Prepare input for OPA

[lazyniv]

Now OPA input provides the following objects:

1. All information about connection (usage: input.connection.[...]. For example, a token from zero path segment we can get as input.connection.path.path_segments[0].token)
2. The TLSInfo (as retrieved by peer.FromContext for Server or grpc.Peer for the Client) which contains the following data:
   • "certificate" -- is a pem encoded x509cert (usage: input.auth_info.certificate)
   • "spiffe_id" -- is a spiffeID from SVIDX509Certificate (usage: input.auth_info.spiffe_id)
3. "operation" -- one of request/close (usage: input.operation)
4. "role" -- one of client/endpoint (usage: input.role)

An example of using OPA input for the case of token signature verification

package test 
default allow = false    
allow { 
   token := input.connection.path.path_segments[0].token  
   cert := input.auth_info.certificate  
   io.jwt.verify_es256(token, cert) # signature verification  
}

Motivation #200

Signed-off-by: Dmitry Vlasov dmitry.vlasov@xored.com

[edwarnicke]

package test 
default allow = false    
allow { 
   token := input.connection.path.path_segments[0].token  
   cert := input.auth_info.certificate  
   io.jwt.verify_es256(token, cert) # signature verification  
}```

Before the line:

cert := input.auth_info.certificate

We need something to *validate* the cert.

Note: This is not a commentary on the code at all... it's just a comment on what we need to do in the policy :)

[edwarnicke]

Tell me what you are thinking about the "role" parameter :)

[lazyniv]

@edwarnicke I don't understand what the authorization client chain element should do. Please can you explain some usage cases when we need to use authorization client? Authz server is handle policies by using connection and tls info from context, but what authz client should do?

[edwarnicke]

Client-side authorization is used to decide if you trust who is providing you the Network Service.

Client-side authorization would also use OPA to do authorization based on the TLSInfo and Connection... but in this case its the Connection returned from its Request call.

[lazyniv]

@edwarnicke What do you think about operation and role parameters? In my implementation of OPA input we just pass these parameters to OPA as strings in authorization chain element. What do you think about of this approach?