Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

integrates caveat context in PermissionService API methods #886

Merged
merged 1 commit into from
Oct 18, 2022
Merged

integrates caveat context in PermissionService API methods #886

merged 1 commit into from
Oct 18, 2022

Conversation

vroldanbet
Copy link
Contributor

@vroldanbet vroldanbet commented Oct 5, 2022
edited
Loading

Closes #881
Closes #882
Closes #880

What

integrates caveat context in PermissionService API methods

How

  • Check API forward context to Check dispatch, which already understands caveat context
    • A limit of 4096 bytes in the caveat context was introduced. Eventually we can turn that into a configurable parameter
    • If a caveated response is returned by dispatcher, instead of panicking it returns an PERMISSIONSHIP_CONDITIONAL_PERMISSION response, and the response will contain missing fields
  • LookupSubjects and LookupResources are adjusted to return a gRPC unimplemented error. Various choke points where added to prevent evaluation of caveated relationships in the graph

@vroldanbet vroldanbet self-assigned this Oct 5, 2022
@github-actions github-actions bot added area/api v1 Affects the v1 API area/dependencies Affects dependencies labels Oct 5, 2022
@vroldanbet vroldanbet force-pushed the add-permission-service-context branch from 8f3d3b8 to c920bf4 Compare October 5, 2022 18:18
@vroldanbet vroldanbet force-pushed the add-permission-service-context branch 2 times, most recently from d8c3a1f to a109547 Compare October 6, 2022 09:39
@github-actions github-actions bot added the area/tooling Affects the dev or user toolchain (e.g. tests, ci, build tools) label Oct 6, 2022
@vroldanbet vroldanbet force-pushed the add-permission-service-context branch from a109547 to 72facd0 Compare October 6, 2022 11:26
@vroldanbet vroldanbet changed the title use caveat context from request in Check API integrates caveat context in PermissionService API methods Oct 6, 2022
vroldanbet
vroldanbet commented Oct 6, 2022
View reviewed changes
internal/graph/lookup.go
@@ -112,7 +111,7 @@ func (cl *ConcurrentLookup) LookupViaReachability(ctx context.Context, req Valid
Metadata: req.Metadata,
}, stream)
if err != nil {
resp := lookupResultError(NewErrInvalidArgument(fmt.Errorf("error in reachablility: %w", err)), emptyMetadata)
resp := lookupResultError(err, emptyMetadata)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this was turning every error received by reachable resources into an invalid argument, and prevented downstream code to provide a more specific error code. It also made the assumption everything fell in that category, whereas other error handling in this method did not make such assumption. Therefore it seemed uncontroversial to remove this.

internal/graph/lookupsubjects.go
@@ -111,6 +111,9 @@ func (cl *ConcurrentLookupSubjects) lookupDirectSubjects(
if it.Err() != nil {
return it.Err()
}
if tpl.Caveat != nil {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

choke point to prevent evaluation of the graph if relationship is caveated. This is a temporal measure until caveat support is introduced in Lookup* methods

@vroldanbet vroldanbet force-pushed the add-permission-service-context branch from 72facd0 to e417f4a Compare October 6, 2022 11:47
@vroldanbet vroldanbet force-pushed the add-permission-service-context branch 6 times, most recently from 45f88f5 to 72b3cff Compare October 7, 2022 11:00
@jzelinskie jzelinskie added the area/caveats Affects caveated relationships label Oct 8, 2022
@vroldanbet vroldanbet force-pushed the add-permission-service-context branch 4 times, most recently from ba79cbd to 3168732 Compare October 14, 2022 18:01
@vroldanbet vroldanbet marked this pull request as ready for review October 14, 2022 18:03
@vroldanbet vroldanbet requested a review from a team as a code owner October 14, 2022 18:03
@vroldanbet vroldanbet force-pushed the add-permission-service-context branch from 3168732 to 1a16604 Compare October 18, 2022 09:15
@vroldanbet
update authzed-go with PermissionService reqs /w context
97069de 
- fully implemented in Check API, new permissionship value
  "conditional" returned if fields were missing in context
- LookupResources and LookupSubjects return errors when a
  caveated relationship is detected in the working set
- a limit of 4096 bytes in the caveat context was
  introduced. Eventually we can turn this into a configurable
  setting
@vroldanbet vroldanbet force-pushed the add-permission-service-context branch from 1a16604 to 97069de Compare October 18, 2022 17:33
josephschorr
josephschorr approved these changes Oct 18, 2022
View reviewed changes
Copy link
Member

@josephschorr josephschorr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@vroldanbet vroldanbet merged commit 9d4c6d3 into main Oct 18, 2022
@vroldanbet vroldanbet deleted the add-permission-service-context branch October 18, 2022 17:44
@github-actions github-actions bot locked and limited conversation to collaborators Oct 18, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@josephschorr josephschorr josephschorr approved these changes

Assignees

@vroldanbet vroldanbet

Labels
area/api v1 Affects the v1 API area/caveats Affects caveated relationships area/dependencies Affects dependencies area/tooling Affects the dev or user toolchain (e.g. tests, ci, build tools)
Projects
None yet
Milestone
No milestone
3 participants
@vroldanbet @josephschorr @jzelinskie