Policy information in allowed response

[otternq]

Hello,

I'm evaluating Ory systems and I'm interested in supplying Keto policy information to an Oathkeeper upstream application (maybe as part of a id_token mutation?). The Keto policy would allow the upstream application to run a slightly different query for different subjects.

For an example request

GET /tenant/1/resource

subject 1 who has access through a primary-user policy would receive

[
    {"id": 1, "data": "data1"},
    {"id": 2, "data": "data2"}
]

while subject 2 accessing the same endpoint through a limited-user policy would receive

[
    {"id": 2, "data": "data2"}
]

It seems possible for Keto's rego queries to bind the policies allowing access to its ResultSet. With that information in Keto's response perhaps Oathkeeper could make it available through the AuthenticationSession.

Would this functionality be helpful? Is this an anti-pattern?

--- a/engine/ladon/rego/core/effect.rego
+++ b/engine/ladon/rego/core/effect.rego
@@ -8,3 +8,12 @@ effect_allow(effects) {
 any_effect_deny(effects) {
 	effects[_] == "deny"
 }
+
+policies_effect_allow(policies) {
+	policies[_].effect == "allow"
+	not policies_effect_deny(policies)
+}
+
+policies_effect_deny(policies) {
+	policies[_].effect == "deny"
+}
\ No newline at end of file
diff --git a/engine/ladon/rego/regex/main.rego b/engine/ladon/rego/regex/main.rego
index 3d2a03f..097ab37 100644
--- a/engine/ladon/rego/regex/main.rego
+++ b/engine/ladon/rego/regex/main.rego
@@ -6,11 +6,16 @@ import data.ory.condition as condition
 import input as request

 default allow = false
+default allow_policies = {"allowed": false, "policies": []}

 allow {
     decide_allow(store.policies, store.roles)
 }

+allow_policies() = x {
+    x := decide_policies(store.policies, store.roles)
+}
+
 decide_allow(policies, roles) {
 	effects := [effect | effect := policies[i].effect
 	        matcher(policies[i].resources, request.resource)
@@ -25,6 +30,21 @@ decide_allow(policies, roles) {
 	core.effect_allow(effects)
 }

+decide_policies(policies, roles) = x {
+    policies = [policy | policy := policies[i]
+	        matcher(policies[i].resources, request.resource)
+	        match_subjects(policies[i].subjects, roles, request.subject)
+	        matcher(policies[i].actions, request.action)
+			condition.all_conditions_true(policies[i])
+		]
+
+    count(policies, c)
+    c > 0
+    core.policies_effect_allow(policies)
+
+    x := {"allowed": decide_allow(policies, roles), "policies": policies}
+}
+
 matcher(patterns, compare) {
     pattern := patterns[_]
     regex.template_match(pattern, compare, "<", ">", output)
diff --git a/engine/ladon/handler.go b/engine/ladon/handler.go
index a62989c..97690b4 100644
--- a/engine/ladon/handler.go
+++ b/engine/ladon/handler.go
-	query := fmt.Sprintf("data.ory.%s.allow", f)
+	query := fmt.Sprintf("x = data.ory.%s.allow_policies", f)
 	store, err := e.s.Storage(ctx, schema, []string{policyCollection(f), roleCollection(f)})

[aeneasr]

Hello @otternq - thank you for the detail of these issues and the suggested ideas. The problem is that we do not accept functional changes to Ory Keto as is. Maybe you have seen the pinned issue #267 or the PR #266. We're actually quite close to a release, pending documentation, and are running the new Ory Keto in our staging environment.

I hope this doesn't frustrate you too much - we'll be able to provide more details on the refactoring soon. We have not yet defined migrations paths but are planning on doing that with community support.