Skip to content

Level checking soundness proof#533

Merged
john-h-kastner-aws merged 136 commits intomainfrom
levels-checking
Apr 11, 2025
Merged

Level checking soundness proof#533
john-h-kastner-aws merged 136 commits intomainfrom
levels-checking

Conversation

@john-h-kastner-aws
Copy link
Contributor

@john-h-kastner-aws john-h-kastner-aws commented Feb 7, 2025
edited
Loading

Proves that level based entity slicing at level n cannot change the authorization decision when using polices that validate at level n.

The main theorem is

theorem validate_with_level_is_sound {ps : Policies} {schema : Schema} {n : Nat} {request : Request} {entities slice : Entities}
  (hr : validateRequest schema request = .ok ())
  (he : validateEntities schema entities = .ok ())
  (hs : slice = entities.sliceAtLevel request n)
  (htl : validateWithLevel ps schema n = .ok ()) :
  isAuthorized request entities ps = isAuthorized request slice ps

@john-h-kastner-aws
Initial level impl
61a1442 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
proof for if at level 0
ded0e6f 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
iwp
c7ad783 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
tweak ite
937fc95 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
reorg
4206195 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
wip
cd611a0 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
wip
a94d440
@john-h-kastner-aws
wip
ba9a17c 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
reorg files
e66599b
@john-h-kastner-aws
tidy
d5261cc 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
hasattr
ea104a4
@john-h-kastner-aws
work on reachable_attr_step
0b64945
@john-h-kastner-aws
comments
f18e418
@john-h-kastner-aws
introduce lemma to clean up proof
ae34a26
@john-h-kastner-aws
more cases
383e6ba
@john-h-kastner-aws
tidy
a56607b
@john-h-kastner-aws
tidy
2c3c037
@john-h-kastner-aws
reorg
f2158f8
shaobo-he-aws
shaobo-he-aws reviewed Feb 7, 2025
View reviewed changes
@john-h-kastner-aws
use match instead of if
7c52720
@john-h-kastner-aws
tidy: use symm a less
8970e0d 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
dont need that lemma anymore
e4a5402
@john-h-kastner-aws
tidy
6b780af 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
work on not_entities_then_not_slice
f5b05c5 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
slightly simplify lit case
fac2ad4 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
simplify var cae a little
6670bd1 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
move lit inversion into litvar.lean
2232933 
Signed-off-by: John Kastner <jkastner@amazon.com>
emina
emina reviewed Feb 11, 2025
View reviewed changes
@john-h-kastner-aws
unary app sound
44ff0df 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
split checkLevel and checkRoot
3633668 
Signed-off-by: John Kastner <jkastner@amazon.com>
This was referenced Mar 26, 2025
Merged
Merged
@john-h-kastner-aws
Merge remote-tracking branch 'origin/main' into type-annot-inversion
fb802dc
@john-h-kastner-aws
Merge branch 'type-annot-inversion' into levels-checking
fb29c03
@john-h-kastner-aws
cleanup ite case
7da2428 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
tidy getAttr and hasAttr for records
f4bb08b 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
tidy
b7c1a7f 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
record
af9b54b 
Signed-off-by: John Kastner <jkastner@amazon.com>
@john-h-kastner-aws
suffices for nicer proofs
36a7a1a
@john-h-kastner-aws
tidy if case
9fd14e7 
Signed-off-by: John Kastner <jkastner@amazon.com>
Base automatically changed from type-annot-inversion to main April 8, 2025 18:08
@john-h-kastner-aws john-h-kastner-aws marked this pull request as ready for review April 8, 2025 19:27
@john-h-kastner-aws john-h-kastner-aws changed the title Level checking implementation and proof (WIP) Level checking soundness proof Apr 8, 2025
emina
emina reviewed Apr 9, 2025
View reviewed changes
@john-h-kastner-aws
Move more lemmas into data module
f21bba6 
Signed-off-by: John Kastner <jkastner@amazon.com>
emina
emina approved these changes Apr 10, 2025
View reviewed changes
Copy link
Contributor

@emina emina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

chaluli
chaluli approved these changes Apr 11, 2025
View reviewed changes
Copy link

@chaluli chaluli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

@john-h-kastner-aws john-h-kastner-aws merged commit 090f863 into main Apr 11, 2025
6 checks passed
@john-h-kastner-aws john-h-kastner-aws deleted the levels-checking branch April 14, 2025 17:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@emina emina emina approved these changes

@chaluli chaluli chaluli approved these changes

@shaobo-he-aws shaobo-he-aws Awaiting requested review from shaobo-he-aws

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@john-h-kastner-aws @emina @shaobo-he-aws @chaluli