[WIP] Resource yaml based rbac

[speza]

Massive WIP.

Description TBD.

Todo:

• Refinement
• Proper testing
• Cache eviction
• UI (another branch/PR maybe?)

[Skarlso]

First glance comments. I'll have to do another rounds for a deeper inspection. These are surface remarks for now. :) Generally, I saw what I expect I would see mostly, things I think are missing yet right? Like calling the cache eviction and the likes. Unless my glance missed that :)

[Skarlso]

If this could potentially be nil inside the interface, this check will not be enough.

You'll have to also check the value in the interface to be nil or not using reflection.

if policyClaims == nil || reflect.ValueOf(policyClaims).IsNil() {

[Skarlso]

Do a type assert here on []interface{} to make sure it doesn't throw a type exception.

[Skarlso]

same here

[Skarlso]

In this case, I'd prefer a named return value for clarity. But I'll leave it up to you. :)

[Skarlso]

Please sort the includes according to ( in all other files too ):

1. stdlib
   empty line
2. outside libraries
   empty line
3. external gaia libraries
   empty line
4. internal gaia libraries.

[speza]

Just need to sort my fmt out, np :)

[speza]

@Skarlso are you doing these manually or using a formatter?

[Skarlso]

By hand, I'm afraid. 😁

[Skarlso]

Since we know that these will be string values, I think this cache doesn't need to be interface valued, right? Unless I'm missing something and there could be other types values?

[speza]

I thought the cache could be generic enough that we could reuse if required?

[Skarlso]

we'll alter it when we get there I think. :) We might never reuse it. :)

If we would, it's very easy to change it to interface.

[speza]

Sure thing 👍

[Skarlso]

Why are these exported?

[Skarlso]

Do check for errors here though... If the policy doesn't exists, this should throw some kind of warning.

[Skarlso]

We should refactor this O(n^3)... :))) This should be very quick considering this will happen for every request.

[speza]

Yeah agreed! This was the first basic impl. Now I have some passing tests I will refactor it for sure,

[speza]

First glance comments. I'll have to do another rounds for a deeper inspection. These are surface remarks for now. :) Generally, I saw what I expect I would see mostly, things I think are missing yet right? Like calling the cache eviction and the likes. Unless my glance missed that :)

Yep, correct mate. This was a rough PR that is definitely not ready. I just wanted some thoughts before I carried on. Its suprsingly a lot of code to get this system in! Especially to then refine it. I'd usually do this sort of work in many multiple PRs!

I left a short list of the required work still:

• Code refinement
• Testing
• Cache eviction and update when a resource has been modified
• UI (another branch/PR maybe?)
• Think about how we handle default policies for existing users...

[Skarlso]

@speza Quick question. Did we ever consider using Casbin with echo: https://echo.labstack.com/middleware/casbin-auth

[Skarlso]

casbin and it's configration based role set + middleware actually looks kind of interesting....
https://casbin.org/docs/en/syntax-for-models

[speza]

Hmm @Skarlso. I do remember seeing this in the past. Not for Gaia though. I wonder if this seemed a little heavy weight... but arguably we’re heading towards this now.

[Skarlso]

I have some general comments for now and one question regarding the rbac stuff. What do you think?

[Skarlso]

Suggested change

	if _, ok := policyClaims.(map[string]interface{}); !ok {
	return nil, errors.New("policyClaims is not correct type")
	}
	return policyClaims.(map[string]interface{}), nil
	v, ok := policyClaims.(map[string]interface{})
	if !ok {
	return nil, errors.New("policyClaims is not correct type")
	}
	return v, nil

[Skarlso]

So, I don't think we need this here. You can register a high level rbac middleware and that should just get what resources and actions are available from the rbac policy based on the URI that the middleware gets.

There could be another yaml mapping providing this information. That way, we can change things on the fly and there won't be any need for rebuilding.

What do you think?

[speza]

Let me have a think mate. I did something similar, albeit structs instead of YAML with the old system.

[Skarlso]

Handlers in here should be pointer receivers.

[Skarlso]

This is just style, but I would prefer to bail out early if !ok and continue otherwise.

ctx, ok := c.(AuthContext)
if ! ok {
    return c.String(http.StatusInternalServerError, "An error has occurred.")
}
.... rest of the things with `ctx`.

[speza]

Completely agree. I would usually do this 👍🏻

[Skarlso]

I don't think this will work the way you think it would. Make it look something like this...

First, have something like Run on cache. With a * function receiver. And there, do this:

	for {
                 c.EvictExpired()

		select {
		case <-time.After(15 * time.Minute):
			// Continue
		}
	}

This will now properly block and wait. And once you return the pointer to cache it will still have a context. So later on, when we want to cancel it for whatever reason, we can do something like this:

	for {
                 c.EvictExpired()

		select {
		case <-time.After(15 * time.Minute):
			// Continue
		case <-ctx.Done():
			// Context canceled
			return
		}
	}

[speza]

Will take a look. Still getting my head around channels and goroutines!

[Skarlso]

Please reverse the order to follow sequential reading.

This is probably okay, but first, throws off the reader, second, it's actually risky as in, if there is another defer, and the lock fails with inconsistent mutex state for some reason, you call defer unlock which will case further problems. So, lock then defer unlock please. :)

[speza]

Agree here. I think this was just a mistake on my part!

[Skarlso]

If the resource is empty it's all resources? I would think if the resource is empty, we shouldn't automatically allow all. * should be something very explicit. If new resources are defined, that means nothing is allowed.

[speza]

Yep, this was just temporary. I hadn’t got to implementing proper resource authentication yet mate 👍🏻 Was just to unblock testing on!

[Skarlso]

*fro -> for
O(n2) -> O(n^2)

[hsluoyz]

Hmm @Skarlso. I do remember seeing this in the past. Not for Gaia though. I wonder if this seemed a little heavy weight... but arguably we’re heading towards this now.

@Skarlso @speza Hi guys! I'm Casbin author. I looked through the committed files. And it seems Casbin has already got all functionalities you need. Casbin only has 1 dependency (the evaluator) so it isn't very "heavy" in my sense. Of course, Casbin's code is complex than this PR's code but its correctness is proved by hundreds of test cases in the CI and production use of many companies. But your customized authz code may contain bugs and it's not easy to find them all via code review only. If one bug is not found here, maybe it will be a severe security vulnerability. If we can switch to using Casbin, we are very happy to solve your issues using it and then you can concentrate on your main directions instead of authz.

[Skarlso]

@hsluoyz Hi!

Absolutely awesome from you to reach out to us. :)

Let us formulate an answer for you and we'll see if you can help out with that or maybe we misunderstood something about Casbin that you could clarify. :)

[speza]

Yeah thanks for reaching out @hsluoyz!

I will try and remember my reasons for thinking Casbin was heavy. I definitely think the code I have written here isn’t particularly simple anymore to be honest, and also 100% not a fan of not reinventing the wheel that’s for sure.