Admins should have a playground to test a Subject against a Subject Condition Set #77
Comments
jrschumacher
pushed a commit
that referenced
this issue
Mar 28, 2024
Adds CRUD for subject condition sets, with the JSON relation of `[]*policy.SubjectSets` passed via a string flag or found in a `.json` file with the filepath/name provided in a flag on CREATE, and validation that only one is provided at once. On UPDATE, only a JSON string is allowed. There is an open `pflags` issue (since 2022) which is the library under Cobra's flags implementation which affects the Subject Condition Sets (SCSs) flag API: spf13/pflag#370. Unfortunately, this issue means we cannot allow a slice of individual SCSs passed via CLI as we do with `--label` where each individual label passed with `--label` populates a `[]string` of all `labels`. In this case, if we attempt `--subject-set <single subject set json>` to populate a `[]string` where each index is a JSON string for a single SCS, we get an error `flag: parse error on line 1, column 3: bare " in non-quoted-field`. Because of this, we must expect all SCSs being created via JSON in the CLI to already be joined into the single array and passed as a single string flag `--subject-sets <json array of all subject sets in the SCS>`. There is already support added in this PR for reading from a JSON file to create the SCS, and any time there is JSON in the CLI it is likely it will be added via script instead of manually. See [new issue](#77) around admin UX of testing Subject Condition Sets before creating. > [!NOTE] > This PR was going to introduce reading Subject Sets from a YAML file as well, but yaml struct tags are not generated in the proto-built types. If this is needed, it should be discussed further and separately how the platform could expose YAML tags so consumers do not reimplement them repeatedly and potentially mistakenly. Perhaps a [new proto plugin](https://github.com/srikrsna/protoc-gen-gotag) could be utilized.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This issue is WIP.
Background
There is a desire to support multiple sources of truth to associate a Subject (user, PE, NPE) via Subject Condition Sets (SCS) and their Subject Mappings (SM) to Attribute Values on data resources. These may look like:
When admins are creating Subject Condition Sets and their mappings to values, they should have a playground to test that with: a) a test input of any of those sources of external Subject context (as they are supported) and b) a test Subject Condition Set, there is a logical match of the SCS for the Subject. For example:
Example playground test "match/no match" scenarios:
This is distinct from an access decision playground like ABACUS because it would be isolated to testing any dynamic idP plugins, any selector syntax in the
subject_external_fields in the SCS, and any AND/OR/IN/NOT_IN logical matching within the SCS. A playground like ABACUS tests one level higher where a Subject's matched attribute values are already resolved through the mappings and the test is pairing Data attributes with Subject attributes to make a decision. It is likely this playground could exist within the higher level playground to e2e test Subject -> SCS/SM -> attribute values -> + data attributes -> access decision, but it should also exist and be able to be run independently.The text was updated successfully, but these errors were encountered: