[PW-2409] Policies implementation #123
Conversation
toydestroyer
added
the
WIP
toydestroyer
force-pushed
the
poc-policies
branch
3 times, most recently
from
84a48b8 to
5c53e6f
Compare
toydestroyer
force-pushed
the
poc-policies
branch
from
7a28bd9 to
326db00
Compare
toydestroyer
changed the title
toydestroyer
force-pushed
the
poc-policies
branch
from
050aefd to
5a0e178
Compare
toydestroyer
force-pushed
the
poc-policies
branch
from
f7f15f3 to
e2ca5f5
Compare
|
|
||
| def urn_match?(urn_to_compare) | ||
| params = %i[txt partition_name service_name region account_id resource] | ||
| record_urn = Ros::Urn.from_urn(self.class.to_urn) | ||
| record_urn = Ros::Urn.from_urn(self.to_urn) |
There was a problem hiding this comment.
What do we need the class urn_match? method for?
| check_action(:create?) | ||
| end | ||
| actions = if user.attached_actions.is_a?(String) | ||
| JSON.parse(user.attached_actions) |
There was a problem hiding this comment.
I think that this should be handled by the PolicyUser and not the ApplicationPolicy itself, meaning that once we ask the PolicyUser for its actions, we should always get the same data type back.
| extend ActiveSupport::Concern | ||
|
|
||
| included do | ||
| scope :everything, ->(_user_context) { all } |
There was a problem hiding this comment.
I'm not sure we should be sending the whole context to the scope. This would mean that all the models now all of the sudden know how to handle PolicyUser and know what to expect inside of it. I don't think that is the right way of doing it.
The context should most likely receive only the cognito_user_id and use it when needed, ignore it when they don't care about it
| @@ -16,22 +16,24 @@ def find_by_urn(value); find_by(urn_id => value) end | |||
|
|
|||
| # NOTE: Override in model to provide a custom id | |||
| def urn_id; :id end | |||
| end | |||
|
|
|||
| included do | |||
There was a problem hiding this comment.
Do we need to have urn_match? method both in the class level and instance level?
| def edit? | ||
| update? | ||
| end | ||
| actions.select! { |i| i['effect'] == 'allow' && (i['name'] == action.to_s || i['name'] == '*') } |
There was a problem hiding this comment.
This should also probably be the responsibility of the PolicyUser instead of the application policy.
E.g.
user.can?(action, record) which returns true/false
|
|
||
| scopes = [] | ||
|
|
||
| actions.select! { |i| i['effect'] == 'allow' && (i['name'] == user.params['action'] || i['name'] == '*') } |
There was a problem hiding this comment.
This could probably become
user.scopes_for?(action, scope) which would return the scopes to be sent to the original scope (line 61)
| @@ -6,6 +6,8 @@ class User < Cognito::ApplicationRecord | |||
| has_many :user_pools | |||
| has_many :pools, through: :user_pools | |||
|
|
|||
| scope :owned, ->(user_context) { where(id: user_context.cognito_user_id) } | |||
There was a problem hiding this comment.
So, as mentioned above, I don't think active records should know anything about request contexts
| @@ -17,7 +17,7 @@ | |||
| let(:scope) { Pundit.policy_scope!(policy_user, User) } | |||
|
|
|||
| context 'admin iam user' do | |||
| it 'returns all users' do | |||
| xit 'returns all users' do | |||
There was a problem hiding this comment.
If we don't need these, then we can remove them
| end | ||
| end | ||
| end | ||
| # RSpec.describe PolicyPolicy do |
There was a problem hiding this comment.
Once again if this is not needed, then we can delete it.
|
closing in favor of #170 |
Refer to the issue id if any. Include the link to the issue. E.g:
ApplicationPolicy should make use of the actions assigned to a user
Describe the changes made. What does this PR changes that might be critical. If any critical decisions have been made, make sure you explain the rationale for these decisions.
Introducing new (almost) concept of Policy Actions represented by
Actionmodel on IAM service.Actionmodel has these attributes:namerepresented action name and could benew,create,index,show,destroy,edit,updateor*for wildcard. Action name points to actual controller action so if you have a custom one likepublishyou can create policy action with this name.effect—allowordeny. Everything is denied.denyeffect more valuable than any amount ofalloweffects for the resource.target_resource— resource represented by urn (including wildcarded ones):urn:ros:iam::222222222:credentialurn:ros:iam::222222222:*urn:ros:*segment— scope of resources described by action. Points to actual scope on model. scope MUST accept user context as a parameter (user context is instance ofPolicyUserobject).There's predefined scopes
everythingthat just alias forallbut with user context andowned, that initially also pointed toalland should be redefined if necessary, for exampleiam/usermodel:Actions belongs to Policies and Policy has many Actions. IAM User has field
attached_actionswith all cached actions for this User, User Groups or User Roles. Combined and deduplicated*.[ { "name": "*", "effect": "allow", "segment": "everything", "resources": [ "urn:perx:cognito::222222222:*", "urn:perx:comm::222222222:*", "urn:perx:iam::platform:tenant", "urn:perx:iam::222222222:*" ] } ]How does the implementation addresses the problem
User can manage policies and actions now to set permissions for User, Group and Role.