@kolotaev Wanted to propose a couple of features which can enhance the usability and power of the project.
- Have a user-friendly JSON schema for marshaling the policy objects. Currently, the jsonpickle package is being used to load and convert policies from JSON. However, this serializer inserts `py/object` fields to keep track of the classes for de-serialization. As an example, the policy
```python
import uuid
import vakt
from vakt.rules import Eq, StartsWith, Any, And, Greater, Less

vakt.Policy(
    str(uuid.uuid4()),
    actions=[Eq('fork'), Eq('clone')],
    resources=[StartsWith('repos/Google', ci=True)],
    subjects=[{'name': Any(), 'stars': And(Greater(50), Less(999))}],
    effect=vakt.ALLOW_ACCESS,
    context={'referer': Eq('https://github.com')},
    description="""
    Allow to fork or clone any Google repository for
    users that have > 50 and < 999 stars and came from Github
    """
)
```
has the following JSON form:
```json
{
    "actions": [
        {
            "py/object": "vakt.rules.operator.Eq",
            "val": "fork"
        },
        {
            "py/object": "vakt.rules.operator.Eq",
            "val": "clone"
        }
    ],
    "context": {
        "referer": {
            "py/object": "vakt.rules.operator.Eq",
            "val": "https://github.com"
        }
    },
    "description": "\n    Allow to fork or clone any Google repository for\n    users that have > 50 and < 999 stars and came from Github\n    ",
    "effect": "allow",
    "resources": [
        {
            "py/object": "vakt.rules.string.StartsWith",
            "ci": true,
            "val": "repos/Google"
        }
    ],
    "subjects": [
        {
            "name": {
                "py/object": "vakt.rules.logic.Any"
            },
            "stars": {
                "py/object": "vakt.rules.logic.And",
                "rules": {
                    "py/tuple": [
                        {
                            "py/object": "vakt.rules.operator.Greater",
                            "val": 50
                        },
                        {
                            "py/object": "vakt.rules.operator.Less",
                            "val": 999
                        }
                    ]
                }
            }
        }
    ],
    "type": 2,
    "uid": "4d7f9d40-0ef7-41e4-a649-4450cc5be9a8"
}
```
This JSON has fields which are either unclear (like "ci") or not user friendly (like "py/object"). I think this can be resolved by using a better marshalling package like marshmallow. I created an implementation of such in this forked version of the code --> https://github.com/ketgo/pyabac.
- Use of objectPath format for attributes in Policy. This object path can be used to extract the value of the attribute from the Inquiry. In this way we can support nested attribute based access control. For example, if we have the following inquiry
```python
import vakt

vakt.Inquiry(
    subject={"name": "Max", "address": {"city": "Boston", "state": "MA"}},
    resource={"url": "/api/v1.0/users"},
    action={"method": "GET"}
)
```
and want to set a policy which includes a rule on city in the address field, we can do so as follows
```python
import uuid
import vakt
from vakt.rules import Eq

vakt.Policy(
    str(uuid.uuid4()),
    # "$.address.city" is the proposed object-path syntax for a nested attribute
    subjects=[{"$.address.city": Eq("Boston")}],
    actions=[{"$.method": Eq("GET")}],
    effect=vakt.ALLOW_ACCESS
)
```
Here the string `$.address.city` is in object path format. Again, I have a working implementation in the repo --> https://github.com/ketgo/pyabac.
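To make the object-path idea concrete, here is a small stand-alone sketch (added here; it is not vakt's code nor the linked fork's) of how a `$.a.b` path could be resolved against a nested Inquiry and matched by a policy, using hypothetical stand-ins for the `Eq`/`Greater`/`Less`/`And` rules. The one behaviour worth calling out for an access-control check is that an attribute missing from the inquiry never satisfies a rule, so the policy fails closed rather than matching on a default.

```python
MISSING = object()  # sentinel: attribute absent from the inquiry

def resolve_path(path, data):
    """Resolve '$.a.b' against nested dicts; a plain key is looked up as-is.
    Returns MISSING when any segment is absent, so callers can fail closed."""
    if not path.startswith("$."):
        return data.get(path, MISSING)
    cur = data
    for seg in path[2:].split("."):
        if not isinstance(cur, dict) or seg not in cur:
            return MISSING
        cur = cur[seg]
    return cur

# Minimal stand-ins for vakt's Eq/Greater/Less/And rules (hypothetical, not vakt's).
def Eq(v): return lambda x: x == v
def Greater(v): return lambda x: isinstance(x, (int, float)) and x > v
def Less(v): return lambda x: isinstance(x, (int, float)) and x < v
def And(*rules): return lambda x: all(r(x) for r in rules)

def element_matches(rules, data):
    """All attribute rules must hold; a missing attribute never satisfies a rule."""
    for path, rule in rules.items():
        value = resolve_path(path, data)
        if value is MISSING or not rule(value):
            return False
    return True

# Policy fields are plural (vakt.Policy); inquiry fields are singular (vakt.Inquiry).
FIELDS = (("subjects", "subject"), ("resources", "resource"), ("actions", "action"))

def policy_allows(policy, inquiry):
    """Fits when at least one rule-set per policy field matches the inquiry."""
    for pfield, ifield in FIELDS:
        if not any(element_matches(rs, inquiry[ifield]) for rs in policy[pfield]):
            return False
    return policy["effect"] == "allow"

# Constructed sample input: the inquiry and policy from the proposal above.
INQUIRY = {
    "subject": {"name": "Max", "address": {"city": "Boston", "state": "MA"}},
    "resource": {"url": "/api/v1.0/users"},
    "action": {"method": "GET"},
}
POLICY = {
    "subjects": [{"$.address.city": Eq("Boston")}],
    "resources": [{"$.url": Eq("/api/v1.0/users")}],
    "actions": [{"$.method": Eq("GET")}],
    "effect": "allow",
}
```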