Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade to support Policy-Mapper 0.7 with revised IDQL format #53

Merged
merged 4 commits into from
Sep 15, 2024
Merged

Upgrade to support Policy-Mapper 0.7 with revised IDQL format #53

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
70fea7e
Issue #52 Update to 0.7 IDQL
independentid Sep 11, 2024
ff74f90
Issue #52 Update to 0.7 IDQL
independentid Sep 11, 2024
a9b3e68
Merge remote-tracking branch 'origin/0.7.0-dev' into 0.7.0-dev
independentid Sep 11, 2024
cf997dc
Issue #52 Revised go mod to final 0.7 policy-mapper and go1.23.1
independentid Sep 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 10 additions & 28 deletions ReadME.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -238,25 +238,17 @@ Example IDQL with Condition Statement:
```json
{
"meta": {
"version": "0.6",
"version": "0.7",
"date": "2021-08-01 21:32:44 UTC",
"description": "Test that allows jwt authenticated specific subject *and* has a role",
"policyId": "TestJwtRole"
},
"subject": {
"members" : ["user:BaSicBob"]
},
"subject": ["user:BaSicBob"],
"actions": [
{
"actionUri": "ietf:http:POST:/testpath*"
},
{
"actionUri": "ietf:http:GET:/testpath*"
}
"http:POST:/testpath*",
"http:GET:/testpath*"
],
"object": {
"resource_id": "CanaryProfileService"
},
"object": "CanaryProfileService",
"condition": {
"rule": "subject.type eq jwt and subject.iss eq testIssuer and subject.aud co testAudience and subject.roles co abc",
"action": "allow"
Expand Down Expand Up @@ -308,7 +300,7 @@ For any value above, the Hexa Filter extension process these condition variables

## Writing IDQL Policy for the HexaOpa

In OPA Rego, IDQL policy is submitted in a JSON format as data input to OPA servers. The [hexaPolicy rego package](server/hexaFilter/test/bundle/hexaPolicyV2.rego) is then used
In OPA Rego, IDQL policy is submitted in a JSON format as data input to OPA servers. The [hexaPolicy rego package](https://raw.githubusercontent.com/hexa-org/policy-mapper/main/providers/openpolicyagent/resources/bundles/bundle/hexaPolicy.rego) is then used
to compare input (previous section) with IDQL data to determine if access is `allow`ed.

The following is a template for a typical IDQL policy. The values in brackets are described below:
Expand All @@ -320,31 +312,21 @@ The following is a template for a typical IDQL policy. The values in brackets ar
"description": "<descriptive text>",
"policyId": "<policyId>"
},
"subject": {
"members": [
"<type>:<member>"
]
},
"actions": [
{
"actionUri": "<actionUri>"
}
],
"subject": [ "<type>:<member>", ... ],
"actions": [ "<actionUri>", ... ],
"condition": {
"rule": "<idql-filter>",
"action": "<allow|deny>"
},
"object": {
"resource_id": "<app-resource-id>"
}
"object": "<app-resource-id>"
}
```

IDQL field values, format and how to use:

| Field | Format | Use | Description |
|-----------------|------------------------------------------------------------------------------|--------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| idql_version | n.n (currently 0.6.9) | Informational | Typically reflects the current IDQL version from [hexa-org/policy-mapper](https://github.com/hexa-org/policy-mapper). |
| idql_version | n.n (currently 0.7) | Informational | Typically reflects the current IDQL version from [hexa-org/policy-mapper](https://github.com/hexa-org/policy-mapper). |
| policyId | string | Required - OPA returns policy ids in `allowSet` | Used to identify which IDQL policy was matched in rego |
| type:member | multi-value string | Matches input subjects | Types: `any`, `anyAuthenticated`, `user:`username/sub, `domain:`domain suffix, `role:`role name, `net:`cidr |
| | | | `any` means any user or anonymous subject<br/>`anyAuthenticated` means any authenticated subject<br/>`user` matches `input.subject.sub` (e.g. `[email protected]`)<br/>`domain` matches the suffix of `input.subject.sub` (e.g. `@hexa.org`)<br/>`role` matches `input.subject.roles` (e.g. `admin`)<br/>`net` matches a [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) with `input.req.ip` (e.g. `198.51.100.14/24`) |
Expand Down
86 changes: 33 additions & 53 deletions cmd/hexaAuthZen/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,101 +73,81 @@ The following IDQL policies are used:
{
"meta": {
"policyId": "GetUsers",
"version": "0.6",
"version": "0.7",
"description": "Get information (e.g. email, picture) associated with a user"
},
"subject": {
"members": ["anyAuthenticated"]
},
"subjects": [
"anyAuthenticated"
],
"actions": [
{
"actionUri": "can_read_user"
}
"can_read_user"
],
"object": {
"resource_id": "todo"
}
"object": "todo"
},
{
"meta": {
"policyId": "GetTodos",
"version": "0.6",

"version": "0.7",
"description": "Get the list of todos. Always returns true for every user??"
},
"subject": {
"members": ["anyAuthenticated"]
},
"subjects": [
"anyAuthenticated"
],
"actions": [
{
"actionUri": "can_read_todos"
}
"can_read_todos"
],
"object": {
"resource_id": "todo"
}
"object": "todo"
},
{
"meta": {
"version": "0.6",
"version": "0.7",
"description": "Create a new Todo",
"policyId": "PostTodo"
},
"subject": {
"members": ["role:admin","role:editor"]
},
"subjects": [
"role:admin",
"role:editor"
],
"actions": [
{
"actionUri": "can_create_todo"
}
"can_create_todo"
],
"object": {
"resource_id": "todo"
}
"object": "todo"
},
{
"meta": {
"version": "0.6",
"version": "0.7",
"description": "Edit(complete) a todo.",
"policyId": "PutTodo"
},
"subject": {
"members": ["anyAuthenticated"]
},
"subjects": [
"anyAuthenticated"
],
"actions": [
{
"actionUri": "can_update_todo"
}
"can_update_todo"
],
"condition": {
"rule": "subject.roles co evil_genius or (subject.roles co editor and resource.ownerID eq subject.claims.id)",
"rule": "subject.roles co evil_genius or resource.ownerID eq subject.claims.email",
"action": "allow"
},
"object": {
"resource_id": "todo"
}
"object": "todo"
},
{
"meta": {
"version": "0.6",
"version": "0.7",
"description": "Delete a todo if admin or owner of todo",
"policyId": "DeleteTodo"
},
"subject": {
"members": ["anyAuthenticated"]
},
"subjects": [
"anyAuthenticated"
],
"actions": [
{
"actionUri": "can_delete_todo"
}
"can_delete_todo"
],
"condition": {
"rule": "subject.roles co admin or (subject.roles co editor and resource.ownerID eq subject.claims.id)",
"rule": "subject.roles co admin or resource.ownerID eq subject.claims.email",
"action": "allow"
},
"object": {
"resource_id": "todo"
}
"object": "todo"
}
]
}
Expand Down
82 changes: 31 additions & 51 deletions cmd/hexaAuthZen/resources/data.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,101 +3,81 @@
{
"meta": {
"policyId": "GetUsers",
"version": "0.6",
"version": "0.7",
"description": "Get information (e.g. email, picture) associated with a user"
},
"subject": {
"members": ["anyAuthenticated"]
},
"subjects": [
"anyAuthenticated"
],
"actions": [
{
"actionUri": "can_read_user"
}
"can_read_user"
],
"object": {
"resource_id": "todo"
}
"object": "todo"
},
{
"meta": {
"policyId": "GetTodos",
"version": "0.6",

"version": "0.7",
"description": "Get the list of todos. Always returns true for every user??"
},
"subject": {
"members": ["anyAuthenticated"]
},
"subjects": [
"anyAuthenticated"
],
"actions": [
{
"actionUri": "can_read_todos"
}
"can_read_todos"
],
"object": {
"resource_id": "todo"
}
"object": "todo"
},
{
"meta": {
"version": "0.6",
"version": "0.7",
"description": "Create a new Todo",
"policyId": "PostTodo"
},
"subject": {
"members": ["role:admin","role:editor"]
},
"subjects": [
"role:admin",
"role:editor"
],
"actions": [
{
"actionUri": "can_create_todo"
}
"can_create_todo"
],
"object": {
"resource_id": "todo"
}
"object": "todo"
},
{
"meta": {
"version": "0.6",
"version": "0.7",
"description": "Edit(complete) a todo.",
"policyId": "PutTodo"
},
"subject": {
"members": ["anyAuthenticated"]
},
"subjects": [
"anyAuthenticated"
],
"actions": [
{
"actionUri": "can_update_todo"
}
"can_update_todo"
],
"condition": {
"rule": "subject.roles co evil_genius or resource.ownerID eq subject.claims.email",
"action": "allow"
},
"object": {
"resource_id": "todo"
}
"object": "todo"
},
{
"meta": {
"version": "0.6",
"version": "0.7",
"description": "Delete a todo if admin or owner of todo",
"policyId": "DeleteTodo"
},
"subject": {
"members": ["anyAuthenticated"]
},
"subjects": [
"anyAuthenticated"
],
"actions": [
{
"actionUri": "can_delete_todo"
}
"can_delete_todo"
],
"condition": {
"rule": "subject.roles co admin or resource.ownerID eq subject.claims.email",
"action": "allow"
},
"object": {
"resource_id": "todo"
}
"object": "todo"
}
]
}
Loading