From 7defe392f2ac96e1b1d761b426fc834d6a4eb2e9 Mon Sep 17 00:00:00 2001
From: Garry O'Donnell
Date: Tue, 19 Mar 2024 12:29:03 +0000
Subject: [PATCH 1/2] Authorize on proposal and session membership

---
 .devcontainer/docker-compose.yml | 2 +-
 policy/system.rego | 19 ++++++++++++++++++-
 policy/token.rego | 26 ++++++++++++++++++++++++++
 3 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 policy/token.rego

diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
index d237c02..dd84f49 100644
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@@ -27,7 +27,7 @@ services:
 - ../policy/:/policy:cached,z
 env_file: opa.env
 environment:
- JWKS_ENDPOINT: https://authn.diamond.ac.uk/realms/master/protocol/openid-connect/certs
+ SKIP_AUTHORIZATION: true
 ispyb:
 image: ghcr.io/diamondlightsource/ispyb-database:v3.0.0
diff --git a/policy/system.rego b/policy/system.rego
index 0b9d475..a24e532 100644
--- a/policy/system.rego
+++ b/policy/system.rego
@@ -1,11 +1,28 @@
 package system
 
+import data.token.claims
 import rego.v1
 
 main := {"allow": allow}
 
 default allow := false
 
+# Allow if the SKIP_AUTHORIZATION environment variable is set and a preset token is supplied
 allow if {
- input.token == "ValidToken"
+ opa.runtime().env.SKIP_AUTHORIZATION
+ input.token == "ValidToken"
+}
+
+# Allow if on proposal which contains session
+allow if {
+ some proposal_number in data.diamond.data.subjects[claims.fedid].proposals
+ proposal_number == input.proposal
+}
+
+# Allow if directly on session
+allow if {
+ some session_id in data.diamond.data.subjects[claims.fedid].sessions
+ session := data.diamond.data.sessions[session_id]
+ session.proposal_number == input.proposal
+ session.visit_number == input.visit
 }
diff --git a/policy/token.rego b/policy/token.rego
new file mode 100644
index 0000000..b2d70d6
--- /dev/null
+++ b/policy/token.rego
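Review bot: `SKIP_AUTHORIZATION: true` is an unquoted YAML boolean under `environment:`; the Compose specification asks for boolean-looking values to be quoted so the YAML loader does not coerce them, and some Compose versions reject non-string values in this mapping outright. Write `SKIP_AUTHORIZATION: "true"` so the variable reaches OPA as the literal string that the policy reads through `opa.runtime().env`. With `JWKS_ENDPOINT` removed, the devcontainer no longer exercises the token-verification path at all; if that is intended, a one-line comment above the variable, e.g. `# dev only: bypasses token verification, never set in deployed environments`, would stop the line being copied into a real compose file.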
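Review bot: The bypass rule tests `opa.runtime().env.SKIP_AUTHORIZATION` for mere presence: a non-boolean term in a rule body is satisfied whenever it is defined, and environment values are strings, so `SKIP_AUTHORIZATION=false` or `=0` in the environment still lets `input.token == "ValidToken"` authorize. Compare the value explicitly, `opa.runtime().env.SKIP_AUTHORIZATION == "true"`, so only a deliberate setting enables the shortcut. The two membership rules depend on `claims` (imported from data.token) being undefined for a token that fails verification; that fail-closed reliance is worth stating above them, e.g. `# claims is undefined when the token does not verify, so neither rule below can fire`. The proposal rule reads more directly as the membership test it is, `input.proposal in data.diamond.data.subjects[claims.fedid].proposals`, which drops the unused loop variable.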
@@ -0,0 +1,26 @@
+package token
+
+fetch_jwks(url) := http.send({
+ "url": jwks_url,
+ "method": "GET",
+ "force_cache": true,
+ "force_cache_duration_seconds": 3600,
+})
+
+jwks_endpoint := opa.runtime().env.JWKS_ENDPOINT
+
+token_unverified := io.jwt.decode(input.token)
+
+token_jwt_header := token_unverified[0]
+
+jwks_url := concat("?", [jwks_endpoint, urlquery.encode_object({"kid": token_jwt_header.kid})])
+
+jwks := fetch_jwks(jwks_url).raw_body
+
+token := token_unverified
+
+if {
+ io.jwt.verify_rs256(input.token, jwks)
+}
+
+claims := token[1]

From 0d10b39abaa64e8f6e96c45479936ab3c0d9e19a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 19 Mar 2024 12:30:28 +0000
Subject: [PATCH 2/2] Bump sea-orm-codegen from 0.12.14 to 0.12.15

Bumps [sea-orm-codegen](https://github.com/SeaQL/sea-orm) from 0.12.14 to 0.12.15.
- [Release notes](https://github.com/SeaQL/sea-orm/releases)
- [Changelog](https://github.com/SeaQL/sea-orm/blob/0.12.15/CHANGELOG.md)
- [Commits](https://github.com/SeaQL/sea-orm/compare/0.12.14...0.12.15)

---
updated-dependencies:
- dependency-name: sea-orm-codegen
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 Cargo.lock | 4 ++--
 models/Cargo.toml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index ec8eae8..66816c1 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2405,9 +2405,9 @@ dependencies = [
 
 [[package]]
 name = "sea-orm-codegen"
-version = "0.12.14"
+version = "0.12.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "515fb555cbbe586cd2c251a39fbc6d0e52a84b353dd63c4320205553b865ac81"
+checksum = "6edc65d76c9a0d693611b8dafac12802406a426410f95beb63ae1ce69354a703"
 dependencies = [
 "heck",
 "proc-macro2",
diff --git a/models/Cargo.toml b/models/Cargo.toml
index 93fc057..25b53d7 100644
--- a/models/Cargo.toml
+++ b/models/Cargo.toml
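Review bot: Signature verification does not gate the claims that system.rego consumes: `token := token_unverified` is a complete, unconditional rule, and the `if {` block that follows after a blank line is parsed as a separate rule named `if` unless the runtime treats `if` as a keyword (OPA 1.0, or `import rego.v1` / `future.keywords.if`, none of which token.rego has while system.rego does import rego.v1), so `claims := token[1]` exposes the unverified payload. Add `import rego.v1` after `package token` and join the head to its body, `token := token_unverified if {`, so `token` is undefined whenever `io.jwt.verify_rs256` fails. `verify_rs256` checks only the signature, so an expired token still verifies; add `time.now_ns() < token_unverified[1].exp * 1000000000` to the same body, or use `io.jwt.decode_verify`, which enforces `exp`/`nbf` and, when the constraints are supplied, `iss`/`aud`. Separately, `fetch_jwks(url)` ignores its `url` argument and reads the package-level `jwks_url`; it should be `"url": url`.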
@@ -11,7 +11,7 @@ prettyplease = "0.2.16"
 sea-orm = { workspace = true }
 
 [build-dependencies]
-sea-orm-codegen = { version = "0.12.14" }
+sea-orm-codegen = { version = "0.12.15" }
 sea-schema = { version = "0.14.2", default-features = false, features = [
 "runtime-tokio-rustls",
 "sqlx-mysql",