opentdf / platform

OpenTDF Platform monorepo enabling the development and integration of _forever control_ of data into new and existing applications. The concept of forever control stems from an increasingly common concept known as zero trust.
BSD 3-Clause Clear License

KAS upsert url is not exposed by casbin policy #993

Closed jakedoublev closed 1 week ago

jakedoublev commented 2 weeks ago

If KAS does its own auth validation, perhaps all KAS routes should be public?

Route /kas/v2/upsert is not covered by default casbin policy and appears to be completely inaccessible (at least over HTTP).

```
platform-1                           | time=2024-06-14T20:51:24.890Z level=DEBUG msg="matching route" route=/healthz path=/kas/kas_public_key matched=false
platform-1                           | time=2024-06-14T20:51:24.890Z level=DEBUG msg="matching route" route=/.well-known/opentdf-configuration path=/kas/kas_public_key matched=false
platform-1                           | time=2024-06-14T20:51:24.890Z level=DEBUG msg="matching route" route=/kas/kas_public_key path=/kas/kas_public_key matched=true
platform-1                           | time=2024-06-14T20:51:24.890Z level=INFO msg="⚠️ Ignoring the" "key id"=unknown
platform-1                           | time=2024-06-14T20:51:24.934Z level=DEBUG msg="grpc handler func" proto_major=2 content_type=""
platform-1                           | time=2024-06-14T20:51:24.936Z level=DEBUG msg="grpc handler func" proto_major=2 content_type=application/json
platform-1                           | time=2024-06-14T20:51:24.937Z level=DEBUG msg="matching route" route=/grpc.health.v1.Health/Check path=/kas/v2/upsert matched=false
platform-1                           | time=2024-06-14T20:51:24.937Z level=DEBUG msg="matching route" route=/wellknownconfiguration.WellKnownService/GetWellKnownConfiguration path=/kas/v2/upsert matched=false
platform-1                           | time=2024-06-14T20:51:24.937Z level=DEBUG msg="matching route" route=/kas.AccessService/PublicKey path=/kas/v2/upsert matched=false
platform-1                           | time=2024-06-14T20:51:24.937Z level=DEBUG msg="matching route" route=/healthz path=/kas/v2/upsert matched=false
platform-1                           | time=2024-06-14T20:51:24.937Z level=DEBUG msg="matching route" route=/.well-known/opentdf-configuration path=/kas/v2/upsert matched=false
platform-1                           | time=2024-06-14T20:51:24.937Z level=DEBUG msg="matching route" route=/kas/kas_public_key path=/kas/v2/upsert matched=false
platform-1                           | time=2024-06-14T20:51:24.937Z level=DEBUG msg="matching route" route=/kas/v2/kas_public_key path=/kas/v2/upsert matched=false
platform-1                           | time=2024-06-14T20:51:24.938Z level=DEBUG msg="building subject from token" token="&{mu:0x40008e50f8 dc:<nil> options:0 audience:[http://localhost:8080 tdf-entity-resolution realm-management account] expiration:0x40013c8a98 issuedAt:0x40013c8ae0 issuer:0x40013e3090 jwtID:0x40013e3050 notBefore:<nil> subject:0x40013e3150 privateClaims:map[acr:1 allowed-origins:[*] azp:opentdf-client email:test@test.com email_verified:false family_name:hello given_name:world name:world hello preferred_username:hello-world realm_access:map[roles:[opentdf-org-admin default-roles-opentdf offline_access uma_authorization]] resource_access:map[account:map[roles:[manage-account manage-account-links view-profile]] realm-management:map[roles:[view-users view-clients query-clients query-groups query-users]] tdf-entity-resolution:map[roles:[entity-resolution-test-role]]] scope:openid email profile session_state:a6f7f416-abae-4ab6-832f-c13332cc1f9f sid:a6f7f416-abae-4ab6-832f-c13332cc1f9f typ:Bearer]}"
platform-1                           | time=2024-06-14T20:51:24.938Z level=DEBUG msg="extracting roles from token" token="&{mu:0x40008e50f8 dc:<nil> options:0 audience:[http://localhost:8080 tdf-entity-resolution realm-management account] expiration:0x40013c8a98 issuedAt:0x40013c8ae0 issuer:0x40013e3090 jwtID:0x40013e3050 notBefore:<nil> subject:0x40013e3150 privateClaims:map[acr:1 allowed-origins:[*] azp:opentdf-client email:test@test.com email_verified:false family_name:hello given_name:world name:world hello preferred_username:hello-world realm_access:map[roles:[opentdf-org-admin default-roles-opentdf offline_access uma_authorization]] resource_access:map[account:map[roles:[manage-account manage-account-links view-profile]] realm-management:map[roles:[view-users view-clients query-clients query-groups query-users]] tdf-entity-resolution:map[roles:[entity-resolution-test-role]]] scope:openid email profile session_state:a6f7f416-abae-4ab6-832f-c13332cc1f9f sid:a6f7f416-abae-4ab6-832f-c13332cc1f9f typ:Bearer]}"
platform-1                           | time=2024-06-14T20:51:24.938Z level=DEBUG msg="root claim found" claim=realm_access.roles claims="map[roles:[opentdf-org-admin default-roles-opentdf offline_access uma_authorization]]"
platform-1                           | time=2024-06-14T20:51:24.938Z level=DEBUG msg="checking role" role=opentdf-org-admin map=readonly
platform-1                           | time=2024-06-14T20:51:24.938Z level=DEBUG msg="checking role" role=opentdf-org-admin map=admin
platform-1                           | time=2024-06-14T20:51:24.938Z level=DEBUG msg="checking role" role=opentdf-org-admin map=org-admin
platform-1                           | time=2024-06-14T20:51:24.938Z level=DEBUG msg="checking role" role=default-roles-opentdf map=admin
platform-1                           | time=2024-06-14T20:51:24.938Z level=DEBUG msg="checking role" role=default-roles-opentdf map=org-admin
platform-1                           | time=2024-06-14T20:51:24.938Z level=DEBUG msg="checking role" role=default-roles-opentdf map=readonly
platform-1                           | time=2024-06-14T20:51:24.938Z level=DEBUG msg="checking role" role=offline_access map=readonly
platform-1                           | time=2024-06-14T20:51:24.938Z level=DEBUG msg="checking role" role=offline_access map=admin
platform-1                           | time=2024-06-14T20:51:24.938Z level=DEBUG msg="checking role" role=offline_access map=org-admin
platform-1                           | time=2024-06-14T20:51:24.938Z level=DEBUG msg="checking role" role=uma_authorization map=org-admin
platform-1                           | time=2024-06-14T20:51:24.938Z level=DEBUG msg="checking role" role=uma_authorization map=readonly
platform-1                           | time=2024-06-14T20:51:24.938Z level=DEBUG msg="checking role" role=uma_authorization map=admin
platform-1                           | time=2024-06-14T20:51:24.938Z level=INFO msg="enforcing policy" subject=role:org-admin resource=/kas/v2/upsert action=write
platform-1                           | time=2024-06-14T20:51:24.938Z level=WARN msg="permission denied" azp=4c4ee84a-cdab-4843-a637-2a91b440a5b9 error="permission denied"
```
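The log above shows the two stages the request went through: first a public-route match (none for `/kas/v2/upsert`), then a deny-by-default casbin enforcement for `role:org-admin`. The following Go program, added here as an illustration and not code from the opentdf/platform repository or the issue author, reproduces that flow and adds a coverage check that lists routes no role can reach. It reimplements casbin's `keyMatch` wildcard semantics instead of importing casbin, the public-route list is copied from the log, and the policy rules (`role:admin`, `role:org-admin`, `role:readonly` over `/policy/*`) and the route list are constructed for this example rather than taken from the platform's shipped policy.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one casbin-style p-rule: which subject may perform which action on
// which resource pattern. The rules in defaultPolicy are constructed for this
// example; they are not the platform's actual default policy.
type Rule struct {
	Sub, Obj, Act string
}

// keyMatch follows casbin's keyMatch semantics: a '*' in the pattern matches
// any remainder of the path, so "/policy/*" matches "/policy/attributes".
func keyMatch(path, pattern string) bool {
	i := strings.Index(pattern, "*")
	if i == -1 {
		return path == pattern
	}
	if len(path) > i {
		return path[:i] == pattern[:i]
	}
	return path == pattern[:i]
}

// publicRoutes are the HTTP routes the log shows being tested before policy
// enforcement; a request to one of them never reaches casbin.
var publicRoutes = []string{
	"/healthz",
	"/.well-known/opentdf-configuration",
	"/kas/kas_public_key",
	"/kas/v2/kas_public_key",
}

// defaultPolicy is a constructed stand-in that, like the behaviour reported
// in the issue, covers the policy service but says nothing about /kas/v2/upsert.
var defaultPolicy = []Rule{
	{"role:admin", "/policy/*", "*"},
	{"role:org-admin", "/policy/*", "*"},
	{"role:readonly", "/policy/*", "read"},
}

func isPublic(path string) bool {
	for _, r := range publicRoutes {
		if r == path {
			return true
		}
	}
	return false
}

// Enforce mirrors the "enforcing policy" step: allowed when the route is public
// or some rule grants (sub, obj, act). With no matching rule the answer is deny,
// which is the "permission denied" line at the end of the log.
func Enforce(rules []Rule, sub, path, act string) bool {
	if isPublic(path) {
		return true
	}
	for _, r := range rules {
		if r.Sub == sub && keyMatch(path, r.Obj) && (r.Act == "*" || r.Act == act) {
			return true
		}
	}
	return false
}

// UncoveredRoutes is the defender's check: routes that are neither public nor
// reachable by any listed role with the given action, i.e. routes that are
// "completely inaccessible" as the issue describes.
func UncoveredRoutes(rules []Rule, roles, routes []string, act string) []string {
	var out []string
	for _, route := range routes {
		reachable := false
		for _, role := range roles {
			if Enforce(rules, role, route, act) {
				reachable = true
				break
			}
		}
		if !reachable {
			out = append(out, route)
		}
	}
	return out
}

func main() {
	roles := []string{"role:admin", "role:org-admin", "role:readonly"}
	routes := []string{"/kas/kas_public_key", "/kas/v2/upsert", "/policy/attributes"} // constructed
	fmt.Println("uncovered with default policy:", UncoveredRoutes(defaultPolicy, roles, routes, "write"))

	// The remedy is either an explicit rule for the path or a public-route entry,
	// whichever the service's own auth model calls for.
	fixed := append(append([]Rule{}, defaultPolicy...), Rule{"role:org-admin", "/kas/v2/upsert", "write"})
	fmt.Println("uncovered after adding a rule:", UncoveredRoutes(fixed, roles, routes, "write"))
}
```

Running the coverage check against the full route table at startup or in CI turns a silent gap like this one into a failing test, which is cheaper to notice than a `permission denied` on a client call.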
strantalis commented 2 weeks ago

@jakedoublev KAS does not support upsert. I believe that's for remote policies but not 100% on that.

jakedoublev commented 2 weeks ago

Interesting. I was seeing calls to it from within the TDF3Client consumed from opentdf/client-web. Monday I plan to test working around upsert and will submit a PR if I find a good path forward. The ins and outs of KAS flows are not something I’m intimately familiar with.

strantalis commented 1 week ago

@dmihalcik-virtru Will probably have more insights into this as well.

jakedoublev commented 1 week ago

Closing as the offline config option in opentdf/client-web works for browser-driven encrypt and skips the unsupported upsert call.