diff --git a/go.work.sum b/go.work.sum
index 46b7ad2691..cc76dac6db 100644
--- a/go.work.sum
+++ b/go.work.sum
@@ -1580,7 +1580,6 @@ github.com/willf/bitset v1.1.11 h1:N7Z7E9UvjW+sGsEl7k/SJrvY2reP1A07MrGuCjIOjRE=
 github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
 github.com/xhit/go-str2duration/v2 v2.1.0 h1:lxklc02Drh6ynqX+DdPyp5pCKLUQpRT8bp8Ydu2Bstc=
 github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
@@ -1891,6 +1890,7 @@ golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCA
 golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
 golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA=
 golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
+golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
diff --git a/opentdf-dev.yaml b/opentdf-dev.yaml
index 1731c8cb84..c095a3cbbe 100644
--- a/opentdf-dev.yaml
+++ b/opentdf-dev.yaml
@@ -21,11 +21,6 @@ services: - kid: r1 alg: rsa:2048 legacy: true - authorization: - ersurl: http://localhost:8080/entityresolution/resolve - clientid: tdf-authorization-svc - clientsecret: secret - tokenendpoint: http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/token entityresolution: url: http://localhost:8888/auth clientid: 'tdf-entity-resolution' diff --git a/opentdf-example.yaml b/opentdf-example.yaml index f73c23e2d0..7c765e80ec 100644 --- a/opentdf-example.yaml +++ b/opentdf-example.yaml @@ -23,11 +23,6 @@ services: from: email: true username: true - authorization: - ersurl: http://localhost:8080/entityresolution/resolve - clientid: tdf-authorization-svc - clientsecret: secret - tokenendpoint: http://keycloak:8888/auth/realms/opentdf/protocol/openid-connect/token server: auth: enabled: true diff --git a/opentdf-with-hsm.yaml b/opentdf-with-hsm.yaml index 69d569573c..3bde88b14d 100644 --- a/opentdf-with-hsm.yaml +++ b/opentdf-with-hsm.yaml @@ -24,10 +24,6 @@ services: legacykeycloak: true authorization: enabled: true - ersurl: http://localhost:8080/entityresolution/resolve - clientid: tdf-authorization-svc - clientsecret: secret - tokenendpoint: http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/token server: auth: enabled: true diff --git a/service/authorization/authorization.go b/service/authorization/authorization.go index 2d43bff53d..a10009e4cc 100644 --- a/service/authorization/authorization.go +++ b/service/authorization/authorization.go 
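Review bot: The three sample configs no longer agree on how the authorization service is declared: opentdf-with-hsm.yaml keeps an `authorization:` stanza holding only `enabled: true`, while the opentdf-dev.yaml and opentdf-example.yaml hunks delete the `authorization:` key outright. Whether `enabled` is still read for this service is not visible on this page; if it is not, the stanza in opentdf-with-hsm.yaml should be dropped as well, and if it is, the other two samples should probably show it so that operators see the same shape everywhere. Removing the hard-coded `clientsecret: secret` and token endpoint from all three is the right direction; the remaining inconsistency is only about the empty stanza.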
@@ -30,30 +30,19 @@ import ( "github.com/opentdf/platform/service/pkg/db" "github.com/opentdf/platform/service/pkg/serviceregistry" "github.com/opentdf/platform/service/policies" - "golang.org/x/oauth2" - "golang.org/x/oauth2/clientcredentials" ) const EntityIDPrefix string = "entity_idx_" type AuthorizationService struct { //nolint:revive // AuthorizationService is a valid name for this struct authorization.UnimplementedAuthorizationServiceServer - sdk *otdf.SDK - config Config - logger *logger.Logger - tokenSource *oauth2.TokenSource - eval rego.PreparedEvalQuery + sdk *otdf.SDK + config Config + logger *logger.Logger + eval rego.PreparedEvalQuery } type Config struct { - // Entity Resolution Service URL - ERSURL string `mapstructure:"ersurl" validate:"required,http_url"` - // OAuth Client ID - ClientID string `mapstructure:"clientid" validate:"required"` - // OAuth Client secret - ClientSecret string `mapstructure:"clientsecret" validate:"required"` - // OAuth token endpoint - TokenEndpoint string `mapstructure:"tokenendpoint" validate:"required,http_url"` // Custom Rego Policy To Load Rego CustomRego `mapstructure:"rego"` } @@ -65,8 +54,6 @@ type CustomRego struct { Query string `mapstructure:"query" default:"data.opentdf.entitlements.attributes"` } -const tokenExpiryDelay = 100 - func NewRegistration() serviceregistry.Registration { return serviceregistry.Registration{ Namespace: "authorization", @@ -90,8 +77,11 @@ func NewRegistration() serviceregistry.Registration { panic(fmt.Errorf("failed to set defaults for authorization service config: %w", err)) } - if err := mapstructure.Decode(srp.Config, &authZCfg); err != nil { - panic(fmt.Errorf("invalid auth svc cfg [%v] %w", srp.Config, err)) + // Only decode config if it exists + if srp.Config != nil { + if err := mapstructure.Decode(srp.Config, &authZCfg); err != nil { + panic(fmt.Errorf("invalid auth svc cfg [%v] %w", srp.Config, err)) + } } // Validate Config 
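Review bot: `Config` is exported and, now that the `ERSURL`, `ClientID`, `ClientSecret` and `TokenEndpoint` fields with their `validate:"required"` tags are gone, nothing tells a reader that the struct carries no required settings and that the service no longer holds OAuth client credentials of its own; the `@@ -90,8 +77,11 @@` hunk makes the same fact implicit by skipping `mapstructure.Decode` when `srp.Config` is nil. A doc comment above the type would make that explicit, for example `// Config holds the authorization service settings. As far as this file shows, no field is required, so a missing section is accepted and the defaults set in NewRegistration apply.` (hedged because `CustomRego.Path` and the validation step are outside the hunk). `AuthorizationService` likewise has only the `//nolint:revive` directive and no doc comment starting with its name; a one-line `// AuthorizationService implements the authorization gRPC server backed by the SDK clients and a prepared Rego query.` would fit the surrounding style. The `// Only decode config if it exists` comment in the later hunk could also say that the defaults remain in effect in that case.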
@@ -141,11 +131,7 @@ func NewRegistration() serviceregistry.Registration { panic(fmt.Errorf("failed to prepare entitlements.rego for eval: %w", err)) } - clientCredsConfig := clientcredentials.Config{ClientID: authZCfg.ClientID, ClientSecret: authZCfg.ClientSecret, TokenURL: authZCfg.TokenEndpoint} - newTokenSource := oauth2.ReuseTokenSourceWithExpiry(nil, clientCredsConfig.TokenSource(context.Background()), tokenExpiryDelay) - as.config = *authZCfg - as.tokenSource = &newTokenSource return as, func(ctx context.Context, mux *runtime.ServeMux, server any) error { authServer, okAuth := server.(authorization.AuthorizationServiceServer) diff --git a/service/authorization/authorization_test.go b/service/authorization/authorization_test.go index 0e96fd2362..ab0c468826 100644 --- a/service/authorization/authorization_test.go +++ b/service/authorization/authorization_test.go @@ -6,7 +6,6 @@ import ( "fmt" "log/slog" "testing" - "time" "github.com/open-policy-agent/opa/rego" "github.com/opentdf/platform/protocol/go/authorization" @@ -18,7 +17,6 @@ import ( "github.com/opentdf/platform/service/logger" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "golang.org/x/oauth2" "google.golang.org/grpc" "google.golang.org/protobuf/types/known/structpb" ) @@ -187,11 +185,6 @@ func Test_GetDecisionsAllOf_Pass(t *testing.T) { }, } - testTokenSource := oauth2.StaticTokenSource(&oauth2.Token{ - AccessToken: "AccessToken", - Expiry: time.Now().Add(1 * time.Hour), - }) - ctxb := context.Background() testrego := rego.New( @@ -226,7 +219,7 @@ func Test_GetDecisionsAllOf_Pass(t *testing.T) { as := AuthorizationService{logger: logger, sdk: &otdf.SDK{ SubjectMapping: &mySubjectMappingClient{}, Attributes: &myAttributesClient{}, EntityResoution: &myERSClient{}}, - tokenSource: &testTokenSource, eval: prepared} + eval: prepared} resp, err := as.GetDecisions(ctxb, &req) 
@@ -364,11 +357,6 @@ func Test_GetDecisions_AllOf_Fail(t *testing.T) { }, }} - testTokenSource := oauth2.StaticTokenSource(&oauth2.Token{ - AccessToken: "AccessToken", - Expiry: time.Now().Add(1 * time.Hour), - }) - ctxb := context.Background() testrego := rego.New( @@ -385,7 +373,7 @@ func Test_GetDecisions_AllOf_Fail(t *testing.T) { as := AuthorizationService{logger: logger, sdk: &otdf.SDK{ SubjectMapping: &mySubjectMappingClient{}, Attributes: &myAttributesClient{}, EntityResoution: &myERSClient{}}, - tokenSource: &testTokenSource, eval: prepared} + eval: prepared} resp, err := as.GetDecisions(ctxb, &req) @@ -441,11 +429,6 @@ func Test_GetDecisionsAllOfWithEnvironmental_Pass(t *testing.T) { }, } - testTokenSource := oauth2.StaticTokenSource(&oauth2.Token{ - AccessToken: "AccessToken", - Expiry: time.Now().Add(1 * time.Hour), - }) - ctxb := context.Background() testrego := rego.New( @@ -481,7 +464,7 @@ func Test_GetDecisionsAllOfWithEnvironmental_Pass(t *testing.T) { as := AuthorizationService{logger: logger, sdk: &otdf.SDK{ SubjectMapping: &mySubjectMappingClient{}, Attributes: &myAttributesClient{}, EntityResoution: &myERSClient{}}, - tokenSource: &testTokenSource, eval: prepared} + eval: prepared} resp, err := as.GetDecisions(ctxb, &req) @@ -535,11 +518,6 @@ func Test_GetDecisionsAllOfWithEnvironmental_Fail(t *testing.T) { }, } - testTokenSource := oauth2.StaticTokenSource(&oauth2.Token{ - AccessToken: "AccessToken", - Expiry: time.Now().Add(1 * time.Hour), - }) - ctxb := context.Background() testrego := rego.New( @@ -575,7 +553,7 @@ func Test_GetDecisionsAllOfWithEnvironmental_Fail(t *testing.T) { as := AuthorizationService{logger: logger, sdk: &otdf.SDK{ SubjectMapping: &mySubjectMappingClient{}, Attributes: &myAttributesClient{}, EntityResoution: &myERSClient{}}, - tokenSource: &testTokenSource, eval: prepared} + eval: prepared} resp, err := as.GetDecisions(ctxb, &req) 
@@ -629,10 +607,6 @@ func Test_GetEntitlementsSimple(t *testing.T) { }, }, } - testTokenSource := oauth2.StaticTokenSource(&oauth2.Token{ - AccessToken: "AccessToken", - Expiry: time.Now().Add(1 * time.Hour), - }) ctxb := context.Background() @@ -650,7 +624,7 @@ func Test_GetEntitlementsSimple(t *testing.T) { as := AuthorizationService{logger: logger, sdk: &otdf.SDK{ SubjectMapping: &mySubjectMappingClient{}, Attributes: &myAttributesClient{}, EntityResoution: &myERSClient{}}, - tokenSource: &testTokenSource, eval: prepared} + eval: prepared} req := authorization.GetEntitlementsRequest{ Entities: []*authorization.Entity{{Id: "e1", EntityType: &authorization.Entity_ClientId{ClientId: "testclient"}, Category: authorization.Entity_CATEGORY_ENVIRONMENT}}, @@ -708,10 +682,6 @@ func Test_GetEntitlementsWithComprehensiveHierarchy(t *testing.T) { }, }, } - testTokenSource := oauth2.StaticTokenSource(&oauth2.Token{ - AccessToken: "AccessToken", - Expiry: time.Now().Add(1 * time.Hour), - }) ctxb := context.Background() @@ -728,7 +698,7 @@ func Test_GetEntitlementsWithComprehensiveHierarchy(t *testing.T) { as := AuthorizationService{logger: logger, sdk: &otdf.SDK{ SubjectMapping: &mySubjectMappingClient{}, Attributes: &myAttributesClient{}, EntityResoution: &myERSClient{}}, - tokenSource: &testTokenSource, eval: prepared} + eval: prepared} withHierarchy := true req := authorization.GetEntitlementsRequest{ diff --git a/service/go.mod b/service/go.mod index df61d6b1ca..c0ae0ebc90 100644 --- a/service/go.mod +++ b/service/go.mod @@ -31,7 +31,6 @@ require ( github.com/valyala/fasthttp v1.52.0 github.com/wI2L/jsondiff v0.5.2 golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 - golang.org/x/oauth2 v0.20.0 google.golang.org/grpc v1.63.2 google.golang.org/protobuf v1.34.1 gopkg.in/yaml.v2 v2.4.0 diff --git a/service/go.sum b/service/go.sum index 4225f5d163..975357cc22 100644 --- a/service/go.sum +++ b/service/go.sum 
@@ -447,8 +447,6 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
 golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
-golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo=
-golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=