-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(policy): filter statements subset by selector #27
Conversation
capability/policy/policy.go
Outdated
// assuming the first statement's selector is representative | ||
if len(c.statements) > 0 { | ||
return c.statements[0].Selector() | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@MichaelMure I'm not sure about this 💭
// NewFieldSegment creates a new segment for a field. | ||
func NewFieldSegment(field string) segment { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@MichaelMure we don't use all those constructors atm. But I needed to deal w/ segment
from the parent pkg (tests) and didn't want to make that type public. wdyt
func (c connective) Selector() selector.Selector { | ||
// assuming the first statement's selector is representative | ||
if len(c.statements) > 0 { | ||
return c.statements[0].Selector() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't seem right to me...
In general I don't really have enough context in the PR description to understand why this is necessary, plus I'm not sure I understand why policy statements need to have a selector now?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is arguably off-spec (and very exploratory for now), but the idea is that when you pass a UCAN as a HTTP bearer (the off-spec part), you likely want to do some or all of the following:
- include "external args" (http.method, http.path, ...) into your normal invocation
args
, and have the policies operate on those elements - evaluate the policies in multiple stages in your server because different aspects are handled in different part of the pipeline (some args might come from the HTTP header, some from the body ...)
To be clear, all this HTTP bearer features are not going to be in go-ucan, but this specific facility in this PR might come handy even outside of this scenario, for example when you want to sub-delegate on a subset of the original policies. TBD.
That HTTP bearer thing might become a UCAN extension in the future.
require.NoError(t, err) | ||
|
||
p = Policy{stmt1, stmt2} | ||
filtered = p.FilterWithMatcher(selector.Selector{selector.NewFieldSegment(".http")}, selector.SegmentStartsWith) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@MichaelMure here .http
"startsWith" selector matches .http.host
statement.
Based on exploration work #27
Based on exploration work #27
Based on exploration work #27
Based on exploration work #27
closing in favor of #44 |
Based on exploration work #27
Based on exploration work #27
Requirement: splitting the policy evaluation into different chunks.
capability.Policy
has now aMatch
method (refactored from standalone function) and aFilter
method which allows to filter policy statements bySelector
.