feat(jans-cedarling): Support JSON logic for principal boolean operations #10590

rmarinn opened this issue Jan 10, 2025 · 0 comments
Labels
comp-jans-cedarling Touching folder /jans-cedarling enhancement kind-feature Issue or PR is a new feature request
rmarinn commented Jan 10, 2025

Is your feature request related to a problem? Please describe.

The current CEDARLING_USER_WORKLOAD_BOOLEAN_OPERATION bootstrap property is restrictive, allowing only basic AND or OR operations to combine the results of multiple principals. This limitation prevents the implementation of more complex decision-making logic or the inclusion of additional custom principals.

Describe the solution you'd like

Replace the CEDARLING_USER_WORKLOAD_BOOLEAN_OPERATION property with a new CEDARLING_PRINCIPAL_BOOLEAN_OPERATION property that accepts a JSON Logic expression. This enhancement would enable users to define more flexible and complex logic for combining principal results.

Examples

  1. Current AND in JSON Logic:
{
    "and" : [
        {"==": [{"var": "Jans::Workload"}, "ALLOW"]},
        {"==": [{"var": "Jans::User"}, "ALLOW"]}
    ] 
}
  2. Current OR in JSON Logic:
{
    "or" : [
        {"==": [{"var": "Jans::Workload"}, "ALLOW"]},
        {"==": [{"var": "Jans::User"}, "ALLOW"]}
    ] 
}
  3. Complex Decision Tree Example: An ALLOW decision is returned only if either the Jans::Workload or Jans::User principal is allowed, and a custom principal (Another::Custom) is also allowed:
{
    "and" : [
        {"or": [
            {"==": [{"var": "Jans::Workload"}, "ALLOW"]},
            {"==": [{"var": "Jans::User"}, "ALLOW"]}
        ]},
        {"==": [{"var": "Another::Custom"}, "ALLOW"]}
    ] 
}

JSON Logic for Rust

There are multiple crates that we can try and use to parse the JSON logic:

It also seems like jsonlogic isn't really being maintained anymore.

Describe alternatives you've considered

N/A

Additional context

To explore and test JSON Logic expressions, visit: https://jsonlogic.com/play.html

Example Rule:

{
    "and" : [
        {"==": [{"var": "Jans::Workload"}, "ALLOW" ] },
        {"==": [{"var": "Jans::User"}, "ALLOW" ] }
    ] 
}

Example data:

{
    "Jans::User" : "ALLOW",
    "Jans::Workload" : "ALLOW"
}
@rmarinn rmarinn assigned moabu and unassigned moabu Jan 10, 2025
@mo-auto mo-auto added comp-jans-cedarling Touching folder /jans-cedarling kind-feature Issue or PR is a new feature request labels Jan 10, 2025
@moabu moabu added this to the next release milestone Jan 13, 2025
@nynymike nynymike changed the title feat(jans-cedarling): support JSON logic for principal boolean operations feat(jans-cedarling): Support JSON logic for principal boolean operations Jan 20, 2025
@moabu moabu modified the milestones: 1.3.0, next-release Jan 21, 2025
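The following is an added example, not code from the issue author or the Janssen project: a small Python evaluator for the JSON Logic subset used in the rules above (`and`, `or`, `==`, `var`), showing how the proposed expression could be evaluated so that it fails closed. The names `evaluate`, `decide` and `RuleError` are hypothetical, and two choices are assumptions rather than standard JSON Logic behaviour: `==` is a strict comparison, and `and`/`or` evaluate every operand instead of short-circuiting so that a malformed branch is always rejected.

```python
import json

ALLOWED_OPS = {"and", "or", "==", "var"}  # subset used by the rules on this page

class RuleError(ValueError):
    """The rule uses something outside the supported subset."""

def evaluate(node, decisions):
    """Evaluate one JSON Logic node against {principal name: decision string}."""
    if isinstance(node, str):
        return node  # string literal such as "ALLOW"
    if not (isinstance(node, dict) and len(node) == 1):
        raise RuleError(f"unsupported node: {node!r}")
    (op, args), = node.items()
    if op not in ALLOWED_OPS:
        raise RuleError(f"operator not permitted: {op!r}")
    if op == "var":
        if not isinstance(args, str):
            raise RuleError("var expects a principal name")
        return decisions.get(args)  # absent principal -> None, never "ALLOW"
    if not isinstance(args, list) or not args:
        raise RuleError(f"{op!r} needs a non-empty argument list")  # all([]) would allow
    values = [evaluate(a, decisions) for a in args]  # no short-circuit on purpose
    if op == "==":
        if len(values) != 2:
            raise RuleError("'==' takes exactly two operands")
        return values[0] is not None and values[0] == values[1]
    if not all(isinstance(v, bool) for v in values):
        raise RuleError(f"{op!r} operands must be comparisons or and/or")
    return all(values) if op == "and" else any(values)

def decide(rule_json, decisions):
    """Return "ALLOW" only when the whole rule evaluates to True."""
    return "ALLOW" if evaluate(json.loads(rule_json), decisions) is True else "DENY"

# Third rule from the issue: (Workload OR User) AND Another::Custom.
COMPLEX_RULE = """
{"and": [
    {"or": [
        {"==": [{"var": "Jans::Workload"}, "ALLOW"]},
        {"==": [{"var": "Jans::User"}, "ALLOW"]}
    ]},
    {"==": [{"var": "Another::Custom"}, "ALLOW"]}
]}
"""

if __name__ == "__main__":
    # Constructed input: the custom principal produced no decision at all.
    print(decide(COMPLEX_RULE, {"Jans::Workload": "ALLOW", "Jans::User": "DENY"}))
```

A principal named in the rule but absent from the decision map compares unequal to "ALLOW", so the rule denies instead of silently skipping that principal.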