cedar-policy / cedar

Implementation of the Cedar Policy Language
https://www.cedarpolicy.com
Apache License 2.0

Clarification Needed on Valid Identifiers in Policies #1278

Open joshkraft-ncino opened 1 week ago

joshkraft-ncino commented 1 week ago

Bug Category

Schemas and Validation

Describe the bug

I have been encountering errors of this type when setting up AVP w/ Cedar to perform route-based API authorization:

identifier `get /foo` contains characters that fall outside of the General Security Profile for Identifiers

API route identifiers of the flavor get /foo seem to violate constraints Cedar is expecting, but are used in documentation such as this:

https://aws.amazon.com/blogs/security/authorize-api-gateway-apis-using-amazon-verified-permissions-and-amazon-cognito/

I have also encountered this issue in the console when using the automated 'Set up with API Gateway and an identity provider' starting action.

Expected behavior

According to the documentation, API routes of the format get /foo should be valid actions.

Reproduction steps

  1. Create an API Gateway with a get /foo endpoint.
  2. Create an AVP request authorizer and attach it to the API.
  3. Attempt to create a simple policy such as:

        permit (
            principal in {{NAMESPACE}}::UserGroup::"{{USER_POOL_ID}}|{{USER_GROUP_NAME}}",
            action in [
                {{NAMESPACE}}::Action::"get /foo"
            ],
            resource
        );

Log output

Warning:   ⚠ for policy `policy0`, identifier `get /foo` contains characters that fall outside of the General Security Profile for Identifiers

Additional configuration

No response

Operating System

No response

Additional information and screenshots

No response
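As an added illustration (not from this issue or the Cedar project), a schema and policy pair in Cedar's human-readable syntax showing that an action id such as "get /foo" is a quoted entity id string, so the space and slash are accepted by the grammar and the schema; the namespace, the entity types, the Application resource and the user pool id are assumptions standing in for what the AVP API Gateway setup generates:

```cedar
// --- schema.cedarschema (assumed shape, not the AVP-generated schema) ---
namespace MyApp {
    entity UserGroup;
    entity User in [UserGroup];
    entity Application;

    // The action id is a quoted string, so "get /foo" is accepted here and
    // in policies; the UTS #39 identifier check only emits a warning.
    action "get /foo" appliesTo {
        principal: [User],
        resource: [Application]
    };
}

// --- policy.cedar (validated against the schema above) ---
// Group id and application id are constructed sample values.
permit (
    principal in MyApp::UserGroup::"us-east-1_EXAMPLE|admins",
    action in [MyApp::Action::"get /foo"],
    resource == MyApp::Application::"pets-api"
);
```

With this pair the validator passes the policy and reports the identifier warning separately, which is the distinction the maintainer draws later in the thread.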

cdisselkoen commented 1 week ago

Currently, the / character triggers this warning, but should not: #621

joshkraft-ncino commented 1 week ago

Hi @cdisselkoen - just to clarify, I see this as a warning in the Cedar CLI, but it actually blocks the creation of policies in the Cedar AWS console. It lists the same error as being a validation warning, but you are blocked from actually creating the policy. The Chrome console states that it is running against Cedar 3.3.0.


cdisselkoen commented 1 week ago

Understood, but this is a problem in the Verified Permissions service or console, not in Cedar. Cedar reports it as a warning and not an error, as you say. So even though Cedar could improve by not reporting a warning at all in this case (#621), the behavior of blocking policy creation is somewhere in Verified Permissions code.

joshkraft-ncino commented 1 week ago

Got it - any suggestions on where to forward this issue re: the console?

cdisselkoen commented 1 week ago

You can use the "feedback" button in the footer of the console. If you have an AWS support contract or account manager, I recommend going through them instead / as well. If you're internal to AWS, ping me internally (@cdiss) and I'll give you internal details on how to report.