Appeal approval outside Guardian

[singhvikash11]

Summary
Complex appeal approval flow can't be modelled using policy config YAML file so in that case, Guardian should be able to integrate with existing complex approval flow like bpmn.

Proposed solution
Guardian can integrate with exiting approval flow either by webhook or subscribe to events.

[rahmatrhd]

my rough thought for now is, we can introduce type field in the approval step configuration. If the approach for this is to fetch to external service, we can set the type as fetch and provide the host, creds, payload etc. While the existing human/auto approval step would be the normal type

[ravisuhag]

Hmm. This is interesting. I can think of a couple of types.

• manual: By Humans. (I think this is what you refer as normal)
• http: Guardian will call an http API to check. (Referred as fetch)
• auto: Approve automatically if a certain condition is met.

Thoughts?

[rahmatrhd]

pardon me, I just realized that we already have strategy field with possible values auto and manual, we can simply introduce http for this 😁

[rahmatrhd]

@singhvikash11 we need to define a contract for the http api, can you help with that?

[rahmatrhd]

my proposal for this:

# policy
id: my-policy
steps:
- name: owner-approval
  strategy: manual
  approvers:
  - $appeal.resource.details.owner
- name: external-approval
  strategy: auto
  http:
    url: http://example.com/approval/$appeal.account_id
    headers:
      X-Foo-Bar: baz
    authorization:
      type: basic
      username: user
      password: pass
  approve_if: '$response.body.foo == "bar"' 

1. can just use existing auto strategy with the same resolution using existing approve_if.
2. approve_if will get evaluated only if response status is 200 OK
3. add $response param to approve_if evaluation if http config is present and response status is 200 OK
4. one field addition which is http containing target API info (GET only)
5. no API contract required with guardian

[ravisuhag]

@rahmatrhd any reason to use auto and not http?

[rahmatrhd]

@ravisuhag because http fetch approval is essentially an automatic approval that doesn't require human approval

[ravisuhag]

@rahmatrhd One concern I have is that lot of params will become conditional. If the strategy is this then set this and this and so on. So it might get tricky for policy users to figure out for which strategy which params I should use. Same on the implementation side and combinations start to increase. So, would it make sense to actually segregate it as per strategy? thoughts?

[bsushmith]

I think in addition to the above and detailed documentation, we should have also a command/api similar to guardian policy validate or guardian policy lint so that one can run it and check if the policy file that they have created is valid. and if valid, detailed error output to describe what is incorrect.

[ravisuhag]

@bsushmith can you create an issue for this please?

[bsushmith]

Created issue #237