ory / keto

The most scalable and customizable permission server on the market. Fix your slow or broken permission system with Google's proven "Zanzibar" approach. Supports ACL, RBAC, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.


OPL parent permissions not working

MD-AZMAL opened this issue · comments

Preflight checklist

Describe the bug

I am trying to run the rewrites example in Ory Keto; this is my permission file:

// Copyright © 2023 Ory Corp
// SPDX-License-Identifier: Apache-2.0

import { Namespace, SubjectSet, Context } from "@ory/keto-namespace-types"

class User implements Namespace {
  related: {
    manager: User[]
  }
}

class Group implements Namespace {
  related: {
    members: (User | Group)[]
  }
}

class Folder implements Namespace {
  related: {
    parents: (File | Folder)[]
    viewers: SubjectSet<Group, "members">[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) ||
      this.related.parents.traverse((p) => p.permits.view(ctx)),
  }
}

class File implements Namespace {
  related: {
    parents: (File | Folder)[]
    viewers: (User | SubjectSet<Group, "members">)[]
    owners: (User | SubjectSet<Group, "members">)[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.parents.traverse((p) => p.permits.view(ctx)) ||
      this.related.viewers.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject),

    edit: (ctx: Context) => this.related.owners.includes(ctx.subject),
  }
}

Basically, I want any user who has viewer access to a parent to have viewer access to any of its children. I created a user group developer that has viewer access to folder keto/, and folder keto/ is the parent of folder keto/src/. I have two users in the developer group.
When I run a check for viewer access for a user in developer on keto/, it gives me allowed true, but when I run a check for viewer access on keto/src/ it gives me false, even though the parent has the viewer access. As far as I can understand from the permission file, the user should have viewer access to the children as well. I tried asking in Slack but it didn't solve that.

Reproducing the bug

  1. Run rewrites-example from contrib in keto

Relevant log output

No response

Relevant configuration

version: v0.11.1

dsn: memory

namespaces:
  location: file:///home/ory/namespaces.keto.ts

log:
  level: debug

serve:
  read:
    host: 0.0.0.0
    port: 4466
  write:
    host: 0.0.0.0
    port: 4467

Version

0.11.1

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

these are my relationship tuples

{
    "relation_tuples": [
        {
            "namespace": "Folder",
            "object": "keto/",
            "relation": "viewers",
            "subject_set": {
                "namespace": "Group",
                "object": "developer",
                "relation": "members"
            }
        },
        {
            "namespace": "Folder",
            "object": "keto/src/",
            "relation": "parents",
            "subject_set": {
                "namespace": "Folder",
                "object": "keto/",
                "relation": ""
            }
        },
        {
            "namespace": "Group",
            "object": "developer",
            "relation": "members",
            "subject_set": {
                "namespace": "User",
                "object": "Tom",
                "relation": ""
            }
        },
        {
            "namespace": "Group",
            "object": "developer",
            "relation": "members",
            "subject_set": {
                "namespace": "User",
                "object": "John",
                "relation": ""
            }
        },
        {
            "namespace": "File",
            "object": "keto/README.md",
            "relation": "parents",
            "subject_set": {
                "namespace": "Folder",
                "object": "keto/",
                "relation": ""
            }
        }
    ],
    "next_page_token": ""
}

I'm not getting the same results. When I test using your exact parameters, I'm seeing the check pass as expected. What are your exact arguments to the check? I suspect you're trying this:

keto check Tom view Folder keto/src/

when, according to your definitions above you should be doing:

keto check User:Tom view Folder keto/src/

The reason your check would be failing is subtle. Your entry/entries for adding Tom and John as members of the developer group go to the heart of an unrelated issue/concern that someone else has raised. That is the question of subject-id vs subject-sets. You added Tom and John not as a simple subject-id but as a subject-set, thereby locking you forever into the necessity of always referring to Tom and John using their full subject-set when performing checks where Tom or John is the subject: User:Tom# and User:John# (with an empty relation, the # is optional but the namespace is not optional).

Incidentally, and as an aside: if you were to change the definition from:

...
        {
            "namespace": "Group",
            "object": "developer",
            "relation": "members",
            "subject_set": {
                "namespace": "User",
                "object": "Tom",
                "relation": ""
            }
        },
        {
            "namespace": "Group",
            "object": "developer",
            "relation": "members",
            "subject_set": {
                "namespace": "User",
                "object": "John",
                "relation": ""
            }
        },
...

to

...
        {
            "namespace": "Group",
            "object": "developer",
            "relation": "members",
            "subject_id": "Tom"
        },
        {
            "namespace": "Group",
            "object": "developer",
            "relation": "members",
            "subject_id": "John"
        },
...

your issue would be partially solved. In my fork of keto, I've added some fairly material improvements that would get you the rest of the way. In my fork the following would be the results:

Given:

Folder:keto/#viewers@Group:developer#members
Folder:keto/src/#parents@Folder:keto/
Group:developer#members@Tom
Group:developer#members@John
File:keto/README.md#parents@Folder:keto/

with your OPL you would get the following check <Result> permissions:

check Allowed Folder:keto/#viewers@Group:developer#members
check Allowed Folder:keto/src/#parents@Folder:keto/
check Allowed Group:developer#members@Tom
check Allowed Group:developer#members@John
check Allowed File:keto/README.md#parents@Folder:keto/
check Allowed Folder:keto/src/#view@User:Tom
check Allowed Folder:keto/src/#view@Tom
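To make the subject-id vs subject-set point above concrete, here is an added example (not Keto's engine or any code from this thread): a minimal in-memory model of the Zanzibar-style check, with the OPL `view` permit from the issue hand-translated into Python. It assumes standard subject-set expansion (a stored subject set matches either the identical subject set, or any subject that holds the set's relation on its object) and uses tuples constructed from the issue.

```python
# Added example, not Ory Keto's code: a simplified Zanzibar-style check used to
# show why a member stored as subject_set "User:Tom#" is not found by a check
# for the subject_id "Tom", while a member stored as subject_id "Tom" is.
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class SubjectSet:
    namespace: str
    object: str
    relation: str = ""  # empty relation = "the object itself", as in the issue's tuples

Subject = Union[str, SubjectSet]  # str is a subject_id, SubjectSet is a subject_set

def check_relation(tuples, ns, obj, rel, subject: Subject, depth=8) -> bool:
    """True if `subject` holds `rel` on ns:obj: direct hit or via a stored subject set."""
    if depth == 0:  # guard against cyclic subject sets
        return False
    for tns, tobj, trel, tsub in tuples:
        if (tns, tobj, trel) != (ns, obj, rel):
            continue
        if tsub == subject:  # same subject form stored: subject_id==subject_id or set==set
            return True
        if isinstance(tsub, SubjectSet) and check_relation(
                tuples, tsub.namespace, tsub.object, tsub.relation, subject, depth - 1):
            return True  # subject-set expansion (assumed standard Zanzibar semantics)
    return False

def check_view(tuples, ns, obj, subject: Subject, depth=8) -> bool:
    """Mirror of the OPL permit: viewers.includes(subject) || parents.traverse(view)."""
    if depth == 0:
        return False
    if check_relation(tuples, ns, obj, "viewers", subject):
        return True
    if ns == "File" and check_relation(tuples, ns, obj, "owners", subject):
        return True
    for tns, tobj, trel, tsub in tuples:  # parents.traverse(p => p.permits.view(ctx))
        if (tns, tobj, trel) == (ns, obj, "parents") and isinstance(tsub, SubjectSet):
            if check_view(tuples, tsub.namespace, tsub.object, subject, depth - 1):
                return True
    return False

# Constructed from the issue: Tom stored as a subject_set with an empty relation.
AS_FILED = [
    ("Folder", "keto/", "viewers", SubjectSet("Group", "developer", "members")),
    ("Folder", "keto/src/", "parents", SubjectSet("Folder", "keto/")),
    ("Group", "developer", "members", SubjectSet("User", "Tom")),
    ("File", "keto/README.md", "parents", SubjectSet("Folder", "keto/")),
]
# The commenter's suggested form: Tom stored as a plain subject_id.
AS_SUGGESTED = [(*t[:3], "Tom") if t[3] == SubjectSet("User", "Tom") else t for t in AS_FILED]
```

With `AS_FILED`, `check_view(..., "Folder", "keto/src/", "Tom")` is denied but the same check with `SubjectSet("User", "Tom")` is allowed; with `AS_SUGGESTED`, the plain `"Tom"` check is allowed, matching the explanation above.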