@pflynn-virtru pflynn-virtru commented Mar 19, 2024

resolves #392 Authorization service integrate Access PDP into GetDecisions
resolves #312 KAS using Authorization Service

  • Removes unused code from KAS
  • Adds client_id to GetEntitlements endpoint

```json
{
    "entities": [
        {
            "id": "0",
            "client_id": "opentdf"
        }
    ],
    "scope": {
        "attribute_value_fqns": [
            "https://brightonhealthclinic.org/attr/healthrecordtype/value/basicpatientinfo"
        ]
    }
}
```

@jakedoublev

This LGTM to merge with iterative improvement, but perhaps it could get a final review and ✅ from someone in @opentdf/opentdf-architecture ?

@ttschampel ttschampel left a comment

LGTM. Follow-on PRs may come from the output of #472

@pflynn-virtru pflynn-virtru added this pull request to the merge queue Apr 2, 2024
Merged via the queue into main with commit 82e8895 Apr 2, 2024
@pflynn-virtru pflynn-virtru deleted the feat/kas-get-decisions branch April 2, 2024 18:11
github-merge-queue bot pushed a commit that referenced this pull request Apr 22, 2024
🤖 I have created a release *beep* *boop*
---


## [0.1.0](protocol/go-v0.1.0...protocol/go/v0.1.0) (2024-04-22)


### Features

* **attr value lookup by fqn:** adds GetAttributesByFqns rpc in
attributes service
[#243](#243)
([#250](#250))
([b810d33](b810d33))
* **auth:** add authorization via casbin
([#417](#417))
([292f2bd](292f2bd))
* **authorization service:** Gets the attributes from the in-memory
service connection inside the GetDecisions request
([#273](#273))
([ce57117](ce57117))
* **authorization:** entitlements
([#247](#247))
([42c4f27](42c4f27))
* **core:** exposes new well-known configuration endpoint
([#299](#299))
([d52cd21](d52cd21))
* **idp-add-on:** PLAT-3005 Add keycloak idp add on and idp add on
protos ([#233](#233))
([2365e61](2365e61))
* **kas:** authorization decisions
([#431](#431))
([82e8895](82e8895))
* **PLAT-2950:** Update buf generated interface code for java
([#240](#240))
([d7e2642](d7e2642))
* **policy object selectors:** adds initial selector protos, moves
policy object type messages to top-level to avoid circular imports, and
provides subject mappings in response to GetAttributeValuesByFqns
([#372](#372))
([e9d9241](e9d9241))
* **policy subject mappings condition sets / migrations:** adds DB
schema, fixes migrate down command, adds migrate up command, bumps goose
([#286](#286))
([4d7a032](4d7a032))
* **policy:** adds support for match subject request to get entitlements
without FQN scopes
([#347](#347))
([63c34a5](63c34a5))
* **policy:** enhance and expand metadata and normalize API
([#314](#314))
([9389f3b](9389f3b))
* **policy:** enhance subject mappings with subject condition sets
([#321](#321))
([df692eb](df692eb))
* **policy:** list attrs by namespace
([#479](#479))
([92d8f8c](92d8f8c))
* **policy:** list attrs by namespace name
([#487](#487))
([04e723f](04e723f))
* **policy:** rework attribute value members
([#398](#398))
([1cb7d0c](1cb7d0c))
* **policy:** support attribute value creation
([#454](#454))
([432ee6b](432ee6b))
* **policy:** update fixtures, proto comments, and proto field names to
reflect use of jq selector syntax within Conditions of Subject Sets
([#523](#523))
([16f40f7](16f40f7))


### Bug Fixes

* **authorization:** remove access pdp internal AttributeInstance type
and use policy proto generated struct types instead
([#485](#485))
([8435f59](8435f59))
* **policy:** Adds policy package infix
([#280](#280))
([57e8ef9](57e8ef9))
* **protos:** authorization service's ResourceAttribute message should
map to updated platform policy schema
([#238](#238))
([bf381dc](bf381dc))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
tech-guru42 added a commit to tech-guru42/TDF that referenced this pull request Jun 3, 2024
passion-127 added a commit to passion-127/TDF that referenced this pull request Jun 6, 2024