View Source Policies
Policies determine what actions on a resource are permitted for a given actor.
Read and understand the Security guide before proceeding, which explains actors, how to set them, and other relevant configurations.
setup
Setup
You'll need to add the extension to your resource, like so:
use Ash.Resource, authorizers: [Ash.Policy.Authorizer]
Then you can start defining policies for your resource.
policies
Policies
anatomy-of-a-policy
Anatomy of a Policy
Each policy defined in a resource has two parts -
- a condition, such as
action_type(:read)
oractor_attribute_equals(:admin, true)
oralways()
. If this condition is true for a given action request, then the policy will be applied to the request. - a set of policy checks, each of which will be evaluated individually if a policy applies to a request.
If more than one policy applies to any given request (eg. an admin actor calls a read action) then all applicable policies must pass for the action to be performed.
A policy will produce one of three results: :forbidden
, :authorized
, or :unknown
. :unknown
is treated the same as :forbidden
.
the-simplest-policy
The Simplest Policy
Let's start with the simplest (most permissive) policy:
policies do
policy always() do
authorize_if always()
end
end
The first argument to policy
is the condition. In this case, the condition is always()
- a built-in helper always returning true, meaning that the policy applies to every request.
Within this policy we have a single policy check, declared with authorize_if
. Checks logically apply from top to bottom, based on their check type. In this case, we'd read the policy as "this policy always applies, and authorizes always".
There are four check types, all of which do what they sound like they do:
authorize_if
- if the check is true, the whole policy is authorized.authorize_unless
- if the check is false, the whole policy is authorized.forbid_if
- if the check is true, the whole policy is forbidden.forbid_unless
- if the check is false, the whole policy is forbidden.
If a single check does not explicitly authorize or forbid the whole policy, then the flow moves to the next check. For example, if an authorize_if
check does NOT return true, this does not mean the whole policy is forbidden - it means that further checking is required.
how-a-decision-is-reached
How a Decision is Reached
Not every check in a policy must pass! This is described above, but is very important so another example is provided here. Checks go from top to bottom, are evaluated independently of each other, and the first one that reaches a decision determines the overall policy result. For example:
policy action_type(:create) do
authorize_if IsSuperUser
forbid_if Deactivated
authorize_if IsAdminUser
forbid_if RegularUserCanCreate
authorize_if RegularUserAuthorized
end
We check those from top to bottom, so the first one of those that returns :authorized
or :forbidden
determines the entire outcome. For example:
authorize_if IsSuperUser # If this is true, the actor is a superuser
# None of the rest of the checks matter, even if the actor is deactivated.
forbid_if Deactivated
authorize_if IsAdminUser
forbid_if RegularUserCanCreate
authorize_if RegularUserAuthorized
Conversely:
authorize_if IsSuperUser # This can be false
forbid_if Deactivated # This can be false
authorize_if IsAdminUser # If this is true, then the policy is still authorized.
# And none of these checks matter
forbid_if RegularUserCanCreate
authorize_if RegularUserAuthorized
not-all-policy-checks-have-yes-no-answers
Not all policy checks have yes/no answers
This will be covered in greater detail in Checks, but will be briefly mentioned here.
Ash provides two basic types of policy checks - simple checks and filter checks. Simple checks are what we commonly think of with authorization, and what the above example would suggest - is an actor allowed to perform a given operation, yes or no? But we can also use filter checks - given a list of resources, which ones is an actor allowed to perform the operation on?
Filter checks are frequently used with read actions, as they can refer to multiple instances (eg. "list all products"), but may also be applied to actions like bulk-deleting records (which is not currently supported, but will be eventually).
bypass-policies
Bypass policies
A bypass policy is just like a regular policy, except if a bypass passes, then other policies after it do not need to pass. This can be useful for writing complex access rules, or for a simple rule like "an admin can do anything" without needing to specify it as part of every other policy.
a-realistic-policy
A realistic policy
In this example, we use some of the provided built-in checks.
policies do
# Anything you can use in a condition, you can use in a check, and vice-versa
# This policy applies if the actor is a super_user
# Additionally, this policy is declared as a `bypass`. That means that this check is allowed to fail without
# failing the whole request, and that if this check *passes*, the entire request passes.
bypass actor_attribute_equals(:super_user, true) do
authorize_if always()
end
# This will likely be a common occurrence. Specifically, policies that apply to all read actions
policy action_type(:read) do
# unless the actor is an active user, forbid
forbid_unless actor_attribute_equals(:active, true)
# if the record is marked as public, authorize
authorize_if attribute(:public, true)
# if the actor is related to the data via that data's `owner` relationship, authorize
authorize_if relates_to_actor_via(:owner)
end
end
checks
Checks
Checks evaluate from top to bottom within a policy. A check can produce one of three results, the same that a policy can produce. While checks are not necessarily evaluated in order, they logically apply in that order, so you may as well think of it in that way. It can be thought of as a step-through algorithm.
For each check, starting from the top:
- Run the check.
- If it returns
:authorized
, the policy is:authorized
- If it returns
:forbidden
, the policy is:forbidden
- If it returns
:unknown
, the next check down is checked
- If it returns
For the example from earlier:
authorize_if IsSuperUser
- If this check succeeds, it returns
:authorized
, the whole policy is:authorized
, and checks stop running - If this check fails, it returns
:unknown
and the next check is checked
- If this check succeeds, it returns
forbid_if Deactivated
- We only care about this result if the previous check failed, ie. the actor is not a super user.
- If this check succeeds, it returns
:forbidden
, the whole policy is:forbidden
, and checks stop running - If this check fails, it returns
:unknown
and the next check is checked
authorize_if IsAdminUser
- We only care about this result if the previous checks failed, ie. the actor is not a super user and is not deactivated.
- If this check succeeds, it returns
:authorized
, the whole policy is:authorized
and checks stop running. - If this check fails, it returns
:unknown
and the next check is checked
authorize_if RegularUserAuthorized
- We only care about this result if the previous checks failed, ie. the actor is not a super user, not deactivated and not an admin user.
- If this check succeeds, it returns
:authorized
, the whole policy is:authorized
and checks stop running. - If this check fails, it returns
:unknown
. As there are no more checks to run, the whole policy returns:unknown
, which is treated as forbidden and the actor is not allowed to perform the action.
types-of-checks
Types of checks
As mentioned earlier, there are two distinct types of checks - simple checks and filter checks. So far we've seen examples of both - let's look in a bit more detail.
(Both simple and filter checks are a subset of a third type of check - a manual check - but you will almost always want to write simple or filter checks.)
Simple checks
Simple checks are determined at the outset of a request, and can only cause a request to be authorized or forbidden. These are typically yes/no questions - is the actor an admin? Did the actor create the post they want to call the update
action on? Is the actor old enough to drink alcohol?
You can write a simple check by creating a new module and using the Ash.Policy.SimpleCheck
module:
defmodule MyApp.Checks.ActorIsOldEnough do
use Ash.Policy.SimpleCheck
# This is used when logging a breakdown of how a policy is applied - see Logging below.
def describe(_) do
"actor is old enough"
end
# The context here may have a changeset, query, resource, and api module, depending
# on the action being run.
# `match?` should return true or false, and answer the statement being posed in the description,
# i.e "is the actor old enough?"
def match?(%MyApp.User{age: age} = _actor, %{resource: MyApp.Beer} = _context, _opts) do
age >= 21
end
def match?(_, _, _), do: true
end
You can then use this module as the check name, as part of a policy:
defmodule MyApp.Beer do
# ...
policies do
policy action(:drink) do
authorize_if MyApp.Checks.ActorIsOldEnough
end
end
# ...
end
Ash will internally convert the true/false return value from match?/3
to a :authorized
/:forbidden
/:unknown
response, depending on how the check is being run (ie. whether it's part of an authorize_if
/forbid_if
/etc.)
Filter checks
Many checks won't return a status yes/no, but instead return a "filter" to apply to a collection of data. They are most commonly used for read actions, but can be used for all types of actions.
For update and destroy actions, they apply to the data before the action is run.
For read actions, they will automatically restrict the returned data to be compliant with the filter. Using the drinking example from earlier, we could write a filter check to list only users that are old enough to drink alcohol.
There are two ways to write a filter check - by creating a module and using the Ash.Policy.FilterCheck
module, or by using inline expression syntax.
defmodule MyApp.Checks.ActorOverAgeLimit do
use Ash.Policy.FilterCheck
require Ash.Query
import Ash.Filter.TemplateHelpers, only: [actor: 1]
# A description is not necessary, as it will be derived from the filter, but one could be added
# def describe(_opts), do: "actor is over the age limit"
# Filter checks don't have a `context` available to them
def filter(_options) do
Ash.Query.expr(age_limit <= ^actor(:age))
end
end
You can then use this module as the check name, as part of a policy:
defmodule MyApp.User do
# ...
policies do
policy action(:of_drinking_age) do
authorize_if MyApp.Checks.ActorOverAgeLimit
end
end
# ...
end
Inline checks
Inline checks are filter checks, but are different enough to warrant their own documentation. These are written directly in a policy, eg.
policy action_type(:read) do
# Allow records with the attribute `public` set to true to be read
authorize_if attribute(:public, true)
# Allow records with the attribute `level` less than the value of the `level`
# argument to the action to be read
authorize_if expr(level <= ^arg(:level))
end
Keep in mind that, for create actions, many expr/1
checks won't make sense, and may return false
when you wouldn't expect. Expression (and other filter) policies apply to "a synthesized result" of applying the action, so related values won't be available. For this reason, you may end up wanting to use other checks that are built for working against changesets, or only simple attribute-based filter checks. Custom checks may also be warranted here.
Ash also comes with a set of built-in helpers for writing inline checks - see Ash.Policy.Check.Builtins
for more information.
Referencing the actor
In expression checks, the actor
template can be used (other templates that may work in filter expressions, for example, are not available). For example:
# Authorize records that have an author relationship with the author ID the same as the actor ID
# ie. records authored by the actor
authorize_if expr(author.id == ^actor(:id))
Using exists
A common mistake when using related data in filters is to be too restrictive. Imagine a scenario where you have an action like this:
read :friends_of_ted do
filter expr(friends.first_name == "ted")
end
If this was in a User resource, it would return users that have a friend with the first name "ted". So far so good. Then someone calls it like so:
Resource
|> Ash.Query.for_read(:friends_of_ted)
|> Ash.Query.filter(friends.last_name == "dansen")
The resulting filter is friends.first_name == "ted" and friends.last_name == "dansen"
- this means that you'll get users that have a friend with the full name "ted dansen". That might be what you meant, but more likely you would want "users that have a friend with the first name "ted", that also have a friend with the last name 'dansen'".
To accomplish that, we can use the exists
helper and rework the example like so:
# There exists a friend with the first name "ted"
read :friends_of_ted do
filter expr(exists(friends, first_name == "ted"))
end
# And there also exists a friend with the last name "dansen"
# They may be the same friend if the user is friends with Ted Dansen!
Resource
|> Ash.Query.for_read(:friends_of_ted)
|> Ash.Query.filter(exists(friends, last_name == "dansen"))
In policies (and often any time you mean "a related thing exists where some condition is true"), it is advised to use exists/2
when referring to relationships because of the way that the policy authorizer may mix & match your policies when building filters. This is also true when adding filters to actions. If you use exists
, then your policies can be used in filters without excluding unnecessary data.
debugging-and-logging
Debugging and Logging
policy-breakdowns
Policy Breakdowns
Policy breakdowns can be fetched on demand for a given forbidden error (either an Ash.Error.Forbidden
that contains one ore more Ash.Error.Forbidden.Policy
errors, or an Ash.Error.Forbidden.Policy
error itself), via Ash.Error.Forbidden.Policy.report/2
.
Here is an example policy breakdown from tests:
Policy Breakdown
A check status of `?` implies that the solver did not need to determine that check.
Some checks may look like they failed when in reality there was no need to check them.
Look for policies with `✘` and `✓` in check statuses.
A check with a `⬇` means that it didn't determine if the policy was authorized or forbidden, and so moved on to the next check.
`🌟` and `⛔` mean that the check was responsible for producing an authorized or forbidden (respectively) status.
If no check results in a status (they all have `⬇`) then the policy is assumed to have failed. In some cases, however, the policy
may have just been ignored, as described above.
Admins and managers can create posts | ⛔:
authorize if: actor.admin == true | ✘ | ⬇
authorize if: actor.manager == true | ✘ | ⬇
To remove the help text, you can pass the help_text?: false
option, which would leave you with:
Policy Breakdown
Admins and managers can create posts | ⛔:
authorize if: actor.admin == true | ✘ | ⬇
authorize if: actor.manager == true | ✘ | ⬇
including-in-error-messages
Including in error messages
IMPORTANT WARNING: The following configuration should only ever be used in development mode!
For security reasons, authorization errors don't include any extra information, aside from forbidden
. To have authorization errors include a policy breakdown (without help text) use the following config.
config :ash, :policies, show_policy_breakdowns?: true
logging
Logging
It is generally safe to log authorization error details, even in production. This can be very helpful when investigating certain classes of issue.
To have Ash automatically log each authorization failure, use
config :ash, :policies, log_policy_breakdowns: :error # Use whatever log level you'd like to use here
To have Ash log all policy breakdowns, even successful ones (this will be lots of noise, and should only be used for dev testing)
config :ash, :policies, log_successful_policy_breakdowns: :error # Use whatever log level you'd like to use here