AuthZEN Access service (#540)

AuthZEN Access Service, ReBAC implementation of evaluation and evaluations API
aserto-dev · Feb 17, 2025 · e9ced22 · e9ced22
1 parent f44a43c
commit e9ced22
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 2 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -14,6 +14,7 @@
     "asertotesting",
     "atesting",
     "authz",
+    "authzen",
     "authzproto",
     "barkimedes",
     "bbolt",

diff --git a/go.mod b/go.mod
@@ -18,7 +18,7 @@ require (
 	github.com/aserto-dev/go-aserto v0.33.6
 	github.com/aserto-dev/go-authorizer v0.20.13
 	github.com/aserto-dev/go-directory v0.33.4
-	github.com/aserto-dev/go-edge-ds v0.33.9
+	github.com/aserto-dev/go-edge-ds v0.33.10
 	github.com/aserto-dev/go-grpc v0.9.4
 	github.com/aserto-dev/go-topaz-ui v0.1.19
 	github.com/aserto-dev/header v0.0.10
@@ -79,6 +79,7 @@ require (
 	github.com/agnivade/levenshtein v1.2.0 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 	github.com/aserto-dev/go-decision-logs v0.1.4 // indirect
+	github.com/authzen/access.go v0.0.0-20250123041208-d58afed67b50 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bufbuild/protovalidate-go v0.8.2 // indirect
 	github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 // indirect

diff --git a/go.sum b/go.sum
@@ -429,6 +429,10 @@ github.com/aserto-dev/go-directory v0.33.4 h1:LhAL0RGKB7L2dm4hjAYVeuUhsu+EreYTUv
 github.com/aserto-dev/go-directory v0.33.4/go.mod h1:p0wsjtpBBW2huPDgi6I8OqfhwJWyMRqJHlwPVb3kTSM=
 github.com/aserto-dev/go-edge-ds v0.33.9 h1:Y25wiIvIKo7uahOX5gLk2WweqGcfYFerBUnhlLAR3JU=
 github.com/aserto-dev/go-edge-ds v0.33.9/go.mod h1:Pm0JvA0CI/ctpk8krSQIZH2JSoLrh5DIam2dS9uyXvQ=
+github.com/aserto-dev/go-edge-ds v0.33.10-0.20250217090537-8dbf991d1f2e h1:B/1awou31nD9789dSRsPgcvlfnBFcDaramVna+7SZsM=
+github.com/aserto-dev/go-edge-ds v0.33.10-0.20250217090537-8dbf991d1f2e/go.mod h1:XraGxYRN0vpFdIUpVNJ2yV3CYJx+XUQNOcvv0tcuSJ0=
+github.com/aserto-dev/go-edge-ds v0.33.10 h1:LIi502/NxssxFf6/J8+3tue/Pmx8HD8eaXBQqqplcQw=
+github.com/aserto-dev/go-edge-ds v0.33.10/go.mod h1:XraGxYRN0vpFdIUpVNJ2yV3CYJx+XUQNOcvv0tcuSJ0=
 github.com/aserto-dev/go-grpc v0.9.4 h1:d5n1vOptiKw0wmIt6nhT0Us2ANjKBCYpSQ7+0r9Ll2s=
 github.com/aserto-dev/go-grpc v0.9.4/go.mod h1:R2bxW+34GuqclhWOnpTzEA9cIc9ay1U3WAOqS1a4TR8=
 github.com/aserto-dev/go-topaz-ui v0.1.19 h1:e+HViPk8mdrpb8AnxDydvd6VK/tVq+sa3ICBAN22RCc=
@@ -445,6 +449,8 @@ github.com/aserto-dev/runtime v1.1.0 h1:NMYHWMMjpnaQK+FWGXbVl56W+h071xDTWJyboCFj
 github.com/aserto-dev/runtime v1.1.0/go.mod h1:e6L/MB7t/IqU9fw9SA92D1L3pnDqvJE9gzOr2kcKhHk=
 github.com/aserto-dev/self-decision-logger v0.0.11 h1:390I9vzgoJr8lx+ysGB5ULDNuf91J6HzPJO7sC3dVNI=
 github.com/aserto-dev/self-decision-logger v0.0.11/go.mod h1:jgUEIc4s9i36JaZOneGI6Jyz/TIyzvTROJ9UsWZQOvk=
+github.com/authzen/access.go v0.0.0-20250123041208-d58afed67b50 h1:dcMm0TeleGlIttio5NqVo4RwquGIS3S4mn//hs2hhfI=
+github.com/authzen/access.go v0.0.0-20250123041208-d58afed67b50/go.mod h1:l+wym4Tax3t4UDb/usaRSr1lECxuSoTIoE1JRz0U4HA=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=

diff --git a/pkg/app/edgedir.go b/pkg/app/edgedir.go
@@ -3,6 +3,8 @@ package app
 import (
 	"context"
 	"net/http"
+	"os"
+	"strconv"
 
 	dse3 "github.com/aserto-dev/go-directory/aserto/directory/exporter/v3"
 	dsi3 "github.com/aserto-dev/go-directory/aserto/directory/importer/v3"
@@ -14,6 +16,8 @@ import (
 	dsOpenAPI "github.com/aserto-dev/openapi-directory/publish/directory"
 	builder "github.com/aserto-dev/topaz/pkg/service/builder"
 
+	dsa1 "github.com/authzen/access.go/api/access/v1"
+
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	"github.com/samber/lo"
 	"google.golang.org/grpc"
@@ -23,12 +27,17 @@ type EdgeDir struct {
 	dir *directory.Directory
 }
 
+const (
+	EnvTopazAuthZEN = "TOPAZ_AUTHZEN"
+)
+
 const (
 	modelService    = "model"
 	readerService   = "reader"
 	writerService   = "writer"
 	exporterService = "exporter"
 	importerService = "importer"
+	accessService   = "access"
 )
 
 func NewEdgeDir(edge *directory.Directory) (ServiceTypes, error) {
@@ -45,7 +54,7 @@ func (e *EdgeDir) Cleanups() []func() {
 }
 
 func (e *EdgeDir) AvailableServices() []string {
-	return []string{modelService, readerService, writerService, exporterService, importerService}
+	return []string{modelService, readerService, writerService, exporterService, importerService, accessService}
 }
 
 func (e *EdgeDir) GetGRPCRegistrations(services ...string) builder.GRPCRegistrations {
@@ -55,6 +64,9 @@ func (e *EdgeDir) GetGRPCRegistrations(services ...string) builder.GRPCRegistrat
 		}
 		if lo.Contains(services, readerService) {
 			dsr3.RegisterReaderServer(server, e.dir.Reader3())
+			if authZEN, _ := strconv.ParseBool(os.Getenv(EnvTopazAuthZEN)); authZEN {
+				dsa1.RegisterAccessServer(server, e.dir.Access1())
+			}
 		}
 		if lo.Contains(services, writerService) {
 			dsw3.RegisterWriterServer(server, e.dir.Writer3())
@@ -84,6 +96,12 @@ func (e *EdgeDir) GetGatewayRegistration(services ...string) builder.HandlerRegi
 			if err != nil {
 				return err
 			}
+			if authZEN, _ := strconv.ParseBool(os.Getenv(EnvTopazAuthZEN)); authZEN {
+				err := dsa1.RegisterAccessHandlerFromEndpoint(ctx, mux, grpcEndpoint, opts)
+				if err != nil {
+					return err
+				}
+			}
 		}
 		if lo.Contains(services, writerService) {
 			err := dsw3.RegisterWriterHandlerFromEndpoint(ctx, mux, grpcEndpoint, opts)