elct9620 / cedar-policy-rb

Ruby bindings for Cedar policy evaluation engine.
Apache License 2.0

Schema Support #7

Open kindjar opened 21 hours ago

kindjar commented 21 hours ago

Cedar Schema allows Actions to be members of Action Groups. Action Groups are useful for authorizing multiple Actions with a single policy.

Here is an example Cedar policy file:

@id("Any user can View")
permit(
  principal is User,
  action == Action::"View",
  resource
);

@id("Owner can Edit")
permit(
  principal is User,
  action == Action::"Edit",
  resource
) when { resource.owner == principal };

@id("Users with isAdmin=true can Delete")
permit(
  principal,
  action in Action::"AdminActions",
  resource
) when { principal has isAdmin && principal.isAdmin };

And here is a corresponding Cedar schema file:

entity User {
  isAdmin?: Bool
};

entity Image {
  owner: User
};

action AdminActions;

action View in [AdminActions] appliesTo {
    principal: [User],
    resource: [Image]
};

action Edit in [AdminActions] appliesTo {
    principal: [User],
    resource: [Image]
};

action Delete in [AdminActions] appliesTo {
    principal: [User],
    resource: [Image]
};

Currently, there is no way to use a Cedar Schema in cedar-policy-rb, so the "Users with isAdmin=true can Delete" policy cannot be used.

Schema can also be used to validate the structure of Entities data during authorization.

I have implemented Schema support by wrapping the Rust Schema class with a Ruby one, adding a schema accessor on the Ruby Entities class, and passing the schema from the Ruby Entities class to the Rust Entities::from_json_value method.

Are you open to receiving a pull request for a feature like this?
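The action-group membership that the schema supplies, as an added standalone illustration in Ruby (not cedar-policy-rb's API and not a Cedar parser; the schema text, the hierarchy extraction and the policy check are constructed here to show why the group-based policy can only match once the schema's `action X in [Group]` declarations are known):

```ruby
# Standalone model (not cedar-policy-rb code) of how a Cedar schema's
# "action X in [Group]" declarations give meaning to a policy's
# `action in Action::"Group"` test. With no schema the hierarchy is empty,
# so the group-based policy from the issue can never match.
SCHEMA = <<~CEDAR
  action AdminActions;
  action View in [AdminActions] appliesTo { principal: [User], resource: [Image] };
  action Edit in [AdminActions] appliesTo { principal: [User], resource: [Image] };
  action Delete in [AdminActions] appliesTo { principal: [User], resource: [Image] };
CEDAR

# Extract the action hierarchy: action name => list of parent groups.
# Only the `action NAME [in [A, B]]` head of each declaration is read.
def action_parents(schema_text)
  schema_text.scan(/^\s*action\s+(\w+)(?:\s+in\s+\[([^\]]*)\])?/).to_h do |name, parents|
    [name, parents.to_s.split(",").map(&:strip).reject(&:empty?)]
  end
end

# Cedar's `in` is reflexive and transitive over the parent relation.
def action_in?(hierarchy, action, group)
  seen = []
  queue = [action]
  until queue.empty?
    current = queue.shift
    return true if current == group
    next if seen.include?(current)
    seen << current
    queue.concat(hierarchy.fetch(current, []))
  end
  false
end

# The "Users with isAdmin=true can Delete" policy: principal is a Hash of
# attributes, so `principal has isAdmin && principal.isAdmin` becomes a key
# check followed by a Bool check.
def admin_policy_permits?(hierarchy, principal, action)
  action_in?(hierarchy, action, "AdminActions") &&
    principal.key?(:isAdmin) && principal[:isAdmin] == true
end

HIERARCHY = action_parents(SCHEMA)
NO_SCHEMA = {} # what the engine knows about action groups without a schema

if __FILE__ == $PROGRAM_NAME
  admin = { isAdmin: true }
  puts admin_policy_permits?(HIERARCHY, admin, "Delete")  # true
  puts admin_policy_permits?(NO_SCHEMA, admin, "Delete")  # false: group unknown
end
```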

elct9620 commented 14 hours ago

Sure, the pull request is welcome.