DEV Community: David Hatch The latest articles on DEV Community by David Hatch (@dhatch). https://dev.to/dhatch https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F543155%2F4190f808-761b-4b00-a807-f2ce63ec6167.jpeg DEV Community: David Hatch https://dev.to/dhatch en GraphQL Authorization with Graphene, SQLAlchemy and oso David Hatch Fri, 18 Dec 2020 23:18:47 +0000 https://dev.to/dhatch/graphql-authorization-with-graphene-sqlalchemy-and-oso-5fhi https://dev.to/dhatch/graphql-authorization-with-graphene-sqlalchemy-and-oso-5fhi <p>GraphQL has been seeing a rapid uptick in adoption. It enables a more expressive interface between frontend and backend code by allowing developers to specify exactly what data is required to render a given page. While there are numerous wins for frontend engineers, the backend team needs a different mindset. Instead of writing route handlers that return a fixed set of data (or maybe a few variations), the backend team must write <strong>resolver functions</strong> which return portions of the dataset individually. </p> <p>We've seen that many developers will apply route-level checks as a starting point for authorization in their applications. A common pattern is using decorators or other route level guards that ensure a user meets certain requirements (the user is an admin, the user has a certain role, etc.) before the route code is run.</p> <p>This approach is easy to get started with, but is typically not feasible in GraphQL. There is one route in a GraphQL application, and the potential set of data returned is highly variable. There are many more combinations of fields in a GraphQL query than the number of routes in a typical REST application.</p> <p>Since GraphQL is oriented around access to individual data elements, a natural place to enforce authorization is during data access. GraphQL's official documentation acknowledges as much:</p> <blockquote> <p>Where should you perform validation and authorization checks? The answer: inside a dedicated business logic layer. Your business logic layer should act as the single source of truth for enforcing <em>business domain rules</em> [emphasis added].</p> </blockquote> <p>– <a href="https://graphql.org/learn/thinking-in-graphs/#business-logic-layer">https://graphql.org/learn/thinking-in-graphs/#business-logic-layer</a></p> <p>Great. Easy. But how does that actually work? How do we enforce a business domain rule? Is there a simple abstraction for specifying them?</p> <p>In this post, we'll look at using oso—an open source authorization library—for enforcing authorization rules. We'll see how to declaratively specify authorization rules in Polar, oso's policy language, and how to integrate oso into a GraphQL application in only a few lines of code.</p> <p>We'll use SQLAlchemy as our ORM, and Graphene — a popular Python GraphQL library. The <code>sqlalchemy-oso</code> <a href="https://docs.osohq.com/using/frameworks/sqlalchemy.html#installation">library</a> will provide the glue between oso, GraphQL and SQLAlchemy, allowing us to enforce authorization consistency.</p> <h1> Getting setup </h1> <p>We'll start with a basic Flask app representing an expense management application. To follow along, <a href="https://github.com/osohq/oso-graphene-sqlalchemy-app">clone the project on GitHub</a>. We'll walk through the parts of this app relevant to authorization, but the full code is available in the project. We'll assume some familiarity with Flask, SQLAlchemy and GraphQL. Each section of this post is based on a commit in the repository, and we'll link to the relevant commit at the beginning of the section.</p> <p>If you plan on following along and trying out the examples as you read, make sure to follow the <a href="https://github.com/osohq/oso-graphene-sqlalchemy-app/blob/main/README.md">README</a> to install the dependencies so you can run the code. This section covers the <a href="https://github.com/osohq/oso-graphene-sqlalchemy-app/tree/922af81fc265efc82f9572e174833689f051ae9a">initial commit</a>.</p> <p>Our app has a few models:</p> <ul> <li> <strong>Expense:</strong> An expense created by a user.</li> <li> <strong>User:</strong> A user accessing the application.</li> </ul> <p>We'll start with these, and add some more later. Here are our initial models from <code>models.py</code>. These are regular SQLAlchemy models. We used the <a href="https://flask-sqlalchemy.palletsprojects.com/en/2.x/">flask_sqlalchemy</a> library to integrate with Flask and make our setup a bit easier.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">flask_sqlalchemy</span> <span class="kn">import</span> <span class="n">SQLAlchemy</span> <span class="kn">from</span> <span class="nn">sqlalchemy.orm</span> <span class="kn">import</span> <span class="n">relationship</span> <span class="n">db</span> <span class="o">=</span> <span class="n">SQLAlchemy</span><span class="p">()</span> <span class="k">class</span> <span class="nc">Expense</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="n">Model</span><span class="p">):</span> <span class="n">__tablename__</span> <span class="o">=</span> <span class="s">'expenses'</span> <span class="nb">id</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="n">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="n">Integer</span><span class="p">,</span> <span class="n">primary_key</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">amount</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="n">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="n">Integer</span><span class="p">)</span> <span class="n">created_by_id</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="n">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="n">Integer</span><span class="p">,</span> <span class="n">db</span><span class="p">.</span><span class="n">ForeignKey</span><span class="p">(</span><span class="s">'users.id'</span><span class="p">))</span> <span class="n">created_by</span> <span class="o">=</span> <span class="n">relationship</span><span class="p">(</span><span class="s">"User"</span><span class="p">)</span> <span class="n">description</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="n">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="n">Text</span><span class="p">)</span> <span class="k">class</span> <span class="nc">User</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="n">Model</span><span class="p">):</span> <span class="n">__tablename__</span> <span class="o">=</span> <span class="s">'users'</span> <span class="nb">id</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="n">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="n">Integer</span><span class="p">,</span> <span class="n">primary_key</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">email</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="n">Column</span><span class="p">(</span><span class="n">db</span><span class="p">.</span><span class="n">String</span><span class="p">(</span><span class="mi">256</span><span class="p">))</span> </code></pre> </div> <p>An Expense is created by a user, available at the <code>Expense.created_by</code> property.</p> <p>We also have a GraphQL schema defined using Graphene over these models in <code>app/schema.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="nn">graphene</span> <span class="kn">from</span> <span class="nn">graphene</span> <span class="kn">import</span> <span class="n">relay</span> <span class="kn">from</span> <span class="nn">graphene_sqlalchemy</span> <span class="kn">import</span> <span class="n">SQLAlchemyConnectionField</span><span class="p">,</span> <span class="n">SQLAlchemyObjectType</span> <span class="kn">from</span> <span class="nn">flask</span> <span class="kn">import</span> <span class="n">g</span> <span class="kn">from</span> <span class="nn">.</span> <span class="kn">import</span> <span class="n">models</span> <span class="k">class</span> <span class="nc">Expense</span><span class="p">(</span><span class="n">SQLAlchemyObjectType</span><span class="p">):</span> <span class="k">class</span> <span class="nc">Meta</span><span class="p">:</span> <span class="n">model</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="n">Expense</span> <span class="n">interfaces</span> <span class="o">=</span> <span class="p">(</span><span class="n">relay</span><span class="p">.</span><span class="n">Node</span><span class="p">,)</span> <span class="k">class</span> <span class="nc">User</span><span class="p">(</span><span class="n">SQLAlchemyObjectType</span><span class="p">):</span> <span class="k">class</span> <span class="nc">Meta</span><span class="p">:</span> <span class="n">model</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="n">User</span> <span class="n">interfaces</span> <span class="o">=</span> <span class="p">(</span><span class="n">relay</span><span class="p">.</span><span class="n">Node</span><span class="p">,)</span> <span class="k">class</span> <span class="nc">Query</span><span class="p">(</span><span class="n">graphene</span><span class="p">.</span><span class="n">ObjectType</span><span class="p">):</span> <span class="n">expenses</span> <span class="o">=</span> <span class="n">SQLAlchemyConnectionField</span><span class="p">(</span><span class="n">Expense</span><span class="p">.</span><span class="n">connection</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="n">graphene</span><span class="p">.</span><span class="n">Field</span><span class="p">(</span><span class="n">User</span><span class="p">)</span> <span class="n">node</span> <span class="o">=</span> <span class="n">graphene</span><span class="p">.</span><span class="n">relay</span><span class="p">.</span><span class="n">Node</span><span class="p">.</span><span class="n">Field</span><span class="p">()</span> <span class="k">def</span> <span class="nf">resolve_user</span><span class="p">(</span><span class="n">parent</span><span class="p">,</span> <span class="n">info</span><span class="p">):</span> <span class="k">return</span> <span class="p">(</span><span class="n">g</span><span class="p">.</span><span class="n">current_user</span> <span class="k">if</span> <span class="nb">isinstance</span><span class="p">(</span><span class="n">g</span><span class="p">.</span><span class="n">current_user</span><span class="p">,</span> <span class="n">models</span><span class="p">.</span><span class="n">User</span><span class="p">)</span> <span class="k">else</span> <span class="bp">None</span><span class="p">)</span> <span class="c1"># ... snip ... </span> <span class="n">schema</span> <span class="o">=</span> <span class="n">graphene</span><span class="p">.</span><span class="n">Schema</span><span class="p">(</span><span class="n">query</span><span class="o">=</span><span class="n">Query</span><span class="p">)</span> </code></pre> </div> <p>This schema uses the <a href="https://docs.graphene-python.org/projects/sqlalchemy/en/latest/">Graphene-SQLAlchemy library</a> to create Graphene schema objects for our SQLAlchemy models. This is a <a href="https://docs.graphene-python.org/projects/sqlalchemy/en/latest/tutorial/#defining-our-models">standard approach</a> for using SQLAlchemy with Graphene.</p> <p>We can make a simple query (I'm using the awesome <a href="https://github.com/graphql/graphiql">GraphiQL</a> tool for this, but you can also just go to <a href="http://localhost:5000/graphql">http://localhost:5000/graphql</a> in your browser) and see that our app is working:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--uQKVDRo4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/l7bbf9p6av86ofmjmoky.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--uQKVDRo4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/l7bbf9p6av86ofmjmoky.png" alt="Alt Text"></a></p> <h2> Adding authorization </h2> <p>At this point, we have a basic GraphQL app, without authorization. Let's set that up. Here's the <a href="https://github.com/osohq/oso-graphene-sqlalchemy-app/commit/8bf8c4a411f83e640fdd3537ddcc3d59049edecf">commit on GitHub</a>.</p> <p>Our initial authorization rule will be based on the concept of data owners: <em>users can view their own expenses.</em></p> <p>To implement this rule, we would need to perform filtering at the SQLAlchemy level. Which means:</p> <ol> <li>Adding a custom resolver for Expense</li> <li>Checking all other places the GraphQL schema might access expenses</li> <li>Implementing the custom SQLAlchemy query</li> <li>Repeating for every other model and authorization check.</li> </ol> <p>This authorization rule is based on each database record—sometimes referred to as object-level permissions. It can be challenging to abstract as middleware, and is certainly more complex than just adding the simple decorator we discussed earlier. </p> <p>Instead, we'll use the <code>sqlalchemy-oso</code> library. We need to make two changes to set this up:</p> <ol> <li>Add an instance of <code>Oso</code> to our application.</li> <li>Write a policy containing our authorization rules.</li> </ol> <p>To add oso, we'll modify the <code>create_app</code> function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">oso</span> <span class="kn">import</span> <span class="n">Oso</span> <span class="kn">from</span> <span class="nn">sqlalchemy_oso</span> <span class="kn">import</span> <span class="n">register_models</span> <span class="k">def</span> <span class="nf">create_app</span><span class="p">():</span> <span class="c1"># snip ... </span> <span class="c1"># Create oso instance which will hold our policy. </span> <span class="n">oso</span> <span class="o">=</span> <span class="n">Oso</span><span class="p">()</span> <span class="c1"># Make SQLAlchemy models available in the policy. </span> <span class="n">register_models</span><span class="p">(</span><span class="n">oso</span><span class="p">,</span> <span class="n">db</span><span class="p">.</span><span class="n">Model</span><span class="p">)</span> <span class="c1"># Load policy file into oso. </span> <span class="n">oso</span><span class="p">.</span><span class="n">load_file</span><span class="p">(</span><span class="n">Path</span><span class="p">(</span><span class="n">__file__</span><span class="p">).</span><span class="n">parent</span> <span class="o">/</span> <span class="s">"policy.polar"</span><span class="p">)</span> <span class="c1"># ... </span></code></pre> </div> <p>Then, we swap out the <code>SQLAlchemy</code> object in our app with <code>AuthorizedSQLAlchemy</code>. In <code>models.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">sqlalchemy_oso.flask</span> <span class="kn">import</span> <span class="n">AuthorizedSQLAlchemy</span> <span class="n">db</span> <span class="o">=</span> <span class="n">AuthorizedSQLAlchemy</span><span class="p">(</span> <span class="n">get_oso</span><span class="o">=</span><span class="k">lambda</span><span class="p">:</span> <span class="n">current_app</span><span class="p">.</span><span class="n">oso</span><span class="p">,</span> <span class="n">get_user</span><span class="o">=</span><span class="k">lambda</span><span class="p">:</span> <span class="nb">getattr</span><span class="p">(</span><span class="n">g</span><span class="p">,</span> <span class="s">"current_user"</span><span class="p">,</span> <span class="bp">None</span><span class="p">),</span> <span class="n">get_action</span><span class="o">=</span><span class="k">lambda</span><span class="p">:</span> <span class="s">"read"</span> <span class="p">)</span> </code></pre> </div> <p>We use this object instead of <code>flask_sqlalchemy.SQLAlchemy</code>. It provides a <a href="https://docs.sqlalchemy.org/en/13/orm/session.html">SQLAlchemy Session object</a> that filters queries to only return objects that are authorized for the current user and action.</p> <p>Our policy file, <code>app/policy.polar</code> is empty for now.</p> <p>Now, let's check our query results:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--vN9kaPi5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/mlbwai71zbo4altjurey.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--vN9kaPi5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/mlbwai71zbo4altjurey.png" alt="Alt Text"></a></p> <p>Nothing's returned anymore. Why? The policy file is empty. Polar is deny by default, so we'll need to add some rules. Before we do that, let's take a look at how this is working. Our app has an endpoint that will log the SQL used to execute our last query. If you're following along, run the app with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ FLASK_RUN_EXTRA_FILES</span><span class="o">=</span>app/policy.polar <span class="nv">FLASK_DEBUG</span><span class="o">=</span>1 flask run </code></pre> </div> <p>Run a query in GraphiQL. Below is a good starting point.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="p">{</span><span class="w"> </span><span class="n">expenses</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">edges</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">node</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="n">description</span><span class="w"> </span><span class="n">createdBy</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Now visit, <a href="http://localhost:5000/sql">http://localhost:5000/sql</a>.</p> <p>Here, we see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">count_1</span> <span class="k">FROM</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">expenses</span><span class="p">.</span><span class="n">id</span> <span class="k">AS</span> <span class="n">expenses_id</span><span class="p">,</span> <span class="n">expenses</span><span class="p">.</span><span class="n">amount</span> <span class="k">AS</span> <span class="n">expenses_amount</span><span class="p">,</span> <span class="n">expenses</span><span class="p">.</span><span class="n">created_by_id</span> <span class="k">AS</span> <span class="n">expenses_created_by_id</span><span class="p">,</span> <span class="n">expenses</span><span class="p">.</span><span class="n">description</span> <span class="k">AS</span> <span class="n">expenses_description</span> <span class="k">FROM</span> <span class="n">expenses</span> <span class="k">WHERE</span> <span class="mi">0</span> <span class="o">=</span> <span class="mi">1</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">expenses</span><span class="p">.</span><span class="n">id</span> <span class="k">ASC</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">anon_1</span> </code></pre> </div> <p>Notice our WHERE clause: <code>0 = 1</code>. Where's that coming from? <code>sqlalchemy-oso</code> enforces our Polar policy by translating rules from the policy into SQL filters. <code>0 = 1</code> is always false, which causes no records to be returned from the database.</p> <h2> Adding some rules </h2> <p>Now that we have oso integrated, let's finish implementing our authorization rule. Keep the app running, the <code>FLASK_RUN_EXTRA_FILES</code> environment variable we set will ensure that Flask reloads the app when you change the policy.</p> <p>Let's try the following (in <code>app/policy.polar</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">allow</span><span class="p">(</span><span class="n">_actor</span><span class="p">,</span> <span class="n">_action</span><span class="p">,</span> <span class="n">_resource</span><span class="p">);</span> </code></pre> </div> <p>This policy allows the user to access any object. In Polar, each statement in the policy is called a rule. The <code>allow</code> rule is a special rule that is used as the entrypoint to policies. It has three arguments, the <strong>actor</strong> (who's making the request), the <strong>action</strong> (what the request will do), and the <strong>resource</strong> (what the request is operating over). Our policy has one rule. Each parameter starts with <code>_</code> which indicates an anonymous variable (one that matches anything because there are no constraints on it).</p> <p>Rerun the query, and check out the SQL (Just refresh <a href="http://localhost:5000/sql">http://localhost:5000/sql</a>. You'll see a few statements there, I've picked out the primary SQL query used to resolve the GraphQL query):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">expenses</span><span class="p">.</span><span class="n">id</span> <span class="k">AS</span> <span class="n">expenses_id</span><span class="p">,</span> <span class="n">expenses</span><span class="p">.</span><span class="n">amount</span> <span class="k">AS</span> <span class="n">expenses_amount</span><span class="p">,</span> <span class="n">expenses</span><span class="p">.</span><span class="n">created_by_id</span> <span class="k">AS</span> <span class="n">expenses_created_by_id</span><span class="p">,</span> <span class="n">expenses</span><span class="p">.</span><span class="n">description</span> <span class="k">AS</span> <span class="n">expenses_description</span> <span class="k">FROM</span> <span class="n">expenses</span> <span class="k">WHERE</span> <span class="mi">1</span> <span class="o">=</span> <span class="mi">1</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">expenses</span><span class="p">.</span><span class="n">id</span> <span class="k">ASC</span> <span class="k">LIMIT</span> <span class="mi">4</span> <span class="k">OFFSET</span> <span class="mi">0</span> </code></pre> </div> <p>Now, we see <code>WHERE 1 = 1</code>. This is always true! As a result, everything's been returned. </p> <p>Let's go a little further:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">allow</span><span class="p">(</span><span class="n">_</span><span class="p">:</span> <span class="n">User</span><span class="p">,</span> <span class="s">"read"</span><span class="p">,</span> <span class="n">_</span><span class="p">:</span> <span class="n">Expense</span><span class="p">);</span> </code></pre> </div> <p>This policy is saying all users can read all expenses. Again, the <code>_</code> denotes an anonymous or ignored variable, but the <code>: User</code> syntax is checking that the input data matches a specific type. In this case, the User and Expense models from our <a href="http://models.py/">models.py</a> file.</p> <p>Here's the returned data:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zJ8H1_g1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/gslz33tyz854pcf72v8i.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zJ8H1_g1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/gslz33tyz854pcf72v8i.png" alt="Alt Text"></a></p> <p>Notice that the <code>createdBy</code> field of each expense is now <code>null</code>. Since we have no rule for the <code>User</code> resource, the user cannot view any expenses. Add a rule for <code>User</code> now:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">allow</span><span class="p">(</span><span class="n">_</span><span class="p">:</span> <span class="n">User</span><span class="p">,</span> <span class="s">"read"</span><span class="p">,</span> <span class="n">_</span><span class="p">:</span> <span class="n">Expense</span><span class="p">);</span> <span class="n">allow</span><span class="p">(</span><span class="n">_</span><span class="p">:</span> <span class="n">User</span><span class="p">,</span> <span class="s">"read"</span><span class="p">,</span> <span class="n">_</span><span class="p">:</span> <span class="n">User</span><span class="p">);</span> </code></pre> </div> <p>The above policy is in <a href="https://github.com/osohq/oso-graphene-sqlalchemy-app/commit/972fa730a7bf957f4f50fce3820555b2775bb21b">this commit on GitHub.</a></p> <p>Now, let's get to our rule: users can view their own expenses. Polar rules can have a body, indicated by the <code>if</code> keyword. Here's a rule that will do what we want: <em>a user can read an expense if the expense was created by the user</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">allow</span><span class="p">(</span><span class="n">user</span><span class="p">:</span> <span class="n">User</span><span class="p">,</span> <span class="s">"read"</span><span class="p">,</span> <span class="n">expense</span><span class="p">:</span> <span class="n">Expense</span><span class="p">)</span> <span class="k">if</span> <span class="n">expense</span><span class="p">.</span><span class="n">created_by</span> <span class="o">=</span> <span class="n">user</span><span class="p">;</span> <span class="n">allow</span><span class="p">(</span><span class="n">_</span><span class="p">:</span> <span class="n">User</span><span class="p">,</span> <span class="s">"read"</span><span class="p">,</span> <span class="n">_</span><span class="p">:</span> <span class="n">User</span><span class="p">);</span> </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--bxhfwhlS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/6qj0r945zguipj6fc08y.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--bxhfwhlS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/6qj0r945zguipj6fc08y.png" alt="Alt Text"></a></p> <p>Let's look at the SQL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">expenses</span><span class="p">.</span><span class="n">id</span> <span class="k">AS</span> <span class="n">expenses_id</span><span class="p">,</span> <span class="n">expenses</span><span class="p">.</span><span class="n">amount</span> <span class="k">AS</span> <span class="n">expenses_amount</span><span class="p">,</span> <span class="n">expenses</span><span class="p">.</span><span class="n">created_by_id</span> <span class="k">AS</span> <span class="n">expenses_created_by_id</span><span class="p">,</span> <span class="n">expenses</span><span class="p">.</span><span class="n">description</span> <span class="k">AS</span> <span class="n">expenses_description</span> <span class="k">FROM</span> <span class="n">expenses</span> <span class="k">WHERE</span> <span class="mi">1</span> <span class="o">=</span> <span class="n">expenses</span><span class="p">.</span><span class="n">created_by_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">expenses</span><span class="p">.</span><span class="n">id</span> <span class="k">ASC</span> <span class="k">LIMIT</span> <span class="mi">2</span> <span class="k">OFFSET</span> <span class="mi">0</span> </code></pre> </div> <p>Now, we see <code>WHERE 1 = expenses.created_by_id</code>. <code>1</code> is the id of the current user. Our policy has translated into SQL! Check out <a href="https://github.com/osohq/oso-graphene-sqlalchemy-app/commit/eb2586f1d5bfe587e8efade57db14a4e203163d4">this commit to run it</a>!</p> <h2> Going further </h2> <p>So far, we've showed a small policy example. oso gives us a consistent abstraction for expressing authorization rules even though we can't just use simple decorators with GraphQL. To implement it, we didn't have to alter our resolvers, or write any new ones. Polar and GraphQL are both declarative approaches to their problem domains: Polar provides an abstraction for declaring authorization rules, while GraphQL provides a declarative abstraction for obtaining data from a backend. </p> <p>If you want to see a bit more, we've taken this policy a bit further in the example app <a href="https://github.com/osohq/oso-graphene-sqlalchemy-app/commit/5405736f601c8e5876593dd6d83f30c6d4438bad">here</a>. This policy shows:</p> <ul> <li>A new authorization rule that uses relationships: <em>users can view expenses for projects they are in.</em> Polar supports expressive rules involving relationships, which are extremely common in authorization policies (relationships often group users &amp; resources together in ways that reflect the business domain).</li> <li>Generalization of authorization concepts (like creation) using rules. Writing new rules allows you to abstract functionality, and keep your policy DRY—equivalent to lifting common functionality into a function in the rest of your code (Polar's just code after all!).</li> </ul> <p>To learn more about what we walked through:</p> <ul> <li>Check out our documentation on <a href="https://docs.osohq.com/getting-started/list-filtering/index.html">List Filtering</a> &amp; <a href="https://docs.osohq.com/getting-started/list-filtering/sqlalchemy.html">SQLAlchemy</a>.</li> <li> <a href="https://docs.osohq.com/using/frameworks/sqlalchemy.html#installation">Install</a> the <code>sqlalchemy-oso</code> library.</li> <li> <a href="http://join-slack.osohq.com/">Join our Slack</a> to chat with our engineering team. We're rapidly expanding the features discussed in this post, and would love to hear about your use cases!</li> </ul> graphql authorization sqlalchemy python