Better rule matching #129

Merged: 1 commit, Jul 7, 2025

Member

@josephschorr josephschorr commented Jul 3, 2025

Adds support for CEL expression if statements that must be true for a rule to be used

@github-actions github-actions bot added area/core area/tooling Affects the dev or user toolchain labels Jul 3, 2025
Contributor

@vroldanbet vroldanbet left a comment

LGTM. My primary concern is ending up with a partial list of filtered rules due to a corner case in the rule if condition. For example, a request may end up with 2 out of 3 rules, because someone manipulated the request body in a way we did not anticipate. As a consequence, the request has a partial enforcement of rules, and could escalate privileges.

This allows for much finer grain control of which rules match which operation(s)
@josephschorr josephschorr force-pushed the better-rule-matching branch from 6e5a627 to d8829d3 Compare July 7, 2025 15:09
@josephschorr
Member Author

> LGTM. My primary concern is ending up with a partial list of filtered rules due to a corner case in the rule if condition. For example, a request may end up with 2 out of 3 rules, because someone manipulated the request body in a way we did not anticipate. As a consequence, the request has a partial enforcement of rules, and could escalate privileges.

If no rules match, then it would fail closed. There is a risk, as you mentioned, that the "wrong" rule could be used, but that's less likely.
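
The trade-off discussed in this thread, as an added illustration (not code from this pull request or from the authzed project): a small Go matcher in which plain Go predicates stand in for CEL `if` expressions. `Request`, `Rule`, `MatchRules`, `SampleRules` and the rule names are hypothetical, and denying on a condition that fails to evaluate is an assumption beyond what the thread states.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed, hypothetical types: Request is what a condition can inspect;
// Rule.If stands in for a compiled CEL `if` expression.
type Request struct {
	Verb string
	Body map[string]string
}
type Rule struct {
	Name string
	If   func(Request) (bool, error)
}
var ErrNoRules = errors.New("no rules matched, request denied")

// MatchRules fails closed on an empty match (as the thread states) and, as an
// added assumption, on a condition that errors. It also reports skipped rules.
func MatchRules(rules []Rule, req Request) (matched []Rule, skipped []string, err error) {
	for _, r := range rules {
		ok, cerr := r.If(req)
		if cerr != nil {
			return nil, nil, fmt.Errorf("rule %q: %w", r.Name, cerr)
		}
		if ok {
			matched = append(matched, r)
		} else {
			skipped = append(skipped, r.Name)
		}
	}
	if len(matched) == 0 {
		return nil, skipped, ErrNoRules
	}
	return matched, skipped, nil
}

func SampleRules() []Rule { // constructed data: three rules meant to cover one operation
	isCreate := func(r Request) (bool, error) { return r.Verb == "create", nil }
	hasNS := func(r Request) (bool, error) { _, ok := r.Body["namespace"]; return ok, nil }
	return []Rule{{"check-create", isCreate}, {"write-owner", isCreate}, {"check-namespace", hasNS}}
}

func main() {
	m, skipped, err := MatchRules(SampleRules(), Request{Verb: "create", Body: map[string]string{}})
	fmt.Println(len(m), skipped, err)
}
```

With the constructed request in `main`, two of the three rules apply and the call still succeeds; returning the skipped names gives the caller something to log or alert on when a rule set is only partially matched.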

@josephschorr josephschorr marked this pull request as ready for review July 7, 2025 15:10
@josephschorr josephschorr merged commit 042746f into authzed:main Jul 7, 2025
6 checks passed
@josephschorr josephschorr deleted the better-rule-matching branch July 7, 2025 15:36
@github-actions github-actions bot locked and limited conversation to collaborators Jul 7, 2025