add more tests

opentdf · Nov 25, 2024 · bc6d285 · bc6d285
1 parent 80bf343
commit bc6d285
Show file tree

Hide file tree

Showing 8 changed files with 193 additions and 217 deletions.
diff --git a/opentdf-dev.yaml b/opentdf-dev.yaml
@@ -49,20 +49,18 @@ server:
     audience: 'http://localhost:8080'
     issuer: http://localhost:8888/auth/realms/opentdf
     policy:
-      ## Default policy for all requests
-      default: #"role:standard"
       ## Dot notation is used to access nested claims (i.e. realm_access.roles)
-      claim: # realm_access.roles
-      ## Maps the external role to the opentdf role
-      ## Note: left side is used in the policy, right side is the external role
-      map:
-        # standard: opentdf-standard
-        # admin: opentdf-admin
-
-      ## Custom policy (see examples https://github.com/casbin/casbin/tree/master/examples)
+      # Claim that represents the user (i.e. email)
+      username_claim: # preferred_username
+      # That claim to access groups (i.e. realm_access.roles)
+      groups_claim: # realm_access.roles
+      ## Extends the builtin policy
+      extension: |
+        g, opentdf-admin, role:admin
+        g, opentdf-standard, role:standard
+      ## Custom policy that overrides builtin policy (see examples https://github.com/casbin/casbin/tree/master/examples)
       csv: #|
       #  p, role:admin, *, *, allow
-
       ## Custom model (see https://casbin.org/docs/syntax-for-models/)
       model: #|
       #  [request_definition]

diff --git a/opentdf-example.yaml b/opentdf-example.yaml
@@ -36,17 +36,16 @@ server:
     audience: 'http://localhost:8080'
     issuer: http://keycloak:8888/auth/realms/opentdf
     policy:
-      ## Default policy for all requests
-      default: #"role:standard"
       ## Dot notation is used to access nested claims (i.e. realm_access.roles)
-      claim: # realm_access.roles
-      ## Maps the external role to the opentdf role
-      ## Note: left side is used in the policy, right side is the external role
-      map:
-      #  standard: opentdf-standard
-      #  admin: opentdf-admin
-
-      ## Custom policy (see examples https://github.com/casbin/casbin/tree/master/examples)
+      # Claim that represents the user (i.e. email)
+      username_claim: # preferred_username
+      # That claim to access groups (i.e. realm_access.roles)
+      groups_claim: # realm_access.roles
+      ## Extends the builtin policy
+      extension: |
+        g, opentdf-admin, role:admin
+        g, opentdf-standard, role:standard
+      ## Custom policy that overrides builtin policy (see examples https://github.com/casbin/casbin/tree/master/examples)
       csv: #|
       #  p, role:admin, *, *, allow
       ## Custom model (see https://casbin.org/docs/syntax-for-models/)

diff --git a/opentdf-with-hsm.yaml b/opentdf-with-hsm.yaml
diff --git a/service/internal/auth/casbin.go b/service/internal/auth/casbin.go
@@ -11,80 +11,20 @@ import (
 	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/opentdf/platform/service/logger"
 	"github.com/opentdf/platform/service/pkg/util"
+
+	_ "embed"
 )
 
 var (
 	rolePrefix  = "role:"
 	defaultRole = "unknown"
 )
 
-var builtinPolicy = `
-## Roles (prefixed with role:)
-# admin - admin
-# standard - standard
-# unknown - unknown role or no role
-
-## Resources
-# Resources beginning with / are HTTP routes. Generally, this does not matter, but when HTTP routes don't map well
-# with the protos this may become important.
-
-## Actions
-# read - read the resource
-# write - write to the resource
-# delete - delete the resource
-# unsafe - unsafe actions
-
-## Grouping Statements - Maps users/groups to roles
-g, opentdf-admin, role:admin
-g, opentdf-standard, role:standard
-
-# Role: Admin
-## gRPC and HTTP routes
-p,	role:admin,		*,					*,			allow
-
-## Role: Standard
-## gRPC routes
-p,	role:standard,		policy.*,																read,			allow
-p,	role:standard,		kasregistry.*,													read,			allow
-p,	role:standard,      kas.AccessService/Rewrap, 			           *,			allow
-p,  role:standard,      authorization.AuthorizationService/GetDecisions,        read, allow
-p,  role:standard,      authorization.AuthorizationService/GetDecisionsByToken, read, allow
-
-## HTTP routes
-p,	role:standard,		/attributes*,														read,			allow
-p,	role:standard,		/namespaces*,														read,			allow
-p,	role:standard,		/subject-mappings*,											read,			allow
-p,	role:standard,		/resource-mappings*,										read,			allow
-p,	role:standard,		/key-access-servers*,										read,			allow
-p,	role:standard,		/kas/v2/rewrap,													write,		allow
-p,  role:standard,      /v1/authorization,                                                              write,          allow
-p,  role:standard,      /v1/token/authorization,                                                        write,          allow
-
-# Public routes
-## gRPC routes
-## for ERS, right now we don't care about requester role, just that a valid jwt is provided when the OPA engine calls (enforced in the ERS itself, not casbin)
-p,	role:unknown,     kas.AccessService/Rewrap, 			                                  *,	  allow
-## HTTP routes
-## for ERS, right now we don't care about requester role, just that a valid jwt is provided when the OPA engine calls (enforced in the ERS itself, not casbin)
-p,	role:unknown,		  /kas/v2/rewrap,													  *,		allow
-`
-
-var defaultModel = `
-[request_definition]
-r = sub,	res,	act
-
-[policy_definition]
-p = sub,	res,	act,	eft
-
-[role_definition]
-g = _,	_
-
-[policy_effect]
-e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
-
-[matchers]
-m = g(r.sub,	p.sub) && keyMatch(r.res,	p.res) && keyMatch(r.act,	p.act)
-`
+//go:embed casbin_policy.csv
+var builtinPolicy string
+
+//go:embed casbin_model.conf
+var defaultModel string
 
 type Enforcer struct {
 	*casbin.Enforcer
@@ -137,6 +77,16 @@ func NewCasbinEnforcer(c CasbinConfig, logger *logger.Logger) (*Enforcer, error)
 		isPolicyExtended = true
 	}
 
+	// Because we provided built in group mappings we need to add them
+	// if extensions and rolemap are not provided
+	if c.RoleMap == nil && c.Extension == "" {
+		c.Csv = strings.Join([]string{
+			c.Csv,
+			"g, opentdf-admin, role:admin",
+			"g, opentdf-standard, role:standard",
+		}, "\n")
+	}
+
 	isDefaultAdapter := false
 	// If adapter is not provided, use the default string adapter
 	if c.Adapter == nil {

diff --git a/service/internal/auth/casbin_model.conf b/service/internal/auth/casbin_model.conf
@@ -0,0 +1,14 @@
+[request_definition]
+r = sub,	res,	act
+
+[policy_definition]
+p = sub,	res,	act,	eft
+
+[role_definition]
+g = _,	_
+
+[policy_effect]
+e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
+
+[matchers]
+m = g(r.sub,	p.sub) && keyMatch(r.res,	p.res) && keyMatch(r.act,	p.act)
diff --git a/service/internal/auth/casbin_policy.csv b/service/internal/auth/casbin_policy.csv
@@ -0,0 +1,44 @@
+## Roles (prefixed with role:)
+# admin - admin
+# standard - standard
+# unknown - unknown role or no role
+
+## Resources
+# Resources beginning with / are HTTP routes. Generally, this does not matter, but when HTTP routes don't map well
+# with the protos this may become important.
+
+## Actions
+# read - read the resource
+# write - write to the resource
+# delete - delete the resource
+# unsafe - unsafe actions
+
+# Role: Admin
+## gRPC and HTTP routes
+p,	role:admin,		*,					*,			allow
+
+## Role: Standard
+## gRPC routes
+p,	role:standard,		policy.*,																read,			allow
+p,	role:standard,		kasregistry.*,													read,			allow
+p,	role:standard,      kas.AccessService/Rewrap, 			           *,			allow
+p,  role:standard,      authorization.AuthorizationService/GetDecisions,        read, allow
+p,  role:standard,      authorization.AuthorizationService/GetDecisionsByToken, read, allow
+
+## HTTP routes
+p,	role:standard,		/attributes*,														read,			allow
+p,	role:standard,		/namespaces*,														read,			allow
+p,	role:standard,		/subject-mappings*,											read,			allow
+p,	role:standard,		/resource-mappings*,										read,			allow
+p,	role:standard,		/key-access-servers*,										read,			allow
+p,	role:standard,		/kas/v2/rewrap,													write,		allow
+p,  role:standard,      /v1/authorization,                                                              write,          allow
+p,  role:standard,      /v1/token/authorization,                                                        write,          allow
+
+# Public routes
+## gRPC routes
+## for ERS, right now we don't care about requester role, just that a valid jwt is provided when the OPA engine calls (enforced in the ERS itself, not casbin)
+p,	role:unknown,     kas.AccessService/Rewrap, 			                                  *,	  allow
+## HTTP routes
+## for ERS, right now we don't care about requester role, just that a valid jwt is provided when the OPA engine calls (enforced in the ERS itself, not casbin)
+p,	role:unknown,		  /kas/v2/rewrap,													  *,		allow