Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generalize authorize chain element #200

Closed
edwarnicke opened this issue Apr 14, 2020 · 3 comments
Closed

Generalize authorize chain element #200

edwarnicke opened this issue Apr 14, 2020 · 3 comments
Assignees
@denis-tingaikin
Projects
Issue/PR tracking

Comments

@edwarnicke
Copy link
Member

edwarnicke commented Apr 14, 2020
edited
Loading

The current chain element looks only at the last token in the path chain. This is insufficient for the full spectrum of policy we are likely to want to enforce.

Expand on the authorize chain element by providing as its 'input' object:

  1. The Connection
  2. The TLSInfo (as retrieved by peer.FromContext for Server or grpc.Peer for the client)
  3. Operation - One of Request/Close
  4. Role - One of Client/Endpoint
@edwarnicke edwarnicke added this to To do in Issue/PR tracking via automation Apr 14, 2020
@edwarnicke
Copy link
Member Author

Related to #51

@edwarnicke edwarnicke mentioned this issue Apr 14, 2020
Closed
@lazyniv
Copy link
Member

lazyniv commented Apr 23, 2020

How do you think, do we need to add all of the TLSInfo.State content into the OPA input? Or we need to add only a X509SVID certificate from TLSInfo.State. I think that in our cases we only need a pem-encoded X509SVID certificate to verify the signature of the jwt token using the built-in OPA functions. Of course we also need to add the spiffeID from this certificate to OPA input

@edwarnicke
Copy link
Member Author

@lazyniv I think you are right on wrt just using the pem-encoded X509SVID :)

@lazyniv lazyniv mentioned this issue Apr 24, 2020
Merged
@lazyniv lazyniv mentioned this issue May 20, 2020
Closed
@edwarnicke edwarnicke moved this from To do to In progress in Issue/PR tracking Jun 9, 2020
@denis-tingaikin denis-tingaikin self-assigned this Jun 10, 2020
@denis-tingaikin denis-tingaikin mentioned this issue Jun 10, 2020
Merged
Issue/PR tracking automation moved this from In progress to Done Jun 16, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@denis-tingaikin denis-tingaikin

Labels
None yet
Projects
Issue/PR tracking
  
Done
Milestone
No milestone
Development

No branches or pull requests
3 participants
@edwarnicke @lazyniv @denis-tingaikin