Add isImplicit boolean flag to check result (#233)

warrant-dev · Oct 7, 2023 · 4e73db3 · 4e73db3
1 parent cb48bac
commit 4e73db3
Show file tree

Hide file tree

Showing 7 changed files with 119 additions and 58 deletions.
diff --git a/pkg/authz/check/service.go b/pkg/authz/check/service.go
@@ -208,15 +208,17 @@ func (svc CheckService) CheckMany(ctx context.Context, authInfo *service.AuthInf
 
 	if warrantCheck.Op == objecttype.InheritIfAllOf {
 		var processingTime int64
+		var isImplicit bool
 		for _, warrantSpec := range warrantCheck.Warrants {
-			match, decisionPath, err := svc.Check(ctx, authInfo, CheckSpec{
+			match, decisionPath, implicit, err := svc.Check(ctx, authInfo, CheckSpec{
 				CheckWarrantSpec: warrantSpec,
 				Debug:            warrantCheck.Debug,
 			})
 			if err != nil {
 				return nil, err
 			}
 
+			isImplicit = isImplicit || implicit
 			if warrantCheck.Debug {
 				checkResult.ProcessingTime = processingTime + time.Since(start).Milliseconds()
 				if len(decisionPath) > 0 {
@@ -238,6 +240,7 @@ func (svc CheckService) CheckMany(ctx context.Context, authInfo *service.AuthInf
 
 				checkResult.Code = http.StatusForbidden
 				checkResult.Result = NotAuthorized
+				checkResult.IsImplicit = false
 				return &checkResult, nil
 			}
 
@@ -249,13 +252,14 @@ func (svc CheckService) CheckMany(ctx context.Context, authInfo *service.AuthInf
 
 		checkResult.Code = http.StatusOK
 		checkResult.Result = Authorized
+		checkResult.IsImplicit = isImplicit
 		return &checkResult, nil
 	}
 
 	if warrantCheck.Op == objecttype.InheritIfAnyOf {
 		var processingTime int64
 		for _, warrantSpec := range warrantCheck.Warrants {
-			match, decisionPath, err := svc.Check(ctx, authInfo, CheckSpec{
+			match, decisionPath, isImplicit, err := svc.Check(ctx, authInfo, CheckSpec{
 				CheckWarrantSpec: warrantSpec,
 				Debug:            warrantCheck.Debug,
 			})
@@ -284,6 +288,7 @@ func (svc CheckService) CheckMany(ctx context.Context, authInfo *service.AuthInf
 
 				checkResult.Code = http.StatusOK
 				checkResult.Result = Authorized
+				checkResult.IsImplicit = isImplicit
 				return &checkResult, nil
 			}
 
@@ -297,6 +302,7 @@ func (svc CheckService) CheckMany(ctx context.Context, authInfo *service.AuthInf
 
 		checkResult.Code = http.StatusForbidden
 		checkResult.Result = NotAuthorized
+		checkResult.IsImplicit = false
 		return &checkResult, nil
 	}
 
@@ -305,7 +311,7 @@ func (svc CheckService) CheckMany(ctx context.Context, authInfo *service.AuthInf
 	}
 
 	warrantSpec := warrantCheck.Warrants[0]
-	match, decisionPath, err := svc.Check(ctx, authInfo, CheckSpec{
+	match, decisionPath, isImplicit, err := svc.Check(ctx, authInfo, CheckSpec{
 		CheckWarrantSpec: warrantSpec,
 		Debug:            warrantCheck.Debug,
 	})
@@ -334,6 +340,7 @@ func (svc CheckService) CheckMany(ctx context.Context, authInfo *service.AuthInf
 
 		checkResult.Code = http.StatusOK
 		checkResult.Result = Authorized
+		checkResult.IsImplicit = isImplicit
 		return &checkResult, nil
 	}
 
@@ -344,11 +351,12 @@ func (svc CheckService) CheckMany(ctx context.Context, authInfo *service.AuthInf
 
 	checkResult.Code = http.StatusForbidden
 	checkResult.Result = NotAuthorized
+	checkResult.IsImplicit = false
 	return &checkResult, nil
 }
 
 // Check returns true if the subject has a warrant (explicitly or implicitly) for given objectType:objectId#relation and context.
-func (svc CheckService) Check(ctx context.Context, authInfo *service.AuthInfo, warrantCheck CheckSpec) (bool, []warrant.WarrantSpec, error) {
+func (svc CheckService) Check(ctx context.Context, authInfo *service.AuthInfo, warrantCheck CheckSpec) (bool, []warrant.WarrantSpec, bool, error) {
 	// Used to automatically append tenant context for session token w/ tenantId checks
 	if authInfo != nil && authInfo.TenantId != "" {
 		if warrantCheck.CheckWarrantSpec.Context == nil {
@@ -365,7 +373,7 @@ func (svc CheckService) Check(ctx context.Context, authInfo *service.AuthInfo, w
 
 	checkCtx, err := svc.CreateCheckContext(ctx)
 	if err != nil {
-		return false, nil, err
+		return false, nil, false, err
 	}
 	childCtx, cancelFunc := context.WithTimeout(checkCtx, svc.CheckConfig.Timeout)
 	defer cancelFunc()
@@ -377,14 +385,14 @@ func (svc CheckService) Check(ctx context.Context, authInfo *service.AuthInfo, w
 	result := <-resultsC
 
 	if result.Err != nil {
-		return false, nil, result.Err
+		return false, nil, false, result.Err
 	}
 
 	if result.Matched {
-		return true, result.DecisionPath, nil
+		return true, result.DecisionPath, len(result.DecisionPath) != 1 || result.DecisionPath[0].Relation != warrantCheck.Relation, nil
 	}
 
-	return false, nil, nil
+	return false, nil, false, nil
 }
 
 type result struct {

diff --git a/pkg/authz/check/spec.go b/pkg/authz/check/spec.go
@@ -128,6 +128,7 @@ func (spec SessionCheckManySpec) ToMap() map[string]interface{} {
 type CheckResultSpec struct {
 	Code           int64                            `json:"code,omitempty"`
 	Result         string                           `json:"result"`
+	IsImplicit     bool                             `json:"isImplicit"`
 	ProcessingTime int64                            `json:"processingTime,omitempty"`
 	DecisionPath   map[string][]warrant.WarrantSpec `json:"decisionPath,omitempty"`
 }
diff --git a/tests/authz-policy.json b/tests/authz-policy.json
@@ -202,7 +202,8 @@
                 "statusCode": 200,
                 "body": {
                     "code": 200,
-                    "result": "Authorized"
+                    "result": "Authorized",
+                    "isImplicit": false
                 }
             }
         },
@@ -232,7 +233,8 @@
                 "statusCode": 200,
                 "body": {
                     "code": 403,
-                    "result": "Not Authorized"
+                    "result": "Not Authorized",
+                    "isImplicit": false
                 }
             }
         },
@@ -366,7 +368,8 @@
                 "statusCode": 200,
                 "body": {
                     "code": 200,
-                    "result": "Authorized"
+                    "result": "Authorized",
+                    "isImplicit": false
                 }
             }
         },
@@ -396,7 +399,8 @@
                 "statusCode": 200,
                 "body": {
                     "code": 403,
-                    "result": "Not Authorized"
+                    "result": "Not Authorized",
+                    "isImplicit": false
                 }
             }
         },
@@ -479,7 +483,8 @@
                 "statusCode": 200,
                 "body": {
                     "code": 200,
-                    "result": "Authorized"
+                    "result": "Authorized",
+                    "isImplicit": false
                 }
             }
         },
@@ -512,7 +517,8 @@
                 "statusCode": 200,
                 "body": {
                     "code": 403,
-                    "result": "Not Authorized"
+                    "result": "Not Authorized",
+                    "isImplicit": false
                 }
             }
         },
@@ -637,7 +643,8 @@
                 "statusCode": 200,
                 "body": {
                     "code": 200,
-                    "result": "Authorized"
+                    "result": "Authorized",
+                    "isImplicit": false
                 }
             }
         },
@@ -680,7 +687,8 @@
                 "statusCode": 200,
                 "body": {
                     "code": 403,
-                    "result": "Not Authorized"
+                    "result": "Not Authorized",
+                    "isImplicit": false
                 }
             }
         },
@@ -707,7 +715,8 @@
                 "statusCode": 200,
                 "body": {
                     "code": 403,
-                    "result": "Not Authorized"
+                    "result": "Not Authorized",
+                    "isImplicit": false
                 }
             }
         },