Diffstat (limited to 'README.md')
-rw-r--r--  README.md  107
1 files changed, 36 insertions, 71 deletions
diff --git a/README.md b/README.md
index a8da10cc..32a926d2 100644
--- a/README.md
+++ b/README.md
@@ -1,13 +1,7 @@
-# Authx - Proof of Concept
+# authzd - Authorization Daemon
-This repository explores various authentication and authorization workflows by introducing a separate authn/authz service.
-It serves as a proof of concept to illustrate potential workflows, not a production ready implementation.
-
-To keep the implementation accessible, external dependencies have been minimized, ensuring a clear reference for understanding key concepts, including:
-
-* SAML based authentication including IdP chaining to external identity providers
-* OIDC based authentication
-* OAuth endpoints with links to relevant RFCs for proper usage guidance
+This repository host a minimal PDP service used for making authorization
+decisions via a gRPC endpoint.
## Architecture
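Review bot: `This repository host a minimal PDP service` in the new description should read `hosts`, and `PDP` should be spelled out on first use since the removed lines introduced every term in full: `This repository hosts a minimal PDP (policy decision point) service used for making authorization decisions via a gRPC endpoint.` The deleted bullets also told the reader what the service supported (SAML, OIDC, OAuth endpoints); the replacement says nothing about what a decision request carries or what the daemon answers, so one sentence on the request/response shape of that gRPC endpoint would keep the README as self-describing as it was before.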
@@ -17,84 +11,57 @@ To keep the implementation accessible, external dependencies have been minimized
-------------
|
V
-----|:8080|-----------------------------------------------
+----|:443|-------------------------------------------------------------
|
V
- ---------------
- | API Gateway | (use casbin to evict early, reverse proxy, inject context headers)
- ---------------
- |
- | --------------------
- |--->| IdP (saml, oidc) |
- | --------------------
- | | :http | :grpc | (use declarative_policy)
- | --------------------
- | A A
- ----------- | |
- | | | |
- V V | |
- ------ ------------ |
- | UI | | REST API |----|
- ------ ------------
-
-[UI]: ui.example.com
-[REST API]: api.example.com
-[IdP]: idp.example.com
+ | ----------------------------------------
+ | | ______________________ |
+ |-->(:443)| envoy ->(:80)| /var/run/sparkled | |
+ | | ---------------------- |
+ | ----------------------------------------
+ |
+ | -------------------
+ | | IdP / IAM |
+ | |-------- |
+ |--->| :http | |---- pub membership change ---|
+ | |-------- | |
+ | ------------------- |
+ | ( nats.io)
+ | |
+ | |---- sub membership change ---
+ | |
+ | V (update acls)
+ | -------------------------------------
+ | | ___________________ |
+ |-->(:443)| envoy ->(:80)| /var/run/authzd | |
+ | ------------------| |
+ -------------------------------------
+ |
+ |----> cron reconciliation process >---->-------|
+ A |
+ |- audit, validate list, notify, remediate --|
```
-I have ommitted TLS, RS256 from the prototype to offload the decision of key
-management and rotation. See [smallstep](https://smallstep.com/docs/step-cli/)
-for PKI management.
-
-CSV files are used instead of a database to simulate different types of
-scenarios. The following organizational hierarchy is demonstrated here:
+## Getting Started
-```
-Organization(name: "default")
- * Group(name: "A")
- * Project(name: "A1")
- * Group(name: "B")
- * Project(name: "B1")
-Organization(name: "gitlab")
- * Group(name: "gitlab-org")
- * Project(name: "gitlab")
- * Group(name: "gitlab-com")
- * Group(name: "gl-security")
- * Group(name: "test-projects")
- * Project(name: "eicar-test-project")
- * Project(name: "disclosures")
- * Group(name: "support")
- * Group(name: "toolbox")
- * Project(name: "changelog-parser")
- * Project(name: "handbook")
- * Project(name: "www-gitlab-com")
-```
+### Prerequisites
-## Getting Started
+- [mise](https://mise.jdx.dev/)
+- [make](https://www.gnu.org/software/make/)
1. Install tools:
```sh
$ mise install
- ```
-
-1. Add entries to `/etc/hosts`:
-
- ```sh
- $ tail -n3 /etc/hosts
- 127.0.0.1 api.example.com
- 127.0.0.1 idp.example.com
- 127.0.0.1 ui.example.com
+ $ make install-tools
```
1. Start servers:
```sh
- $ mage
+ $ mage servers
```
-1. Open a browser to `http://ui.example.com:8080/`.
-
## Questions
See the [FAQ][9]
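Review bot: the removed paragraph (`I have ommitted TLS, RS256 from the prototype ... See [smallstep] ... for PKI management`) was the only place the README said how TLS is handled, and the new diagram now fronts both services with envoy on `:443`; nothing in the rewritten `## Getting Started` (`mise install`, `make install-tools`, `mage servers`) says where the certificates for those listeners come from or whether a local run is plain HTTP, so that sentence should be carried over or replaced rather than dropped. Two smaller points in the same hunk: the `(:80)` label between `envoy` and `/var/run/authzd` reads as a TCP port in front of what is drawn as a unix socket path, so either the port or the path is misleading; and the `sub membership change` / `(update acls)` path with the `cron reconciliation process` below it implies that a missed NATS message leaves stale ACLs until the next reconciliation run, which is worth stating explicitly alongside the `audit, validate list, notify, remediate` line. Finally, the `/etc/hosts` step and `Open a browser to ...` step were deleted without saying how to reach the started servers, so a one-line pointer to the listening address would help.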
@@ -106,9 +73,7 @@ See the [FAQ][9]
* [protocol buffers][7]
* [twirp][8]
-[2]: https://gitlab.com/gitlab-org/gitlab/-/tree/master/app/policies
[5]: https://tip.golang.org/doc/modules/managing-dependencies#tools
[6]: https://grpc.io/docs/
[7]: https://protobuf.dev/programming-guides/proto3/
[8]: https://github.com/arthurnn/twirp-ruby/wiki/Code-Generation
-[9]: ./doc/share/authz/FAQ.md
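Review bot: deleting `[9]: ./doc/share/authz/FAQ.md` leaves `See the [FAQ][9]` in the unchanged `## Questions` section pointing at a reference definition that no longer exists, so the link will render as literal bracketed text; either keep the definition (updated to the FAQ's new location if the file moved) or rewrite that sentence in the same commit. Dropping `[2]: https://gitlab.com/gitlab-org/gitlab/-/tree/master/app/policies` is only safe if no remaining line cites `[2]`; since this view is limited to README.md, that is worth a quick grep before merging.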