From 814a864184affab624f7d1e5314cd1f55d72b90c Mon Sep 17 00:00:00 2001 From: mo khan Date: Thu, 17 Jul 2025 12:37:14 -0600 Subject: refactor: remove cedar --- .../gitlab.com/gitlab-org/gitlab/entities.json | 251 ------------------ .../authorization/authzd/entities.json | 285 --------------------- .../authorization/sparkled/entities.json | 285 --------------------- etc/authzd/policy0.cedar | 16 -- etc/authzd/policy1.cedar | 37 --- etc/authzd/spice.schema | 10 + .../authorization/sparkle/team/entities.json | 70 ----- 7 files changed, 10 insertions(+), 944 deletions(-) delete mode 100644 etc/authzd/gitlab.com/gitlab-org/gitlab/entities.json delete mode 100644 etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/entities.json delete mode 100644 etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/entities.json delete mode 100644 etc/authzd/policy0.cedar delete mode 100644 etc/authzd/policy1.cedar delete mode 100644 etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json (limited to 'etc') diff --git a/etc/authzd/gitlab.com/gitlab-org/gitlab/entities.json b/etc/authzd/gitlab.com/gitlab-org/gitlab/entities.json deleted file mode 100644 index a7af8c80..00000000 --- a/etc/authzd/gitlab.com/gitlab-org/gitlab/entities.json +++ /dev/null 
@@ -1,251 +0,0 @@ -[ - { - "uid": { - "type": "Project", - "id": "278964" - }, - "attrs": { - "name": "GitLab", - "path": "gitlab", - "full_path": "gitlab-org/gitlab" - }, - "parents": [ - { - "type": "Group", - "id": "9970" - } - ] - }, - { - "uid": { - "type": "User", - "id": "1" - }, - "attrs": { - "username": "sytses", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "263716" - }, - "attrs": { - "username": "grzesiek", - "access_level": 40 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "370493" - }, - "attrs": { - "username": "luke", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "426128" - }, - "attrs": { - "username": "felipe_artur", - "access_level": 40 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "138401" - }, - "attrs": { - "username": "chriscool", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "367626" - }, - "attrs": { - "username": "alejandro", - "access_level": 40 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "516904" - }, - "attrs": { - "username": "tauriedavis", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "527558" - }, - "attrs": { - "username": "eliran.mesika", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "215818" - }, - "attrs": { - "username": "tmaczukin", - "access_level": 40 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "429540" - }, - "attrs": { - "username": "ahanselka", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "506061" - }, - "attrs": { - "username": "ahmadsherif", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "581582" - }, - "attrs": { - "username": "arihantar", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "626804" - }, - 
"attrs": { - "username": "pedroms", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "597578" - }, - "attrs": { - "username": "WarheadsSE", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "739252" - }, - "attrs": { - "username": "jdrumtra", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "739361" - }, - "attrs": { - "username": "Elsje", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "201566" - }, - "attrs": { - "username": "annabeldunstone", - "access_level": 40 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "829774" - }, - "attrs": { - "username": "jivanvl", - "access_level": 40 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "4849" - }, - "attrs": { - "username": "balasankarc", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "790854" - }, - "attrs": { - "username": "harishsr", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "Group", - "id": "9970" - }, - "attrs": { - "name": "GitLab.org", - "path": "gitlab-org", - "full_path": "gitlab-org" - }, - "parents": [] - } -] \ No newline at end of file diff --git a/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/entities.json b/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/entities.json deleted file mode 100644 index 6bc513fb..00000000 --- a/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd/entities.json +++ /dev/null 
@@ -1,285 +0,0 @@ -[ - { - "uid": { - "type": "Project", - "id": "69516684" - }, - "attrs": { - "name": "authz.d", - "path": "authzd", - "full_path": "gitlab-org/software-supply-chain-security/authorization/authzd" - }, - "parents": [ - { - "type": "Group", - "id": "76595764" - } - ] - }, - { - "uid": { - "type": "User", - "id": "1" - }, - "attrs": { - "username": "sytses", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "116" - }, - "attrs": { - "username": "marin", - "access_level": 50 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "13356" - }, - "attrs": { - "username": "dblessing", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "3585" - }, - "attrs": { - "username": "axil", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "12452" - }, - "attrs": { - "username": "ayufan", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "64248" - }, - "attrs": { - "username": "stanhu", - "access_level": 50 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "263716" - }, - "attrs": { - "username": "grzesiek", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "283999" - }, - "attrs": { - "username": "dbalexandre", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "2293" - }, - "attrs": { - "username": "brodock", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "215818" - }, - "attrs": { - "username": "tmaczukin", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "128633" - }, - "attrs": { - "username": "rymai", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "273486" - }, - "attrs": { - "username": "jameslopez", - "access_level": 40 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": 
"201566" - }, - "attrs": { - "username": "annabeldunstone", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "426128" - }, - "attrs": { - "username": "felipe_artur", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "138401" - }, - "attrs": { - "username": "chriscool", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "367626" - }, - "attrs": { - "username": "alejandro", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "516904" - }, - "attrs": { - "username": "tauriedavis", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "527558" - }, - "attrs": { - "username": "eliran.mesika", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "429540" - }, - "attrs": { - "username": "ahanselka", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "506061" - }, - "attrs": { - "username": "ahmadsherif", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "Group", - "id": "9970" - }, - "attrs": { - "name": "GitLab.org", - "path": "gitlab-org", - "full_path": "gitlab-org" - }, - "parents": [] - }, - { - "uid": { - "type": "Group", - "id": "97830335" - }, - "attrs": { - "name": "software-supply-chain-security", - "path": "software-supply-chain-security", - "full_path": "gitlab-org/software-supply-chain-security" - }, - "parents": [ - { - "type": "Group", - "id": "9970" - } - ] - }, - { - "uid": { - "type": "Group", - "id": "76595764" - }, - "attrs": { - "name": "Authorization", - "path": "authorization", - "full_path": "gitlab-org/software-supply-chain-security/authorization" - }, - "parents": [ - { - "type": "Group", - "id": "97830335" - } - ] - } -] \ No newline at end of file 
diff --git a/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/entities.json b/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/entities.json deleted file mode 100644 index 4846592a..00000000 --- a/etc/authzd/gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/entities.json +++ /dev/null 
@@ -1,285 +0,0 @@ -[ - { - "uid": { - "type": "Project", - "id": "68877410" - }, - "attrs": { - "name": "sparkle.d", - "path": "sparkled", - "full_path": "gitlab-org/software-supply-chain-security/authorization/sparkled" - }, - "parents": [ - { - "type": "Group", - "id": "76595764" - } - ] - }, - { - "uid": { - "type": "User", - "id": "1" - }, - "attrs": { - "username": "sytses", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "116" - }, - "attrs": { - "username": "marin", - "access_level": 50 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "13356" - }, - "attrs": { - "username": "dblessing", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "3585" - }, - "attrs": { - "username": "axil", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "12452" - }, - "attrs": { - "username": "ayufan", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "64248" - }, - "attrs": { - "username": "stanhu", - "access_level": 50 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "263716" - }, - "attrs": { - "username": "grzesiek", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "283999" - }, - "attrs": { - "username": "dbalexandre", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "2293" - }, - "attrs": { - "username": "brodock", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "215818" - }, - "attrs": { - "username": "tmaczukin", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "128633" - }, - "attrs": { - "username": "rymai", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "273486" - }, - "attrs": { - "username": "jameslopez", - "access_level": 40 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - 
"id": "201566" - }, - "attrs": { - "username": "annabeldunstone", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "426128" - }, - "attrs": { - "username": "felipe_artur", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "138401" - }, - "attrs": { - "username": "chriscool", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "367626" - }, - "attrs": { - "username": "alejandro", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "516904" - }, - "attrs": { - "username": "tauriedavis", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "527558" - }, - "attrs": { - "username": "eliran.mesika", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "429540" - }, - "attrs": { - "username": "ahanselka", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "506061" - }, - "attrs": { - "username": "ahmadsherif", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "Group", - "id": "9970" - }, - "attrs": { - "name": "GitLab.org", - "path": "gitlab-org", - "full_path": "gitlab-org" - }, - "parents": [] - }, - { - "uid": { - "type": "Group", - "id": "97830335" - }, - "attrs": { - "name": "software-supply-chain-security", - "path": "software-supply-chain-security", - "full_path": "gitlab-org/software-supply-chain-security" - }, - "parents": [ - { - "type": "Group", - "id": "9970" - } - ] - }, - { - "uid": { - "type": "Group", - "id": "76595764" - }, - "attrs": { - "name": "Authorization", - "path": "authorization", - "full_path": "gitlab-org/software-supply-chain-security/authorization" - }, - "parents": [ - { - "type": "Group", - "id": "97830335" - } - ] - } -] \ No newline at end of file diff --git a/etc/authzd/policy0.cedar b/etc/authzd/policy0.cedar deleted file mode 100644 index bcc9a316..00000000 
--- a/etc/authzd/policy0.cedar
+++ /dev/null
@@ -1,16 +0,0 @@
-permit (principal, action, resource)
-when
-{
- context has path &&
- context has method &&
- (context.method == "GET" || context.method == "HEAD") &&
- (context.path like "*.css" ||
- context.path like "*.js" ||
- context.path like "*.ico" ||
- context.path like "*.png" ||
- context.path like "*.jpg" ||
- context.path like "*.jpeg" ||
- context.path like "*.gif" ||
- context.path like "*.bmp" ||
- context.path like "*.html")
-};
diff --git a/etc/authzd/policy1.cedar b/etc/authzd/policy1.cedar deleted file mode 100644
index 966bbcfb..00000000
--- a/etc/authzd/policy1.cedar
+++ /dev/null
@@ -1,37 +0,0 @@
-permit (principal, action, resource)
-when
-{
- context has host &&
- context has method &&
- context has path &&
- ((context.host == "sparkle.runway.gitlab.net" ||
- context.host == "sparkle.staging.runway.gitlab.net" ||
- context.host like "localhost:*") &&
- ((context.method == "GET" &&
- (context.path == "/" ||
- context.path == "/callback" ||
- context.path == "/dashboard/nav" ||
- context.path == "/health" ||
- context.path == "/signout" ||
- context.path == "/sparkles")) ||
- (context.method == "POST" && (context.path == "/sparkles/restore"))))
-};
-
-permit (
- principal is User,
- action == Action::"POST",
- resource == Resource::"/sparkles"
-)
-when
-{
- context has host &&
- context.host == "sparkle.staging.runway.gitlab.net" &&
- principal has username
-};
-
-permit (
- principal == User::"1",
- action == Action::"GET",
- resource == Resource::"/dashboard"
-)
-when { context has host && context.host == "localhost:10000" };
diff --git a/etc/authzd/spice.schema b/etc/authzd/spice.schema
index 0d6a6482..da408b80 100644
--- a/etc/authzd/spice.schema
+++ b/etc/authzd/spice.schema
@@ -1,7 +1,17 @@ definition user {} + definition project { relation developer: user relation maintainer: user + + permission read = developer + maintainer + permission write = maintainer +} + +definition group { + relation developer: user + relation maintainer: user + permission read = developer + maintainer permission write = maintainer } diff --git a/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json b/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json deleted file mode 100644 index 5515d6a1..00000000 --- a/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json +++ /dev/null @@ -1,70 +0,0 @@ -[ - { - "uid": { - "type": "Project", - "id": "16781932" - }, - "attrs": { - "name": "team", - "path": "team", - "full_path": "authorization/sparkle/team" - }, - "parents": [ - { - "type": "Group", - "id": "24445167" - } - ] - }, - { - "uid": { - "type": "User", - "id": "1675940" - }, - "attrs": { - "username": "mokhax", - "access_level": 50 - }, - "parents": [] - }, - { - "uid": { - "type": "User", - "id": "1676317" - }, - "attrs": { - "username": "jayswain", - "access_level": 30 - }, - "parents": [] - }, - { - "uid": { - "type": "Group", - "id": "24445166" - }, - "attrs": { - "name": "authorization", - "path": "authorization", - "full_path": "authorization" - }, - "parents": [] - }, - { - "uid": { - "type": "Group", - "id": "24445167" - }, - "attrs": { - "name": "sparkle", - "path": "sparkle", - "full_path": "authorization/sparkle" - }, - "parents": [ - { - "type": "Group", - "id": "24445166" - } - ] - } -] \ No newline at end of file -- cgit v1.2.3
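Review bot: The new `definition group` at the end of the spice.schema hunk is a verbatim copy of `project` with no relation between the two, so nothing in this schema lets a group-level developer or maintainer read or write the projects under that group, and nothing models groups nested in groups. The entities.json files this commit deletes encoded exactly that hierarchy (every Project carried a `parents` entry pointing at a Group, and Groups themselves had Group parents), so unless the caller now writes a per-project relationship for every inherited member and keeps it in sync, those users silently lose access. I would add `relation parent: group` to both definitions and let the permissions traverse it, as below. The deleted entity files also carried `access_level: 50` users — presumably GitLab's Owner level — which have no target relation here; whether they collapse onto `maintainer` or get their own `owner` relation should be stated in the commit message. Likewise the deleted policy1.cedar carried host/method/path allow-lists that have no counterpart in this schema; if that enforcement moved elsewhere, the description should say where.
```zed
// … unchanged: definition user …

definition project {
  relation parent: group
  relation developer: user
  relation maintainer: user

  permission read = developer + maintainer + parent->read
  permission write = maintainer + parent->write
}

definition group {
  relation parent: group
  relation developer: user
  relation maintainer: user

  permission read = developer + maintainer + parent->read
  permission write = maintainer + parent->write
}
```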