KEMBAR78
docs(jans-cedarling): shorten conditional by SafinWasi · Pull Request #10812 · JanssenProject/jans · GitHub
Skip to content

Conversation

@SafinWasi
Copy link
Contributor

Prepare


Description

Target issue

closes #10810

Implementation Details


Test and Document the changes

N/A

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Signed-off-by: SafinWasi <6601566+SafinWasi@users.noreply.github.com>
@mo-auto mo-auto added area-documentation Documentation needs to change as part of issue or PR comp-docs Touching folder /docs comp-jans-cedarling Touching folder /jans-cedarling labels Feb 7, 2025
Copy link
Contributor

@olehbozhok olehbozhok left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like you don't need to remove attribute has because it can cause error in evaluating this rule

)
when {
((principal has "access_token") && ((principal["access_token"]) has "scope")) && (((principal["access_token"])["scope"]).contains("profile"))
((principal["access_token"])["scope"]).contains("profile")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You must check for presence of nested, optional attributes one layer at a time. For example, to check for the presence of principal.custom.project where both custom and project are optional, you must first check if principal has a custom attribute and then check that it principal.custom has a project attribute:

https://docs.cedarpolicy.com/policies/syntax-operators.html#operator-has

olehbozhok
olehbozhok previously approved these changes Feb 7, 2025
Copy link
Contributor

@olehbozhok olehbozhok left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't agree to make the rule shorten, but approve if Michael agree

@nynymike
Copy link
Contributor

nynymike commented Feb 9, 2025

Let's consider ergonomic syntax... is your policy more readible? Is it much faster? If so, how much? If it's not more readible, or faster, what is the advantage? Please don't just say "I don't like it"--give me a reason please.

@syntrydy
Copy link
Contributor

syntrydy commented Feb 10, 2025

@nynymike

  1. It violates Cedar's fundamental safety principles by making assumptions about the data structure without verification. In Cedar, when we access optional attributes using bracket notation like principal["access_token"] , we're essentially saying "I'm certain this attribute exists" - but we can't actually be certain.
    This is particularly dangerous in authorization policies where unexpected attribute access could lead to security vulnerabilities.

  2. When we chain attribute access like ((principal["access_token"])["scope"]) , we're creating a cascade of potential failure points. If either access_token or scope is missing, this could lead to a runtime error. This is especially problematic because Cedar policies need to be reliable and deterministic - a policy failure due to unsafe attribute access could result in either incorrectly granting or denying permissions, both of which are serious security concerns.

  3. Cedar deliberately requires explicit handling of optional attributes using the has operator to force policy authors to think about and handle edge cases. The above change goes against Cedar's philosophy of making attribute access safety explicit rather than implicit. This makes the policy more fragile and harder to maintain because it's not clear from reading the code whether these attributes are optional or required.

@nynymike
Copy link
Contributor

Ok, I'm going to post this to the Cedar slack. It seems like we're sacrificing ergonomic syntax.

@SafinWasi
Copy link
Contributor Author

According to cedar developers, the ergonomic way to do this is to use dot notation instead of square bracket syntax. By using the extended RHS syntax of the has operator, we can implicitly test the existence of both access_token and scope before the second conditional is evaluated.

@id("allow_one")
permit(
  principal is Jans::Workload,
  action == Jans::Action::"GET",
  resource is Jans::HTTP_Request
)
when {
    principal has access_token.scope &&
    principal.access_token.scope.contains("profile")
};

On cedar-policy-cli 4.3.1:

$ cedar validate --schema cedarling_core.cedarschema --policies policy.cedar
  ☞ policy set validation passed
  ╰─▶ no errors or warnings

Signed-off-by: SafinWasi <6601566+SafinWasi@users.noreply.github.com>
Signed-off-by: SafinWasi <6601566+SafinWasi@users.noreply.github.com>
@SafinWasi SafinWasi requested a review from nynymike February 12, 2025 15:30
@SafinWasi SafinWasi enabled auto-merge (squash) February 12, 2025 15:33
Copy link
Contributor

@nynymike nynymike left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks better!

Signed-off-by: SafinWasi <6601566+SafinWasi@users.noreply.github.com>
@SafinWasi SafinWasi merged commit 565a422 into main Feb 13, 2025
2 checks passed
@SafinWasi SafinWasi deleted the docs-fix-krakend branch February 13, 2025 07:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area-documentation Documentation needs to change as part of issue or PR comp-docs Touching folder /docs comp-jans-cedarling Touching folder /jans-cedarling

Projects

None yet

Development

Successfully merging this pull request may close these issues.

docs(jans-cedarling): update krakend readme for scope based access

5 participants