From fa92e7d1b3a61deb3d16db2f6546677040e395cd Mon Sep 17 00:00:00 2001
From: mo khan
Date: Mon, 14 Jul 2025 11:34:18 -0600
Subject: chore: add make targets to setup spice schema

---
 etc/authzd/spice.schema | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 etc/authzd/spice.schema
(limited to 'etc')
diff --git a/etc/authzd/spice.schema b/etc/authzd/spice.schema
new file mode 100644
index 00000000..74d0a7d6
--- /dev/null
+++ b/etc/authzd/spice.schema
@@ -0,0 +1,7 @@
+definition user {}
+definition post {
+ relation reader: user
+ relation writer: user
+ permission read = reader + writer
+ permission write = writer
+}
-- cgit v1.2.3

From 30ffd692e3749e38f9ab05d04a15d0dcdf186610 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Mon, 14 Jul 2025 11:45:00 -0600
Subject: chore: rework examples to use project and gitlab roles

---
 Makefile | 12 +++++++++---
 etc/authzd/spice.schema | 10 +++++-----
 2 files changed, 14 insertions(+), 8 deletions(-)
(limited to 'etc')
diff --git a/Makefile b/Makefile
index 35886d64..8eeadc86 100644
--- a/Makefile
+++ b/Makefile
@@ -83,8 +83,14 @@ production-entities: $(AUTHZD_BIN) check-gitlab-token
 run-spicedb:
 @spicedb serve --grpc-preshared-key "secret"
-run-spice-schema-load:
+run-spicedb-setup:
 @zed --endpoint ":50051" --token "secret" --insecure schema write etc/authzd/spice.schema
-
-run-spice-schema-read:
 @zed --endpoint ":50051" --token "secret" --insecure schema read
+ @zed --endpoint ":50051" --token "secret" --insecure relationship create project:1 maintainer user:mokhax
+ @zed --endpoint ":50051" --token "secret" --insecure relationship create project:1 developer user:tanuki
+
+run-spicedb-permission-check:
+ @zed --endpoint ":50051" --token "secret" --insecure permission check project:1 read user:mokhax
+ @zed --endpoint ":50051" --token "secret" --insecure permission check project:1 write user:mokhax
+ @zed --endpoint ":50051" --token "secret" --insecure permission check project:1 read user:tanuki
+ @zed --endpoint ":50051" --token "secret" --insecure permission check project:1 write user:tanuki
diff --git a/etc/authzd/spice.schema b/etc/authzd/spice.schema
index 74d0a7d6..0d6a6482 100644
--- a/etc/authzd/spice.schema
+++ b/etc/authzd/spice.schema
@@ -1,7 +1,7 @@
 definition user {}
-definition post {
- relation reader: user
- relation writer: user
- permission read = reader + writer
- permission write = writer
+definition project {
+ relation developer: user
+ relation maintainer: user
+ permission read = developer + maintainer
+ permission write = maintainer
 }
-- cgit v1.2.3

From 2e6d541b2d182f3750dd7033d0e60b849b3e23f8 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Mon, 14 Jul 2025 14:02:17 -0600
Subject: chore: run authzd on 50052 instead of 50051 to prevent port collision

---
 Procfile | 2 +-
 etc/envoy/envoy.yaml | 2 +-
 src/bin/cli.rs | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
(limited to 'etc')
diff --git a/Procfile b/Procfile
index 6483045c..4db49ea7 100644
--- a/Procfile
+++ b/Procfile
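Review bot: Every recipe line in `run-spicedb-setup` and `run-spicedb-permission-check` repeats `--endpoint ":50051" --token "secret" --insecure`, so the preshared key now lives in eight `@zed` lines that must all agree with the `--grpc-preshared-key "secret"` handed to `spicedb serve` in `run-spicedb`. Hoisting the invocation into one Make variable, e.g. `ZED := zed --endpoint ":50051" --token "secret" --insecure`, and writing the recipes as `@$(ZED) relationship create project:1 maintainer user:mokhax`, keeps the development-only key and the `--insecure` flag in a single place that is easy to override or strip for anything other than a local run. The hunk shows no trailing context, so whether these are the last targets in the Makefile cannot be confirmed from here.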
@@ -1,3 +1,3 @@
-authzd: ./bin/authzd server
+authzd: ./bin/authzd server --addr 127.0.0.1:50052
 envoy: ./bin/envoy -c ./etc/envoy/envoy.yaml --base-id 1 --log-level warn --component-log-level admin:warn,connection:warn,grpc:warn,http:warn,http2:warn,router:warn,upstream:warn
 spicedb: spicedb serve --grpc-preshared-key "secret" --http-addr :8080 --grpc-addr :50051 --datastore-engine memory
diff --git a/etc/envoy/envoy.yaml b/etc/envoy/envoy.yaml
index 19df6a4f..9594c9e4 100644
--- a/etc/envoy/envoy.yaml
+++ b/etc/envoy/envoy.yaml
@@ -34,7 +34,7 @@ static_resources:
 address:
 socket_address:
 address: 127.0.0.1
- port_value: 50051
+ port_value: 50052
 typed_extension_protocol_options:
 envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
 "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
diff --git a/src/bin/cli.rs b/src/bin/cli.rs
index 837ef80f..78aa1ba1 100644
--- a/src/bin/cli.rs
+++ b/src/bin/cli.rs
@@ -40,7 +40,7 @@ enum Commands {
 },
 Server {
 /// Address to bind to
- #[arg(short, long, env = "BIND_ADDR", default_value = "127.0.0.1:50051")]
+ #[arg(short, long, env = "BIND_ADDR", default_value = "127.0.0.1:50052")]
 addr: String,
 },
 }
-- cgit v1.2.3

From d3b876c7181731a8596d58750d1c2046bad8e8a5 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Mon, 14 Jul 2025 14:23:07 -0600
Subject: chore: update envoy to proxy requests directly to spicedb

---
 etc/envoy/envoy.yaml | 42 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 40 insertions(+), 2 deletions(-)
(limited to 'etc')
diff --git a/etc/envoy/envoy.yaml b/etc/envoy/envoy.yaml
index 9594c9e4..bfe2ce16 100644
--- a/etc/envoy/envoy.yaml
+++ b/etc/envoy/envoy.yaml
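Review bot: Passing `--addr 127.0.0.1:50052` explicitly on the `authzd` line means the `BIND_ADDR` environment variable that this commit's `src/bin/cli.rs` hunk declares on the `addr` argument can no longer override the bind address when the process is started from this Procfile, since a command-line value takes precedence over an env value in clap. Because the same commit moves the compiled-in default to `127.0.0.1:50052`, the flag is redundant here; `authzd: ./bin/authzd server` keeps the port defined in one place and leaves `BIND_ADDR` usable. If the intent is to pin the port regardless of environment, a short comment on the line saying so would stop the next reader from removing it.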
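Review bot: The doc comment above `addr` still reads only `/// Address to bind to`, so the generated help gives no hint of why the default moved off the conventional gRPC port; a reader who sees SpiceDB on 50051 in the Procfile may "correct" it back and reintroduce the collision the commit title describes. Suggest `/// Address to bind to (defaults to 127.0.0.1:50052 so that 50051 stays free for SpiceDB)`. The `Commands` enum begins outside this hunk.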
@@ -53,6 +53,37 @@ static_resources:
 max_pending_requests: 1024
 max_requests: 1024
 max_retries: 3
+ - name: spicedb
+ connect_timeout: 5s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: spicedb
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 50051
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ explicit_http_config:
+ http2_protocol_options: {}
+ health_checks:
+ - timeout: 3s
+ interval: 5s
+ unhealthy_threshold: 2
+ healthy_threshold: 2
+ grpc_health_check: {}
+ circuit_breakers:
+ thresholds:
+ - priority: DEFAULT
+ max_connections: 1024
+ max_pending_requests: 1024
+ max_requests: 1024
+ max_retries: 3
 listeners:
 - name: main_listener
 address:
@@ -120,14 +151,21 @@ static_resources:
 key: "x-xss-protection"
 value: "1; mode=block"
 virtual_hosts:
- - name: backend
+ - name: grpc_services
 domains: ["*"]
 routes:
+ # Route ext_authz to authzd
 - match:
- prefix: "/"
+ prefix: "/envoy.service.auth.v3.Authorization/"
 route:
 cluster: authzd
 timeout: 30s
+ # Default route - everything else goes to SpiceDB
+ - match:
+ prefix: "/"
+ route:
+ cluster: spicedb
+ timeout: 30s
 retry_policy:
 retry_on: "5xx,reset,connect-failure,retriable-status-codes"
 num_retries: 3
-- cgit v1.2.3

From debf8403c595c98213bf17913824b081262c15e2 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Mon, 14 Jul 2025 14:32:53 -0600
Subject: chore: handle health checks in envoy rather than authzd

---
 Cargo.toml | 2 --
 etc/envoy/envoy.yaml | 3 +++
 src/authorization/server.rs | 16 +---------------
 3 files changed, 4 insertions(+), 17 deletions(-)
(limited to 'etc')
diff --git a/Cargo.toml b/Cargo.toml
index c99f5625..0a3f3483 100644
--- a/Cargo.toml
+++ b/Cargo.toml
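Review bot: The `retry_policy:` context at the end of the second hunk used to belong to the `authzd` route, and the new `spicedb` route's `route:` mapping is inserted directly above it; if `retry_policy:` sits at the same indentation as the new `timeout: 30s` (indentation is not preserved on this page, so this is inferred), the retry policy now attaches to the SpiceDB route and the ext_authz route to `authzd` has silently lost it — either give the authzd route its own `retry_policy` or place the new route after it. The new default route `prefix: "/"` also forwards every gRPC method that does not match `/envoy.service.auth.v3.Authorization/` to the `spicedb` cluster, which includes SpiceDB's schema and relationship write services rather than only permission checks, and whether the listener's ext_authz filter guards that route is not visible in this hunk. Matching the specific service path a client needs, for example `prefix: "/authzed.api.v1.PermissionsService/"`, instead of `/` would keep the proxy from exposing write APIs by default; a comment on the route noting which SpiceDB services are intentionally reachable would document the decision either way.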
@@ -22,8 +22,6 @@ serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 tokio = { version = "1.0.0", features = ["macros", "rt-multi-thread"] }
 tonic = "0.13.1"
-tonic-health = "0.13.1"
-tonic-reflection = "0.13.1"
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["json"] }
 urlencoding = "2.1"
diff --git a/etc/envoy/envoy.yaml b/etc/envoy/envoy.yaml
index bfe2ce16..62f8345b 100644
--- a/etc/envoy/envoy.yaml
+++ b/etc/envoy/envoy.yaml
@@ -131,6 +131,9 @@ static_resources:
 - name: ":path"
 string_match:
 exact: "/health"
+ cluster_min_healthy_percentages:
+ authzd: 100.0
+ spicedb: 100.0
 - name: envoy.filters.http.router
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
diff --git a/src/authorization/server.rs b/src/authorization/server.rs
index 90d3edf6..31bf2af8 100644
--- a/src/authorization/server.rs
+++ b/src/authorization/server.rs
@@ -9,25 +9,11 @@ pub struct Server {
 impl Server {
 pub fn new(authorizer: T) -> Result> {
- let (health_reporter, health_service) = tonic_health::server::health_reporter();
- std::mem::drop(
- health_reporter.set_service_status("", tonic_health::ServingStatus::Serving),
- );
 let authorization_service = AuthorizationServer::new(CheckService::new(Arc::new(authorizer)));
- let reflection_service = tonic_reflection::server::Builder::configure()
- .register_encoded_file_descriptor_set(tonic_health::pb::FILE_DESCRIPTOR_SET)
- .register_encoded_file_descriptor_set(include_bytes!(
- "../../vendor/envoy-types/src/generated/types.bin"
- ))
- .build_v1()?;
-
 Ok(Self::new_with(|mut builder| {
- builder
- .add_service(authorization_service)
- .add_service(health_service)
- .add_service(reflection_service)
+ builder.add_service(authorization_service)
 }))
 }
-- cgit v1.2.3

From 52640fad10e8d0c07230ca552dac5d168f5b8deb Mon Sep 17 00:00:00 2001
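Review bot: `cluster_min_healthy_percentages` is a field of the HTTP health_check filter's `typed_config`, but it is added immediately after the `exact: "/health"` header matcher, i.e. apparently inside that filter's header-matcher list rather than at the filter's top level (indentation is not preserved on this page, so this is inferred); Envoy rejects unknown fields at that position, which is consistent with the following commit titled `remove invalid envoy configuration`. If the intent is for `/health` to fail when `authzd` or `spicedb` is unhealthy, the block belongs at the same level as the filter's header-matcher list, so moving it there would preserve the behaviour the commit title promises instead of dropping it.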
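Review bot: Dropping `health_service` removes the `grpc.health.v1` implementation from authzd, yet the previous commit's envoy.yaml gives the `spicedb` cluster an active `grpc_health_check: {}` and the `authzd` cluster it was copied from appears to carry the same block; if it does, Envoy's active checks against authzd will now fail and the cluster will be marked unhealthy, which "handle health checks in envoy" does not address in the envoy hunk of this commit. Either keep serving tonic-health alongside the authorization service or change the authzd cluster's check to something the server still answers. With `.build_v1()?` gone, nothing inside the hunk can fail any more, so the `Result` return may be vestigial unless `new_with` fails elsewhere, and `new` has no doc comment; consider `/// Builds a server that serves only the Envoy ext_authz Authorization service; health and reflection are no longer registered.`. The `impl` block continues outside the hunk, and the generic parameters of `impl Server` and `Result>` look stripped by the page rendering rather than by the commit.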
From: mo khan
Date: Mon, 14 Jul 2025 14:55:28 -0600
Subject: chore: remove invalid envoy configuration

---
 etc/envoy/envoy.yaml | 3 ---
 1 file changed, 3 deletions(-)
(limited to 'etc')
diff --git a/etc/envoy/envoy.yaml b/etc/envoy/envoy.yaml
index 62f8345b..bfe2ce16 100644
--- a/etc/envoy/envoy.yaml
+++ b/etc/envoy/envoy.yaml
@@ -131,9 +131,6 @@ static_resources:
 - name: ":path"
 string_match:
 exact: "/health"
- cluster_min_healthy_percentages:
- authzd: 100.0
- spicedb: 100.0
 - name: envoy.filters.http.router
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
-- cgit v1.2.3

From 56276ca9000d0ada5c6412fcb6437024ae6358d7 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Mon, 14 Jul 2025 15:16:46 -0600
Subject: feat: allow access to sparkle in development

---
 etc/authzd/policy1.cedar | 11 +++++++++++
 tests/authorization/cedar_authorizer_test.rs | 18 ++++++++++++++++++
 2 files changed, 29 insertions(+)
(limited to 'etc')
diff --git a/etc/authzd/policy1.cedar b/etc/authzd/policy1.cedar
index 15776ab7..6fe51b16 100644
--- a/etc/authzd/policy1.cedar
+++ b/etc/authzd/policy1.cedar
@@ -28,3 +28,14 @@ when
 context.host == "sparkle.staging.runway.gitlab.net" &&
 principal has username
 };
+
+permit (
+ principal == User::"1",
+ action == Action::"GET",
+ resource == Resource::"/dashboard"
+)
+when
+{
+ context has host &&
+ context.host == "localhost:10000"
+};
diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs
index 7a99a7d9..58563832 100644
--- a/tests/authorization/cedar_authorizer_test.rs
+++ b/tests/authorization/cedar_authorizer_test.rs
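Review bot: The new `permit` grants `User::"1"` access to `/dashboard` on nothing more than `context.host == "localhost:10000"`, and the test added in this commit fills that host from the `:authority` header, which is client-supplied; if this policy file is loaded anywhere other than a local run, a request that carries that Host value satisfies the condition. Keep development-only grants out of the policy file that reaches staging and production, for instance by loading a separate development-only `.cedar` file in local runs, or pair the host check with a signal the client does not control. A comment above the rule marking it as local-only, e.g. `// Local development only: sparkle dashboard served on localhost:10000`, would also make the intent plain to the next reader. The policy file begins outside this hunk.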
@@ -128,4 +128,22 @@ mod tests {
 let authorizer = subject();
 assert_eq!(authorizer.authorize(request), true);
 }
+
+ #[test]
+ fn test_sparkle_dashboard() {
+ let request = build_request(|item: &mut HttpRequest| {
+ item.method = "GET".to_string();
+ item.path = "/dashboard".to_string();
+ item.host = "localhost:10000".to_string();
+ item.headers = build_headers(vec![
+ (String::from("x-jwt-claim-sub"), "1".to_string()),
+ (String::from(":path"), item.path.to_string()),
+ (String::from(":method"), item.method.to_string()),
+ (String::from(":authority"), item.host.to_string()),
+ ]);
+ });
+
+ let authorizer = subject();
+ assert_eq!(authorizer.authorize(request), true);
+ }
 }
-- cgit v1.2.3

From 7893dc14eeb28770c85860a1ae453edbdfa5a8f2 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Mon, 14 Jul 2025 15:59:15 -0600
Subject: chore: fix linter error in cedar policy

---
 etc/authzd/policy1.cedar | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
(limited to 'etc')
diff --git a/etc/authzd/policy1.cedar b/etc/authzd/policy1.cedar
index 6fe51b16..966bbcfb 100644
--- a/etc/authzd/policy1.cedar
+++ b/etc/authzd/policy1.cedar
@@ -34,8 +34,4 @@ permit (
 action == Action::"GET",
 resource == Resource::"/dashboard"
 )
-when
-{
- context has host &&
- context.host == "localhost:10000"
-};
+when { context has host && context.host == "localhost:10000" };
-- cgit v1.2.3
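Review bot: `assert_eq!(authorizer.authorize(request), true)` in `test_sparkle_dashboard` compares a bool against `true`; `assert!(authorizer.authorize(request))` says the same thing and is what clippy's `bool_assert_comparison` lint asks for, though the existing test in the context above uses the same form, so change both or neither for consistency. The test exercises only the allow path; a companion case with a different `x-jwt-claim-sub` value or a host other than `localhost:10000`, asserting a deny, would show that the new policy's conditions actually restrict access rather than that the authorizer happens to return true. `mod tests` starts outside this hunk.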