feat: Introduce policy enforcement for federation

.github/workflows/functional.yml

@@ -8,8 +8,9 @@ on:
       - 'Cargo.toml'
       - 'Cargo.lock'
       - '.github/workflows/functional.yml'
-      - 'tests/'
-      - 'src/'
+      - 'tests/**'
+      - 'src/**'
+      - 'policy/**'
 env:
   DATABASE_URL: postgresql://keystone:1234@127.0.0.1:5432/keystone
   KEYSTONE_URL: http://localhost:8080

justfile

@@ -1,4 +1,14 @@
-POLICY_ENTRY_POINTS := "-e identity/identity_provider_list"
+POLICY_ENTRY_POINTS := \
+" -e identity/identity_provider_list" +\
+" -e identity/identity_provider_show" +\
+" -e identity/identity_provider_create" +\
+" -e identity/identity_provider_update" +\
+" -e identity/identity_provider_delete" +\
+" -e identity/mapping_list" +\
+" -e identity/mapping_show" +\
+" -e identity/mapping_create" +\
+" -e identity/mapping_update" +\
+" -e identity/mapping_delete"
 
 [working-directory: 'policy']
 @build-policy:

policy/federation/idp/identity_provider_create.rego

@@ -0,0 +1,31 @@
+package identity.identity_provider_create
+
+import data.identity
+
+# Create identity provider.
+
+default allow := false
+
+allow if {
+	"admin" in input.credentials.roles
+}
+
+allow if {
+	identity.own_idp
+	"manager" in input.credentials.roles
+}
+
+violation contains {"field": "domain_id", "msg": "creating identity provider for other domain requires `admin` role."} if {
+	identity.foreign_idp
+	not "admin" in input.credentials.roles
+}
+
+violation contains {"field": "role", "msg": "creating global identity provider requires `admin` role."} if {
+	identity.global_idp
+	not "admin" in input.credentials.roles
+}
+
+violation contains {"field": "role", "msg": "creating identity provider requires `manager` role."} if {
+	identity.own_idp
+	not "member" in input.credentials.roles
+}

policy/federation/idp/identity_provider_create_test.rego

@@ -0,0 +1,16 @@
+package test_identity_provider_create
+
+import data.identity.identity_provider_create
+
+test_allowed if {
+	identity_provider_create.allow with input as {"credentials": {"roles": ["admin"]}}
+	identity_provider_create.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "domain"}, "target": {"domain_id": "domain"}}
+	identity_provider_create.allow with input as {"credentials": {"roles": ["admin"]}, "target": {"domain_id": null}}
+}
+
+test_forbidden if {
+	not identity_provider_create.allow with input as {"credentials": {"roles": []}}
+	not identity_provider_create.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "domain"}, "target": {"domain_id": "domain"}}
+	not identity_provider_create.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "domain"}, "target": {"domain_id": "other_domain"}}
+	not identity_provider_create.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "domain"}, "target": {"domain_id": null}}
+}

policy/federation/idp/identity_provider_delete.rego

@@ -0,0 +1,31 @@
+package identity.identity_provider_delete
+
+import data.identity
+
+# Show identity provider.
+
+default allow := false
+
+allow if {
+	"admin" in input.credentials.roles
+}
+
+allow if {
+	identity.own_idp
+	"manager" in input.credentials.roles
+}
+
+violation contains {"field": "domain_id", "msg": "deleting the global identity provider requires `admin` role."} if {
+	identity.global_idp
+	not "admin" in input.credentials.roles
+}
+
+violation contains {"field": "role", "msg": "deleting the identity provider owned by the other domain requires `admin` role."} if {
+	identity.foreign_idp
+	not "admin" in input.credentials.roles
+}
+
+violation contains {"field": "role", "msg": "deleting the identity provider requires `manager` role."} if {
+	identity.own_idp
+	not "manager" in input.credentials.roles
+}

policy/federation/idp/identity_provider_delete_test.rego

@@ -0,0 +1,16 @@
+package test_identity_provider_delete
+
+import data.identity.identity_provider_delete
+
+test_allowed if {
+	identity_provider_delete.allow with input as {"credentials": {"roles": ["admin"]}}
+	identity_provider_delete.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "domain"}, "target": {"domain_id": "domain"}}
+	identity_provider_delete.allow with input as {"credentials": {"roles": ["admin"]}, "target": {"domain_id": null}}
+}
+
+test_forbidden if {
+	not identity_provider_delete.allow with input as {"credentials": {"roles": []}}
+	not identity_provider_delete.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "domain"}, "target": {"domain_id": "domain"}}
+	not identity_provider_delete.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "domain"}, "target": {"domain_id": "other_domain"}}
+	not identity_provider_delete.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "domain"}, "target": {"domain_id": null}}
+}

policy/federation/idp/identity_provider_list.rego

@@ -0,0 +1,36 @@
+package identity.identity_provider_list
+
+import data.identity
+
+# List identity providers
+
+default allow := false
+
+allow if {
+	identity.own_idp
+	"reader" in input.credentials.roles
+}
+
+allow if {
+	identity.global_idp
+	"reader" in input.credentials.roles
+}
+
+allow if {
+	"admin" in input.credentials.roles
+}
+
+violation contains {"field": "domain_id", "msg": "listing federated identity providers owned by other domain requires `admin` role."} if {
+	identity.foreign_identity_provider
+	not "admin" in input.credentials.roles
+}
+
+violation contains {"field": "role", "msg": "listing federated identity providers owned by the domain requires `reader` role."} if {
+	identity.own_idp
+	not "reader" in input.credentials.roles
+}
+
+violation contains {"field": "role", "msg": "listing global federated identity providers requires `reader` role."} if {
+	identity.global_idp
+	not "reader" in input.credentials.roles
+}

policy/federation/idp/identity_provider_list_test.rego

@@ -0,0 +1,15 @@
+package test_identity_provider_list
+
+import data.identity.identity_provider_list
+
+test_allowed if {
+	identity_provider_list.allow with input as {"credentials": {"roles": ["admin"]}}
+	identity_provider_list.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "domain"}, "target": {"domain_id": "domain"}}
+	identity_provider_list.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "domain"}, "target": {"domain_id": null}}
+}
+
+test_forbidden if {
+	not identity_provider_list.allow with input as {"credentials": {"roles": []}}
+	not identity_provider_list.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "domain"}, "target": {"domain_id": "other_domain"}}
+	not identity_provider_list.allow with input as {"credentials": {"roles": ["member"], "domain_id": "domain"}, "target": {"domain_id": "other_domain"}}
+}

policy/federation/idp/identity_provider_show.rego

@@ -0,0 +1,36 @@
+package identity.identity_provider_show
+
+import data.identity
+
+# Show identity provider.
+
+default allow := false
+
+allow if {
+	"admin" in input.credentials.roles
+}
+
+allow if {
+	identity.own_idp
+	"reader" in input.credentials.roles
+}
+
+allow if {
+	identity.global_idp
+	"reader" in input.credentials.roles
+}
+
+violation contains {"field": "domain_id", "msg": "fetching identity provider details owned by other domain requires `admin` role."} if {
+	identity.foreign_idp
+	not "admin" in input.credentials.roles
+}
+
+violation contains {"field": "role", "msg": "fetching own identity provider details requires `reader`."} if {
+	identity.own_idp
+	not "reader" in input.credentials.roles
+}
+
+violation contains {"field": "role", "msg": "fetching global identity provider details requires `reader`."} if {
+	identity.global_idp
+	not "reader" in input.credentials.roles
+}

policy/federation/idp/identity_provider_show_test.rego

@@ -0,0 +1,15 @@
+package test_identity_provider_show
+
+import data.identity.identity_provider_show
+
+test_allowed if {
+	identity_provider_show.allow with input as {"credentials": {"roles": ["admin"]}}
+	identity_provider_show.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "domain"}, "target": {"domain_id": "domain"}}
+	identity_provider_show.allow with input as {"credentials": {"roles": ["reader"]}, "target": {"domain_id": null}}
+}
+
+test_forbidden if {
+	not identity_provider_show.allow with input as {"credentials": {"roles": []}}
+	not identity_provider_show.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "domain"}, "target": {"domain_id": "other_domain"}}
+	not identity_provider_show.allow with input as {"credentials": {"roles": ["member"], "domain_id": "domain"}, "target": {"domain_id": "other_domain"}}
+}

policy/federation/idp/identity_provider_update.rego

@@ -0,0 +1,31 @@
+package identity.identity_provider_update
+
+import data.identity
+
+# Update identity provider.
+
+default allow := false
+
+allow if {
+	"admin" in input.credentials.roles
+}
+
+allow if {
+	identity.own_idp
+	"manager" in input.credentials.roles
+}
+
+violation contains {"field": "domain_id", "msg": "updating identity provider for other domain requires `admin` role."} if {
+	identity.foreign_idp
+	not "admin" in input.credentials.roles
+}
+
+violation contains {"field": "role", "msg": "updating global identity provider requires `admin` role."} if {
+	identity.global_idp
+	not "admin" in input.credentials.roles
+}
+
+violation contains {"field": "role", "msg": "updating identity provider requires `manager` role."} if {
+	identity.own_idp
+	not "member" in input.credentials.roles
+}

policy/federation/idp/identity_provider_update_test.rego

@@ -0,0 +1,16 @@
+package test_identity_provider_update
+
+import data.identity.identity_provider_update
+
+test_allowed if {
+	identity_provider_update.allow with input as {"credentials": {"roles": ["admin"]}}
+	identity_provider_update.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "domain"}, "target": {"domain_id": "domain"}}
+	identity_provider_update.allow with input as {"credentials": {"roles": ["admin"]}, "target": {"domain_id": null}}
+}
+
+test_forbidden if {
+	not identity_provider_update.allow with input as {"credentials": {"roles": []}}
+	not identity_provider_update.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "domain"}, "target": {"domain_id": "domain"}}
+	not identity_provider_update.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "domain"}, "target": {"domain_id": "other_domain"}}
+	not identity_provider_update.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "domain"}, "target": {"domain_id": null}}
+}

policy/federation/mapping/mapping_create.rego

@@ -0,0 +1,31 @@
+package identity.mapping_create
+
+import data.identity
+
+# Create mapping.
+
+default allow := false
+
+allow if {
+	"admin" in input.credentials.roles
+}
+
+allow if {
+	identity.own_mapping
+	"manager" in input.credentials.roles
+}
+
+violation contains {"field": "domain_id", "msg": "creating mapping for other domain requires `admin` role."} if {
+	identity.foreign_mapping
+	not "admin" in input.credentials.roles
+}
+
+violation contains {"field": "role", "msg": "creating global mapping requires `admin` role."} if {
+	identity.global_mapping
+	not "admin" in input.credentials.roles
+}
+
+violation contains {"field": "role", "msg": "creating mapping requires `manager` role."} if {
+	identity.own_mapping
+	not "member" in input.credentials.roles
+}

policy/federation/mapping/mapping_create_test.rego

@@ -0,0 +1,16 @@
+package test_mapping_create
+
+import data.identity.mapping_create
+
+test_allowed if {
+	mapping_create.allow with input as {"credentials": {"roles": ["admin"]}}
+	mapping_create.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "domain"}, "target": {"domain_id": "domain"}}
+	mapping_create.allow with input as {"credentials": {"roles": ["admin"]}, "target": {"domain_id": null}}
+}
+
+test_forbidden if {
+	not mapping_create.allow with input as {"credentials": {"roles": []}}
+	not mapping_create.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "domain"}, "target": {"domain_id": "domain"}}
+	not mapping_create.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "domain"}, "target": {"domain_id": "other_domain"}}
+	not mapping_create.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "domain"}, "target": {"domain_id": null}}
+}

policy/federation/mapping/mapping_delete.rego

@@ -0,0 +1,31 @@
+package identity.mapping_delete
+
+import data.identity
+
+# Show mapping.
+
+default allow := false
+
+allow if {
+	"admin" in input.credentials.roles
+}
+
+allow if {
+	identity.own_mapping
+	"manager" in input.credentials.roles
+}
+
+violation contains {"field": "domain_id", "msg": "deleting the global mapping requires `admin` role."} if {
+	identity.global_mapping
+	not "admin" in input.credentials.roles
+}
+
+violation contains {"field": "role", "msg": "deleting the mapping owned by the other domain requires `admin` role."} if {
+	identity.foreign_mapping
+	not "admin" in input.credentials.roles
+}
+
+violation contains {"field": "role", "msg": "deleting the mapping requires `manager` role."} if {
+	identity.own_mapping
+	not "manager" in input.credentials.roles
+}

policy/federation/mapping/mapping_delete_test.rego

@@ -0,0 +1,16 @@
+package test_mapping_delete
+
+import data.identity.mapping_delete
+
+test_allowed if {
+	mapping_delete.allow with input as {"credentials": {"roles": ["admin"]}}
+	mapping_delete.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "domain"}, "target": {"domain_id": "domain"}}
+	mapping_delete.allow with input as {"credentials": {"roles": ["admin"]}, "target": {"domain_id": null}}
+}
+
+test_forbidden if {
+	not mapping_delete.allow with input as {"credentials": {"roles": []}}
+	not mapping_delete.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "domain"}, "target": {"domain_id": "domain"}}
+	not mapping_delete.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "domain"}, "target": {"domain_id": "other_domain"}}
+	not mapping_delete.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "domain"}, "target": {"domain_id": null}}
+}