Skip to content

feat: add rule to check if service account is valid #303

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tpoliaw wants to merge 1 commit into
base: main
Choose a base branch
from
+28 −0
Open

feat: add rule to check if service account is valid #303

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions policy/diamond/policy/tiled/tiled.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,14 @@ scopes := {
"tiled-writer" in token.claims.aud
}

default service_account_for_beamline := false

Comment on lines +26 to +27
Copy link
Copy Markdown
Collaborator

@ZohebShaikh ZohebShaikh May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be moved into a folder name blueapi.
As this authZ check will only be made by blueapi and not by tiled

service_account_for_beamline if {
input.beamline == token.claims.beamline
"tiled-writer" in token.claims.aud
not token.claims.fedid
}

Copy link
Copy Markdown
Collaborator

@ZohebShaikh ZohebShaikh May 12, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

errors should be used to give the reason why the policy has failed without leaking any privileged information.

I see this pattern emerging

class OPADecision(..):
	...
	
	def _make_call_to_opa(endpoint,expected_result:Any=True,input:dict[str,str]):
		response = request.post(endpoint,input)
		
		(decision,error) = from response
		if decision == expected_result:
			return;
		if decision != expected_result:
			raise AuthZError(f"{error}")
	
	def delete_task(....):
		_make_call_to_opa(....)
		# successful authz
		return blueapi.delete_task()

This might be better than having exception handling in every func like this

	def delete_task(....):
		decision = _make_call_to_opa(....)
		if decision != True:
			raise AuthZError("Cannot delete this awesome task")
		if decision == True:
			return blueapi.delete_task()

Another example I can think of is when we were debugging numtracker and there was an extra “/” in the issuer, which caused JWT verification to fail. If we had received a clearer error message from OPA, the debugging process would have been much simpler.

_session := data.diamond.data.proposals[format_int(input.proposal, 10)].sessions[format_int(input.visit, 10)]

# Returns the session ID if the subject has write permissions for the
Expand Down
20 changes: 20 additions & 0 deletions policy/diamond/policy/tiled/tiled_test.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -175,3 +175,23 @@ test_user_session_tags_service_account if {
tiled.user_sessions == set() with data.diamond.data as diamond_data
with data.diamond.policy.token.claims as {"beamline": "b007"}
}

test_service_account_if_beamline_matches if {
tiled.service_account_for_beamline with input as {"beamline": "i22"}
with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"]}
}

test_not_service_account_if_beamline_mismatch if {
not tiled.service_account_for_beamline with input as {"beamline": "b21"}
with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"]}
}

test_not_service_account_if_missing_aud if {
not tiled.service_account_for_beamline with input as {"beamline": "i22"}
with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["blueapiCli"]}
}

test_not_service_account_if_fedid_present if {
not tiled.service_account_for_beamline with input as {"beamline": "i22"}
with data.diamond.policy.token.claims as {"beamline": "i22", "aud": ["tiled-writer"], "fedid": "abc12345"}
}
Loading