blob: ec665d6913149e23764075672ef058b76a48d73d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
# Cedar Authorization Guide
Cedar provides policy-based authorization using Amazon's Cedar policy
language. This service handles request authorization through Envoy's
`ext_authz` filter.
## Architecture
```
+---------------------------------------------------------------------+
| Client Request |
+---------------------------------------------------------------------+
│
V
+---------------------------------------------------------------------+
│ Envoy Proxy (:20000) |
│ |
│ * JWT Filter extracts x-jwt-claim-sub header |
│ * ext_authz sends CheckRequest to authzd |
+---------------------------------------------------------------------+
| ext_authz
V
+---------------------+
| authzd (:50052) |
| |
| +-----------------+ |
| | Cedar Policies | |
| | * Static Assets | |
| | * JWT Claims | |
| | * Path Rules | |
| +-----------------+ |
+---------------------+
```
## Authorization Flow
```
Client Envoy authzd
| | |
| HTTP Request + JWT | |
|---------------------->| |
| | Extract JWT claims |
| | Add x-jwt-claim-sub |
| | |
| | ext_authz CheckRequest |
| |----------------------->|
| | |
| | | Evaluate
| | | Cedar
| | | policies
| | Allow/Deny |
| |<-----------------------|
| | |
| Forward request | |
| or 403 Forbidden | |
|<----------------------| |
```
## Cedar Policies
### Policy Structure
Policies are stored in `etc/authzd/*.cedar` files using Cedar's policy language:
```cedar
permit (
principal == User::"1",
action == Action::"GET",
resource == Resource::"/sparkle/"
)
when
{
context has host &&
context.host == "sparkle.staging.runway.gitlab.net" &&
principal has username
};
```
## JWT Integration
### JWT Header Extraction
Envoy's JWT filter extracts claims and adds them as headers:
- `x-jwt-claim-sub` - User ID (subject)
## Policy Development
### Adding New Policies
1. Create or edit `.cedar` files in `etc/authzd/`
2. Use Cedar policy syntax for rules
3. Test with `make test`
4. Validate with `make lint`
### Policy Validation
```bash
# Check policy syntax
cedar check-parse --policies etc/authzd/policy1.cedar
# Format policies
cedar format --policies etc/authzd/policy1.cedar --check
```
### Testing Policies
```bash
# Run Cedar authorization tests
cargo test authorization::cedar_authorizer_test
# Test specific scenarios
cargo test test_sparkle_homepage
```
## Make Targets
- `make test` - Run all tests including Cedar policy tests
- `make lint` - Validate Cedar policy syntax and formatting
## References
- [Cedar Policy Language](https://docs.cedarpolicy.com/)
- [Cedar Language Guide](https://docs.cedarpolicy.com/policies/syntax.html)
- [Envoy JWT Authentication](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter)
|
