Allow querying/transacting as an identity via opts #424

Merged: 11 commits merged into main from feature/query-transact-as-identity on Mar 24, 2023

Conversation

@mpoffald (Contributor) commented Mar 22, 2023

Closes #409

This PR allows for querying/transacting as a given identity via opts, to get policy enforcement without directly invoking the top-level wrap-policy api fn.

Examples:

@(fluree/query db+policy {:select {'?s [:* {:ex/location [:*]}]}
                          :where  [['?s :rdf/type :ex/User]]
                          :opts   {:did  "did:fluree:Tf6i5oh2ssYNRpxxUM2zea1Yo7x4uRqyTeU"
                                   :role :ex/userRole}})

or

@(fluree/stage db+policy {:id   :ex/widget
                          :schema/name "Widget2"}
                         {:did "did:fluree:Tf6i5oh2ssYNRpxxUM2zea1Yo7x4uRqyTeU"
                          :role      :ex/userRole})

This is supported in:

  • query
  • multi-query
  • history query
  • stage

Note that this leaves out some api fns that operate on dbs, eg:

  • internal-id
  • range
  • slice

Also, the following are disallowed and will result in an error:

  • wrapping a db in policy twice (eg passing in an identity in the opts and also using wrap-policy on the db itself)
  • passing in an identity in the opts of an individual query in a multi-query (identity is only accepted on top-level opts in a multi-query)

Notes

If a user tries to supply an identity via `:opts`, and perform an operation on a db that already has policy applied (via `wrap-policy`), this is an error.

In the future, we could maybe do something more sophisticated, such as allowing this in cases where the "latter" policy is more restrictive, but for now this is an error.
@mpoffald requested a review from a team March 22, 2023 20:05

Review thread replies from @mpoffald:

If a given policy cares about identity and you do not provide it, you will only be permitted to do whatever that policy allows for that role.

For example: If there’s a policy that says "`:ex/userRole` can see any `:ex/user`’s data, but you can only see your own SSN”, and you try to view all user data with just `:ex/userRole`, you will receive all the data that would’ve been viewable to anyone with `:ex/userRole` (no SSNs at all, because you need identity for that).

The values are not actually treated as IRIs, these are just opts keys. This makes that clearer.

In the future, we should be able to support a use case where we can look up which roles an identity has, and we can remove this error.
@mpoffald (Contributor, Author) commented Mar 24, 2023

More details on how this PR handles these opts:

  1. We do not look up roles for a given identity, it just works with what it's supplied (role lookups will be future work)
  2. if you provide just a role, we allow whatever that role allows. If the policy cares about identity, we just won't let you do anything that requires a specific identity
    • Example: If there’s a policy that says “someone with :ex/userRole can see any :ex/user’s data but only their own ssn”, and you try to view all user data with just :ex/userRole, you will receive all the data that would’ve been viewable to anyone with :ex/userRole (no ssn’s at all, because you need identity for that).
  3. providing just an identity is still not supported, if you don't supply a role we throw an error (see #1 above)
  4. if you provide a role and an identity, we just believe you that you want that identity to have that role for this operation and act accordingly

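The four rules above, and the `:opts` examples in the PR description, as an added end-to-end example. This is not code from the PR or the fluree/db repository; it assumes the 2023-era `fluree.db.json-ld.api` namespace, an in-memory connection created with a `:defaultContext`, and the `:f/targetClass` / `:f/allow` / `:f/targetRole` / `:f/equals` policy vocabulary with `:f/$identity` resolving to the caller's DID. The user data, `bob-did` and the ledger name are constructed for the example; `alice-did` is the DID string used in the PR text.

```clojure
;; Added example (not from the PR): one identity-aware policy exercised four ways,
;; matching the PR's rules. Assumptions: fluree.db.json-ld.api (2023 API),
;; :defaultContext on create, and the :f/Policy vocabulary shown below.
(ns example.query-as-identity
  (:require [fluree.db.json-ld.api :as fluree]))

(def alice-did "did:fluree:Tf6i5oh2ssYNRpxxUM2zea1Yo7x4uRqyTeU") ; DID from the PR text
(def bob-did   "did:example:bob-constructed")                   ; constructed placeholder

(def policy-and-data
  [;; constructed sample users, each with a sensitive property
   {:id :ex/alice :type :ex/User :schema/name "Alice" :schema/ssn "111-11-1111"}
   {:id :ex/bob   :type :ex/User :schema/name "Bob"   :schema/ssn "222-22-2222"}
   ;; identities: DID -> role, plus the :ex/User record each DID owns
   {:id alice-did :ex/user :ex/alice :f/role :ex/userRole}
   {:id bob-did   :ex/user :ex/bob   :f/role :ex/userRole}
   ;; policy: :ex/userRole may view every :ex/User, but :schema/ssn only where
   ;; the caller's identity ($identity -> :ex/user) equals the subject being read
   {:id :ex/UserPolicy
    :type [:f/Policy]
    :f/targetClass :ex/User
    :f/allow [{:id :ex/globalViewAllow
               :f/targetRole :ex/userRole
               :f/action [:f/view]}]
    :f/property [{:f/path :schema/ssn
                  :f/allow [{:id :ex/ssnViewRule
                             :f/targetRole :ex/userRole
                             :f/action [:f/view]
                             :f/equals {:list [:f/$identity :ex/user]}}]}]}])

(def user-query
  {:select {'?s [:*]}
   :where  [['?s :rdf/type :ex/User]]})

(defn result-or-error
  "Deref an API call; fluree delivers failures as exception values (assumed),
   so report the message either way instead of letting it escape."
  [p]
  (try (let [r @p] (if (instance? Throwable r) {:error (ex-message r)} r))
       (catch Throwable t {:error (ex-message t)})))

(defn -main [& _]
  (let [conn    @(fluree/connect {:method :memory})
        ledger  @(fluree/create conn "policy/identity-demo"
                                {:defaultContext ["" {:ex "http://example.org/ns/"}]})
        db      @(fluree/stage (fluree/db ledger) policy-and-data)
        ;; 1. pre-existing path: wrap the db once, then query with no :opts
        wrapped @(fluree/wrap-policy db {:did alice-did :role :ex/userRole})
        via-wrap (result-or-error (fluree/query wrapped user-query))
        ;; 2. path this PR adds: identity and role travel in the query's :opts
        via-opts (result-or-error
                   (fluree/query db (assoc user-query
                                           :opts {:did alice-did :role :ex/userRole})))
        ;; 3. role only (rule 2): identity-dependent rules cannot match, so the
        ;;    PR notes say :schema/ssn is withheld for every user
        role-only (result-or-error
                    (fluree/query db (assoc user-query :opts {:role :ex/userRole})))
        ;; 4. identity without a role (rule 3) and opts on an already-wrapped db
        ;;    are both rejected by this PR; both should surface as errors
        did-only  (result-or-error
                    (fluree/query db (assoc user-query :opts {:did alice-did})))
        double    (result-or-error
                    (fluree/query wrapped (assoc user-query
                                                 :opts {:did alice-did :role :ex/userRole})))]
    (println "wrap-policy as alice:      " via-wrap)
    (println ":opts as alice:            " via-opts)
    (println "role only:                 " role-only)
    (println "identity without role:     " did-only)
    (println "opts on already-wrapped db:" double)))
```

Runs 1 and 2 are the equivalence the PR is after: the `:opts` form is meant to enforce the same policy as `wrap-policy` without the caller touching the wrapped db. Run 3 is the practical caveat for anyone wiring this into a service: passing only a role silently narrows results (no SSNs) rather than failing, so a caller that forgets the DID gets a quieter response, not an error. Runs 4 show the two cases the PR deliberately rejects.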
@zonotope (Contributor) left a review comment: 📜

Review thread on src/fluree/db/json_ld/transact.cljc (outdated, resolved)
@mpoffald mpoffald merged commit 889df05 into main Mar 24, 2023
@mpoffald mpoffald deleted the feature/query-transact-as-identity branch March 24, 2023 22:00
Linked issue (closes #409): Enable query/transactions as specific policyGroup and/or identity