chore: set raw claims if they exist in authz metadata #3125
Merged
GeorgeMac approved these changes on May 27, 2024:
Looks good 💪
erka reviewed on May 27, 2024:
cfg, err := s.configFor(req.Provider) | ||
if err != nil { | ||
rawClaims := make(map[string]interface{}) | ||
if err := responseToken.IDToken().Claims(&rawClaims); err != nil { |
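Review bot: `responseToken.IDToken().Claims(&rawClaims)` on the last line copies every claim in the ID token into the map that this PR stores under the authentication metadata for authz policies to read; make sure that call only happens after the token has been verified against the provider settings `cfg` returned by `configFor(req.Provider)` (signature, issuer, audience, expiry), since otherwise unverified claims become policy input. It is also worth a comment in the code that the full claim set, not only the role attribute, is carried in the authentication metadata, so readers know what ends up there.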
FYI, opa has built-in function io.jwt.decode which could decode the token @markphelps
Signed-off-by: Mark Phelps <[email protected]>
markphelps force-pushed the authz-raw-claims branch from 589e1cd to 2a6de8f on May 28, 2024 14:45
markphelps added a commit that referenced this pull request on May 28, 2024:
* 'authz' of https://github.com/flipt-io/flipt: chore: set raw claims if they exist in authz metadata (#3125)
kodiakhq bot added a commit that referenced this pull request on May 30, 2024:
* feat(wip): authz/rbac feat: impl authz middleware feat: impl authz middleware chore: fix panic and bad redux selector chore: fmt ui chore: refactor chore: fix build, change to single role, default role chore: fix build, change to single role, default role chore: rm unneeded files feat: configurable roles/policies chore: config schema and tests chore: mv back events to audit package chore: reset ui folder chore: revert ui back to main chore: policy schema, visibility of errors chore: add policy schema test chore: rebase on main Signed-off-by: Mark Phelps <[email protected]>
* chore: start adding role attribute path/jmes
* chore: mod tidy
* Authz OIDC tests (#3098)
* chore: fix tests, add role attribute path / role mapping to oidc server tests Signed-off-by: Mark Phelps <[email protected]>
* chore: authz middleware tests Signed-off-by: Mark Phelps <[email protected]>
* chore: fix audit tests Signed-off-by: Mark Phelps <[email protected]>
* chore: proto regen Signed-off-by: Mark Phelps <[email protected]>
* chore: try to fix marshal audit events behaviour Signed-off-by: Mark Phelps <[email protected]>
* chore: fix failing test Signed-off-by: Mark Phelps <[email protected]>
---------
Signed-off-by: Mark Phelps <[email protected]>
* chore: refactor request models to include scope Signed-off-by: Mark Phelps <[email protected]>
* chore: fix engine_test
* chore: make scope optional and use subject if not provided
* chore: fix executor_test Signed-off-by: Mark Phelps <[email protected]>
* chore: fix log sink test Signed-off-by: Mark Phelps <[email protected]>
* chore: consolidate some auth metadata to make creating policies simpler (#3106)
* refactor(server/authz): make policy and data external dependencies (#3108)
* refactor(server/authz): rename scope to resource Signed-off-by: George MacRorie <[email protected]>
* feat(config/authz): add policy and data source configuration Signed-off-by: George MacRorie <[email protected]>
* refactor(server/authz): make policy and data external dependencies Signed-off-by: George MacRorie <[email protected]>
* refactor(cmd/grpc): integrate new authz Engine changes Signed-off-by: George MacRorie <[email protected]>
* fix(server/authz): ensure error is captured in return Signed-off-by: George MacRorie <[email protected]>
* fix(config): allow policy and data sources to be empty Signed-off-by: George MacRorie <[email protected]>
* refactor(server/authz): support separate poll durations for policy and data Signed-off-by: George MacRorie <[email protected]>
* fix(config): validate non zero poll duration for authz sources Signed-off-by: George MacRorie <[email protected]>
* fix(cmd/grpc): calls to authz engine with changes to polling Signed-off-by: George MacRorie <[email protected]>
---------
Signed-off-by: George MacRorie <[email protected]>
* refactor(authz): pass entire request and authentication to IsAllowed (#3126) Signed-off-by: George MacRorie <[email protected]>
* chore: set raw claims if they exist in authz metadata (#3125)
* chore: go mod tidy Signed-off-by: Mark Phelps <[email protected]>
* chore: set raw claims if they exist in authz metadata Signed-off-by: Mark Phelps <[email protected]>
* chore: fix authn oidc server test Signed-off-by: Mark Phelps <[email protected]>
* chore: skip authz on auth public server Signed-off-by: Mark Phelps <[email protected]>
* chore: log for debugging Signed-off-by: Mark Phelps <[email protected]>
---------
Signed-off-by: Mark Phelps <[email protected]>
* fix: Authz fixes (#3132)
* chore: go mod tidy Signed-off-by: Mark Phelps <[email protected]>
* fix: authz endpoint skip for getauthself/deleteauthself Signed-off-by: Mark Phelps <[email protected]>
* chore: rm claims unmarshal for now
* chore: make authorization experimental Signed-off-by: Mark Phelps <[email protected]>
* chore: add request methods to auth requests Signed-off-by: Mark Phelps <[email protected]>
* chore: add schema
* chore: set package name to flipt.authz.v1
* chore: fix telemetry test Signed-off-by: Mark Phelps <[email protected]>
---------
Signed-off-by: Mark Phelps <[email protected]>
* chore: rename poll duration to poll interval Signed-off-by: Mark Phelps <[email protected]>
* chore: mod/work sync Signed-off-by: Mark Phelps <[email protected]>
* chore: fix config test Signed-off-by: Mark Phelps <[email protected]>
* chore: rm unused supports authz config; fmt cache config
---------
Signed-off-by: Mark Phelps <[email protected]>
Signed-off-by: George MacRorie <[email protected]>
Co-authored-by: George <[email protected]>
Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
- roleAttributePath in authz config
- "io.flipt.auth.claims" in authn.metadata field to the raw claims from the OIDC JWT to be used in authz policies if applicable
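The shape of the change described above, written out as an added, self-contained Go example rather than Flipt's own code: the decoded ID-token claims are serialised into the authentication metadata under the "io.flipt.auth.claims" key named in the PR, and a role is then read back from them by attribute path. Everything beyond the key name is an assumption for illustration: the metadata is modelled as a `map[string]string`, the claim set is a constructed sample rather than a real token, the claims dropped before storage (`nonce`, `at_hash`, `c_hash`) are a choice made here and not project policy, and `roleFromClaims` resolves a plain dotted path as a stand-in for the JMESPath-style roleAttributePath the commit messages mention.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ClaimsMetadataKey is the metadata key the PR description names for the raw
// claims; it is the only value here taken from the page.
const ClaimsMetadataKey = "io.flipt.auth.claims"

// droppedClaims are claims this example strips before storing the claim set:
// they are one-time token-binding values that no authz policy needs. The list
// is an assumption of this example, not the project's behaviour.
var droppedClaims = map[string]bool{"nonce": true, "at_hash": true, "c_hash": true}

// setRawClaims stores the decoded ID-token claims in metadata under
// ClaimsMetadataKey as a JSON string. The metadata type is assumed to be
// map[string]string. An empty claim set leaves the key absent so policies can
// distinguish "no claims" from "empty object".
func setRawClaims(metadata map[string]string, rawClaims map[string]interface{}) error {
	if len(rawClaims) == 0 {
		return nil
	}
	filtered := make(map[string]interface{}, len(rawClaims))
	for name, value := range rawClaims {
		if droppedClaims[name] {
			continue
		}
		filtered[name] = value
	}
	encoded, err := json.Marshal(filtered)
	if err != nil {
		return fmt.Errorf("encoding raw claims: %w", err)
	}
	metadata[ClaimsMetadataKey] = string(encoded)
	return nil
}

// roleFromClaims resolves a dotted attribute path (e.g. "realm_access.roles")
// inside the stored claims and returns the string values found there. It is a
// simplified stand-in for a JMESPath lookup, assumed for this example only.
// A missing key or missing path yields nil, nil; a value that is neither a
// string nor a list of strings is an error rather than a silent empty role.
func roleFromClaims(metadata map[string]string, attributePath string) ([]string, error) {
	stored, ok := metadata[ClaimsMetadataKey]
	if !ok {
		return nil, nil
	}
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(stored), &claims); err != nil {
		return nil, fmt.Errorf("decoding stored claims: %w", err)
	}
	var current interface{} = claims
	for _, segment := range strings.Split(attributePath, ".") {
		object, ok := current.(map[string]interface{})
		if !ok {
			return nil, nil
		}
		current, ok = object[segment]
		if !ok {
			return nil, nil
		}
	}
	switch value := current.(type) {
	case string:
		return []string{value}, nil
	case []interface{}:
		roles := make([]string, 0, len(value))
		for _, element := range value {
			if s, ok := element.(string); ok {
				roles = append(roles, s)
			}
		}
		return roles, nil
	default:
		return nil, fmt.Errorf("attribute %q is neither a string nor a list of strings", attributePath)
	}
}

func main() {
	// Constructed sample claim set standing in for a decoded OIDC ID token.
	claims := map[string]interface{}{
		"sub":          "user-123",
		"nonce":        "one-time-value",
		"realm_access": map[string]interface{}{"roles": []interface{}{"admin", "editor"}},
	}
	metadata := map[string]string{}
	if err := setRawClaims(metadata, claims); err != nil {
		panic(err)
	}
	roles, err := roleFromClaims(metadata, "realm_access.roles")
	fmt.Println(metadata[ClaimsMetadataKey], roles, err)
}
```

The dropped-claim filter is the part worth adapting: whatever lands under this key is visible to every policy that can read authentication metadata, so the stored set should be the claims policies actually consult rather than the whole token.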