0

I want to create ACL-based authorization system for a web application that uses SQL database as storage.

My problem is - I want to use the authorization rules defined as ACLs to filter the searches. For this I need to convert the ACLs to flat boolean expressions I could use in WHERE clause.

My ACL system would be simple. Every entry would be either ALLOW or DENY and will add a condition. The list will be scanned from top to bottom. The first entry that matches the condition will apply. So e.g. if I have an ACL like:

ALLOW x = 3
ALLOW x = 5
DENY true

I will need to filter with: x = 3 OR x = 5

If I have:

DENY x = 3
DENY x = 5
ALLOW true

the filter will be NOT (x = 3 OR x = 5)

I am still however not sure how to create an universal method of conversion that would apply to any mixture of DENY and ALLOW rules in any order. We can however assume that there must be one rule that would evaluate to true. We can achieve that by ACL inheritance and putting DENY true at the end of every list.

Could you help me solve this riddle?

zefciu
  • 1,967
  • 2
  • 17
  • 39

1 Answers1

0

I have solved this problem already. The key to avoid the three-value logic which was the problem before is to start from the end of the list. The algorithm will look like this:

group the acl into packs of ALLOW and DENY
discard the last pack (which should be DENY and end with DENY true)
add 'false' to the result
for every pack from the end:
    combine all the conditions with OR
    if pack is ALLOW:
        add "or condition" to the result
    elif pack is DENY:
        add "and not condition" to the result
if result == 'false':
    don't perform search, return empty list
else:
    discard 'false or' from the beginning of the list (redundant)

So for example:

DENY x = 7
ALLOW x > 3
DENY true

would become false OR x > 3 AND NOT (x = 7)

zefciu
  • 1,967
  • 2
  • 17
  • 39