Detect if rule exists and run it

[chippyash]

I'm in the process of trying to create an RBAC policy interpreter. Part of this is that a permission can have an additional assertion attached to it. In the rule processing I want to be able to detect if a rule that is named in the policy definition exists, and if it does, then evaluate it. Some code for context:

rbac00005roles.json

{
  "user_roles": {
    "alice": [
      "admin"
    ],
    "bob": [
      "service"
    ],
    "dave": [
      "guest"
    ]
  }
}

rbac00005permissions.json

{
    "role_permissions": {
        "admin": [
            {
                "action": "*",
                "resource": "portal:*"
            }
        ],
        "guest": [],
        "service": [
            {
                "action": "enroll",
                "resource": "portal:customer",
                "assertion": "loc_is_london"
            },
            {
                "action": "status-change",
                "resource": "portal:user"
            },
            {
                "action": "reset-password",
                "resource": "portal:user"
            }
        ]
    }
}

rbac00005rules.rego

package rbac00005.authz

import rego.v1

files = ["./data/rbac00005permissions.json", "./data/rbac00005roles.json"]
import data.role_permissions
import data.user_roles

# logic that implements RBAC.
default allow := false
allow if {
    # split the permission
    perm_parts := split(input.permission, ":")
    # parse the action
    action := perm_parts[2]
    # parse the resource
    resource := concat(":", array.slice(perm_parts,0,2))

    # lookup the list of roles for the user
    roles := user_roles[input.user]
    # for each role in that list
    some r in roles
        # lookup the permissions list for role r
        permissions := role_permissions[r]
        # for each permission
        some p in permissions
            # check if the permission granted to r matches the user's request
            glob.match(p.resource, [], resource)
            glob.match(p.action, [], action)
            assertion(p.assertion)
}

assertion(assert) if {
    assert == ""
#    assert.test()
}

loc_is_london if {
	input.location == "London"
}

the assertion rule should evaluate as true if the assert parameter == "" else check if the rule named by assert exists, return false if it doesn't else evaluate the rule. I've looked through the docs but cannot find anything that will allow me to do it. In Pseudo Code it would be

if assert == "" 
   return true
else
    if method_exists(assert) 
        return call_method(assert)
    else
        msg.append("required method "+ assert + " does not exist")
        return false
    endif
endif

Is this possible in OPA?

[johanfylling]

You can use dynamic policy composition, as explained here to dynamically refer to rules in your policy.
E.g.:

package play

import rego.v1

allow if {
	assertions[input.assertion]
}

assertions.foo if {
	input.x == 1
}

assertions.bar if {
	input.x == 2
}

Playground link

[chippyash]

Hi @johanfylling. I've put an example using you suggestion at https://play.openpolicyagent.org/p/YdG3o1fixW

Using

{
  "user": "bob",
  "permission": "portal:customer:enroll",
  "location": "London"
}

I get the correct answer

However, using

{
  "user": "alice",
  "permission": "portal:customer:enroll",
  "location": "London"
}

I get the wrong answer. alice is an admin user and should be able to carry out any action on the 'portal:*' resource.

Any help appreciated.

[johanfylling]

There is no assertion attribute on the admin role. This makes the assertions[p.assertion] statement fail, as p.assertion is undefined. You can solve this a number of ways; like adding an assertion to the admin role that is always true, or by wrapping the assertions[*] call in a function that handles this scenario.

E.g.;

assert(p) if {
	not p.assertion
} else if {
	assertions[p.assertion]
}

and then call assert(p) in your allow rule.

https://play.openpolicyagent.org/p/E0WY4deUGc

[chippyash]

Thanks for that. Appreciated.