CONJSE-1785: Remain with weak privileges in case of policy conflicts

CHANGELOG.md

@@ -9,9 +9,17 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Nothing should go in this section, please add to the latest unreleased version
   (and update the corresponding date), or add a new version.
 
+## [1.0.5-cloud] - 2023-08-16
+### Security
+- Previously, attempting to add and remove a privilege in the same policy load
+  resulted in only the positive privilege (grant, permit) taking effect. Now we
+  fail safe and the negative privilege statement (revoke, deny) is the final
+  outcome
+  [CONJSE-1785](https://ca-il-jira.il.cyber-ark.com:8443/browse/CONJSE-1785)
+
 ## [1.0.4-cloud] - 2023-08-10
-### Fixed
-- Support plural syntax for revoke and deny 
+### Security
+- Support plural syntax for revoke and deny
   [CONJSE-1783](https://ca-il-jira.il.cyber-ark.com:8443/browse/CONJSE-1783)
 
 ### Added

app/models/loader/orchestrate.rb

@@ -107,8 +107,6 @@ def setup_db_for_new_policy
         @extensions.call(:before_load_policy, policy_version: @policy_version)
       end
 
-      perform_deletion
-
       create_schema
 
       load_records
@@ -129,6 +127,8 @@ def store_policy_in_db
 
       drop_schema
 
+      perform_deletion
+
       store_passwords
 
       store_public_keys

cucumber/policy/features/deletion.feature

@@ -71,6 +71,12 @@ Feature: Deleting objects and relationships.
       body:
       - !delete
         record: !variable db-password
+    """
+    And I load a policy:
+    """
+    - !policy
+      id: test
+      body:
       - !variable db-password
     """
     Then variable "test/db-password" exists
@@ -264,3 +270,42 @@ Feature: Deleting objects and relationships.
     Then the role list includes host "host-01"
     And the role list includes host "host-02"
     And the role list includes host "host-03"
+
+    @smoke
+    Scenario: Delete statements prevail on conflicting policy statements
+      If a policy contains both adding and deleting statements (delete, deny, revoke),
+      then we want to ensure that we fail safe and the delete statement is the final outcome.
+      Given I update the policy with:
+      """
+      - !variable db/password
+      - !host host-01
+      - !permit
+        resource: !variable db/password
+        privileges: [ execute ]
+        role: !host host-01
+      - !deny
+        resource: !variable db/password
+        privileges: [ execute ]
+        role: !host host-01
+      """
+      When I list the roles permitted to execute variable "db/password"
+      Then the role list does not include host "host-01"
+      Given I update the policy with:
+      """
+      - !group hosts
+      - !grant
+        role: !host host-01
+        member: !group hosts
+      - !revoke
+        role: !host host-01
+        member: !group hosts
+      """
+      When I show the group "hosts"
+      Then host "host-01" is not a role member
+      Given I update the policy with:
+      """
+      - !variable to_be_deleted
+      - !delete
+        record: !variable to_be_deleted
+      """
+      Then variable "to_be_deleted" does not exist