hexa-org / policy-mapper Goto Github PK

This adds support for Scopes which are obligations returned to a PEP. For example a SQL Filter, or IDQL Filter, or a set of attributes or columns allowed to be returned.

Use cases:

• SQL Servers (filters expressed as WHERE clauses)
• SCIM (use IDQL Filter expressions)
• LDAP (can convert IDQL filter to LDAP filter)

This enables web interface servers to establish user logins with OIDC.

Anticipated use by:

• Hexa Industries Demo
• Hexa Admin UI

For some reason when kong type=existingfile is used, the value is kept blank after the first use (good or bad).

Remove use of existingfile for now.

Adding documentation for the SDK example

Issues with using pass by reference was causing occasional failures.

A for loop in hexa_policy was not resetting the reference but allowed random passes. By forcing direct use of objects, the reference problem is blocked.

Breaking change:
PolicyDif struct -> PolicyExist attribute is no longer passed by reference.

Allow opaProvider to accept a custom http.Client. This allows the use of oauth2 client for token handling.

Adding documentation for the AWS common provider info

Add support for using authorization header values in addition to mutual TLS.

This is needed for AuthZen server.

Adding documentation for Azure test harness

Current OPA provider is downgrading to an old version of IDQL. Should be end-to-end IDQL 0.6

When no credential is required (and thus not supplied), the hexa cli will panic building WithHttpOptions

When using the Hexa CLI and using the OPA HTTP provider. The client actually tries to get policy from the Server URL root rather than <server-rood>/bundles/bundle.tar.gz

Adding documentation for the Azure AD provider

The export function enables an administrator to export an existing integration to a json file that can be used by the web admin of Policy-Orchestrator

In particular Hexa CLI can be used to create itnegration files by doing the following:

hexa add opa http mybundle --cacert=ca-cert.pem --url=https://mybundlerserver:8889/
hexa export mybundle mybundleserver.json

For some reason, the default policy generated by AVP often includes a when { true }; clause

permit(
  principal,
  action in [hexa_avp::Action::"ReadAccount",hexa_avp::Action::"Transfer",hexa_avp::Action::"Deposit",hexa_avp::Action::"Withdrawl"],
  resource
) when {
  true
};

The above when clause should be converted or just ignored.

Adding documentation for the main models directory

Current Policy-OPA project is using a version of IDQL that has Policy.ID. This has been moved to meta.policyId.

Because of the way the OPA Rego interpreter works, each IDQL policy installed needs to have an identifier.

See: Policy-OPA Issue#2.

This is to publish hexaOpa image so that IDQL enhanced OPA can be easily deployed with docker-compose and on cloud platforms.

Adding documentation for the AWS Cognito provider

At present bundle updates via HTTP can only be done anonymously.

Finalize OPA and integrate with Hexa console

The Hexa cli currently expects the full bundle url. If just a host is provided, simply add it for the user.

Discovered there were some migration issues between old and new policy formats.

Json attributes should all be lower initial case

Unlike projectid in AWS providers or GCP provider, projectid is never actually used. Instead the platform project is wrapped up in the bundle url and the access token.

This is important to simplify and avoid confusion.

Occasionally for testing purposes and other integration work there is the need to initialize a custom HTTP Client when calling cloud APIs. For example, the custom client can mock the remote server and its responses.

This is currently implemented inside many of Hexa Providers but is not yet exposed through the SDK interface.

Adding documentation for the Azure common provider information

Should be returning gcp_iap instead of google_cloud

... needed by policy-orchestrator

Many of the support pkgs have similar code across all 3 packages and have become divergent.

This task moves shared packages to policy-mapper to avoid divergence.

Currently Cedar where clause expression parsing is using Google CEL (because they are almost the same). In the dependencies update, the CEL parser is now failing to parse Cedar where clauses (see Hexa cli test suite).

Now that Cedar is published, it is time to switch to the Cedar libraries

Currently we are just returning the encoded info. Return the decoded server URL to make it easier to tell which PAP goes where. :)

Appears to be a packaging problem where /resources tree not embedded with go code.

Need to use go:embed

Provide a little more context as to the type of resource. E.g. iap_proxy:backend:xyz

Currently the OPA HTTP Provider accepts a fixed authorization which can be a token for authorization with the HexaBundleServer.

The Policy-OPA AuthZen Server takes a certificate PEM to validate tokens provided.

This functionality would allow the provider client to authenticate to an OAuth2 server using the client credentials flow to receive a rotating token for access.

Note: #47 will allow this to be done outside the provider because an http.Client could be configured in the provider which handles token use and refreshing automatically. This enhancement means that each integration can have it's own client credential and OAuth2 server making it possible to connect to multiple provisioning domains while at the same time simplifying configuration inside of Policy-Orchestrator and Hexa CLI

The OPA Provider Get Policies function is expecting OPA Bundle server to respond with a file structure of
/bundle/

Instead the current testBundleServer is returning
/default/bundle/

This causes an unexpected file not found error

The orchestrator "democonfig" service is an implementation of a bundle server that can be used for testing.

This would be moved over to the "examples" directory of policy-mapper to let evaluators set up and run a bundle server and OPA server.

Currently generates an error when parsing:

permit(
    principal == ?principal,
    action in [hexa_avp::Action::"ReadAccount"],
    resource == ?resource
);

? is unexpected