From c583bcd1473205104a1e1af812ed4976d30c7baa Mon Sep 17 00:00:00 2001 From: mo khan Date: Fri, 2 May 2025 14:29:41 -0600 Subject: refactor: remove anything unrelated to the authz daemon --- README.md | 107 +++++++++++++++++++++----------------------------------------- 1 file changed, 36 insertions(+), 71 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index a8da10cc..32a926d2 100644 --- a/README.md +++ b/README.md @@ -1,13 +1,7 @@ -# Authx - Proof of Concept +# authzd - Authorization Daemon -This repository explores various authentication and authorization workflows by introducing a separate authn/authz service. -It serves as a proof of concept to illustrate potential workflows, not a production ready implementation. - -To keep the implementation accessible, external dependencies have been minimized, ensuring a clear reference for understanding key concepts, including: - -* SAML based authentication including IdP chaining to external identity providers -* OIDC based authentication -* OAuth endpoints with links to relevant RFCs for proper usage guidance +This repository host a minimal PDP service used for making authorization +decisions via a gRPC endpoint. ## Architecture 
@@ -17,84 +11,57 @@ To keep the implementation accessible, external dependencies have been minimized ------------- | V -----|:8080|----------------------------------------------- +----|:443|------------------------------------------------------------- | V - --------------- - | API Gateway | (use casbin to evict early, reverse proxy, inject context headers) - --------------- - | - | -------------------- - |--->| IdP (saml, oidc) | - | -------------------- - | | :http | :grpc | (use declarative_policy) - | -------------------- - | A A - ----------- | | - | | | | - V V | | - ------ ------------ | - | UI | | REST API |----| - ------ ------------ - -[UI]: ui.example.com -[REST API]: api.example.com -[IdP]: idp.example.com + | ---------------------------------------- + | | ______________________ | + |-->(:443)| envoy ->(:80)| /var/run/sparkled | | + | | ---------------------- | + | ---------------------------------------- + | + | ------------------- + | | IdP / IAM | + | |-------- | + |--->| :http | |---- pub membership change ---| + | |-------- | | + | ------------------- | + | ( nats.io) + | | + | |---- sub membership change --- + | | + | V (update acls) + | ------------------------------------- + | | ___________________ | + |-->(:443)| envoy ->(:80)| /var/run/authzd | | + | ------------------| | + ------------------------------------- + | + |----> cron reconciliation process >---->-------| + A | + |- audit, validate list, notify, remediate --| ``` -I have ommitted TLS, RS256 from the prototype to offload the decision of key -management and rotation. See [smallstep](https://smallstep.com/docs/step-cli/) -for PKI management. - -CSV files are used instead of a database to simulate different types of -scenarios. 
The following organizational hierarchy is demonstrated here: +## Getting Started -``` -Organization(name: "default") - * Group(name: "A") - * Project(name: "A1") - * Group(name: "B") - * Project(name: "B1") -Organization(name: "gitlab") - * Group(name: "gitlab-org") - * Project(name: "gitlab") - * Group(name: "gitlab-com") - * Group(name: "gl-security") - * Group(name: "test-projects") - * Project(name: "eicar-test-project") - * Project(name: "disclosures") - * Group(name: "support") - * Group(name: "toolbox") - * Project(name: "changelog-parser") - * Project(name: "handbook") - * Project(name: "www-gitlab-com") -``` +### Prerequisites -## Getting Started +- [mise](https://mise.jdx.dev/) +- [make](https://www.gnu.org/software/make/) 1. Install tools: ```sh $ mise install - ``` - -1. Add entries to `/etc/hosts`: - - ```sh - $ tail -n3 /etc/hosts - 127.0.0.1 api.example.com - 127.0.0.1 idp.example.com - 127.0.0.1 ui.example.com + $ make install-tools ``` 1. Start servers: ```sh - $ mage + $ mage servers ``` -1. Open a browser to `http://ui.example.com:8080/`. - ## Questions See the [FAQ][9] @@ -106,9 +73,7 @@ See the [FAQ][9] * [protocol buffers][7] * [twirp][8] -[2]: https://gitlab.com/gitlab-org/gitlab/-/tree/master/app/policies [5]: https://tip.golang.org/doc/modules/managing-dependencies#tools [6]: https://grpc.io/docs/ [7]: https://protobuf.dev/programming-guides/proto3/ [8]: https://github.com/arthurnn/twirp-ruby/wiki/Code-Generation -[9]: ./doc/share/authz/FAQ.md -- cgit v1.2.3
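Review bot: the new description line in the first hunk has a grammar slip, "This repository host a minimal PDP service" should read "This repository hosts a minimal PDP service", and PDP should be spelled out on first use (Policy Decision Point) now that the old intro and its list of supported flows are gone and the acronym is the only statement of what the daemon does. The deleted line "not a production ready implementation" was also the only statement of maturity; if authzd is still a prototype, keep a one-line status note so the README is not read as describing production-ready software.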
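Review bot: the architecture hunk removes the paragraph explaining that TLS and RS256 were deliberately omitted and where key management was expected to live, but the replacement diagram shows :443 at the edge with envoy forwarding to plaintext :80 on /var/run/sparkled and /var/run/authzd, and the IdP / IAM box still exposes ":http". Add a short legend under the diagram stating where TLS terminates, that the :80 hops are local unix sockets reachable only through envoy, and what "sparkled", the nats.io "membership change" pub/sub and the "cron reconciliation process" (audit, validate list, notify, remediate) are, since none of those names appear anywhere else in the README. The "( nats.io)" label also has a stray leading space.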
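Review bot: the last hunk deletes the `[9]: ./doc/share/authz/FAQ.md` link definition while the unchanged context line "See the [FAQ][9]" under "## Questions" still references it, so the FAQ link will render as literal bracket text; either keep the definition (pointing at the FAQ's new location if it moved) or drop the Questions section as well. In the Getting Started hunk the steps run `make install-tools` and then `mage servers`, but only mise and make are listed under Prerequisites; state that `mage` is installed by `mise install` or `make install-tools`, or add it to the list.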