This is very TBD. Just a placeholder

👍

Could this be named rbac instead? I think it might more accurately scope what we're trying to do.

When authn comes in, I think it'll be like this. authz is not my term, https://www.cloudflare.com/learning/access-management/authn-vs-authz/. It's more clear than rbac, as it's the authorize function. TBD on where the roles go.

.
├── auth
│  ├── authz/
│  └── authn/
├── subject.go
├── object.go
├── action.go
├── roles.go
└── authorize.go

Maybe auth/rbac can have roles? Still in the air, just needed to stub until Dean was ready.

Is there a reason to not call them authorization and authentication? I've rarely seen the terms authn and authz used in the wild, so it's confusing to me at a glance.

I think it's only common in this particular domain. Cloudflare for example uses the terms fairly prominently. (EDIT: Steven already linked it 😆)

Why have all these helper functions when you can just access the struct directly?

I don't want to expose this object. I believe the api is cleaner when you have to stem from a resource type. The accessors above are to fulfill an interface.

obj := authz.ResourceWorkspace.Org("default")

// VS

obj := authz.ZObject{
  OrgOwner: "default",
  ResourceType: authz.ResourceWorkspace,
}

I'm in favor of the more verbose option. Especially with something like RBAC, I think we should put extreme emphasis on simplicity in what we expose to the callers. Wrapping these feels unnecessary since they're just setting a struct parameter anyways.

authz.Authorize(user, authz.ResourceWorkspace.Org("default").Owner(user.UserID).AsID("1234"), authz.ActionRead)

authz.Authorize(user, authz.ResourceWorkspace, authz.ActionRead)

To

authz.Authorize(user, authz.ActionRead, authz.ZObject{
  Owner: user.UserID,
  OrgOwner: "default",
  ID: "1234"
  ResourceType: authz.ResourceWorkspace,
})

authz.Authorize(user, authz.ActionRead, authz.ZObject{
  ResourceType: authz.ResourceWorkspace,
})

All of our resource identifiers are UUIDs, can this be one too?

I thought some ids from v1 are still strings. I would like uuid yes, I can change if this is true

This is true! All v1 IDs have been converted to UUIDs.

In the absence of a -, would a + be implicit?

It is yes, I thought it'd be fine to just be explicit. I can roll either way on it

I think I'd prefer implicit, as - nodes should rarely be used from my perspective.

Sure 👍

Are we planning on storing permissions as a comma-separated array? Or is this a helper function?

Just a helper function. It's easier to make permissions this way. We will probably store as json

Could we store it as a string array? Exposing a helper function to the API that's just used for tests may confuse a caller.

What is this?

For testing purposes, we want to ensure a non-relevant permission is in fact not relevant.
So I use this for fields. Like other action should never be relevant

Why do we need abstain?

It's part of the permission model.
Some permissions are not applicable to a given request.
They will return an abstain result in this case.

Is this so we could display to customers which permission node is truly having an impact on the success/failure of an auth request?

It is not. Abstain is just naming the case where a permission node is irrelevant. So it's just naming this case so our language is complete in that we can describe all permissions.

Example: If the input action is read, then the perm *.*.*.update has no effect and passes no judgement. We named this abstain.

By default, if the only effect from a set of permissions is abstain, then we default to deny. Since they have no perm to access the object.

Can we default to allows in the absence of denies?

I don't think that's a good idea.
Default deny is the de-facto behaviour of operation for the other authorization implementations I reviewed.

Just so I understand, workspaces.*.create would be interpreted as a deny by default in those implementations?

Yeah, for example here: https://sourcegraph.com/github.com/fleetdm/fleet/-/blob/server/authz/policy_test.go?L69

A nil user is not allowed to either read or write session. Obviously what you want to deny-by-default depends on what you're building.

Could you add docs on why site is required here? This seems like it'd be attached to a workspace.

Eh, it's probably a bad example. +site:*.*.read might be better here.

Does this need to be prefixed with z? The package already ends with z, so I'd assume not.

I can't find anywhere that OwnerID or OrgOwnerID is used. Can we remove these interfaces?

I don't see in the code how these interfaces are used. Can we remove them?

I think it's generally bad practice to expose a struct parameter under a different name.

OwnerByOrg and OrgOwnerID are the same thing, but in different words. What's the harm in exposing OwnedByOrg? I feel like these wrapper functions are misdirecting.

In idiomatic Go, these would be SetOrgOwnerID https://go.dev/doc/effective_go#Getters

Why did we need to create our own mini-DSL to test these cases? Since there's only 12, could we just write 12 test cases?

This isn't a DSL, it's just labeling categories for communication. It allows understanding a failure in O+ means there is a bug in positive org permissions.

Note that these 12 cases are applied to object permutations too. Using the labels makes this very easy to identify which sets change based on the object input.

So they are just names.

Could we reference these directly instead of abstracting them into abbreviated labels?

Closing this PR, so it doesn't matter, but giving them string names in a map or var names seems identical to me. It's a matter of documenting what the notation means, which I believe I have done in Notion. Would have had to be ported to Git if we continued this route.