How can I give permissions based on entity type?


I'm trying to set permissions based on the types of entities Orion is going to save. As the permissions are associated to "endpoints" I had tried to set as endpoint /entities?type=Truck (for example). The problem is that it tells me (Keyrock through PEP response) that the user is not authorized in the application. I have looked at all the connections in the database and it appears to me that he is authorized, has his role, his permission, and his assigned organization, all within the only application that has been created.

In the tutorial something similar appears with the POST request, but this is because in the body of the message the type of entity is sent. In the case of the GET I don't see it so clear, since it goes in the URL, but trying this hasn't worked.

Is it possible that this should not be done in this way? How should this type of permissions be created?


It seems like overkill to use Authzforce for this, but you could achieve this using string-starts-with and a string-at-least-one-member-of condition e.g.:

<Target>
  <AnyOf>
    <AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
      </Match>
    </AllOf>
  </AnyOf>
</Target>
<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/v2/entities?type=Car</AttributeValue>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/v2/entities?type=Truck</AttributeValue>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/v2/entities?type=Bicycle</AttributeValue>
    </Apply>
    <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
  </Apply>
</Condition>

This <Target> checks for the GET HTTP verb; the <Condition> ensures the resource URL will match Truck, Car or Bicycle.
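As an added illustration (not part of the question or the answer above, and not Authzforce code), the following Python models what the rule above decides: `exact_match` reproduces the literal string-bag membership of the condition, and `parsed_match` shows the more robust check a practitioner usually wants, reading the `type` query parameter so that reordered or extra parameters and Orion's comma-separated `type` lists are evaluated against the same allow-list. The allow-list and request strings are constructed samples, and the mapping of the PEP's sub-resource-id to a path-plus-query string is assumed.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list mirroring the string-bag in the XACML condition.
ALLOWED_TYPES = {"Car", "Truck", "Bicycle"}
ALLOWED_EXACT = {f"/v2/entities?type={t}" for t in ALLOWED_TYPES}


def exact_match(sub_resource_id: str) -> bool:
    """string-at-least-one-member-of over the literal bag: the whole
    path-plus-query string must equal one of the listed values, so
    '/v2/entities?limit=10&type=Truck' does not match."""
    return sub_resource_id in ALLOWED_EXACT


def parsed_match(sub_resource_id: str) -> bool:
    """Parse the query string and require a 'type' parameter whose every
    listed value (Orion accepts comma-separated lists) is allowed.
    Missing type, unknown type or a different path is not matched."""
    parts = urlsplit(sub_resource_id)
    if parts.path != "/v2/entities":
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    type_values = query.get("type")
    if not type_values:
        return False  # no type filter at all would return every entity
    requested = {t for value in type_values for t in value.split(",")}
    return requested <= ALLOWED_TYPES


def rule_permits(method: str, sub_resource_id: str, matcher=parsed_match) -> bool:
    """True when the rule's Effect (Permit) applies: Target requires GET and
    the Condition requires the resource match. Otherwise the rule is
    NotApplicable and the PEP falls back to its default decision."""
    if method != "GET":
        return False
    return matcher(sub_resource_id)
```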