| author | mo khan <mo@mokhan.ca> | 2025-07-11 08:54:41 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-11 08:54:41 -0600 |
| commit | 91dd070fa8a24df1886d59eee6d484be4647c9e3 (patch) | |
| tree | 4687b2d9e13d1fad04e57bb6550a633cd1058cc9 /etc | |
| parent | 6721aaffa33894624c87a54f4ed10eccd3c080e5 (diff) | |
feat: import project policies
gl-policies
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/authzd/gitlab.com/gitlab-org/gitlab/entities.json | 190 | ||||
| -rw-r--r-- | etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/entities.json | 138 | ||||
| -rw-r--r-- | etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/entities.json | 138 | ||||
| -rw-r--r-- | etc/authzd/gitlab_access.cedar | 127 | ||||
| -rw-r--r-- | etc/authzd/gitlab_schema.cedarschema | 158 | ||||
| -rw-r--r-- | etc/authzd/gitlab_simple.cedar | 144 | ||||
| -rw-r--r-- | etc/authzd/gitlab_visibility.cedar | 127 | ||||
| -rw-r--r-- | etc/authzd/test_simple.cedar | 6 |
8 files changed, 928 insertions, 100 deletions
diff --git a/etc/authzd/gitlab.com/gitlab-org/gitlab/entities.json b/etc/authzd/gitlab.com/gitlab-org/gitlab/entities.json index 1992a9c7..f0e61bf3 100644 --- a/etc/authzd/gitlab.com/gitlab-org/gitlab/entities.json +++ b/etc/authzd/gitlab.com/gitlab-org/gitlab/entities.json @@ -7,7 +7,31 @@ "attrs": { "name": "GitLab", "path": "gitlab", - "full_path": "gitlab-org/gitlab" + "full_path": "gitlab-org/gitlab", + "visibility": "public", + "archived": false, + "members": [ + "User::\"1\"", + "User::\"263716\"", + "User::\"2293\"", + "User::\"283999\"", + "User::\"370493\"", + "User::\"138401\"", + "User::\"516904\"", + "User::\"527558\"", + "User::\"215818\"", + "User::\"429540\"", + "User::\"581582\"", + "User::\"626804\"", + "User::\"597578\"", + "User::\"739252\"", + "User::\"201566\"", + "User::\"829774\"", + "User::\"4849\"", + "User::\"790854\"", + "User::\"273486\"", + "User::\"411701\"" + ] }, "parents": [ { @@ -23,7 +47,10 @@ }, "attrs": { "username": "sytses", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -34,7 +61,10 @@ }, "attrs": { "username": "grzesiek", - "access_level": 40 + "access_level": 40, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -45,7 +75,38 @@ }, "attrs": { "username": "brodock", - "access_level": 40 + "access_level": 40, + "admin": false, + "blocked": false, + "external": false + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "283999" + }, + "attrs": { + "username": "dbalexandre", + "access_level": 40, + "admin": false, + "blocked": false, + "external": false + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "370493" + }, + "attrs": { + "username": "luke", + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, 
@@ -56,7 +117,24 @@ }, "attrs": { "username": "chriscool", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "516904" + }, + "attrs": { + "username": "tauriedavis", + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -67,7 +145,10 @@ }, "attrs": { "username": "eliran.mesika", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -78,7 +159,10 @@ }, "attrs": { "username": "tmaczukin", - "access_level": 40 + "access_level": 40, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -89,7 +173,10 @@ }, "attrs": { "username": "ahanselka", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -100,7 +187,10 @@ }, "attrs": { "username": "arihantar", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -111,7 +201,10 @@ }, "attrs": { "username": "pedroms", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -122,7 +215,10 @@ }, "attrs": { "username": "WarheadsSE", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -133,18 +229,10 @@ }, "attrs": { "username": "jdrumtra", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "739361" - }, - "attrs": { - "username": "Elsje", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -155,7 +243,10 @@ }, "attrs": { "username": "annabeldunstone", - "access_level": 40 + "access_level": 40, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, 
@@ -166,7 +257,10 @@ }, "attrs": { "username": "jivanvl", - "access_level": 40 + "access_level": 40, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -177,7 +271,10 @@ }, "attrs": { "username": "balasankarc", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -188,7 +285,10 @@ }, "attrs": { "username": "harishsr", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -199,7 +299,10 @@ }, "attrs": { "username": "jameslopez", - "access_level": 40 + "access_level": 40, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -210,29 +313,10 @@ }, "attrs": { "username": "kushalpandya", - "access_level": 40 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "508743" - }, - "attrs": { - "username": "jarka", - "access_level": 40 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "506061" - }, - "attrs": { - "username": "ahmadsherif", - "access_level": 30 + "access_level": 40, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -244,7 +328,9 @@ "attrs": { "name": "GitLab.org", "path": "gitlab-org", - "full_path": "gitlab-org" + "full_path": "gitlab-org", + "visibility": "private", + "members": [] }, "parents": [] } diff --git a/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/entities.json b/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/entities.json index 6bc513fb..6416ec72 100644 --- a/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/entities.json +++ b/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/entities.json 
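Review bot: The `access_level` attribute is stored on each `User` entity, yet the same users are given different levels in different entity files of this commit — `grzesiek` and `brodock` are `40` here and `30` in the authzd entities file — so these files can never be loaded into one Cedar entity store (one `User::"…"` uid with conflicting attributes) and a single per-user number cannot express per-project roles. The schema added in this commit already declares a `ProjectMembership` with `user_id`, `project_id` and `access_level`; the level belongs there, or in a per-resource map, not on the principal. Until that changes, a `_comment` field or a README beside these files should state that each file is only valid for requests about its own project, because nothing in the JSON prevents them from being merged. The project also gains `"parents": [ … ]` pointing at its group while every group's `members` is `[]`, so inherited group membership is not modelled anywhere visible here; presumably the exporter flattens it into the project's `members`, which is worth stating in the same note.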
@@ -7,7 +7,31 @@ "attrs": { "name": "authz.d", "path": "authzd", - "full_path": "gitlab-org/software-supply-chain-security/authorization/authzd" + "full_path": "gitlab-org/software-supply-chain-security/authorization/authzd", + "visibility": "private", + "archived": false, + "members": [ + "User::\"1\"", + "User::\"116\"", + "User::\"13356\"", + "User::\"3585\"", + "User::\"12452\"", + "User::\"64248\"", + "User::\"263716\"", + "User::\"283999\"", + "User::\"2293\"", + "User::\"215818\"", + "User::\"128633\"", + "User::\"273486\"", + "User::\"201566\"", + "User::\"426128\"", + "User::\"138401\"", + "User::\"367626\"", + "User::\"516904\"", + "User::\"527558\"", + "User::\"429540\"", + "User::\"506061\"" + ] }, "parents": [ { @@ -23,7 +47,10 @@ }, "attrs": { "username": "sytses", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -34,7 +61,10 @@ }, "attrs": { "username": "marin", - "access_level": 50 + "access_level": 50, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -45,7 +75,10 @@ }, "attrs": { "username": "dblessing", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -56,7 +89,10 @@ }, "attrs": { "username": "axil", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -67,7 +103,10 @@ }, "attrs": { "username": "ayufan", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -78,7 +117,10 @@ }, "attrs": { "username": "stanhu", - "access_level": 50 + "access_level": 50, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -89,7 +131,10 @@ }, "attrs": { "username": "grzesiek", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, 
@@ -100,7 +145,10 @@ }, "attrs": { "username": "dbalexandre", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -111,7 +159,10 @@ }, "attrs": { "username": "brodock", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -122,7 +173,10 @@ }, "attrs": { "username": "tmaczukin", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -133,7 +187,10 @@ }, "attrs": { "username": "rymai", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -144,7 +201,10 @@ }, "attrs": { "username": "jameslopez", - "access_level": 40 + "access_level": 40, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -155,7 +215,10 @@ }, "attrs": { "username": "annabeldunstone", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -166,7 +229,10 @@ }, "attrs": { "username": "felipe_artur", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -177,7 +243,10 @@ }, "attrs": { "username": "chriscool", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -188,7 +257,10 @@ }, "attrs": { "username": "alejandro", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -199,7 +271,10 @@ }, "attrs": { "username": "tauriedavis", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, 
@@ -210,7 +285,10 @@ }, "attrs": { "username": "eliran.mesika", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -221,7 +299,10 @@ }, "attrs": { "username": "ahanselka", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -232,7 +313,10 @@ }, "attrs": { "username": "ahmadsherif", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -244,7 +328,9 @@ "attrs": { "name": "GitLab.org", "path": "gitlab-org", - "full_path": "gitlab-org" + "full_path": "gitlab-org", + "visibility": "private", + "members": [] }, "parents": [] }, @@ -256,7 +342,9 @@ "attrs": { "name": "software-supply-chain-security", "path": "software-supply-chain-security", - "full_path": "gitlab-org/software-supply-chain-security" + "full_path": "gitlab-org/software-supply-chain-security", + "visibility": "private", + "members": [] }, "parents": [ { @@ -273,7 +361,9 @@ "attrs": { "name": "Authorization", "path": "authorization", - "full_path": "gitlab-org/software-supply-chain-security/authorization" + "full_path": "gitlab-org/software-supply-chain-security/authorization", + "visibility": "private", + "members": [] }, "parents": [ { diff --git a/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/entities.json b/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/entities.json index 4846592a..28c07b12 100644 --- a/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/entities.json +++ b/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/entities.json 
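Review bot: The `members` set on `authzd` is a flat list of 20 user uids while all three ancestor groups (`gitlab-org`, `software-supply-chain-security`, `authorization`) get `"members": []`, so group-level membership is represented nowhere and the policies' `principal in resource.members` check only ever sees direct project members. If access inherited from the groups is meant to be honoured, the exporter must either fold group members into the project's `members` or populate the groups' `members` and have the policies walk `parents`; which is intended is not visible in this hunk. `"visibility": "private"` on groups with empty `members` also means the private-group read rule in `gitlab_visibility.cedar` can never fire for a non-admin, which may be intended but should be confirmed against the real group settings.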
@@ -7,7 +7,31 @@ "attrs": { "name": "sparkle.d", "path": "sparkled", - "full_path": "gitlab-org/software-supply-chain-security/authorization/sparkled" + "full_path": "gitlab-org/software-supply-chain-security/authorization/sparkled", + "visibility": "private", + "archived": false, + "members": [ + "User::\"1\"", + "User::\"116\"", + "User::\"13356\"", + "User::\"3585\"", + "User::\"12452\"", + "User::\"64248\"", + "User::\"263716\"", + "User::\"283999\"", + "User::\"2293\"", + "User::\"215818\"", + "User::\"128633\"", + "User::\"273486\"", + "User::\"201566\"", + "User::\"426128\"", + "User::\"138401\"", + "User::\"367626\"", + "User::\"516904\"", + "User::\"527558\"", + "User::\"429540\"", + "User::\"506061\"" + ] }, "parents": [ { @@ -23,7 +47,10 @@ }, "attrs": { "username": "sytses", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -34,7 +61,10 @@ }, "attrs": { "username": "marin", - "access_level": 50 + "access_level": 50, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -45,7 +75,10 @@ }, "attrs": { "username": "dblessing", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -56,7 +89,10 @@ }, "attrs": { "username": "axil", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -67,7 +103,10 @@ }, "attrs": { "username": "ayufan", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -78,7 +117,10 @@ }, "attrs": { "username": "stanhu", - "access_level": 50 + "access_level": 50, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -89,7 +131,10 @@ }, "attrs": { "username": "grzesiek", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, 
@@ -100,7 +145,10 @@ }, "attrs": { "username": "dbalexandre", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -111,7 +159,10 @@ }, "attrs": { "username": "brodock", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -122,7 +173,10 @@ }, "attrs": { "username": "tmaczukin", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -133,7 +187,10 @@ }, "attrs": { "username": "rymai", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -144,7 +201,10 @@ }, "attrs": { "username": "jameslopez", - "access_level": 40 + "access_level": 40, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -155,7 +215,10 @@ }, "attrs": { "username": "annabeldunstone", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -166,7 +229,10 @@ }, "attrs": { "username": "felipe_artur", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -177,7 +243,10 @@ }, "attrs": { "username": "chriscool", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -188,7 +257,10 @@ }, "attrs": { "username": "alejandro", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -199,7 +271,10 @@ }, "attrs": { "username": "tauriedavis", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, 
@@ -210,7 +285,10 @@ }, "attrs": { "username": "eliran.mesika", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -221,7 +299,10 @@ }, "attrs": { "username": "ahanselka", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -232,7 +313,10 @@ }, "attrs": { "username": "ahmadsherif", - "access_level": 30 + "access_level": 30, + "admin": false, + "blocked": false, + "external": false }, "parents": [] }, @@ -244,7 +328,9 @@ "attrs": { "name": "GitLab.org", "path": "gitlab-org", - "full_path": "gitlab-org" + "full_path": "gitlab-org", + "visibility": "private", + "members": [] }, "parents": [] }, @@ -256,7 +342,9 @@ "attrs": { "name": "software-supply-chain-security", "path": "software-supply-chain-security", - "full_path": "gitlab-org/software-supply-chain-security" + "full_path": "gitlab-org/software-supply-chain-security", + "visibility": "private", + "members": [] }, "parents": [ { @@ -273,7 +361,9 @@ "attrs": { "name": "Authorization", "path": "authorization", - "full_path": "gitlab-org/software-supply-chain-security/authorization" + "full_path": "gitlab-org/software-supply-chain-security/authorization", + "visibility": "private", + "members": [] }, "parents": [ { diff --git a/etc/authzd/gitlab_access.cedar b/etc/authzd/gitlab_access.cedar new file mode 100644 index 00000000..ca17aa67 --- /dev/null +++ b/etc/authzd/gitlab_access.cedar 
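Review bot: This entities file is identical to the authzd one in every attribute the hunk shows — the same 20 member uids in the same order and the same per-user `access_level`, `admin`, `blocked` and `external` values — which looks like a copy rather than an export of sparkled's own membership; if it was generated from the same source, a marker such as `"generated_from"` in the file or a note in the commit message would make that auditable. As in the other two files, `access_level` is recorded on the `User` rather than on the membership, so this file cannot coexist in one entity store with the gitlab entities file, where several of the same users carry a different level.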
@@ -0,0 +1,127 @@
+// GitLab Access Level Based Authorization
+// Maps to Gitlab::Access constants: Guest(10), Reporter(20), Developer(30), Maintainer(40), Owner(50)
+// Guest access (read-only operations)
+permit (
+ principal is User,
+ action in
+ [Action::"read_project",
+ Action::"read_group",
+ Action::"read_issue",
+ Action::"read_merge_request",
+ Action::"read_pipeline",
+ Action::"read_wiki",
+ Action::"download_code"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 10 &&
+ resource has visibility &&
+ (resource.visibility == "public" ||
+ resource has members &&
+ principal in resource.members)
+};
+
+// Reporter access (can create issues, view builds)
+permit (
+ principal is User,
+ action in
+ [Action::"create_issue",
+ Action::"create_issue_note",
+ Action::"read_build",
+ Action::"read_container_image",
+ Action::"pull_container_image"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 20 &&
+ resource has members &&
+ principal in resource.members
+};
+
+// Developer access (can push code, create MRs)
+permit (
+ principal is User,
+ action in
+ [Action::"push_code",
+ Action::"create_merge_request",
+ Action::"update_merge_request",
+ Action::"create_pipeline",
+ Action::"retry_pipeline",
+ Action::"push_container_image",
+ Action::"create_release"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 30 &&
+ resource has members &&
+ principal in resource.members
+};
+
+// Maintainer access (project administration)
+permit (
+ principal is User,
+ action in
+ [Action::"admin_project",
+ Action::"manage_project_members",
+ Action::"admin_merge_request",
+ Action::"push_to_delete_protected_branch",
+ Action::"admin_pipeline",
+ Action::"admin_container_registry",
+ Action::"admin_package_registry"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 40 &&
+ resource has members &&
+ principal in resource.members
+};
+
+// Owner access (full project control)
+permit (
+ principal is User,
+ action in
+ [Action::"destroy_project",
+ Action::"transfer_project",
+ Action::"archive_project",
+ Action::"change_visibility_level",
+ Action::"admin_project_hooks",
+ Action::"admin_project_runners"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 50 &&
+ resource has members &&
+ principal in resource.members
+};
+
+// Admin override - can do everything
+permit (
+ principal is User,
+ action,
+ resource
+)
+when
+{
+ principal has admin &&
+ principal.admin == true &&
+ principal has blocked &&
+ !principal.blocked
+};
+
+// Block all access for blocked users
+forbid (
+ principal is User,
+ action,
+ resource
+)
+when { principal has blocked && principal.blocked == true };
diff --git a/etc/authzd/gitlab_schema.cedarschema b/etc/authzd/gitlab_schema.cedarschema
new file mode 100644
index 00000000..78d7bd1a
--- /dev/null
+++ b/etc/authzd/gitlab_schema.cedarschema
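Review bot: Every tier reads the level from the principal (`principal.access_level >= 30` and so on), so a user is granted at a single level on every resource whose `members` set contains them, while the entity files in this commit give the same user different levels per project (`grzesiek` is 40 in the gitlab file and 30 in the authzd file); whichever value wins once those stores are combined applies to every project the user belongs to, up to `admin_project` on projects where they are only a Guest. The level should come from the membership — the schema already defines `ProjectMembership.access_level` — or the file should document that the evaluator loads exactly one project's entities per request. The Guest rule only handles `"public"` and direct membership, so an `"internal"` project is unreadable to non-members here but readable by any non-external user under `gitlab_visibility.cedar`; Cedar unions permits, so if both files are loaded the broader rule wins. A header `// NOTE:` stating which of the three policy files are meant to be loaded together would remove that ambiguity.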
@@ -0,0 +1,158 @@
+// GitLab Cedar Schema Definition
+// Defines entity types and actions for GitLab authorization
+
+// User entity represents GitLab users
+entity User = {
+ username: String,
+ name: String,
+ admin: Bool,
+ blocked: Bool,
+ external: Bool,
+ bot: Bool,
+ access_level: Long,
+};
+
+// Group/Namespace entity (can be nested)
+entity Namespace = {
+ name: String,
+ path: String,
+ full_path: String,
+ kind: String, // "user" or "group"
+ visibility_level: String,
+ members: Set<User>,
+} tags Set<String>;
+
+// Project entity represents GitLab projects
+entity Project = {
+ name: String,
+ path: String,
+ full_path: String,
+ visibility: String, // "public", "internal", "private"
+ archived: Bool,
+ members: Set<User>, // Project members
+} tags Set<String>;
+
+// Group alias for Namespace
+entity Group = {
+ name: String,
+ path: String,
+ full_path: String,
+ visibility: String,
+ members: Set<User>,
+} tags Set<String>;
+
+// Project membership relationship
+entity ProjectMembership = {
+ user_id: Long,
+ project_id: Long,
+ access_level: Long,
+ expires_at: String,
+} tags Set<String>;
+
+// Group membership relationship
+entity GroupMembership = {
+ user_id: Long,
+ group_id: Long,
+ access_level: Long,
+ expires_at: String,
+} tags Set<String>;
+
+// Issue entity
+entity Issue = {
+ iid: Long,
+ title: String,
+ state: String,
+ confidential: Bool,
+ author_id: Long,
+ assignee_ids: Set<Long>,
+ created_at: String,
+ updated_at: String,
+} tags Set<String>;
+
+// Merge Request entity
+entity MergeRequest = {
+ iid: Long,
+ title: String,
+ state: String,
+ merge_status: String,
+ author_id: Long,
+ assignee_id: Long,
+ target_branch: String,
+ source_branch: String,
+ work_in_progress: Bool,
+ created_at: String,
+ updated_at: String,
+} tags Set<String>;
+
+// Actions that can be performed
+action "read_project";
+action "admin_project";
+action "destroy_project";
+action "transfer_project";
+action "archive_project";
+action "change_visibility_level";
+action "manage_project_members";
+
+action "read_group";
+action "admin_group";
+action "read_group_details";
+
+action "read_repository";
+action "download_code";
+action "push_code";
+action "admin_repository";
+action "push_to_delete_protected_branch";
+
+action "read_issue";
+action "create_issue";
+action "update_issue";
+action "admin_issue";
+action "create_issue_note";
+
+action "read_merge_request";
+action "create_merge_request";
+action "update_merge_request";
+action "admin_merge_request";
+action "merge_merge_request";
+
+action "read_wiki";
+action "create_wiki_page";
+action "update_wiki_page";
+action "admin_wiki";
+
+action "read_snippet";
+action "create_snippet";
+action "update_snippet";
+action "admin_snippet";
+
+action "read_build";
+action "read_pipeline";
+action "create_pipeline";
+action "retry_pipeline";
+action "admin_pipeline";
+
+action "read_container_image";
+action "pull_container_image";
+action "push_container_image";
+action "admin_container_registry";
+
+action "read_package";
+action "pull_package";
+action "push_package";
+action "admin_package_registry";
+
+action "read_analytics";
+action "read_cycle_analytics";
+action "read_repository_analytics";
+
+action "read_security_report";
+action "admin_security_policy";
+action "read_vulnerability_report";
+
+action "read_release";
+action "create_release";
+action "update_release";
+action "admin_release";
+
+action "admin_project_hooks";
+action "admin_project_runners";
\ No newline at end of file
diff --git a/etc/authzd/gitlab_simple.cedar b/etc/authzd/gitlab_simple.cedar
new file mode 100644
index 00000000..5ea8757d
--- /dev/null
+++ b/etc/authzd/gitlab_simple.cedar
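Review bot: `User` declares `name: String` and `bot: Bool` as required attributes (Cedar attributes are required unless marked `?`), but the User entities in this commit only carry `username`, `access_level`, `admin`, `blocked` and `external`, so validating those entity files against this schema rejects every user; either emit the fields or declare them `name?: String,` and `bot?: Bool,`. The entity JSON also gives projects and groups `parents`, yet no entity type here declares a hierarchy (`entity Project in [Group] = { … }`, `entity Group in [Group] = { … }`), so those parent edges fail schema validation too. The actions have no `appliesTo`, which means the validator cannot check that `read_group` is only used with `Group` resources or that `principal is User` is the right principal type, and `Namespace` uses `visibility_level` where `Project`/`Group` use `visibility`, so the `resource has visibility` guards in the policies silently never match a Namespace. `ProjectMembership`/`GroupMembership` (including `expires_at`) are declared but referenced by no policy in this commit; a comment saying they are reserved for a membership-based rewrite would keep the next reader from treating expiry as enforced.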
@@ -0,0 +1,144 @@
+// Simplified GitLab Authorization - No Feature or License Checks
+// Based purely on user access levels and project visibility
+// Guest access (read-only operations)
+permit (
+ principal is User,
+ action in
+ [Action::"read_project",
+ Action::"read_group",
+ Action::"read_issue",
+ Action::"read_merge_request",
+ Action::"read_pipeline",
+ Action::"read_wiki",
+ Action::"read_repository",
+ Action::"download_code",
+ Action::"read_snippet",
+ Action::"read_container_image",
+ Action::"read_package",
+ Action::"read_build",
+ Action::"read_analytics",
+ Action::"read_release"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 10 &&
+ resource has visibility &&
+ (resource.visibility == "public" ||
+ resource has members &&
+ principal in resource.members)
+};
+
+// Reporter access (can create issues, notes)
+permit (
+ principal is User,
+ action in
+ [Action::"create_issue",
+ Action::"create_issue_note",
+ Action::"pull_container_image",
+ Action::"pull_package"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 20 &&
+ resource has members &&
+ principal in resource.members
+};
+
+// Developer access (can push code, create MRs)
+permit (
+ principal is User,
+ action in
+ [Action::"push_code",
+ Action::"create_merge_request",
+ Action::"update_merge_request",
+ Action::"update_issue",
+ Action::"create_pipeline",
+ Action::"retry_pipeline",
+ Action::"push_container_image",
+ Action::"push_package",
+ Action::"create_release",
+ Action::"create_wiki_page",
+ Action::"update_wiki_page",
+ Action::"create_snippet",
+ Action::"update_snippet"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 30 &&
+ resource has members &&
+ principal in resource.members
+};
+
+// Maintainer access (project administration)
+permit (
+ principal is User,
+ action in
+ [Action::"admin_project",
+ Action::"manage_project_members",
+ Action::"admin_merge_request",
+ Action::"push_to_delete_protected_branch",
+ Action::"admin_pipeline",
+ Action::"admin_container_registry",
+ Action::"admin_package_registry",
+ Action::"admin_wiki",
+ Action::"admin_snippet",
+ Action::"admin_repository",
+ Action::"admin_issue",
+ Action::"admin_release"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 40 &&
+ resource has members &&
+ principal in resource.members
+};
+
+// Owner access (full project control)
+permit (
+ principal is User,
+ action in
+ [Action::"destroy_project",
+ Action::"transfer_project",
+ Action::"archive_project",
+ Action::"change_visibility_level",
+ Action::"admin_project_hooks",
+ Action::"admin_project_runners"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 50 &&
+ resource has members &&
+ principal in resource.members
+};
+
+// Admin override - can do everything
+permit (
+ principal is User,
+ action,
+ resource
+)
+when
+{
+ principal has admin &&
+ principal.admin == true &&
+ principal has blocked &&
+ !principal.blocked
+};
+
+// Block all access for blocked users
+forbid (
+ principal is User,
+ action,
+ resource
+)
+when { principal has blocked && principal.blocked == true };
diff --git a/etc/authzd/gitlab_visibility.cedar b/etc/authzd/gitlab_visibility.cedar
new file mode 100644
index 00000000..78049cae
--- /dev/null
+++ b/etc/authzd/gitlab_visibility.cedar
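Review bot: The Guest tier here grants `read_build` and `read_container_image` at `access_level >= 10`, while `gitlab_access.cedar` in the same commit places both under the Reporter tier (`>= 20`); Cedar takes the union of permits, so if both files are ever loaded together the looser rule silently wins, and if only one is loaded the two tier tables will drift apart. Keep a single tier table (this file is otherwise a superset of `gitlab_access.cedar`) or say in the header comment which file is authoritative. None of the mutating tiers consults `resource.archived`, and the archived `forbid` in `gitlab_visibility.cedar` covers only five actions, so `push_container_image`, `push_package`, `create_release`, `create_wiki_page`, `update_wiki_page`, `create_snippet`, `update_snippet`, `create_pipeline` and `push_to_delete_protected_branch` stay allowed on archived projects; add `&& !(resource has archived && resource.archived)` to the Developer, Maintainer and Owner conditions, or extend that forbid to every write action.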
@@ -0,0 +1,127 @@
+// GitLab Visibility Level Authorization
+// Controls access based on project/group visibility: public, internal, private
+// Public projects - anyone can read
+permit (
+ principal,
+ action in
+ [Action::"read_project",
+ Action::"read_repository",
+ Action::"download_code",
+ Action::"read_issue",
+ Action::"read_merge_request",
+ Action::"read_wiki",
+ Action::"read_snippet"],
+ resource
+)
+when
+{
+ resource has visibility &&
+ resource.visibility == "public" &&
+ principal has blocked &&
+ !principal.blocked
+};
+
+// Internal projects - authenticated users can read
+permit (
+ principal is User,
+ action in
+ [Action::"read_project",
+ Action::"read_repository",
+ Action::"download_code",
+ Action::"read_issue",
+ Action::"read_merge_request",
+ Action::"read_wiki",
+ Action::"read_snippet"],
+ resource
+)
+when
+{
+ resource has visibility &&
+ resource.visibility == "internal" &&
+ principal has external &&
+ !principal.external &&
+ principal has blocked &&
+ !principal.blocked
+};
+
+// Private projects - only members can access
+permit (
+ principal is User,
+ action in
+ [Action::"read_project",
+ Action::"read_repository",
+ Action::"download_code",
+ Action::"read_issue",
+ Action::"read_merge_request",
+ Action::"read_wiki",
+ Action::"read_snippet"],
+ resource
+)
+when
+{
+ resource has visibility &&
+ resource.visibility == "private" &&
+ principal in resource.members &&
+ principal has blocked &&
+ !principal.blocked
+};
+
+// Prevent external users from accessing internal projects
+forbid (
+ principal is User,
+ action,
+ resource
+)
+when
+{
+ resource has visibility &&
+ resource.visibility == "internal" &&
+ principal has external &&
+ principal.external == true
+};
+
+// Group visibility rules - similar to projects
+permit (
+ principal,
+ action in [Action::"read_group", Action::"read_group_details"],
+ resource is Group
+)
+when { resource has visibility && resource.visibility == "public" };
+
+permit (
+ principal is User,
+ action in [Action::"read_group", Action::"read_group_details"],
+ resource is Group
+)
+when
+{
+ resource has visibility &&
+ resource.visibility == "internal" &&
+ principal has external &&
+ !principal.external
+};
+
+permit (
+ principal is User,
+ action in [Action::"read_group", Action::"read_group_details"],
+ resource is Group
+)
+when
+{
+ resource has visibility &&
+ resource.visibility == "private" &&
+ principal in resource.members
+};
+
+// Archived projects have limited access
+forbid (
+ principal,
+ action in
+ [Action::"push_code",
+ Action::"create_issue",
+ Action::"create_merge_request",
+ Action::"update_issue",
+ Action::"update_merge_request"],
+ resource
+)
+when { resource has archived && resource.archived == true };
diff --git a/etc/authzd/test_simple.cedar b/etc/authzd/test_simple.cedar
new file mode 100644
index 00000000..d236bc7f
--- /dev/null
+++ b/etc/authzd/test_simple.cedar
@@ -0,0 +1,6 @@
+// Simple test policy to validate basic Cedar syntax
+permit (
+ principal is User,
+ action == Action::"read_project",
+ resource is Project
+);
|
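Review bot: The `forbid` for external users matches every action on any `"internal"` resource without looking at membership, and a Cedar forbid overrides all permits, so an external user who is explicitly listed in `resource.members` of an internal project loses everything, including the write actions the tier policies grant to members; if external members are meant to keep their explicit access, the condition needs `&& !(resource has members && principal in resource.members)`. The public-project rule takes an unconstrained `principal` but then requires `principal has blocked`, so an anonymous or non-User principal without that attribute is denied, contradicting the `// Public projects - anyone can read` comment — either drop the attribute check for non-User principals or reword the comment. The private-project and private-group rules use `principal in resource.members` without the `resource has members` guard the other files use; a resource lacking the attribute makes the policy error out (fail-closed, but inconsistent and noisy in diagnostics). The archived `forbid` names only five mutating actions, so registry, package, release, wiki, snippet and pipeline writes granted by the tier policies remain allowed on archived projects.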
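Review bot: This policy grants every `User` `read_project` on every `Project` with no visibility or membership condition, and it sits in `etc/authzd/` next to the production policies; if the daemon loads every `.cedar` in that directory (the loader is not visible here), Cedar's union-of-permits semantics make every private project readable by all users. Move it under a test fixtures directory or into the test suite, and state in its header comment, e.g. `// Test fixture only - must never be loaded by authzd`, that it is not a deployable policy.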
