ExCop is a flexible policy DSL allowing you to write easy-to-navigate policies. ExCop doesn't make any assumption about what kind of layer is on top or under it - and even though it was designed to work particularily easily with Absinthe, it should also work for many other environments.
If available in Hex, the package can be installed
by adding ex_cop
to your list of dependencies in mix.exs
:
def deps do
[
{:ex_cop, "~> 0.1.0"}
]
end
Documentation can be generated with ExDoc and published on HexDocs. Once published, the docs can be found at https://hexdocs.pm/ex_cop.
Once installed, you must tell ExCop which one is your user module. You do that in your configuration by adding something like:
config :ex_cop,
user_module: MyApp.User
To write a policy, simply create a module looking like something like the following:
defmodule MyApp.PostPolicy do
alias MyApp.{Post, User}
use ExCop, target: Post
allowance "all users can see a post title and body if it's valid" do
# We require that the `%Post{}` subject has a field `valid` set to `true`.
subject %{valid: true}
field_in [:title, :body]
end
allowance "logged-in users can see the author of a post" do
requires_logged_in_user()
field :author
end
allowance "users can see everything on posts they authored" do
subject %{author_id: user_id}
user %User{id: user_id}
end
allowance "posts with less than three comments can be seen by logged-in users" do
# Here, we guard against the shape of a particular subject, and later use that binding.
subject %{comment_count: count}
# This is a shortcut to `user %User{}`.
requires_logged_in_user()
guard count < 3
end
allowance "allows CIA users to see everything on posts for area 51" do
subject %{cia_post: true, mission: mission}
check do
String.downcase(user.agency) == "cia" && mission =~ "area 51"
end
end
allowance "administrators can see everything in a post" do
# This is a shortcut to `user %User{is_admin: true}`.
requires_admin_user()
end
end
If you're using Absinthe and want to control what is happening at the root of your schema, you'll have to implement a policy such as this one:
defmodule MyApp.RootPolicy do
@moduledoc false
use ExCop.Policy, target: Map
# Shortcut to using `parent :query`.
query_allowance "users can access certain queries" do
requires_logged_in_user()
field_in [:me, :users, :onboards, :documents]
end
# Shortcut to using `parent :mutation`.
mutation_allowance "guests can create new users and authenticate" do
requires_guest_user()
field_in [:create_user, :authenticate]
end
end
Another trick you can leverage while using ExCop is the policy delegation feature. Consider something like the following:
defmodule MyApp.RootPolicy do
@moduledoc false
use ExCop.Policy, target: Map
# Shortcut to using `parent :query`.
mutation_allowance "users can access certain queries" do
field :add_comment
delegated()
end
end
This particular policy would destructure the context
into %{fetched: %{subject: subject}}
and call
ExCop.Policy.Protocol.can?/6
, effectivelly replacing the subject by the one found in context. Therefore,
if the subject is of a different type, the protocol would in turn try to find a matching policy for the new
subject.
Note that for this mechanism to work, you will need to have the context fetched before you try and apply policies to your subject. See the "Loading Subjects" paragraph for more information.
Policies are compiled into Elixir. A module will be created conforming to the ExCop.Policy
and
declaring a series of can?/6
functions, one per policy
you called.
At runtime, policies are evaluated from top to bottom - so it might be a good idea to keep the most used ones on top and the most expensive ones to run at the bottom, like you would usually do with pattern-matching.
In case of a default:
- If no policy module exists for the target, it will return
{:error, :missing_policy}
. - When no policy is found matching the arguments,
{:error, :unauthorized}
will be returned.
Note that most of the builder is defined using macros - so you will get compile-time errors and warnings if you define a guard using a variable that is unknown, or if you declare a binding that is not used.
For more informations about how policies can be written, please check test/ex_cop/police_test.exs
and
its fixtures.
If you decide to use the check
function, be mindful of the following:
- You can use the following bindings
subject
,user
,parent
,field
,context
andargs
. - Your check block will allow access if it returns anything else than
false
-ey. - The check function is performed after pattern matching - meaning that once the check block is entered, no further policy will be evaluated, even if the check block returns
false
-ey.
To check for a policy, you can do something like this:
source |> ExCop.Police.check(user, parent, field, context, args)
For certain policies, you want to make sure that the subject is loaded before the policies are ran. In the
case of Absinthe, it means that you might want to have your subject
loaded before your authorization layer
kicks-in.