Issue #59, Switch some older "0.5" IDQL versions and switched to hexa…

…policy.IdqlVersion Signed-off-by: Phil Hunt <phil.hunt@independentid.com>
hexa-org · Sep 14, 2024 · d559e07 · d559e07
1 parent c8a1cb3
commit d559e07
Show file tree

Hide file tree

Showing 8 changed files with 181 additions and 8 deletions.
diff --git a/models/rar/policy_transformer.go b/models/rar/policy_transformer.go
@@ -131,7 +131,7 @@ func ResourcePolicyMap(origPolicies []hexapolicy.PolicyInfo) map[string]hexapoli
 		newMembers := CompactMembers(existingMembers, pol.Subjects)
 
 		newPol := hexapolicy.PolicyInfo{
-			Meta:    hexapolicy.MetaInfo{Version: "0.5"},
+			Meta:    hexapolicy.MetaInfo{Version: hexapolicy.IdqlVersion},
 			Actions: mergedActions,
 			Subjects: hexapolicy.SubjectInfo{Members: newMembers},
 			Object:  hexapolicy.ObjectInfo{ResourceID: resource},

diff --git a/models/rar/testsupport/policytestsupport/policy_checker_support.go b/models/rar/testsupport/policytestsupport/policy_checker_support.go
@@ -55,7 +55,7 @@ func MakePolicies(actionMembers map[string][]string, resourceId string) []hexapo
         }
 
         pol := hexapolicy.PolicyInfo{
-            Meta:     hexapolicy.MetaInfo{Version: "0.5"},
+            Meta:     hexapolicy.MetaInfo{Version: hexapolicy.IdqlVersion},
             Actions:  []hexapolicy.ActionInfo{hexapolicy.ActionInfo(action)},
             Subjects: members,
             Object:   hexapolicy.ObjectInfo(resourceId),

diff --git a/models/rar/testsupport/policytestsupport/policy_data_support.go b/models/rar/testsupport/policytestsupport/policy_data_support.go
@@ -81,7 +81,7 @@ func MakeRoleSubjectTestPolicies(actionMembers map[string][]string) []hexapolicy
 
 func MakeRoleSubjectTestPolicy(resourceId string, action string, roles []string) hexapolicy.PolicyInfo {
     return hexapolicy.PolicyInfo{
-        Meta:     hexapolicy.MetaInfo{Version: "0.5"},
+        Meta:     hexapolicy.MetaInfo{Version: hexapolicy.IdqlVersion},
         Actions:  []hexapolicy.ActionInfo{hexapolicy.ActionInfo(action)},
         Subjects: roles,
         Object:   hexapolicy.ObjectInfo(resourceId),
@@ -90,7 +90,7 @@ func MakeRoleSubjectTestPolicy(resourceId string, action string, roles []string)
 
 func MakeTestPolicy(resourceId string, action string, actionMembers ActionMembers) hexapolicy.PolicyInfo {
     return hexapolicy.PolicyInfo{
-        Meta:     hexapolicy.MetaInfo{Version: "0.5"},
+        Meta:     hexapolicy.MetaInfo{Version: hexapolicy.IdqlVersion},
         Actions:  []hexapolicy.ActionInfo{hexapolicy.ActionInfo(action)},
         Subjects: MakePolicyTestUsers(actionMembers),
         Object:   hexapolicy.ObjectInfo(resourceId),

diff --git a/pkg/hexapolicy/hexa_policy_test.go b/pkg/hexapolicy/hexa_policy_test.go
@@ -73,6 +73,69 @@ var oldPolicy1 = `{
       }
 }`
 
+var oldPolicies = `{
+  "policies": [
+    {
+      "meta": {"version": "0.6"},
+      "actions": [{"actionUri": "http:GET:/"}],
+      "subject": {
+        "members": [
+          "allusers", "allauthenticated"
+        ]
+      },
+      "condition": {
+        "rule": "req.ip sw 127 and req.method eq POST",
+        "action": "allow"
+      },
+      "object": {
+        "resource_id": "aResourceId1"
+      }
+    },
+    {
+      "meta": {"version": "0.6"},
+      "actions": [{"actionUri": "http:GET:/sales"}, {"actionUri": "http:GET:/marketing"}],
+      "subject": {
+        "members": [
+          "allauthenticated",
+          "sales@hexaindustries.io",
+          "marketing@hexaindustries.io"
+        ]
+      },
+      "object": {
+        "resource_id": "aResourceId2"
+      }
+    },
+    {
+      "meta": {"version": "0.6"},
+      "actions": [{"actionUri": "http:GET:/accounting"}, {"actionUri": "http:POST:/accounting"}],
+      "subject": {
+        "members": [
+          "accounting@hexaindustries.io"
+        ]
+      },
+      "condition": {
+        "rule": "req.ip sw 127 and req.method eq POST",
+        "action": "allow"
+      },
+      "object": {
+        "resource_id": "aResourceId3"
+      }
+    },
+    {
+      "meta": {"version": "0.6"},
+      "actions": [{"actionUri": "http:GET:/humanresources"}],
+      "subject": {
+        "members": [
+          "humanresources@hexaindustries.io"
+        ]
+      },
+      "object": {
+        "resource_id": "aResourceId1"
+      }
+    }
+  ]
+}`
+
 func getPolicies(t *testing.T) Policies {
     t.Helper()
     var policy1, policy2 PolicyInfo
@@ -113,6 +176,11 @@ func TestReadOldPolicy(t *testing.T) {
     assert.Len(t, pol.Subjects, 1, "should be one subject")
     assert.Len(t, pol.Actions, 1, "should be one action")
     assert.Equal(t, "cedar:Photo::\"VacationPhoto94.jpg\"", pol.Object.String(), "resource id should be converted")
+
+    var policies Policies
+    err = json.Unmarshal([]byte(oldPolicies), &policies)
+    assert.NoError(t, err, "Check no policy parse error on old policy")
+    assert.Len(t, policies.Policies, 4, "should be 4 policies")
 }
 
 func TestSubjectInfo_equals(t *testing.T) {

diff --git a/pkg/hexapolicysupport/test/oldPolicy.json b/pkg/hexapolicysupport/test/oldPolicy.json
@@ -0,0 +1,103 @@
+{
+  "policies": [
+    {
+      "meta": {
+        "policyId": "GetUsers",
+        "version": "0.6",
+        "description": "Get information (e.g. email, picture) associated with a user"
+      },
+      "subject": {
+        "members": ["anyAuthenticated"]
+      },
+      "actions": [
+        {
+          "actionUri": "can_read_user"
+        }
+      ],
+      "object": {
+        "resource_id": "todo"
+      }
+    },
+    {
+      "meta": {
+        "policyId": "GetTodos",
+        "version": "0.6",
+
+        "description": "Get the list of todos. Always returns true for every user??"
+      },
+      "subject": {
+        "members": ["anyAuthenticated"]
+      },
+      "actions": [
+        {
+          "actionUri": "can_read_todos"
+        }
+      ],
+      "object": {
+        "resource_id": "todo"
+      }
+    },
+    {
+      "meta": {
+        "version": "0.6",
+        "description": "Create a new Todo",
+        "policyId": "PostTodo"
+      },
+      "subject": {
+        "members": ["role:admin","role:editor"]
+      },
+      "actions": [
+        {
+          "actionUri": "can_create_todo"
+        }
+      ],
+      "object": {
+        "resource_id": "todo"
+      }
+    },
+    {
+      "meta": {
+        "version": "0.6",
+        "description": "Edit(complete) a todo.",
+        "policyId": "PutTodo"
+      },
+      "subject": {
+        "members": ["anyAuthenticated"]
+      },
+      "actions": [
+        {
+          "actionUri": "can_update_todo"
+        }
+      ],
+      "condition": {
+        "rule": "subject.roles co evil_genius or ( subject.roles co editor and resource.ownerID eq subject.claims.id )",
+        "action": "allow"
+      },
+      "object": {
+        "resource_id": "todo"
+      }
+    },
+    {
+      "meta": {
+        "version": "0.6",
+        "description": "Delete a todo if admin or owner of todo",
+        "policyId": "DeleteTodo"
+      },
+      "subject": {
+        "members": ["anyAuthenticated"]
+      },
+      "actions": [
+        {
+          "actionUri": "can_delete_todo"
+        }
+      ],
+      "condition": {
+        "rule": "subject.roles co admin or ( subject.roles co editor and resource.ownerID eq subject.claims.id )",
+        "action": "allow"
+      },
+      "object": {
+        "resource_id": "todo"
+      }
+    }
+  ]
+}
diff --git a/providers/aws/avpProvider/avp_provider_test.go b/providers/aws/avpProvider/avp_provider_test.go
@@ -260,7 +260,7 @@ func TestAvp_3_Reconcile(t *testing.T) {
     // now append a policy by copying and modifying the first
     newPolicy := policies[0]
     newPolicy.Meta = hexapolicy.MetaInfo{
-        Version:     "0.5",
+        Version:     hexapolicy.IdqlVersion,
         Description: "Test New Policy",
         Created:     &now,
         Modified:    &now,

diff --git a/providers/openpolicyagent/opa_provider_test.go b/providers/openpolicyagent/opa_provider_test.go
@@ -426,7 +426,7 @@ func TestSetPolicyInfo_WithHTTPSBundleServer(t *testing.T) {
         policyprovider.ApplicationInfo{ObjectID: "aResourceId"},
         []hexapolicy.PolicyInfo{
             {
-                Meta:     hexapolicy.MetaInfo{Version: "0.5"},
+                Meta:     hexapolicy.MetaInfo{Version: hexapolicy.IdqlVersion},
                 Actions:  []hexapolicy.ActionInfo{"http:GET"},
                 Subjects: []string{"allusers"},
                 Object:   "aResourceId",

diff --git a/sdk/providerTools_test.go b/sdk/providerTools_test.go
@@ -68,6 +68,7 @@ func (s *testSuite) Test2_GetPolicies() {
     s.mockClient.MockGetPolicyTemplateWithHttpStatus(http.StatusOK, avpTestSupport.TestCedarTemplatePolicyId+"0")
 
     policySet, err := s.Integration.GetPolicies(s.papId)
+    assert.NotNil(s.T(), policySet)
     policies := policySet.Policies
     assert.NoError(s.T(), err)
     assert.NotNil(s.T(), policies)
@@ -85,7 +86,7 @@ func (s *testSuite) Test3_Reconcile() {
     s.mockClient.MockGetPolicyTemplateWithHttpStatus(http.StatusOK, avpTestSupport.TestCedarTemplatePolicyId+"0")
 
     policySet, err := s.Integration.GetPolicies(s.papId)
-
+    assert.NotNil(s.T(), policySet)
     policies := policySet.Policies
 
     assert.True(s.T(), s.mockClient.VerifyCalled())
@@ -115,7 +116,7 @@ func (s *testSuite) Test3_Reconcile() {
     // now append a policy by copying and modifying the first
     newPolicy := policies[0]
     newPolicy.Meta = hexapolicy.MetaInfo{
-        Version:     "0.5",
+        Version:     hexapolicy.IdqlVersion,
         Description: "Test New Policy",
         Created:     &now,
         Modified:    &now,
@@ -152,6 +153,7 @@ func (s *testSuite) Test4_SetPolicies() {
     s.mockClient.MockGetPolicyWithHttpStatus(http.StatusOK, avpTestSupport.TestCedarStaticPolicyId+"0")
     s.mockClient.MockGetPolicyTemplateWithHttpStatus(http.StatusOK, avpTestSupport.TestCedarTemplatePolicyId+"0")
     policySet, err := s.Integration.GetPolicies(s.papId)
+    assert.NotNil(s.T(), policySet)
     policies := policySet.Policies
     assert.True(s.T(), s.mockClient.VerifyCalled())