Merge branch 'main' into remote-ers-connection

opentdf · Nov 20, 2024 · d394cd8 · d394cd8
2 parents 4aa15b0 + ec46a3a
commit d394cd8
Show file tree

Hide file tree

Showing 132 changed files with 5,686 additions and 3,045 deletions.
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
@@ -90,6 +90,8 @@ jobs:
   integration:
     name: integration tests
     runs-on: ubuntu-22.04
+    env:
+      TLS_ENABLED: "true"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
@@ -105,9 +107,18 @@ jobs:
         run: ./.github/scripts/work-init.sh
       - run: go mod download
       - run: go mod verify
+      - name: Install mkcert
+        run: |
+          sudo apt-get install -y libnss3-tools
+          curl -JLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64"
+          chmod +x mkcert-v*-linux-amd64
+          sudo cp mkcert-v*-linux-amd64 /usr/local/bin/mkcert
       - run: |
           .github/scripts/init-temp-keys.sh
+          mkcert -install
+          mkcert -cert-file ./keys/platform.crt -key-file ./keys/platform-key.pem localhost
           cp opentdf-dev.yaml opentdf.yaml
+          yq eval '.server.tls.enabled = true' -i opentdf.yaml
       - name: Added Trusted Certs
         run: |
           sudo chmod -R 777 ./keys

diff --git a/.release-please-manifest.json b/.release-please-manifest.json
@@ -1,8 +1,8 @@
 {
-  "lib/fixtures": "0.2.7",
-  "lib/ocrypto": "0.1.6",
-  "lib/flattening": "0.1.1",
-  "protocol/go": "0.2.20",
-  "sdk": "0.3.18",
-  "service": "0.4.26"
+  "lib/fixtures": "0.2.9",
+  "lib/ocrypto": "0.1.7",
+  "lib/flattening": "0.1.2",
+  "protocol/go": "0.2.22",
+  "sdk": "0.3.21",
+  "service": "0.4.29"
 }
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -8,7 +8,7 @@ services:
     - ./keys/localhost.key:/etc/x509/tls/localhost.key
     - ./keys/ca.jks:/truststore/truststore.jks
     # This is kc 24.0.1 with opentdf protocol mapper on board
-    image: cgr.dev/chainguard/keycloak@sha256:37895558d2e0e93ffff75da5900f9ae7e79ec6d1c390b18b2ecea6cee45ec26f
+    image: keycloak/keycloak:25.0
     restart: always
     command:
     - "start-dev"
@@ -32,6 +32,7 @@ services:
       KC_HTTP_ENABLED: "true"
       KC_HTTP_PORT: "8888"
       KC_HTTPS_PORT: "8443"
+      KC_HTTP_MANAGEMENT_PORT: "9001"
       KEYCLOAK_ADMIN: admin
       KEYCLOAK_ADMIN_PASSWORD: changeme
       #KC_HOSTNAME_URL: http://localhost:8888/auth
@@ -43,11 +44,29 @@ services:
       KC_HTTPS_CERTIFICATE_KEY_FILE: "/etc/x509/tls/localhost.key"
       KC_HTTPS_CLIENT_AUTH: "request"
     ports:
+      - "9001:9001"
       - "8888:8888"
       - "8443:8443"
     healthcheck:
-      test: ['CMD-SHELL', '[ -f /tmp/HealthCheck.java ] || echo "public class HealthCheck { public static void main(String[] args) throws java.lang.Throwable { System.exit(java.net.HttpURLConnection.HTTP_OK == ((java.net.HttpURLConnection)new java.net.URL(args[0]).openConnection()).getResponseCode() ? 0 : 1); } }" > /tmp/HealthCheck.java && java /tmp/HealthCheck.java http://localhost:8888/auth/health/live']
-      interval: 5s
+      test: 
+        - CMD-SHELL
+        - |
+          [ -f /tmp/HealthCheck.java ] || echo "public class HealthCheck { 
+            public static void main(String[] args) throws java.lang.Throwable { 
+              javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true); 
+              javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance(\"SSL\"); 
+              sc.init(null, new javax.net.ssl.TrustManager[]{ 
+                new javax.net.ssl.X509TrustManager() { 
+                  public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; } 
+                  public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {} 
+                  public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {} 
+                } 
+              }, new java.security.SecureRandom()); 
+              javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); 
+              java.net.HttpURLConnection conn = (java.net.HttpURLConnection)new java.net.URL(args[0]).openConnection(); 
+              System.exit(java.net.HttpURLConnection.HTTP_OK == conn.getResponseCode() ? 0 : 1); 
+            } 
+          }" > /tmp/HealthCheck.java && java /tmp/HealthCheck.java https://localhost:9001/auth/health/live      
       timeout: 10s
       retries: 3
       start_period: 2m

diff --git a/docs/configuration.md b/docs/configuration.md
@@ -221,6 +221,24 @@ services:
       query: data.opentdf.entitlements.attributes
 ```
 
+### Policy
+
+Root level key `policy`
+
+| Field                        | Description                                            | Default | Environment Variables                              |
+| ---------------------------- | ------------------------------------------------------ | ------- | -------------------------------------------------- |
+| `list_request_limit_default` | Policy List request limit default when not provided    | 1000    | OPENTDF_SERVICES_POLICY_LIST_REQUEST_LIMIT_DEFAULT |
+| `list_request_limit_max`     | Policy List request limit maximum enforced by services | 2500    | OPENTDF_SERVICES_POLICY_LIST_REQUEST_LIMIT_MAX     |
+
+Example:
+
+```yaml
+services:
+  policy:
+    list_request_limit_default: 1000
+    list_request_limit_max: 2500
+```
+
 ### Casbin Endpoint Authorization
 
 OpenTDF uses Casbin to manage authorization policies. This document provides an overview of how to configure and manage the default authorization policy in OpenTDF.
@@ -258,19 +276,10 @@ server:
       map:
         standard: opentdf-standard
         admin: opentdf-admin
-        org-admin: opentdf-org-admin
 
       ## Custom policy (see examples https://github.com/casbin/casbin/tree/master/examples)
       csv: |
-        p, role:org-admin, policy:attributes, *, *, allow
-        p, role:org-admin, policy:subject-mappings, *, *, allow
-        p, role:org-admin, policy:resource-mappings, *, *, allow
-        p, role:org-admin, policy:kas-registry, *, *, allow
-        p, role:org-admin, policy:unsafe, *, *, allow
-        p, role:admin, policy:attributes, read, allow
-        p, role:admin, policy:subject-mappings, read, allow
-        p, role:admin, policy:resource-mappings, read, allow
-        p, role:admin, policy:kas-registry, read, allow
+        p, role:admin, *, *, allow
         p, role:standard, policy:attributes, read, allow
         p, role:standard, policy:subject-mappings, read, allow
         p, role:standard, policy:resource-mappings, read, allow