fix: auth policy to set backward compatible group to role mapppings (#…

…106)
opentdf · Dec 6, 2024 · 172b0ec · 172b0ec
1 parent 6793219
commit 172b0ec
Show file tree

Hide file tree

Showing 6 changed files with 411 additions and 433 deletions.
diff --git a/.github/workflows/chart-releaser.yaml b/.github/workflows/chart-releaser.yaml
@@ -51,7 +51,7 @@ jobs:
           skip_upload: true
 
       - name: Generate Index
-        run: helm repo index charts --url https://opentdf.github.io/charts/ --merge index.yaml 
+        run: cr index -o ${{github.repository_owner}} -r ${{ github.event.repository.name }} -t ${{steps.app-token.outputs.token}} -i ./index.yaml 
 
       - name: Upload Index
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea

diff --git a/.github/workflows/gh-pages.yaml b/.github/workflows/gh-pages.yaml
diff --git a/.release-please-config.json b/.release-please-config.json
@@ -7,10 +7,10 @@
             "bump-minor-pre-major": true,
             "separate-pull-requests": true,
             "include-component-in-tag": true,
-            "include-v-in-tag": true
+            "include-v-in-tag": false
         }
     },
     "release-search-depth": 100,
     "commit-search-depth": 100,
     "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json"
-}
+}
diff --git a/charts/platform/README.md b/charts/platform/README.md
@@ -1,6 +1,6 @@
 # platform
 
-![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.32](https://img.shields.io/badge/AppVersion-v0.4.32-informational?style=flat-square)
+![Version: 0.8.2](https://img.shields.io/badge/Version-0.8.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.32](https://img.shields.io/badge/AppVersion-v0.4.32-informational?style=flat-square)
 
 A Helm Chart for OpenTDF Platform
 
@@ -133,7 +133,7 @@ Download the [keycloak_data.yaml](https://raw.githubusercontent.com/opentdf/plat
 | db.required | bool | `true` | If database connection info is required for the service (default: true) |
 | db.sslmode | string | `"prefer"` | The database ssl mode ( disable, prefer, require, verify-ca, verify-full ) |
 | db.user | string | `"opentdf"` | The database user |
-| envFrom | list | `[]` | Environment variables from a configmap or secret  |
+| envFrom | list | `[]` | Environment variables from a configmap or secret |
 | extraEnv | list | `[]` | Extra environment variables to add to the container |
 | fullnameOverride | string | `""` | Overrides the generated fullname |
 | hostAliases | list | `[]` | Host Alias entries to add to pods |
@@ -201,10 +201,11 @@ Download the [keycloak_data.yaml](https://raw.githubusercontent.com/opentdf/plat
 | server.auth.audience | string | `"http://localhost:8080"` | Audience of provided by the identity provider |
 | server.auth.dpopskew | string | `"1h"` | The amount of drift allowed between the server and the client for the DPoP Proof Token |
 | server.auth.issuer | string | `"http://platform-keycloak/realms/opentdf"` | Identity provider issuer |
-| server.auth.policy.claim | string | `nil` |  |
 | server.auth.policy.csv | string | `nil` |  |
-| server.auth.policy.default | string | `nil` |  |
-| server.auth.policy.map | string | `nil` |  |
+| server.auth.policy.extension | string | `"g, opentdf-admin, role:admin\ng, opentdf-standard, role:standard\n"` |  |
+| server.auth.policy.groups_claim | string | `nil` |  |
+| server.auth.policy.model | string | `nil` |  |
+| server.auth.policy.username_claim | string | `nil` |  |
 | server.auth.public_client_id | string | `"opentdf-public"` | The oidc client id, leveraged by otdfctl |
 | server.auth.skew | string | `"1m"` | The amount of drift allowed between the server and the client for the Access Token |
 | server.cors.allowcredentials | bool | `true` | Allow credentials |
@@ -233,7 +234,7 @@ Download the [keycloak_data.yaml](https://raw.githubusercontent.com/opentdf/plat
 | services.entityresolution.clientid | string | `nil` | Client Id for Entity Resolver |
 | services.entityresolution.clientsecret | string | `nil` | Client Secret for Entity Resolver |
 | services.entityresolution.realm | string | `nil` | Entity Resolver Realm |
-| services.entityresolution.subgroups | bool | `false` | Subgroups  |
+| services.entityresolution.subgroups | bool | `false` | Subgroups |
 | services.entityresolution.url | string | `nil` | Identity Provider Entity Resolver |
 | services.extraServices | object | `{}` | Additional services |
 | services.kas.config | object | `{"keyring":[{"alg":"ec:secp256r1","kid":"e1"},{"alg":"rsa:2048","kid":"r1"}]}` | KAS service Configuration as yaml |

diff --git a/charts/platform/values.yaml b/charts/platform/values.yaml
@@ -37,7 +37,8 @@ podAnnotations: {}
 podLabels: {}
 
 # -- Host Alias entries to add to pods
-hostAliases: []
+hostAliases:
+  []
   # - ip: 10.0.0.1
   #   hostnames:
   #     - sharepoint.foo.lab
@@ -56,7 +57,7 @@ podSecurityContext:
 securityContext:
   capabilities:
     drop:
-    - ALL
+      - ALL
   # readOnlyRootFilesystem: true
   runAsNonRoot: true
   allowPrivilegeEscalation: false
@@ -163,7 +164,7 @@ extraEnv: []
 #       name: mysecret
 #       key: mykey
 
-# -- Environment variables from a configmap or secret 
+# -- Environment variables from a configmap or secret
 envFrom: []
 # - configMapRef:
 #     name: configmap
@@ -207,10 +208,11 @@ server:
     # -- Enable CORS (default: false)
     enabled: false
     # -- The allowed origins
-    allowedorigins: []
+    allowedorigins:
+      []
       # - "*"
     # -- The allowed request methods
-    allowedmethods: 
+    allowedmethods:
       - "GET"
       - "POST"
       - "PUT"
@@ -255,25 +257,36 @@ server:
     # -- Identity provider issuer
     issuer: http://platform-keycloak/realms/opentdf
     # -- The oidc client id, leveraged by otdfctl
-    public_client_id: 'opentdf-public'
+    public_client_id: "opentdf-public"
     policy:
-      ## -- Default policy for all requests
-      default: #  "role:readonly"
-      ## -- Dot notation is used to access nested claims (i.e. realm_access.roles)
-      claim: #  realm_access.roles
-      ## -- Maps the external role to the opentdf role
-      ## Note: left side is used in the policy, right side is the external role
-      map:
-      #  readonly: opentdf-readonly
-      #  admin: opentdf-admin
-      #  org-admin: opentdf-org-admin
-
-      ## -- Custom policy (see examples https://github.com/casbin/casbin/tree/master/examples)
-      csv: #  |
-      #  p, role:org-admin, policy:attributes, *, *, allow
-      #  p, role:org-admin, policy:subject-mappings, *, *, allow
-      #  p, role:org-admin, policy:resource-mappings, *, *, allow
-      #  p, role:org-admin, policy:kas-registry, *, *, allow
+      ## Dot notation is used to access nested claims (i.e. realm_access.roles)
+      # Claim that represents the user (i.e. email)
+      username_claim: # preferred_username
+      # That claim to access groups (i.e. realm_access.roles)
+      groups_claim: # realm_access.roles
+      ## Extends the builtin policy
+      extension: |
+        g, opentdf-admin, role:admin
+        g, opentdf-standard, role:standard
+      ## Custom policy that overrides builtin policy (see examples https://github.com/casbin/casbin/tree/master/examples)
+      csv: # |
+      #  p, role:admin, *, *, allow
+      ## Custom model (see https://casbin.org/docs/syntax-for-models/)
+      model: # |
+      #  [request_definition]
+      #  r = sub, res, act, obj
+      #
+      #  [policy_definition]
+      #  p = sub, res, act, obj, eft
+      #
+      #  [role_definition]
+      #  g = _, _
+      #
+      #  [policy_effect]
+      #  e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
+      #
+      #  [matchers]
+      #  m = g(r.sub, p.sub) && globOrRegexMatch(r.res, p.res) && globOrRegexMatch(r.act, p.act) && globOrRegexMatch(r.obj, p.obj)
     # -- The amount of drift allowed between the server and the client for the DPoP Proof Token
     dpopskew: 1h
     # -- The amount of drift allowed between the server and the client for the Access Token
@@ -316,12 +329,12 @@ services:
     # -- Identity Provider Entity Resolver
     url:
     # -- Client Id for Entity Resolver
-    clientid: 
+    clientid:
     # -- Client Secret for Entity Resolver
     clientsecret:
     # -- Entity Resolver Realm
-    realm: 
-    # -- Subgroups 
+    realm:
+    # -- Subgroups
     subgroups: false
 
   kas:
@@ -336,7 +349,8 @@ services:
     # -- KAS secret containing keys
     # kas-private.pem , kas-cert.pem , kas-ec-private.pem , kas-ec-cert.pem
     privateKeysSecret: kas-private-keys
-  authorization: {}
+  authorization:
+    {}
     # -- Overide embedded rego policy
     # rego:
     #   path: /etc/platform/entitlements.rego
@@ -369,8 +383,8 @@ postgresql:
 
 keycloak:
   extraEnvVars:
-  - name: KC_FEATURES
-    value: "preview,token-exchange"
+    - name: KC_FEATURES
+      value: "preview,token-exchange"
   tls:
     enabled: true
     autoGenerated: true