davidjbrossard / alfa-authorization-language

A repository for the IETF RFC proposal for ALFA 2.0
Other
0 stars 0 forks source link

Complex Attributes #5

Open andrewclymer opened 3 months ago

andrewclymer commented 3 months ago

Attributes are bags of single values.

Integer, double, boolean, string, date, time and dateTime

Scenarios exist that require each attribute bag item to contain multiple values.

When modelling a user's set of specific permissions, having each attribute value contain both an action and the resource to which the action can be applied would be advantageous.

Suggestion

type permission {
  Action:string
  ResourceType:string
}

attribute userPermissions { type = permission  category=resourceCat}

PIPs would then return a bag of values, each containing an Action and a ResourceType.

Reasoning with complex attributes

Consider the following ALFA

condition userPermissions.Action == "update" and userPermissions.ResourceType == "PurchaseOrders"

Where the userPersmissions bag is as follows ( Note: this example is shown in JSON, but there is no requirement for an ALFA implementation to serialise/deserialize JSON).

[ { Action:["UPDATE"] , ResourceType:["Profile","Photo"] } ,
  {Action:["READ"],ResourceType["PurchaseOrder"] }
]

This condition would be evaluated to true, as Permissions has an Action attribute set to UPDATE and a ResourceType Attribute set to PurchaseOrder. The intent is only to produce true if a single instance of the Permissions attribute has Action = "UPDATE" and ResourceType = "PurchaseOrder"

To solve this problem, we could consider the use pattern-matching style syntax

condition Permissions[Action == "UPDATE"].ResourceType == "PurchaseOrder"

The pattern-matching syntax is used to filter the attribute values. The above statement would only evaluate to true if the bag contained an item where the Action was UPDATE and ResourceType is "PurchaseOrder"

Multiple expressions can be contained inside the [ ] operator.

condition Permissions[Action == "open" and ResourceType=="door" ].Resource == "MainDoor"

The use of [] operator does make ALFA less readable, however, combine this with shared conditions and developers could create a shared condition of CanOpenMainDoor

condition CanOpenMainDoor Permissions[Action == "open" and ResourceType=="door" ].Resource == "MainDoor"
. . .

policy DoorAccess 
{
     apply firstApplicable
     target clause ResourceType=="door" and Action =="open"
     rule {
      condition CanOpenMainDoor
      permit
    }
}

Questions

Do we allow complex attributes to be made up of other complex attributes?

davidjbrossard commented 2 months ago

What I wonder here is how much people will use (and abuse?) this type and stop using primitive types. Or how to correlate primitive types to complex types. Or, finally, how that impacts PIPs.