treat cycles as falsy outcome in intersection and exclusion CheckFuncReducers #1372
Conversation
There was a problem hiding this comment.
I would caution against ignoring errors in Check. We did the same mistake in ListRelations in the SDK and been wanting to revert since then.
You are assuming all checks are of the form:
can user:anne read document 1?
Which implies if we cannot say that Anne can read, it implies that Anne cannot.
But this is not the only possibility. For example, a check may be on a relation with negative connotations, for example:
is user:anne blocked from document 1?
Now imagine someone calling FGA from a different context (e.g. OPA), so FGA is functioning as an information point instead of a decision point. In OPA the policy might be:
Anne can access the document, if it is tagged "marketing" and "published" and not blocked in FGA
By us returning false, we are indicating that we know 100% that anne is not blocked, so OPA will assume that and the user will be granted access.
indeterimite answers (such as errors) should be ignored ONLY if another path 100% guarantees a determinate answer, for example (true or error is always true, and false AND error is always false), because no matter what the value of error is, we know the final outcome.
For the full cases where error can be ignored:
true OR true = true
true OR false = true
true OR error = true # error can be ignored
false OR true = true
false OR false = false
false OR error = error # error CANNOT be ignored
error OR error = error # error CANNOT be ignored
true AND true = true
true AND false = false
true AND error = error # error CANNOT be ignored
false AND true = false
false AND false = false
false AND error = false # error can be ignored
error AND error = error # error cannot be ignored
true BUT NOT true = false
true BUT NOT false = true
true BUT NOT error = error # error CANNOT be ignored
false BUT NOT true = false
false BUT NOT false = false
false BUT NOT error = false # error can be ignored
error BUT NOT error = error # error CANNOT be ignored
|
@rhamzeh This is not ignoring all errors but effectively considering |
Co-authored-by: Maria Ines Parnisari <maria.inesparnisari@okta.com>
jon-whit
deleted the
adjust-and-test-intersection-and-exclusion-reducers
branch
Description
The changes in this PR adjust the intersection and exclusion CheckFuncReducers to treat a loopback cycle effectively as
{allowed: false}. The idea being that if you could have resolved something in the resolution path then you would have, otherwise you can return{allowed: false}explicitly.ErrCycleDetectedis not an error that should be considered a critical error like transient errors and/orErrResolutionDepthExceeded. It should be considered the same as a falsy result because it signals that a resolution branch was exhausted without any explicitly truthy or falsy outcome. Treating this error in this specific way within the intersection and exclusion reducers will result in more correct and fault-tolerant Check resolution.I've also added some tests for the intersection and exclusion reducers so that this behavior is more apparent in the future as well. The tests I added also include behavior around context cancellation, so that will help us avoid accidentally introducing regression in cancellation of in-progress subproblem resolution.
References
Related to #1371
Review Checklist
main