
eko / authz


๐Ÿ›ก๏ธ Authorization backend that comes with a UI for RBAC and ABAC permissions

Home Page: https://authz.fr

License: MIT License

Makefile 0.62% Go 57.75% Gherkin 6.10% HTML 2.17% JavaScript 0.52% TypeScript 32.58% CSS 0.11% Shell 0.02% Dockerfile 0.13%
abac auth authentication authorization authorizer backend frontend management rbac

authz's Introduction

Hi 👋

I'm Vincent. I have worked with open source for many years and I love to discover, contribute and share new things with other developers!


💬 Feedback

Everyone likes feedback! So if you are using one of my projects, please do not hesitate to make your voice heard.


authz's People

Contributors

dependabot[bot], eko, ltagliamonte


authz's Issues

Can't install Go SDK

env:

go version
go version go1.19.4 darwin/amd64

~env | grep GO
GOBIN=/Users/ltagliamonte/go/bin
GOPATH=/Users/ltagliamonte/go

Following the instructions at this link, I get an import error:

go get github.com/eko/authz/sdk@latest
go: github.com/eko/authz/[email protected]: reading github.com/eko/authz/backend/go.mod at revision backend/v0.0.0: unknown revision backend/v0.0.0

No luck either when trying:

go get -u github.com/eko/authz/sdk
go: downloading github.com/eko/authz/sdk v0.0.0-20230430134208-23688ec53c7c
go: downloading github.com/eko/authz v0.8.1
go: github.com/eko/authz/[email protected]: reading github.com/eko/authz/backend/go.mod at revision backend/v0.0.0: unknown revision backend/v0.0.0

Prevent Resources to be auto created by Policies

The creation of a Policy auto creates the associated Resource.
In terms of user experience it sort of hides the required connection between a Policy and a Resource object.
How to replicate:

docker run --rm \
    -e database_driver=sqlite \
    -e database_name=:memory: \
    -p 8080:8080 \
    -p 8081:8081 \
    -p 3000:80 \
    ekofr/authz:v0.8.3-standalone

Log in to http://localhost:3000/ with the default username/pwd.

Navigate to: Policies -> Create New Policy
Fill the Form and Submit:
Name: deploy
Association: deploy.*
Actions: get

Navigate to Resources and the Resource deploy got automatically created.

Restricted Admin Access and Field Checks in Authz

Hello @eko,

I am working with Authz for managing authorizations across several applications, and I've encountered an issue related to restricted admin access and custom field checks.
I have several administrators for multiple applications, including Authz. I wish to allow these admins to access Authz, but with the restriction that they can only add new principals and assign them roles specific to their application. To implement this, I've added a custom field (e.g., application1=true) in the principal entity.

For role assignment, I've created roles with policies that check for the existence of this new field in the principal and restrict all access except for the principal list. However, when logging in with this new admin user, I expected to see the principal list but instead received an "access denied" error.

Questions/Requests:
Usecase Feasibility: Is my use case possible with Authz's current capabilities? Specifically, can I restrict admin users to only add new principals and assign roles based on a custom field in the principal?

Custom Field Checks: In addition to checking for equality, is there a way to implement a "contains" check for custom fields in Authz? This feature would be particularly useful for scenarios where a principal might belong to multiple applications.

Steps to Reproduce:

  1. Create a principal with a custom field (e.g., application1=true).
  2. Assign a role to this principal with policies that allow listing principals but restrict other accesses, checking for the custom field.
  3. Log in as the principal and attempt to access the principal list.

Expected Behavior:
The admin user should be able to see and manage the principal list based on the custom field's condition.

Actual Behavior:
Received an "access denied" error when attempting to access the principal list.

I appreciate any guidance or suggestions you can provide to resolve these issues or implement these features.

GoFiber Middleware

Hello @eko I was wondering if you have thought about making a contrib GoFiber middleware for authz?

Prevent admin user deletion

Currently it is possible to delete the admin user, effectively making an installation useless.
It would be nice to have a check to prevent the admin user from being deleted.

Steps to reproduce:

  • login
  • select User tab
  • select Bin icon next to admin user
  • select Ok
