Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OPL parent permissions not working #1320

Open
5 of 6 tasks
MD-AZMAL opened this issue May 4, 2023 · 1 comment
Open
5 of 6 tasks

OPL parent permissions not working #1320

MD-AZMAL opened this issue May 4, 2023 · 1 comment
Labels
bug Something is not working.

Comments

@MD-AZMAL
Copy link

MD-AZMAL commented May 4, 2023

Preflight checklist

Describe the bug

I am trying to run the rewrite example in ory keto, this is my permission file

// Copyright © 2023 Ory Corp
// SPDX-License-Identifier: Apache-2.0

import { Namespace, SubjectSet, Context } from "@ory/keto-namespace-types"

class User implements Namespace {
  related: {
    manager: User[]
  }
}

class Group implements Namespace {
  related: {
    members: (User | Group)[]
  }
}

class Folder implements Namespace {
  related: {
    parents: (File | Folder)[]
    viewers: SubjectSet<Group, "members">[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) ||
      this.related.parents.traverse((p) => p.permits.view(ctx)),
  }
}

class File implements Namespace {
  related: {
    parents: (File | Folder)[]
    viewers: (User | SubjectSet<Group, "members">)[]
    owners: (User | SubjectSet<Group, "members">)[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.parents.traverse((p) => p.permits.view(ctx)) ||
      this.related.viewers.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject),

    edit: (ctx: Context) => this.related.owners.includes(ctx.subject),
  }
}

basically, i want that any user having the viewers access of parent should have viewer access for any of the childs. I created user group developer that has viewers access for folder keto/ and folder keto/ is parent folder keto/src/. I have two users in developer group.
when i run check for viewers access for the user in developer to keto/ it gives me allowed true, but when i run check for viewers access for keto/src/ it gives me false, even though the parent has the viewers access. As far as i could understand from the permission file the user should have viewers access for the children as well. I tried asking in the slack but it didnt solve that

Reproducing the bug

  1. Run rewrites-example from contrib in keto

Relevant log output

No response

Relevant configuration

version: v0.11.1

dsn: memory

namespaces:
  location: file:///home/ory/namespaces.keto.ts

log:
  level: debug

serve:
  read:
    host: 0.0.0.0
    port: 4466
  write:
    host: 0.0.0.0
    port: 4467

Version

0.11.1

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

these are my relationship tuples

{
    "relation_tuples": [
        {
            "namespace": "Folder",
            "object": "keto/",
            "relation": "viewers",
            "subject_set": {
                "namespace": "Group",
                "object": "developer",
                "relation": "members"
            }
        },
        {
            "namespace": "Folder",
            "object": "keto/src/",
            "relation": "parents",
            "subject_set": {
                "namespace": "Folder",
                "object": "keto/",
                "relation": ""
            }
        },
        {
            "namespace": "Group",
            "object": "developer",
            "relation": "members",
            "subject_set": {
                "namespace": "User",
                "object": "Tom",
                "relation": ""
            }
        },
        {
            "namespace": "Group",
            "object": "developer",
            "relation": "members",
            "subject_set": {
                "namespace": "User",
                "object": "John",
                "relation": ""
            }
        },
        {
            "namespace": "File",
            "object": "keto/README.md",
            "relation": "parents",
            "subject_set": {
                "namespace": "Folder",
                "object": "keto/",
                "relation": ""
            }
        }
    ],
    "next_page_token": ""
}
@MD-AZMAL MD-AZMAL added the bug Something is not working. label May 4, 2023
@cmmoran
Copy link

cmmoran commented Jan 20, 2024
edited
Loading

I'm not getting the same results. When I test using your exact parameters, I'm seeing the check pass as expected. What are your exact arguments to the check? I suspect you're trying this:

keto check Tom view Folder keto/src/

when, according to your definitions above you should be doing:

keto check User:Tom view Folder keto/src/

The reason your check would be failing is subtle. Your entry/entries for adding Tom and John as members of the developer group goes to the heart of an unrelated issue/concern that someone else has raised. That is the question of subject-id vs subject-sets. You added Tom and John, not as a simple subject-id but as a subject-set, thereby locking forever your necessity to always refer to Tom and John using their full subject-set when performing checks where Tom or John are the subject: User:Tom# and User:John# (with an empty relation, the # is optional but the namespace is not optional).

Incidentally and as an aside. If you were to change the definition from:

...
        {
            "namespace": "Group",
            "object": "developer",
            "relation": "members",
            "subject_set": {
                "namespace": "User",
                "object": "Tom",
                "relation": ""
            }
        },
        {
            "namespace": "Group",
            "object": "developer",
            "relation": "members",
            "subject_set": {
                "namespace": "User",
                "object": "John",
                "relation": ""
            }
        },
...

to

...
        {
            "namespace": "Group",
            "object": "developer",
            "relation": "members",
            "subject_id": "Tom"
        },
        {
            "namespace": "Group",
            "object": "developer",
            "relation": "members",
            "subject_set": "John"
        },
...

your issue would be partially solved. In my fork of keto, I've added some fairly material improvements that would get you the rest of the way. In my fork the following would be the results:

Given:

Folder:keto/#viewers@Group:developer#members
Folder:keto/src/#parents@Folder:keto/
Group:developer#members@Tom
Group:developer#members@John
File:keto/README.md#parents@Folder:keto/

with your OPL you would get the following check <Result> permissions:

check Allowed Folder:keto/#viewers@Group:developer#members
check Allowed Folder:keto/src/#parents@Folder:keto/
check Allowed Group:developer#members@Tom
check Allowed Group:developer#members@John
check Allowed File:keto/README.md#parents@Folder:keto/
check Allowed Folder:keto/src/#view@User:Tom
check Allowed Folder:keto/src/#view@Tom

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something is not working.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cmmoran @MD-AZMAL