feat: support for OIDC providers in identitySource (#173)
Adding support for OIDC providers in IdentitySource Construct

---------

Signed-off-by: github-actions <[email protected]>
Co-authored-by: github-actions <[email protected]>
reste85 and github-actions authored Jul 15, 2024
1 parent a15afb5 commit e0ebfda
Showing 9 changed files with 1,375 additions and 71 deletions.
2 changes: 1 addition & 1 deletion .projen/deps.json

Some generated files are not rendered by default.

2 changes: 1 addition & 1 deletion .projenrc.ts
@@ -4,7 +4,7 @@ const project = new CdklabsConstructLibrary({
authorAddress: '[email protected]',
description: 'L2 AWS CDK Constructs for Amazon Verified Permissions',
keywords: ['cdk', 'aws-cdk', 'awscdk', 'aws', 'verified-permissions', 'authorization', 'verifiedpermissions'],
cdkVersion: '2.139.0',
cdkVersion: '2.148.0',
defaultReleaseBranch: 'main',
devDeps: ['cdklabs-projen-project-types'],
bundledDeps: ['@cedar-policy/[email protected]'],
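Review bot: the `cdkVersion` bump from `'2.139.0'` to `'2.148.0'` is the only change in this file and the commit message does not say why it is needed; if it is what brings in the OIDC support that the new `openIdConnectConfiguration` README examples rely on, state that in the commit body so the minimum CDK version is not lowered again by a later cleanup.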
343 changes: 323 additions & 20 deletions API.md

Large diffs are not rendered by default.

111 changes: 108 additions & 3 deletions README.md
@@ -61,7 +61,7 @@ const policyStore = new PolicyStore(scope, "PolicyStore", {

## Schemas

If you want to have type safety when defining a schema, you can accomplish this in typescript. Simply use the `Schema` type exported by the `@cedar-policy/cedar-wasm`.
If you want to have type safety when defining a schema, you can accomplish this **<ins>only</ins>** in typescript. Simply use the `Schema` type exported by the `@cedar-policy/cedar-wasm`.

You can also generate a simple schema from a swagger file using the static function `schemaFromOpenApiSpec` in the PolicyStore construct. This functionality replicates what you can find in the AWS Verified Permissions console.
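Review bot: the new emphasis `**<ins>only</ins>**` mixes a raw HTML tag into markdown bold for no gain; plain `**only**` (or `_only_`) gives the same emphasis without depending on the renderer allowing inline HTML. While touching this sentence, it still ends with a dangling article: "exported by the `@cedar-policy/cedar-wasm`." should read "exported by the `@cedar-policy/cedar-wasm` package."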

@@ -85,7 +85,7 @@ const policyStore = new PolicyStore(scope, "PolicyStore", {

## Identity Source

Define Identity Source with required properties:
Define Identity Source with Cognito Configuration and required properties:

```ts
const userPool = new UserPool(scope, "UserPool"); // Creating a new Cognito UserPool
@@ -125,7 +125,7 @@ new IdentitySource(scope, "IdentitySource", {
});
```

Define Identity Source with all the properties:
Define Identity Source with Cognito Configuration and all properties:

```ts
const validationSettingsStrict = {
@@ -171,6 +171,111 @@ new IdentitySource(scope, "IdentitySource", {
});
```

Define Identity Source with OIDC Configuration and Access Token selection config:
```ts
const validationSettingsStrict = {
mode: ValidationSettingsMode.STRICT,
};
const cedarJsonSchema = {
PhotoApp: {
entityTypes: {
User: {},
Photo: {},
},
actions: {
viewPhoto: {
appliesTo: {
principalTypes: ["User"],
resourceTypes: ["Photo"],
},
},
},
},
};
const cedarSchema = {
cedarJson: JSON.stringify(cedarJsonSchema),
};
const policyStore = new PolicyStore(scope, "PolicyStore", {
schema: cedarSchema,
validationSettings: validationSettingsStrict,
});
const issuer = 'https://iamanidp.com';
const principalIdClaim = 'sub';
const entityIdPrefix = 'prefix';
const groupClaim = 'group';
const groupEntityType = 'GroupType';
new IdentitySource(scope, 'IdentitySource', {
configuration: {
openIdConnectConfiguration: {
issuer: issuer,
entityIdPrefix: entityIdPrefix,
groupConfiguration: {
groupClaim: groupClaim,
groupEntityType: groupEntityType,
},
accessTokenOnly: {
audiences: ['testAudience'],
principalIdClaim: principalIdClaim,
},
},
},
policyStore: policyStore,
principalEntityType: 'TestType',
});
```

Define Identity Source with OIDC Configuration and Identity Token selection config:
```ts
const validationSettingsStrict = {
mode: ValidationSettingsMode.STRICT,
};
const cedarJsonSchema = {
PhotoApp: {
entityTypes: {
User: {},
Photo: {},
},
actions: {
viewPhoto: {
appliesTo: {
principalTypes: ["User"],
resourceTypes: ["Photo"],
},
},
},
},
};
const cedarSchema = {
cedarJson: JSON.stringify(cedarJsonSchema),
};
const policyStore = new PolicyStore(scope, "PolicyStore", {
schema: cedarSchema,
validationSettings: validationSettingsStrict,
});
const issuer = 'https://iamanidp.com';
const entityIdPrefix = 'prefix';
const groupClaim = 'group';
const groupEntityType = 'UserGroup';
const principalIdClaim = 'sub';
new IdentitySource(scope, 'IdentitySource', {
configuration: {
openIdConnectConfiguration: {
issuer: issuer,
entityIdPrefix: entityIdPrefix,
groupConfiguration: {
groupClaim: groupClaim,
groupEntityType: groupEntityType,
},
identityTokenOnly: {
clientIds: [],
principalIdClaim: principalIdClaim,
},
},
},
policyStore: policyStore,
});
```

## Policy

Load all the `.cedar` files in a given folder and define Policy objects for each of them. All policies will be associated with the same policy store.
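Review bot: in the Identity Token example, `identityTokenOnly` is shown with `clientIds: []`, so the README never demonstrates the ID token's `aud` being bound to the application's client IDs, whereas the Access Token example does restrict `audiences: ['testAudience']`; use a placeholder such as `clientIds: ['testClientId']` so readers who copy the block see the client-ID restriction in place. Second, the `cedarJsonSchema` in both examples declares only `User` and `Photo` under `PhotoApp`, yet the identity sources reference `principalEntityType: 'TestType'`, `groupEntityType: 'GroupType'` and `groupEntityType: 'UserGroup'`, none of which appear in that schema, and `principalEntityType` is set in the first example but omitted from the second without a word on whether it is optional; aligning the examples with the declared schema (for instance `PhotoApp::User` as the principal type and a `UserGroup` entity type added to `entityTypes`) would make them copy-pasteable under `ValidationSettingsMode.STRICT`. Finally, the schema and `PolicyStore` setup is repeated verbatim in both new blocks, and the two new "Define Identity Source with OIDC Configuration ..." headings lack the blank line before the ```ts fence that the Cognito sections above have.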
4 changes: 2 additions & 2 deletions package.json

Some generated files are not rendered by default.


0 comments on commit e0ebfda
