Support template placeholders in conditions

[WanderingStar]

Category

Cedar language features

Describe the feature you'd like to request

We would like to be able to use placeholders like ?principal and ?resource in the when/unless conditions.

Describe the solution you'd like

Placeholders are evaluated in the conditions.

Describe alternatives you've considered

The alternative seems to be creating multiple different policies, rather than using the template linking feature to re-use the same policy. This is unappealing because of the maintenance burden of applying changes to the underlying logic to a large number of existing policies.

Additional context

An example of a policy that would use this:

@id("Admin")
permit(
  principal == ?principal,
  action, 
  resource)
when {
    // take any action in the scope that you're admin on
    resource in ?resource

    // allow access up the tree for navigation
    || (action == Action::"Navigate" && ?resource in resource)
};

This policy is intended to allow someone to administer a particular resource subtree in the resource hierarchy, and also to navigate down to their subtree.

This could be broken up into:

@id("AdminAdmin")
permit(
  principal == ?principal,
  action, 
  resource in ?resource);     // take any action in the scope that you're admin on;

@id("AdminNavigate")
permit(
  principal == ?principal,
  action == Action::"Navigate", 
  ?resource in resource); // allow access up the tree for navigation

to avoid supporting placeholders in the conditions, but then it would be possible to get into strange states where someone had AdminAdmin applied, but not AdminNavigate, which is undesirable.

Notes:

• The Admin policy above currently appears to work, though the docs say it shouldn't
• The docs also say that ?resource in resource is not allowed ("Placeholders can appear in only the policy head on the right-hand side of the == or in operators.") but it also appears to work

Is this something that you'd be interested in working on?

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

[mwhicks1]

It looks like you want more than just slots in conditions, you also want to allow slots in more locations in an expression. In particular, we do not currently allow the following:

@id("AdminNavigate")
permit(
  principal == ?principal,
  action == Action::"Navigate", 
  ?resource in resource); // allow access up the tree for navigation

That's because ?resource needs to be on the RHS of the in, not the LHS.

[mwhicks1]

Stepping back from the original request:

I wonder if a better solution might be some form of template group which puts together multiple templates so they can be instantiated as a unit? Then you could write multiple policies like you have done above, but as a group that can be linked all at once?

[WanderingStar]

As I mentioned above, the current implementation appears to support what I'm asking for already, despite the docs saying it doesn't. It both honors template placeholders in the conditions, and honors ?resource on both the LHS and RHS.

Here's a toy example:
mini-entities.txt
mini-roles.txt
mini-schema.txt
mini-template-linked.txt

Policy template:

@id("Admin")
permit(
  principal == ?principal,
  action, 
  resource
)
when {
    // write in descendants
    (resource in ?resource && action == FS::Action::"Write")

    // list in ancestors
    || (?resource in resource && action == FS::Action::"List")
};

Entity graph:

• FS::Disk::"SSD"
  • FS::Folder::"Downloads"
    • FS::File::"package.zip"
  • FS::Folder::"Photos" <-- Alice is admin of this
    • FS::File::"vacation.jpg"

Run like:

cargo run authorize \
    --policies mini-roles.txt \
    --schema mini-schema.txt \
    --entities mini-entities.txt \
    --template-linked mini-template-linked.txt \
    --principal 'FS::Person::"Alice"' \
    --action 'FS::Action::"List"' \
    --resource 'FS::Disk::"SSD"'

Action	Resource	Result	Note
FS::Action::"List"	FS::Disk::"SSD"	ALLOW	Can List ancestor
FS::Action::"Write"	FS::Disk::"SSD"	DENY	... but not Write
FS::Action::"List"	FS::Folder::"Downloads"	DENY	Wrong branch
FS::Action::"Write"	FS::Folder::"Downloads"	DENY	Wrong branch
FS::Action::"List"	FS::File::"package.zip"	DENY	Wrong branch
FS::Action::"Write"	FS::File::"package.zip"	DENY	Wrong branch
FS::Action::"List"	FS::Folder::"Photos"	ALLOW	Can List bound resource
FS::Action::"Write"	FS::Folder::"Photos"	ALLOW	... and Write it
FS::Action::"List"	FS::File::"vacation.jpg"	DENY	Can't List descendant
FS::Action::"Write"	FS::File::"vacation.jpg"	ALLOW	... but can Write it

[WanderingStar]

I wonder if a better solution might be some form of template group which puts together multiple templates so they can be instantiated as a unit? Then you could write multiple policies like you have done above, but as a group that can be linked all at once?

I'd love template groups. The when { A || B || C } I'm using is awkward.

I'd still want to have ?resource allowed on both the LHS and RHS (as it seems it already is).

[mwhicks1]

we do not currently allow the following:

I'm not sure what version you are using, but I just cloned the most recent version and tried to get the CLI to parse this policy

permit(
  principal == ?principal,
  action == Action::"Navigate", 
  ?resource in resource); // allow access up the tree for navigation

and it fails saying that ?resource is unrecognized. If I move the ? to the RHS it works. I guess this support was rolled back recently, to match the docs. @anwarmamat ?

For template groups: I've filed a separate issue for that: #106

[WanderingStar]

I was on 960394d5da664ce2dba383270e29fa2a8683e4bd From May 18. Looks like support for placeholders in conditions was removed here:
9772870