feat(policy): register unsafe service in platform (#1066)

jakedoublev · web-flow · commit b7796cdbe3b1 · 2024-07-02T17:43:12.000Z
Relates to #115 Closes #115 Drives authorization with existing casbin action definition matching logic: https://github.com/opentdf/platform/blob/main/service/internal/auth/authn.go#L289-L290 Middleware casbin tests (with local `test-admin` client given the `admin` role for validation): ```shell time=2024-07-01T17:16:31.618-07:00 level=INFO msg="enforcing policy" subject=role:admin resource=policy.unsafe.UnsafeService/UnsafeUpdateNamespace action=unsafe time=2024-07-01T17:16:31.618-07:00 level=WARN msg="permission denied" azp=b007dc27-e9a5-493b-8d2d-b26a92a6752c error="permission denied" ``` ```shell time=2024-07-01T17:18:08.028-07:00 level=INFO msg="enforcing policy" subject=role:standard resource=policy.unsafe.UnsafeService/UnsafeUpdateNamespace action=unsafe time=2024-07-01T17:18:08.028-07:00 level=WARN msg="permission denied" azp=d8949062-977b-498a-a640-61865d633121 error="permission denied" ``` ```shell time=2024-07-01T17:18:30.518-07:00 level=INFO msg="enforcing policy" subject=role:org-admin resource=policy.unsafe.UnsafeService/UnsafeUpdateNamespace action=unsafe time=2024-07-01T17:18:30.519-07:00 level=DEBUG msg=sql sql="SELECT opentdf_policy.attribute_namespaces.id, opentdf_policy.attribute_namespaces.name, opentdf_policy.attribute_namespaces.active, JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', metadata->'labels', 'created_at', created_at, 'updated_at', updated_at)) AS metadata, opentdf_policy.attribute_fqns.fqn FROM opentdf_policy ..... ```
diff --git a/opentdf-dev.yaml b/opentdf-dev.yaml
@@ -33,15 +33,15 @@ services:
   entityresolution:
     enabled: true
     url: http://localhost:8888/auth
-    clientid: "tdf-entity-resolution"
-    clientsecret: "secret"
-    realm: "opentdf"
+    clientid: 'tdf-entity-resolution'
+    clientsecret: 'secret'
+    realm: 'opentdf'
     legacykeycloak: true
 server:
   auth:
     enabled: true
     enforceDPoP: false
-    audience: "http://localhost:8080"
+    audience: 'http://localhost:8080'
     issuer: http://localhost:8888/auth/realms/opentdf
     policy:
       ## Default policy for all requests
@@ -61,6 +61,7 @@ server:
       #  p, role:org-admin, policy:subject-mappings, *, *, allow
       #  p, role:org-admin, policy:resource-mappings, *, *, allow
       #  p, role:org-admin, policy:kas-registry, *, *, allow
+      #  p, role:org-admin, policy:unsafe, *, *, allow
 
       ## Custom model (see https://casbin.org/docs/syntax-for-models/)
       model: #|
@@ -81,8 +82,8 @@ server:
   cors:
     enabled: false
     # '*' to allow any origin or a specific domain like 'https://yourdomain.com'
-    allowedorigins: 
-      - "*"
+    allowedorigins:
+      - '*'
     # List of methods. Examples: 'GET,POST,PUT'
     allowedmethods:
       - GET
diff --git a/opentdf-example.yaml b/opentdf-example.yaml
@@ -52,6 +52,7 @@ server:
       #  p, role:org-admin, policy:subject-mappings, *, *, allow
       #  p, role:org-admin, policy:resource-mappings, *, *, allow
       #  p, role:org-admin, policy:kas-registry, *, *, allow
+      #  p, role:org-admin, policy:unsafe, *, *, allow
       ## Custom model (see https://casbin.org/docs/syntax-for-models/)
       model: #|
       #  [request_definition]
diff --git a/opentdf-with-hsm.yaml b/opentdf-with-hsm.yaml
@@ -57,6 +57,7 @@ server:
       #  p, role:org-admin, policy:subject-mappings, *, *, allow
       #  p, role:org-admin, policy:resource-mappings, *, *, allow
       #  p, role:org-admin, policy:kas-registry, *, *, allow
+      #  p, role:org-admin, policy:unsafe, *, *, allow
       ## Custom model (see https://casbin.org/docs/syntax-for-models/)
       model: #|
       #  [request_definition]
diff --git a/protocol/go/policy/unsafe/unsafe.pb.go b/protocol/go/policy/unsafe/unsafe.pb.go
diff --git a/service/buf.yaml b/service/buf.yaml
@@ -9,8 +9,6 @@ breaking:
     - PACKAGE
     - WIRE_JSON
     - WIRE
-  ignore:
-    - policy/unsafe/unsafe.proto
 lint:
   allow_comment_ignores: true
   use:
diff --git a/service/internal/auth/casbin.go b/service/internal/auth/casbin.go
@@ -59,7 +59,9 @@ p,	role:org-admin,		/unsafe*,										            *,			allow
 
 # Role: Admin
 ## gRPC routes
-p,	role:admin,		    policy.*,																*,			allow
+p,	role:admin,		    policy.*,																read,			allow
+p,	role:admin,		    policy.*,																write,			allow
+p,	role:admin,		    policy.*,																delete,			allow
 p,	role:admin,		    kasregistry.*,													*,			allow
 p,	role:admin,		    kas.AccessService/Rewrap, 			        *,			allow
 p,  role:admin,   authorization.*,                        *,      allow
@@ -73,7 +75,6 @@ p,	role:admin,		/kas/v2/rewrap,						  				        *,      allow
 
 ## Role: Standard
 ## gRPC routes
-p,  role:standard,		policy.unsafe.*,													 *,			deny
 p,	role:standard,		policy.*,																read,			allow
 p,	role:standard,		kasregistry.*,													read,			allow
 p,	role:standard,    kas.AccessService/Rewrap, 			           *,			allow
diff --git a/service/policy/db/namespaces.go b/service/policy/db/namespaces.go
@@ -111,12 +111,7 @@ func (c PolicyDBClient) GetNamespace(ctx context.Context, id string) (*policy.Na
 		return nil, err
 	}
 
-	n, err := hydrateNamespaceItem(row, opts)
-	if err != nil {
-		return nil, err
-	}
-
-	return n, nil
+	return hydrateNamespaceItem(row, opts)
 }
 
 func listNamespacesSQL(opts namespaceSelectOptions) (string, []interface{}, error) {
diff --git a/service/policy/policy.go b/service/policy/policy.go
@@ -10,7 +10,7 @@ import (
 	"github.com/opentdf/platform/service/policy/namespaces"
 	"github.com/opentdf/platform/service/policy/resourcemapping"
 	"github.com/opentdf/platform/service/policy/subjectmapping"
-	// "github.com/opentdf/platform/service/policy/unsafe"
+	"github.com/opentdf/platform/service/policy/unsafe"
 )
 
 var Migrations *embed.FS
@@ -33,7 +33,7 @@ func NewRegistrations() []serviceregistry.Registration {
 		resourcemapping.NewRegistration(),
 		subjectmapping.NewRegistration(),
 		kasregistry.NewRegistration(),
-		// unsafe.NewRegistration(),
+		unsafe.NewRegistration(),
 	} {
 		r.Namespace = namespace
 		r.DB = dbRegister
diff --git a/service/policy/unsafe/unsafe.proto b/service/policy/unsafe/unsafe.proto
@@ -19,8 +19,8 @@ message UnsafeUpdateNamespaceRequest {
     (buf.validate.field).string.max_len = 253,
     (buf.validate.field).cel = {
       id: "namespace_name_format",
-      message: "Namespace name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored namespace name will be normalized to lower case.",
-      expression: "this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$')"
+      message: "Namespace must be a valid hostname. It should include at least one dot, with each segment (label) starting and ending with an alphanumeric character. Each label must be 1 to 63 characters long, allowing hyphens but not as the first or last character. The top-level domain (the last segment after the final dot) must consist of at least two alphabetic characters. The stored namespace will be normalized to lower case.",
+      expression: "this.matches('^([a-zA-Z0-9]([a-zA-Z0-9\\\\-]{0,61}[a-zA-Z0-9])?\\\\.)+[a-zA-Z]{2,}$')"
     }
   ];
 }

Original file line number	Diff line number	Diff line change
`@@ -111,12 +111,7 @@ func (c PolicyDBClient) GetNamespace(ctx context.Context, id string) (*policy.Na`
`111`	`111`	`return nil, err`
`112`	`112`	`}`
`113`	`113`
`114`		`- n, err := hydrateNamespaceItem(row, opts)`
`115`		`- if err != nil {`
`116`		`- return nil, err`
`117`		`- }`
`118`		`-`
`119`		`- return n, nil`
	`114`	`+ return hydrateNamespaceItem(row, opts)`
`120`	`115`	`}`
`121`	`116`
`122`	`117`	`func listNamespacesSQL(opts namespaceSelectOptions) (string, []interface{}, error) {`
Original file line number	Diff line number	Diff line change
`@@ -19,8 +19,8 @@ message UnsafeUpdateNamespaceRequest {`
`19`	`19`	`(buf.validate.field).string.max_len = 253,`
`20`	`20`	`(buf.validate.field).cel = {`
`21`	`21`	`id: "namespace_name_format",`
`22`		`- message: "Namespace name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored namespace name will be normalized to lower case.",`
`23`		`- expression: "this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$')"`
	`22`	`+ message: "Namespace must be a valid hostname. It should include at least one dot, with each segment (label) starting and ending with an alphanumeric character. Each label must be 1 to 63 characters long, allowing hyphens but not as the first or last character. The top-level domain (the last segment after the final dot) must consist of at least two alphabetic characters. The stored namespace will be normalized to lower case.",`
	`23`	`+ expression: "this.matches('^([a-zA-Z0-9]([a-zA-Z0-9\\\\-]{0,61}[a-zA-Z0-9])?\\\\.)+[a-zA-Z]{2,}$')"`
`24`	`24`	`}`
`25`	`25`	`];`
`26`	`26`	`}`