Enable OAuth2 authentication

.github/workflows/on_release.yml

@@ -2,15 +2,7 @@ name: Build and publish to Docker Hub
 on:
   release:
     # job will automatically run after a new "release" is create on github.
-    types: [created]
-
-  # Allows you to run this workflow manually from the Actions tab
-  workflow_dispatch:
-    inputs:
-        dry_run:
-          description: 'If true, will not push the built images to docker hub.'
-          required: false
-          default: 'false'
+    types: [published]
 
 jobs:
   # this job will build, test and (potentially) push the docker images to docker hub
@@ -29,6 +21,12 @@ jobs:
   # - Pushes images (built at BUILD PHASE) to docker hub.
   docker_build_and_publish:
     runs-on: ubuntu-latest
+    env:
+      github_token: ${{ secrets.TOKEN_GITHUB }}
+    permissions:
+      id-token: write
+      contents: write           # 'write' access to repository contents
+      pull-requests: write      # 'write' access to pull requests
     steps:
       # BUILD PHASE
       - name: Checkout
@@ -43,25 +41,19 @@ jobs:
         uses: docker/setup-buildx-action@v2
 
       - name: Login to DockerHub
-        if: ${{ !(github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true') }}
         uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Get version tag from github release
-        if: github.event_name == 'release' && github.event.action == 'created'
-        run: |
-          echo "opal_version_tag=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
-
-      - name: Get version tag from git history
-        if: ${{ !(github.event_name == 'release' && github.event.action == 'created') }}
+      - name: Docker Compose install
         run: |
-          echo "opal_version_tag=$(git describe --tags --abbrev=0)" >> $GITHUB_ENV
+          curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+          chmod +x /usr/local/bin/docker-compose
 
       - name: Echo version tag
         run: |
-          echo "The version tag that will be published to docker hub is: ${{ env.opal_version_tag }}"
+          echo "The version tag that will be published to docker hub is: ${{ github.event.release.tag_name }}"
 
       - name: Build client for testing
         id: build_client
@@ -76,19 +68,6 @@ jobs:
           tags: |
             permitio/opal-client:test
 
-      - name: Build client-standalone for testing
-        id: build_client_standalone
-        uses: docker/build-push-action@v4
-        with:
-          file: docker/Dockerfile
-          push: false
-          target: client-standalone
-          cache-from: type=registry,ref=permitio/opal-client-standalone:latest
-          cache-to: type=inline
-          load: true
-          tags: |
-            permitio/opal-client-standalone:test
-
       - name: Build server for testing
         id: build_server
         uses: docker/build-push-action@v4
@@ -122,7 +101,6 @@ jobs:
       # pushes the *same* docker images that were previously tested as part of e2e sanity test.
       # each image is pushed with the versioned tag first, if it succeeds the image is pushed with the latest tag as well.
       - name: Build & Push client
-        if: ${{ !(github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true') }}
         id: build_push_client
         uses: docker/build-push-action@v4
         with:
@@ -134,10 +112,9 @@ jobs:
           cache-to: type=inline
           tags: |
             permitio/opal-client:latest
-            permitio/opal-client:${{ env.opal_version_tag }}
+            permitio/opal-client:${{ github.event.release.tag_name }}
 
       - name: Build client-standalone
-        if: ${{ !(github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true') }}
         id: build_push_client_standalone
         uses: docker/build-push-action@v4
         with:
@@ -149,10 +126,9 @@ jobs:
           cache-to: type=inline
           tags: |
             permitio/opal-client-standalone:latest
-            permitio/opal-client-standalone:${{ env.opal_version_tag }}
+            permitio/opal-client-standalone:${{ github.event.release.tag_name }}
 
       - name: Build server
-        if: ${{ !(github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true') }}
         id: build_push_server
         uses: docker/build-push-action@v4
         with:
@@ -164,4 +140,92 @@ jobs:
           cache-to: type=inline
           tags: |
             permitio/opal-server:latest
-            permitio/opal-server:${{ env.opal_version_tag }}
+            permitio/opal-server:${{ github.event.release.tag_name }}
+
+      - name: Build & Push client cedar
+        id: build_push_client_cedar
+        uses: docker/build-push-action@v4
+        with:
+          file: docker/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          target: client-cedar
+          cache-from: type=registry,ref=permitio/opal-client-cedar:latest
+          cache-to: type=inline
+          tags: |
+            permitio/opal-client-cedar:latest
+            permitio/opal-client-cedar:${{ github.event.release.tag_name }}
+
+      - name: Python setup
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11.8'
+
+      # This is the root file representing the package for all the sub-packages.
+      - name: Bump version - packaging__.py
+        run: |
+          version_tag=${{ github.event.release.tag_name }}
+          version_tag=${version_tag#v} # Remove the leading 'v'
+          version_tuple=$(echo $version_tag | sed 's/\./, /g')
+          sed -i "s/VERSION = (.*/VERSION = (${version_tuple})/" packages/__packaging__.py
+          cat packages/__packaging__.py
+
+      - name: Cleanup setup.py and Build every sub-packages
+        run: |
+          pip install wheel
+          cd packages/opal-common/ ; rm -rf *.egg-info build/ dist/
+          python setup.py sdist bdist_wheel
+          cd ../..
+          cd packages/opal-client/ ; rm -rf *.egg-info build/ dist/
+          python setup.py sdist bdist_wheel
+          cd ../..
+          cd packages/opal-server/ ; rm -rf *.egg-info build/ dist/
+          python setup.py sdist bdist_wheel
+          cd ../..
+
+      # Upload package distributions to the release - All assets in one step
+      - name: Upload assets to release
+        uses: shogo82148/[email protected]
+        with:
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: |
+            packages/opal-common/dist/*
+            packages/opal-client/dist/*
+            packages/opal-server/dist/*
+
+      # Publish package distributions to PyPI
+      - name: Publish package distributions to PyPI - Opal-Common
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          password: ${{ secrets.PYPI_TOKEN }}
+          packages-dir: packages/opal-common/dist/
+          # For Test only !
+          # password: ${{ secrets.TEST_PYPI_TOKEN }}
+          # repository-url: https://test.pypi.org/legacy/
+        env:
+          name: pypi
+          url: https://pypi.org/p/opal-common/
+
+      - name: Publish package distributions to PyPI - Opal-Client
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          password: ${{ secrets.PYPI_TOKEN }}
+          packages-dir: packages/opal-client/dist/
+          # For Test only !
+          # password: ${{ secrets.TEST_PYPI_TOKEN }}
+          # repository-url: https://test.pypi.org/legacy/
+        env:
+          name: pypi
+          url: https://pypi.org/p/opal-client/
+
+      - name: Publish package distributions to PyPI - Opal-Server
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          password: ${{ secrets.PYPI_TOKEN }}
+          packages-dir: packages/opal-server/dist/
+          # For Test only !
+          # password: ${{ secrets.TEST_PYPI_TOKEN }}
+          # repository-url: https://test.pypi.org/legacy/
+        env:
+          name: pypi
+          url: https://pypi.org/p/opal-server/

.github/workflows/sync_opal_plus.yml

@@ -0,0 +1,65 @@
+name: Sync branch to OPAL Plus
+
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+
+jobs:
+  sync:
+    name: Sync branch to OPAL Plus
+    if: github.repository == 'permitio/opal'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Git configuration
+        run: |
+          git config --global user.name 'github-actions[bot]'
+          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+
+      - name: Get Token
+        id: get_workflow_token
+        uses: peter-murray/workflow-application-token-action@v1
+        with:
+          application_id: ${{ secrets.APPLICATION_ID }}
+          application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
+
+      - name: Checkout permitio/opal repository
+        uses: actions/checkout@v4
+        with:
+          repository: permitio/opal
+          ref: ${{ github.ref_name }}
+          path: opal
+          fetch-depth: 0
+
+      - name: Checkout permitio/opal-plus repository
+        uses: actions/checkout@v4
+        with:
+          repository: permitio/opal-plus
+          path: opal-plus
+          token: ${{ steps.get_workflow_token.outputs.token }}
+
+      - name: Create public-${{ github.ref_name }} branch in opal repository
+        working-directory: opal
+        run: |
+          git checkout -b public-${{ github.ref_name }}
+
+      - name: Rebase opal-plus/public-${{ github.ref_name }} onto opal/${{ github.ref_name }}
+        working-directory: opal-plus
+        run: |
+          git remote add opal ../opal
+          git fetch opal
+          git checkout public-${{ github.ref_name }}
+          git rebase opal/${{ github.ref_name }}
+
+      - name: Push changes to opal-plus/public-${{ github.ref_name }} branch
+        working-directory: opal-plus
+        run: |
+          git push origin public-${{ github.ref_name }}
+
+      - name: Create Pull Request for opal-plus
+        working-directory: opal-plus
+        run: |
+          gh pr create --repo permitio/opal-plus --assignee "$GITHUB_ACTOR" --reviewer "$GITHUB_ACTOR" --base master --head public-${{ github.ref_name }} --title "Sync changes from public OPAL repository" --body "This PR synchronizes changes from the public OPAL repository to the private OPAL Plus repository."
+        env:
+          GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}

.github/workflows/tests.yml

@@ -66,6 +66,11 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
 
+      - name: Docker Compose install
+        run: |
+          curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+          chmod +x /usr/local/bin/docker-compose
+
       - name: Build client
         id: build_client
         uses: docker/build-push-action@v2
@@ -105,7 +110,8 @@ jobs:
       - name: Output container logs
         run: docker-compose -f docker/docker-compose-test.yml logs
 
-      - name: check if opal-client was brought up
+      - name: check if opal-client was brought up successfully
         run: |
           docker-compose -f docker/docker-compose-test.yml logs opal_client | grep "Connected to PubSub server"
           docker-compose -f docker/docker-compose-test.yml logs opal_client | grep "Got policy bundle"
+          docker-compose -f docker/docker-compose-test.yml logs opal_client | grep 'PUT /v1/data/static -> 204'

docker/Dockerfile

@@ -1,7 +1,7 @@
 # BUILD STAGE ---------------------------------------
 # split this stage to save time and reduce image size
 # ---------------------------------------------------
-FROM python:3.10-bookworm as BuildStage
+FROM python:3.10-bookworm AS build-stage
 # from now on, work in the /app directory
 WORKDIR /app/
 # Layer dependency install (for caching)
@@ -15,19 +15,17 @@ RUN pip install --no-cache-dir --upgrade pip && pip install --no-cache-dir -r ./
 # CEDAR AGENT BUILD STAGE ---------------------------
 # split this stage to save time and reduce image size
 # ---------------------------------------------------
-FROM rust:1.69.0 as cedar-builder
-COPY cedar-agent /tmp/cedar-agent/
-ARG cargo_flags="-r"
-RUN cd /tmp/cedar-agent && \
-	cargo build ${cargo_flags} && \
-	cp /tmp/cedar-agent/target/*/cedar-agent /
+FROM rust:1.79 AS cedar-builder
+COPY ./cedar-agent /tmp/cedar-agent
+WORKDIR /tmp/cedar-agent
+RUN CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse cargo build --release
 
 # COMMON IMAGE --------------------------------------
 # ---------------------------------------------------
-FROM python:3.10-slim-bookworm as common
+FROM python:3.10-slim-bookworm AS common
 
-# copy libraries from build stage (This won't copy redundant libraries we used in BuildStage)
-COPY --from=BuildStage /usr/local /usr/local
+# copy libraries from build stage (This won't copy redundant libraries we used in build-stage)
+COPY --from=build-stage /usr/local /usr/local
 
 # Add non-root user (with home dir at /opal)
 RUN useradd -m -b / -s /bin/bash opal
@@ -61,7 +59,7 @@ CMD ["./start.sh"]
 
 # STANDALONE IMAGE ----------------------------------
 # ---------------------------------------------------
-FROM common as client-standalone
+FROM common AS client-standalone
 # uvicorn config ------------------------------------
 # install the opal-client package
 RUN cd ./packages/opal-client && python setup.py install
@@ -88,7 +86,7 @@ VOLUME /opal/backup
 
 # IMAGE to extract OPA from official image ----------
 # ---------------------------------------------------
-FROM alpine:latest as opa-extractor
+FROM alpine:latest AS opa-extractor
 USER root
 
 RUN apk update && apk add skopeo tar
@@ -106,7 +104,7 @@ RUN skopeo copy "docker://${opa_image}:${opa_tag}" docker-archive:./image.tar &&
 # OPA CLIENT IMAGE ----------------------------------
 # Using standalone image as base --------------------
 # ---------------------------------------------------
-FROM client-standalone as client
+FROM client-standalone AS client
 
 # Temporarily move back to root for additional setup
 USER root
@@ -123,13 +121,13 @@ USER opal
 # CEDAR CLIENT IMAGE --------------------------------
 # Using standalone image as base --------------------
 # ---------------------------------------------------
-FROM client-standalone as client-cedar
+FROM client-standalone AS client-cedar
 
 # Temporarily move back to root for additional setup
 USER root
 
 # Copy cedar from its build stage
-COPY --from=cedar-builder /cedar-agent /bin/cedar-agent
+COPY --from=cedar-builder /tmp/cedar-agent/target/*/cedar-agent /bin/cedar-agent
 
 # enable inline Cedar agent
 ENV OPAL_POLICY_STORE_TYPE=CEDAR
@@ -142,9 +140,10 @@ USER opal
 
 # SERVER IMAGE --------------------------------------
 # ---------------------------------------------------
-FROM common as server
+FROM common AS server
 
 RUN apt-get update && apt-get install -y openssh-client git && apt-get clean
+RUN git config --global core.symlinks false # Mitigate CVE-2024-32002
 
 USER opal