Is there an existing issue for this?

• [X] I have searched the existing issues

Current Behavior

Following is my configuration file

---
server:
  httpListenAddr: ":3598"


storage:
  driver: "git"
  git:
    protocol: ssh
    url: github.com:xxxx/access-policies.git // our private repo
    branch: main
    subDir: policies
    checkoutDir: /Users/admin/Documents/execs/cerbos/tmp
    updatePollInterval: 60s
    ssh:
      user: git
      privateKeyFile: /Users/admin/Documents/execs/cerbos/keys/id_rsa // deploy private key 

./cerbos server --config=config.yaml

2021-12-21T09:56:24.182+0530	INFO	cerbos.server	maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined
2021-12-21T09:56:24.220+0530	INFO	cerbos.git.store	Cloning git repo from github.com:xxxx/access-policies.git	{"dir": "/Users/admin/Documents/execs/cerbos/tmp"}
2021-12-21T09:56:25.005+0530	ERROR	cerbos.git.store	Failed to initialize git store	{"dir": "/Users/admin/Documents/execs/cerbos/tmp", "error": "failed to clone from github.com:xxxx/access-policies.git to /Users/admin/Documents/execs/cerbos/tmp: ssh: handshake failed: knownhosts: key mismatch"}
2021-12-21T09:56:25.005+0530	INFO	cerbos.server	maxprocs: No GOMAXPROCS change to reset
ERROR: failed to create store: failed to clone from github.com:xxxx/access-policies.git to /Users/admin/Documents/execs/cerbos/tmp: ssh: handshake failed: knownhosts: key mismatch

Is there an option to set ignore hostkey check?.

I tried cloning the repo using the above private key and it work. No issue there.

Expected Behavior

It should clone the repo

Steps To Reproduce

Set the config.yaml to use git storage

---
server:
  httpListenAddr: ":3598"


storage:
  driver: "git"
  git:
    protocol: ssh
    url: github.com:xxxx/access-policies.git
    branch: main
    subDir: policies
    checkoutDir: /Users/admin/Documents/execs/cerbos/tmp
    updatePollInterval: 60s
    ssh:
      user: git
      privateKeyFile: /Users/admin/Documents/execs/cerbos/keys/id_rsa

Start cerbos using the above config

./cerbos server --config=config.yaml

Environment

- OS: MacOS
- Cerbos version: cerbos version 0.10.0
Built on 2021-11-16T12:52:36Z from b24701bb75b135518117f7d56a2d8680f9a59450

Anything else?

No response

Documentation restructuring work. Working doc can be found here.

This PR represents the first phase of the work, and mostly encompasses merging the book.cerbos.dev guide, and other restructuring.

Changes

• book.cerbos.dev content is now in the Getting started section, including a dedicated What is Cerbos section, along with the "Cerbforce" tutorial
• Removed old Getting Started -> Usage section, as it's now covered by the merged content
• Temporarily removed old Getting Started -> Quickstart section, need to find a new home for this, or remove entirely
• Removed references to "Cerbforce" in What is Cerbos
• Telemetry section now resides inside Configuration section
• Renamed top level Tutorials to Recipes
• Made merged book.* content now uses native links

Signed-off-by: Sam Lock [email protected]

Checklist

• [x] The PR title has the correct prefix
• [ ] PR is linked to the corresponding issue
• [x] All commits are signed-off (git commit -s ...) to provide the DCO

Git should be the default storage backend.

Things to consider:

• Should cloud providers be integrated? (E.g. provide GitHub/GitLab/BitBucket token to integrate with them directly via webhooks etc.)
• Refresh rate/change detection (currently no good way in Linux to watch recursive directory changes)
• Credential management (how to keep them secure)

Description

Currently, policy tests are table tests for a multiple principals and a single resource - you specify a resource in the input, and principals in the expectations.

This PR adds the possibility to write tests for

• a single principal and a single resource
• a single principal and multiple resources
• multiple principals and resources

It works by requiring test inputs to include either principal or principals, and either resource or resources. Expectations specify principal and resource to identify the subject under test - these can be omitted when using the singular principal/resource in the input. An expectation for a principal-resource pairing can be omitted, in which case it's treated as implicitly expecting EFFECT_DENY for all actions for that pair.

There is a breaking change here - existing tests will have to be updated to include the principals list in input. This allows us to be strict about only including expectations for things that were included in the input. Attempting to keep this backwards compatible introduced too much complexity (both in the implementation and in the documentation - it is difficult to justify being allowed to expect something to be output that wasn't specified in the inputs!).

Sometimes users need to filter a list of things to figure out what they have access to. For example, from a list of 100 documents, which ones do I have access to?

At the moment we have two check APIs - check, and check_resource_batch.

For the most part, check (which takes a homogeneous list of resources) is just a special case of check_resource_batch (which takes a heterogeneous list of resources).

However, check accepts includeMeta but check_resource_batch does not. Also, the response formats are quite different, making it nontrivial to replace one call with the other.

There is a cognitive load for anyone consuming the API to decide which call they need. A single unified API would be simpler to understand.

We should introduce a new unified API based on check_resource_batch, which should also

• support includeMeta
• return resource: { kind, id } rather than resourceId (to account for cases where different kinds of resource have the same id, originally proposed in https://github.com/cerbos/cerbos/issues/695)

The existing check and check_resource_batch APIs should be gradually deprecated

• reduce their prominence in the documentation (a separate "deprecated" section/page?) and add a notice to point users to the new API
• add a deprecation warning to the PDP logs

Services are expected to support TLS by default in modern environments so we need to make sure that can be easily achieved.

• User-provided certificates
  • It is important that the app is able to detect when the certificate changes and reload it. I have seen this problem a lot in production. Rolling certificates is hard and usually results in downtime so we need to make sure this is easy.
• ACME certs
  • Potentially a premium feature
  • Not sure how useful it is for internally deployed services like ours. Need more data to go on.
• Service meshes
  • Usually this just involves switching off TLS at the application level and letting the mesh sidecar handle everything
  • Maybe support client certicate authentication as a premium feature

We need to generate audit logs to keep track of all the authz decisions made by the system. They need to be written somewhere safe to prevent modification by attackers. (Could be as simple as using a container mounted volume that the users provide)

On macOS 13, github.com/rjeczalik/notify has started throwing deprecation warnings during compilation.

# github.com/rjeczalik/notify
cgo-gcc-prolog:217:2: warning: 'FSEventStreamScheduleWithRunLoop' is deprecated: first deprecated in macOS 13.0 - Use FSEventStreamSetDispatchQueue instead. [-Wdeprecated-declarations]
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/Frameworks/CoreServices.framework/Frameworks/FSEvents.framework/Headers/FSEvents.h:1138:1: note: 'FSEventStreamScheduleWithRunLoop' has been explicitly marked deprecated here

It doesn't appear to be actively maintained, so we probably need to find an alternative.

Is there an existing issue for this?

• [X] I have searched the existing issues

Feature description

We can enhance the list policies method by adding filtering. So, the implementation details are quite settled as we discussed before. The filtering can be done after all policies have been fetched from the store. With this, we won't need to maintain filtering logic across different store implementations. For the first iteration, the performance cost can be negligible.

So, how the filtering fields should look like? From the command line tool (cerbosctl) the filtering for cerbosctl can adopt a similar fashion with the kubectl. Taken this into consideration, as we discussed here we can leverage filtering with field selectors against policies.

1. We can add basic filtering (e.g. policy kinds).
   • the kind filter should accept multiple kinds
   • disabled field (this needs confirmation)
2. We can add advanced filtering with the field selectors.
   • filter field with an exact match (the flag can be --field-eq for this type of filtering)
   • filter field with wildcard match (the flag can be --field-match for this type)
   • search arguments should be in the form of <field>=<value>. For instance, if someone is looking "foo" in the resource policy description they should provide --field-match resourcePolicy.description=foo. Or, if they want to search "foo" among all policy kinds --field-match description=foo.

The API method should take either a list of basic filters or a list of advanced filters as the parameter. One thing we should consider is that whether the filter kinds above are forced to be used separately.

What would the ideal solution look like to you?

For demonstration purposes, I am going to exemplify this with the cerbosctl output. The ticket includes work on both API method and the cli tool.

Current Impl. when we list the policies

$ cerbosctl list
NAME              KIND           DEPENDENCIES      VERSION   
donald_duck       PRINCIPAL      -                 20210210  
leave_request     RESOURCE       my_derived_roles  20210210  
leave_request     RESOURCE                         staging   
my_derived_roles  DERIVED_ROLES  -                 -     

We should be able to filter by kind like this:

$ cerbosctl list --kind principal
NAME              KIND           DEPENDENCIES      VERSION   
donald_duck       PRINCIPAL      -                 20210210  

Or, by field match like this:

$ cerbosctl list --field-eq resourcePolicy.resource=leave_request
NAME              KIND           DEPENDENCIES      VERSION   
leave_request     RESOURCE       my_derived_roles  20210210  
leave_request     RESOURCE                         staging   

Anything else?

I'd like to link #136 here as this is a subset of that ticket.

Description

Adds List Policies endpoint to the admin API.

Part of #136

Checklist

• [x] The PR title has the correct prefix
• [x] PR is linked to the corresponding issue
• [x] All commits are signed-off (git commit -s ...) to provide the DCO

This PR contains the following updates:

| Package | Type | Update | Change | |---|---|---|---| | github.com/alecthomas/chroma | require | major | v0.10.0 -> v2.4.0 | | github.com/cespare/xxhash | require | major | v1.1.0 -> v2.2.0 | | github.com/lyft/protoc-gen-star | require | major | v0.6.2 -> v2.0.1 |

Release Notes

Configuration

📅 Schedule: Branch creation - "before 3am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

• [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

This PR contains the following updates:

| Package | Type | Update | Change | |---|---|---|---| | github.com/aws/aws-sdk-go | require | patch | v1.44.171 -> v1.44.175 | | github.com/go-git/go-git/v5 | require | patch | v5.5.1 -> v5.5.2 | | github.com/goreleaser/goreleaser | require | patch | v1.14.0 -> v1.14.1 | | github.com/minio/minio-go/v7 | require | patch | v7.0.45 -> v7.0.46 | | github.com/pterm/pterm | require | patch | v0.12.51 -> v0.12.53 | | github.com/rivo/tview | require | digest | 1dc4a83 -> 892d1a2 | | golang.org/x/crypto | require | minor | v0.4.0 -> v0.5.0 | | golang.org/x/net | require | minor | v0.4.0 -> v0.5.0 | | golang.org/x/tools | require | minor | v0.4.0 -> v0.5.0 | | google.golang.org/genproto | require | digest | f9683d7 -> a12b697 | | google.golang.org/protobuf | require | digest | b2a7dfe -> a8d446d | | modernc.org/sqlite | require | patch | v1.20.0 -> v1.20.2 |

Release Notes

Configuration

📅 Schedule: Branch creation - "before 3am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

Follows from #1403

We currently don't display the name of the test case in the output produced by the test runner. It would be useful to have that information displayed to help users link the results back to a particular test case they wrote.

One way to do this would be to group the results by test name first. However, if the JSON output also has to change to accommodate this (I haven't checked), then that would be a breaking change. In that case, let's evaluate whether we should go ahead with that breaking change or come up with an alternative.

CEL now has optional support behind a feature flag. https://github.com/google/cel-spec/wiki/proposal-246

https://github.com/google/cel-go/blob/32ac6133c6b8eca8bb76e17e6ad50a1eb757778a/cel/cel_test.go#L1879

This can be quite useful for writing policy rules because it simplifies the complicated presence checks that would otherwise be required.

We need to investigate how this affects the query planner though.

Buf ultimately didn't accept my PR to handle only rejecting newly-introduced breaking changes: https://github.com/bufbuild/buf-breaking-action/pull/18#issuecomment-1298708171

We should investigate an alternative way to handle this by running their action twice and processing the output.