of course
j
Jesum Yip
12/16/2021, 6:48 AMit's ok token has expired - u can't use it
d
Dennis (Cerbos)
12/16/2021, 6:49 AM
kk
Dennis (Cerbos)
12/16/2021, 6:51 AM
What if you remove
hm_employeej
Jesum Yip
12/16/2021, 6:53 AMok let me try
Jesum Yip
12/16/2021, 6:55 AM Copy code
{
"requestId": "1",
"resourceInstances": {
"prod": {
"actions": {
"read": "EFFECT_DENY"
}
}
},
"meta": {
"resourceInstances": {
"prod": {
"actions": {
"read": {
"matchedPolicy": "resource.businessassets.v1"
}
},
"effectiveDerivedRoles": []
}
}
}
}Jesum Yip
12/16/2021, 6:55 AM Copy code
apiVersion: api.cerbos.dev/v1
resourcePolicy:
version: "1"
importDerivedRoles:
- platform_roles
resource: "businessassets"
rules:
- name: allow_readbusinessassets_test
actions: ['read']
effect: EFFECT_ALLOW
derivedRoles:
- exploreJesum Yip
12/16/2021, 6:55 AMthat's my resource policy
Jesum Yip
12/16/2021, 6:56 AM Copy code
apiVersion: "api.cerbos.dev/v1"
description: "Dynamic roles."
derivedRoles:
name: platform_roles
definitions:
- name: explore
parentRoles: ["naked_user"]
condition:
match:
any:
of:
- expr: (request.aux_data.jwt.hm_account_status == "Explore" && request.aux_data.jwt.is_hm_employee != "TRUE")
- expr: (request.aux_data.jwt.hm_account_status == "" && request.aux_data.jwt.is_hm_employee != "TRUE")
- expr: (request.aux_data.jwt.hm_account_status == "" && request.aux_data.jwt.is_hm_employee == "")
- expr: (!has(request.aux_data.jwt.hm_account_status))
- expr: (!has(request.aux_data.jwt.is_hm_employee))
- name: expand
parentRoles: ["naked_user"]
condition:
match:
all:
of:
- expr: request.aux_data.jwt.hm_account_status == "Expand"
- expr: request.aux_data.jwt.is_hm_employee != "TRUE"
- name: experience
parentRoles: ["naked_user"]
condition:
match:
all:
of:
- expr: request.aux_data.jwt.hm_account_status == "Experience"
- expr: request.aux_data.jwt.is_hm_employee != "TRUE"Jesum Yip
12/16/2021, 6:56 AMthat's derived role policy
d
Dennis (Cerbos)
12/16/2021, 6:56 AM
Great. Thanks. I’ll try locally
j
Jesum Yip
12/16/2021, 7:30 AMdid you manage to reproduce the issue?
d
Dennis (Cerbos)
12/16/2021, 7:45 AM
Yes, and I found what caused the problem.
Dennis (Cerbos)
12/16/2021, 7:46 AM
- expr: (request.<http://aux_data.jwt.hm|aux_data.jwt.hm>_account_status == "" && request.aux_data.jwt.is_hm_employee == "")hm_account_statusDennis (Cerbos)
12/16/2021, 7:47 AM
This works:
Copy code
- name: explore
parentRoles: ["naked_user"]
condition:
match:
any:
of:
- expr: (!has(request.aux_data.jwt.hm_account_status) || request.aux_data.jwt.hm_account_status == "")
- expr: (!has(request.aux_data.jwt.is_hm_employee) || request.aux_data.jwt.is_hm_employee == "")j
Jesum Yip
12/16/2021, 7:51 AMOoooh. So the condition fails when the claim doesn't exist. I see. I learn something new
Jesum Yip
12/16/2021, 7:51 AMOk!!
Jesum Yip
12/16/2021, 8:05 AMvery nice. it works as expected.
👍 1
Jesum Yip
12/16/2021, 8:06 AMgosh....so is this a CEL specific behaviour?
d
Dennis (Cerbos)
12/16/2021, 8:07 AM
CEL does not give a default value for a field missing in the struct.
j
Jesum Yip
12/16/2021, 8:08 AMroger that. i understand now. i think i'll go read up more about CEL.
Jesum Yip
12/16/2021, 8:08 AMi now get this:
{"requestId":"1","resourceInstances":{"prod":{"actions":{"read":"EFFECT_ALLOW"},"validationErrors":[]}},"meta":{"resourceInstances":{"prod":{"actions":{"read":{"matchedPolicy":"resource.businessassets.v1"}},"effectiveDerivedRoles":["explore"]}}}}Jesum Yip
12/16/2021, 8:08 AMwhich i exactly what i am expecting
d
Dennis (Cerbos)
12/16/2021, 8:09 AM
Great. Here’s an intro into CEL https://github.com/google/cel-spec/blob/master/doc/intro.md
6 Views