Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use PE to implement GetLists #121

Merged
merged 6 commits into from
Jun 17, 2024
Merged

Use PE to implement GetLists #121

merged 6 commits into from
Jun 17, 2024

Conversation

shaobo-he-aws
Copy link
Contributor

Issue #, if available:

Description of changes:

@shaobo-he-aws
Use PE to implement GetLists
fd43075 
Signed-off-by: Shaobo He <shaobohe@amazon.com>
mwhicks1
mwhicks1 requested changes May 20, 2024
View reviewed changes
Copy link
Contributor

@mwhicks1 mwhicks1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to have GetLists restored, as an action.

tinytodo/policies.cedar Outdated Show resolved Hide resolved
tinytodo/src/context.rs Outdated Show resolved Hide resolved
@shaobo-he-aws
Merge remote-tracking branch 'origin/main' into feature/shaobo/pe
ae8e8a2 
Signed-off-by: Shaobo He <shaobohe@amazon.com>
@shaobo-he-aws
cargo fmt
a0131ea 
Signed-off-by: Shaobo He <shaobohe@amazon.com>
@shaobo-he-aws
restored GetLists check
ee4da36 
Signed-off-by: Shaobo He <shaobohe@amazon.com>
@shaobo-he-aws
minor fix
fbd21fa 
Signed-off-by: Shaobo He <shaobohe@amazon.com>
@shaobo-he-aws
Merge remote-tracking branch 'origin/main' into feature/shaobo/pe
21bf560 
Signed-off-by: Shaobo He <shaobohe@amazon.com>
mwhicks1
mwhicks1 approved these changes Jun 17, 2024
View reviewed changes
tinytodo/src/context.rs
Comment on lines +521 to +523
let partial_response =
self.authorizer
.is_authorized_partial(&partial_request, &self.policies, &entities);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe add a comment explain what's going on here, because readers might be confused.

What we are trying to simulate is the following:

  • For all entities L of type List, is_authorized(principal,GET_LIST, L ) ? If so, add to collection

What we are doing here instead is

  • Let res = is_authorized_partial(principal,GET_LIST, unknown ).
  • For all entities L of type List, is res .reauthorize( unknown = L ) ? If so, add to collection

The benefit is that we are partially evaluating some of the policies so the reauthorization requires less work. Even more, we imagine that a future implementation of the entity store can implement the reauthorize logic more directly/efficiently, e.g., as a DB query.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noted. Will fix it in another PR.

@shaobo-he-aws shaobo-he-aws merged commit 327cbaa into main Jun 17, 2024
7 checks passed
@shaobo-he-aws shaobo-he-aws deleted the feature/shaobo/pe branch June 17, 2024 17:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mwhicks1 mwhicks1 mwhicks1 approved these changes

@andrewmwells-amazon andrewmwells-amazon andrewmwells-amazon approved these changes

@aaronjeline aaronjeline Awaiting requested review from aaronjeline

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@shaobo-he-aws @mwhicks1 @andrewmwells-amazon