Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

reject if #141

Open
2 of 3 tasks
divarvel opened this issue Jun 26, 2023 · 4 comments
Open
2 of 3 tasks

reject if #141

divarvel opened this issue Jun 26, 2023 · 4 comments

Comments

@divarvel
Copy link
Collaborator

divarvel commented Jun 26, 2023
edited
Loading

Currently, authorization logic can be described with two mechanisms:

  • checks (and check all): when present, a check must be satisfied for the authorization to go through. check mandates that at least one combination of facts match the predicates and satisfy the expressions, while check all mandates that at least one combination of facts match the predicates, and that all combination of facts that match the predicates, satisfy the expressions.
  • policies (allow / deny): those are tried in order, and the first one to match determines is the request is allowed or not (as long as all checks are satisfied).

So checks are there to ensure that a condition holds, not matter what, while policies are useful to try several conditions one after the other.

One missing bit is being able to ensure that a condition does not hold, no matter what. This kind of logic is used in AWS policies for instance: if a deny policy matches, authorization will fail, regardless of all other policies.
This behaviour can be done in biscuit by putting deny policies first, so that no allow policies has the chance to bypass the check of deny policies, but this is a bit fragile. In some cases, check all can also be used to this effect.

reject if

The next biscuit version could introduce a new check kind, that makes authorization fail if it matches. This would allow us to have autonomous exclusion checks.

open questions

  • keyword: reject if was the version favoured by people https://framapiaf.org/@clementd/110616658721525331
  • behaviour: if present, and there is a combination of facts that matches predicates and satisfy the expressions, then authorization fails.
  • should check all also have a negative version as well?
@Geal
Copy link
Contributor

Geal commented Jun 26, 2023

I like the idea, but maybe the name is a bit confusing. Are there alternative ways to express it? check if none comes to mind but it's not great

@divarvel
Copy link
Collaborator Author

divarvel commented Jun 26, 2023
edited
Loading

What about forbid if or reject if? Or maybe check none in opposition to check all?

@divarvel
Copy link
Collaborator Author

i have opened a poll: https://framapiaf.org/@clementd/110616658721525331

@divarvel divarvel mentioned this issue Jul 3, 2023
Merged
@divarvel divarvel changed the title check if not reject if Oct 18, 2023
@divarvel divarvel moved this to Todo in biscuit v5 Dec 28, 2023
@divarvel divarvel moved this from Todo to Implementation in biscuit v5 Dec 28, 2023
@divarvel divarvel mentioned this issue Dec 28, 2023
Merged
@divarvel divarvel moved this from Implementation to Done in biscuit v5 Dec 29, 2023
This was referenced May 12, 2024
Open
Open
Open
Open
@Geal
Copy link
Contributor

Geal commented May 12, 2024

the new samples are available in #161

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
biscuit v5
Status: Done
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Geal @divarvel