Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

typesafe attributes in client calls #540

Open
mdugue opened this issue May 30, 2023 · 2 comments
Open

typesafe attributes in client calls #540

mdugue opened this issue May 30, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

@mdugue
Copy link

mdugue commented May 30, 2023

We recently started stepping into cerbos as an AuthZ solutions and are very happy so far with the onboarding experience and the clean yet powerfull modelling possibilities. Great job 💪

I was wondering if there is a way to provide type safety to the attributes that get provided to Principal and Resource in @cerbos/grpc or @cerbos/http? One example that came to my mind is the usage of the schemas.

If we provide a schema for a resource policy, this schema could also be used for generating stricter swagger / OpenAPI SDKs. Are there any approaches / ideas / hints for achieving this or similar?

Thanks a lot in advance!
@haines
Copy link
Member

haines commented May 30, 2023

Hi @mdugue! Being able to generate "smarter" clients from your actual policies and schemas is definitely a use case we are interested in supporting, but isn't likely to be implemented imminently.

For now, the approach I would take would be to generate TypeScript types from your principal and resource schemas (using e.g. json-schema-to-typescript), and create a wrapper around the Cerbos GRPC/HTTP client that uses the generate types to define type-safe versions of the API methods you want to use.

@haines haines added the enhancement New feature or request label May 30, 2023
@mdugue
Copy link
Author

mdugue commented Jun 14, 2023

Hey @haines, thanks a lot for your reply. Meanwhile we have started exploring this field and created an interim solution. Instead of creating a wrapper we opted for generating TypeScript Declaration files, that allows using the original cerbos API.

It's basically a codegen CLI npx @estino/cerbos-ts-codegen that outputs sth like:

// cerbos.d.ts
import type {
	Principal,
	IsAllowedRequest,
} from "@cerbos/core/lib/types/external"

declare module "@cerbos/http" {
	interface HTTP {
		isAllowed(request: isAllowedParams): Promise<boolean>
	}
	export interface ContractPrincipal {
		department: "tech" | "legal"
		organisation: string
		[k: string]: unknown
	}
	export interface Contract {
		organisation: string
		[k: string]: unknown
	}

	type isAllowedParamsContract = {
		principal: Principal & {
			attributes?: ContractPrincipal
		}
		resource: { kind: "contract"; attributes: Contract }
		action: "view" | "edit"
	}
	type isAllowedParams = IsAllowedRequest & isAllowedParamsContract
}

You can find more details on https://github.com/optiscaners/cerbos-ts-codegen
What do you think about this approach, is it worth digging deeper here or do you see any architectonical disadvantages?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@haines @mdugue