Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can't get shortcut "admin" rule to work #1536

Open
lafrech opened this issue Feb 27, 2022 · 1 comment
Open

Can't get shortcut "admin" rule to work #1536

lafrech opened this issue Feb 27, 2022 · 1 comment

Comments

@lafrech
Copy link
Contributor

lafrech commented Feb 27, 2022

Hi.

Here's another of my 0.26 migration issues.

I have a set of auth rules based on a SQLAlchemy relationship model and I use a shortcut "admin" rule to specify that admin users (users with is_admin property set to True) can do everything.

# Admin can do anything
allow(user: User, _action, _resource) if user.is_admin = true;

This worked fine until 0.26 / SqlAlchemyAdapter. Now, I have issues with authorized_query not returning all expected rows.

Here's a 0.25 query:

SELECT anon_1.timeseries_id AS anon_1_timeseries_id, anon_1.timeseries_cluster_id AS anon_1_timeseries_cluster_id, anon_1.timeseries_data_state_id AS anon_1_timeseries_data_state_id 
FROM (SELECT timeseries.id AS timeseries_id, timeseries.cluster_id AS timeseries_cluster_id, timeseries.data_state_id AS timeseries_data_state_id 
FROM timeseries 
WHERE true UNION SELECT timeseries.id AS timeseries_id, timeseries.cluster_id AS timeseries_cluster_id, timeseries.data_state_id AS timeseries_data_state_id 
FROM timeseries 
WHERE timeseries.cluster_id IN (__[POSTCOMPILE_cluster_id_1])) AS anon_1

And here's the equivalent 0.26 query:

SELECT DISTINCT timeseries.id AS timeseries_id, timeseries.cluster_id AS timeseries_cluster_id, timeseries.data_state_id AS timeseries_data_state_id 
FROM timeseries JOIN timeseries_clusters ON timeseries.cluster_id = timeseries_clusters.id JOIN timeseries_cluster_groups ON timeseries_clusters.group_id = timeseries_cluster_groups.id JOIN timeseries_cluster_groups_by_users ON timeseries_cluster_groups.id = timeseries_cluster_groups_by_users.timeseries_cluster_group_id JOIN users ON timeseries_cluster_groups_by_users.user_id = users.id 
WHERE true OR users.id = %(id_1)s

The issue seems to be that the "admin" shortcut (WHERE true) is only used after the joins needed for the relational rule.

In the case above, the query returns no row because the admin user has no relation to the timeseries objects. If I add an unrelated user with relations to timeseries objects, then, thanks to the admin shortcut, those timeseries are returned.

Basically, the "admin" shortcut is broken as it only returns the rows for which at least a user exists that fills the rule.

Trace 0.25 
[oso][info]   QUERY RULE: allow(<User Chuck <chuck@test.com>, admin: True, active: True> TYPE `User`, "read", resource)
[oso][info]     APPLICABLE_RULES:
[oso][info]       allow(user: UserActor{}, _action, _resource) at line 13, column 1 of file /mnt/projets/bemserver/bemserver-core/bemserver_core/authorization.polar
[oso][info]       allow(actor, action, resource) at line 7, column 1 of file /mnt/projets/bemserver/bemserver-core/bemserver_core/authorization.polar
[oso][info]       allow(_actor, _action, _resource) at line 10, column 1 of file /mnt/projets/bemserver/bemserver-core/bemserver_core/authorization.polar
[oso][info]   RESULT: {
[oso][info]     resource: _this matches Timeseries{}
[oso][info]   }
[oso][info]       QUERY RULE: has_permission(_actor_320, _action_321, _resource_322)
[oso][info]           QUERY RULE: has_relation(_related_timeseriescluster_410, "cluster", _timeseries_409)
[oso][info]           QUERY RULE: has_permission(_actor_408, "read", _related_timeseriescluster_410)
[oso][info]               QUERY RULE: has_relation(_related_timeseriesclustergroup_510, "group", _timeseriescluster_509)
[oso][info]               QUERY RULE: has_role(_actor_508, "tscg_member", _related_timeseriesclustergroup_510)
[oso][info]   RESULT: {
[oso][info]     resource: _this.cluster.group matches TimeseriesClusterGroup{} and _this.cluster matches TimeseriesCluster{} and _this matches Timeseries{} and _tscgbu_537 in _this.cluster.group.timeseries_cluster_groups_by_users and <User Chuck <chuck@test.com>, admin: True, active: True> TYPE `User` = _tscgbu_537.user
[oso][info]   }
Trace 0.26 
[oso][info]   QUERY RULE: allow(<User Chuck <chuck@test.com>, admin: True, active: True> TYPE `User`, "read", resource)
[oso][info]     APPLICABLE_RULES:
[oso][info]       allow(user: User{}, _action, _resource) at line 13, column 1 of file /mnt/projets/bemserver/bemserver-core/bemserver_core/authorization.polar
[oso][info]       allow(actor, action, resource) at line 7, column 1 of file /mnt/projets/bemserver/bemserver-core/bemserver_core/authorization.polar
[oso][info]       allow(_actor, _action, _resource) at line 10, column 1 of file /mnt/projets/bemserver/bemserver-core/bemserver_core/authorization.polar
[oso][info]     RULE: allow(user: User{}, _action, _resource) if _value_2 = true and user.is_admin = _value_2;
[oso][info]   RESULT: {
[oso][info]     resource: _this matches Timeseries{}
[oso][info]   }
[oso][info]     RULE: allow(actor, action, resource) if has_permission(actor, action, resource);
[oso][info]       QUERY RULE: has_permission(_actor_315, _action_316, _resource_317)
[oso][info]         APPLICABLE_RULES:
[oso][info]           has_permission(actor: Actor{}, "read", timeseries: Timeseries{}) at line 144, column 5 of file /mnt/projets/bemserver/bemserver-core/bemserver_core/authorization.polar
[oso][info]         RULE: has_permission(actor: Actor{}, "read", timeseries: Timeseries{}) if has_relation(related_timeseriescluster, "cluster", timeseries) and has_permission(actor, "read", related_timeseriescluster);
[oso][info]           QUERY RULE: has_relation(_related_timeseriescluster_386, "cluster", _timeseries_385)
[oso][info]             APPLICABLE_RULES:
[oso][info]               has_relation(tsc: TimeseriesCluster{}, "cluster", ts: Timeseries{}) at line 149, column 1 of file /mnt/projets/bemserver/bemserver-core/bemserver_core/authorization.polar
[oso][info]             RULE: has_relation(tsc: TimeseriesCluster{}, "cluster", ts: Timeseries{}) if tsc = _value_15 and ts.cluster = _value_15;
[oso][info]           QUERY RULE: has_permission(_actor_384, "read", _related_timeseriescluster_386)
[oso][info]             APPLICABLE_RULES:
[oso][info]               has_permission(actor: Actor{}, "read", timeseriescluster: TimeseriesCluster{}) at line 116, column 5 of file /mnt/projets/bemserver/bemserver-core/bemserver_core/authorization.polar
[oso][info]             RULE: has_permission(actor: Actor{}, "read", timeseriescluster: TimeseriesCluster{}) if has_relation(related_timeseriesclustergroup, "group", timeseriescluster) and has_role(actor, "tscg_member", related_timeseriesclustergroup);
[oso][info]               QUERY RULE: has_relation(_related_timeseriesclustergroup_467, "group", _timeseriescluster_466)
[oso][info]                 APPLICABLE_RULES:
[oso][info]                   has_relation(group: TimeseriesClusterGroup{}, "group", tsc: TimeseriesCluster{}) at line 121, column 1 of file /mnt/projets/bemserver/bemserver-core/bemserver_core/authorization.polar
[oso][info]                 RULE: has_relation(group: TimeseriesClusterGroup{}, "group", tsc: TimeseriesCluster{}) if group = _value_13 and tsc.group = _value_13;
[oso][info]               QUERY RULE: has_role(_actor_465, "tscg_member", _related_timeseriesclustergroup_467)
[oso][info]                 APPLICABLE_RULES:
[oso][info]                   has_role(user: User{}, "tscg_member", tg: TimeseriesClusterGroup{}) at line 93, column 1 of file /mnt/projets/bemserver/bemserver-core/bemserver_core/authorization.polar
[oso][info]                 RULE: has_role(user: User{}, "tscg_member", tg: TimeseriesClusterGroup{}) if tg.timeseries_cluster_groups_by_users = _value_10 and tscgbu in _value_10 and user = _value_11 and tscgbu.user = _value_11;
[oso][info]   RESULT: {
[oso][info]     resource: _this.cluster.group matches TimeseriesClusterGroup{} and _this.cluster matches TimeseriesCluster{} and _this matches Timeseries{} and _tscgbu_492 in _this.cluster.group.timeseries_cluster_groups_by_users and <User Chuck <chuck@test.com>, admin: True, active: True> TYPE `User` = _tscgbu_492.user
[oso][info]   }
[oso][info]     RULE: allow(_actor, _action, _resource) if OpenBarPolarClass.get() = _value_1 and _value_1;

In both traces, the admin shortcut line gives the following result:

[oso][info]   RESULT: {
[oso][info]     resource: _this matches Timeseries{}
[oso][info]   }

and the relational line

[oso][info]   RESULT: {
[oso][info]     resource: _this.cluster.group matches TimeseriesClusterGroup{} and _this.cluster matches TimeseriesCluster{} and _this matches Timeseries{} and _tscgbu_492 in _this.cluster.group.timeseries_cluster_groups_by_users and <User Chuck <chuck@test.com>, admin: True, active: True> TYPE `User` = _tscgbu_492.user
[oso][info]   }

The first result should allow the query to return all Timeseries. The generated query should then be

SELECT DISTINCT timeseries.id AS timeseries_id, timeseries.cluster_id AS timeseries_cluster_id, timeseries.data_state_id AS timeseries_data_state_id 
FROM timeseries

Or am I getting/doing this wrong?
@lafrech lafrech mentioned this issue Feb 27, 2022
Open
@cofinalsubnets
Copy link
Contributor

Hi @lafrech , you're not wrong, this is a bug. I added it to our internal issue tracker & I'll keep you updated. Thanks for reporting!

@lafrech lafrech mentioned this issue Mar 28, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cofinalsubnets @lafrech