New policy-query engine replaces old policy features.

Tests with examples in `test/fluree.db.policy.*`

Currently, this deprecates the latest `f:equals` policy, but that could get added back as an interim feature if needed (at the expense of extra query/parsing when policy-wrapping a db).

Key features:

- Policies are described with queries; anything you can do with query logic can be applied to a policy.
- Policies can be dynamically supplied by the app as plain JSON-LD; they don't need to be stored in the db. If you want to continue to use the db to manage policies, policy groups, and identities, you should use the new API `fluree/wrap-identity-policy` instead of the main `fluree/wrap-policy` API.
- Policy query values/variables can be supplied when calling `fluree/wrap-policy`. These can be any variables used in your policy queries, and allow variables coming from an external system (e.g. identity provider, app) to be used as part of policy criteria.
- The `fluree/wrap-policy` set of APIs (listed below) allow a flag, `default-allow?`, which if true allows any data not covered by a policy. Prior Fluree versions always denied data not covered by a policy; now there is an option.

Policy APIs

- `fluree/wrap-policy` - the main API, where you supply the db, policies in JSON-LD, the `default-allow?` flag, and a values/variable map. How you assemble your policies is entirely up to you/your app. Policy queries use the special `?$this` variable to evaluate whether the user can see the flake/value. If the policy query returns any results, they can see it; if it returns no results, they cannot see it.
- `fluree/wrap-identity-policy` - most similar to prior Fluree versions, where instead of supplying policies, you supply an identity. We query the DB for the provided identity and look for the `f:policyClass` property, which should contain a list of classes. We then query the DB for all policies matching those class(es) to find the full set of policies, and with those in hand, call the standard `fluree/wrap-policy` but also inject the special values variable `?$identity`, which is available to your policy queries in addition to the standard `?$this` variable.
- `fluree/credential-query` - Use instead of `fluree/query` if your query is wrapped in a verifiable credential. If so, we'll verify the credential, extract the identity and call `fluree/wrap-identity-policy` to policy-enforce the db. NOTE: `fluree/query` no longer accepts verifiable credential queries; use this API instead.
- `fluree/credential-history` - Like `fluree/credential-query`, use this for history queries that are wrapped in a verifiable credential. NOTE: `fluree/history` no longer accepts verifiable credential queries; use this API instead.
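To make the decision rule concrete (a covering policy query with `?$this` bound returns a row: visible; no row: hidden; no policy covers the flake: `default-allow?` decides), here is a small Python model written for this description. It is not Fluree's engine or API; the flake tuples, the `on`-predicate policy shape and the sample data are assumptions chosen for illustration, and `?$identity` is supplied through the values map the way `wrap-identity-policy` injects it.

```python
# Toy model of the policy decision rule described above; not Fluree code.
# db = list of (subject, predicate, object) flakes. A policy covers one
# predicate (an assumed shape) and holds a query of triple patterns where
# strings starting with "?" are variables. ?$this is bound to the flake's
# subject; ?$identity (or any other variable) comes from the values map.
def _match(db, patterns, bindings):
    # Yield each binding map under which every pattern matches a flake.
    if not patterns:
        yield bindings
        return
    for flake in db:
        b = dict(bindings)
        for want, have in zip(patterns[0], flake):
            if want.startswith("?"):
                if b.setdefault(want, have) != have:
                    break             # variable already bound to another value
            elif want != have:
                break
        else:
            yield from _match(db, patterns[1:], b)

def visible_flakes(db, policies, values, default_allow=False):
    out = []
    for flake in db:
        subj, pred, _ = flake
        covering = [pol for pol in policies if pol["on"] == pred]
        if not covering:              # uncovered data: default-allow? decides
            if default_allow:
                out.append(flake)
            continue
        bindings = {**values, "?$this": subj}
        # Any row from any covering policy query makes the value visible.
        if any(next(_match(db, pol["query"], bindings), None) is not None
               for pol in covering):
            out.append(flake)
    return out

SAMPLE_DB = [  # constructed sample data
    ("ex:alice", "ex:dept", "ex:eng"),
    ("ex:alice", "ex:email", "alice@example.com"),
    ("ex:alice", "ex:ssn", "000-00-0000"),
    ("ex:bob", "ex:dept", "ex:eng"),
    ("ex:bob", "ex:email", "bob@example.com"),
    ("ex:bob", "ex:role", "ex:hr"),
]
SAMPLE_POLICIES = [  # email: same department as the viewer; ssn: HR only
    {"on": "ex:email", "query": [("?$this", "ex:dept", "?dept"),
                                 ("?$identity", "ex:dept", "?dept")]},
    {"on": "ex:ssn", "query": [("?$identity", "ex:role", "ex:hr")]},
]
```

With `?$identity` set to `ex:alice`, only the two email flakes come back; an identity unknown to the db sees nothing unless `default_allow` is true, in which case it sees only the uncovered `ex:dept` and `ex:role` flakes.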