Collision:

All the policies, that are already created, needs to be specified to execute this verification. Then, the datas treated in each policy are stored in sets. We then check whether the sets are disjoint or not. If they are not, there will be an intersection between different sets, and respective policies. There is our Collision. Actually theres only one way to verify the Collision, that is manually. Making this verification occurs automatically, where for each new Policy created in Hapi the test is executed, it is a future project.

Example

User X was given the task of defining Resource access: ID, PRODUCTS, EMAIL for Actors Alice and Bob. In user X's system there are hundreds of defined Policies that work perfectly. A Policy A that defines Resources: SSN, EMAIL and CCN already exists in the system, expressed as follows:

data: [SSN, EMAIL, CCN]
rules:
  - identities:
      users: Alice
      Updates:
        data: [CCN, EMAIL]
      Deletes:
        data: [CCN, EMAIL]
  - identities:
      users: Bob
      Updates:
        data: [CCN, EMAIL]
      Deletes:
        data: [EMAIL]

However, not knowing about the existence of such a policy, and that it already governed what happened with Resource EMAIL, user X decides to create a new Policy B to define what happens with all the Resources requested in the task. This new policy being expressed as follows:

data: [ID, PRODUCTS, EMAIL]
rules:
  - identities:
      users: Alice
      Updates:
        data: [PRODUCTS, ID]
      Deletes:
        data: [PRODUCTS, ID]
  - identities:
      users: Bob
      Updates:
        data: [PRODUCTS, EMAIL]
      Deletes:
        data: [PRODUCTS]

As you can see, both Policies A and B define different access restrictions under Resource EMAIL, which can generate errors in the system since the Policies overlap. With the collision verification being performed, the user will receive a warning as it follows:

Collision_result_example

Indicating the conflicting Resource: EMAIL; and also the two Policies in which this Resource is defined: Policies A and B. Then he will need to correct this error if he wants to maintain the Consitency of the system.

Implementation:

The verification of the Collision property occurs with multiple YAML Policy files being passed as a reference in the Verification Call.

Within the plugin, the framework reads every policy and stores all Resources (data) that are treated in each one in different Sets (One set for each Policy):

#...While there is policies...

with open("fixtures/yaml/first-deny.yaml", "r") as ymlfile: #Opening the policy
      cfg = yaml.load(ymlfile)

  Policy_name_1 = set(cfg["data"]) #Getting the defined Resources

Finally, all the Sets containing the Resources that are treated in each policy, are added to a list. In this way, we obtain a list of Sets.

In the second moment, we used two Loops while, to compare all the sets stored in the List. If two sets are 'disjunct', that is, without similar elements, the loop advances to compare the next set:

while iterator < len(list_of_policiess):
    aux = iterator + 1
    while aux < len(list_of_policiess):

        if not list_of_policiess[iterator].isdisjoint(list_of_policiess[aux]):
            overlapped_resources = list_of_policiess[iterator].intersection(list_of_policiess[iterator+1])
            collision_boolean = True
            break
        aux += 1

    if collision_boolean == True:
        break
    iterator += 1

If there are similar elements in two different sets: the loops are closed, the names of the Policies corresponding to each Set are stored in an auxiliary variable, and these two sets are intersected, that will return the similar elements.

After the loop, an auxiliary variable called collision_boolean is used to indicate whether a 'collision' has occurred or not. Being 'True', the test returns the Conflict Policies and Resources governed by both simultaneously. Being 'False', the test passes, telling the user that there are no conflicting policies.

Pre-built execution test: python main.py -collision_verifier None

Note: To run the "Pre-builted execution tests" you need to be on the '../hapi/test' folder