This repository has been archived by the owner on Oct 14, 2024. It is now read-only.

Add IAM policies #497

Closed
wants to merge 23 commits into from

Conversation

@ramizpolic ramizpolic (Member) commented Jul 25, 2023

Description

Addresses openclarity/openclarity#726

All changes summarised in https://github.com/openclarity/vmclarity/tree/feature/rbac/pkg/apiserver/iam#readme

High level architecture

https://github.com/openclarity/vmclarity/tree/feature/rbac/pkg/apiserver/iam/testdata/architecture.png

Server-side stack

  • Authenticator - Interacts with IDP to authenticate request and obtain user identity data. Part of API middleware.
  • RoleSyncer - Interacts with some kind of store (e.g. a database or a JWT token claim) to fetch and sync user role data. Used in API middleware.
  • Authorizer - Decides if a User can perform a given action on an asset based on provided rules.
    Separate component that is used to check user-action permissions.
    Used in API middleware for API asset-action (e.g. api:put) authorization.

Test environment

Requires Docker to run. This will create a Zitadel instance with bootstrapped data which you can use
out-of-the-box to enable IAM for VMClarity.

# Create Zitadel
cd pkg/apiserver/iam/testdata/zitadel
chmod +x ./create-zitadel
RECREATE=true ./create-zitadel

# Get autogenerated file and obtain VMClarity config data.
# Update if required.
cat bootstrap/generated/vmclarity-data.env

Config parameters

# IAM global config
IAM_ENABLED=true

# Authentication config
AUTH_OIDC_ISSUER=http://localhost:8080
AUTH_OIDC_CLIENT_ID=app_client_id
AUTH_OIDC_CLIENT_SECRET=app_client_secret

# RoleSynchronization config
ROLESYNCER_JWT_ROLE_CLAIM=roles-claim-key

# Authorization config
AUTHZ_LOCAL_RBAC_RULE_FILEPATH=path-to/rbac_rule_policy_example.csv

# Injection - Client service account
APISERVER_TOKEN=Service Account PAM

TODO (next iterations)

  • Add Zitadel component into VMClarity stack. Use Zitadel bootstrapping without using Terraform.
  • Add support for injecting auth data into different parts of request (e.g. cookies).
  • Handle HTTP response codes properly (currently only 403 is returned on Auth/Z failure).
  • Add Authorizer that uses database as Role permission source. Also add bootstrapping for the Role and Rule data.
  • Add RoleSyncer that uses database as User Role source to avoid using non-intuitive JWT Claim Role Source.
  • Add support for different IAM components (Authenticator and RoleSyncer) to avoid relying only on Zitadel.
  • Add support to dynamically add/remove (CRUD) multiple Authenticators in IAM stack.
  • Add tests

More resources

Type of Change

[ ] Bug Fix
[x] New Feature
[x] Breaking Change
[ ] Refactor
[ ] Documentation
[ ] Other (please describe)

Checklist

  • I have read the contributing guidelines
  • Existing issues have been referenced (where applicable)
  • I have verified this change is not present in other open pull requests
  • Functionality is documented
  • All code style checks pass
  • New code contribution is covered by automated tests
  • All new and existing tests pass
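The three-stage middleware described above (Authenticator, RoleSyncer, Authorizer), written out as a runnable Go example. This is added illustration, not code from the PR or from the vmclarity repository; it assumes a bearer-token lookup table as a stand-in for the OIDC/Zitadel authenticator, a role claim named `roles-claim-key` as in the config example, a `role,asset,action` column layout for the local RBAC rule CSV, an `api:<method>` action naming scheme, and the constructed tokens, identities and rules embedded in `Demo`.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type Identity map[string]any // verified token claims, the Authenticator stage's output

type Authenticator interface{ Authenticate(r *http.Request) (Identity, error) }  // stage 1: talks to the IDP
type RoleSyncer interface{ Roles(id Identity) ([]string, error) }                  // stage 2: role source
type Authorizer interface{ CanAccess(roles []string, asset, action string) bool } // stage 3: rule check

// tokenAuthenticator is a constructed stand-in for the OIDC/Zitadel lookup: it maps bearer tokens (assumed already verified by the IDP) to identities.
type tokenAuthenticator struct{ tokens map[string]Identity }
func (a tokenAuthenticator) Authenticate(r *http.Request) (Identity, error) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	if id, ok := a.tokens[tok]; ok && tok != "" {
		return id, nil
	}
	return nil, fmt.Errorf("missing or unknown bearer token")
}

// jwtClaimRoleSyncer reads roles from the claim named by ROLESYNCER_JWT_ROLE_CLAIM.
type jwtClaimRoleSyncer struct{ claimKey string }
func (s jwtClaimRoleSyncer) Roles(id Identity) ([]string, error) {
	roles, ok := id[s.claimKey].([]string) // real JWT decoders yield []any; convert before this point
	if !ok {
		return nil, fmt.Errorf("claim %q missing or not a list of roles", s.claimKey)
	}
	return roles, nil
}

// csvAuthorizer holds "role,asset,action" rules, like the local RBAC rule file named by AUTHZ_LOCAL_RBAC_RULE_FILEPATH (the column layout is an assumption).
type csvAuthorizer struct{ allow map[[3]string]bool }
func NewCSVAuthorizer(rules string) (*csvAuthorizer, error) {
	rd := csv.NewReader(strings.NewReader(rules))
	rd.Comment, rd.FieldsPerRecord = '#', 3 // '#' lines are comments; a malformed rule is an error, not a silent skip
	recs, err := rd.ReadAll()
	if err != nil {
		return nil, err
	}
	a := &csvAuthorizer{allow: map[[3]string]bool{}}
	for _, rec := range recs {
		a.allow[[3]string{rec[0], rec[1], rec[2]}] = true
	}
	return a, nil
}

// CanAccess is deny-by-default: some role must hold an exact or "*" action rule for the asset.
func (a *csvAuthorizer) CanAccess(roles []string, asset, action string) bool {
	for _, role := range roles {
		if a.allow[[3]string{role, asset, action}] || a.allow[[3]string{role, asset, "*"}] {
			return true
		}
	}
	return false
}

// IAMMiddleware chains the three stages in front of an API handler for one asset.
func IAMMiddleware(auth Authenticator, sync RoleSyncer, authz Authorizer, asset string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, err := auth.Authenticate(r)
		if err != nil {
			http.Error(w, "forbidden", http.StatusForbidden) // every failure is 403 for now, as the PR's TODO list notes
			return
		}
		action := "api:" + strings.ToLower(r.Method) // e.g. api:put, the asset-action form used in the PR text
		if roles, err := sync.Roles(id); err != nil || !authz.CanAccess(roles, asset, action) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Demo wires constructed tokens and rules together and returns the status code for one bearer token and HTTP method.
func Demo(token, method string) int {
	auth := tokenAuthenticator{tokens: map[string]Identity{ // constructed sample identities
		"tok-admin":  {"roles-claim-key": []string{"admin"}},
		"tok-viewer": {"roles-claim-key": []string{"viewer"}},
	}}
	authz, err := NewCSVAuthorizer("# role,asset,action\nadmin,scans,*\nviewer,scans,api:get\n") // constructed rule file
	if err != nil {
		panic(err)
	}
	next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	h := IAMMiddleware(auth, jwtClaimRoleSyncer{claimKey: "roles-claim-key"}, authz, "scans", next)
	req := httptest.NewRequest(method, "/api/scans", nil)
	req.Header.Set("Authorization", "Bearer "+token) // an empty token is rejected as missing
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(Demo("tok-admin", "PUT"), Demo("tok-viewer", "GET"), Demo("tok-viewer", "PUT"), Demo("", "GET"))
}
```

Running `main` prints `200 200 403 403`: the admin's wildcard rule covers `api:put`, the viewer is limited to `api:get`, and a missing token is refused. The interfaces are the point of the layout: swapping the token table for a real OIDC introspection call, or the CSV authorizer for the database-backed one listed under the TODO items, leaves the middleware untouched, and the authorizer stays deny-by-default for any role or asset with no matching rule.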

@ramizpolic ramizpolic requested a review from a team as a code owner July 25, 2023 16:57
@ramizpolic ramizpolic self-assigned this Jul 25, 2023
@ramizpolic ramizpolic marked this pull request as draft July 25, 2023 16:57
@ramizpolic ramizpolic force-pushed the feature/rbac branch 6 times, most recently from c5a1368 to 6428fb0 Compare July 26, 2023 15:30
@ramizpolic ramizpolic marked this pull request as ready for review July 26, 2023 15:32
@ramizpolic ramizpolic force-pushed the feature/rbac branch 3 times, most recently from 238448e to 393921b Compare July 28, 2023 16:13
Review thread on api/openapi.yaml (outdated, resolved)
@ramizpolic ramizpolic force-pushed the feature/rbac branch 3 times, most recently from c1e8640 to 04429d1 Compare July 28, 2023 17:30
@ramizpolic ramizpolic added enhancement New feature or request infrastructure Issues related to VMClarity control plane infrastructure labels Jul 28, 2023
Review threads (outdated, resolved) on:
  • api/openapi.yaml
  • pkg/backend/config/config.go (two threads)
  • pkg/backend/iam/provider/oidc.go
  • pkg/backend/iam/rolesyncer/jwt.go
  • pkg/backend/iam/testdata/architecture.drawio
  • pkg/backend/rest/server.go
@ramizpolic ramizpolic force-pushed the feature/rbac branch 4 times, most recently from 7906d2a to b760a7b Compare August 7, 2023 15:34
@ramizpolic ramizpolic force-pushed the feature/rbac branch 2 times, most recently from f2e2ec3 to 5ec0805 Compare August 8, 2023 08:42
@ramizpolic ramizpolic force-pushed the feature/rbac branch 3 times, most recently from 23b6f2c to 6f16279 Compare October 2, 2023 13:16
@ramizpolic ramizpolic closed this Dec 8, 2023
@ramizpolic ramizpolic removed this from the v0.7.0 milestone May 14, 2024

github-actions bot commented Aug 8, 2024

Hey there and thank you for opening this pull request! 👋🏼

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Details:

No release type found in pull request title "Add IAM policies". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/

Available types:
 - BREAKING
 - build
 - chore
 - ci
 - docs
 - feat
 - fix
 - perf
 - refactor
 - revert
 - style
 - test
 - release

@ramizpolic ramizpolic deleted the feature/rbac branch August 8, 2024 19:52
Labels
enhancement New feature or request epic infrastructure Issues related to VMClarity control plane infrastructure roadmap Items that are high-level, for making them visible on the roadmap.
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

Identity and access management
4 participants