more intuitive policies (#59)

Author: subroseio

.air.toml

@@ -7,23 +7,14 @@ args_bin = ["--configFile", "./conf/dev.conf.toml"]
 bin = "./tmp/main"
 cmd = "go build -buildvcs=false -o ./tmp/main ./api/."
 delay = 1000
-exclude_dir = [
-  "assets",
-  "tmp",
-  "vendor",
-  "testdata",
-  "simulator",
-  "website",
-  "img",
-  "keydb",
-]
+exclude_dir = ["assets", "tmp", "vendor", "testdata", "website", "img", "keydb"]
 exclude_file = []
 exclude_regex = ["_test.go"]
 exclude_unchanged = false
 follow_symlink = false
 full_bin = ""
 include_dir = []
-include_ext = ["go", "tpl", "tmpl", "html"]
+include_ext = ["go", "py"]
 kill_delay = "0s"
 log = "build-errors.log"
 send_interrupt = false

docker-compose.yml

@@ -10,7 +10,7 @@ services:
       - THORN_ENCRYPTION_KEY=#.9U#JW#XbB12345
       - THORN_ENCRYPTION_SECRET=abc&1*~#^2^#s0^=)^^7%b34
       - THORN_SIGNING_KEY=secret
-      - THORN_DEV_MODE=false
+      - THORN_DEV_MODE=true
       - THORN_LOG_LEVEL=debug
       - THORN_LOG_SINK=stdout
       - THORN_LOG_FORMAT=text

simulator/ecommerce.py

@@ -53,7 +53,7 @@
         effect="allow",
         actions=["read"],
         resources=[
-            "/collections/customers/*/masked/*",
+            "/collections/customers/records/*/*.masked",
         ],
     ),
     expected_statuses=[201, 409],
@@ -66,7 +66,7 @@
         effect="allow",
         actions=["read"],
         resources=[
-            "/collections/customers/*/plain/*",
+            "/collections/customers/records/*/*.plain",
         ],
     ),
     expected_statuses=[201, 409],

simulator/pci.py

@@ -43,7 +43,7 @@
         effect="allow",
         actions=["read"],
         resources=[
-            "/collections/credit_cards/*/masked/*",
+            "/collections/credit_cards/records/*/*.masked",
         ],
     ),
     expected_statuses=[201, 409],
@@ -56,7 +56,7 @@
         effect="allow",
         actions=["read"],
         resources=[
-            "/collections/credit_cards/*/plain/*",
+            "/collections/credit_cards/records/*/*.plain",
         ],
     ),
     expected_statuses=[201, 409],

vault/policy.go

@@ -10,6 +10,9 @@ func matchRune(pattern, str []rune) bool {
 		case '*':
 			return matchRune(pattern[1:], str) ||
 				(len(str) > 0 && matchRune(pattern, str[1:]))
+		case '.':
+			return matchRune(pattern[2:], str) ||
+				(len(str) > 0 && matchRune(pattern, str[1:]))
 		}
 		str = str[1:]
 		pattern = pattern[1:]

vault/vault.go

@@ -82,13 +82,11 @@ type Vault struct {
 	Signer Signer
 }
 
-// TODO: These probably should be renamed to have _PATH
 const (
 	COLLECTIONS_PPATH = "/collections"
 	PRINCIPALS_PPATH  = "/principals"
 	RECORDS_PPATH     = "/records"
 	POLICIES_PPATH    = "/policies"
-	FIELDS_PPATH      = "/fields"
 )
 
 type VaultDB interface {
@@ -263,7 +261,7 @@ func (vault Vault) GetRecords(
 	// TODO: This is horribly inefficient, we should be able to do this in one go using ValidateActions(...)
 	for _, recordID := range recordIDs {
 		for field, format := range returnFormats {
-			_request := Request{principal, PolicyActionRead, fmt.Sprintf("%s/%s%s/%s/%s%s/%s", COLLECTIONS_PPATH, collectionName, RECORDS_PPATH, recordID, format, FIELDS_PPATH, field)}
+			_request := Request{principal, PolicyActionRead, fmt.Sprintf("%s/%s%s/%s/%s.%s", COLLECTIONS_PPATH, collectionName, RECORDS_PPATH, recordID, field, format)}
 			allowed, err := vault.ValidateAction(ctx, _request)
 			if err != nil {
 				return nil, err