feat(kas): authorization decisions (#431)

resolves #392 Authorization
service integrate Access PDP into GetDecisions
resolves #312 KAS using
Authorization Service
- Removes unused code from KAS
- Adds `client_id` to GetEntitlements endpoint
```
{
    "entities": [
        {
            "id": "0",
            "client_id": "opentdf"
        }
    ],
    "scope": {
        "attribute_value_fqns": [
        "https://brightonhealthclinic.org/attr/healthrecordtype/value/basicpatientinfo"
    ]}
}
```

---------

Co-authored-by: Dave Mihalcik <[email protected]>
Co-authored-by: Sean Trantalis <[email protected]>
Co-authored-by: Ryan Schumacher <[email protected]>
Co-authored-by: Jake Van Vorhis <[email protected]>
Co-authored-by: Elizabeth Healy <[email protected]>
Co-authored-by: Morgan Kleene <[email protected]>
Co-authored-by: Tim Tschampel <[email protected]>
Co-authored-by: Krish Suchak <[email protected]>
Co-authored-by: sujankota <[email protected]>

Author: 10 people

docs/grpc/index.html

@@ -46,7 +46,7 @@ func encrypt(cmd *cobra.Command, args []string) error {
 	defer tdfFile.Close()
 
 	tdf, err := client.CreateTDF(tdfFile, strReader,
-		//sdk.WithDataAttributes("https://example.com/attributes/1", "https://example.com/attributes/2"),
+		//sdk.WithDataAttributes("https://example.com/attr/attr1/value/value1"),
 		sdk.WithKasInformation(
 			sdk.KASInfo{
 				URL:       "http://localhost:8080",

docs/openapi/authorization/authorization.swagger.json

@@ -16,7 +16,6 @@ require (
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1
 	github.com/jackc/pgerrcode v0.0.0-20220416144525-469b46aa5efa
 	github.com/jackc/pgx/v5 v5.5.5
-	github.com/jarcoal/httpmock v1.3.1
 	github.com/lestrrat-go/jwx/v2 v2.0.21
 	github.com/miekg/pkcs11 v1.1.1
 	github.com/open-policy-agent/opa v0.62.1
@@ -29,7 +28,6 @@ require (
 	github.com/stretchr/testify v1.9.0
 	github.com/testcontainers/testcontainers-go v0.28.0
 	github.com/valyala/fasthttp v1.52.0
-	github.com/virtru/access-pdp v1.11.0
 	golang.org/x/exp v0.0.0-20240222234643-814bf88cf225
 	golang.org/x/oauth2 v0.18.0
 	google.golang.org/grpc v1.62.1
@@ -141,7 +139,6 @@ require (
 	go.opentelemetry.io/otel/sdk v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/mod v0.15.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.18.0 // indirect

examples/cmd/encrypt.go

@@ -190,8 +190,6 @@ github.com/jackc/pgx/v5 v5.5.5 h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=
 github.com/jackc/pgx/v5 v5.5.5/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
 github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
 github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
-github.com/jarcoal/httpmock v1.3.1 h1:iUx3whfZWVf3jT01hQTO/Eo5sAYtB2/rqaUuOtpInww=
-github.com/jarcoal/httpmock v1.3.1/go.mod h1:3yb8rc4BI7TCBhFY8ng0gjuLKJNquuDNiPaZjnENuYg=
 github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 h1:rp+c0RAYOWj8l6qbCUTSiRLG/iKnW3K3/QfPPuSsBt4=
 github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901/go.mod h1:Z86h9688Y0wesXCyonoVr47MasHilkuLMqGhRZ4Hpak=
 github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
@@ -232,8 +230,6 @@ github.com/marcboeker/go-duckdb v1.5.6 h1:5+hLUXRuKlqARcnW4jSsyhCwBRlu4FGjM0UTf2
 github.com/marcboeker/go-duckdb v1.5.6/go.mod h1:wm91jO2GNKa6iO9NTcjXIRsW+/ykPoJbQcHSXhdAl28=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/maxatome/go-testdeep v1.12.0 h1:Ql7Go8Tg0C1D/uMMX59LAoYK7LffeJQ6X2T04nTH68g=
-github.com/maxatome/go-testdeep v1.12.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
 github.com/mfridman/interpolate v0.0.2 h1:pnuTK7MQIxxFz1Gr+rjSIx9u7qVjf5VOoM/u6BbAxPY=
 github.com/mfridman/interpolate v0.0.2/go.mod h1:p+7uk6oE07mpE/Ik1b8EckO0O4ZXiGAfshKBWLUM9Xg=
 github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
@@ -363,8 +359,6 @@ github.com/valyala/fasthttp v1.52.0 h1:wqBQpxH71XW0e2g+Og4dzQM8pk34aFYlA1Ga8db7g
 github.com/valyala/fasthttp v1.52.0/go.mod h1:hf5C4QnVMkNXMspnsUlfM3WitlgYflyhHYoKol/szxQ=
 github.com/vertica/vertica-sql-go v1.3.3 h1:fL+FKEAEy5ONmsvya2WH5T8bhkvY27y/Ik3ReR2T+Qw=
 github.com/vertica/vertica-sql-go v1.3.3/go.mod h1:jnn2GFuv+O2Jcjktb7zyc4Utlbu9YVqpHH/lx63+1M4=
-github.com/virtru/access-pdp v1.11.0 h1:JmMUo5EExOg99TKNQ6AdwUDLdBwVvSpjxUVVJxJ0RR4=
-github.com/virtru/access-pdp v1.11.0/go.mod h1:7OkDvrJX9qtzZ8KYFv7uvbp3IuhJZBqjVaPcH+Irnc0=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
@@ -402,12 +396,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I=
 go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
-go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
-go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
-go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=

go.mod

@@ -13,8 +13,15 @@ func OpaInput(entity *authorization.Entity, sms map[string]*attributes.GetAttrib
 	inputUnstructured["attribute_mappings"] = sms
 	// Entity
 	ea := make(map[string]interface{})
-	ea["id"] = entity.Id
-	ea["email_address"] = entity.GetEmailAddress()
+	ea["id"] = entity.GetId()
+	switch entity.GetEntityType().(type) {
+	case *authorization.Entity_ClientId:
+		ea["client_id"] = entity.GetClientId()
+	case *authorization.Entity_EmailAddress:
+		ea["email_address"] = entity.GetEmailAddress()
+	case *authorization.Entity_Jwt:
+		ea["jwt"] = entity.GetJwt()
+	}
 	inputUnstructured["entity"] = ea
 
 	inputUnstructured["idp"] = config

go.sum

@@ -31,9 +31,9 @@ type KeyCloakConnector struct {
 
 func EntityResolution(ctx context.Context,
 	req *authorization.IdpPluginRequest, config *authorization.IdpConfig) (*authorization.IdpPluginResponse, error) {
-	slog.Info(fmt.Sprintf("req: %+v", req))
-	slog.Info(fmt.Sprintf("config: %+v", config))
-	jsonString, err := json.Marshal(config.Config.AsMap())
+	// note this only logs when run in test not when running in the OPE engine.
+	slog.DebugContext(ctx, "EntityResolution", "req", fmt.Sprintf("%+v", req), "config", fmt.Sprintf("%+v", config))
+	jsonString, err := json.Marshal(config.GetConfig().AsMap())
 	if err != nil {
 		slog.Error("Error marshalling keycloak config!", "error", err)
 		return nil, err
@@ -52,26 +52,55 @@ func EntityResolution(ctx context.Context,
 	payload := req.GetEntities()
 
 	var resolvedEntities []*authorization.IdpEntityRepresentation
-	slog.Debug("EntityResolution invoked with", "payload", payload)
+	slog.DebugContext(ctx, "EntityResolution invoked", "payload", payload)
 
-	for i, ident := range payload {
-		slog.Debug("Lookup", "entity", ident.GetEntityType())
+	for _, ident := range payload {
+		slog.DebugContext(ctx, "Lookup", "entity", ident.GetEntityType())
 		var keycloakEntities []*gocloak.User
 		var getUserParams gocloak.GetUsersParams
-
 		exactMatch := true
-		switch ident.EntityType.(type) {
+		switch ident.GetEntityType().(type) {
+		case *authorization.Entity_ClientId:
+			slog.DebugContext(ctx, "GetClient", "client_id", ident.GetClientId())
+			clientID := ident.GetClientId()
+			clients, err := connector.client.GetClients(ctx, connector.token.AccessToken, kcConfig.Realm, gocloak.GetClientsParams{
+				ClientID: &clientID,
+			})
+			if err != nil {
+				slog.Error(err.Error())
+				return &authorization.IdpPluginResponse{},
+					status.Error(codes.Internal, services.ErrGetRetrievalFailed)
+			}
+			var jsonEntities []*structpb.Struct
+			for _, client := range clients {
+				json, err := typeToGenericJSONMap(client)
+				if err != nil {
+					slog.Error("Error serializing entity representation!", "error", err)
+					return &authorization.IdpPluginResponse{},
+						status.Error(codes.Internal, services.ErrCreationFailed)
+				}
+				var mystruct, struct_err = structpb.NewStruct(json)
+				if struct_err != nil {
+					slog.Error("Error making struct!", "error", err)
+					return &authorization.IdpPluginResponse{},
+						status.Error(codes.Internal, services.ErrCreationFailed)
+				}
+				jsonEntities = append(jsonEntities, mystruct)
+			}
+			resolvedEntities = append(
+				resolvedEntities,
+				&authorization.IdpEntityRepresentation{
+					OriginalId:      ident.GetId(),
+					AdditionalProps: jsonEntities,
+				},
+			)
+			return &authorization.IdpPluginResponse{
+				EntityRepresentations: resolvedEntities,
+			}, nil
 		case *authorization.Entity_EmailAddress:
-			getUserParams = gocloak.GetUsersParams{Email: func() *string { t := payload[i].GetEmailAddress(); return &t }(), Exact: &exactMatch}
+			getUserParams = gocloak.GetUsersParams{Email: func() *string { t := ident.GetEmailAddress(); return &t }(), Exact: &exactMatch}
 		case *authorization.Entity_UserName:
-			getUserParams = gocloak.GetUsersParams{Username: func() *string { t := payload[i].GetUserName(); return &t }(), Exact: &exactMatch}
-		// case "":
-		// 	return &authorization.IdpPluginResponse{},
-		// 		status.Error(codes.InvalidArgument, services.ErrNotFound)
-		default:
-			typeErr := fmt.Errorf("Unsupported/unknown type for entity %s", ident.String())
-			return &authorization.IdpPluginResponse{},
-				status.Error(codes.InvalidArgument, typeErr.Error())
+			getUserParams = gocloak.GetUsersParams{Username: func() *string { t := ident.GetUserName(); return &t }(), Exact: &exactMatch}
 		}
 
 		users, err := connector.client.GetUsers(ctx, connector.token.AccessToken, kcConfig.Realm, getUserParams)
@@ -93,7 +122,7 @@ func EntityResolution(ctx context.Context,
 					ctx,
 					connector.token.AccessToken,
 					kcConfig.Realm,
-					gocloak.GetGroupsParams{Search: func() *string { t := payload[i].GetEmailAddress(); return &t }()},
+					gocloak.GetGroupsParams{Search: func() *string { t := ident.GetEmailAddress(); return &t }()},
 				)
 				if groupErr != nil {
 					slog.Error("Error getting group", "group", groupErr)
@@ -153,7 +182,7 @@ func EntityResolution(ctx context.Context,
 				OriginalId:      ident.GetId(),
 				AdditionalProps: jsonEntities},
 		)
-		slog.Debug("Entities", "resolved", fmt.Sprintf("%+v", resolvedEntities))
+		slog.DebugContext(ctx, "Entities", "resolved", fmt.Sprintf("%+v", resolvedEntities))
 	}
 
 	return &authorization.IdpPluginResponse{

internal/entitlements/pdp.go

@@ -7,6 +7,7 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"strings"
 	"testing"
 
@@ -76,13 +77,15 @@ func test_server_resp(t *testing.T, w http.ResponseWriter, r *http.Request, k st
 	}
 }
 func test_server(t *testing.T, userSearchQueryAndResp map[string]string, groupSearchQueryAndResp map[string]string,
-	groupByIdAndResponse map[string]string, groupMemberQueryAndResponse map[string]string) *httptest.Server {
+	groupByIdAndResponse map[string]string, groupMemberQueryAndResponse map[string]string, clientsSearchQueryAndResp map[string]string) *httptest.Server {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path == "/realms/tdf/protocol/openid-connect/token" {
 			_, err := io.WriteString(w, token_resp)
 			if err != nil {
 				t.Error(err)
 			}
+		} else if r.URL.Path == "/admin/realms/tdf/clients" {
+			test_server_resp(t, w, r, r.URL.RawQuery, clientsSearchQueryAndResp)
 		} else if r.URL.Path == "/admin/realms/tdf/users" {
 			test_server_resp(t, w, r, r.URL.RawQuery, userSearchQueryAndResp)
 		} else if r.URL.Path == "/admin/realms/tdf/groups" && groupSearchQueryAndResp != nil {
@@ -101,12 +104,44 @@ func test_server(t *testing.T, userSearchQueryAndResp map[string]string, groupSe
 	return server
 }
 
+func Test_KCEntityResolutionByClientId(t *testing.T) {
+
+	var validBody []*authorization.Entity
+	validBody = append(validBody, &authorization.Entity{Id: "1234", EntityType: &authorization.Entity_ClientId{ClientId: "opentdf"}})
+
+	var ctxb = context.Background()
+
+	var req = authorization.IdpPluginRequest{}
+	req.Entities = validBody
+	csqr := map[string]string{
+		"clientId=opentdf": by_email_bob_resp,
+	}
+	server := test_server(t, nil, nil, nil, nil, csqr)
+	defer server.Close()
+	var kcconfig = test_keycloakConfig(server)
+	var kcConfigInterface map[string]interface{}
+	inrec, err := json.Marshal(kcconfig)
+	assert.Nil(t, err)
+
+	require.NoError(t, json.Unmarshal(inrec, &kcConfigInterface))
+	kcConfigStruct, err := structpb.NewStruct(kcConfigInterface)
+	var resp, reserr = idpplugin.EntityResolution(ctxb, &req, &authorization.IdpConfig{
+		Config: kcConfigStruct,
+	})
+
+	assert.Nil(t, reserr)
+	_ = json.NewEncoder(os.Stdout).Encode(resp)
+	var entity_representations = resp.GetEntityRepresentations()
+	assert.NotNil(t, entity_representations)
+	assert.Equal(t, 1, len(entity_representations))
+}
+
 func Test_KCEntityResolutionByEmail(t *testing.T) {
 
 	server := test_server(t, map[string]string{
 		"email=bob%40sample.org&exact=true":   by_email_bob_resp,
 		"email=alice%40sample.org&exact=true": by_email_alice_resp,
-	}, nil, nil, nil)
+	}, nil, nil, nil, nil)
 	defer server.Close()
 
 	var validBody []*authorization.Entity
@@ -150,7 +185,7 @@ func Test_KCEntityResolutionByUsername(t *testing.T) {
 	server := test_server(t, map[string]string{
 		"exact=true&username=bob.smith":   by_username_bob_resp,
 		"exact=true&username=alice.smith": by_username_alice_resp,
-	}, nil, nil, nil)
+	}, nil, nil, nil, nil)
 	defer server.Close()
 
 	// validBody := `{"entity_identifiers": [{"type": "username","identifier": "bob.smith"}]}`
@@ -200,7 +235,8 @@ func Test_KCEntityResolutionByGroupEmail(t *testing.T) {
 		"group1-uuid": group_resp,
 	}, map[string]string{
 		"group1-uuid": group_submember_resp,
-	})
+	},
+		nil)
 	defer server.Close()
 
 	var validBody []*authorization.Entity
@@ -246,7 +282,7 @@ func Test_KCEntityResolutionNotFoundError(t *testing.T) {
 		"group1-uuid": group_resp,
 	}, map[string]string{
 		"group1-uuid": group_submember_resp,
-	})
+	}, nil)
 	defer server.Close()
 
 	var validBody []*authorization.Entity

internal/idpplugin/keycloak_plugin.go

@@ -48,7 +48,7 @@ type Config struct {
 	HSM                     security.HSMConfig `yaml:"hsm"`
 	TLS                     TLSConfig          `yaml:"tls"`
 	WellKnownConfigRegister func(namespace string, config any) error
-	Port                    int    `yaml:"port" default:"9000"`
+	Port                    int    `yaml:"port" default:"8080"`
 	Host                    string `yaml:"host,omitempty"`
 }
 

internal/idpplugin/keycloak_plugin_test.go

@@ -43,7 +43,7 @@ server:
   auth:
     enabled: false
     audience: "http://localhost:8080"
-    issuer: http://localhost:8888/auth/realms/opentdf
+    issuer: http://localhost:8888/auth/realms/tdf
     clients:
       - "opentdf"
   grpc: