From 7defe392f2ac96e1b1d761b426fc834d6a4eb2e9 Mon Sep 17 00:00:00 2001
From: Garry O'Donnell
Date: Tue, 19 Mar 2024 12:29:03 +0000
Subject: [PATCH 1/2] Authorize on proposal and session membership

---
 .devcontainer/docker-compose.yml | 2 +-
 policy/system.rego | 19 ++++++++++++++++++-
 policy/token.rego | 26 ++++++++++++++++++++++++++
 3 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 policy/token.rego

diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
index d237c02..dd84f49 100644
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@@ -27,7 +27,7 @@ services:
 - ../policy/:/policy:cached,z
 env_file: opa.env
 environment:
- JWKS_ENDPOINT: https://authn.diamond.ac.uk/realms/master/protocol/openid-connect/certs
+ SKIP_AUTHORIZATION: true
 
 ispyb:
 image: ghcr.io/diamondlightsource/ispyb-database:v3.0.0
diff --git a/policy/system.rego b/policy/system.rego
index 0b9d475..a24e532 100644
--- a/policy/system.rego
+++ b/policy/system.rego
@@ -1,11 +1,28 @@
 package system
 
+import data.token.claims
 import rego.v1
 
 main := {"allow": allow}
 
 default allow := false
 
+# Allow if the SKIP_AUTHORIZATION environment variable is set and a preset token is supplied
 allow if {
- input.token == "ValidToken"
+ opa.runtime().env.SKIP_AUTHORIZATION
+ input.token == "ValidToken"
+}
+
+# Allow if on proposal which contains session
+allow if {
+ some proposal_number in data.diamond.data.subjects[claims.fedid].proposals
+ proposal_number == input.proposal
+}
+
+# Allow if directly on session
+allow if {
+ some session_id in data.diamond.data.subjects[claims.fedid].sessions
+ session := data.diamond.data.sessions[session_id]
+ session.proposal_number == input.proposal
+ session.visit_number == input.visit
 }
diff --git a/policy/token.rego b/policy/token.rego
new file mode 100644
index 0000000..b2d70d6
--- /dev/null
+++ b/policy/token.rego
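Review bot: `SKIP_AUTHORIZATION: true` on the added line is a bare YAML boolean under `environment`; the container only ever receives a string, and older Compose releases reject non-string values there outright, so write it as `SKIP_AUTHORIZATION: "true"`. The policy side reads the variable through `opa.runtime().env` as a string anyway, so quoting changes nothing at runtime while making the intended value explicit. Since `JWKS_ENDPOINT` is dropped here, this compose file no longer exercises the JWT path in `policy/token.rego` at all; a one-line comment on the service such as `# Development only: OPA runs with authorization bypassed, the JWT path is not exercised` would save the next person from debugging a silent bypass.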
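Review bot: The bypass rule's first condition, `opa.runtime().env.SKIP_AUTHORIZATION`, is satisfied by any value the variable holds — environment values are strings and a defined non-`false` term is truthy in Rego — so `SKIP_AUTHORIZATION=false` or `=0` still enables the `"ValidToken"` bypass; the rule is presence-based rather than value-based. Compare the value explicitly, `opa.runtime().env.SKIP_AUTHORIZATION == "true"`, and word the comment above the rule to match, e.g. `# Allow if SKIP_AUTHORIZATION is exactly "true" and the preset development token is supplied`. The two membership rules below fail closed as written: with no verified token `claims` is undefined, both rules are undefined, and `default allow := false` applies.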
@@ -0,0 +1,26 @@
+package token
+
+fetch_jwks(url) := http.send({
+ "url": jwks_url,
+ "method": "GET",
+ "force_cache": true,
+ "force_cache_duration_seconds": 3600,
+})
+
+jwks_endpoint := opa.runtime().env.JWKS_ENDPOINT
+
+token_unverified := io.jwt.decode(input.token)
+
+token_jwt_header := token_unverified[0]
+
+jwks_url := concat("?", [jwks_endpoint, urlquery.encode_object({"kid": token_jwt_header.kid})])
+
+jwks := fetch_jwks(jwks_url).raw_body
+
+token := token_unverified
+
+if {
+ io.jwt.verify_rs256(input.token, jwks)
+}
+
+claims := token[1]

From b2ae8200983005f814d283a02657df2d147cb2a5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 19 Mar 2024 12:30:21 +0000
Subject: [PATCH 2/2] Bump clap from 4.5.2 to 4.5.3

Bumps [clap](https://github.com/clap-rs/clap) from 4.5.2 to 4.5.3.
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v4.5.2...v4.5.3)

---
updated-dependencies:
- dependency-name: clap
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 Cargo.lock | 32 +++++++++++++++++++------------
 sessions/Cargo.toml | 2 +-
 2 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index ec8eae8..5e7f283 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -595,9 +595,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "4.5.2"
+version = "4.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b230ab84b0ffdf890d5a10abdbc8b83ae1c4918275daea1ab8801f71536b2651"
+checksum = "949626d00e063efc93b6dca932419ceb5432f99769911c0b995f7e884c778813"
 dependencies = [
 "clap_builder",
 "clap_derive",
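Review bot: `policy/token.rego` has no `import rego.v1` (or `future.keywords.if`), so on any OPA release where `if` is not a default keyword — every release before 1.0, which the March 2024 date makes likely — the blank-line-separated `if { io.jwt.verify_rs256(input.token, jwks) }` parses as an unrelated boolean rule named `if`, `token := token_unverified` becomes unconditional, and `claims := token[1]` hands the unverified payload to the membership rules in `system.rego`; the layout is exactly what `opa fmt` emits for two separate rules, which supports that reading. Add `import rego.v1` and join the head to its body, `token := token_unverified if {`, and note that even then `io.jwt.verify_rs256` checks only the signature, leaving `exp`, `nbf`, `iss` and `aud` unvalidated. The rewrite below derives `claims` from `io.jwt.decode_verify`, which checks the signature and the validity window and accepts `iss`/`aud` constraints once the expected values are configured, and drops the `token` rule since only `claims` is imported. Separately, `fetch_jwks(url)` ignores its `url` argument in favour of the module-level `jwks_url`, which `opa check --strict` may flag; the body should use `"url": url,`.
```rego
package token

import rego.v1

fetch_jwks(url) := http.send({
	"url": url,
	# … unchanged: method and cache settings …
})

# … unchanged: jwks_endpoint, token_unverified, token_jwt_header, jwks_url, jwks …

# claims is defined only when the signature verifies against the fetched JWKS and the
# token is inside its exp/nbf window; add "iss"/"aud" constraints once the expected values are known.
claims := verified[2] if {
	verified := io.jwt.decode_verify(input.token, {"cert": jwks, "alg": "RS256"})
	verified[0]
}
```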
@@ -617,11 +617,11 @@ dependencies = [
 
 [[package]]
 name = "clap_derive"
-version = "4.5.0"
+version = "4.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "307bc0538d5f0f83b8248db3087aa92fe504e4691294d0c96c0eabc33f47ba47"
+checksum = "90239a040c80f5e14809ca132ddc4176ab33d5e17e49691793296e3fcb34d72f"
 dependencies = [
- "heck",
+ "heck 0.5.0",
 "proc-macro2",
 "quote",
 "syn 2.0.52",
@@ -1151,6 +1151,12 @@ dependencies = [
 "unicode-segmentation",
 ]
 
+[[package]]
+name = "heck"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
+
 [[package]]
 name = "hermit-abi"
 version = "0.3.9"
@@ -1797,7 +1803,7 @@ version = "0.17.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ec4c6225c69b4ca778c0aea097321a64c421cf4577b331c61b229267edabb6f8"
 dependencies = [
- "heck",
+ "heck 0.4.1",
 "proc-macro-error",
 "proc-macro2",
 "quote",
@@ -2368,7 +2374,7 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3bd3534a9978d0aa7edd2808dc1f8f31c4d0ecd31ddf71d997b3c98e9f3c9114"
 dependencies = [
- "heck",
+ "heck 0.4.1",
 "proc-macro-error",
 "proc-macro2",
 "quote",
@@ -2409,7 +2415,7 @@ version = "0.12.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "515fb555cbbe586cd2c251a39fbc6d0e52a84b353dd63c4320205553b865ac81"
 dependencies = [
- "heck",
+ "heck 0.4.1",
 "proc-macro2",
 "quote",
 "sea-query",
@@ -2423,7 +2429,7 @@ version = "0.12.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ec13bfb4c4aef208f68dbea970dd40d13830c868aa8dcb4e106b956e6bb4f2fa"
 dependencies = [
- "heck",
+ "heck 0.4.1",
 "proc-macro2",
 "quote",
 "sea-bae",
@@ -2471,7 +2477,7 @@ version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "25a82fcb49253abcb45cdcb2adf92956060ec0928635eb21b4f7a6d8f25ab0bc"
 dependencies = [
- "heck",
+ "heck 0.4.1",
 "proc-macro2",
 "quote",
 "syn 2.0.52",
@@ -2497,7 +2503,7 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c6f686050f76bffc4f635cda8aea6df5548666b830b52387e8bc7de11056d11e"
 dependencies = [
- "heck",
+ "heck 0.4.1",
 "proc-macro2",
 "quote",
 "syn 1.0.109",
@@ -2779,7 +2785,7 @@ checksum = "5833ef53aaa16d860e92123292f1f6a3d53c34ba8b1969f152ef1a7bb803f3c8"
 dependencies = [
 "dotenvy",
 "either",
- "heck",
+ "heck 0.4.1",
 "hex",
 "once_cell",
 "proc-macro2",
@@ -2964,7 +2970,7 @@ version = "0.25.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "23dc1fa9ac9c169a78ba62f0b841814b7abae11bdd047b9c58f893439e309ea0"
 dependencies = [
- "heck",
+ "heck 0.4.1",
 "proc-macro2",
 "quote",
 "rustversion",
diff --git a/sessions/Cargo.toml b/sessions/Cargo.toml
index 05294b4..8bae3f1 100644
--- a/sessions/Cargo.toml
+++ b/sessions/Cargo.toml
@@ -14,7 +14,7 @@ async-graphql-axum = { version = "7.0.2" }
 axum = { version = "0.7.4" }
 axum-extra = { version = "0.9.2", features = ["typed-header"] }
 chrono = { version = "0.4.35" }
-clap = { version = "4.5.2", features = ["derive", "env"] }
+clap = { version = "4.5.3", features = ["derive", "env"] }
 dotenvy = { version = "0.15.7" }
 models = { path = "../models" }
 opentelemetry = { version = "0.22.0", features = ["metrics"] }