Add Go example for TinyTodo based on cedar-go

[mqf20]

Also see cedar-policy/cedar-go#24.

[mqf20]

Hey @andrewmwells-amazon, I've prepared the PR as suggested.

There seems to be a problem with DCO sign off, do you need me to sign or does it only concern AWS staff?

[khieta]

Hi @mqf20! To pass the DCO check you should include -s in your git commit commands. I believe if you click the "Details" link next to the CI failure it'll take you to a page that explains more.

[khieta]

(Also: thanks for the contribution! I'll tag some reviewers who have familiarity with Go & the TinyTodo app)

[mqf20]

Got it, I just wasn't sure if the signing policy applies only to AWS staff.

Should I withdraw this PR and resubmit a new one with a signed commit?

[cdisselkoen]

You can git commit --amend -s and then force-push to the PR branch

[shaobo-he-aws]

I assume that the go version uses the same "frontend" Python file as the Rust version.. If so, we should also use one copy only.

[patjakdev]

Agreed, although it's not totally clear to me what value the Python frontend adds over just running go build and cmd/server directly. Maybe it lets you interact with the server from a REPL somewhat easily? Dunno.

[shaobo-he-aws]

Yes. We use the Python REPL to interact with the backend server.

[shaobo-he-aws]

A high-level feedback from me is to reuse the files in the existing TinyTodo example (e.g., policies, entities, and Python files) as much as possible, which makes me wonder if we should restructure the TinyTodo folder into something like,

tinytodo
  - policy.cedar
  - tinytodo.cedarschema
  - tinytodo.py
  - ...
  - rust
    - Cargo.toml
    - src
  - go
    - ...

[mqf20]

A high-level feedback from me is to reuse the files in the existing TinyTodo example (e.g., policies, entities, and Python files) as much as possible, which makes me wonder if we should restructure the TinyTodo folder into something like,

tinytodo
  - policy.cedar
  - tinytodo.cedarschema
  - tinytodo.py
  - ...
  - rust
    - Cargo.toml
    - src
  - go
    - ...

Agreed, this sounds neater.

However, the Go implementation does not support some features (templates, schemas), so the Rust and Go implementations are not equivalent.

[patjakdev]

Thank you so much for writing all of this up and adeptly skirting some of the limitations of the current cedar-go implementation!

I mostly skimmed over the actual application logic, but I did look more closely at the interface with cedar-go and had a few questions. I decided to request changes because I think it's pretty important that isAuthorized() adhere to the Cedar ethos of respecting the policy decision, even in the face of errors.

[patjakdev]

I may be mistaken, but this doesn't seem to match the behavior of the Rust implementation:

        let response = self.authorizer.is_authorized(&q, &self.policies, &es);
        info!("Auth response: {:?}", response);
        match response.decision() {
            Decision::Allow => Ok(()),
            Decision::Deny => Err(Error::AuthDenied(response.diagnostics().clone())),
        }

That implementation seems to simply log any policy errors and just return the decision, which I think matches the spirit of Cedar's skip-on-error behavior:

The reasoning for the skip-on-error property is more involved. An alternative authorization algorithm we considered would be to Deny a request when any policy evaluation exhibits an error. While this might sound good at first, deny-on-error raises concerns of safety. An application that was working fine with 100 policies might suddenly start denying all requests if the 101st policy has an error. Skip-on-error avoids this dramatic failure mode, and is more flexible: applications can always choose to look at the authorization response’s diagnostics and take a different decision if an evaluated policy produces errors. For more information, see this blog post written by one of the Cedar designers.

[mqf20]

You're right, the Go implementation does not match the Rust implementation.

Before I fix the Go implementation, please correct me if I have misinterpreted the Rust implementation (I'm new to Rust):

        let response = self.authorizer.is_authorized(&q, &self.policies, &es);
        info!("Auth response: {:?}", response);
        match response.decision() {
            Decision::Allow => Ok(()),
            Decision::Deny => Err(Error::AuthDenied(response.diagnostics().clone())),
        }

• Returns an empty successful value if the decision is allow
• Returns an error with the diagnostics (errors and reasons) if the decision is deny

Based on Cedar's skip-on-error behavior that you quoted, it seems like the Rust implementation has overlooked a scenario: the decision is allow but errors are present.

[patjakdev]

Based on Cedar's skip-on-error behavior that you quoted, it seems like the Rust implementation has overlooked a scenario: the decision is allow but errors are present.

I think the Rust implementation is following the spirit of the skip-on-error behavior. If the decision is allow, the request should be authorized, even if there are errors. Those errors are logged via the info!() macro above the match statement.

[mqf20]

Got it, let me know if this commit is aligned with the Rust implementation

[patjakdev]

Agreed, although it's not totally clear to me what value the Python frontend adds over just running go build and cmd/server directly. Maybe it lets you interact with the server from a REPL somewhat easily? Dunno.

[patjakdev]

Looks good! Thanks for taking my feedback.

[patjakdev]

nit: I'd consider putting this argument last to match the normal PARC order.

[mqf20]

In this case, the context here is different from the context in an authorization request (the C in PARC). In the Rust implementation, the authorization request is also missing.

Perhaps I should make this differentiation clearer?

[mqf20]

@patjakdev I just pushed commit 9839aea to clean up the Go module paths, and commit 98ccf5f to remove an irrelevant file I added by accident

[mqf20]

@aaronjeline @shaobo-he-aws do you have any comments on this PR?

[shaobo-he-aws]

LGTM, as a person who rarely knows Go.

[aaronjeline]

Looks good overall. Two minor requests:

1. The above comment, if there isn't a clear solution it's fine as is.
2. Can you adjust the CI to auto-build this?

[aaronjeline]

Looks good, once CI passes :)