| author | mo khan <mo@mokhan.ca> | 2025-07-10 17:49:29 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-10 17:49:29 -0600 |
| commit | ef572ae666732e87a35417710669ce88233a754a (patch) | |
| tree | 3cc32004dee9600014417d404dbe01ac0e1faca9 /etc | |
| parent | 8417a15087cc6f42c77fe070011ac2207f8d852d (diff) | |
| parent | 6721aaffa33894624c87a54f4ed10eccd3c080e5 (diff) | |
Merge branch 'entities' into 'main'
Use a static ACL file(s) to make authorization decisions
See merge request gitlab-org/software-supply-chain-security/authorization/authzd!6
Diffstat (limited to 'etc')
6 files changed, 922 insertions, 27 deletions
diff --git a/etc/authzd/gitlab.com/gitlab-org/gitlab/entities.json b/etc/authzd/gitlab.com/gitlab-org/gitlab/entities.json new file mode 100644 index 00000000..1992a9c7 --- /dev/null +++ b/etc/authzd/gitlab.com/gitlab-org/gitlab/entities.json 
@@ -0,0 +1,251 @@ +[ + { + "uid": { + "type": "Project", + "id": "278964" + }, + "attrs": { + "name": "GitLab", + "path": "gitlab", + "full_path": "gitlab-org/gitlab" + }, + "parents": [ + { + "type": "Group", + "id": "9970" + } + ] + }, + { + "uid": { + "type": "User", + "id": "1" + }, + "attrs": { + "username": "sytses", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "263716" + }, + "attrs": { + "username": "grzesiek", + "access_level": 40 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "2293" + }, + "attrs": { + "username": "brodock", + "access_level": 40 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "138401" + }, + "attrs": { + "username": "chriscool", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "527558" + }, + "attrs": { + "username": "eliran.mesika", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "215818" + }, + "attrs": { + "username": "tmaczukin", + "access_level": 40 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "429540" + }, + "attrs": { + "username": "ahanselka", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "581582" + }, + "attrs": { + "username": "arihantar", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "626804" + }, + "attrs": { + "username": "pedroms", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "597578" + }, + "attrs": { + "username": "WarheadsSE", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "739252" + }, + "attrs": { + "username": "jdrumtra", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "739361" + }, + "attrs": { + "username": "Elsje", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "201566" + }, + "attrs": { + 
"username": "annabeldunstone", + "access_level": 40 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "829774" + }, + "attrs": { + "username": "jivanvl", + "access_level": 40 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "4849" + }, + "attrs": { + "username": "balasankarc", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "790854" + }, + "attrs": { + "username": "harishsr", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "273486" + }, + "attrs": { + "username": "jameslopez", + "access_level": 40 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "411701" + }, + "attrs": { + "username": "kushalpandya", + "access_level": 40 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "508743" + }, + "attrs": { + "username": "jarka", + "access_level": 40 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "506061" + }, + "attrs": { + "username": "ahmadsherif", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "Group", + "id": "9970" + }, + "attrs": { + "name": "GitLab.org", + "path": "gitlab-org", + "full_path": "gitlab-org" + }, + "parents": [] + } +]
\ No newline at end of file diff --git a/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/entities.json b/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/entities.json new file mode 100644 index 00000000..6bc513fb --- /dev/null +++ b/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/entities.json 
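Review bot: The same principal carries a different `access_level` in different files — `User::"263716"` (grzesiek), `User::"2293"` (brodock), `User::"215818"` (tmaczukin) and `User::"201566"` (annabeldunstone) are 40 in this file but 30 in the authzd and sparkled entities.json files added below. That is fine if each file is loaded as the entity store for its own project only, but if authzd ever merges these files into one Cedar entity set the duplicate uids will likely be rejected as duplicates or silently resolved last-wins, and the decision then depends on load order; a comment in the loader or a README beside these files stating the per-project scope would remove the ambiguity. Every User entity also has `"parents": []`, so membership is expressed only by presence in the file and no policy can use `principal in Group::"..."` or `principal in Project::"..."`; consider a `"parents": [{"type": "Project", "id": "278964"}]` edge per member, or document that presence in the file is the membership claim. All four new JSON files, including staging.gitlab.com/authorization/sparkle/team/entities.json, also end without a trailing newline.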
@@ -0,0 +1,285 @@ +[ + { + "uid": { + "type": "Project", + "id": "69516684" + }, + "attrs": { + "name": "authz.d", + "path": "authzd", + "full_path": "gitlab-org/software-supply-chain-security/authorization/authzd" + }, + "parents": [ + { + "type": "Group", + "id": "76595764" + } + ] + }, + { + "uid": { + "type": "User", + "id": "1" + }, + "attrs": { + "username": "sytses", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "116" + }, + "attrs": { + "username": "marin", + "access_level": 50 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "13356" + }, + "attrs": { + "username": "dblessing", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "3585" + }, + "attrs": { + "username": "axil", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "12452" + }, + "attrs": { + "username": "ayufan", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "64248" + }, + "attrs": { + "username": "stanhu", + "access_level": 50 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "263716" + }, + "attrs": { + "username": "grzesiek", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "283999" + }, + "attrs": { + "username": "dbalexandre", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "2293" + }, + "attrs": { + "username": "brodock", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "215818" + }, + "attrs": { + "username": "tmaczukin", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "128633" + }, + "attrs": { + "username": "rymai", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "273486" + }, + "attrs": { + "username": "jameslopez", + "access_level": 40 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": 
"201566" + }, + "attrs": { + "username": "annabeldunstone", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "426128" + }, + "attrs": { + "username": "felipe_artur", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "138401" + }, + "attrs": { + "username": "chriscool", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "367626" + }, + "attrs": { + "username": "alejandro", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "516904" + }, + "attrs": { + "username": "tauriedavis", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "527558" + }, + "attrs": { + "username": "eliran.mesika", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "429540" + }, + "attrs": { + "username": "ahanselka", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "506061" + }, + "attrs": { + "username": "ahmadsherif", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "Group", + "id": "9970" + }, + "attrs": { + "name": "GitLab.org", + "path": "gitlab-org", + "full_path": "gitlab-org" + }, + "parents": [] + }, + { + "uid": { + "type": "Group", + "id": "97830335" + }, + "attrs": { + "name": "software-supply-chain-security", + "path": "software-supply-chain-security", + "full_path": "gitlab-org/software-supply-chain-security" + }, + "parents": [ + { + "type": "Group", + "id": "9970" + } + ] + }, + { + "uid": { + "type": "Group", + "id": "76595764" + }, + "attrs": { + "name": "Authorization", + "path": "authorization", + "full_path": "gitlab-org/software-supply-chain-security/authorization" + }, + "parents": [ + { + "type": "Group", + "id": "97830335" + } + ] + } +]
\ No newline at end of file diff --git a/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/entities.json b/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/entities.json new file mode 100644 index 00000000..4846592a --- /dev/null +++ b/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/entities.json 
@@ -0,0 +1,285 @@ +[ + { + "uid": { + "type": "Project", + "id": "68877410" + }, + "attrs": { + "name": "sparkle.d", + "path": "sparkled", + "full_path": "gitlab-org/software-supply-chain-security/authorization/sparkled" + }, + "parents": [ + { + "type": "Group", + "id": "76595764" + } + ] + }, + { + "uid": { + "type": "User", + "id": "1" + }, + "attrs": { + "username": "sytses", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "116" + }, + "attrs": { + "username": "marin", + "access_level": 50 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "13356" + }, + "attrs": { + "username": "dblessing", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "3585" + }, + "attrs": { + "username": "axil", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "12452" + }, + "attrs": { + "username": "ayufan", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "64248" + }, + "attrs": { + "username": "stanhu", + "access_level": 50 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "263716" + }, + "attrs": { + "username": "grzesiek", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "283999" + }, + "attrs": { + "username": "dbalexandre", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "2293" + }, + "attrs": { + "username": "brodock", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "215818" + }, + "attrs": { + "username": "tmaczukin", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "128633" + }, + "attrs": { + "username": "rymai", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "273486" + }, + "attrs": { + "username": "jameslopez", + "access_level": 40 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + 
"id": "201566" + }, + "attrs": { + "username": "annabeldunstone", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "426128" + }, + "attrs": { + "username": "felipe_artur", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "138401" + }, + "attrs": { + "username": "chriscool", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "367626" + }, + "attrs": { + "username": "alejandro", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "516904" + }, + "attrs": { + "username": "tauriedavis", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "527558" + }, + "attrs": { + "username": "eliran.mesika", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "429540" + }, + "attrs": { + "username": "ahanselka", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "506061" + }, + "attrs": { + "username": "ahmadsherif", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "Group", + "id": "9970" + }, + "attrs": { + "name": "GitLab.org", + "path": "gitlab-org", + "full_path": "gitlab-org" + }, + "parents": [] + }, + { + "uid": { + "type": "Group", + "id": "97830335" + }, + "attrs": { + "name": "software-supply-chain-security", + "path": "software-supply-chain-security", + "full_path": "gitlab-org/software-supply-chain-security" + }, + "parents": [ + { + "type": "Group", + "id": "9970" + } + ] + }, + { + "uid": { + "type": "Group", + "id": "76595764" + }, + "attrs": { + "name": "Authorization", + "path": "authorization", + "full_path": "gitlab-org/software-supply-chain-security/authorization" + }, + "parents": [ + { + "type": "Group", + "id": "97830335" + } + ] + } +]
\ No newline at end of file
diff --git a/etc/authzd/policy0.cedar b/etc/authzd/policy0.cedar
index 9410eced..bcc9a316 100644
--- a/etc/authzd/policy0.cedar
+++ b/etc/authzd/policy0.cedar
@@ -1,16 +1,9 @@
-permit (
- principal,
- action == Action::"check",
- resource
-)
-when { context has bearer_token && context.bearer_token == "valid-token" };
-
 permit (principal, action, resource)
 when
 {
 context has path &&
 context has method &&
- context.method == "GET" &&
+ (context.method == "GET" || context.method == "HEAD") &&
 (context.path like "*.css" ||
 context.path like "*.js" ||
 context.path like "*.ico" ||
@@ -21,22 +14,3 @@ when
 context.path like "*.bmp" ||
 context.path like "*.html")
 };
-
-permit (principal, action, resource)
-when
-{
- context has host &&
- context has method &&
- context has path &&
- ((context.host == "sparkle.runway.gitlab.net" ||
- context.host == "sparkle.staging.runway.gitlab.net" ||
- context.host like "localhost:*") &&
- ((context.method == "GET" &&
- (context.path == "/" ||
- context.path == "/callback" ||
- context.path == "/dashboard/nav" ||
- context.path == "/health" ||
- context.path == "/signout" ||
- context.path == "/sparkles")) ||
- (context.method == "POST" && (context.path == "/sparkles/restore"))))
-};
diff --git a/etc/authzd/policy1.cedar b/etc/authzd/policy1.cedar
new file mode 100644
index 00000000..15776ab7
--- /dev/null
+++ b/etc/authzd/policy1.cedar
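Review bot: The static-asset rule that gains `(context.method == "GET" || context.method == "HEAD")` still permits every principal on every resource whenever `context.path` merely ends in one of the listed suffixes, and Cedar's `like` wildcard `*` also matches `/`, so `*.html` matches a path at any depth, not only an asset directory. That is safe only if `context.path` is the normalized request path without the query string and no dynamic route accepts a trailing `.html`- or `.js`-style suffix; if the assets live under a fixed prefix, anchoring the patterns (for example `context.path like "/assets/*.css"`) is a cheap tightening. A comment on the policy recording the assumption, e.g. `// Unauthenticated read of static assets; context.path is the normalized path without query string`, would make the intent reviewable. The middle of the suffix list (old lines 17-20) lies between the two hunks and is not shown.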
@@ -0,0 +1,30 @@
+permit (principal, action, resource)
+when
+{
+ context has host &&
+ context has method &&
+ context has path &&
+ ((context.host == "sparkle.runway.gitlab.net" ||
+ context.host == "sparkle.staging.runway.gitlab.net" ||
+ context.host like "localhost:*") &&
+ ((context.method == "GET" &&
+ (context.path == "/" ||
+ context.path == "/callback" ||
+ context.path == "/dashboard/nav" ||
+ context.path == "/health" ||
+ context.path == "/signout" ||
+ context.path == "/sparkles")) ||
+ (context.method == "POST" && (context.path == "/sparkles/restore"))))
+};
+
+permit (
+ principal is User,
+ action == Action::"POST",
+ resource == Resource::"/sparkles"
+)
+when
+{
+ context has host &&
+ context.host == "sparkle.staging.runway.gitlab.net" &&
+ principal has username
+};
diff --git a/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json b/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json
new file mode 100644
index 00000000..5515d6a1
--- /dev/null
+++ b/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json
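Review bot: The second policy grants `Action::"POST"` on `Resource::"/sparkles"` to every `User` that `has username`, and every User entity added in this merge carries a `username`, so the new `access_level` attribute plays no part in the decision — sytses at 30 and marin at 50 get the same answer. If the entity files are meant to drive authorization, as the merge title says, the condition should also test the level, e.g. `principal has access_level && principal.access_level >= <required level>`, with the threshold chosen by the team and noted in a comment. The rule is also host-pinned to `sparkle.staging.runway.gitlab.net` alone, so the production host accepted by the first policy is denied for this action; if that is deliberate, a one-line comment saying so would save the next reader a question. The first policy in this file is the one moved out of policy0.cedar and is not re-reviewed here.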
@@ -0,0 +1,70 @@ +[ + { + "uid": { + "type": "Project", + "id": "16781932" + }, + "attrs": { + "name": "team", + "path": "team", + "full_path": "authorization/sparkle/team" + }, + "parents": [ + { + "type": "Group", + "id": "24445167" + } + ] + }, + { + "uid": { + "type": "User", + "id": "1675940" + }, + "attrs": { + "username": "mokhax", + "access_level": 50 + }, + "parents": [] + }, + { + "uid": { + "type": "User", + "id": "1676317" + }, + "attrs": { + "username": "jayswain", + "access_level": 30 + }, + "parents": [] + }, + { + "uid": { + "type": "Group", + "id": "24445166" + }, + "attrs": { + "name": "authorization", + "path": "authorization", + "full_path": "authorization" + }, + "parents": [] + }, + { + "uid": { + "type": "Group", + "id": "24445167" + }, + "attrs": { + "name": "sparkle", + "path": "sparkle", + "full_path": "authorization/sparkle" + }, + "parents": [ + { + "type": "Group", + "id": "24445166" + } + ] + } +]
\ No newline at end of file |
