H-4699: Support policy resource filter on the creator (#7406)

Author: TimDiekmann

apps/hash-ai-worker-ts/src/activities/shared/get-llm-response.ts

@@ -15,7 +15,6 @@ import { generateUuid } from "@local/hash-isomorphic-utils/generate-uuid";
 import { systemLinkEntityTypes } from "@local/hash-isomorphic-utils/ontology-type-ids";
 import { stringifyError } from "@local/hash-isomorphic-utils/stringify-error";
 import type { IncurredIn } from "@local/hash-isomorphic-utils/system-types/usagerecord";
-import type { PrincipalConstraint } from "@rust/hash-graph-authorization/types";
 // import { StatusCode } from "@local/status";
 import { backOff } from "exponential-backoff";
 
@@ -206,19 +205,6 @@ export const getLlmResponse = async <T extends LlmParams>(
         } satisfies OriginProvenance,
       };
 
-      const viewPrincipals: PrincipalConstraint[] = [
-        {
-          type: "actor",
-          actorType: "user",
-          id: userAccountId,
-        },
-        {
-          type: "actor",
-          actorType: "ai",
-          id: aiAssistantAccountId,
-        },
-      ];
-
       const errors = await Promise.all(
         incurredInEntities.map(async ({ entityId }) => {
           try {
@@ -263,12 +249,6 @@ export const getLlmResponse = async <T extends LlmParams>(
                     },
                   },
                 ],
-                policies: viewPrincipals.map((principal) => ({
-                  name: `usage-record-view-entity-${incurredInEntityUuid}`,
-                  effect: "permit",
-                  actions: ["viewEntity"],
-                  principal,
-                })),
               },
             );
 

apps/hash-api/src/graph/knowledge/system-types/user-secret.ts

@@ -21,7 +21,6 @@ import {
 } from "@local/hash-isomorphic-utils/ontology-type-ids";
 import type { UsesUserSecret } from "@local/hash-isomorphic-utils/system-types/google/shared";
 import type { UserSecret } from "@local/hash-isomorphic-utils/system-types/shared";
-import type { PrincipalConstraint } from "@rust/hash-graph-authorization/types";
 import type { Auth } from "googleapis";
 
 import { createEntity } from "../primitive/entity";
@@ -181,19 +180,6 @@ export const createUserSecret = async <
     );
   }
 
-  const viewPrincipals: PrincipalConstraint[] = [
-    {
-      type: "actor",
-      actorType: "user",
-      id: userAccountId,
-    },
-    {
-      type: "actor",
-      actorType: "machine",
-      id: managingBotAccountId,
-    },
-  ];
-
   const userSecretEntityUuid = generateUuid() as EntityUuid;
   const usesUserSecretEntityUuid = generateUuid() as EntityUuid;
 
@@ -206,16 +192,18 @@ export const createUserSecret = async <
       entityUuid: userSecretEntityUuid,
       properties: secretMetadata,
       relationships: botEditorUserViewerOnly,
-      policies: viewPrincipals.map((principal) => ({
-        name: `user-secret-view-entity-${userSecretEntityUuid}`,
-        principal,
-        effect: "permit",
-        actions: ["viewEntity"],
-        resource: {
-          type: "entity",
-          id: userSecretEntityUuid,
+      policies: [
+        {
+          name: `user-secret-view-entity-${userSecretEntityUuid}`,
+          principal: {
+            type: "actor",
+            actorType: "machine",
+            id: managingBotAccountId,
+          },
+          effect: "permit",
+          actions: ["viewEntity"],
         },
-      })),
+      ],
     },
   );
 
@@ -233,16 +221,18 @@ export const createUserSecret = async <
       },
       entityTypeIds: [systemLinkEntityTypes.usesUserSecret.linkEntityTypeId],
       relationships: botEditorUserViewerOnly,
-      policies: viewPrincipals.map((principal) => ({
-        name: `user-secret-view-entity-${usesUserSecretEntityUuid}`,
-        principal,
-        effect: "permit",
-        actions: ["viewEntity"],
-        resource: {
-          type: "entity",
-          id: usesUserSecretEntityUuid,
+      policies: [
+        {
+          name: `user-secret-view-entity-${userSecretEntityUuid}`,
+          principal: {
+            type: "actor",
+            actorType: "machine",
+            id: managingBotAccountId,
+          },
+          effect: "permit",
+          actions: ["viewEntity"],
         },
-      })),
+      ],
     },
   );
 

libs/@local/graph/authorization/schemas/policies.cedarschema

@@ -10,6 +10,7 @@ namespace HASH {
 
   entity Entity in [Web] {
     entity_types: Set<EntityType>,
+    created_by: ActorId,
   };
 
   entity EntityType in [Web] {
@@ -18,9 +19,14 @@ namespace HASH {
   };
 
   entity User, Machine, Ai in [HASH::Web::Role, HASH::Team::Role] {
+    id: ActorId,
   };
 
   entity Public {
+    // This is required to add policies depending on `principal.id`
+    // in Cedar policies. Effectively, we set this to a dummy value
+    // `{"type": "public", "id": "00000000-0000-0000-0000-000000000000"}`.
+    id: ActorId,
   };
 
   action all;
@@ -49,6 +55,11 @@ namespace HASH {
     principal: [User, Machine, Ai],
     resource: [EntityType],
   };
+
+  type ActorId = {
+    type: String,
+    id: String,
+  };
 }
 
 namespace HASH::Team {

libs/@local/graph/authorization/src/policies/cedar/actor.rs

@@ -0,0 +1,102 @@
+use alloc::collections::BTreeMap;
+use core::{error::Error, fmt};
+
+use cedar_policy_core::ast;
+use error_stack::{Report, ResultExt as _};
+use smol_str::SmolStr;
+use type_system::principal::actor::{ActorEntityUuid, ActorId, AiId, MachineId, UserId};
+use uuid::Uuid;
+
+use super::CedarExpressionVisitor;
+
+#[derive(Debug, derive_more::Display)]
+pub(crate) enum ParseActorIdExpressionError {
+    #[display("Unexpected fields: `{}`", _0.join(", "))]
+    UnexpectedField(Vec<String>),
+    #[display("Missing field: `{_0}`")]
+    MissingField(String),
+    #[display("Invalid type: `{_0}`")]
+    InvalidTypeExpression(String),
+    #[display("Invalid type: `{_0}`")]
+    InvalidType(String),
+    #[display("Invalid UUID expression: `{_0}`")]
+    InvalidUuidExpression(String),
+    #[display("Invalid UUID: `{_0}`")]
+    InvalidUuid(String),
+}
+
+impl Error for ParseActorIdExpressionError {}
+
+pub(crate) struct ActorIdVisitor;
+
+impl CedarExpressionVisitor for ActorIdVisitor {
+    type Error = Report<ParseActorIdExpressionError>;
+    type Value = Option<ActorId>;
+
+    fn expecting(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result {
+        fmt.write_str("an actor id")
+    }
+
+    fn visit_record(
+        &self,
+        record: &BTreeMap<SmolStr, ast::Expr>,
+    ) -> Option<Result<Self::Value, Self::Error>> {
+        let Some(type_expr) = record.get("type") else {
+            return Some(Err(Report::new(ParseActorIdExpressionError::MissingField(
+                "type".to_owned(),
+            ))));
+        };
+        let Some(uuid_expr) = record.get("id") else {
+            return Some(Err(Report::new(ParseActorIdExpressionError::MissingField(
+                "id".to_owned(),
+            ))));
+        };
+        if record.len() != 2 {
+            return Some(Err(Report::new(
+                ParseActorIdExpressionError::UnexpectedField(
+                    record
+                        .keys()
+                        .filter(|&key| (key != "type" && key != "id"))
+                        .map(SmolStr::to_string)
+                        .collect(),
+                ),
+            )));
+        }
+
+        let ast::ExprKind::Lit(ast::Literal::String(type_string)) = type_expr.expr_kind() else {
+            return Some(Err(Report::new(
+                ParseActorIdExpressionError::InvalidTypeExpression(type_expr.to_string()),
+            )));
+        };
+
+        let ast::ExprKind::Lit(ast::Literal::String(uuid_string)) = uuid_expr.expr_kind() else {
+            return Some(Err(Report::new(
+                ParseActorIdExpressionError::InvalidUuidExpression(uuid_expr.to_string()),
+            )));
+        };
+
+        let actor_entity_uuid = match Uuid::parse_str(uuid_string)
+            .change_context_lazy(|| {
+                ParseActorIdExpressionError::InvalidUuid(uuid_string.to_string())
+            })
+            .attach_printable("Invalid UUID")
+        {
+            Ok(uuid) => ActorEntityUuid::new(uuid),
+            Err(error) => {
+                return Some(Err(error));
+            }
+        };
+
+        Some(Ok(match type_string.as_str() {
+            "user" => Some(ActorId::User(UserId::new(actor_entity_uuid))),
+            "machine" => Some(ActorId::Machine(MachineId::new(actor_entity_uuid))),
+            "ai" => Some(ActorId::Ai(AiId::new(actor_entity_uuid))),
+            "public" => None,
+            _ => {
+                return Some(Err(Report::new(ParseActorIdExpressionError::InvalidType(
+                    type_string.to_string(),
+                ))));
+            }
+        }))
+    }
+}

libs/@local/graph/authorization/src/policies/cedar/expression_tree.rs

@@ -24,6 +24,7 @@ pub enum PolicyExpressionTree {
     BaseUrl(BaseUrl),
     OntologyTypeVersion(OntologyTypeVersion),
     IsOfType(VersionedUrl),
+    CreatedByPrincipal,
 }
 
 #[derive(Debug, derive_more::Display)]
@@ -38,6 +39,8 @@ impl Error for ParseBinaryExpressionError {}
 
 #[derive(Debug, derive_more::Display)]
 pub(crate) enum ParseGetAttrExpressionError {
+    #[display("No principal id found")]
+    NoPrincipalId,
     #[display("No resource variable found")]
     NoResourceVariable,
     #[display("Invalid attribute: `{_0}`")]
@@ -160,6 +163,21 @@ impl PolicyExpressionTree {
         }
     }
 
+    fn expect_principal_id(
+        expr: &Arc<ast::Expr>,
+    ) -> Result<(), Report<ParseGetAttrExpressionError>> {
+        match expr.expr_kind() {
+            ast::ExprKind::GetAttr { expr, attr } => match (expr.expr_kind(), attr.as_str()) {
+                (ast::ExprKind::Var(ast::Var::Principal), "id") => Ok(()),
+                (ast::ExprKind::Unknown(unknown), "id") if unknown.name == "principal" => Ok(()),
+                _ => Err(Report::new(ParseGetAttrExpressionError::NoPrincipalId)
+                    .attach_printable(Arc::clone(expr))),
+            },
+            _ => Err(Report::new(ParseGetAttrExpressionError::NoPrincipalId)
+                .attach_printable(Arc::clone(expr))),
+        }
+    }
+
     fn expect_resource_variable(
         expr: &Arc<ast::Expr>,
     ) -> Result<(), Report<ParseGetAttrExpressionError>> {
@@ -197,13 +215,15 @@ impl PolicyExpressionTree {
             BaseUrl,
             OntologyTypeVersion,
             Resource,
+            CreatedBy,
         }
 
         let attribute_type = match lhs.expr_kind() {
             ast::ExprKind::GetAttr { expr, attr } => {
                 let attr_type = match attr.as_str() {
                     "base_url" => Ok(AttributeType::BaseUrl),
                     "ontology_type_version" => Ok(AttributeType::OntologyTypeVersion),
+                    "created_by" => Ok(AttributeType::CreatedBy),
                     _ => Err(Report::new(ParseGetAttrExpressionError::InvalidAttribute(
                         attr.clone(),
                     ))),
@@ -237,6 +257,9 @@ impl PolicyExpressionTree {
                     .change_context(ParseBinaryExpressionError::Right)
                     .map(|version| Self::OntologyTypeVersion(OntologyTypeVersion::new(version)))
             }
+            (AttributeType::CreatedBy, _) => Self::expect_principal_id(rhs)
+                .change_context(ParseBinaryExpressionError::Right)
+                .map(|()| Self::CreatedByPrincipal),
             (AttributeType::Resource, ast::ExprKind::Lit(ast::Literal::EntityUID(euid))) => {
                 if *euid.entity_type() == **EntityTypeId::entity_type() {
                     EntityTypeId::from_eid(euid.eid())

libs/@local/graph/authorization/src/policies/cedar/mod.rs

@@ -1,3 +1,4 @@
+mod actor;
 mod entity;
 mod expression_tree;
 mod ontology;
@@ -12,6 +13,7 @@ use error_stack::{IntoReport, Report, ResultExt as _};
 
 pub use self::expression_tree::PolicyExpressionTree;
 pub(crate) use self::{
+    actor::ActorIdVisitor,
     entity::EntityUuidVisitor,
     ontology::{BaseUrlVisitor, EntityTypeIdVisitor, OntologyTypeVersionVisitor},
     visitor::{
@@ -22,8 +24,21 @@ pub(crate) use self::{
 };
 use crate::policies::error::FromCedarRefernceError;
 
+pub(crate) trait ToCedarRestrictedExpr {
+    fn to_cedar_restricted_expr(&self) -> ast::RestrictedExpr;
+}
+
 pub(crate) trait ToCedarExpr {
-    fn to_cedar(&self) -> ast::Expr;
+    fn to_cedar_expr(&self) -> ast::Expr;
+}
+
+impl<T> ToCedarExpr for T
+where
+    T: ToCedarRestrictedExpr,
+{
+    fn to_cedar_expr(&self) -> ast::Expr {
+        self.to_cedar_restricted_expr().into()
+    }
 }
 
 pub(crate) trait FromCedarExpr: Sized {

libs/@local/graph/authorization/src/policies/components.rs

@@ -134,6 +134,8 @@ where
                     .build_principal_context(actor_id, &mut self.context)
                     .await
                     .change_context(ContextCreationError::BuildPrincipalContext { actor_id })?;
+            } else {
+                self.context.add_public_actor();
             }
 
             let entity_resources;

libs/@local/graph/authorization/src/policies/context.rs

@@ -11,6 +11,7 @@ use type_system::principal::{Actor, ActorGroup, Role};
 use super::{
     PolicyValidator,
     cedar::ToCedarEntity as _,
+    principal::actor::PublicActor,
     resource::{EntityResource, EntityTypeResource},
 };
 
@@ -52,6 +53,14 @@ impl ContextBuilder {
         self.entities.push(actor.to_cedar_entity());
     }
 
+    /// Adds the public actor to the context for policy evaluation.
+    ///
+    /// This allows the actor to be identified as a principal during authorization,
+    /// making it available for matching against principal constraints in policies.
+    pub fn add_public_actor(&mut self) {
+        self.entities.push(PublicActor.to_cedar_entity());
+    }
+
     /// Adds an actor group to the context for policy evaluation.
     ///
     /// This allows policies associated with the actor group to be considered during authorization,