feat: add support for ...IfExists policy conditions

Author: onebytegone

src/fsaba-types.ts

@@ -66,6 +66,23 @@ export enum PolicyConditionMatchType {
     */
    StringDoesNotMatch = 'string-does-not-match',
 
+   /**
+    * Evaluate the value as a string, seeing if it matches the string in the condition.
+    * If the field is missing from the context, the condition passes automatically.
+    * Like actions and resources, a string-matches-if-exists condition allows for a '*' as
+    * a wildcard.
+    */
+   StringMatchesIfExists = 'string-matches-if-exists',
+
+   /**
+    * Evaluates the value as a string, negating the regular string match. That is, the
+    * condition "passes" if the string value from the context fails to match the string in
+    * the condition. If the field is missing from the context, the condition passes
+    * automatically. Like actions and resources, a string-does-not-match-if-exists
+    * condition allows for a '*' as a wildcard.
+    */
+   StringDoesNotMatchIfExists = 'string-does-not-match-if-exists',
+
 }
 
 

src/utils/conditions-match.ts

@@ -1,4 +1,4 @@
-import { StringMap } from '@silvermine/toolbox';
+import { hasDefined, StringMap } from '@silvermine/toolbox';
 import { isPolicyConditionConjunctionAllOf, isPolicyConditionConjunctionAnyOf, isPolicyConditionMatcher, PolicyCondition } from '..';
 import { PolicyConditionMatcher, PolicyConditionMatchType } from '../fsaba-types';
 import stringMatchesPattern from './string-matches-pattern';
@@ -29,6 +29,14 @@ function singleConditionSatisfied(cond: PolicyCondition, context: StringMap): bo
    throw new Error(`Unreachable: ${typeof cond} (${Object.getOwnPropertyNames(cond)})`);
 }
 
+function ifExists(context: StringMap, field: string, callback: (value: string) => boolean): boolean {
+   if (!hasDefined(context, field)) {
+      return true;
+   }
+
+   return callback(context[field]);
+}
+
 /**
  * EXPORTED ONLY FOR TESTING
  */
@@ -40,6 +48,16 @@ export function matcherSatisfied(matcher: PolicyConditionMatcher, context: Strin
       case PolicyConditionMatchType.StringDoesNotMatch: {
          return !stringMatchesPattern(matcher.value, context[matcher.field]);
       }
+      case PolicyConditionMatchType.StringMatchesIfExists: {
+         return ifExists(context, matcher.field, (value) => {
+            return stringMatchesPattern(matcher.value, value);
+         });
+      }
+      case PolicyConditionMatchType.StringDoesNotMatchIfExists: {
+         return ifExists(context, matcher.field, (value) => {
+            return !stringMatchesPattern(matcher.value, value);
+         });
+      }
       default: {
          return false;
       }

tests/multi-dimensional-context.test.ts

@@ -6,6 +6,11 @@ import {
    BUDGET_VIEWER_MFG_HEAD,
    BUDGET_VIEWER_KAZOO_PM,
    BUDGET_VIEWER_ACCOUNTING_HEAD,
+   VIEW_NON_CONFIDENTIAL_BLUEPRINTS,
+   VIEW_ALL_BLUEPRINTS,
+   BLUEPRINT_VIEWER_ENGINEERING,
+   BLUEPRINT_VIEWER_ENGINEERING_ALL,
+   BLUEPRINT_VIEWER_MULTI_DEPT,
 } from './sample-data';
 
 describe('Multi-dimensional context authorization', () => {
@@ -138,3 +143,132 @@ describe('Multi-dimensional context authorization', () => {
       });
    });
 });
+
+describe('Multi-dimensional IfExists conditions', () => {
+   const blueprintFactory = new AuthorizerFactory([ VIEW_NON_CONFIDENTIAL_BLUEPRINTS, VIEW_ALL_BLUEPRINTS ]),
+         mockBlueprint = 'blueprints:a1b2c3d4-e5f6-7890-abcd-ef1234567890';
+
+   describe('BLUEPRINT_VIEWER_ENGINEERING (non-confidential only via StringDoesNotMatchIfExists)', () => {
+      const authorizer = blueprintFactory.makeAuthorizerForSubject(BLUEPRINT_VIEWER_ENGINEERING);
+
+      it('allows viewing engineering blueprint with no classification (field missing)', () => {
+         const allowed = authorizer.isAllowed('blueprints:View', mockBlueprint, {
+            context: { 'blueprints:OwningDepartment': 'engineering' },
+         });
+
+         expect(allowed).to.strictlyEqual(true);
+      });
+
+      it('allows viewing engineering blueprint classified as public', () => {
+         const allowed = authorizer.isAllowed('blueprints:View', mockBlueprint, {
+            context: { 'blueprints:OwningDepartment': 'engineering', 'blueprints:Classification': 'public' },
+         });
+
+         expect(allowed).to.strictlyEqual(true);
+      });
+
+      it('denies viewing engineering blueprint classified as confidential', () => {
+         const allowed = authorizer.isAllowed('blueprints:View', mockBlueprint, {
+            context: { 'blueprints:OwningDepartment': 'engineering', 'blueprints:Classification': 'confidential' },
+         });
+
+         expect(allowed).to.strictlyEqual(false);
+      });
+
+      it('denies viewing manufacturing blueprint (wrong department)', () => {
+         const allowed = authorizer.isAllowed('blueprints:View', mockBlueprint, {
+            context: { 'blueprints:OwningDepartment': 'manufacturing', 'blueprints:Classification': 'public' },
+         });
+
+         expect(allowed).to.strictlyEqual(false);
+      });
+   });
+
+   describe('BLUEPRINT_VIEWER_ENGINEERING_ALL (all blueprints including confidential)', () => {
+      const authorizer = blueprintFactory.makeAuthorizerForSubject(BLUEPRINT_VIEWER_ENGINEERING_ALL);
+
+      it('allows viewing engineering blueprint with no classification', () => {
+         const allowed = authorizer.isAllowed('blueprints:View', mockBlueprint, {
+            context: { 'blueprints:OwningDepartment': 'engineering' },
+         });
+
+         expect(allowed).to.strictlyEqual(true);
+      });
+
+      it('allows viewing engineering blueprint classified as public', () => {
+         const allowed = authorizer.isAllowed('blueprints:View', mockBlueprint, {
+            context: { 'blueprints:OwningDepartment': 'engineering', 'blueprints:Classification': 'public' },
+         });
+
+         expect(allowed).to.strictlyEqual(true);
+      });
+
+      it('allows viewing engineering blueprint classified as confidential', () => {
+         const allowed = authorizer.isAllowed('blueprints:View', mockBlueprint, {
+            context: { 'blueprints:OwningDepartment': 'engineering', 'blueprints:Classification': 'confidential' },
+         });
+
+         expect(allowed).to.strictlyEqual(true);
+      });
+
+      it('denies viewing manufacturing blueprint (wrong department)', () => {
+         const allowed = authorizer.isAllowed('blueprints:View', mockBlueprint, {
+            context: { 'blueprints:OwningDepartment': 'manufacturing', 'blueprints:Classification': 'public' },
+         });
+
+         expect(allowed).to.strictlyEqual(false);
+      });
+   });
+
+   describe('BLUEPRINT_VIEWER_MULTI_DEPT (non-confidential across engineering + manufacturing)', () => {
+      const authorizer = blueprintFactory.makeAuthorizerForSubject(BLUEPRINT_VIEWER_MULTI_DEPT);
+
+      it('allows viewing engineering blueprint with no classification', () => {
+         const allowed = authorizer.isAllowed('blueprints:View', mockBlueprint, {
+            context: { 'blueprints:OwningDepartment': 'engineering' },
+         });
+
+         expect(allowed).to.strictlyEqual(true);
+      });
+
+      it('allows viewing manufacturing blueprint with no classification', () => {
+         const allowed = authorizer.isAllowed('blueprints:View', mockBlueprint, {
+            context: { 'blueprints:OwningDepartment': 'manufacturing' },
+         });
+
+         expect(allowed).to.strictlyEqual(true);
+      });
+
+      it('allows viewing engineering blueprint classified as internal', () => {
+         const allowed = authorizer.isAllowed('blueprints:View', mockBlueprint, {
+            context: { 'blueprints:OwningDepartment': 'engineering', 'blueprints:Classification': 'internal' },
+         });
+
+         expect(allowed).to.strictlyEqual(true);
+      });
+
+      it('denies viewing engineering confidential blueprint', () => {
+         const allowed = authorizer.isAllowed('blueprints:View', mockBlueprint, {
+            context: { 'blueprints:OwningDepartment': 'engineering', 'blueprints:Classification': 'confidential' },
+         });
+
+         expect(allowed).to.strictlyEqual(false);
+      });
+
+      it('denies viewing manufacturing confidential blueprint', () => {
+         const allowed = authorizer.isAllowed('blueprints:View', mockBlueprint, {
+            context: { 'blueprints:OwningDepartment': 'manufacturing', 'blueprints:Classification': 'confidential' },
+         });
+
+         expect(allowed).to.strictlyEqual(false);
+      });
+
+      it('denies viewing HR blueprint (unauthorized department)', () => {
+         const allowed = authorizer.isAllowed('blueprints:View', mockBlueprint, {
+            context: { 'blueprints:OwningDepartment': 'hr', 'blueprints:Classification': 'public' },
+         });
+
+         expect(allowed).to.strictlyEqual(false);
+      });
+   });
+});

tests/sample-data.ts

@@ -301,6 +301,75 @@ export const BUDGET_VIEWER_ACCOUNTING_HEAD: Claims = {
    ],
 };
 
+export const VIEW_NON_CONFIDENTIAL_BLUEPRINTS: RoleDefinition = {
+   roleID: 'view-non-confidential-blueprints',
+   policies: [
+      {
+         effect: PolicyEffect.Allow,
+         actions: [ 'blueprints:View' ],
+         resources: [ 'blueprints:*' ],
+         conditions: [
+            {
+               type: PolicyConditionMatchType.StringMatches,
+               field: 'blueprints:OwningDepartment',
+               value: '{CONTEXT_VALUE:department}',
+            },
+            {
+               type: PolicyConditionMatchType.StringDoesNotMatchIfExists,
+               field: 'blueprints:Classification',
+               value: 'confidential',
+            },
+         ],
+      },
+   ],
+};
+
+export const VIEW_ALL_BLUEPRINTS: RoleDefinition = {
+   roleID: 'view-all-blueprints',
+   policies: [
+      {
+         effect: PolicyEffect.Allow,
+         actions: [ 'blueprints:View' ],
+         resources: [ 'blueprints:*' ],
+         conditions: [
+            {
+               type: PolicyConditionMatchType.StringMatches,
+               field: 'blueprints:OwningDepartment',
+               value: '{CONTEXT_VALUE:department}',
+            },
+         ],
+      },
+   ],
+};
+
+export const BLUEPRINT_VIEWER_ENGINEERING_ID = 'e5f6a7b8-c9d0-1234-ef01-567890123456';
+
+export const BLUEPRINT_VIEWER_ENGINEERING: Claims = {
+   subjectID: BLUEPRINT_VIEWER_ENGINEERING_ID,
+   roles: [
+      { roleID: VIEW_NON_CONFIDENTIAL_BLUEPRINTS.roleID, contextValue: { department: 'engineering' } },
+   ],
+};
+
+export const BLUEPRINT_VIEWER_ENGINEERING_ALL_ID = 'f6a7b8c9-d0e1-2345-f012-678901234567';
+
+export const BLUEPRINT_VIEWER_ENGINEERING_ALL: Claims = {
+   subjectID: BLUEPRINT_VIEWER_ENGINEERING_ALL_ID,
+   roles: [
+      { roleID: VIEW_ALL_BLUEPRINTS.roleID, contextValue: { department: 'engineering' } },
+   ],
+};
+
+export const BLUEPRINT_VIEWER_MULTI_DEPT_ID = 'a7b8c9d0-e1f2-3456-0123-789012345678';
+
+export const BLUEPRINT_VIEWER_MULTI_DEPT: Claims = {
+   subjectID: BLUEPRINT_VIEWER_MULTI_DEPT_ID,
+   roles: [
+      { roleID: VIEW_NON_CONFIDENTIAL_BLUEPRINTS.roleID, contextValue: { department: 'engineering' } },
+      { roleID: VIEW_NON_CONFIDENTIAL_BLUEPRINTS.roleID, contextValue: { department: 'manufacturing' } },
+   ],
+};
+
 export const ALL_ROLES = [
    ADMINISTER_OWN_AUTH,
    ADMINISTER_OTHER_AUTH,
@@ -310,4 +379,6 @@ export const ALL_ROLES = [
    ADMINISTER_ORG_BUSINESS_ACCOUNTS_CONJUNCTIVE,
    ADMINISTER_ORG_BUSINESS_ACCOUNTS_ROOT_ARRAY,
    VIEW_BUDGET,
+   VIEW_NON_CONFIDENTIAL_BLUEPRINTS,
+   VIEW_ALL_BLUEPRINTS,
 ];

tests/utils/conditions-match.test.ts

@@ -1,8 +1,85 @@
 import { expect } from 'chai';
 import { matcherSatisfied } from '../../src/utils/conditions-match';
+import { PolicyConditionMatchType } from '../../src/fsaba-types';
 
 describe('matcherSatisfied', () => {
    it('returns false on invalid matcher type', () => {
       expect(matcherSatisfied({ type: 'foo' } as any, {})).to.eql(false);
    });
+
+   describe('StringMatchesIfExists', () => {
+      it('returns true when field is missing from context', () => {
+         const matcher = {
+            type: PolicyConditionMatchType.StringMatchesIfExists,
+            field: 'department',
+            value: 'manufacturing',
+         };
+
+         const context = { product: 'kazoo' };
+
+         expect(matcherSatisfied(matcher, context)).to.eql(true);
+      });
+
+      it('returns true when field is present and matches', () => {
+         const matcher = {
+            type: PolicyConditionMatchType.StringMatchesIfExists,
+            field: 'department',
+            value: 'manufacturing',
+         };
+
+         const context = { department: 'manufacturing' };
+
+         expect(matcherSatisfied(matcher, context)).to.eql(true);
+      });
+
+      it('returns false when field is present and does not match', () => {
+         const matcher = {
+            type: PolicyConditionMatchType.StringMatchesIfExists,
+            field: 'department',
+            value: 'manufacturing',
+         };
+
+         const context = { department: 'marketing' };
+
+         expect(matcherSatisfied(matcher, context)).to.eql(false);
+      });
+   });
+
+   describe('StringDoesNotMatchIfExists', () => {
+      it('returns true when field is missing from context', () => {
+         const matcher = {
+            type: PolicyConditionMatchType.StringDoesNotMatchIfExists,
+            field: 'department',
+            value: 'manufacturing',
+         };
+
+         const context = { product: 'kazoo' };
+
+         expect(matcherSatisfied(matcher, context)).to.eql(true);
+      });
+
+      it('returns false when field is present and matches pattern', () => {
+         const matcher = {
+            type: PolicyConditionMatchType.StringDoesNotMatchIfExists,
+            field: 'department',
+            value: 'manufacturing',
+         };
+
+         const context = { department: 'manufacturing' };
+
+         expect(matcherSatisfied(matcher, context)).to.eql(false);
+      });
+
+      it('returns true when field is present and does not match', () => {
+         const matcher = {
+            type: PolicyConditionMatchType.StringDoesNotMatchIfExists,
+            field: 'department',
+            value: 'manufacturing',
+         };
+
+         const context = { department: 'marketing' };
+
+         expect(matcherSatisfied(matcher, context)).to.eql(true);
+      });
+   });
 });