Rego template endpoint #96
Conversation
apps/authz/src/app/http/rest/dto/policy-criterion-builder.dto.ts
@@ -84,4 +87,10 @@ export class AdminService { | |||
|
|||
return payload.request.data | |||
} | |||
|
|||
async setPolicyRules(payload: SetPolicyRulesRequest): Promise<PolicyCriterionBuilder[]> { | |||
await this.opaService.generateRegoFile(payload.request.data) |
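Review bot: `setPolicyRules` is typed `Promise<PolicyCriterionBuilder[]>`, but the lines shown only `await` `generateRegoFile`, which is declared `void` and does synchronous `readFileSync`/`writeFileSync` work, so the `await` is a no-op and nothing in the visible body produces the promised array; either return `payload.request.data` after generation, as the method just above does, or make `generateRegoFile` genuinely async with `fs/promises` and return its result. Since `payload.request.data` comes straight from the request body and is about to be turned into policy source on disk, this is also the place where the DTO validation has to run before the generator is called.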
Do you plan to save these policies in the database as well, no?
Yes, but not on the engine part. See this discussion:
https://narvalxyz.slack.com/archives/C067Q1TDA9G/p1707310563319479
generateRegoFile(policies: PolicyCriterionBuilder[]): void { | ||
Handlebars.registerHelper('criterion', function (item) { | ||
const criterion: Criterion = item.criterion | ||
const args = item.args | ||
|
||
if (args === null) { | ||
return `${criterion}` | ||
} | ||
|
||
if (!isEmpty(args)) { | ||
if (Array.isArray(args)) { | ||
if (typeof args[0] === 'string') { | ||
return `${criterion}({${args.map((el) => `"${el}"`).join(', ')}})` | ||
} | ||
|
||
if (criterion === Criterion.CHECK_APPROVALS) { | ||
return `approvals = ${criterion}([${args.map((el) => JSON.stringify(el)).join(', ')}])` | ||
} | ||
|
||
return `${criterion}([${args.map((el) => JSON.stringify(el)).join(', ')}])` | ||
} | ||
|
||
return `${criterion}(${JSON.stringify(args)})` | ||
} | ||
}) | ||
|
||
Handlebars.registerHelper('reason', function (item) { | ||
if (item.then === Then.PERMIT) { | ||
const reason = [ | ||
`"type": "${item.then}"`, | ||
`"policyId": "${item.name}"`, | ||
'"approvalsSatisfied": approvals.approvalsSatisfied', | ||
'"approvalsMissing": approvals.approvalsMissing' | ||
] | ||
return `reason = {${reason.join(', ')}}` | ||
} | ||
|
||
if (item.then === Then.FORBID) { | ||
const reason = { | ||
type: item.then, | ||
policyId: item.name, | ||
approvalsSatisfied: [], | ||
approvalsMissing: [] | ||
} | ||
return `reason = ${JSON.stringify(reason)}` | ||
} | ||
}) | ||
|
||
const templateSource = readFileSync('./apps/authz/src/opa/template/template.hbs', 'utf-8') | ||
|
||
const template = Handlebars.compile(templateSource) | ||
|
||
const regoContent = template({ policies }) | ||
|
||
writeFileSync(`./apps/authz/src/opa/rego/generated/${uuidv4()}.rego`, regoContent, 'utf-8') | ||
|
||
console.log('Policy .rego file generated successfully.') | ||
} |
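Review bot: the string-array branch of the `criterion` helper (`args.map((el) => `"${el}"`)`) quotes each element by hand, so an element containing `"` or `\` terminates the Rego string literal and the remainder of the value is emitted as policy source; use `JSON.stringify(el)` there as the other two array branches already do, and validate criterion arguments against the DTO's allowed shapes before rendering, since they arrive from the request body. Three further points in the same hunk: the PERMIT branch of `reason` references `approvals.approvalsSatisfied` unconditionally while `approvals` is only bound when a `CHECK_APPROVALS` criterion with array args is present, so a permit policy without one renders a rule with an unbound variable and the whole file fails to compile (emit the `[]` literals in that case, as FORBID does); when `args` is non-null but `isEmpty(args)` is true the helper falls through and returns `undefined`, which Handlebars renders as an empty string and silently drops the criterion (throw instead, and note that if this is lodash's `isEmpty`, numbers and booleans also count as empty); and `Handlebars.registerHelper` mutates the global instance on every call, so register the helpers once at module load or on a `Handlebars.create()` instance. Lastly, the `uuidv4()` filename is generated and discarded, the `./apps/authz/...` paths resolve against the process cwd and write into the source tree, and `console.log` should be the service's logger; returning the path and content from this method would also make it testable without touching the filesystem.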
Here's a suggestion on how to unit test this logic:
- Separate side effects from policy generation logic. If you move the template file reading and Rego file writing elsewhere, the logic essentially becomes: given a policy schema and a template string, you produce a policy string on the other side (the Rego logic).
- Unit test each criterion defined in `policy-build.type.ts`. For a given template and criterion A, specify what you expect as a policy. Do this without merging criteria into a single policy. This approach will provide comprehensive documentation of what you expect for smaller system components.
- Unit test a few criteria together to generate a policy and check if the outcome matches your expectations. This will give us confidence in criteria composition.
These types of logic to map from standard A to B are often a major source of bugs. Let's get that covered so we can move faster without breaking things 😉
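The shape the review asks for, as an added example that is not the project's code: a side-effect-free renderer that takes policies in and returns Rego source, so each criterion can be asserted on in isolation and then in composition. The `Criterion` and `Then` enums are constructed stand-ins (only `CHECK_APPROVALS`, `PERMIT` and `FORBID` appear in the diff; the other members, the partial-set rule shape and the `main` package name are assumptions, since `template.hbs` is not on the page). Handlebars is left out on purpose: the point is the mapping logic, and every request-supplied value goes through `JSON.stringify` so it lands inside a Rego literal rather than as policy syntax.

```typescript
// Added example, not the project's code: a pure Rego renderer written so each
// criterion can be unit-tested on its own. Criterion/Then are constructed
// stand-ins for the project's types; members other than CHECK_APPROVALS,
// PERMIT and FORBID, the rule shape and the package name are assumptions.
// File reading and writing are deliberately left to the caller.

enum Criterion {
  CHECK_ACTION = 'checkAction', // assumed member
  CHECK_PRINCIPAL_ID = 'checkPrincipalId', // assumed member
  CHECK_APPROVALS = 'checkApprovals',
}

enum Then {
  PERMIT = 'permit',
  FORBID = 'forbid',
}

interface CriterionItem {
  criterion: Criterion
  args: unknown // null means "call the criterion with no arguments"
}

interface Policy {
  name: string
  then: Then
  when: CriterionItem[]
}

// Render one criterion call. Every argument is encoded with JSON.stringify,
// which yields a valid Rego string/array/object literal and escapes embedded
// quotes and backslashes, so request-supplied values cannot break out of it.
function renderCriterion(item: CriterionItem): string {
  const { criterion, args } = item
  if (args === null || args === undefined) {
    return criterion
  }
  if (Array.isArray(args)) {
    if (args.length === 0) {
      // An empty argument list is a malformed policy, not a no-op: fail loudly
      // instead of rendering an empty string into the rule body.
      throw new Error(`criterion ${criterion}: empty argument list`)
    }
    const encoded = args.map((el) => JSON.stringify(el)).join(', ')
    if (args.every((el) => typeof el === 'string')) {
      return `${criterion}({${encoded}})` // Rego set of strings
    }
    const call = `${criterion}([${encoded}])` // Rego array of objects
    return criterion === Criterion.CHECK_APPROVALS ? `approvals = ${call}` : call
  }
  return `${criterion}(${JSON.stringify(args)})`
}

// Render the `reason` binding. The approvals fields reference the `approvals`
// variable only when a criterion in this policy actually binds it; otherwise
// the rule would contain an unbound variable and the file would not compile.
function renderReason(policy: Policy): string {
  const head = `"type": ${JSON.stringify(policy.then)}, "policyId": ${JSON.stringify(policy.name)}`
  const bindsApprovals = policy.when.some((c) => renderCriterion(c).startsWith('approvals = '))
  if (policy.then === Then.PERMIT && bindsApprovals) {
    return `reason = {${head}, "approvalsSatisfied": approvals.approvalsSatisfied, "approvalsMissing": approvals.approvalsMissing}`
  }
  return `reason = {${head}, "approvalsSatisfied": [], "approvalsMissing": []}`
}

// Render one policy as a partial-set rule (assumed shape): the criteria form
// the body, followed by the reason binding that the rule head exposes.
function renderPolicy(policy: Policy): string {
  const body = [...policy.when.map(renderCriterion), renderReason(policy)]
  return `${policy.then}[reason] {\n${body.map((line) => `  ${line}`).join('\n')}\n}`
}

// Pure counterpart of generateRegoFile: policies in, Rego source out.
function renderRego(policies: Policy[], pkg = 'main'): string {
  return [`package ${pkg}`, ...policies.map(renderPolicy)].join('\n\n') + '\n'
}

// Constructed sample input; 'bo"b' is the kind of value that would have escaped
// a hand-quoted `"${el}"` literal.
const samplePolicies: Policy[] = [
  {
    name: 'allow-admin-sign',
    then: Then.PERMIT,
    when: [
      { criterion: Criterion.CHECK_ACTION, args: ['signTransaction'] },
      { criterion: Criterion.CHECK_PRINCIPAL_ID, args: ['alice', 'bo"b'] },
      { criterion: Criterion.CHECK_APPROVALS, args: [{ approvalCount: 2, approvalEntityType: 'Narval::User' }] },
    ],
  },
  { name: 'deny-everyone-else', then: Then.FORBID, when: [{ criterion: Criterion.CHECK_ACTION, args: null }] },
]

console.log(renderRego(samplePolicies))
```

Each `renderCriterion` case maps to one small test (one criterion, one expected string), `renderReason` gets a permit-with-approvals, permit-without-approvals and forbid case, and `renderRego` over the sample list is the composition test the review asks for; the caller that reads the template and writes the file is then thin enough to leave to an E2E test.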
packages/authz-shared/src/lib/decorators/is-account-id.decorator.ts
packages/authz-shared/src/lib/decorators/is-asset-id.decorator.ts
* Migration, data is persisted per-connection (#88)
* schema migration to scope all data per connection
* data migration script
* fix provider type per connection
* unique keys order
* fixed failing tests
* added connectionId to mock data in transfer and sync tests
* handle known destination connections to connectionId
* abstract away single tie to connection change from known destinations
* filter on correct row in wallet repository
* updated migration script to duplicate provider resources
* updates existing transfers
* Pass through known destination (#90)
* Add CSR public key format for FB connection (#92)
* Add CSR public key format for FB connection
* Add optional CSR format in the public key DTO
* Add describe block
* Pin node-forge version
* Remove wallet connections list (#95)
* Scope operations by connection (#96)
* Scope operations by connection
* Scope sync operations by connection
* Fix supertest wrapper to work with query method
* Use signed request util in the wallet E2E tests
* Fix flaky tests
* Add back connection list endpoint
* Fix address E2E tests
* Bump SDK version
* Add network and asset endpoints in the SDK
* Adding BitGo connection
* ScopedSync by RawAccounts (#84)
* duplicated sync, poc working
* fixed rebase conflicts and format
* cleanup rebase merge, correctly insert connectionId on scope sync
* fireblocks scoped-sync updates
* use vault label
* added updates to anchorage's scoped sync service
* add tests on anchorage scoped sync
* cleaned up anchorage scope sync tests
* map fireblocks assetWallets to network specific accounts
* fixed not found test expectation
* test fireblocks scoped sync
* fixed rebase conflicts
* changed externalId standard
* Adding Raw Accounts endpoint & Asset/Network bootstrap
* Adding includeAddress query param so fireblocks does not always fetch addresses
* Cache assets & refactor network cache (#98)
* Cache asset; refactor network to use cache manager
* Remove draft config
* Pin cache-manager version
* Lower case cache keys
* Fix findAll method
* Endpoints to fetch scoped-syncs (#101)
* scoped sync persists stringified raw accounts
* add status fetching endpoints for scoped syncs
* use prismaservice methods to json stringify and parse
* Minor fixes before release connection-specific (#102)
* Add back the nested wallet and account endpoints in the connection
* Minor fix on scope sync logs; Connection ID is mandatory in the Vault Client
* connect a new connection triggers full sync on anchorage (#103)
* connect a new connection triggers full sync on anchorage
* fix test expectation for empty raw accounts on anchorage
* Add listProviderRawAccounts method in the Vault SDK
* removed references to 'sync' and dropped table
* removed syncService from connection test
* deleted sync e2e test
* re-generated sdk without scoped sync methods
* Revert "re-generated sdk without scoped sync methods". This reverts commit 66dccdfa2bd909d2f6c015b153e87c3728004dd2.
* Revert "removed references to 'sync' and dropped table". This reverts commit 9c2cd022b95439ce9bc4a45a44d7c67da0cdc535.
* Revert "deleted sync e2e test". This reverts commit 2f4a252650fb871662cbe92ba149aa9e2dc5d0c6.
* Revert "removed syncService from connection test". This reverts commit 450ece6a34ec5ef04bf170c176f56de4e71b97c9.
* removed sync functionality except list
* removed deprecated imports

Co-authored-by: Ptroger <[email protected]>
Co-authored-by: Pierre Troger <[email protected]>

* Feature/nar 2059 make scoped sync quicker (#104)
* fireblocks query uniquely scoped accounts, handle duplicated rawAccounts
* optimized queries per wallet
* anchorage scoped syncs swallow not found errors
* batch requests to control rate limiting
* removed connection-sync event handler
* manage error handling in promiseAllSettled
* use httpstatus
* expect precisely one account
* Asset fallback (#105)
* Asset fallback for Anchorage and Fireblocks
* Add TransferAssetService
* Remove findTransferAsset from AssetService
* Remove fallback type
* Refactor TransferAssetService
* Fix integration test types
* Fix E2E tests
* Fix provider

Co-authored-by: Ptroger <[email protected]>
Co-authored-by: Matt Schoch <[email protected]>
Co-authored-by: Pierre Troger <[email protected]>
* Migration, data is persisted per-connection (#88)
* schema migration to scope all data per connection
* data migration script
* fix provider type per connection
* unique keys order
* fixed failing tests
* added connectionId to mock data in transfer and sync tests
* handle known destination connections to connectionId
* abstract away single tie to connection change from known destinations
* filter on correct row in wallet repository
* updated migration script to duplicate provider resources
* updates existing transfers
* Pass through known destination (#90)
* Add CSR public key format for FB connection (#92)
* Add CSR public key format for FB connection
* Add optional CSR format in the public key DTO
* Add describe block
* Pin node-forge version
* Remove wallet connections list (#95)
* Scope operations by connection (#96)
* Scope operations by connection
* Scope sync operations by connection
* Fix supertest wrapper to work with query method
* Use signed request util in the wallet E2E tests
* Fix flaky tests
* Add back connection list endpoint
* Fix address E2E tests
* Bump SDK version
* Add network and asset endpoints in the SDK
* Adding BitGo connection
* ScopedSync by RawAccounts (#84)
* duplicated sync, poc working
* fixed rebase conflicts and format
* cleanup rebase merge, correctly insert connectionId on scope sync
* fireblocks scoped-sync updates
* use vault label
* added updates to anchorage's scoped sync service
* add tests on anchorage scoped sync
* cleaned up anchorage scope sync tests
* map fireblocks assetWallets to network specific accounts
* fixed not found test expectation
* test fireblocks scoped sync
* fixed rebase conflicts
* changed externalId standard
* Adding Raw Accounts endpoint & Asset/Network bootstrap
* Adding includeAddress query param so fireblocks does not always fetch addresses
* Cache assets & refactor network cache (#98)
* Cache asset; refactor network to use cache manager
* Remove draft config
* Pin cache-manager version
* Lower case cache keys
* Fix findAll method
* Endpoints to fetch scoped-syncs (#101)
* scoped sync persists stringified raw accounts
* add status fetching endpoints for scoped syncs
* use prismaservice methods to json stringify and parse
* Minor fixes before release connection-specific (#102)
* Add back the nested wallet and account endpoints in the connection
* Minor fix on scope sync logs; Connection ID is mandatory in the Vault Client
* connect a new connection triggers full sync on anchorage (#103)
* connect a new connection triggers full sync on anchorage
* fix test expectation for empty raw accounts on anchorage
* Add listProviderRawAccounts method in the Vault SDK
* removed references to 'sync' and dropped table
* removed syncService from connection test
* deleted sync e2e test
* re-generated sdk without scoped sync methods
* Revert "re-generated sdk without scoped sync methods". This reverts commit 66dccdfa2bd909d2f6c015b153e87c3728004dd2.
* Revert "removed references to 'sync' and dropped table". This reverts commit 9c2cd022b95439ce9bc4a45a44d7c67da0cdc535.
* Revert "deleted sync e2e test". This reverts commit 2f4a252650fb871662cbe92ba149aa9e2dc5d0c6.
* Revert "removed syncService from connection test". This reverts commit 450ece6a34ec5ef04bf170c176f56de4e71b97c9.
* removed sync functionality except list
* removed deprecated imports

Co-authored-by: Ptroger <[email protected]>
Co-authored-by: Pierre Troger <[email protected]>

* Feature/nar 2059 make scoped sync quicker (#104)
* fireblocks query uniquely scoped accounts, handle duplicated rawAccounts
* optimized queries per wallet
* anchorage scoped syncs swallow not found errors
* batch requests to control rate limiting
* removed connection-sync event handler
* manage error handling in promiseAllSettled
* use httpstatus
* expect precisely one account
* Asset fallback (#105)
* Asset fallback for Anchorage and Fireblocks
* Add TransferAssetService
* Remove findTransferAsset from AssetService
* Remove fallback type
* Refactor TransferAssetService
* Fix integration test types
* Fix E2E tests
* Fix provider
* Update Unified API examples
* Remove pagination
* Update README
* Update quickstart README
* Quickstart, Select Accounts section
* Adding `.` before quickstart readme so it orders first in gist
* Update SDK version
* Ignore config.*.yaml files in git

Co-authored-by: Ptroger <[email protected]>
Co-authored-by: Matt Schoch <[email protected]>
Co-authored-by: Pierre Troger <[email protected]>
No description provided.