`reject if`
Currently, authorization logic can be described with two mechanisms:
- checks (`check` and `check all`): when present, a check must be satisfied for the authorization to go through. `check` mandates that at least one combination of facts matches the predicates and satisfies the expressions, while `check all` mandates that at least one combination of facts matches the predicates, and that all combinations of facts that match the predicates satisfy the expressions.
- policies (`allow`/`deny`): those are tried in order, and the first one to match determines if the request is allowed or not (as long as all checks are satisfied).
So checks are there to ensure that a condition holds, no matter what, while policies are useful to try several conditions one after the other.
One missing bit is being able to ensure that a condition does not hold, no matter what. This kind of logic is used in AWS policies for instance: if a deny policy matches, authorization will fail, regardless of all other policies.
This behaviour can be done in biscuit by putting deny policies first, so that no allow policy has the chance to bypass the check of deny policies, but this is a bit fragile. In some cases, `check all` can also be used to this effect.
reject if
The next biscuit version could introduce a new check kind, that makes authorization fail if it matches. This would allow us to have autonomous exclusion checks.
open questions
- [x] keyword: `reject if` was the version favoured by people https://framapiaf.org/@clementd/110616658721525331
- [x] behaviour: if present, and there is a combination of facts that matches the predicates and satisfies the expressions, then authorization fails.
- [ ] should `check all` also have a negative version as well?
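To make the semantics in the proposal concrete, here is an added toy evaluator (not biscuit's own code, and not part of the issue) that models the three check kinds and ordered policies over a set of facts. Facts, rule bodies and the `alice`/`file1`/`file2` rights are constructed for the example; the `reject if` behaviour (fail as soon as any body matches and its expressions hold) is the one stated in the "behaviour" item above and is an assumption of this model, not an implementation from the project. It shows why the deny-first workaround is fragile (swapping policy order flips the verdict) and how `reject if` excludes regardless of policy order.

```python
"""Toy model of biscuit-style authorization: checks, `check all`, `reject if`, ordered policies."""


def facts_for(user, resource, op):
    """Constructed sample facts in the shape of biscuit's usual user/resource/right facts."""
    return {
        ("user", user),
        ("resource", resource),
        ("operation", op),
        ("right", "alice", "file1", "read"),
        ("right", "alice", "file2", "read"),
        ("revoked", "file2"),  # constructed: file2 is revoked for everyone
    }


def is_var(term):
    return isinstance(term, str) and term.startswith("$")


def unify(pattern, fact, bindings):
    """Extend `bindings` so that `pattern` equals `fact`; return None if impossible."""
    if pattern[0] != fact[0] or len(pattern) != len(fact):
        return None
    out = dict(bindings)
    for p, f in zip(pattern[1:], fact[1:]):
        if is_var(p):
            if out.get(p, f) != f:
                return None
            out[p] = f
        elif p != f:
            return None
    return out


def match_body(body, facts):
    """Return (bindings matching all predicates, the subset also satisfying the expressions)."""
    predicates, expressions = body
    bindings = [{}]
    for pred in predicates:
        extended = []
        for b in bindings:
            for fact in facts:
                nb = unify(pred, fact, b)
                if nb is not None:
                    extended.append(nb)
        bindings = extended
    satisfied = [b for b in bindings if all(expr(b) for expr in expressions)]
    return bindings, satisfied


def check_passes(kind, bodies, facts):
    """Semantics of the check kinds as described in the issue (reject if: assumed)."""
    if kind == "check if":
        # at least one combination of facts matches and satisfies the expressions
        return any(match_body(b, facts)[1] for b in bodies)
    if kind == "check all":
        # at least one match, and every match satisfies the expressions
        return any(matched and len(matched) == len(ok)
                   for matched, ok in (match_body(b, facts) for b in bodies))
    if kind == "reject if":
        # assumption: authorization fails as soon as any body matches
        return not any(match_body(b, facts)[1] for b in bodies)
    raise ValueError(kind)


def authorize(facts, checks, policies):
    """All checks must pass; then policies are tried in order and the first match wins."""
    for kind, bodies in checks:
        if not check_passes(kind, bodies, facts):
            return "deny", f"{kind} failed"
    for verdict, bodies in policies:
        if any(match_body(b, facts)[1] for b in bodies):
            return verdict, "policy matched"
    return "deny", "no policy matched"


# A body is (predicates, expressions); "$x" terms are variables, expressions get the bindings.
RIGHT = ([("user", "$u"), ("resource", "$r"), ("operation", "$op"),
          ("right", "$u", "$r", "$op")], [])
REVOKED = ([("resource", "$r"), ("revoked", "$r")], [])


def ordering_based(resource, deny_first):
    """Today's workaround: the deny policy only protects when it is listed before allow."""
    policies = [("deny", [REVOKED]), ("allow", [RIGHT])]
    if not deny_first:
        policies.reverse()
    return authorize(facts_for("alice", resource, "read"), [], policies)[0]


def reject_if_based(resource):
    """Proposed `reject if`: the exclusion holds whatever the policy order is."""
    checks = [("reject if", [REVOKED])]
    policies = [("allow", [RIGHT]), ("deny", [REVOKED])]
    return authorize(facts_for("alice", resource, "read"), checks, policies)[0]


if __name__ == "__main__":
    print(ordering_based("file2", deny_first=True))   # deny
    print(ordering_based("file2", deny_first=False))  # allow: the fragile case
    print(reject_if_based("file2"))                   # deny
    print(reject_if_based("file1"))                   # allow
```

The `check all` branch also shows the partial workaround mentioned above: a body such as `revoked($r)` with the expression `$r == "file1"` fails under `check all` whenever some revoked resource is not `file1`, but it also fails when nothing is revoked at all (no match), which is exactly where a negative check kind reads more naturally.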
I like the idea, but maybe the name is a bit confusing. Are there alternative ways to express it? `check if none` comes to mind, but it's not great.
What about `forbid if` or `reject if`? Or maybe `check none` in opposition to `check all`?
I have opened a poll: https://framapiaf.org/@clementd/110616658721525331
The new samples are available in https://github.com/biscuit-auth/biscuit/pull/161