Skip to content

[FEATURE]: rename policy field in policy configuration flow #105

Description

@araujof

Summary

Improve naming and configuration surface for CPEX authz configuration.

Details

Currently, we have two fields in an authz configuration flow in CPEX: policy and post_policy. We also have identity to signify authentication requirements, and define authorization flows as sequences of args, policy, post_policy, results groups:

global: # for global authz flows, applied to any targets
  identity: [...]
  args: [...]
  policy: [...]
  ...

routes:  # for per-entity authz flows
  - tool: get_employee
    authentication:
      - jwt-user
      - jwt-client
    args:
      employee_id: "str"
    policy:
      - "require(authenticated)"
      - "delegation.depth > 2: deny"
    result:
      ssn: "str | redact(!perm.view_ssn)"
      salary: "int | redact(!role.hr)"
      employee_id: "str | mask(4)"
    post_policy:
      - run(...)

We would like to improve naming and organization of this configuration. A proposal:

global:
  authentication:
    - jwt-user
    - jwt-client
  authorization:
    pre_invocation: [...]
    post_invocation: [...]

routes:
  - tool: get_compensation
    identity: [...]
    args:
      employee_id: "str"      
    authorization:
      pre_invocation:
        - "require(authenticated)"
        - "delegation.depth > 2: deny"
      post_invocation:
        - "run(...)"        
    result: 
        ssn: "str | redact(!perm.view_ssn)"
        salary: "int | redact(!role.hr)"
        employee_id: "str | mask(4)"

Note: args and result are not recognized under global group.

Acceptance Criteria

  • Unit tests
  • Regression testing with Praxis

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    Fields

    No fields configured for Task.

    Projects

    Status
    Backlog

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions