Comments (3)
charithe
commented on May 29, 2024
Do you have an example of this? I can't reproduce it.
from cerbos.
charithe
commented on May 29, 2024
OK, managed to reproduce it. It looks like the fold operator (>) removes the last character of the string regardless of whether it's a newline or not. Curiously, the literal operator (|) doesn't have this problem.
If you have a very aggressive editor that removes all line feeds from the end of the file, then you'd run into this issue. Mine is configured to remove all trailing spaces too but it's not so aggressive as to remove the line feed at the end of the line. I had to explicitly truncate the last byte using truncate -s -1 file.yaml to reproduce this problem.
This fails because there's no line feed at the end.
apiVersion:·api.cerbos.dev/v1␊
resourcePolicy:␊
··version:·"default"␊
··resource:·"foo"␊
··rules:␊
····-·actions:·[·'view'·]␊
······effect:·EFFECT_ALLOW␊
······roles:·[·'user'·]␊
······condition:␊
········match:␊
··········expr:·>␊
············R.attr.accountId·==·P.attr.accountId·&&␊
············(␊
··············(R.attr.creatorId·==·P.id·&&·R.attr.status·==·"draft")·||␊
··············(has(P.attr.roles.admin)·&&·R.attr.creator.orgUnitIds·in·P.attr.roles.admin)·||␊
··············(R.attr.type·==·"organizational"·&&·R.attr.status·==·"published")␊
············)
Notice that the final bracket is missing from the expression. Which means that the > operator must have removed it.
Invalid expression: `R.attr.accountId == P.attr.accountId && ( (R.attr.creatorId == P.id && R.attr.status == "draft") || (has(P.attr.roles.admin) && R.attr.creator.orgUnitIds in P.attr.roles.admin) || (R.attr.type == "organizational" && R.attr.status == "published")` <failed to compile `R.attr.accountId == P.attr.accountId && ( (R.attr.creatorId == P.id && R.attr.status == "draft") || (has(P.attr.roles.admin) && R.attr.creator.orgUnitIds in P.attr.roles.admin) || (R.attr.type == "organizational" && R.attr.status == "published")` [Syntax error: missing ')' at '<EOF>']>
This works because there's a line feed after the last bracket.
apiVersion:·api.cerbos.dev/v1␊
resourcePolicy:␊
··version:·"default"␊
··resource:·"foo"␊
··rules:␊
····-·actions:·[·'view'·]␊
······effect:·EFFECT_ALLOW␊
······roles:·[·'user'·]␊
······condition:␊
········match:␊
··········expr:·>␊
············R.attr.accountId·==·P.attr.accountId·&&␊
············(␊
··············(R.attr.creatorId·==·P.id·&&·R.attr.status·==·"draft")·||␊
··············(has(P.attr.roles.admin)·&&·R.attr.creator.orgUnitIds·in·P.attr.roles.admin)·||␊
··············(R.attr.type·==·"organizational"·&&·R.attr.status·==·"published")␊
············)␊
The | operator doesn't have this issue even if there's no line feed at the end. This works just fine.
apiVersion:·api.cerbos.dev/v1␊
resourcePolicy:␊
··version:·"default"␊
··resource:·"foo"␊
··rules:␊
····-·actions:·[·'view'·]␊
······effect:·EFFECT_ALLOW␊
······roles:·[·'user'·]␊
······condition:␊
········match:␊
··········expr:·|␊
············R.attr.accountId·==·P.attr.accountId·&&␊
············(␊
··············(R.attr.creatorId·==·P.id·&&·R.attr.status·==·"draft")·||␊
··············(has(P.attr.roles.admin)·&&·R.attr.creator.orgUnitIds·in·P.attr.roles.admin)·||␊
··············(R.attr.type·==·"organizational"·&&·R.attr.status·==·"published")␊
············)
I'll look into why > is doing this. In the mean time, the solution is to use the | operator.
from cerbos.
charithe
commented on May 29, 2024
from cerbos.
Related Issues (20)
- Make DBConnectionRetries configurable HOT 3
- Ability to produce output when the rule condition is not satisfied
- Typo in docs causes sample test to fail. HOT 1
- demo-python failes to start HOT 1
- Dynamic Permissions HOT 1
- Update demo-rest to use the new Cerbos Go SDK HOT 5
- Not able to login inside container using bin/bash command HOT 1
- Query plan for 'P.attr.workspaces[R.id].role == "OWNER"' is not simplified
- .NET Quickstart broken
- The navigation links in the docs are hard to read HOT 1
- Enhance the Issue template HOT 4
- Cerbos compile and test Dagger module, please HOT 1
- Omitting an expectation from a test should imply `EFFECT_DENY` HOT 3
- Spurious "more than one YAML document detected" error caused by trailing whitespace in policy HOT 3
- Kafka audit will block even when configured to be flushing records async
- Spurious "more than one YAML document detected" caused by bad indentation
- Add `defaultPolicyVersion` to test options
- Allow specifying list of policies in inspect policies RPC
- Deprecate `storage.git.protocol` and infer the protocol from `storage.git.url`'s scheme HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cerbos.