fix: properly set casbin authz policy (#1776)

### Proposed Changes

When calling the SetPolicy function it was overwrittng what ever was
defined within the yaml configuration. This pr addresses this by
changing the current functionality to overwrite the default policy while
still allowing the policy in configuration to take precedence.

The pull request also introduces two new fields `UsernameClaim` and
`GroupsClaim` aligning more with openid based claim names and not
keycloak realm roles. The authz policy will pull the username and list
of groups and run them through the casbin enforce function now. A user
can now scope a policy to a username.

```
p, strantalis, policy.attributes.*, read, allow
```

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

Author: strantalis

docs/configuration.md

@@ -243,11 +243,12 @@ OpenTDF uses Casbin to manage authorization policies. This document provides an
 
 #### Key Aspects of Authorization Configuration
 
-1. **Default Role**: The default role assigned to an authorized user if no specific role is found.
-2. **Claim**: The claim in the OIDC token that should be used to map roles.
-3. **Map**: Mapping between policy roles and IdP roles.
-4. **CSV**: The authorization policy in CSV format.
-5. **Model**: The Casbin policy model.
+2. **Username Claim**: The claim in the OIDC token that should be used to extract a username.
+3. **Group Claim**: The claim in the OIDC token that should be used to find the group claims.
+4. **Map (Deprecated)**: Mapping between policy roles and IdP roles.
+4. **Extension**: Policy that will extend the builtin policy
+4. **CSV**: The authorization policy in CSV format. This will override the builtin policy.
+5. **Model**: The Casbin policy model. This should only be set if you have a deep understanding of how casbin works.
 
 #### Configuration in opentdf-example.yaml
 
@@ -263,19 +264,34 @@ server:
     audience: 'http://localhost:8080'
     issuer: http://keycloak:8888/auth/realms/opentdf
     policy:
-      ## Default role for all requests
-      default: "role:standard"
       
+      ## Deprecated
       ## Dot notation is used to access nested claims (i.e. realm_access.roles)
       claim: "realm_access.roles"
+
+      ## Dot notation is used to access the username claim
+      username_claim: "email"
+
+      ## Dot notation is used to access the groups claim
+      group_claim: "realm_access.roles"
       
+      ## Deprecated: Use standard casbin policy groupings (g, <user/group>, <role>)
       ## Maps the external role to the OpenTDF role
       ## Note: left side is used in the policy, right side is the external role
       map:
         standard: opentdf-standard
         admin: opentdf-admin
 
+      ## Policy that will extend the builtin policy.
+      extension: |
+        p, role:admin, *, *, allow
+        p, role:standard, policy:attributes, read, allow
+        p, role:standard, policy:subject-mappings, read, allow
+        g, opentdf-admin, role:admin
+        g, [email protected], role:standard
+
       ## Custom policy (see examples https://github.com/casbin/casbin/tree/master/examples)
+      ## This will overwrite the builtin policy. Use with caution. 
       csv: |
         p, role:admin, *, *, allow
         p, role:standard, policy:attributes, read, allow
@@ -286,6 +302,7 @@ server:
         p, role:unknown, kas.AccessService/Rewrap, *, allow
 
       ## Custom model (see https://casbin.org/docs/syntax-for-models/)
+      ## Avoid setting this unless you have a deep understanding of how casbin works. 
       model: |
         [request_definition]
         r = sub, res, act, obj
@@ -305,8 +322,7 @@ server:
 
 #### Role Permissions
 
-- **Org Admin**: Can read, write, and perform unsafe mutations.
-- **Admin**: Can read and write.
+- **Admin**: Can perform all operations.
 - **Standard User**: Can read.
 - **Public Endpoints**: Accessible without specific roles.
 

opentdf-dev.yaml

@@ -49,20 +49,18 @@ server:
     audience: 'http://localhost:8080'
     issuer: http://localhost:8888/auth/realms/opentdf
     policy:
-      ## Default policy for all requests
-      default: #"role:standard"
       ## Dot notation is used to access nested claims (i.e. realm_access.roles)
-      claim: # realm_access.roles
-      ## Maps the external role to the opentdf role
-      ## Note: left side is used in the policy, right side is the external role
-      map:
-        # standard: opentdf-standard
-        # admin: opentdf-admin
-
-      ## Custom policy (see examples https://github.com/casbin/casbin/tree/master/examples)
+      # Claim that represents the user (i.e. email)
+      username_claim: # preferred_username
+      # That claim to access groups (i.e. realm_access.roles)
+      groups_claim: # realm_access.roles
+      ## Extends the builtin policy
+      extension: |
+        g, opentdf-admin, role:admin
+        g, opentdf-standard, role:standard
+      ## Custom policy that overrides builtin policy (see examples https://github.com/casbin/casbin/tree/master/examples)
       csv: #|
       #  p, role:admin, *, *, allow
-
       ## Custom model (see https://casbin.org/docs/syntax-for-models/)
       model: #|
       #  [request_definition]

opentdf-example.yaml

@@ -36,17 +36,16 @@ server:
     audience: 'http://localhost:8080'
     issuer: http://keycloak:8888/auth/realms/opentdf
     policy:
-      ## Default policy for all requests
-      default: #"role:standard"
       ## Dot notation is used to access nested claims (i.e. realm_access.roles)
-      claim: # realm_access.roles
-      ## Maps the external role to the opentdf role
-      ## Note: left side is used in the policy, right side is the external role
-      map:
-      #  standard: opentdf-standard
-      #  admin: opentdf-admin
-
-      ## Custom policy (see examples https://github.com/casbin/casbin/tree/master/examples)
+      # Claim that represents the user (i.e. email)
+      username_claim: # preferred_username
+      # That claim to access groups (i.e. realm_access.roles)
+      groups_claim: # realm_access.roles
+      ## Extends the builtin policy
+      extension: |
+        g, opentdf-admin, role:admin
+        g, opentdf-standard, role:standard
+      ## Custom policy that overrides builtin policy (see examples https://github.com/casbin/casbin/tree/master/examples)
       csv: #|
       #  p, role:admin, *, *, allow
       ## Custom model (see https://casbin.org/docs/syntax-for-models/)

opentdf-with-hsm.yaml

@@ -10,7 +10,7 @@ require (
 	github.com/Nerzal/gocloak/v13 v13.9.0
 	github.com/bmatcuk/doublestar v1.3.4
 	github.com/bufbuild/protovalidate-go v0.6.0
-	github.com/casbin/casbin/v2 v2.84.0
+	github.com/casbin/casbin/v2 v2.101.0
 	github.com/creasty/defaults v1.7.0
 	github.com/go-chi/cors v1.2.1
 	github.com/go-playground/validator/v10 v10.22.0
@@ -43,7 +43,8 @@ require (
 	github.com/andybalholm/brotli v1.1.0 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/casbin/govaluate v1.1.0 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.6.1 // indirect
+	github.com/casbin/govaluate v1.2.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/containerd/containerd v1.7.21 // indirect

service/go.mod

@@ -44,14 +44,20 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bmatcuk/doublestar v1.3.4 h1:gPypJ5xD31uhX6Tf54sDPUOBXTqKH4c9aPY66CyQrS0=
 github.com/bmatcuk/doublestar v1.3.4/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=
+github.com/bmatcuk/doublestar/v4 v4.6.1 h1:FH9SifrbvJhnlQpztAx++wlkk70QBf0iBWDwNy7PA4I=
+github.com/bmatcuk/doublestar/v4 v4.6.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/bufbuild/protovalidate-go v0.6.0 h1:Jgs1kFuZ2LHvvdj8SpCLA1W/+pXS8QSM3F/E2l3InPY=
 github.com/bufbuild/protovalidate-go v0.6.0/go.mod h1:1LamgoYHZ2NdIQH0XGczGTc6Z8YrTHjcJVmiBaar4t4=
 github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA=
 github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q=
 github.com/casbin/casbin/v2 v2.84.0 h1:WioxdvRbG/1lR7GMIhEHk4GwPcVOxQqhCGWpEUKJoGI=
 github.com/casbin/casbin/v2 v2.84.0/go.mod h1:jX8uoN4veP85O/n2674r2qtfSXI6myvxW85f6TH50fw=
+github.com/casbin/casbin/v2 v2.101.0 h1:y8qZRXcgv5omd3k/7kpaP03Hov82sXzCC5FAfm17lkw=
+github.com/casbin/casbin/v2 v2.101.0/go.mod h1:LO7YPez4dX3LgoTCqSQAleQDo0S0BeZBDxYnPUl95Ng=
 github.com/casbin/govaluate v1.1.0 h1:6xdCWIpE9CwHdZhlVQW+froUrCsjb6/ZYNcXODfLT+E=
 github.com/casbin/govaluate v1.1.0/go.mod h1:G/UnbIjZk/0uMNaLwZZmFQrR72tYRZWQkO70si/iR7A=
+github.com/casbin/govaluate v1.2.0 h1:wXCXFmqyY+1RwiKfYo3jMKyrtZmOL3kHwaqDyCPOYak=
+github.com/casbin/govaluate v1.2.0/go.mod h1:G/UnbIjZk/0uMNaLwZZmFQrR72tYRZWQkO70si/iR7A=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=

service/go.sum

@@ -197,16 +197,6 @@ func normalizeURL(o string, u *url.URL) string {
 	return ou.String()
 }
 
-// deprecated
-func (a *Authentication) ExtendAuthzDefaultPolicy(policies [][]string) error {
-	return a.enforcer.ExtendDefaultPolicy(policies)
-}
-
-// SetAuthzPolicy sets the policy for the casbin enforcer
-func (a *Authentication) SetAuthzPolicy(policy string) error {
-	return a.enforcer.SetPolicy(policy)
-}
-
 // verifyTokenHandler is a http handler that verifies the token
 func (a Authentication) MuxHandler(handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

service/internal/auth/authn.go

@@ -21,6 +21,7 @@ import (
 	"time"
 
 	"connectrpc.com/connect"
+	"github.com/creasty/defaults"
 	"github.com/lestrrat-go/jwx/v2/jwa"
 	"github.com/lestrrat-go/jwx/v2/jwk"
 	"github.com/lestrrat-go/jwx/v2/jws"
@@ -145,6 +146,10 @@ func (s *AuthSuite) SetupTest() {
 		}
 	}))
 
+	policyCfg := PolicyConfig{}
+	err = defaults.Set(&policyCfg)
+	s.Require().NoError(err)
+
 	auth, err := NewAuthenticator(
 		context.Background(),
 		Config{
@@ -154,6 +159,7 @@ func (s *AuthSuite) SetupTest() {
 				Audience:    "test",
 				DPoPSkew:    time.Hour,
 				TokenSkew:   time.Minute,
+				Policy:      policyCfg,
 			},
 			PublicRoutes: []string{
 				"/public",
@@ -549,15 +555,6 @@ func (s *AuthSuite) TestDPoPEndToEnd_HTTP() {
 	s.Equal(dpopJWK.N(), dpopJWKFromRequest.N())
 }
 
-func (s *AuthSuite) Test_AddAuthzPolicies() {
-	err := s.auth.ExtendAuthzDefaultPolicy([][]string{
-		{"p", "role:admin", "/path", "*", "allow"},
-		{"p", "role:standard", "/path2", "read", "deny"},
-	})
-	s.Require().NoError(err)
-	s.False(s.auth.enforcer.isDefaultPolicy)
-}
-
 func makeDPoPToken(t *testing.T, tc dpopTestCase) string {
 	jtiBytes := make([]byte, sdkauth.JTILength)
 	_, err := rand.Read(jtiBytes)