Tutorial: Using Cerbos with Prisma

Prisma has come onto the Node/Typescript scene recently as a new generation of ORM. With it’s strongly-typed client, schema abstraction and great documentation, it is turning into the natural choice for modern applications.

This article covers setting up a basic CRM web application using Prisma for data storage and Cerbos for authorization to create, read, update and delete contacts based on who the user is. Our business requirements for who can do what are as follows:

  • Admins can do all actions

  • Users in the Sales department can read and create contacts

  • Only the user who created the contact can update and delete it

The last point is an important one as the authorization decision requires context of what is being accessed to make the decision if an action can be performed.

Note that whilst authentication is out of scope of this article, Cerbos is compatible with any authentication system - be it basic auth, JWT or a service like Auth0.

You can find the Github repo for this tutorial here.

Setting up Prisma

To get started, we need to install our various dependencies. Copy and run the following:

mkdir express-prisma-cerbos
cd express-prisma-cerbos

cat << EOF > package.json
{
  "prisma": {
      "seed": "ts-node prisma/seed.ts"
  }
}
EOF

npm i express @cerbos/grpc @prisma/client &&
npm i --save-dev @types/express ts-node

For this simplified tutorial, we will use a simple Prisma model to represent a CRM contact. We’ll also opt to use a SQLite database, but this can be swapped out to your DB of choice. You can find the Prisma documentation here for more details.

Create a prisma folder and add the basic Prisma schema to prisma/schema.prisma, by copying and running the following:

mkdir prisma && cat << EOF > prisma/schema.prisma
// This is your Prisma schema file,
// learn more about it in the docs: https://pris.ly/d/prisma-schema

datasource db {
  provider = "sqlite"
  url      = "file:./dev.db"
}

generator client {
  provider = "prisma-client-js"
}

model Contact {
  id             String   @id @default(cuid())
  createdAt      DateTime @default(now())
  updatedAt      DateTime @updatedAt
  firstName      String
  lastName       String
  ownerId        String
  active         Boolean  @default(false)
  marketingOptIn Boolean  @default(false)
}
EOF

Next, we define the seed script which will be used to populate the database with the following contacts:

ID First Name Marketing Opt-In Active Owner ID

1

Nick

Yes

Yes

1

2

Simon

Yes

No

1

3

Mary

No

Yes

1

4

Christina

Yes

No

2

5

Aleks

Yes

Yes

2

Run the following to generate the script:

cat << EOF > prisma/seed.ts
import { PrismaClient } from "@prisma/client";

const prisma = new PrismaClient();

const contactData = [
  {
    id: "1",
    firstName: "Nick",
    lastName: "Smyth",
    marketingOptIn: true,
    active: true,
    ownerId: "1",
  },
  {
    id: "2",
    firstName: "Simon",
    lastName: "Jaff",
    marketingOptIn: true,
    active: false,
    ownerId: "1",
  },
  {
    id: "3",
    firstName: "Mary",
    lastName: "Jane",
    active: true,
    marketingOptIn: false,
    ownerId: "1",
  },
  {
    id: "4",
    firstName: "Christina",
    lastName: "Baker",
    marketingOptIn: true,
    active: false,
    ownerId: "2",
  },
  {
    id: "5",
    firstName: "Aleks",
    lastName: "Kozlov",
    marketingOptIn: true,
    active: true,
    ownerId: "2",
  }
];

async function main() {
  console.log("Start seeding ...");
  for (const c of contactData) {
    const contact = await prisma.contact.create({
      data: c,
    });
    console.log("Created contact with id: " + contact.id);
  }
  console.log("Seeding finished.");
}

main()
  .catch((e) => {
    console.error(e);
    process.exit(1);
  })
  .finally(async () => {
    await prisma.\$disconnect();
  });
EOF

Now, to initialize our DB, generate the Prisma client and seed the database, run the following:

npx prisma migrate dev --name init

Creating an access policy

We will be using a Docker container to run the Cerbos PDP instance, so ensure that you have Docker set up first!

The first step is to create a resource policy file. Our requirements, as a reminder, were:

  • Admins can do all actions

  • Users in the Sales department can read and create contacts

  • Only the user who created the contact can update and delete it

  • A resource policy file called ‘contacts.yaml’ should be created in the policies folder with the following:

Let’s create a cerbos directory (see repo) with a subdirectory; policies, and a file contacts.yaml inside there. To do this, run the following:

mkdir -p cerbos/policies && cat << EOF > cerbos/policies/contacts.yaml
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: contact
  rules:
  # Admins can do all actions
  - actions: ["*"]
    effect: EFFECT_ALLOW
    roles:
      - admin

  # Users in the Sales department can read and create contacts
  - actions: ["read", "create"]
    effect: EFFECT_ALLOW
    roles:
      - user
    condition:
      match:
        expr: request.principal.attr.department == "Sales"

  # Only the user who created the contact can update and delete it
  - actions: ["update", "delete"]
    effect: EFFECT_ALLOW
    roles:
      - user
    condition:
      match:
        expr: request.resource.attr.ownerId == request.principal.id
EOF

Conditions are the powerful part of Cerbos which enables authorization decisions to be made at request time using context from both the principal (the user) and the resource they are trying to access. In this policy we are using conditions to check the department of the user for read and create actions, then again in the update and delete policy to check that the owner of the resource is the principal making the request.

As you are working on the policies, you can run the following to check that they are valid. If no errors are logged then you are good to go.

cd cerbos
docker run -i -t -p 3592:3592 \
  -v $(pwd)/policies:/policies \
  ghcr.io/cerbos/cerbos:0.24.0 \
  compile /policies

Now let’s fire up the Cerbos PDP. We provide an image to do this easily — simply run the following:

docker run -i -t -p 3592:3592 \
  -v $(pwd)/policies:/policies \
  ghcr.io/cerbos/cerbos:0.24.0 \
  server

If everything is correct, we should see the following output:

2022-12-07T16:43:40.626Z        INFO    cerbos.server   maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined
2022-12-07T16:43:40.626Z        INFO    cerbos.server   Loading configuration from /conf.default.yaml
2022-12-07T16:43:40.630Z        INFO    cerbos.index    Found 1 executable policies
2022-12-07T16:43:40.631Z        INFO    cerbos.telemetry        Anonymous telemetry enabled. Disable via the config file or by setting the CERBOS_NO_TELEMETRY=1 environment variable
2022-12-07T16:43:40.631Z        INFO    cerbos.dir.watch        Watching directory for changes  {"dir": "/policies"}
2022-12-07T16:43:40.632Z        INFO    cerbos.http     Starting HTTP server at :3592
2022-12-07T16:43:40.632Z        INFO    cerbos.grpc     Starting gRPC server at :3593

Setting up the server

Having now set up both our Cerbos policy and our Prisma database, it is time to implement our web server. For this example we will be using Express to set up a simple server running on port 3000. We will also import our Prisma and Cerbos clients which we will use later on.

mkdir src
cat << EOF > src/index.ts
import { PrismaClient } from "@prisma/client";
import express, { Request, Response } from "express";
import { GRPC } from "@cerbos/grpc";

const prisma = new PrismaClient({ log: ["query", "info", "warn", "error"] });
const cerbos = new GRPC("localhost:3592", { tls: false }); // The Cerbos PDP instance

const app = express();

app.use(express.json());

const server = app.listen(3000, () =>
  console.log("🚀 Server ready at: http://localhost:3000")
);
EOF

Now we need to create our routes which we will authorize. For this simple example, we will create a GET for a contact resource.

Using the Prisma client, query for the contact which matches the ID of the URL parameter. If it is not found, return an error message. Add the following to src/index.ts:

// Implementing an authentication provider is out of scope of this article and you will more than likely already have one in place,
// So we build a static one here for indicative use
const user = {
  "id": "1", // user id
  "role": "user", // single role (user, admin)
  //"role": "admin",
  "department": "Sales" // department of the user
  //"department": "Marketing"
};

app.get("/contacts/:id", async ({ params }, res) => {
  // load the contact
  const contact = await prisma.contact.findUnique({
    where: {
      id: params.id,
    },
  });
  if (!contact) return res.status(404).json({ error: "Contact not found" });

  // TODO check authz and return a response
});

Authorizing requests

With our policy defined, we can call Cerbos from our request handler to authorize the principal to take the action on the resource.

To do this, we need to update our GET handler and replace the TODO with a call to Cerbos; passing in the details about the user and the attributes of the contact resource, as well as the action being made:

  // check user is authorized
  const decision = await cerbos.checkResource({
    principal: {
      id: `${user.id}`,
      roles: [user.role],
      attributes: {
        department: user.department,
      },
    },
    resource: {
      kind: "contact",
      id: contact.id + '',
      attributes: JSON.parse(JSON.stringify(contact)),
    },
    actions: ["read"],
  });

  // authorized for read action
  if (decision.isAllowed("read")) {
    return res.json(contact);
  } else {
    return res.status(403).json({ error: "Unauthorized" });
  }

In this case, we are only checking a single contact using the checkResource method. There is also a checkResources method available which supports batching resources into a single request (perhaps for use in a list endpoint). A checkResources call could be used like this:

  const decision = await cerbos.checkResources({
    principal: {
        id: `${user.id}`,
        roles: [user.role]
        attributes: {
          department: user.department,
        },
    },
    resources: [
      {
        resource: {
          kind: "contact",
          id: contact.id + '',
          attributes: JSON.parse(JSON.stringify(contact)),
        },
        actions: ["read"],
      },
      ...
    ],
  });

  decision.isAllowed({
    resource: { kind: "contact", id: ${user.id} },
    action: "read",
  }); // => true

Once we get the response back from Cerbos, calling the .isAllowed method for the required action (and optionally, the given resource ID in the checkResources case) will return a simple boolean of whether the user is authorized or not. Using this, we can either return the contact or throw an HTTP 403 Unauthorized response.

The query planner

If we provide Cerbos with a principal, a description of the resource they’re trying to access and the required action, we can ask it for a query plan.

Start by installing the following dependency:

npm i express @cerbos/orm-prisma

Then add the following to index.js:

import { queryPlanToPrisma, PlanKind } from "@cerbos/orm-prisma";

app.get("/contacts", async (req, res) => {
  // Fetch the query plan from Cerbos passing in the principal
  // resource type and action
  const contactQueryPlan = await cerbos.planResources({
    principal: {
      id: `${user.id}`,
      roles: [user.role],
      attributes: {
        department: user.department,
      },
    },
    resource: {
      kind: "contact",
    },
    action: "read",
  });

  // TODO convert query plan to a Prisma adapater instance
});

We can then use the Cerbos Prisma ORM adapter to convert this query plan response, like so:

  const queryPlanResult = queryPlanToPrisma({
    queryPlan: contactQueryPlan,
    // map or function to change field names to match the prisma model
    fieldNameMapper: {
      "request.resource.attr.ownerId": "ownerId",
      "request.resource.attr.department": "department",
      "request.resource.attr.active": "active",
      "request.resource.attr.marketingOptIn": "marketingOptIn",
    },
  });

  let contacts: any[];

  if (queryPlanResult.kind === PlanKind.ALWAYS_DENIED) {
    contacts = [];
  } else {
    // Pass the filters in as where conditions
    // If you have prexisting where conditions, you can pass them in an AND clause
    contacts = await prisma.contact.findMany({
      where: {
        AND: queryPlanResult.filters
      },
      select: {
        firstName: true,
        lastName: true,
        active: true,
        marketingOptIn: true,
      },
    });
  }

  return res.json({
    contacts,
  });

In the case that the result kind is not ALWAYS_DENIED, we retrieve the filters from the adapter instance, and use them to construct a query using the Prisma ORM.

Trying it out

Run the Cerbos PDP, as described above, and separately, fire up the node server as follows:

npx ts-node src/index.ts

Then, hit it with some requests:

curl -i http://localhost:3000/contacts/1
curl -i http://localhost:3000/contacts

Conclusion

Through this simple example, we have used Primsa as our ORM to create a REST API which is authorized using Cerbos for a simple CRM system. This can be built upon to add more complex requirements, for example:

  • Checking the IP address of the request to ensure it is within the corporate IP range

  • Check if the incoming change is within an acceptable boundary eg only allow 20% discounts on a product unless an admin

  • Ensure only certain actions are done during work-hours

You can find a sample repo of integrating Primsa and Cerbos in an Express server on Github, as well as many other example projects of implementing Cerbos.