The query planner fails if a known resource attribute is an index into a struct

[dbuduev]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

apiVersion: api.cerbos.dev/v1
variables: 
  location_roles: P.attr.roles[R.attr.location_id]
derivedRoles:
  name: my_roles
  definitions:
    - name: global_admin
      parentRoles:
        - user
      condition:
        match:
          expr: ("Global Admin" in V.location_roles)

Log:

{"log.level":"info","@timestamp":"2022-11-07T23:34:00.201Z","log.logger":"cerbos.payload","message":"server request payload logged as grpc.request.content field","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"PlanResources","peer.address":"127.0.0.1:52082","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"grpc.request.content":{"msg":{"action":"entry:read","principal":{"id":"1","policyVersion":"default","roles":["user"],"attr":{"employee_id":"123","permissions":{"1":["entry.read_all"]},"roles":{"1":["Employee"]}}},"resource":{"kind":"entry","attr":{"location_id":"1"},"policyVersion":"default"},"includeMeta":true}}}
{"log.level":"error","@timestamp":"2022-11-07T23:34:00.203Z","log.logger":"cerbos.grpc","message":"Resources query plan request failed","grpc.start_time":"2022-11-07T23:34:00Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"PlanResources","peer.address":"127.0.0.1:52082","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"cerbos":{"call_id":"01GHA734RAWRPKZD2E4NGASBH1"},"error":"error evaluating condition \"(\\\"Employee\\\" in V.location_roles)\": invalid qualifier type: *structpb.Value"}
{"log.level":"error","@timestamp":"2022-11-07T23:34:00.203Z","log.logger":"cerbos.grpc","message":"Handled request","grpc.start_time":"2022-11-07T23:34:00Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"PlanResources","cerbos":{"call_id":"01GHA734RAWRPKZD2E4NGASBH1"},"peer.address":"127.0.0.1:52082","http":{"x_forwarded_for":["172.17.0.1"],"x_forwarded_host":["localhost:3592"]},"error":"rpc error: code = Internal desc = Resources query plan request failed","grpc.code":"Internal","grpc.time_ms":2.047}

[dbuduev]

This was reported in the community channel. The query planner seems to work as expected in v0.22.0.

[owen-c]

Assuming the playground is running 0.22.0, here is a repro case

curl https://demo-pdp.cerbos.cloud/api/plan/resources \
  --header 'Playground-Instance: udGsUA8636a8c56QIjsKz0zGdgh9viK7' \
  --header 'Content-Type: application/json' \
  --data '{
    "principal": {
      "id": "user@example.com",
      "roles": [
        "user"
      ],
      "attr": {
        "roles": {
          "1": ["Global Admin"]
        }
      }
    },
    "resource": {
      "kind": "entry",
      "attr": {
        "location_id": "1"
      }
    },
    "action": "entry:read"
  }'

[alexolivier]

From the PDP logs

error: "error evaluating condition "(\"Global Admin\" in V.location_roles)": invalid qualifier type: *structpb.Value"

[owen-c]

Yep that is the error I was getting

[alexolivier]

Thanks for confirming and the repro - we will look into it now