refactor(jans-cedarling): make all tokens optional when calling Cedarling::authorize #10436

Merged
merged 46 commits into from
Dec 24, 2024
Changes from 21 commits
Commits
46 commits
cdcb32d
refactor(jans-cedarling): make process_tokens params optional
rmarinn Dec 12, 2024
c1821f1
feat(jans-cedarling): implement processing single tokens
rmarinn Dec 14, 2024
0a9c4bc
refactor(jans-cedarling): replace jwt validation implementation
rmarinn Dec 14, 2024
7cacde6
feat(jans-cedarling): make tokens optional when calling authorize
rmarinn Dec 14, 2024
9e44ddd
refactor(jans-cedarling): make creation of workload entity optional
rmarinn Dec 15, 2024
e7e8fea
fix(jans-cedarling): user and role entity creation
rmarinn Dec 15, 2024
3b9d727
refactor(jans-cedarling): make creation of user entity optional
rmarinn Dec 15, 2024
9b5eeba
refactor(jans-cedarling): use if-else instead of match for bool
rmarinn Dec 15, 2024
c26ce92
refactor(jans-cedarling): improve functionality for decoded JWTs
rmarinn Dec 15, 2024
3d03121
chore(jans-cedarling): removed unused functions for TrustedIssuer
rmarinn Dec 17, 2024
03fbe87
refactor(jans-cedarling): improve create_workload_entity func impleme…
rmarinn Dec 17, 2024
d547371
refactor(jans-cedarling): improve create_user_entity func implementation
rmarinn Dec 17, 2024
d37fd2b
chore(jans-cedarling): resolve clippy issues
rmarinn Dec 17, 2024
1a26b7a
refactor(jans-cedarling): error check when loading bootstrap config
rmarinn Dec 17, 2024
7b3769f
Merge branch 'main' into jans-cedarling-10409
rmarinn Dec 17, 2024
94c740b
refactor(jans-cedarling): add new fields to TokenEntityMetadata
rmarinn Dec 17, 2024
eda65f3
refactor(jans-cedarling): remove some cloning when logging authz
rmarinn Dec 17, 2024
9b2e667
test(jans-cedarling): add unit tests for entity creation
rmarinn Dec 17, 2024
0ac1105
refactor(jans-cedarling): improve error handling for entity creation
rmarinn Dec 17, 2024
5ccf4ec
Merge branch 'main' into jans-cedarling-10408
rmarinn Dec 17, 2024
aa9c071
test(jans-cedarling): update python tests expected error
rmarinn Dec 17, 2024
33bdfbf
feat(jans-cedarling): make tokens optional in the python binding
rmarinn Dec 18, 2024
e170008
chore(jans-cedarling): change error message to start with a lowercase…
rmarinn Dec 18, 2024
2051f1c
chore(jans-cedarling): flattened `use` statements for readability
rmarinn Dec 18, 2024
9bbf437
chore(jans-cedarling): remove unused JwtProcessingError variant
rmarinn Dec 18, 2024
4a16d27
refactor(jans-cedarling): simplify iterator creation
rmarinn Dec 18, 2024
818bda4
refactor(jans-cedarling): make workload entity creation optional
rmarinn Dec 18, 2024
8a7ea74
refactor(jans-cedarling): make user entity creation optional
rmarinn Dec 18, 2024
12b5386
chore(jans-cedarling): remove outdated comment
rmarinn Dec 18, 2024
18ed767
refactor(jans-cedarling): convert Token into a struct from an enum
rmarinn Dec 19, 2024
d947320
refactor(jans-cedarling): unify token entity creation logic
rmarinn Dec 19, 2024
a38f03f
refactor(jans-cedarling): eliminate access_token from user entity cre…
rmarinn Dec 19, 2024
6dd4ecc
fix(jans-cedarling): field name conflict for serializing/deserializing
rmarinn Dec 19, 2024
3301ad9
chore(jans-cedarling): remove unused commented code
rmarinn Dec 19, 2024
ddd9c27
refactor(jans-cedarling): token priority when creating userinfo entity
rmarinn Dec 19, 2024
ca4d1eb
Merge branch 'main' into jans-cedarling-10408
rmarinn Dec 20, 2024
028b73c
chore(jans-cedarling): resolve clippy issues
rmarinn Dec 20, 2024
17fd13e
test(jans-cedarling): update expected error in python bindings test
rmarinn Dec 20, 2024
ac7f80c
refactor(jans-cedarling): implement rename for logging info fields
rmarinn Dec 21, 2024
36525fa
chore(jans-cedarling): run cargo fmt and add missing license headers
rmarinn Dec 21, 2024
05440f9
chore(jans-cedarling): rename the Vec of role from `role` to `roles`
rmarinn Dec 21, 2024
87b399f
chore(jans-cedarling): remove unused function
rmarinn Dec 21, 2024
220b39a
refactor(jans-cedarling): rename UserAuthorizeInfo fields
rmarinn Dec 21, 2024
f0030ab
chore(jans-cedarling): run cargo fmt
rmarinn Dec 21, 2024
a4cbbda
chore(jans-cedarling): refactor to avoid unnecessary cloning
olehbozhok Dec 23, 2024
588198d
Merge branch 'main' into jans-cedarling-10408
rmarinn Dec 24, 2024
8 changes: 3 additions & 5 deletions docs/cedarling/cedarling-policy-store.md
Original file line number Diff line number Diff line change
Expand Up @@ -178,18 +178,16 @@ This record contains the information needed to validate tokens from this issuer:
- **description** : (*String*) A brief description of the trusted issuer, providing context for administrators.
- **openid_configuration_endpoint** : (*String*) The HTTPS URL for the OpenID Connect configuration endpoint (usually found at `/.well-known/openid-configuration`).
- **identity_source** : (*Object*, *optional*) Metadata related to the tokens issued by this issuer.

**Notes**:

- The `access_tokens`, `id_tokens`, `userinfo_tokens`, and `tx_tokens` fields will follow the [Token Metadata Schema](#token-metadata-schema).
- The `access_tokens` will contain a `trusted` and `principal_identifier` field in addition to the fields from the `Token Metadata Schema`.
- **`access_tokens`, `id_tokens`, `userinfo_tokens`, and `tx_tokens`**: See: [Token Metadata Schema](#token-metadata-schema).

### Token Metadata Schema

The Token Entity Metadata Schema defines how tokens are mapped, parsed, and transformed within Cedarling. It allows you to specify how to extract user IDs, roles, and other claims from a token using customizable parsers.

```json
{
"trusted": bool,
"principal_identifier": "str",
"user_id": "<field name in token (e.g., 'email', 'sub', 'uid', etc.) or '' if not used>",
"role_mapping": "<field for role assignment (e.g., 'role', 'memberOf', etc.) or '' if not used>",
"claim_mapping": {
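Review bot: the schema block drops `trusted` and `principal_identifier`, and the Notes bullet is collapsed to a bare pointer at the Token Metadata Schema, but nothing in the hunk tells an operator what happens to an existing policy store that still sets those two keys (silently ignored, or rejected when the store is loaded). Add one sentence to the Notes stating which of the two it is, and where token trust is now configured, so existing deployments can be migrated without guessing.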
Original file line number Diff line number Diff line change
Expand Up @@ -94,14 +94,14 @@ create_exception!(

create_exception!(
authorize_errors,
CreateRequestWorkloadEntityError,
WorkloadRequestValidationError,
AuthorizeError,
"Error encountered while creating cedar_policy::Request for workload entity principal"
);

create_exception!(
authorize_errors,
CreateRequestUserEntityError,
UserRequestValidationError,
AuthorizeError,
"Error encountered while creating cedar_policy::Request for user entity principal"
);
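Review bot: renaming `CreateRequestWorkloadEntityError`/`CreateRequestUserEntityError` to `WorkloadRequestValidationError`/`UserRequestValidationError` is a breaking change for Python callers that catch the old names, and the docstrings still read `Error encountered while creating cedar_policy::Request for workload entity principal`, which no longer matches the "validation" naming. Update both docstrings to describe what is now validated and call the rename out in the release notes (or keep the old names as aliases for one release).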
Expand Down Expand Up @@ -175,8 +175,8 @@ errors_functions! {
RoleEntity => RoleEntityError,
Action => ActionError,
CreateContext => CreateContextError,
CreateRequestWorkloadEntity => CreateRequestWorkloadEntityError,
CreateRequestUserEntity => CreateRequestUserEntityError,
WorkloadRequestValidation => WorkloadRequestValidationError,
UserRequestValidation => UserRequestValidationError,
BuildContext => AddEntitiesIntoContextError,
Entities => EntitiesError,
EntitiesToJson => EntitiesToJsonError
Original file line number Diff line number Diff line change
Expand Up @@ -81,9 +81,9 @@ impl Request {
})?;

Ok(cedarling::Request {
access_token: self.access_token.clone(),
id_token: self.id_token.clone(),
userinfo_token: self.userinfo_token.clone(),
access_token: Some(self.access_token.clone()),
Contributor
Do you assume that using python binding we always have all tokens?

Contributor Author
fixed in 33bdfbf

id_token: Some(self.id_token.clone()),
userinfo_token: Some(self.userinfo_token.clone()),
action: self.action.clone(),
resource: self.resource.clone().into(),
context,
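Review bot: wrapping every field in `Some(...)` means the Python `Request` can never express an absent token even though `cedarling::Request` now takes `Option` values, so the binding would still require all three tokens; the thread above records this as fixed in 33bdfbf, and the shape to land on is `Option<String>` fields passed through unchanged (`access_token: self.access_token.clone()`) so a missing token reaches the core as `None` rather than being impossible to send.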
Original file line number Diff line number Diff line change
Expand Up @@ -189,7 +189,7 @@ def test_resource_entity_error():
try:
raise_authorize_error(load_bootstrap_config())
except authorize_errors.ResourceEntityError as e:
assert str(e) == "could not create resource entity: could not get attribute value from payload: could not convert json field with key: org_id to: String, got: number"
assert str(e) == "could not create resource entity: could not get attribute value from payload: Type mismatch for key 'org_id': expected: 'String', but found: 'number'"


def test_authorize_error():
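Review bot: the new expected message mixes the lowercase prefix `could not create resource entity: ...` with the capitalized inner text `Type mismatch for key 'org_id': expected: 'String', but found: 'number'`; commit e170008 in this PR lowercases error messages, so the inner message should follow the same convention, and the assertion would be less brittle if it checked the exception type plus a stable substring such as `'org_id'` instead of the full chained string.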
Expand All @@ -201,4 +201,4 @@ def test_authorize_error():
try:
raise_authorize_error(load_bootstrap_config())
except authorize_errors.AuthorizeError as e:
assert str(e) == "could not create resource entity: could not get attribute value from payload: could not convert json field with key: org_id to: String, got: number"
assert str(e) == "could not create resource entity: could not get attribute value from payload: Type mismatch for key 'org_id': expected: 'String', but found: 'number'"
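Review bot: this assertion repeats the full string from `test_resource_entity_error` above, so any further message change has to be edited in two places; pull the expected message into one module-level constant, or have this test only check that a `ResourceEntityError` is caught as an `AuthorizeError` (which is what it actually exercises) without asserting on the message at all.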
Original file line number Diff line number Diff line change
Expand Up @@ -62,9 +62,9 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
// on a specific resource. Each token (access, ID, and userinfo) is required for the
// authorization process, alongside resource and action details.
let result = cedarling.authorize(Request {
access_token,
id_token,
userinfo_token,
access_token: Some(access_token),
id_token: Some(id_token),
userinfo_token: Some(userinfo_token),
action: "Jans::Action::\"Update\"".to_string(),
context: serde_json::json!({}),
resource: ResourceData {
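Review bot: the comment directly above the call, `Each token (access, ID, and userinfo) is required for the authorization process`, is now wrong: the fields are `Option` and the point of this PR is to make them optional. Reword it to say the tokens are optional and that, per the commits making workload and user entity creation optional, omitting a token limits which principal entities can be built.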
Original file line number Diff line number Diff line change
Expand Up @@ -113,9 +113,9 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
let userinfo_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FkbWluLXVpLXRlc3QuZ2x1dS5vcmciLCJzdWIiOiJib0c4ZGZjNU1LVG4zN283Z3NkQ2V5cUw4THBXUXRnb080MW0xS1p3ZHEwIiwiY2xpZW50X2lkIjoiNWI0NDg3YzQtOGRiMS00MDlkLWE2NTMtZjkwN2I4MDk0MDM5IiwiYXVkIjoiNWI0NDg3YzQtOGRiMS00MDlkLWE2NTMtZjkwN2I4MDk0MDM5IiwidXNlcm5hbWUiOiJhZG1pbkBnbHV1Lm9yZyIsIm5hbWUiOiJEZWZhdWx0IEFkbWluIFVzZXIiLCJlbWFpbCI6ImFkbWluQGdsdXUub3JnIiwiY291bnRyeSI6IlVTIiwianRpIjoidXNyaW5mb190a25fanRpIn0.NoR53vPZFpfb4vFk85JH9RPx7CHsaJMZwrH3fnB-N60".to_string();

let result = cedarling.authorize(Request {
access_token,
id_token,
userinfo_token,
access_token: Some(access_token),
id_token: Some(id_token),
userinfo_token: Some(userinfo_token),
action: "Jans::Action::\"Update\"".to_string(),
context: serde_json::json!({}),
resource: ResourceData {
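Review bot: this example still passes all three tokens as `Some(...)`, so it does not exercise the feature the PR introduces; add a second call in the example (or a sibling example) with one token set to `None`, e.g. `userinfo_token: None`, so readers see what `authorize` returns when a token is missing.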