Merge branch 'main' into axio-runner-updates

openid · Feb 25, 2025 · 8d1dede · 8d1dede
2 parents 8cefc2b + 6b163f2
commit 8d1dede
Show file tree

Hide file tree

Showing 46 changed files with 6,559 additions and 210 deletions.
diff --git a/interop/authzen-api-gateways/aws-api-gateway/authzen.mjs b/interop/authzen-api-gateways/aws-api-gateway/authzen.mjs
@@ -9,11 +9,12 @@ function log(message) {
 }
 
 const { AUTHZEN_PDP_API_KEYS } = process.env;
+const apiKeys = (AUTHZEN_PDP_API_KEYS && JSON.parse(AUTHZEN_PDP_API_KEYS)) ?? {};
 
 function getPdpInfo(req) {
   const pdpName = req.headers["x_authzen_gateway_pdp"];
   const pdpBaseUrl = pdpName && pdps[pdpName];
-  const pdpAuthHeader = pdpName && AUTHZEN_PDP_API_KEYS[pdpName];
+  const pdpAuthHeader = pdpName && apiKeys[pdpName];
   return { pdpName, pdpBaseUrl, pdpAuthHeader };
 };
 
@@ -45,7 +46,7 @@ export async function authorize(req) {
 
   const payload = {
     "subject": {
-      "type": "user",
+      "type": "identity",
       "id": subjectId
     },
     "action": {

diff --git a/interop/authzen-api-gateways/aws-api-gateway/pdps.json b/interop/authzen-api-gateways/aws-api-gateway/pdps.json
@@ -2,5 +2,7 @@
   "Aserto": "https://authzen-gateway-proxy.demo.aserto.com",
   "Axiomatics": "https://pdp.alfa.guide",
   "Cerbos": "https://authzen-proxy-demo.cerbos.dev",
-  "PlainID": "https://authzeninteropt.se-plainid.com"
+  "PlainID": "https://authzeninteropt.se-plainid.com",
+  "Rock Solid Knowledge": "https://authzen.identityserver.com",
+  "Topaz": "https://authzen-topaz.demo.aserto.com"
 }
diff --git a/interop/authzen-api-gateways/envoy-gateway/authzen-external-authorizer/authzen.go b/interop/authzen-api-gateways/envoy-gateway/authzen-external-authorizer/authzen.go
@@ -16,10 +16,12 @@ import (
 
 // PDP URLs
 var pdps = map[string]string{
-	"Aserto":     "https://authzen-gateway-proxy.demo.aserto.com",
-	"Axiomatics": "https://pdp.alfa.guide",
-	"Cerbos":     "https://authzen-proxy-demo.cerbos.dev",
-	"PlainID":    "https://authzeninteropt.se-plainid.com",
+	"Aserto":               "https://authzen-gateway-proxy.demo.aserto.com",
+	"Axiomatics":           "https://pdp.alfa.guide",
+	"Cerbos":               "https://authzen-proxy-demo.cerbos.dev",
+	"PlainID":              "https://authzeninteropt.se-plainid.com",
+	"Rock Solid Knowledge": "https://authzen.identityserver.com",
+	"Topaz":                "https://authzen-topaz.demo.aserto.com",
 }
 
 // AuthZENSubject represents the subject in the authorization request
@@ -86,7 +88,7 @@ func (server *AuthServer) AuthorizeRequest(ctx context.Context, request *auth_pb
 	// Create authorization request payload
 	authZENPayload := &AuthZENRequest{
 		Subject: AuthZENSubject{
-			Type: "user",
+			Type: "identity",
 			ID:   userId,
 		},
 		Action: AuthZENAction{

diff --git a/interop/authzen-api-gateways/envoy-gateway/authzen-external-authorizer/go.mod b/interop/authzen-api-gateways/envoy-gateway/authzen-external-authorizer/go.mod
@@ -22,10 +22,10 @@ require (
 	github.com/getkin/kin-openapi v0.129.0
 	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
-	golang.org/x/net v0.32.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a
 	google.golang.org/grpc v1.70.0
 	google.golang.org/protobuf v1.35.2 // indirect
 )
diff --git a/interop/authzen-api-gateways/envoy-gateway/authzen-external-authorizer/go.sum b/interop/authzen-api-gateways/envoy-gateway/authzen-external-authorizer/go.sum
@@ -62,8 +62,8 @@ go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiy
 go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ=
 go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM=
 go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8=
-golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
-golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=

diff --git a/interop/authzen-api-gateways/kong-gateway/conf.yaml b/interop/authzen-api-gateways/kong-gateway/conf.yaml
@@ -19,9 +19,13 @@ routes:
   methods: ~
   service: 2e9926ca-053f-4a4d-aeea-e45ac77d4775
   paths:
-    - "/"
+    - ~/users/(?<userId>.+)
+    - ~/todos/(?<todoId>.+)
+    - /users
+    - /todos
+    - /pdps
   https_redirect_status_code: 426
-  strip_path: true
+  strip_path: false
   request_buffering: true
   response_buffering: true
   protocols:
@@ -32,16 +36,36 @@ plugins:
 - tags: ~
   instance_name: authzen-profile
   name: authzen
-  ordering: ~
-  consumer: ~
   id: 96cb9f8d-edd3-4254-b950-2fba72c8289b
   route: 51799165-1a03-495c-b390-4ac7e7047061
   config:
     server:
-      pdp_url: '{     "Aserto":"https://authzen-gateway-proxy.demo.aserto.com",     "Cerbos":"https://authzen-proxy-demo.cerbos.dev",     "PlainID":"https://authzeninteropt.se-plainid.com" }'
+      pdp_url: '{     "Aserto":"https://authzen-gateway-proxy.demo.aserto.com",  "Axiomatics": "https://pdp.alfa.guide",   "Cerbos":"https://authzen-proxy-demo.cerbos.dev",     "PlainID":"https://authzeninteropt.se-plainid.com",     "Rock Solid Knowledge": "https://authzen.identityserver.com",     "Topaz": "https://authzen-topaz.demo.aserto.com" }'
   protocols:
   - grpc
   - grpcs
   - http
   - https
-  enabled: true
+  enabled: true
+- id: bc8fc574-8540-4dc8-bbcd-cd1b671ab801
+  protocols:
+    - grpc
+    - grpcs
+    - http
+    - https
+  name: cors
+  enabled: true
+  route: 51799165-1a03-495c-b390-4ac7e7047061
+  config:
+    origins:
+      - http://localhost:3000
+      - https://citadel.demo.aserto.com
+      - https://todo.authzen-interop.net
+    credentials: false
+    preflight_continue: false
+    methods:
+      - GET
+      - HEAD
+      - PUT
+      - PATCH
+      - POST
diff --git a/interop/authzen-api-gateways/kong-gateway/kong/plugins/authzen/access.lua b/interop/authzen-api-gateways/kong-gateway/kong/plugins/authzen/access.lua
@@ -22,26 +22,26 @@ local function evaluate(pidreq,conf)
         method = "POST",
         body = pidreq,
         headers = {
-          ["Content-Type"] = "application/json"
+            ["Content-Type"] = "application/json"
         },
         keepalive_timeout = 60,
         keepalive_pool = 10
-      })
+    })
     if err then
         kong.log.error("AuthZEN error: " ,err)
         return kong.response.exit(403, {
             message = {
                 authzen_err = err
             }
-          })
+        })
     end
     kong.log.notice("AuthZEN Response: " ,res['body'])
     if res.status ~= 200  then
-          return kong.response.exit(403, {
+        return kong.response.exit(403, {
             message = {
                 authzen_err = res['body']
             }
-          })
+        })
     end
     return res['body']
 end
@@ -52,12 +52,26 @@ local function return_err(msg)
     local message = {
         message = msg
     }
-    return kong.response.exit(403, message)    
+    return kong.response.exit(403, message)
+end
+
+--TODO: Very naive :)
+local function replace_values_by_keys()
+    local m = ngx.ctx.router_matches
+    local modified = ngx.var.uri
+    if m.uri_captures ~= nil then
+        for k, v in pairs(m.uri_captures) do
+            if type(v) == "string" and type(k) == "string" then
+                local pattern = v:gsub("([%^%$%(%)%%%.%[%]%*%+%-%?])", "%%%1") -- Escape special characters in the value
+                modified = modified:gsub("/" .. pattern, "/{" .. k .. "}")
+            end
+        end
+    end
+    return modified
 end
 
 function _M.execute(conf)
     kong.log.info("Starting AuthZEN Plugin........")
-
     local authorization = ngx.var.http_authorization
     if authorization == nil then
         return return_err("No Bearer token provided")
@@ -75,33 +89,37 @@ function _M.execute(conf)
     if err then
         return return_err("No Bearer token provided")
     end
-    
+
     kong.log.info(decoded_token.claims)
 
-
+    local route = replace_values_by_keys()
+    if route == nil then
+        route = ngx.var.uri
+    end
+
     local id = decoded_token.claims.sub
     local authzen_request = {
         subject = {
-            type = "user",
+            type = "identity",
             id = id
         },
         resource = {
             type = "route",
-            id = ngx.var.uri
+            id = route
         },
         action = {
             name = ngx.var.request_method
         }
     }
-      
-    
- 
+
+
+
     local pidreq = cjson.encode(authzen_request)
     local rsp = evaluate(pidreq,conf)
     local data = cjson.decode(rsp)
     local result = data.decision
     if not result then
-      return return_err("AuthZEN: Access Forbidden")
+        return return_err("AuthZEN: Access Forbidden")
     end
 
 end

diff --git a/interop/authzen-api-gateways/kong-gateway/kong/plugins/authzen/schema.lua b/interop/authzen-api-gateways/kong-gateway/kong/plugins/authzen/schema.lua
@@ -1,7 +1,7 @@
 local typedefs = require "kong.db.schema.typedefs"
 
 return {
-  name = "plainid",
+  name = "authzen",
   fields = {
     -- {
     --   -- this plugin will only be applied to Services or Routes