Add policy support for warrants (#13)

* Add support for context in access checks

* Add policy support for creating / deleting warrants

* Add tests for creating, checking, and deleting a warrant with a policy

* Fix lint errors

* Only pass policy if not empty when creating / deleting warrants

Author: stanleyphu

examples/example.py

@@ -167,6 +167,17 @@
 result = warrant.Authz.check("permission", "permission1", "member", user1_subject)
 print(f"Does [{user1.id}] have the [permission1] permission? (should be true) -> {result}")
 
+# Create, check, and delete warrant with a policy
+test_user_subject = warrant.Subject("user", "test-user")
+warrant.Warrant.create("permission", "test-permission", "member", test_user_subject, "geo == 'us'")
+print("Manually assigned [test-permission] permission to test-user with the context [geo == 'us']")
+result = warrant.Authz.check("permission", "test-permission", "member", test_user_subject, {"geo": "us"})
+print(f"Does test-user have the [test-permission] permission with the following context [geo == 'us']? (should be true) -> {result}")
+result = warrant.Authz.check("permission", "test-permission", "member", test_user_subject, {"geo": "eu"})
+print(f"Does test-user have the [test-permission] permission with the following context [geo == 'eu']? (should be false) -> {result}")
+warrant.Warrant.delete("permission", "test-permission", "member", test_user_subject, "geo == 'us'")
+print("Manually removed [test-permission] permission from test-user with the context [geo == 'us']")
+
 # Query warrants
 # warrants = warrant.Warrant.query(select="explicit warrants", for_clause="subject=user:"+user1.id, where="relation=member")
 # print("Query warrants results:")

warrant/authz.py

@@ -5,7 +5,7 @@
 class Authz(APIResource):
 
     @classmethod
-    def check(cls, object_type, object_id, relation, subject):
+    def check(cls, object_type, object_id, relation, subject, context={}):
         warrantToCheck = {
             "objectType": object_type,
             "objectId": object_id,
@@ -14,7 +14,8 @@ def check(cls, object_type, object_id, relation, subject):
                 "objectType": subject.object_type,
                 "objectId": subject.object_id,
                 "relation": subject.relation
-            }
+            },
+            "context": context
         }
         payload = {
             "op": "anyOf",

warrant/warrant.py

@@ -27,7 +27,7 @@ def __init__(self, obj):
         self.subject = obj["subject"]
 
     @classmethod
-    def create(cls, object_type, object_id, relation, subject):
+    def create(cls, object_type, object_id, relation, subject, policy=""):
         payload = {
             "objectType": object_type,
             "objectId": object_id,
@@ -41,6 +41,8 @@ def create(cls, object_type, object_id, relation, subject):
             }
         else:
             raise WarrantException(msg="Invalid type for \'subject\'. Must be of type Subject")
+        if policy != "":
+            payload["policy"] = policy
         cls._post(uri="/v1/warrants", json=payload)
 
     @classmethod
@@ -53,7 +55,7 @@ def query(cls, select, for_clause, where):
         return cls._get(uri="/v1/query", params=params, object_hook=Warrant.from_json)
 
     @classmethod
-    def delete(cls, object_type, object_id, relation, subject):
+    def delete(cls, object_type, object_id, relation, subject, policy=""):
         payload = {
             "objectType": object_type,
             "objectId": object_id,
@@ -67,6 +69,8 @@ def delete(cls, object_type, object_id, relation, subject):
             }
         else:
             raise WarrantException(msg="Invalid type for \'subject\'. Must be of type Subject")
+        if policy != "":
+            payload["policy"] = policy
         cls._delete(uri="/v1/warrants", json=payload)
 
     """