feat(opa): Adding jq OPA builtin for selection #527
Conversation
resolves part 3 of #516

wait until #523 is merged to include field naming updates

@elizabethhealy Should we be building a builtin for jq or should it be for subject mappings?

@strantalis the subject mapping evaluation takes place in the rego currently; this is just to retrieve the selected field in the jwt/entity obj per #470
jakedoublev
left a comment
The use of JQ and the unit tests LGTM, but @pflynn-virtru or someone in Arch will need to review the authorization half of this for it to be mergeable. It feels a little odd that we need a plugin to support something the platform currently considers mandatory (subject condition sets with selector syntax and subject mappings), so maybe we should keep this in mind as we continue to evaluate the pros/cons of OPA for this evaluation.

@elizabethhealy We want the subject mapping logic to also take place behind a builtin function as well. Someone that provides a custom opa bundle with modified rego shouldn't modify the mapping logic imo.

@strantalis ok that makes sense, I just read through the adr #472. We can open a separate issue when the adr is resolved to encompass that work (it will definitely overwrite some of this work), but in the meantime can we merge this in to unblock downstream users since the other jq spec changes were already made?

@ttschampel @jrschumacher @biscoe916 Can you give this a review?
ttschampel
left a comment
Let's quickly pick up #567 as a follow up

Thanks @ttschampel, already getting started on the third bullet under #567
🤖 I have created a release *beep* *boop*

---

## [0.1.0](service-v0.1.0...service/v0.1.0) (2024-04-22)

### ⚠ BREAKING CHANGES

* Singular platform/service ([#511](#511))

### Features

* ability to add public routes that bypass authn middleware ([#601](#601)) ([7c65308](7c65308))
* ability to set config key or config file from root cmd ([#502](#502)) ([56a0131](56a0131))
* allow --insecure in provision keycloak cmd ([#629](#629)) ([a672325](a672325))
* **kas:** support HSM and standard crypto ([#497](#497)) ([f0cbe03](f0cbe03))
* **opa:** Adding jq OPA builtin for selection ([#527](#527)) ([d4ab17a](d4ab17a))
* **policy:** add `created_at` and `updated_at` timestamps to metadata ([#538](#538)) ([e812563](e812563))
* **policy:** update fixtures, proto comments, and proto field names to reflect use of jq selector syntax within Conditions of Subject Sets ([#523](#523)) ([16f40f7](16f40f7))
* **sdk:** don't require `client_id` in the auth token ([#544](#544)) ([a1e70f9](a1e70f9))
* **sdk:** normalize token exchange ([#546](#546)) ([9059dff](9059dff))

### Bug Fixes

* **authorization:** Hierarchy working in GetDecisions ([#519](#519)) ([2856485](2856485))
* **core:** allow org-admin casbin role to call KAS rewrap endpoint ([#579](#579)) ([a64c62a](a64c62a))
* **core:** fix panic on nil pointer dereference by passing KAS the SDK instance on registration ([#574](#574)) ([327bfca](327bfca))
* **core:** fixes fixtures provisioning after filepath change with repo restructuring ([#521](#521)) ([f128e9f](f128e9f))
* load extraprops for a service config with remainder values ([#524](#524)) ([d3d72dc](d3d72dc))
* **PLAT-3069:** opentdf/platform, gRPC: Namespace with existed attribute(s) can be deactivated w/o any prompts ([#489](#489)) ([e5a3324](e5a3324))
* **policy:** remove hardcoded schema in goose migration 20240405000000 ([#596](#596)) ([36c3b16](36c3b16))
* **policy:** return `created_at` and `updated_at` timestamps in CREATE metadata ([#557](#557)) ([fcaaeea](fcaaeea))
* resolves issues auth policy configuration ([#498](#498)) ([08e67cf](08e67cf))
* **service:** go.mod version fix sync ([#604](#604)) ([6323efd](6323efd))
* url encode db password field to handle special characters ([#624](#624)) ([5069f9d](5069f9d))

### Code Refactoring

* Singular platform/service ([#511](#511)) ([40c8b97](40c8b97))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Add an OPA builtin for gojq to query the entity object provided by the IdP, or the JWT, with the subject_external_selector_value query string.

references #470
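The selection step this PR describes, as an added example that is not the PR's or the platform's own code: a hypothetical `SelectFromEntity` stands in for the gojq-backed builtin and resolves a jq-style selector (the `subject_external_selector_value`) against an already-decoded entity object or JWT claims map. It supports only the dotted-field and integer-index subset of jq, and the claims are constructed sample data.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SelectFromEntity applies a jq-style path selector such as ".realm_access.roles[0]"
// to a decoded entity object (IdP entity document or verified JWT claims).
// Hypothetical stand-in for the gojq-backed builtin: only dotted fields and integer
// indices are supported, and, as in jq, a path that does not exist yields nil.
func SelectFromEntity(entity any, selector string) (any, error) {
	if !strings.HasPrefix(selector, ".") {
		return nil, fmt.Errorf("selector %q must start with '.'", selector)
	}
	cur := entity
	for _, seg := range strings.Split(selector[1:], ".") {
		name, idx := seg, []int{}
		for strings.HasSuffix(name, "]") { // peel trailing [n] indices
			open := strings.LastIndex(name, "[")
			n, err := strconv.Atoi(name[open+1 : len(name)-1])
			if open < 0 || err != nil {
				return nil, fmt.Errorf("bad index in segment %q", seg)
			}
			idx, name = append([]int{n}, idx...), name[:open]
		}
		if name != "" {
			obj, _ := cur.(map[string]any) // nil map if cur is not an object
			cur = obj[name]                // missing key or non-object: nil
		}
		for _, n := range idx {
			arr, ok := cur.([]any)
			if !ok || n < 0 || n >= len(arr) {
				return nil, nil // not an array or index out of range
			}
			cur = arr[n]
		}
	}
	return cur, nil
}

func main() {
	claims := map[string]any{ // constructed sample claims, not a real token
		"email":        "alice@example.com",
		"realm_access": map[string]any{"roles": []any{"analyst", "reader"}},
	}
	for _, sel := range []string{".email", ".realm_access.roles[0]", ".department"} {
		v, err := SelectFromEntity(claims, sel)
		fmt.Printf("%-24s -> %v (err: %v)\n", sel, v, err)
	}
}
```

The builtin should only ever see claims from a token the authn middleware has already verified, and a selector that resolves to nil must be treated as "no match" by the mapping logic rather than as a wildcard.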