nearform / udaru

Open source Access Manager for node.js
https://nearform.github.io/udaru
MIT License

Bug: Policy deletion from team #489

Closed ShaunBaker closed 6 years ago

ShaunBaker commented 6 years ago
[Screenshot: screen shot 2018-03-07 at 23 53 08]

As displayed in the screenshot, we have a team which has three policies attached to it. Key to note: this is in fact the same policy, but each is using different variables.

Now the question here is - how can I delete one of these policies?

Udaru provides the DELETE /authorization/teams/{teamId}/policies/{policyId} endpoint - but using this endpoint will delete (all/first) of this policy as they all share the same id.

cianfoley-nearform commented 6 years ago

@ShaunBaker this is a bug as far as I can see. In the DELETE route there is no way to delete a policy based on a combo of policy id and variable, and it's the same on the user and org endpoints.

cianfoley-nearform commented 6 years ago

Delete functionality is currently broken, as it will delete ALL policies with the specified ID on the route.

More input required on this feature before action taken.

Should the idea of defining policy instances be a part of the team, user and org endpoints, or should there be a policy instance endpoint to create/edit policy instances and variables, so that they can be added to teams/orgs/users as per regular policies using a unique policyId for the instance? The feature of allowing either an id string or an object {id, [variables]} using joi.alternatives() when adding policies to teams causes problems for Swagger documentation too and is confusing, so doing this would also remove this issue.

@mihaidma @ShaunBaker @dberesford

cianfoley-nearform commented 6 years ago

Hi Shaun, delete with instance is now facilitated in the latest PR using the instance id as a query param; this id is returned on creation. https://github.com/nearform/udaru/pull/506

An edit function on policy instances based on the instance field will be added, but we need to evaluate the POST/PUT functionality across the API next (this will address the dangerous endpoints issue too).
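
The behaviour discussed in this thread, as an added example that is not part of the original comments and is not udaru's code: an in-memory model in which one policy is attached to a team three times with different variables, showing removal by policy id alone versus removal scoped by an instance id. The class, its method names and the sample team, policy and variable values are hypothetical.

```javascript
// Added illustration only: an in-memory model, not udaru's implementation.
// TeamPolicyStore, attach/detach/list and all sample values are hypothetical.
class TeamPolicyStore {
  constructor() {
    this.rows = [];        // one row per attachment of a policy to a team
    this.nextInstance = 1; // instance ids are unique per attachment
  }

  // Attach a policy with its own variables. The instance id is returned,
  // matching the thread's "this id is returned on creation".
  attach(teamId, policyId, variables = {}) {
    const instance = this.nextInstance++;
    this.rows.push({ teamId, policyId, variables, instance });
    return instance;
  }

  list(teamId) {
    return this.rows.filter((r) => r.teamId === teamId);
  }

  // Without an instance id, every attachment sharing (teamId, policyId) is
  // removed: the behaviour reported in the issue. With an instance id, at
  // most one row goes, and only if it belongs to this team and policy, so
  // an instance id from another team cannot remove anything here.
  detach(teamId, policyId, instance) {
    const before = this.rows.length;
    this.rows = this.rows.filter((r) => {
      if (r.teamId !== teamId || r.policyId !== policyId) return true;
      if (instance === undefined) return false;
      return r.instance !== instance;
    });
    return before - this.rows.length; // number of attachments removed
  }
}

function demo() {
  const store = new TeamPolicyStore();
  const ids = ['docs', 'billing', 'reports'].map((resource) =>
    store.attach('team1', 'policyA', { resource }));
  const wrongTeam = store.detach('team2', 'policyA', ids[0]);
  const removedOne = store.detach('team1', 'policyA', ids[1]);
  const remaining = store.list('team1').map((r) => r.variables.resource);
  const removedAll = store.detach('team1', 'policyA');
  return { wrongTeam, removedOne, remaining, removedAll,
    left: store.list('team1').length };
}

console.log(demo());
```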