quarkiverse / quarkus-zanzibar Goto Github PK

View Code? Open in Web Editor NEW

16.0 4.0 4.0 227 KB

Zanzibar style fine grained authorization

Home Page: https://zanzibar.academy

License: Apache License 2.0

Java 100.00%

quarkus-extension zanzibar

quarkus-zanzibar's Introduction

Quarkus Zanzibar

Overview

The Quarkus Zanzibar extension provides Zanzibar style Fine Grain Authorization (FGA) capabilities for Quarkus. An authorization filter and dedicated annotations are provided to provide easy integration of Zanzibar style FGA into applications.

The extension only provides the framework and relies on dedicated connectors to communicate with specific Zanzibar style APIs.

Supported APIs:

Documentation

The documentation for this extension can be found here.

Dependency

Adding the quarkus-zanzibar extension to your project only provides access to the authorization and the annotations needed to configure authorization on your resource classes and methods.

To communicate with your selected API you will need to add a connector for OpenFGA or Authzed.

Maven

OpenFGA Zanzibar Connector

<dependency>
    <groupId>io.quarkiverse.zanzibar</groupId>
    <artifactId>quarkus-zanzibar-openfga</artifactId>
    <version>${zanzibar.version}</version>
</dependency>

Authzed Zanzibar Connector

<dependency>
    <groupId>io.quarkiverse.zanzibar</groupId>
    <artifactId>quarkus-zanzibar-authzed</artifactId>
    <version>${zanzibar.version}</version>
</dependency>

Gradle

OpenFGA Zanzibar Connector

implementation("io.quarkiverse.zanzibar:quarkus-zanzibar-openfga:${zanzibar.version}")

Authzed Zanzibar Connector

implementation("io.quarkiverse.zanzibar:quarkus-zanzibar-authzed:${zanzibar.version}")

quarkus-zanzibar's People

Contributors

Stargazers

Watchers

Forkers

iocanel gsmet plawn srose

quarkus-zanzibar's Issues

unsatisfied dependencies when starting the application

hello, I'm getting the following unsastified depdencies when starting a quaksu app suing this extension:

java.lang.RuntimeException: io.quarkus.builder.BuildException: Build failure: Build failed due to errors
	[error]: Build step io.quarkus.arc.deployment.ArcProcessor#validate threw an exception: javax.enterprise.inject.spi.DeploymentException: Found 4 deployment problems: 
[1] Unsatisfied dependency for type java.util.Optional<java.lang.String> and qualifiers [@Default]
	- java member: io.quarkiverse.zanzibar.jaxrs.ZanzibarDynamicFeature():unauthenticatedUser
	- declared on CLASS bean [types=[io.quarkiverse.zanzibar.jaxrs.ZanzibarDynamicFeature, javax.ws.rs.container.DynamicFeature, java.lang.Object], qualifiers=[@Default, @Any], target=io.quarkiverse.zanzibar.jaxrs.ZanzibarDynamicFeature]
	The following beans match by type, but none have matching qualifiers:
		- Bean [class=java.util.Optional, qualifiers=[@ConfigProperty, @Any]]
[2] Unsatisfied dependency for type java.time.Duration and qualifiers [@Default]
	- java member: io.quarkiverse.zanzibar.jaxrs.ZanzibarDynamicFeature():timeout
	- declared on CLASS bean [types=[io.quarkiverse.zanzibar.jaxrs.ZanzibarDynamicFeature, javax.ws.rs.container.DynamicFeature, java.lang.Object], qualifiers=[@Default, @Any], target=io.quarkiverse.zanzibar.jaxrs.ZanzibarDynamicFeature]
[3] Unsatisfied dependency for type boolean and qualifiers [@Default]
	- java member: io.quarkiverse.zanzibar.jaxrs.ZanzibarDynamicFeature():denyUnannotated
	- declared on CLASS bean [types=[io.quarkiverse.zanzibar.jaxrs.ZanzibarDynamicFeature, javax.ws.rs.container.DynamicFeature, java.lang.Object], qualifiers=[@Default, @Any], target=io.quarkiverse.zanzibar.jaxrs.ZanzibarDynamicFeature]
	The following beans match by type, but none have matching qualifiers:
		- Bean [class=java.lang.Boolean, qualifiers=[@ConfigProperty, @Any]]
[4] Unsatisfied dependency for type io.quarkiverse.zanzibar.jaxrs.ZanzibarDynamicFeature$FilterFactory and qualifiers [@Default]
	- java member: io.quarkiverse.zanzibar.jaxrs.ZanzibarDynamicFeature():filterFactory
	- declared on CLASS bean [types=[io.quarkiverse.zanzibar.jaxrs.ZanzibarDynamicFeature, javax.ws.rs.container.DynamicFeature, java.lang.Object], qualifiers=[@Default, @Any], target=io.quarkiverse.zanzibar.jaxrs.ZanzibarDynamicFeature]

I'm probably not using it right but I think I followed the instructions, here is the relevant part of my class:

  @GET
  @Produces(MediaType.TEXT_PLAIN)
  @Path("{itemid}")
  @FGAPathObject(param = "itemid", type = "item")
  @FGARelation("view")
  public String hello(String itemid) {
      return "Access granted to itemid"+itemid;
  }

this is a very useful extension and I'd like to help developing/improving it.

How to configure the credentials for the openFGA server

Hello,

I wanted to use this extension in my project to work with an openFGA server but the only properties I found are these one:

quarkus.zanzibar.filter.enabled
quarkus.zanzibar.filter.deny-unannotated-resource-methods
quarkus.zanzibar.filter.unauthenticated-user
quarkus.zanzibar.filter.timeout

And I can't find how to setup the url and secrets for the openFGA server

Can you help me ? or point me to the correct item of documentation

[feature request] add support for grpc

currently the permission related annotations acts on https request. It would be nice if there was a way to have the same or similar annotations working on grpc methods.

Provide an option to have a custom principal.getName() extractor

If we don't wan to use the principal.getName() as the user identifier, we could provide a class like ?

@ApplicationScoped
public class CustomZanzibarPrincipalExtractor implements ZanzibarPrincipalExtractor {
    public String extract(...) {

    }
}

Incorrect example ?

Hello !

Thanks for your work !
I am trying to use your extension but I encountered some issues, with your example I have an error:

Caused by: io.quarkiverse.openfga.client.model.FGAValidationException: Invalid tuple 'thing:1#owner@1'. Reason: the 'user' field must be an object (e.g. document:1) or an 'object#relation' or a typed wildcard (e.g. group:*)

by chaning this line and after reading the documentation and replacing principal.getName() with "user:"+principal.getName() It works.

Is there something I'm missing ?

403 on a non protected method

I have a service with some methods that are protected by openfga annotations and some that are not. I'm getting 403 on a non protected method. That should not be possible.
Here is my method:

  @GET
  @Produces(MediaType.TEXT_PLAIN)
  @Path("specialQuery")
  public String listSpecialquery() {

      String[] returnedItems = new String[]{"item:item1","item:item2","item:item3","item:item4"};
      List<String> filteredItems=Multi.createFrom().items(returnedItems).filter(new Predicate<String>() {
        @Override
        public boolean test(String t) {
          System.out.println("before: "+t);
          boolean result=authModelClient.check(new TupleKey(t, "view", securityContext.getUserPrincipal().getName()),null).await().atMost(Duration.ofSeconds(1));
          System.out.println("after: "+t);
          return result;
        }
      }).collect().asList().await().atMost(Duration.ofSeconds(5));
      
      return "Access granted to items: "+filteredItems;