Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Make DAC write permission more granular #3218

Draft
wants to merge 4 commits into
base: develop
Choose a base branch
from
+116 −32
Draft

feat: Make DAC write permission more granular #3218

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
1a6d0b4
PR(MAIN): Update implementation
shahzadlone Jan 2, 2025
06e469f
PR(DOCS): Update acp readme
shahzadlone Jan 2, 2025
282e34d
PR(DOCS): Update Examples
shahzadlone Jan 2, 2025
19a52d8
PR(TEST-UNIT): Update acp unit tests
shahzadlone Jan 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 29 additions & 8 deletions acp/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -174,6 +174,8 @@ defradb client ... --identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b

We have in `examples/dpi_policy/user_dpi_policy.yml`:
```yaml
name: An Example Policy

description: A Valid DefraDB Policy Interface (DPI)

actor:
Expand All @@ -183,9 +185,11 @@ resources:
users:
permissions:
read:
expr: owner + reader
write:
expr: owner
expr: owner + reader + updater + deleter
update:
expr: owner + updater
delete:
expr: owner + deleter
Comment on lines +188 to +192
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: I'm curious why we decided not to have write: updater + deleter


relations:
owner:
Expand All @@ -194,6 +198,12 @@ resources:
reader:
types:
- actor
updater:
types:
- actor
deleter:
types:
- actor
```

CLI Command:
Expand Down Expand Up @@ -443,8 +453,8 @@ Note:
- The collection with the target document must have a valid policy and resource linked.
- The target document must be registered with ACP already (private document).
- The requesting identity MUST either be the owner OR the manager (manages the relation) of the resource.
- If the specified relation was not granted the miminum DPI permissions (read or write) within the policy,
and a relationship is formed, the subject/actor will still not be able to access (read or write) the resource.
- If the specified relation was not granted the miminum DPI permissions (read or update or delete) within the policy,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: These should read (read and update and delete) no? Having all 3 is required?

Copy link
Member Author

@shahzadlone shahzadlone Jan 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No. They are required for the owner relation only. This part of documentation is under the topic of sharing the document (adding a relationship). The relation being added might not have any of read or update or delete (in which case the identity might not be able to perform any action) or any other permission combination, which will determine what the identity that is being shared with can do.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I asked the right question in the wrong location!

They are required for the owner relation only

Is there nowhere in the documentation that notes this? I see no other lines changed.

thought: I'm happy with the feature, and the 4-5 lines of code that have changed, but will not approve until the PR is out of draft status :)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there nowhere in the documentation that notes this? I see no other lines changed.

From line 100 onwards...

## DAC DPI Rules
To qualify as a DPI-compliant `resource`, the following rules **MUST** be satisfied:
- The resource **must include** the mandatory `registerer` (`owner`) relation within the `relations` attribute.
- The resource **must encompass** all the required permissions under the `permissions` attribute.
- Every required permission must have the required registerer relation (`owner`) in `expr`.
- The required registerer relation **must be positioned** as the leading (first) relation in `expr` (see example below).
- Any relation after the required registerer relation must only be a union set operation (`+`).
For a `Policy` to be `DPI` compliant for DAC, all of its `resources` must be DPI compliant.
To be `Partially-DPI` at least one of its `resource` must be DPI compliant.
### More Into The Weeds:
All mandatory permissions are:
- Specified in the `dpi.go` file within the variable `dpiRequiredPermissions`.

It's worded in a generic manner so in future changing would have to be done in minimal places... so for example it says dpi.go file has the required owner permissions defined (it's actually part of what it means for a policy to be DPI/DRI compliant)

thought: I'm happy with the feature, and the 4-5 lines of code that have changed, but will not approve until the PR is out of draft status :)

Fair enough

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

has the required owner permissions defined

Does the doc define what the required owner permissions are? How will users know they need to define update and delete?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same way they knew before that read and write are required by looking where the doc tells them to look.

Which is here:

https://github.com/sourcenetwork/defradb/pull/3218/files#diff-ad40faeabd754bac2701e0b75e95ceca2744fb511c6cb44221dfa2d6101ab6d8R35-R40

However, I do understand if you are suggested to have it explicitly defined and for us to maintain it every time it is changed. LMK, if so, happy to do that.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah okay - thanks Shahzad :)

I have a preference for them to not have to look at a .go file to get that info, but changing that isn't really in scope here and we probably have better things to spend our time on atm :)

Thanks for your explanations!

and a relationship is formed, the subject/actor will still not be able to access (read or update or delete) the resource.
- If the relationship already exists, then it will just be a no-op.

Consider the following policy that we have under `examples/dpi_policy/user_dpi_policy_with_manages.yml`:
Expand All @@ -461,10 +471,13 @@ resources:
users:
permissions:
read:
expr: owner + reader + writer
expr: owner + reader + updater + deleter

update:
expr: owner + updater

write:
expr: owner + writer
delete:
expr: owner + deleter

nothing:
expr: dummy
Expand All @@ -478,6 +491,14 @@ resources:
types:
- actor

updater:
types:
- actor

deleter:
types:
- actor

writer:
types:
- actor
Expand Down
2 changes: 1 addition & 1 deletion acp/acp.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@ type ACP interface {
// Otherwise if check failed then an error is returned (and the boolean result should not be used).
//
// Note(s):
// - permission here is a valid DPI permission we are checking for ("read" or "write").
// - permission here is a valid DPI permission we are checking for ("read" or "update" or "delete").
CheckDocAccess(
ctx context.Context,
permission DPIPermission,
Expand Down
42 changes: 35 additions & 7 deletions acp/acp_local_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ var invalidIdentity = identity.Identity{
DID: "did:something",
}

var validPolicyID string = "d59f91ba65fe142d35fc7df34482eafc7e99fed7c144961ba32c4664634e61b7"
var validPolicyID string = "87480b693bdaccdbbe1c1334204b31fd1cb44d3ad70b66fab57595283714fbfe"
var validPolicy string = `
name: test
description: a policy
Expand All @@ -40,10 +40,12 @@ actor:
resources:
users:
permissions:
write:
expr: owner
read:
expr: owner + reader
update:
expr: owner
delete:
expr: owner

relations:
owner:
Expand Down Expand Up @@ -495,10 +497,23 @@ func Test_LocalACP_InMemory_CheckDocAccess_TrueIfHaveAccessFalseIfNotErrorOtherw
require.ErrorIs(t, errCheckDocAccess, ErrFailedToVerifyDocAccessWithACP)
require.False(t, hasAccess)

// Invalid empty arguments such that we can't check doc access (write).
// Invalid empty arguments such that we can't check doc access (update).
hasAccess, errCheckDocAccess = localACP.CheckDocAccess(
ctx,
WritePermission,
UpdatePermission,
identity1.DID,
validPolicyID,
"",
"",
)
require.Error(t, errCheckDocAccess)
require.ErrorIs(t, errCheckDocAccess, ErrFailedToVerifyDocAccessWithACP)
require.False(t, hasAccess)

// Invalid empty arguments such that we can't check doc access (delete).
hasAccess, errCheckDocAccess = localACP.CheckDocAccess(
ctx,
DeletePermission,
identity1.DID,
validPolicyID,
"",
Expand Down Expand Up @@ -594,10 +609,23 @@ func Test_LocalACP_PersistentMemory_CheckDocAccess_TrueIfHaveAccessFalseIfNotErr
require.ErrorIs(t, errCheckDocAccess, ErrFailedToVerifyDocAccessWithACP)
require.False(t, hasAccess)

// Invalid empty arguments such that we can't check doc access (write).
// Invalid empty arguments such that we can't check doc access (update).
hasAccess, errCheckDocAccess = localACP.CheckDocAccess(
ctx,
UpdatePermission,
identity1.DID,
validPolicyID,
"",
"",
)
require.Error(t, errCheckDocAccess)
require.ErrorIs(t, errCheckDocAccess, ErrFailedToVerifyDocAccessWithACP)
require.False(t, hasAccess)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: all unit tests (I didn't see any changes in integration tests) assert that there is no access. Is there a place where you assert that there is access?


// Invalid empty arguments such that we can't check doc access (delete).
hasAccess, errCheckDocAccess = localACP.CheckDocAccess(
ctx,
WritePermission,
DeletePermission,
identity1.DID,
validPolicyID,
"",
Expand Down
13 changes: 8 additions & 5 deletions acp/dpi.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,22 +19,25 @@ type DPIPermission int
// Valid DefraDB Policy Interface Permission Type.
const (
ReadPermission DPIPermission = iota
WritePermission
UpdatePermission
DeletePermission
)

// permissionsThatImplyRead is a list of any permissions that if we have, we assume that the user can read.
// This is because for DefraDB's purposes if an identity has access to the write permission, then they don't
// need to explicitly have read permission inorder to read, we can just imply that they have read access.
// This is because for DefraDB's purposes if an identity has access to any write permission (delete or update),
// then they don't need to explicitly have read permission inorder to read, we can just imply that they have read access.
var permissionsThatImplyRead = []DPIPermission{
ReadPermission,
WritePermission,
UpdatePermission,
DeletePermission,
}

// List of all valid DPI permissions, the order of permissions in this list must match
// the above defined ordering such that iota matches the index position within the list.
var dpiRequiredPermissions = []string{
"read",
"write",
"update",
"delete",
}

func (dpiPermission DPIPermission) String() string {
Expand Down
19 changes: 16 additions & 3 deletions examples/dpi_policy/user_dpi_policy.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,13 @@
"users": {
"permissions": {
"read": {
"expr": "owner + reader"
"expr": "owner + reader + updater + deleter"
},
"write": {
"expr": "owner"
"update": {
"expr": "owner + updater"
}
"delete": {
"expr": "owner + deleter"
}
},
"relations": {
Expand All @@ -25,6 +28,16 @@
"actor"
]
}
"updater": {
"types": [
"actor"
]
}
"deleter": {
"types": [
"actor"
]
}
}
}
}
Expand Down
14 changes: 11 additions & 3 deletions examples/dpi_policy/user_dpi_policy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,11 @@ resources:
users:
permissions:
read:
expr: owner + reader
write:
expr: owner
expr: owner + reader + updater + deleter
update:
expr: owner + updater
delete:
expr: owner + deleter

relations:
owner:
Expand All @@ -29,3 +31,9 @@ resources:
reader:
types:
- actor
updater:
types:
- actor
deleter:
types:
- actor
17 changes: 14 additions & 3 deletions examples/dpi_policy/user_dpi_policy_with_manages.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,10 +17,13 @@ resources:
users:
permissions:
read:
expr: owner + reader + writer
expr: owner + reader + updater + deleter + writer

write:
expr: owner + writer
update:
expr: owner + updater

delete:
expr: owner + deleter

nothing:
expr: dummy
Expand All @@ -34,6 +37,14 @@ resources:
types:
- actor

updater:
types:
- actor

deleter:
types:
- actor

writer:
types:
- actor
Expand Down
2 changes: 1 addition & 1 deletion internal/db/collection.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -523,7 +523,7 @@ func (c *collection) update(
// Stop the update if the correct permissions aren't there.
canUpdate, err := c.checkAccessOfDocWithACP(
ctx,
acp.WritePermission,
acp.UpdatePermission,
doc.ID().String(),
)
if err != nil {
Expand Down
2 changes: 1 addition & 1 deletion internal/db/collection_delete.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,7 +128,7 @@ func (c *collection) applyDelete(
// Stop deletion of document if the correct permissions aren't there.
canDelete, err := c.checkAccessOfDocWithACP(
ctx,
acp.WritePermission,
acp.DeletePermission,
primaryKey.DocID,
)

Expand Down
Loading