Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Permission check ignores further relationships when a relationship with caveat does not match #2026

Closed
tim-mod opened this issue Aug 15, 2024 · 3 comments · Fixed by #2027
Closed

Permission check ignores further relationships when a relationship with caveat does not match #2026

tim-mod opened this issue Aug 15, 2024 · 3 comments · Fixed by #2027
Labels
area/dispatch Affects dispatching of requests kind/bug Something is broken or regressed

Comments

@tim-mod
Copy link

tim-mod commented Aug 15, 2024

What platforms are affected?

linux

What architectures are affected?

amd64

What SpiceDB version are you using?

v1.35.2

Steps to Reproduce

docker-compose.yaml

services:
  spicedb:
    image: "authzed/spicedb"
    command: "serve"
    restart: "always"
    ports:
      - "50051:50051"
    environment:
      - "SPICEDB_GRPC_PRESHARED_KEY=123456"
      - "SPICEDB_DATASTORE_ENGINE=postgres"
      - "SPICEDB_DATASTORE_CONN_URI=postgres://postgres:postgres@database:5432/spicedb?sslmode=disable"
    depends_on:
      - "migrate"

  migrate:
    image: "authzed/spicedb"
    command: "datastore migrate head"
    restart: "on-failure"
    environment:
      - "SPICEDB_DATASTORE_ENGINE=postgres"
      - "SPICEDB_DATASTORE_CONN_URI=postgres://postgres:postgres@database:5432/spicedb?sslmode=disable"
    depends_on:
      - "database"
      
  database:
    image: "postgres"
    command: -c track_commit_timestamp=on
    ports:
      - "5432:5432"
    environment:
      - "POSTGRES_DB=spicedb"
      - "POSTGRES_PASSWORD=postgres"

schema.yaml

schema: >-
  definition user {}

  /**
   * The count of current entries in the database must be lower than the limit.
   */
  caveat write_limit(limit uint, count uint) {
    count < limit
  }

  definition role {
    relation member: user
  }

  definition database {
      relation writer: role#member with write_limit

      permission write = writer
  }
relationships: |-
  database:listings#writer@role:default#member[write_limit:{"limit":2}]
  database:listings#writer@role:premium#member[write_limit:{"limit":4}]
  role:default#member@user:bob
  role:premium#member@user:bob
assertions:
  assertTrue:
    - 'database:listings#write@user:bob with {"count":3}'
validation: {}

Run

  1. docker compose -f ./docker-compose.yaml up
  2. zed import ./schema.yaml
  3. zed permission check database:listings write user:bob --caveat-context '{"count":3}' --consistency-full

Expected Result

I expected the permission check to succeed, which is the case when running Spicedb with the in-memory database or using zed validate ./schema.yaml.

Actual Result

The permission check fails when using Postgres, MySql or the zed terminal on the Authzed playground.
However, if I switch the values for the limit parameter and have relationships like

 database:listings#writer@role:default#member[write_limit:{"limit":4}]
 database:listings#writer@role:premium#member[write_limit:{"limit":2}]

instead of

database:listings#writer@role:default#member[write_limit:{"limit":2}]
database:listings#writer@role:premium#member[write_limit:{"limit":4}]

the permission check succeeds.
For me, it looks like Spicedb stops evaluation after encountering the first caveat relationship and ignores any further relationships.
@tim-mod tim-mod added the kind/bug Something is broken or regressed label Aug 15, 2024
@josephschorr
Copy link
Member

@tim-mod Its not a datastore issue but rather something in the redispatcher logic. I've identified the issue and we'll issue a fix (and a point release) over the next few days

josephschorr added a commit to josephschorr/spicedb that referenced this issue Aug 15, 2024
@josephschorr
Ensure all resources are returned for relation check when caveats are…
0e4c99e 
… specified

Fixes authzed#2026
@josephschorr josephschorr mentioned this issue Aug 15, 2024
Merged
@josephschorr
Copy link
Member

@tim-mod PR issued for a fix; once its reviewed and merged we'll issue a release

@tim-mod
Copy link
Author

tim-mod commented Aug 15, 2024

@josephschorr That's great! Thank you for the quick fix and reply.

@josephschorr josephschorr added the area/dispatch Affects dispatching of requests label Aug 15, 2024
josephschorr added a commit to josephschorr/spicedb that referenced this issue Aug 15, 2024
@josephschorr
Ensure all resources are returned for relation check when caveats are…
20855de 
… specified

Fixes authzed#2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/dispatch Affects dispatching of requests kind/bug Something is broken or regressed
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Ensure all resources are returned for relation check when caveats are specified josephschorr/spicedb
2 participants
@josephschorr @tim-mod