feat(jans-cedarling): implement CEDARLING_ID_TOKEN_TRUST_MODE (#10585)

* refactor(jans-cedarling): move id token trust mode to authz config Signed-off-by: rmarinn <[email protected]> * feat(jans-cedarling): implement CEDARLING_ID_TOKEN_TRUST_MODE Signed-off-by: rmarinn <[email protected]> * docs(jans-cedarling): updatge PYTHONTYPES.md Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): remove empty file Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): remove unused FromStr impl for IdTokenTrustMode Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): add docstring for enforce_id_tkn_trust_mode Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): rename enforce_id_tkn_trust_mode - rename enforce_id_tkn_trust_mode to validate_id_tkn_trust_mode Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): rename ClientIdIdTokenAudMismatch - rename ClientIdIdTokenAudMismatch to AccessTokenClientIdMismatch Signed-off-by: rmarinn <[email protected]> * refactor(jans-cedarling): get_tkn_claim_as_str implementation Signed-off-by: rmarinn <[email protected]> * chore(jans-cedarling): remove unnecessary .into() call Signed-off-by: rmarinn <[email protected]> --------- Signed-off-by: rmarinn <[email protected]>
JanssenProject · Jan 18, 2025 · d76f28c · d76f28c
1 parent ef8a07a
commit d76f28c
Show file tree

Hide file tree

Showing 14 changed files with 458 additions and 110 deletions.
diff --git a/jans-cedarling/bindings/cedarling_python/PYTHON_TYPES.md b/jans-cedarling/bindings/cedarling_python/PYTHON_TYPES.md
@@ -201,16 +201,16 @@ ___
 Error encountered while parsing Action to EntityUid
 ___
 
-# authorize_errors.AddEntitiesIntoContextError
-Error encountered while adding entities into context
-___
-
 # authorize_errors.AuthorizeError
 Exception raised by authorize_errors
 ___
 
-# authorize_errors.BuildEntitiesError
-Error encountered while building entities into context
+# authorize_errors.BuildContextError
+Error encountered while building the request context
+___
+
+# authorize_errors.BuildEntityError
+Error encountered while running on strict id token trust mode
 ___
 
 # authorize_errors.CreateContextError
@@ -225,6 +225,10 @@ ___
 Error encountered while parsing all entities to json for logging
 ___
 
+# authorize_errors.IdTokenTrustModeError
+Error encountered while running on strict id token trust mode
+___
+
 # authorize_errors.ProcessTokens
 Error encountered while processing JWT token data
 ___

diff --git a/jans-cedarling/bindings/cedarling_python/src/authorize/errors.rs b/jans-cedarling/bindings/cedarling_python/src/authorize/errors.rs
@@ -74,16 +74,23 @@ create_exception!(
 
 create_exception!(
     authorize_errors,
-    BuildEntitiesError,
+    BuildContextError,
     AuthorizeError,
-    "Error encountered while building entities into context"
+    "Error encountered while building the request context"
 );
 
 create_exception!(
     authorize_errors,
-    AddEntitiesIntoContextError,
+    IdTokenTrustModeError,
     AuthorizeError,
-    "Error encountered while adding entities into context"
+    "Error encountered while running on strict id token trust mode"
+);
+
+create_exception!(
+    authorize_errors,
+    BuildEntityError,
+    AuthorizeError,
+    "Error encountered while running on strict id token trust mode"
 );
 
 #[pyclass]
@@ -129,10 +136,11 @@ errors_functions! {
     CreateContext => CreateContextError,
     WorkloadRequestValidation => WorkloadRequestValidationError,
     UserRequestValidation => UserRequestValidationError,
-    BuildEntity => BuildEntitiesError,
-    BuildContext => AddEntitiesIntoContextError,
     Entities => EntitiesError,
-    EntitiesToJson => EntitiesToJsonError
+    EntitiesToJson => EntitiesToJsonError,
+    BuildContext => BuildContextError,
+    IdTokenTrustMode => IdTokenTrustModeError,
+    BuildEntity => BuildEntityError
 }
 
 pub fn authorize_errors_module(m: &Bound<'_, PyModule>) -> PyResult<()> {

diff --git a/jans-cedarling/bindings/cedarling_python/tests/test_authorize.py b/jans-cedarling/bindings/cedarling_python/tests/test_authorize.py
@@ -186,7 +186,7 @@ def test_resource_entity_error():
     '''
     try:
         raise_authorize_error(load_bootstrap_config())
-    except authorize_errors.BuildEntitiesError as e:
+    except authorize_errors.BuildEntityError as e:
         assert str(e) == "failed to build resource entity: failed to build `org_id` attribute: failed to build restricted expression: type mismatch for key 'org_id'. expected: 'string', but found: 'number'"
 
 

diff --git a/jans-cedarling/cedarling/examples/authorize_with_jwt_validation.rs b/jans-cedarling/cedarling/examples/authorize_with_jwt_validation.rs
@@ -3,14 +3,13 @@
 //
 // Copyright (c) 2024, Gluu, Inc.
 
-use std::collections::{HashMap, HashSet};
-
 use cedarling::{
-    AuthorizationConfig, BootstrapConfig, Cedarling, IdTokenTrustMode, JwtConfig, LogConfig,
-    LogLevel, LogTypeConfig, PolicyStoreConfig, PolicyStoreSource, Request, ResourceData,
-    TokenValidationConfig, Tokens, WorkloadBoolOp,
+    AuthorizationConfig, BootstrapConfig, Cedarling, JwtConfig, LogConfig, LogLevel, LogTypeConfig,
+    PolicyStoreConfig, PolicyStoreSource, Request, ResourceData, TokenValidationConfig, Tokens,
+    WorkloadBoolOp,
 };
 use jsonwebtoken::Algorithm;
+use std::collections::{HashMap, HashSet};
 
 static POLICY_STORE_RAW_YAML: &str =
     include_str!("../../test_files/policy-store_with_trusted_issuers_ok.yaml");
@@ -24,7 +23,6 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
         jwks: None,
         jwt_sig_validation: true,
         jwt_status_validation: false,
-        id_token_trust_mode: IdTokenTrustMode::None,
         signature_algorithms_supported: HashSet::from_iter([Algorithm::HS256, Algorithm::RS256]),
         access_token_config: TokenValidationConfig::access_token(),
         id_token_config: TokenValidationConfig::id_token(),

diff --git a/jans-cedarling/cedarling/src/authz/mod.rs b/jans-cedarling/cedarling/src/authz/mod.rs
@@ -8,6 +8,7 @@
 //! - evaluate if authorization is granted for *user*
 //! - evaluate if authorization is granted for *client* / *workload *
 
+use crate::authorization_config::IdTokenTrustMode;
 use crate::bootstrap_config::AuthorizationConfig;
 use crate::common::app_types;
 use crate::common::policy_store::PolicyStoreWithID;
@@ -27,15 +28,17 @@ use std::collections::HashMap;
 use std::io::Cursor;
 use std::str::FromStr;
 use std::sync::Arc;
-
-pub use authorize_result::AuthorizeResult;
+use trust_mode::*;
 
 mod authorize_result;
 mod build_ctx;
+mod trust_mode;
 
 pub(crate) mod entity_builder;
 pub(crate) mod request;
 
+pub use authorize_result::AuthorizeResult;
+
 /// Configuration to Authz to initialize service without errors
 pub(crate) struct AuthzConfig {
     pub log_service: Logger,
@@ -140,6 +143,10 @@ impl Authz {
 
         let tokens = self.decode_tokens(&request).await?;
 
+        if let IdTokenTrustMode::Strict = self.config.authorization.id_token_trust_mode {
+            validate_id_tkn_trust_mode(&tokens)?;
+        }
+
         // Parse action UID.
         let action = cedar_policy::EntityUid::from_str(request.action.as_str())
             .map_err(AuthorizeError::Action)?;
@@ -489,6 +496,9 @@ pub enum AuthorizeError {
     /// Error encountered while building the context for the request
     #[error("Failed to build context: {0}")]
     BuildContext(#[from] BuildContextError),
+    /// Error encountered while building the context for the request
+    #[error("error while running on strict id token trust mode: {0}")]
+    IdTokenTrustMode(#[from] IdTokenTrustModeError),
     /// Error encountered while building Cedar Entities
     #[error(transparent)]
     BuildEntity(#[from] BuildCedarlingEntityError),