opentdf · strantalis · Aug 12, 2024 · Aug 6, 2024 · Aug 6, 2024 · Aug 6, 2024
@@ -1580,7 +1580,6 @@ github.com/willf/bitset v1.1.11 h1:N7Z7E9UvjW+sGsEl7k/SJrvY2reP1A07MrGuCjIOjRE=
 github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
 github.com/xhit/go-str2duration/v2 v2.1.0 h1:lxklc02Drh6ynqX+DdPyp5pCKLUQpRT8bp8Ydu2Bstc=
 github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
@@ -1891,6 +1890,7 @@ golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCA
 golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
 golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA=
 golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
+golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

@@ -21,11 +21,6 @@ services:
       - kid: r1
         alg: rsa:2048
         legacy: true
-  authorization:
-    ersurl: http://localhost:8080/entityresolution/resolve
-    clientid: tdf-authorization-svc
-    clientsecret: secret
-    tokenendpoint: http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/token
   entityresolution:
     url: http://localhost:8888/auth
     clientid: 'tdf-entity-resolution'

@@ -23,11 +23,6 @@ services:
       from:
         email: true
         username: true
-  authorization:
-    ersurl: http://localhost:8080/entityresolution/resolve
-    clientid: tdf-authorization-svc
-    clientsecret: secret
-    tokenendpoint: http://keycloak:8888/auth/realms/opentdf/protocol/openid-connect/token
 server:
   auth:
     enabled: true

@@ -24,10 +24,6 @@ services:
     legacykeycloak: true
   authorization:
     enabled: true
-    ersurl: http://localhost:8080/entityresolution/resolve
-    clientid: tdf-authorization-svc
-    clientsecret: secret
-    tokenendpoint: http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/token
 server:
   auth:
     enabled: true

@@ -30,30 +30,19 @@ import (
 	"github.com/opentdf/platform/service/pkg/db"
 	"github.com/opentdf/platform/service/pkg/serviceregistry"
 	"github.com/opentdf/platform/service/policies"
-	"golang.org/x/oauth2"
-	"golang.org/x/oauth2/clientcredentials"
 )
 
 const EntityIDPrefix string = "entity_idx_"
 
 type AuthorizationService struct { //nolint:revive // AuthorizationService is a valid name for this struct
 	authorization.UnimplementedAuthorizationServiceServer
-	sdk         *otdf.SDK
-	config      Config
-	logger      *logger.Logger
-	tokenSource *oauth2.TokenSource
-	eval        rego.PreparedEvalQuery
+	sdk    *otdf.SDK
+	config Config
+	logger *logger.Logger
+	eval   rego.PreparedEvalQuery
 }
 
 type Config struct {
-	// Entity Resolution Service URL
-	ERSURL string `mapstructure:"ersurl" validate:"required,http_url"`
-	// OAuth Client ID
-	ClientID string `mapstructure:"clientid" validate:"required"`
-	// OAuth Client secret
-	ClientSecret string `mapstructure:"clientsecret" validate:"required"`
-	// OAuth token endpoint
-	TokenEndpoint string `mapstructure:"tokenendpoint" validate:"required,http_url"`
 	// Custom Rego Policy To Load
 	Rego CustomRego `mapstructure:"rego"`
 }
@@ -65,8 +54,6 @@ type CustomRego struct {
 	Query string `mapstructure:"query" default:"data.opentdf.entitlements.attributes"`
 }
 
-const tokenExpiryDelay = 100
-
 func NewRegistration() serviceregistry.Registration {
 	return serviceregistry.Registration{
 		Namespace:   "authorization",
@@ -90,8 +77,11 @@ func NewRegistration() serviceregistry.Registration {
 				panic(fmt.Errorf("failed to set defaults for authorization service config: %w", err))
 			}
 
-			if err := mapstructure.Decode(srp.Config, &authZCfg); err != nil {
-				panic(fmt.Errorf("invalid auth svc cfg [%v] %w", srp.Config, err))
+			// Only decode config if it exists
+			if srp.Config != nil {
+				if err := mapstructure.Decode(srp.Config, &authZCfg); err != nil {
+					panic(fmt.Errorf("invalid auth svc cfg [%v] %w", srp.Config, err))
+				}
 			}
 
 			// Validate Config
@@ -141,11 +131,7 @@ func NewRegistration() serviceregistry.Registration {
 				panic(fmt.Errorf("failed to prepare entitlements.rego for eval: %w", err))
 			}
 
-			clientCredsConfig := clientcredentials.Config{ClientID: authZCfg.ClientID, ClientSecret: authZCfg.ClientSecret, TokenURL: authZCfg.TokenEndpoint}
-			newTokenSource := oauth2.ReuseTokenSourceWithExpiry(nil, clientCredsConfig.TokenSource(context.Background()), tokenExpiryDelay)
-
 			as.config = *authZCfg
-			as.tokenSource = &newTokenSource
 
 			return as, func(ctx context.Context, mux *runtime.ServeMux, server any) error {
 				authServer, okAuth := server.(authorization.AuthorizationServiceServer)

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"log/slog"
 	"testing"
-	"time"
 
 	"github.com/open-policy-agent/opa/rego"
 	"github.com/opentdf/platform/protocol/go/authorization"
@@ -18,7 +17,6 @@ import (
 	"github.com/opentdf/platform/service/logger"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"golang.org/x/oauth2"
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/types/known/structpb"
 )
@@ -187,11 +185,6 @@ func Test_GetDecisionsAllOf_Pass(t *testing.T) {
 		},
 	}
 
-	testTokenSource := oauth2.StaticTokenSource(&oauth2.Token{
-		AccessToken: "AccessToken",
-		Expiry:      time.Now().Add(1 * time.Hour),
-	})
-
 	ctxb := context.Background()
 
 	testrego := rego.New(
@@ -226,7 +219,7 @@ func Test_GetDecisionsAllOf_Pass(t *testing.T) {
 	as := AuthorizationService{logger: logger, sdk: &otdf.SDK{
 		SubjectMapping: &mySubjectMappingClient{},
 		Attributes:     &myAttributesClient{}, EntityResoution: &myERSClient{}},
-		tokenSource: &testTokenSource, eval: prepared}
+		eval: prepared}
 
 	resp, err := as.GetDecisions(ctxb, &req)
 
@@ -364,11 +357,6 @@ func Test_GetDecisions_AllOf_Fail(t *testing.T) {
 		},
 	}}
 
-	testTokenSource := oauth2.StaticTokenSource(&oauth2.Token{
-		AccessToken: "AccessToken",
-		Expiry:      time.Now().Add(1 * time.Hour),
-	})
-
 	ctxb := context.Background()
 
 	testrego := rego.New(
@@ -385,7 +373,7 @@ func Test_GetDecisions_AllOf_Fail(t *testing.T) {
 	as := AuthorizationService{logger: logger, sdk: &otdf.SDK{
 		SubjectMapping: &mySubjectMappingClient{},
 		Attributes:     &myAttributesClient{}, EntityResoution: &myERSClient{}},
-		tokenSource: &testTokenSource, eval: prepared}
+		eval: prepared}
 
 	resp, err := as.GetDecisions(ctxb, &req)
 
@@ -441,11 +429,6 @@ func Test_GetDecisionsAllOfWithEnvironmental_Pass(t *testing.T) {
 		},
 	}
 
-	testTokenSource := oauth2.StaticTokenSource(&oauth2.Token{
-		AccessToken: "AccessToken",
-		Expiry:      time.Now().Add(1 * time.Hour),
-	})
-
 	ctxb := context.Background()
 
 	testrego := rego.New(
@@ -481,7 +464,7 @@ func Test_GetDecisionsAllOfWithEnvironmental_Pass(t *testing.T) {
 	as := AuthorizationService{logger: logger, sdk: &otdf.SDK{
 		SubjectMapping: &mySubjectMappingClient{},
 		Attributes:     &myAttributesClient{}, EntityResoution: &myERSClient{}},
-		tokenSource: &testTokenSource, eval: prepared}
+		eval: prepared}
 
 	resp, err := as.GetDecisions(ctxb, &req)
 
@@ -535,11 +518,6 @@ func Test_GetDecisionsAllOfWithEnvironmental_Fail(t *testing.T) {
 		},
 	}
 
-	testTokenSource := oauth2.StaticTokenSource(&oauth2.Token{
-		AccessToken: "AccessToken",
-		Expiry:      time.Now().Add(1 * time.Hour),
-	})
-
 	ctxb := context.Background()
 
 	testrego := rego.New(
@@ -575,7 +553,7 @@ func Test_GetDecisionsAllOfWithEnvironmental_Fail(t *testing.T) {
 	as := AuthorizationService{logger: logger, sdk: &otdf.SDK{
 		SubjectMapping: &mySubjectMappingClient{},
 		Attributes:     &myAttributesClient{}, EntityResoution: &myERSClient{}},
-		tokenSource: &testTokenSource, eval: prepared}
+		eval: prepared}
 
 	resp, err := as.GetDecisions(ctxb, &req)
 
@@ -629,10 +607,6 @@ func Test_GetEntitlementsSimple(t *testing.T) {
 		},
 		},
 	}
-	testTokenSource := oauth2.StaticTokenSource(&oauth2.Token{
-		AccessToken: "AccessToken",
-		Expiry:      time.Now().Add(1 * time.Hour),
-	})
 
 	ctxb := context.Background()
 
@@ -650,7 +624,7 @@ func Test_GetEntitlementsSimple(t *testing.T) {
 	as := AuthorizationService{logger: logger, sdk: &otdf.SDK{
 		SubjectMapping: &mySubjectMappingClient{},
 		Attributes:     &myAttributesClient{}, EntityResoution: &myERSClient{}},
-		tokenSource: &testTokenSource, eval: prepared}
+		eval: prepared}
 
 	req := authorization.GetEntitlementsRequest{
 		Entities: []*authorization.Entity{{Id: "e1", EntityType: &authorization.Entity_ClientId{ClientId: "testclient"}, Category: authorization.Entity_CATEGORY_ENVIRONMENT}},
@@ -708,10 +682,6 @@ func Test_GetEntitlementsWithComprehensiveHierarchy(t *testing.T) {
 		},
 		},
 	}
-	testTokenSource := oauth2.StaticTokenSource(&oauth2.Token{
-		AccessToken: "AccessToken",
-		Expiry:      time.Now().Add(1 * time.Hour),
-	})
 
 	ctxb := context.Background()
 
@@ -728,7 +698,7 @@ func Test_GetEntitlementsWithComprehensiveHierarchy(t *testing.T) {
 	as := AuthorizationService{logger: logger, sdk: &otdf.SDK{
 		SubjectMapping: &mySubjectMappingClient{},
 		Attributes:     &myAttributesClient{}, EntityResoution: &myERSClient{}},
-		tokenSource: &testTokenSource, eval: prepared}
+		eval: prepared}
 
 	withHierarchy := true
 	req := authorization.GetEntitlementsRequest{

@@ -31,7 +31,6 @@ require (
 	github.com/valyala/fasthttp v1.52.0
 	github.com/wI2L/jsondiff v0.5.2
 	golang.org/x/exp v0.0.0-20240222234643-814bf88cf225
-	golang.org/x/oauth2 v0.20.0
 	google.golang.org/grpc v1.63.2
 	google.golang.org/protobuf v1.34.1
 	gopkg.in/yaml.v2 v2.4.0

@@ -447,8 +447,6 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
 golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
-golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo=
-golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=