# Authx - Proof of Concept
This repository explores authentication and authorization workflows by introducing a separate authn/authz service.
It is a proof of concept that illustrates possible workflows, not a production-ready implementation.
To keep it accessible, external dependencies are kept to a minimum so that the code reads as a clear reference for the key concepts, including:
* SAML based authentication including IdP chaining to external identity providers
* OIDC based authentication
* OAuth endpoints with links to relevant RFCs for proper usage guidance
## Architecture
```plaintext
-------------
| user-agent |
-------------
|
V
----|:8080|-----------------------------------------------
|
V
---------------
| API Gateway | (use casbin to reject unauthorized requests early, reverse proxy, inject context headers)
---------------
|
| --------------------
|--->| IdP (saml, oidc) |
| --------------------
| | :http | :grpc | (use declarative_policy)
| --------------------
| A A
----------- | |
| | | |
V V | |
------ ------------ |
| UI | | REST API |----|
------ ------------
[UI]: ui.example.com
[REST API]: api.example.com
[IdP]: idp.example.com
```
TLS and RS256 (asymmetric token signing) are omitted from the prototype so that
decisions about key management and rotation stay out of scope; see
[smallstep](https://smallstep.com/docs/step-cli/) for PKI management. Run the
prototype only on a loopback interface: without TLS, session cookies, assertions
and tokens cross the wire in cleartext.
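The gateway box in the diagram does three things: reject requests early, reverse-proxy, and inject context headers. The part that is easy to get wrong is the third one: if the gateway sets `X-Authx-User` for the REST API but does not first strip whatever the client sent under that name, anyone who can reach the gateway can impersonate any user. The following is an added example, not code from this repository. It uses only the Go standard library; the `Principal` shape, the `X-Authx-User`/`X-Authx-Org` header names, the cookie-based session table and the "own organization only" policy are all assumptions made for the example, and the `Authenticator`/`Authorizer` function types stand in for the IdP session check and the casbin enforcer. The in-memory transport exists only so the scenario runs without a socket.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Principal is the identity the gateway establishes for a request. Its shape
// is an assumption of this example, not the project's session model.
type Principal struct{ User, Org string }

// Authenticator turns an inbound request into a Principal (a real gateway would
// validate the session minted by the IdP). Authorizer stands in for the casbin enforcer.
type Authenticator func(r *http.Request) (Principal, bool)
type Authorizer func(p Principal, method, path string) bool

// contextHeaders are owned by the gateway: they are deleted from every inbound
// request before being set, so a client cannot forge its own identity.
var contextHeaders = []string{"X-Authx-User", "X-Authx-Org"}

// NewGateway authenticates, authorizes, and only then proxies to upstream with
// trusted context headers attached. A nil transport means http.DefaultTransport.
func NewGateway(upstream *url.URL, transport http.RoundTripper, authn Authenticator, authz Authorizer) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	proxy.Transport = transport
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, h := range contextHeaders { // 1. never trust caller-supplied context
			r.Header.Del(h)
		}
		p, ok := authn(r) // 2. reject early: anonymous traffic never reaches upstream
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if !authz(p, r.Method, r.URL.Path) { // 3. policy decision at the edge
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		r.Header.Set("X-Authx-User", p.User) // 4. inject context the services can trust
		r.Header.Set("X-Authx-Org", p.Org)
		proxy.ServeHTTP(w, r)
	})
}

// inMemory hands proxied requests to an in-process handler so the scenario runs
// without opening a socket; a deployment would leave the transport nil.
type inMemory struct{ h http.Handler }

func (t inMemory) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// Outcome: gateway status plus the X-Authx-User the upstream actually received ("" if never reached).
type Outcome struct{ Status int; SeenUser string }

// Constructed demo session table: cookie value -> principal.
var demoSessions = map[string]Principal{"s-alice": {User: "alice", Org: "default"}}

// RunScenario pushes four constructed requests through the gateway. The demo
// policy lets a user touch only paths under their own organization.
func RunScenario() map[string]Outcome {
	authn := func(r *http.Request) (Principal, bool) {
		c, err := r.Cookie("session")
		if err != nil {
			return Principal{}, false
		}
		p, ok := demoSessions[c.Value]
		return p, ok
	}
	authz := func(p Principal, method, path string) bool {
		return strings.HasPrefix(path, "/orgs/"+p.Org+"/") // trailing slash: whole segment must match
	}
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Seen-User", r.Header.Get("X-Authx-User"))
	})
	u, _ := url.Parse("http://api.example.com")
	gw := NewGateway(u, inMemory{upstream}, authn, authz)
	send := func(path, cookie, spoof string) Outcome {
		req := httptest.NewRequest("GET", path, nil)
		if cookie != "" {
			req.AddCookie(&http.Cookie{Name: "session", Value: cookie})
		}
		if spoof != "" {
			req.Header.Set("X-Authx-User", spoof)
		}
		rec := httptest.NewRecorder()
		gw.ServeHTTP(rec, req)
		return Outcome{Status: rec.Code, SeenUser: rec.Result().Header.Get("X-Seen-User")}
	}
	return map[string]Outcome{
		"anonymous": send("/orgs/default/projects", "", ""),
		"spoofed":   send("/orgs/default/projects", "s-alice", "admin"),
		"cross-org": send("/orgs/gitlab/projects", "s-alice", ""),
		"allowed":   send("/orgs/default/projects", "s-alice", ""),
	}
}
```

In the "spoofed" case the client sends `X-Authx-User: admin` with a valid session for alice; the upstream sees `alice`, because the gateway deletes the header before it ever consults the session. The order of the four steps is the point: stripping happens unconditionally first, the unauthenticated and forbidden paths return before the proxy is touched, and the only writer of the context headers is the gateway itself. The same property has to hold at the network layer, i.e. the REST API must not be reachable except through the gateway, or the header stripping is moot.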
CSV files are used instead of a database to simulate different types of
scenarios. The following organizational hierarchy is demonstrated here:
```
Organization(name: "default")
* Group(name: "A")
* Project(name: "A1")
* Group(name: "B")
* Project(name: "B1")
Organization(name: "gitlab")
* Group(name: "gitlab-org")
* Project(name: "gitlab")
* Group(name: "gitlab-com")
* Group(name: "gl-security")
* Group(name: "test-projects")
* Project(name: "eicar-test-project")
* Project(name: "disclosures")
* Group(name: "support")
* Group(name: "toolbox")
* Project(name: "changelog-parser")
* Project(name: "handbook")
* Project(name: "www-gitlab-com")
```
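The hierarchy above is what the authorization side has to reason about: a role granted on a group should cover its sub-groups and projects, and nothing else. The following is an added example, not part of this repository; it loads a CSV-backed directory in the spirit of the README's CSV fixtures and answers "may user U do action A on path P" by walking grants down the tree. The users, roles, per-action thresholds and the `path,kind` / `user,path,role` column layouts are assumptions made for the example, and the `gitlab/gitlab-org-mirror` group is an extra that is not in the README hierarchy, added only to show why an ancestor check must compare whole path segments rather than string prefixes.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// Constructed fixtures: part of the README hierarchy as CSV, plus one group
// (marked) that is not in the README and exists only to show the prefix pitfall.
const resourcesCSV = `path,kind
default,organization
default/A/A1,project
gitlab,organization
gitlab/gitlab-org,group
gitlab/gitlab-org/gitlab,project
# not in the README hierarchy:
gitlab/gitlab-org-mirror,group
gitlab/gitlab-com,group
gitlab/gitlab-com/gl-security,group
gitlab/gitlab-com/gl-security/test-projects,group
gitlab/gitlab-com/gl-security/test-projects/eicar-test-project,project
`

// A grant gives a user a role on a path, inherited by everything beneath it.
// Users, roles and per-action thresholds are invented for the example.
const membershipsCSV = `user,path,role
alice,gitlab/gitlab-com/gl-security,maintainer
bob,gitlab/gitlab-org,developer
carol,default,guest
`

var roleRank = map[string]int{"guest": 10, "developer": 30, "maintainer": 40} // unknown role -> 0, never wins
var requiredRole = map[string]string{"read": "guest", "push": "developer", "admin": "maintainer"}

type membership struct{ path, role string }

type Directory struct {
	resources   map[string]string       // path -> kind
	memberships map[string][]membership // user -> grants
}

func parseCSV(s string) ([][]string, error) {
	r := csv.NewReader(strings.NewReader(s))
	r.Comment = '#'
	rows, err := r.ReadAll() // ReadAll also enforces a constant field count
	if err != nil || len(rows) < 2 {
		return nil, fmt.Errorf("bad csv: %v", err)
	}
	return rows[1:], nil // drop the header row
}

// Load refuses grants on unknown paths so a typo in the CSV fails loudly.
func Load(resources, memberships string) (*Directory, error) {
	d := &Directory{resources: map[string]string{}, memberships: map[string][]membership{}}
	rows, err := parseCSV(resources)
	if err != nil {
		return nil, err
	}
	for _, row := range rows {
		d.resources[row[0]] = row[1]
	}
	if rows, err = parseCSV(memberships); err != nil {
		return nil, err
	}
	for _, row := range rows {
		user, path, role := row[0], row[1], row[2]
		if _, ok := d.resources[path]; !ok {
			return nil, fmt.Errorf("grant for %s on unknown path %q", user, path)
		}
		d.memberships[user] = append(d.memberships[user], membership{path, role})
	}
	return d, nil
}

// EffectiveRole is the highest role the user inherits at path ("" if none).
// The ancestor test compares whole segments: "gitlab/gitlab-org" covers
// "gitlab/gitlab-org/gitlab" but not "gitlab/gitlab-org-mirror".
func (d *Directory) EffectiveRole(user, path string) string {
	best := ""
	for _, m := range d.memberships[user] {
		covers := m.path == path || strings.HasPrefix(path, m.path+"/")
		if covers && roleRank[m.role] > roleRank[best] {
			best = m.role
		}
	}
	return best
}

// Allowed denies by default: unknown resources and unknown actions are refused
// before any role is consulted.
func (d *Directory) Allowed(user, path, action string) bool {
	if _, ok := d.resources[path]; !ok {
		return false
	}
	need, ok := requiredRole[action]
	if !ok {
		return false
	}
	role := d.EffectiveRole(user, path)
	return role != "" && roleRank[role] >= roleRank[need]
}
```

With these fixtures, alice's `maintainer` grant on `gitlab/gitlab-com/gl-security` lets her administer `eicar-test-project` two levels down but gives her nothing under `gitlab/gitlab-org`, and bob's grant on `gitlab/gitlab-org` does not leak onto `gitlab/gitlab-org-mirror`. Everything not explicitly reachable (unknown path, unknown action, no covering grant) is denied, which is the default a policy layer such as the `declarative_policy` box in the diagram should start from.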
## Getting Started
1. Install tools:

   ```sh
   $ mise install
   ```

1. Add entries to `/etc/hosts`:

   ```sh
   $ tail -n3 /etc/hosts
   127.0.0.1 api.example.com
   127.0.0.1 idp.example.com
   127.0.0.1 ui.example.com
   ```

1. Start servers:

   ```sh
   $ mage
   ```

1. Open a browser to `http://ui.example.com:8080/`.
## Questions
See the [FAQ][9]
## References
* [go tool][5]
* [gRPC][6]
* [protocol buffers][7]
* [twirp][8]
[2]: https://gitlab.com/gitlab-org/gitlab/-/tree/master/app/policies
[5]: https://tip.golang.org/doc/modules/managing-dependencies#tools
[6]: https://grpc.io/docs/
[7]: https://protobuf.dev/programming-guides/proto3/
[8]: https://github.com/arthurnn/twirp-ruby/wiki/Code-Generation
[9]: ./doc/share/authz/FAQ.md