Testing time, wildcards, SQLAlchemy and more - Cerbos v0.20 Release

Published by Alex Olivier on August 24, 2022
image

The latest release of Cerbos, v0.20, includes improvements in unit testing with dates and better wildcard support, a SQLAlchemy adapter, some SDK updates and several UX updates to the Playground.

We have been working closely with users of Cerbos such as Utility Warehouse, 9fin, Salesroom, Wizeline, and Doorfeed on this release and can’t wait to hear more on what you would like to see in future releases - join our Slack community to join the conversation.

Cerbos v0.20 Release

Writing policy tests for policies that have time-based conditions is now easier because the value returned by the now function can be fixed for the entire test suite or individual tests. This also influences the timeSince calculations and gives you the ability to write deterministic tests to ensure that your logic is sound. See the policy testing documentation to learn more.

Setting the value of now for the entire test suite:

name: TestSuite
description: Tests for verifying something
options:
  now: "2022-08-02T15:00:00Z"
tests:
  ...

Setting the value of now for a single test:

tests:
  - name: With local now
    options:
      now: "2022-08-03T15:00:00Z"
    ...

The security warnings for default Admin API credentials are now smarter.

An overly strict validation rule that prevented single wildcards from being used for resource names in principal policies has been relaxed.

You can find the full release notes here.

SQLAlchemy Query Plan Adapter

One of the tricky problems with decoupled authorization is filtering a list to retain only those items that a particular user has access to as now the conditions are dynamic based on the request.

The PlanResources API allows you to send a principal, action, and resource kind (plus any available attributes) to obtain a tree representation of the minimal set of conditions that must be satisfied for that principal to be allowed to act on that resource kind.

To make working with this API easier, we have released an adapter library for SQLAlchemy that takes a Query Plan (PlanResources API) response and converts it into a query object. This is designed to work alongside a project using the Cerbos Python SDK.

Much like our existing Prisma adapter, the following conditions are supported: and, or, eq, ne, lt, gt, lte, gte and in. Other operators (eg math operators) can be implemented programmatically, and attached to the query object via the query.where(...) API.

You can find the adapter and example application over on Github.

Javascript SDK - Admin API

Support for the Admin API has been added to the Javascript SDK which makes it simpler to manage policies programmatically if you are making use of a mutable storage engine such as Postgres, MySQL, or SQLServer.

Our other SDKs will be updated in time to include this also.

Playground: Scope Support, .NET, and PHP Snippets

The Cerbos Playground now includes an improved experience when working with scoped policies. it is now possible to set the scope on any resource or principal right in the editor - try it out here.

Additionally, .NET and PHP code snippets are now generated directly in the playground for you to quickly and simply get up and running with Cerbos.

You can find the full release notes here and if you have any questions join our Slack community.

Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team