fix(core): update casbin policy to allow authorization service (#1041)

This adds authorization service rpc to `org-admin` and `admin` role. It
also adds kas `rewrap` to the unknown role.

---------

Co-authored-by: Jake Van Vorhis <[email protected]>

Author: strantalis

service/internal/auth/authn.go

@@ -49,6 +49,7 @@ var (
 		// KAS Public Key Endpoints
 		"/kas.AccessService/PublicKey",
 		"/kas.AccessService/LegacyPublicKey",
+		"/kas.AccessService/Info",
 		"/kas/kas_public_key",
 		"/kas/v2/kas_public_key",
 		// HealthZ

service/internal/auth/authn_test.go

@@ -57,12 +57,7 @@ type FakeAccessServiceServer struct {
 	kas.UnimplementedAccessServiceServer
 }
 
-func (f *FakeAccessServiceServer) Info(ctx context.Context, _ *kas.InfoRequest) (*kas.InfoResponse, error) {
-	if md, ok := metadata.FromIncomingContext(ctx); ok {
-		f.accessToken = md.Get("authorization")
-		f.dpopKey = GetJWKFromContext(ctx)
-	}
-
+func (f *FakeAccessServiceServer) Info(context.Context, *kas.InfoRequest) (*kas.InfoResponse, error) {
 	return &kas.InfoResponse{}, nil
 }
 
@@ -74,7 +69,11 @@ func (f *FakeAccessServiceServer) LegacyPublicKey(context.Context, *kas.LegacyPu
 	return &wrapperspb.StringValue{}, nil
 }
 
-func (f *FakeAccessServiceServer) Rewrap(context.Context, *kas.RewrapRequest) (*kas.RewrapResponse, error) {
+func (f *FakeAccessServiceServer) Rewrap(ctx context.Context, _ *kas.RewrapRequest) (*kas.RewrapResponse, error) {
+	if md, ok := metadata.FromIncomingContext(ctx); ok {
+		f.accessToken = md.Get("authorization")
+		f.dpopKey = GetJWKFromContext(ctx)
+	}
 	return &kas.RewrapResponse{}, nil
 }
 
@@ -454,7 +453,7 @@ func (s *AuthSuite) TestDPoPEndToEnd_GRPC() {
 
 	client := kas.NewAccessServiceClient(conn)
 
-	_, err = client.Info(context.Background(), &kas.InfoRequest{})
+	_, err = client.Rewrap(context.Background(), &kas.RewrapRequest{})
 	s.Require().NoError(err)
 	s.NotNil(fakeServer.dpopKey)
 	dpopJWKFromRequest, ok := fakeServer.dpopKey.(jwk.RSAPublicKey)

service/internal/auth/casbin.go

@@ -45,35 +45,35 @@ var defaultPolicy = `
 ## gRPC routes
 p,	role:org-admin,		policy.*,																*,			allow
 p,	role:org-admin,		kasregistry.*,													*,			allow
-p,	role:org-admin,		kas.AccessService/Rewrap, 			            *,			allow
+p,	role:org-admin,		kas.AccessService/Rewrap, 			        *,			allow
+p,  role:org-admin,   authorization.*,                        *,      allow
 ## HTTP routes
 p,	role:org-admin,		/attributes*,														*,			allow
 p,	role:org-admin,		/namespaces*,														*,			allow
 p,	role:org-admin,		/subject-mappings*,											*,			allow
 p,	role:org-admin,		/resource-mappings*,										*,			allow
 p,	role:org-admin,		/key-access-servers*,										*,			allow
-p,	role:org-admin, 	/kas/v2/rewrap,						  		*,      allow
-p,	role:org-admin,		/unsafe*,										*,			allow
+p,	role:org-admin, 	/kas/v2/rewrap,						  		        *,      allow
+p,	role:org-admin,		/unsafe*,										            *,			allow
 
 # Role: Admin
 ## gRPC routes
-p,	role:admin,		policy.*,																		*,			allow
-p,	role:admin,		kasregistry.*,															*,			allow
-p,	role:admin,		kas.AccessService/Info,					            *,			allow
-p,	role:admin,		kas.AccessService/Rewrap, 			            *,			allow
+p,	role:admin,		    policy.*,																*,			allow
+p,	role:admin,		    kasregistry.*,													*,			allow
+p,	role:admin,		    kas.AccessService/Rewrap, 			        *,			allow
+p,  role:admin,   authorization.*,                        *,      allow
 ## HTTP routes
 p,	role:admin,		/attributes*,																*,			allow
 p,	role:admin,		/namespaces*,																*,			allow
 p,	role:admin,		/subject-mappings*,													*,			allow
 p,	role:admin,		/resource-mappings*,												*,			allow
 p,	role:admin,		/key-access-servers*,												*,			allow
-p,	role:admin,		/kas/v2/rewrap,						  				*,      allow
+p,	role:admin,		/kas/v2/rewrap,						  				        *,      allow
 
 ## Role: Standard
 ## gRPC routes
 p,	role:standard,		policy.*,																read,			allow
 p,	role:standard,		kasregistry.*,													read,			allow
-p,	role:standard,		kas.AccessService/Info,		 		             *,			allow
 p,	role:standard,    kas.AccessService/Rewrap, 			           *,			allow
 ## HTTP routes
 p,	role:standard,		/attributes*,														read,			allow
@@ -87,10 +87,13 @@ p,	role:standard,		/entityresolution/resolve,							write,  	allow
 # Public routes
 ## gRPC routes
 ## for ERS, right now we don't care about requester role, just that a valid jwt is provided when the OPA engine calls (enforced in the ERS itself, not casbin)
-p,	role:unknown,			entityresolution.EntityResolutionService.ResolveEntities,										write,		allow
+p,	role:unknown,			entityresolution.EntityResolutionService.ResolveEntities,					write,		allow
+p,	role:unknown,     kas.AccessService/Rewrap, 			                                  write,	  allow
 ## HTTP routes
 ## for ERS, right now we don't care about requester role, just that a valid jwt is provided when the OPA engine calls (enforced in the ERS itself, not casbin)
-p,	role:unknown,			/entityresolution/resolve,										write,		allow
+p,	role:unknown,			/entityresolution/resolve,							  write,		allow
+p,	role:unknown,		  /kas/v2/rewrap,													  write,		allow
+
 `
 
 var defaultModel = `

service/internal/auth/casbin_test.go

@@ -260,18 +260,6 @@ func (s *AuthnCasbinSuite) Test_Enforcement() {
 			resource: "non-existent",
 			action:   "read",
 		},
-		{
-			allowed:  true,
-			roles:    standard,
-			resource: "/kas/kas_public_key",
-			action:   "read",
-		},
-		{
-			allowed:  true,
-			roles:    standard,
-			resource: "/kas/v2/kas_public_key",
-			action:   "read",
-		},
 		{
 			allowed:  true,
 			roles:    standard,