
Admin UI authorization using Cedar Policy

Arnab Dutta edited this page Oct 9, 2024 · 16 revisions

Command

# Evaluates the request in test.json against the two templates in policies.cedar,
# the template links in `linked` (-k), the schema (given in Cedar, not JSON,
# format) and the entity store in entities.json.
cedar authorize --policies policies.cedar -k linked --schema policies.cedarschema --schema-format cedar --entities entities.json --request-json test.json

Policy templates (policies.cedar)

// Template "ViewFeature": ?principal and ?resource are bound per entry in the
// linked file (e.g. User::"John" -> Feature::"oidc_client_view").
// NOTE(review): `action` is left unconstrained, so a link created from this
// template allows Read, Write and Delete alike on the linked Feature; add
// `action == Action::"Read"` to the scope if "View" is meant to be read-only.
@id("ViewFeature")
permit(
    principal == ?principal,
    action,
    resource == ?resource
) 
when {
  // Superset check: every permission string the Feature requires must be
  // present in the principal's rolePermissionsMap.permission set.
  principal.rolePermissionsMap.permission.containsAll(resource.permission)
};


// Template "EditFeature": the body is identical to ViewFeature — nothing here
// limits the action to Write or Delete. With `action` unconstrained, the link
// decides which Feature and the `when` clause decides by permissions alone.
// In the linked file this template is bound to User::"Ahmad" on
// Feature::"oidc_client_view" under the link id "EditOIDCClientJohn".
// NOTE(review): consider `action in [Action::"Write", Action::"Delete"]` in
// the scope so the template name matches what it permits.
@id("EditFeature")
permit(
    principal == ?principal,
    action,
    resource == ?resource
) 
when {
  // Superset check: every permission string the Feature requires must be
  // present in the principal's rolePermissionsMap.permission set.
  principal.rolePermissionsMap.permission.containsAll(resource.permission)
};

Template links (linked)

[
    {
        "template_id": "ViewFeature",
        "link_id": "ViewOIDCClientJohn",
        "args": {
            "?principal": "User::\"John\"",
            "?resource": "Feature::\"oidc_client_view\""
        }
    },
    {
        "template_id": "EditFeature",
        "link_id": "EditOIDCClientJohn",
        "args": {
            "?principal": "User::\"Ahmad\"",
            "?resource": "Feature::\"oidc_client_view\""
        }
    }
]

Entities (entities.json)

[
    {
        "uid": { "type": "User", "id": "John" },
        "attrs": {
            "rolePermissionsMap":  {
                "role": ["api-viewer"],
                "permission": ["https://jans.io/oauth/config/openid/clients.readonly", "https://jans.io/oauth/config/scopes.readonly"]
            },
            "username": "John",
            "sub": "dsghsaAJ232345943572348643hadhasdklsa"
        },
        "parents": []
    },
    {
        "uid": { "type": "User", "id": "Ahmad"},
        "attrs" : {
             "rolePermissionsMap":  {
                "role": ["api-admin"],
                "permission": ["https://jans.io/oauth/config/openid/clients.readonly",
                "https://jans.io/oauth/config/openid/clients.write",
                "https://jans.io/oauth/config/openid/clients.delete",
                "https://jans.io/oauth/config/scopes.readonly",
                "https://jans.io/oauth/config/scopes.write",
                "https://jans.io/oauth/config/scopes.delete"]
            },
             "username": "ahmad",
             "sub": "dsghsaAJ232345943572348643hadhasdklsad"
        },
        "parents": []
    },
    {
        "uid": { "type": "Feature", "id": "oidc_client_view"},
        "attrs" : {
             "permission": [
                "https://jans.io/oauth/config/openid/clients.readonly"
             ]
        },
        "parents": []
    },
    {
        "uid": { "type": "Feature", "id": "oidc_client_edit"},
        "attrs" : {
             "permission": [
                "https://jans.io/oauth/config/openid/clients.write"
              ]             
        },
        "parents": []
    },
    {
        "uid": { "type": "Feature", "id": "oidc_client_delete"},
        "attrs" : {
             "permission": [
                "https://jans.io/oauth/config/openid/clients.delete"
             ]
        },
        "parents": []
    },
    {
        "uid": { "type": "Feature", "id": "scope_view"},
        "attrs" : {
             "permission": [
                "https://jans.io/oauth/config/scopes.readonly"
             ]
        },
        "parents": []
    },
    {
        "uid": { "type": "Feature", "id": "scope_edit"},
        "attrs" : {
             "permission": [
                "https://jans.io/oauth/config/scopes.write"
              ]             
        },
        "parents": []
    },
    {
        "uid": { "type": "Feature", "id": "scope_delete"},
        "attrs" : {
             "permission": [
                "https://jans.io/oauth/config/scopes.delete"
             ]
        },
        "parents": []
    }
]

Schema (policies.cedarschema)

// Attribute record carried by each User: the role names and the flat set of
// permission strings those roles grant. The policies in policies.cedar only
// consult `permission` (via containsAll); `role` is informational here.
type RolePermissionsMap = {
  role: Set<String>,
  permission: Set<String>
};

// Role is declared as a possible parent of User, but the sample entities.json
// gives every User `"parents": []`, so group membership is never exercised;
// authorization relies on the rolePermissionsMap attribute instead.
entity Role;
entity User in [Role] {
    sub: String,
    username: String,
    rolePermissionsMap: RolePermissionsMap,
};

// A protected Admin UI feature. `permission` is the full set a principal must
// hold (see containsAll in policies.cedar); each sample Feature in
// entities.json carries exactly one permission URI.
entity Feature= {
    permission: Set<String>,
};

// NOTE(review): Context is declared but no action below references it (there is
// no `context:` in any appliesTo), so the validator never checks these
// attributes and the sample requests pass `"context":{ }`. Attach it to the
// actions (`context: Context`) before relying on network or device checks.
type Context = {
        network: ipaddr,
        network_type: String,
        user_agent: String, 
        operating_system: String,
        device_health: Set<String>,
        current_time: Long,
        geolocation: Set<String>,
        fraud_indicators: Set<String>,
};



// Actions requested by the Admin UI. Read, Write and Delete share the same
// shape; note that policies.cedar leaves `action` unconstrained, so this split
// is not enforced by the templates as written. `Role` is listed as a principal
// type, but the sample links only bind User principals.
    action Read appliesTo {
        principal: [User, Role],
        resource: Feature
    };
    action Write appliesTo {
        principal: [User, Role],
        resource: Feature
    };
    action Delete appliesTo {
        principal: [User, Role],
        resource: Feature
    };

Requests (test.json)

// ALLOW: link "ViewOIDCClientJohn" binds John to oidc_client_view, and John's
// permission set contains the single URI that Feature requires.
{
    "principal":"User::\"John\"",
    "action":"Action::\"Read\"",
    "resource":"Feature::\"oidc_client_view\"",
    "context":{ }
}

// DENY: no link binds John to oidc_client_edit, and John's permission set does
// not contain the clients.write URI that Feature requires, so no permit fires.
{
    "principal":"User::\"John\"",
    "action":"Action::\"Write\"",
    "resource":"Feature::\"oidc_client_edit\"",
    "context":{ }
}