Add in AuthZEN proxy & interop 1.0 passing policy & data

authzen/.gitignore

@@ -0,0 +1,184 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+.pnpm-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# Snowpack dependency directory (https://snowpack.dev/)
+web_modules/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional stylelint cache
+.stylelintcache
+
+# Microbundle cache
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variable files
+.env
+.env.development.local
+.env.test.local
+.env.production.local
+.env.local
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+.parcel-cache
+
+# Next.js build output
+.next
+out
+
+# Nuxt.js build / generate output
+.nuxt
+dist
+
+# Gatsby files
+.cache/
+# Comment in the public line in if your project uses Gatsby and not Next.js
+# https://nextjs.org/blog/next-9-1#public-directory-support
+# public
+
+# vuepress build output
+.vuepress/dist
+
+# vuepress v2.x temp and cache directory
+.temp
+.cache
+
+# Docusaurus cache and generated files
+.docusaurus
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# TernJS port file
+.tern-port
+
+# Stores VSCode versions used for testing VSCode extensions
+.vscode-test
+
+# yarn v2
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.*
+
+# Editor directories and files
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS generated files
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+
+# Local configuration files
+config/local.json
+config/development.json
+config/production.json
+
+# SSL certificates
+*.pem
+*.key
+*.crt
+
+# Database files
+*.db
+*.sqlite
+*.sqlite3
+
+# Temporary files
+tmp/
+temp/
+.tmp/
+
+# PM2 ecosystem file
+ecosystem.config.js
+
+# API keys and sensitive data
+secrets.json
+api-keys.json
+
+# Test results
+test-results/
+coverage/
+
+# Build artifacts
+build/
+dist/
+
+# Testing artifacts
+policy/

authzen/authzen-interop/README.md

@@ -0,0 +1,7 @@
+# AuthZEN Interop
+
+`./policy` contains the rego policies and data to be loaded into OPA to pass the AuthZEN interop scenario tests.
+
+```
+opa run -s -b policy --addr http://localhost:8181
+```

authzen/authzen-interop/policy/authzen/authzen.rego

@@ -0,0 +1,51 @@
+package authzen
+
+import rego.v1
+
+default allow["decision"] := false
+
+# Anyone can read users or todos
+allow["decision"] if input.action.name == "can_read_user"
+
+allow["decision"] if input.action.name == "can_read_todos"
+
+allow["decision"] if {
+	input.action.name == "can_create_todo"
+	can_create
+}
+
+allow["decision"] if {
+	input.action.name == "can_update_todo"
+	can_update
+}
+
+allow["decision"] if {
+	input.action.name == "can_delete_todo"
+	can_delete
+}
+
+user_is_admin if "admin" in data.users[input.subject.id].roles
+
+user_is_evil_genius if "evil_genius" in data.users[input.subject.id].roles
+
+user_is_editor if "editor" in data.users[input.subject.id].roles
+
+user_is_owner if input.resource.properties.ownerID == data.users[input.subject.id].email
+
+can_create if user_is_admin
+
+can_create if user_is_editor
+
+can_update if user_is_evil_genius
+
+can_update if {
+	user_is_editor
+	user_is_owner
+}
+
+can_delete if user_is_admin
+
+can_delete if {
+	user_is_editor
+	user_is_owner
+}

authzen/authzen-interop/policy/users/data.json

@@ -0,0 +1,37 @@
+{
+  "CiRmZDA2MTRkMy1jMzlhLTQ3ODEtYjdiZC04Yjk2ZjVhNTEwMGQSBWxvY2Fs": {
+    "id": "[email protected]",
+    "name": "Rick Sanchez",
+    "email": "[email protected]",
+    "roles": ["admin", "evil_genius"],
+    "picture": "https://www.topaz.sh/assets/templates/citadel/img/Rick%20Sanchez.jpg"
+  },
+  "CiRmZDM2MTRkMy1jMzlhLTQ3ODEtYjdiZC04Yjk2ZjVhNTEwMGQSBWxvY2Fs": {
+    "id": "[email protected]",
+    "name": "Beth Smith",
+    "email": "[email protected]",
+    "roles": ["viewer"],
+    "picture": "https://www.topaz.sh/assets/templates/citadel/img/Beth%20Smith.jpg"
+  },
+  "CiRmZDE2MTRkMy1jMzlhLTQ3ODEtYjdiZC04Yjk2ZjVhNTEwMGQSBWxvY2Fs": {
+    "id": "[email protected]",
+    "name": "Morty Smith",
+    "email": "[email protected]",
+    "roles": ["editor"],
+    "picture": "https://www.topaz.sh/assets/templates/citadel/img/Morty%20Smith.jpg"
+  },
+  "CiRmZDI2MTRkMy1jMzlhLTQ3ODEtYjdiZC04Yjk2ZjVhNTEwMGQSBWxvY2Fs": {
+    "id": "[email protected]",
+    "name": "Summer Smith",
+    "email": "[email protected]",
+    "roles": ["editor"],
+    "picture": "https://www.topaz.sh/assets/templates/citadel/img/Summer%20Smith.jpg"
+  },
+  "CiRmZDQ2MTRkMy1jMzlhLTQ3ODEtYjdiZC04Yjk2ZjVhNTEwMGQSBWxvY2Fs": {
+    "id": "[email protected]",
+    "name": "Jerry Smith",
+    "email": "[email protected]",
+    "roles": ["viewer"],
+    "picture": "https://www.topaz.sh/assets/templates/citadel/img/Jerry%20Smith.jpg"
+  }
+}

authzen/authzen-proxy/README.md

@@ -0,0 +1,9 @@
+# AuthZEN OPA Proxy
+
+This repository contains a proxy server in `node.js` that exposes an AuthZen compliant API
+while proxying requests and responses to an Open Policy Agent instance.
+
+```
+# Default values included
+OPA_URL=<http://localhost:8181> OPA_POLICY_PATH=<authzen/allow> npm install && npm start
+```

authzen/authzen-proxy/eslint.config.mjs

@@ -0,0 +1,10 @@
+import js from "@eslint/js";
+import globals from "globals";
+import { defineConfig } from "eslint/config";
+
+
+export default defineConfig([
+  { files: ["**/*.{js,mjs,cjs}"], plugins: { js }, extends: ["js/recommended"] },
+  { files: ["**/*.js"], languageOptions: { sourceType: "commonjs" } },
+  { files: ["**/*.{js,mjs,cjs}"], languageOptions: { globals: globals.node } },
+]);