| author | mo khan <mo@mokhan.ca> | 2025-06-18 17:11:42 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-06-18 17:11:42 -0600 |
| commit | 2694c82d97005ca39f29f540e26249c18a21f6d6 (patch) | |
| tree | 259be3c918a047e26fb357b406d915315aa0ead5 /pkg/policies | |
| parent | c2b8edab01b23fde6cc196a3349ad6aa19a93299 (diff) | |
refactor: switch to a pure rust implementation
Diffstat (limited to 'pkg/policies')
| -rw-r--r-- | pkg/policies/allowed.go | 29 | ||||
| -rw-r--r-- | pkg/policies/allowed_test.go | 146 | ||||
| -rw-r--r-- | pkg/policies/entities.json | 286 | ||||
| -rw-r--r-- | pkg/policies/gtwy.cedar | 12 | ||||
| -rw-r--r-- | pkg/policies/init.go | 60 | ||||
| -rw-r--r-- | pkg/policies/organization.cedar | 5 |
6 files changed, 0 insertions, 538 deletions
diff --git a/pkg/policies/allowed.go b/pkg/policies/allowed.go
deleted file mode 100644
index 733c08b8..00000000
--- a/pkg/policies/allowed.go
+++ /dev/null
@@ -1,29 +0,0 @@
-package policies
-
-import (
- "context"
-
- "github.com/cedar-policy/cedar-go"
- "github.com/cedar-policy/cedar-go/types"
- "github.com/xlgmokha/x/pkg/log"
-)
-
-func Allowed(ctx context.Context, request cedar.Request) bool {
- ok, diagnostic := All.IsAuthorized(Entities, request)
-
- log.WithFields(ctx, log.Fields{
- "ok": ok,
- "principal": request.Principal,
- "action": request.Action,
- "context": request.Context,
- "resource": request.Resource,
- })
-
- if len(diagnostic.Errors) > 0 {
- log.WithFields(ctx, log.Fields{"errors": diagnostic.Errors})
- }
- if len(diagnostic.Reasons) > 0 {
- log.WithFields(ctx, log.Fields{"reasons": diagnostic.Reasons})
- }
- return ok == types.Allow
-}
diff --git a/pkg/policies/allowed_test.go b/pkg/policies/allowed_test.go
deleted file mode 100644
index 367bd99f..00000000
--- a/pkg/policies/allowed_test.go
+++ /dev/null
@@ -1,146 +0,0 @@
-package policies
-
-import (
- "fmt"
- "testing"
-
- "github.com/cedar-policy/cedar-go"
- "github.com/stretchr/testify/assert"
- "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/gid"
-)
-
-func build(f func(*cedar.Request)) *cedar.Request {
- request := &cedar.Request{
- Principal: gid.NewEntityUID("gid://example/User/1"),
- Action: cedar.NewEntityUID("HttpMethod", "GET"),
- Resource: cedar.NewEntityUID("HttpPath", "/"),
- Context: cedar.NewRecord(cedar.RecordMap{
- "host": cedar.String("example.com"),
- }),
- }
- f(request)
- return request
-}
-
-func TestAllowed(t *testing.T) {
- allowed := []*cedar.Request{
- build(func(r *cedar.Request) {}),
- build(func(r *cedar.Request) {
- r.Principal = gid.NewEntityUID("gid://example/User/1")
- r.Action = cedar.NewEntityUID("HttpMethod", "POST")
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.NewEntityUID("gid://example/User/1")
- r.Action = cedar.NewEntityUID("HttpMethod", "PUT")
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.NewEntityUID("gid://example/User/1")
- r.Action = cedar.NewEntityUID("HttpMethod", "PATCH")
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.NewEntityUID("gid://example/User/1")
- r.Action = cedar.NewEntityUID("HttpMethod", "DELETE")
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.NewEntityUID("gid://example/User/1")
- r.Action = cedar.NewEntityUID("HttpMethod", "HEAD")
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.NewEntityUID("gid://example/User/1")
- r.Resource = cedar.NewEntityUID("HttpPath", "/organizations.json")
- r.Context = cedar.NewRecord(cedar.RecordMap{
- "host": cedar.String("api.example.com"),
- })
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.NewEntityUID("gid://example/User/1")
- r.Resource = cedar.NewEntityUID("HttpPath", "/groups.json")
- r.Context = cedar.NewRecord(cedar.RecordMap{
- "host": cedar.String("api.example.com"),
- })
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.NewEntityUID("gid://example/User/1")
- r.Resource = cedar.NewEntityUID("HttpPath", "/.well-known/openid-configuration")
- r.Context = cedar.NewRecord(cedar.RecordMap{
- "host": cedar.String("idp.example.com"),
- })
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.NewEntityUID("gid://example/User/1")
- r.Resource = cedar.NewEntityUID("HttpPath", "/.well-known/oauth-authorization-server")
- r.Context = cedar.NewRecord(cedar.RecordMap{
- "host": cedar.String("idp.example.com"),
- })
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.NewEntityUID("gid://example/User/*")
- r.Resource = cedar.NewEntityUID("HttpPath", "/.well-known/openid-configuration")
- r.Context = cedar.NewRecord(cedar.RecordMap{
- "host": cedar.String("idp.example.com"),
- })
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.NewEntityUID("gid://example/User/*")
- r.Resource = cedar.NewEntityUID("HttpPath", "/.well-known/oauth-authorization-server")
- r.Context = cedar.NewRecord(cedar.RecordMap{
- "host": cedar.String("idp.example.com"),
- })
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.NewEntityUID("gid://example/User/1")
- r.Action = cedar.NewEntityUID("HttpMethod", "POST")
- r.Resource = cedar.NewEntityUID("HttpPath", "/twirp/authz.rpc.Ability/Allowed")
- r.Context = cedar.NewRecord(cedar.RecordMap{
- "host": cedar.String("idp.example.com"),
- })
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.NewEntityUID("gid://example/User/1")
- r.Action = cedar.NewEntityUID("HttpMethod", "GET")
- r.Resource = cedar.NewEntityUID("HttpPath", "/index.html")
- r.Context = cedar.NewRecord(cedar.RecordMap{
- "host": cedar.String("ui.example.com"),
- })
- }),
- }
-
- for _, tt := range allowed {
- t.Run(fmt.Sprintf("allows: %v/%v %v %v%v", tt.Principal.Type, tt.Principal.ID, tt.Action.ID, tt.Context.Map()["host"], tt.Resource.ID), func(t *testing.T) {
- assert.True(t, Allowed(t.Context(), *tt))
- })
- }
-
- denied := []*cedar.Request{
- build(func(r *cedar.Request) {
- r.Principal = gid.ZeroEntityUID()
- r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("POST"))
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.ZeroEntityUID()
- r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("PUT"))
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.ZeroEntityUID()
- r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("PATCH"))
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.ZeroEntityUID()
- r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("DELETE"))
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.ZeroEntityUID()
- r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("HEAD"))
- }),
- build(func(r *cedar.Request) {
- r.Principal = gid.ZeroEntityUID()
- r.Action = cedar.NewEntityUID("HttpMethod", cedar.String("TRACE"))
- }),
- }
-
- for _, tt := range denied {
- t.Run(fmt.Sprintf("denies: %v/%v %v %v%v", tt.Principal.Type, tt.Principal.ID, tt.Action.ID, tt.Context.Map()["host"], tt.Resource.ID), func(t *testing.T) {
- assert.False(t, Allowed(t.Context(), *tt))
- })
- }
-}
diff --git a/pkg/policies/entities.json b/pkg/policies/entities.json
deleted file mode 100644
index 8d50e674..00000000
--- a/pkg/policies/entities.json
+++ /dev/null
@@ -1,286 +0,0 @@
-[
- {
- "uid": {
- "type": "User",
- "id": "1"
- },
- "attrs": {},
- "parents": []
- },
- {
- "uid": {
- "type": "Organization",
- "id": "1"
- },
- "attrs": {
- "name": "default"
- },
- "parents": []
- },
- {
- "uid": {
- "type": "Organization",
- "id": "2"
- },
- "attrs": {
- "name": "gitlab"
- },
- "parents": []
- },
- {
- "uid": {
- "type": "Group",
- "id": "1"
- },
- "attrs": {
- "name": "A"
- },
- "parents": [
- {
- "type": "Organization",
- "id": "1"
- }
- ]
- },
- {
- "uid": {
- "type": "Group",
- "id": "2"
- },
- "attrs": {
- "name": "B"
- },
- "parents": [
- {
- "type": "Organization",
- "id": "1"
- }
- ]
- },
- {
- "uid": {
- "type": "Group",
- "id": "3"
- },
- "attrs": {
- "name": "gitlab-org"
- },
- "parents": [
- {
- "type": "Organization",
- "id": "2"
- }
- ]
- },
- {
- "uid": {
- "type": "Group",
- "id": "4"
- },
- "attrs": {
- "name": "gitlab-com"
- },
- "parents": [
- {
- "type": "Organization",
- "id": "2"
- }
- ]
- },
- {
- "uid": {
- "type": "Group",
- "id": "5"
- },
- "attrs": {
- "name": "gl-security"
- },
- "parents": [
- {
- "type": "Organization",
- "id": "2"
- },
- {
- "type": "Group",
- "id": "4"
- }
- ]
- },
- {
- "uid": {
- "type": "Group",
- "id": "6"
- },
- "attrs": {
- "name": "test-projects"
- },
- "parents": [
- {
- "type": "Organization",
- "id": "2"
- },
- {
- "type": "Group",
- "id": "5"
- }
- ]
- },
- {
- "uid": {
- "type": "Group",
- "id": "7"
- },
- "attrs": {
- "name": "support"
- },
- "parents": [
- {
- "type": "Organization",
- "id": "2"
- },
- {
- "type": "Group",
- "id": "4"
- }
- ]
- },
- {
- "uid": {
- "type": "Group",
- "id": "8"
- },
- "attrs": {
- "name": "toolbox"
- },
- "parents": [
- {
- "type": "Organization",
- "id": "2"
- },
- {
- "type": "Group",
- "id": "7"
- }
- ]
- },
- {
- "uid": {
- "type": "Project",
- "id": "1"
- },
- "attrs": {
- "name": "A1"
- },
- "parents": [
- {
- "type": "Group",
- "id": "1"
- }
- ]
- },
- {
- "uid": {
- "type": "Project",
- "id": "2"
- },
- "attrs": {
- "name": "B1"
- },
- "parents": [
- {
- "type": "Group",
- "id": "2"
- }
- ]
- },
- {
- "uid": {
- "type": "Project",
- "id": "3"
- },
- "attrs": {
- "name": "gitlab"
- },
- "parents": [
- {
- "type": "Group",
- "id": "3"
- }
- ]
- },
- {
- "uid": {
- "type": "Project",
- "id": "4"
- },
- "attrs": {
- "name": "eicar-test-project"
- },
- "parents": [
- {
- "type": "Group",
- "id": "6"
- }
- ]
- },
- {
- "uid": {
- "type": "Project",
- "id": "5"
- },
- "attrs": {
- "name": "disclosures"
- },
- "parents": [
- {
- "type": "Group",
- "id": "5"
- }
- ]
- },
- {
- "uid": {
- "type": "Project",
- "id": "6"
- },
- "attrs": {
- "name": "changelog-parser"
- },
- "parents": [
- {
- "type": "Group",
- "id": "8"
- }
- ]
- },
- {
- "uid": {
- "type": "Project",
- "id": "7"
- },
- "attrs": {
- "name": "handbook"
- },
- "parents": [
- {
- "type": "Group",
- "id": "4"
- }
- ]
- },
- {
- "uid": {
- "type": "Project",
- "id": "8"
- },
- "attrs": {
- "name": "www-gitlab-com"
- },
- "parents": [
- {
- "type": "Group",
- "id": "4"
- }
- ]
- }
-]
diff --git a/pkg/policies/gtwy.cedar b/pkg/policies/gtwy.cedar
deleted file mode 100644
index a236e08b..00000000
--- a/pkg/policies/gtwy.cedar
+++ /dev/null
@@ -1,12 +0,0 @@
-permit(
- principal is User,
- action in [
- HttpMethod::"DELETE",
- HttpMethod::"GET",
- HttpMethod::"HEAD",
- HttpMethod::"PATCH",
- HttpMethod::"POST",
- HttpMethod::"PUT"
- ],
- resource
-);
diff --git a/pkg/policies/init.go b/pkg/policies/init.go
deleted file mode 100644
index bc270763..00000000
--- a/pkg/policies/init.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package policies
-
-import (
- "context"
- "embed"
- _ "embed"
- "io/fs"
- "strings"
-
- "github.com/cedar-policy/cedar-go"
- "github.com/xlgmokha/x/pkg/log"
-)
-
-//go:embed *.cedar *.json
-var files embed.FS
-
-var All *cedar.PolicySet = cedar.NewPolicySet()
-var Entities cedar.EntityMap = cedar.EntityMap{}
-
-func init() {
- err := fs.WalkDir(files, ".", func(path string, d fs.DirEntry, err error) error {
- if err != nil {
- return err
- }
-
- if d.IsDir() {
- return nil
- }
-
- if strings.HasSuffix(path, ".cedar") {
- content, err := fs.ReadFile(files, path)
- if err != nil {
- return err
- }
-
- policy := cedar.Policy{}
- if err := policy.UnmarshalCedar(content); err != nil {
- return err
- }
- policy.SetFilename(path)
-
- All.Add(cedar.PolicyID(path), &policy)
- } else if strings.HasSuffix(path, ".json") {
- content, err := fs.ReadFile(files, path)
- if err != nil {
- return err
- }
-
- if err := Entities.UnmarshalJSON(content); err != nil {
- return err
- }
- }
-
- return nil
- })
-
- if err != nil {
- log.WithFields(context.Background(), log.Fields{"error": err})
- }
-}
diff --git a/pkg/policies/organization.cedar b/pkg/policies/organization.cedar
deleted file mode 100644
index a853f4e4..00000000
--- a/pkg/policies/organization.cedar
+++ /dev/null
@@ -1,5 +0,0 @@
-permit (
- principal == User::"1",
- action == Permission::"read",
- resource == Organization::"2"
-); |
