From fa92e7d1b3a61deb3d16db2f6546677040e395cd Mon Sep 17 00:00:00 2001
From: mo khan
Date: Mon, 14 Jul 2025 11:34:18 -0600
Subject: chore: add make targets to setup spice schema
---
 Makefile | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'Makefile')
diff --git a/Makefile b/Makefile
index 82d6f5a7..35886d64 100644
--- a/Makefile
+++ b/Makefile
@@ -78,3 +78,13 @@ production-entities: $(AUTHZD_BIN) check-gitlab-token
 @$(AUTHZD_BIN) generate --project gitlab-org/gitlab --output etc/authzd/gitlab.com/gitlab-org/gitlab/entities.json
 @$(AUTHZD_BIN) generate --project gitlab-org/software-supply-chain-security/authorization/authzd --output etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/entities.json
 @$(AUTHZD_BIN) generate --project gitlab-org/software-supply-chain-security/authorization/sparkled --output etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/entities.json
+
+# spice target
+run-spicedb:
+ @spicedb serve --grpc-preshared-key "secret"
+
+run-spice-schema-load:
+ @zed --endpoint ":50051" --token "secret" --insecure schema write etc/authzd/spice.schema
+
+run-spice-schema-read:
+ @zed --endpoint ":50051" --token "secret" --insecure schema read
-- 
cgit v1.2.3
From 30ffd692e3749e38f9ab05d04a15d0dcdf186610 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Mon, 14 Jul 2025 11:45:00 -0600
Subject: chore: rework examples to use project and gitlab roles
---
 Makefile | 12 +++++++++---
 etc/authzd/spice.schema | 10 +++++-----
 2 files changed, 14 insertions(+), 8 deletions(-)
(limited to 'Makefile')
diff --git a/Makefile b/Makefile
index 35886d64..8eeadc86 100644
--- a/Makefile
+++ b/Makefile
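Review bot: The endpoint, the preshared key "secret" and `--insecure` are spelled out in each of the three new recipes (and again in the reworked targets of the next commit and in the Procfile line two commits later), so the dev-only nature of that setting lives nowhere but in a repeated string literal. Hoisting them into overridable variables, `SPICEDB_ENDPOINT ?= :50051` and `SPICEDB_PRESHARED_KEY ?= secret`, each with a comment such as `# local dev only: plaintext gRPC and a throwaway key, not a value to reuse elsewhere`, records the intent once and lets a developer point the targets at a differently configured server without editing the file. `run-spice-schema-load` reads `etc/authzd/spice.schema` but does not declare it, so `run-spice-schema-load: etc/authzd/spice.schema` with `$<` in the recipe makes a missing schema file fail early instead of inside zed. These three targets name commands rather than files; if the Makefile keeps a `.PHONY` list (not visible in the hunk) they belong on it. The `production-entities` rule the hunk opens with begins above the hunk.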
@@ -83,8 +83,14 @@ production-entities: $(AUTHZD_BIN) check-gitlab-token
 run-spicedb:
 @spicedb serve --grpc-preshared-key "secret"
 
-run-spice-schema-load:
+run-spicedb-setup:
 @zed --endpoint ":50051" --token "secret" --insecure schema write etc/authzd/spice.schema
-
-run-spice-schema-read:
 @zed --endpoint ":50051" --token "secret" --insecure schema read
+ @zed --endpoint ":50051" --token "secret" --insecure relationship create project:1 maintainer user:mokhax
+ @zed --endpoint ":50051" --token "secret" --insecure relationship create project:1 developer user:tanuki
+
+run-spicedb-permission-check:
+ @zed --endpoint ":50051" --token "secret" --insecure permission check project:1 read user:mokhax
+ @zed --endpoint ":50051" --token "secret" --insecure permission check project:1 write user:mokhax
+ @zed --endpoint ":50051" --token "secret" --insecure permission check project:1 read user:tanuki
+ @zed --endpoint ":50051" --token "secret" --insecure permission check project:1 write user:tanuki
diff --git a/etc/authzd/spice.schema b/etc/authzd/spice.schema
index 74d0a7d6..0d6a6482 100644
--- a/etc/authzd/spice.schema
+++ b/etc/authzd/spice.schema
@@ -1,7 +1,7 @@
 definition user {}
-definition post {
- relation reader: user
- relation writer: user
- permission read = reader + writer
- permission write = writer
+definition project {
+ relation developer: user
+ relation maintainer: user
+ permission read = developer + maintainer
+ permission write = maintainer
 }
-- 
cgit v1.2.3
From 5c9e5b297cdf5d761740e6604b1e36d390aa86a8 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Mon, 14 Jul 2025 12:46:58 -0600
Subject: chore: run spicedb via Procfile
---
 Makefile | 5 +----
 Procfile | 1 +
 2 files changed, 2 insertions(+), 4 deletions(-)
(limited to 'Makefile')
diff --git a/Makefile b/Makefile
index 8eeadc86..8cc74a9b 100644
--- a/Makefile
+++ b/Makefile
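Review bot: `run-spicedb-setup` is not re-runnable against the same server: the two `relationship create` lines use create-only semantics, which in my reading of zed fail when the tuple already exists, so a second `make run-spicedb-setup` aborts at the mokhax line after the schema write has already succeeded. If the target is meant to be repeatable, the upsert form is `@zed --endpoint ":50051" --token "secret" --insecure relationship touch project:1 maintainer user:mokhax` and likewise `relationship touch project:1 developer user:tanuki`. The four lines of `run-spicedb-permission-check` print answers but nothing states which answers are expected; given the schema in this commit, a comment above the target such as `# expected: mokhax (maintainer) read=true write=true; tanuki (developer) read=true write=false` turns it into a readable smoke test. Unless zed's exit status reflects a denied check, which I cannot confirm from here, the target also cannot fail on a wrong answer, and that limitation is worth stating in the same comment.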
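Review bot: The new `project` definition carries no doc comment, so what `developer` and `maintainer` stand for, and why `write` is granted to maintainers only, has to be reconstructed from the Makefile examples rather than read from the schema. SpiceDB's schema language accepts `/** ... */` doc comments on definitions and relations; a line such as `/** project models a GitLab project: developers may read, maintainers may read and write. */` above `definition project {` keeps that intent next to the rules it governs. The GitLab-role reading is taken from the commit subject; narrow the wording if the mapping is looser than that.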
@@ -79,10 +79,7 @@ production-entities: $(AUTHZD_BIN) check-gitlab-token
 @$(AUTHZD_BIN) generate --project gitlab-org/software-supply-chain-security/authorization/authzd --output etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/entities.json
 @$(AUTHZD_BIN) generate --project gitlab-org/software-supply-chain-security/authorization/sparkled --output etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/entities.json
 
-# spice target
-run-spicedb:
- @spicedb serve --grpc-preshared-key "secret"
-
+# spice targets
 run-spicedb-setup:
 @zed --endpoint ":50051" --token "secret" --insecure schema write etc/authzd/spice.schema
 @zed --endpoint ":50051" --token "secret" --insecure schema read
diff --git a/Procfile b/Procfile
index 39bbbeaf..02173f12 100644
--- a/Procfile
+++ b/Procfile
@@ -1,2 +1,3 @@
 authzd: ./bin/authzd server
 envoy: ./bin/envoy -c ./etc/envoy/envoy.yaml --base-id 1 --log-level warn --component-log-level admin:warn,connection:warn,grpc:warn,http:warn,http2:warn,router:warn,upstream:warn
+spicedb: spicedb serve --grpc-preshared-key "secret"
-- 
cgit v1.2.3
From bd14ac632f7cddc9d256cfc980c0f5331b31c1e7 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Mon, 14 Jul 2025 14:58:14 -0600
Subject: chore: validate envoy configuration
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)
(limited to 'Makefile')
diff --git a/Makefile b/Makefile
index 8cc74a9b..9614becd 100644
--- a/Makefile
+++ b/Makefile
@@ -42,6 +42,7 @@ lint:
 @cargo clippy
 @for policy in etc/authzd/*.cedar; do cedar check-parse --policies $$policy; done
 @for policy in etc/authzd/*.cedar; do cedar format --policies $$policy --check; done
+ @./bin/envoy --mode validate -c ./etc/envoy/envoy.yaml
 
 doc:
 @cargo doc --open
-- 
cgit v1.2.3
From e0b38f6ca22b28a0c4fe4192d642fceb48030737 Mon Sep 17 00:00:00 2001
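Review bot: After this change `run-spicedb-setup` depends on a SpiceDB server that is no longer started from the Makefile, but the `# spice targets` comment it sits under does not say so, and a developer who runs `make run-spicedb-setup` cold will get a connection error from zed rather than a hint about what to start. Expanding the comment to `# spice targets: expect the spicedb process from the Procfile to be listening on :50051` records the coupling this commit introduces. The Procfile hunk in the same commit repeats the literal preshared key "secret" that the Makefile recipes still carry, so the two can drift apart silently; reading it from one place in both files would avoid that.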
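Review bot: The new validate line hard-codes `./bin/envoy` while the sibling recipes in this file resolve the authzd binary through `$(AUTHZD_BIN)`; an `ENVOY_BIN ?= ./bin/envoy` variable (the same path the Procfile uses) and `@$(ENVOY_BIN) --mode validate -c ./etc/envoy/envoy.yaml` would keep the two conventions consistent and let a developer with envoy elsewhere override it from the command line. The `@` prefix also hides which command stopped `lint` when validation fails, so leaving this call unsilenced, or echoing its name first, makes the failure easier to read. The `lint` rule begins above the hunk.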
From: mo khan
Date: Mon, 14 Jul 2025 16:16:58 -0600
Subject: chore: skip envoy validate if envoy is not installed
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'Makefile')
diff --git a/Makefile b/Makefile
index 9614becd..bdc7a3d8 100644
--- a/Makefile
+++ b/Makefile
@@ -42,7 +42,7 @@ lint:
 @cargo clippy
 @for policy in etc/authzd/*.cedar; do cedar check-parse --policies $$policy; done
 @for policy in etc/authzd/*.cedar; do cedar format --policies $$policy --check; done
- @./bin/envoy --mode validate -c ./etc/envoy/envoy.yaml
+ @./bin/envoy --mode validate -c ./etc/envoy/envoy.yaml || echo "Envoy not available, skipping validation"
 
 doc:
 @cargo doc --open
-- 
cgit v1.2.3
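Review bot: The `|| echo "Envoy not available, skipping validation"` on the replaced line swallows every non-zero exit from envoy, not only a missing binary, so an invalid `etc/envoy/envoy.yaml` now prints "skipping validation" and `lint` still succeeds; the check added one commit earlier is effectively disabled. Test for the binary and let a genuine validation failure propagate: `@if [ -x ./bin/envoy ]; then ./bin/envoy --mode validate -c ./etc/envoy/envoy.yaml; else echo "Envoy not available, skipping validation"; fi`. A short comment above it, `# envoy is optional in a local checkout; the config is only validated where the binary is present`, makes the conditional skip an explicit decision rather than a surprise. The `lint` rule begins above the hunk.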