From 3d7745e618dfd824afb83d860abcc8af90b0bd14 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 9 Jul 2025 09:45:31 -0600
Subject: chore: start to provide entities to cedar

---
 tests/support/factory_bot.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'tests/support')

diff --git a/tests/support/factory_bot.rs b/tests/support/factory_bot.rs
index 007f0cb7..14969f87 100644
--- a/tests/support/factory_bot.rs
+++ b/tests/support/factory_bot.rs
@@ -36,10 +36,10 @@ pub fn build_headers(headers: Vec<(String, String)>) -> HashMap
 })
 }
 
-pub fn build_cedar_authorizer() -> authzd::CedarAuthorizer {
+pub fn build_cedar_authorizer(entities: cedar_policy::Entities) -> authzd::CedarAuthorizer {
 let realpath = std::fs::canonicalize("./etc/authzd").unwrap();
 let path = realpath.as_path();
- authzd::CedarAuthorizer::new_from(path, cedar_policy::Entities::empty())
+ authzd::CedarAuthorizer::new_from(path, entities)
 }
 
 pub async fn build_channel(addr: SocketAddr) -> Channel {
--
cgit v1.2.3

From 5abf4b1db876161ef028398c9d600dd5ab9f6f6e Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 9 Jul 2025 16:28:12 -0600
Subject: test: extract common test setup to initialize logger

---
 tests/authorization/cedar_authorizer_test.rs | 2 ++
 tests/support/common.rs | 12 ++++++++++++
 tests/support/mod.rs | 1 +
 3 files changed, 15 insertions(+)
 create mode 100644 tests/support/common.rs

(limited to 'tests/support')

diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs
index 4a319c09..27b676ba 100644
--- a/tests/authorization/cedar_authorizer_test.rs
+++ b/tests/authorization/cedar_authorizer_test.rs
@@ -1,12 +1,14 @@
 #[cfg(test)]
 mod tests {
 use crate::support::factory_bot::*;
+ use crate::support::*;
 use authzd::Authorizer;
 use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest;
 use std::collections::HashMap;
 use std::str::FromStr;
 
 fn subject() -> authzd::CedarAuthorizer {
+ common::setup();
 subject_with(cedar_policy::Entities::empty())
 }
 
diff --git a/tests/support/common.rs b/tests/support/common.rs
new file mode 100644
index 00000000..8db5c52b
--- /dev/null
+++ b/tests/support/common.rs
@@ -0,0 +1,12 @@
+use std::sync::Once;
+
+static INIT: Once = Once::new();
+
+pub fn setup() {
+ INIT.call_once(|| {
+ tracing_subscriber::fmt()
+ .with_test_writer()
+ .with_max_level(tracing::Level::WARN)
+ .init();
+ });
+}
diff --git a/tests/support/mod.rs b/tests/support/mod.rs
index 5e2a6d78..c46f39e5 100644
--- a/tests/support/mod.rs
+++ b/tests/support/mod.rs
@@ -1 +1,2 @@
+pub mod common;
 pub mod factory_bot;
--
cgit v1.2.3

From b3cbfaed168b8c28d1c740f705d92008608b6dcd Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 9 Jul 2025 17:50:37 -0600
Subject: refactor: extract build_user function

---
 tests/authorization/cedar_authorizer_test.rs | 15 +++------------
 tests/support/factory_bot.rs | 13 +++++++++++++
 2 files changed, 16 insertions(+), 12 deletions(-)

(limited to 'tests/support')

diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs
index 88357058..8add9868 100644
--- a/tests/authorization/cedar_authorizer_test.rs
+++ b/tests/authorization/cedar_authorizer_test.rs
@@ -5,7 +5,6 @@ mod tests {
 use authzd::Authorizer;
 use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest;
 use std::collections::HashMap;
- use std::str::FromStr;
 
 fn subject() -> authzd::CedarAuthorizer {
 common::setup();
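Review bot: `common::setup()` is called only from `subject()`, so a test that builds its authorizer through `subject_with(...)` directly (as a later patch on this page does) runs without the logger unless `subject_with` also calls it — its body is outside this hunk, so that is unverified. Putting `common::setup();` as the first statement of `subject_with`, which both paths go through, would make the initialization unconditional. The `tests` module continues past the end of the hunk.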
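Review bot: `.init()` inside `setup` panics if a global tracing subscriber has already been installed by something other than this `Once` (another support module, or code under test that sets its own), and the `Once` cannot guard against that case. `.try_init()` returns an error instead, which is the usual shape for test setup: `let _ = tracing_subscriber::fmt().with_test_writer().with_max_level(tracing::Level::WARN).try_init();`. The public helper also has no doc comment; `/// Installs a WARN-level test-writer subscriber once per test binary.` would state the contract.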
@@ -73,7 +72,7 @@ mod tests {
 // * delete sparkles: `:delete, gid://sparkle/Sparkle/*`
 // * delete single sparkle: `:delete, gid://sparkle/Sparkle/:id`
 #[test]
- fn test_authenticated_sparkle_endpoints() {
+ fn test_authenticated_create_sparkle() {
 let request = build_request(|item: &mut HttpRequest| {
 item.method = "GET".to_string();
 item.path = "/sparkles".to_string();
@@ -86,16 +85,8 @@ mod tests {
 ]);
 });
 
- let user = cedar_policy::Entity::new(
- cedar_policy::EntityUid::from_type_name_and_id(
- cedar_policy::EntityTypeName::from_str("User").unwrap(),
- cedar_policy::EntityId::from_str("1675940").unwrap(),
- ),
- std::collections::HashMap::new(),
- std::collections::HashSet::new(),
- );
-
- let entities = cedar_policy::Entities::from_entities([user.unwrap()], None).unwrap();
+ let user = build_user("1675940");
+ let entities = cedar_policy::Entities::from_entities([user], None).unwrap();
 let authorizer = subject_with(entities);
 assert!(authorizer.authorize(request));
 }
diff --git a/tests/support/factory_bot.rs b/tests/support/factory_bot.rs
index 14969f87..969080a3 100644
--- a/tests/support/factory_bot.rs
+++ b/tests/support/factory_bot.rs
@@ -3,6 +3,7 @@ use envoy_types::pb::envoy::service::auth::v3::AttributeContext;
 use envoy_types::pb::envoy::service::auth::v3::attribute_context::{HttpRequest, Request};
 use std::collections::HashMap;
 use std::net::SocketAddr;
+use std::str::FromStr;
 use tonic::transport::Channel;
 
 #[allow(dead_code)]
@@ -56,3 +57,15 @@ where
 {
 f(build_channel(addr).await)
 }
+
+pub fn build_user(id: &str) -> cedar_policy::Entity {
+ cedar_policy::Entity::new(
+ cedar_policy::EntityUid::from_type_name_and_id(
+ cedar_policy::EntityTypeName::from_str("User").unwrap(),
+ cedar_policy::EntityId::from_str(id).unwrap(),
+ ),
+ std::collections::HashMap::new(),
+ std::collections::HashSet::new(),
+ )
+ .unwrap()
+}
--
cgit v1.2.3

From 5d7f37c6508c7308c17659630cff35f4ead6dae4 Mon Sep 17 00:00:00 2001
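Review bot: The test is renamed to `test_authenticated_create_sparkle`, but the fixture directly under the rename still sends `GET` to `/sparkles`, which by the endpoint list in the comments above is a read rather than a create; if creation is what should be covered, the method line should read `item.method = "POST".to_string();`, otherwise the old name described the request more accurately. The rest of the test body is in the following hunk and its tail is outside it, so this is judged from the fixture alone.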
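Review bot: `build_user` is a new public helper with no doc comment, and its two `unwrap()`s turn an invalid `id` into a panic rather than an error — acceptable in a test factory, but it should be stated: `/// Builds a `User` entity for tests; panics if `id` is not a valid Cedar entity id.` The body also spells out `std::collections::HashMap::new()` and `std::collections::HashSet::new()` although `HashMap` is imported at the top of this file (visible in the preceding hunk); the same fully-qualified path reappears in the reworked signature in the last patch on this page.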
From: mo khan
Date: Thu, 10 Jul 2025 14:58:52 -0600
Subject: fix: allow authenticated+authorized users to create Sparkles

---
 etc/authzd/policy1.cedar | 12 ++++++++++++
 .../authorization/sparkle/team/entities.json | 8 ++------
 src/authorization/entities.rs | 2 --
 src/gitlab/member.rs | 2 --
 tests/authorization/cedar_authorizer_test.rs | 14 ++++++++++++--
 tests/support/factory_bot.rs | 7 +++++--
 6 files changed, 31 insertions(+), 14 deletions(-)

(limited to 'tests/support')

diff --git a/etc/authzd/policy1.cedar b/etc/authzd/policy1.cedar
index 2306aaae..15776ab7 100644
--- a/etc/authzd/policy1.cedar
+++ b/etc/authzd/policy1.cedar
@@ -16,3 +16,15 @@ when
 context.path == "/sparkles")) || (context.method == "POST" && (context.path == "/sparkles/restore"))))
 };
+
+permit (
+ principal is User,
+ action == Action::"POST",
+ resource == Resource::"/sparkles"
+)
+when
+{
+ context has host &&
+ context.host == "sparkle.staging.runway.gitlab.net" &&
+ principal has username
+};
diff --git a/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json b/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json
index ef479736..72d50bce 100644
--- a/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json
+++ b/etc/authzd/staging.gitlab.com/authorization/sparkle/team/entities.json
@@ -22,9 +22,7 @@
 "id": "1675940"
 },
 "attrs": {
- "username": "mokhax",
- "name": "mo khan",
- "access_level": 50
+ "username": "mokhax"
 },
 "parents": []
 },
@@ -34,9 +32,7 @@
 "id": "1676317"
 },
 "attrs": {
- "username": "jayswain",
- "name": "Jay Swain",
- "access_level": 30
+ "username": "jayswain"
 },
 "parents": []
 },
diff --git a/src/authorization/entities.rs b/src/authorization/entities.rs
index a26cace2..dd5894f8 100644
--- a/src/authorization/entities.rs
+++ b/src/authorization/entities.rs
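Review bot: The new permit admits any `User` that `has username` for `POST` on `/sparkles`, and with `access_level` removed from the entity attributes in this same commit the policy expresses no role or membership condition of its own — the effective boundary becomes "is this user present in the entity store at all", which is decided by the code that syncs members, not by the policy. If that is the intended model, say so next to the permit, e.g. `// Every synced member (each User entity carries username) may create sparkles; the entity store is the access boundary.` The `context.host` condition is only as strong as the value the authorizer copies into the context; if that comes from the request's Host/:authority header rather than from the listener configuration, document that it is a routing hint and not an independent environment guard. The `when` block of the preceding policy starts outside the hunk.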
@@ -75,8 +75,6 @@ impl EntitiesRepository {
 },
 attrs: serde_json::json!({
 "username": member.username,
- "name": member.name,
- "access_level": member.access_level,
 }),
 parents: vec![],
 });
diff --git a/src/gitlab/member.rs b/src/gitlab/member.rs
index 0b4997e9..7e7f212e 100644
--- a/src/gitlab/member.rs
+++ b/src/gitlab/member.rs
@@ -4,7 +4,5 @@ use serde::Deserialize;
 pub struct Member {
 pub id: u64,
 pub username: String,
- pub name: String,
 pub state: String,
- pub access_level: u8,
 }
diff --git a/tests/authorization/cedar_authorizer_test.rs b/tests/authorization/cedar_authorizer_test.rs
index f2dfebd4..f056c8c7 100644
--- a/tests/authorization/cedar_authorizer_test.rs
+++ b/tests/authorization/cedar_authorizer_test.rs
@@ -91,12 +91,22 @@ mod tests {
 ]);
 });
 
- let user = build_user("1675940");
+ let mut attrs = std::collections::HashMap::new();
+ attrs.insert(
+ "username".to_string(),
+ cedar_policy::RestrictedExpression::new_string("tanuki".to_string()),
+ );
+ let user = build_user("1675940", attrs);
 let entities = cedar_policy::Entities::from_entities([user], None).unwrap();
 let authorizer = subject_with(entities);
 assert!(authorizer.authorize(request.clone()));
 
- let user = build_user("1");
+ let mut attrs = std::collections::HashMap::new();
+ attrs.insert(
+ "username".to_string(),
+ cedar_policy::RestrictedExpression::new_string("root".to_string()),
+ );
+ let user = build_user("1", attrs);
 let entities = cedar_policy::Entities::from_entities([user], None).unwrap();
 let authorizer = subject_with(entities);
 assert!(!authorizer.authorize(request.clone()));
diff --git a/tests/support/factory_bot.rs b/tests/support/factory_bot.rs
index 969080a3..ba0d9c38 100644
--- a/tests/support/factory_bot.rs
+++ b/tests/support/factory_bot.rs
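Review bot: After this hunk the entity carries only `username`, while `Member` in the next hunk (member.rs) still deserializes `state`; nothing on the page filters on it or propagates it, so if the upstream member list can contain non-active members they would still satisfy `principal has username` in the permit added by this commit. Either skip such members when building entities or carry the field so a policy can require it, e.g. `"state": member.state,` alongside `"username"`. The enclosing method of `EntitiesRepository` starts and ends outside the hunk, so whether a filter already exists upstream of this `json!` cannot be seen here.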
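Review bot: The two attribute-building stanzas in the test hunk are identical except for the username and will be copied again for every future user fixture; a factory helper that takes the username would reduce each to one line. The expected outcomes are also unexplained: both users now carry `username`, which is exactly what the new permit requires, so the denial of `"1"` must come from a policy or entity data outside this hunk — a comment naming which, e.g. `// NOTE(review): state which policy or missing entity denies user 1`, would keep the assertion from reading as a property of the new permit. The request fixture and the rest of the test sit outside the hunk.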
@@ -58,13 +58,16 @@ where
 f(build_channel(addr).await)
 }
 
-pub fn build_user(id: &str) -> cedar_policy::Entity {
+pub fn build_user(
+ id: &str,
+ attrs: std::collections::HashMap,
+) -> cedar_policy::Entity {
 cedar_policy::Entity::new(
 cedar_policy::EntityUid::from_type_name_and_id(
 cedar_policy::EntityTypeName::from_str("User").unwrap(),
 cedar_policy::EntityId::from_str(id).unwrap(),
 ),
- std::collections::HashMap::new(),
+ attrs,
 std::collections::HashSet::new(),
 )
 .unwrap()
--
cgit v1.2.3
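Review bot: Every caller of `build_user` now has to assemble a map of `RestrictedExpression`s just to set `username`, and `username` is the only attribute the policy in this commit reads, so the two call sites in the test hunk repeat the same five lines; a thin wrapper in this file removes that duplication and keeps `build_user` for the general case. The `HashMap` type parameters of `attrs` appear stripped in this rendering, so they are not checked here; `HashMap` itself is already imported at the top of this file and could replace the fully-qualified path. `build_user` still lacks a doc comment; `/// Builds a `User` entity with the given attributes; panics if `id` is not a valid Cedar entity id.` would suit it, and the wrapper below carries its own. The closing brace of `build_user` is outside the hunk.
```rust
/// Builds a `User` entity whose only attribute is `username`.
/// Panics if `id` is not a valid Cedar entity id (acceptable in a test factory).
pub fn build_user_with_username(id: &str, username: &str) -> cedar_policy::Entity {
    let mut attrs = std::collections::HashMap::new();
    attrs.insert(
        "username".to_string(),
        cedar_policy::RestrictedExpression::new_string(username.to_string()),
    );
    build_user(id, attrs)
}
// … unchanged: build_user …
```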