AuthZ: Implementation, tests and docs (#193)

* AuthZ: Implementation, tests and docs
* add example and beta tags in docs

Author: pangea-andrest

CHANGELOG.md

@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- AuthZ service support
+
+
 ## v3.8.0-beta.2 - 2024-03-20
 
 ### Added

examples/.examples-ci.yml

@@ -13,6 +13,7 @@ go-sdk-examples:
           - vault
           - share
           - sanitize
+          - authz
   image: golang:${GO_VERSION}
   before_script:
     - export PANGEA_AUDIT_CONFIG_ID="${PANGEA_AUDIT_CONFIG_ID_1_LVE_AWS}"
@@ -35,6 +36,7 @@ go-sdk-examples:
     - export PANGEA_VAULT_TOKEN="${PANGEA_INTEGRATION_TOKEN_LVE_AWS}"
     - export PANGEA_SHARE_TOKEN="${PANGEA_INTEGRATION_TOKEN_LVE_AWS}"
     - export PANGEA_SANITIZE_TOKEN="${PANGEA_INTEGRATION_TOKEN_LVE_AWS}"
+    - export PANGEA_AUTHZ_TOKEN="${PANGEA_INTEGRATION_TOKEN_LVE_AWS}"
   script:
     - cd examples/${EXAMPLE_FOLDER}
     - bash ../../dev/run_examples.sh

examples/authz/authz_cycle.go

@@ -0,0 +1,257 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"time"
+
+	"github.com/pangeacyber/pangea-go/pangea-sdk/v3/pangea"
+	"github.com/pangeacyber/pangea-go/pangea-sdk/v3/service/authz"
+)
+
+const (
+	namespaceFolder = "folder"
+	namespaceUser   = "user"
+	relationOwner   = "owner"
+	relationEditor  = "editor"
+	relationReader  = "reader"
+)
+
+func main() {
+	var timeNow = time.Now()
+	var timeStr = timeNow.Format("20060102_150405")
+	var folder1 = "folder_1_" + timeStr
+	var folder2 = "folder_2_" + timeStr
+	var user1 = "user_1_" + timeStr
+	var user2 = "user_2_" + timeStr
+
+	// Load Pangea token from environment variables
+	token := os.Getenv("PANGEA_AUTHZ_TOKEN")
+	if token == "" {
+		log.Fatal("Unauthorized: No token present.")
+	}
+
+	ctx, cancelFn := context.WithTimeout(context.Background(), 120*time.Second)
+	defer cancelFn()
+
+	// create a new AuthZ client with pangea token and domain
+	client := authz.New(&pangea.Config{
+		Token:              token,
+		Domain:             os.Getenv("PANGEA_DOMAIN"),
+		QueuedRetryEnabled: true,
+		PollResultTimeout:  120 * time.Second,
+		Retry:              true,
+		RetryConfig: &pangea.RetryConfig{
+			RetryMax: 4,
+		},
+	})
+
+	// Create tuples
+	fmt.Println("Creating tuples...")
+	_, err := client.TupleCreate(ctx, &authz.TupleCreateRequest{
+		Tuples: []authz.Tuple{
+			authz.Tuple{
+				Resource: authz.Resource{
+					Namespace: namespaceFolder,
+					ID:        folder1,
+				},
+				Relation: relationReader,
+				Subject: authz.Subject{
+					Namespace: namespaceUser,
+					ID:        user1,
+				},
+			},
+			authz.Tuple{
+				Resource: authz.Resource{
+					Namespace: namespaceFolder,
+					ID:        folder1,
+				},
+				Relation: relationEditor,
+				Subject: authz.Subject{
+					Namespace: namespaceUser,
+					ID:        user2,
+				},
+			},
+			authz.Tuple{
+				Resource: authz.Resource{
+					Namespace: namespaceFolder,
+					ID:        folder2,
+				},
+				Relation: relationEditor,
+				Subject: authz.Subject{
+					Namespace: namespaceUser,
+					ID:        user1,
+				},
+			},
+			authz.Tuple{
+				Resource: authz.Resource{
+					Namespace: namespaceFolder,
+					ID:        folder2,
+				},
+				Relation: relationOwner,
+				Subject: authz.Subject{
+					Namespace: namespaceUser,
+					ID:        user2,
+				},
+			},
+		},
+	})
+	if err != nil {
+		log.Fatalf("Unexpected error.", err)
+	}
+	fmt.Println("Tuples created.")
+
+	// Tuple list with resource
+	fmt.Println("Listing tuples with resource...")
+	filter := authz.NewFilterUserList()
+	filter.ResourceNamespace().Set(pangea.String(namespaceFolder))
+	filter.ResourceID().Set(pangea.String(folder1))
+
+	rListWithResource, err := client.TupleList(ctx, &authz.TupleListRequest{
+		Filter: filter.Filter(),
+	})
+	if err != nil {
+		log.Fatalf("Unexpected error.", err)
+	}
+
+	fmt.Printf("Got %d tuples.\n", rListWithResource.Result.Count)
+	for i, tuple := range rListWithResource.Result.Tuples {
+		fmt.Printf("Tuple #%d\n", i)
+		fmt.Printf("\tNamespace: %s\n", tuple.Subject.Namespace)
+		fmt.Printf("\tID: %s\n", tuple.Subject.ID)
+	}
+
+	// Tuple list with subject
+	filter = authz.NewFilterUserList()
+	fmt.Println("Listing tuples with subject...")
+	filter.SubjectNamespace().Set(pangea.String(namespaceUser))
+	filter.SubjectID().Set(pangea.String(user1))
+
+	rListWithSubject, err := client.TupleList(ctx, &authz.TupleListRequest{
+		Filter: filter.Filter(),
+	})
+	if err != nil {
+		log.Fatalf("Unexpected error.", err)
+	}
+
+	fmt.Printf("Got %d tuples.\n", rListWithSubject.Result.Count)
+	for i, tuple := range rListWithResource.Result.Tuples {
+		fmt.Printf("Tuple #%d\n", i)
+		fmt.Printf("\tNamespace: %s\n", tuple.Subject.Namespace)
+		fmt.Printf("\tID: %s\n", tuple.Subject.ID)
+	}
+
+	// Tuple delete
+	fmt.Println("Deleting tuples...")
+	_, err = client.TupleDelete(ctx, &authz.TupleDeleteRequest{
+		Tuples: []authz.Tuple{
+			authz.Tuple{
+				Resource: authz.Resource{
+					Namespace: namespaceFolder,
+					ID:        folder1,
+				},
+				Relation: relationReader,
+				Subject: authz.Subject{
+					Namespace: namespaceUser,
+					ID:        user1,
+				},
+			},
+		},
+	})
+	if err != nil {
+		log.Fatalf("Unexpected error.", err)
+	}
+	fmt.Println("Delete success.")
+
+	// Check no debug
+	fmt.Println("Checking tuple...")
+	rCheck, err := client.Check(ctx, &authz.CheckRequest{
+		Resource: authz.Resource{
+			Namespace: namespaceFolder,
+			ID:        folder1,
+		},
+		Action: "reader",
+		Subject: authz.Subject{
+			Namespace: namespaceUser,
+			ID:        user2,
+		},
+	})
+	if err != nil {
+		log.Fatalf("Unexpected error.", err)
+	}
+
+	if rCheck.Result.Allowed {
+		fmt.Println("Subject IS allowed to read resource")
+	} else {
+		fmt.Println("Subject is NOT allowed to read resource")
+	}
+
+	// Check debug
+	fmt.Println("Checking tuple with debug enabled...")
+	rCheck, err = client.Check(ctx, &authz.CheckRequest{
+		Resource: authz.Resource{
+			Namespace: namespaceFolder,
+			ID:        folder1,
+		},
+		Action: "editor",
+		Subject: authz.Subject{
+			Namespace: namespaceUser,
+			ID:        user2,
+		},
+		Debug: pangea.Bool(true),
+	})
+	if err != nil {
+		log.Fatalf("Unexpected error.", err)
+	}
+
+	if rCheck.Result.Allowed {
+		fmt.Println("Subject IS allowed to edit resource")
+	} else {
+		fmt.Println("Subject is NOT allowed to edit resource")
+	}
+	if rCheck.Result.Debug != nil {
+		fmt.Printf("Debug data: %s\n", pangea.Stringify(*rCheck.Result.Debug))
+	}
+
+	// List resources
+	fmt.Println("Listing resources...")
+	rListResources, err := client.ListResources(ctx, &authz.ListResourcesRequest{
+		Namespace: namespaceFolder,
+		Action:    relationEditor,
+		Subject: authz.Subject{
+			Namespace: namespaceUser,
+			ID:        user2,
+		},
+	})
+	if err != nil {
+		log.Fatalf("Unexpected error.", err)
+	}
+
+	fmt.Printf("Got %d resources.\n", len(rListResources.Result.IDs))
+	for i, id := range rListResources.Result.IDs {
+		fmt.Printf("Resource #%d. ID: %s\n", i, id)
+	}
+
+	// List subjects
+	fmt.Println("Listing subjects...")
+	rListSubjects, err := client.ListSubjects(ctx, &authz.ListSubjectsRequest{
+		Resource: authz.Resource{
+			Namespace: namespaceFolder,
+			ID:        folder2,
+		},
+		Action: relationEditor,
+	})
+	if err != nil {
+		log.Fatalf("Unexpected error.", err)
+	}
+
+	fmt.Printf("Got %d subjects.\n", len(rListSubjects.Result.Subjects))
+	for i, subject := range rListSubjects.Result.Subjects {
+		fmt.Printf("Tuple #%d\n", i)
+		fmt.Printf("\tNamespace: %s\n", subject.Namespace)
+		fmt.Printf("\tID: %s\n", subject.ID)
+	}
+
+}

examples/authz/go.mod

@@ -0,0 +1,16 @@
+module examples/share
+
+go 1.19
+
+require github.com/pangeacyber/pangea-go/pangea-sdk/v3 v3.8.0
+
+require (
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/rs/zerolog v1.31.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+)
+
+replace github.com/pangeacyber/pangea-go/pangea-sdk/v3 v3.8.0 => ../../pangea-sdk/v3

examples/authz/go.sum

@@ -0,0 +1,30 @@
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/hashicorp/go-hclog v0.9.2 h1:CG6TE5H9/JXsFWJCfoIVpKFIkFe6ysEuHirp4DxCsHI=
+github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
+github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M=
+github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
+github.com/rs/zerolog v1.31.0 h1:FcTR3NnLWW+NnTwwhFWiJSZr4ECLpqCm6QsEnyvbV4A=
+github.com/rs/zerolog v1.31.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

pangea-sdk/.sdk-ci.yml

@@ -21,6 +21,7 @@ sdk-test-it:
     SERVICE_VAULT_ENV: LVE
     SERVICE_SHARE_ENV: LVE
     SERVICE_SANITIZE_ENV: LVE
+    SERVICE_AUTHZ_ENV: DEV
   before_script:
     - echo $ENV
     - echo $CLOUD
@@ -81,6 +82,9 @@ sdk-test-it:
       - CLOUD: [AWS]  # FIXME: Add GCP when supported
         ENV: ${SERVICE_SANITIZE_ENV}
         TEST: sanitize
+      - CLOUD: [AWS, GCP]
+        ENV: ${SERVICE_AUTHZ_ENV}
+        TEST: authz
   rules:
     - if: $CI_COMMIT_BRANCH
   script: