Skip to content

fix: properly set casbin authz policy #6728

fix: properly set casbin authz policy

fix: properly set casbin authz policy #6728

Workflow file for this run

name: 'Checks'
env:
IS_RELEASE_BRANCH: ${{ startsWith(github.head_ref, 'release-please-') }}
on:
pull_request:
types:
- opened
- synchronize
- reopened
push:
branches:
- main
merge_group:
branches:
- main
types:
- checks_requested
workflow_call:
jobs:
go:
runs-on: ubuntu-22.04
permissions:
checks: write
contents: read
pull-requests: read
strategy:
matrix:
directory:
- examples
- sdk
- service
- lib/ocrypto
- lib/fixtures
- lib/flattening
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
fetch-depth: 0
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
with:
go-version-file: 'service/go.mod'
check-latest: false
cache-dependency-path: |
examples/go.sum
protocol/go/go.sum
sdk/go.sum
service/go.sum
- if: env.IS_RELEASE_BRANCH == 'true'
name: prevent depending on unreleased upstream changes
run: ./.github/scripts/work-init.sh
- if: github.head_ref == format('release-please--branches--main--components--{0}', matrix.directory)
name: prevent tagging with replace directives
run: go mod edit --json | jq -e '.Replace | not'
working-directory: ${{ matrix.directory }}
- run: go mod download
working-directory: ${{ matrix.directory }}
- run: go mod verify
working-directory: ${{ matrix.directory }}
- run: go work use .
if: env.IS_RELEASE_BRANCH == 'true'
working-directory: ${{ matrix.directory }}
- name: golangci-lint
uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86
with:
version: v1.61
working-directory: ${{ matrix.directory }}
skip-cache: true
args: --out-format=colored-line-number
- if: matrix.directory == 'service'
run: .github/scripts/init-temp-keys.sh
- run: go test ./... -short
working-directory: ${{ matrix.directory }}
- if: matrix.directory == 'service'
run: go test ./service/integration -race -failfast
- name: check go fmt and go mod tidy
run: |-
go mod tidy
go fmt ./...
git restore go.sum "${GITHUB_WORKSPACE}/go.work.sum"
working-directory: ${{ matrix.directory }}
- run: git diff
- run: git diff-files --ignore-submodules
- name: Check that files have been formatted before PR submission; see above for error details
run: git diff-files --quiet --ignore-submodules
if: env.IS_RELEASE_BRANCH == 'false'
integration:
name: integration tests
runs-on: ubuntu-22.04
env:
TLS_ENABLED: "true"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
with:
go-version-file: 'service/go.mod'
check-latest: false
cache-dependency-path: |
service/go.sum
examples/go.sum
protocol/go/go.sum
sdk/go.sum
- if: env.IS_RELEASE_BRANCH == 'true'
run: ./.github/scripts/work-init.sh
- run: go mod download
- run: go mod verify
- name: Install mkcert
run: |
sudo apt-get install -y libnss3-tools
curl -JLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64"
chmod +x mkcert-v*-linux-amd64
sudo cp mkcert-v*-linux-amd64 /usr/local/bin/mkcert
- run: |
.github/scripts/init-temp-keys.sh
mkcert -install
mkcert -cert-file ./keys/platform.crt -key-file ./keys/platform-key.pem localhost
cp opentdf-dev.yaml opentdf.yaml
yq eval '.server.tls.enabled = true' -i opentdf.yaml
- name: Added Trusted Certs
run: |
sudo chmod -R 777 ./keys
sudo apt-get install -y ca-certificates
sudo cp ./keys/localhost.crt /usr/local/share/ca-certificates
sudo update-ca-certificates
- run: docker compose up -d --wait --wait-timeout 240 || (docker compose logs && exit 1)
- run: go run ./service provision keycloak
- run: go run ./service provision fixtures
- uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635
name: start server in background
with:
run: >
go build -o opentdf -v service/main.go
&& .github/scripts/watch.sh opentdf.yaml ./opentdf start
wait-on: |
tcp:localhost:8080
log-output-if: true
wait-for: 90s
- run: go install github.com/fullstorydev/grpcurl/cmd/grpcurl@v1.8.9
- name: Setup Bats and bats libs
uses: bats-core/bats-action@3.0.0
- run: test/service-start.bats
- run: test/tdf-roundtrips.bats
- run: test/policy-service.bats
- name: create roundtrip test data and run tests
run: go test ./service/rttests -v
- name: enable static entitlements rego policy
run: yq eval '.services.authorization.rego.path = "./test/rego/static-entitlements.rego"' -i opentdf.yaml
- run: sleep 30
- name: validate static rego policy
run: test/rego/static-entitlements.bats
- name: enable custom entity rego policy
run: yq eval '.services.authorization.rego.path = "./test/rego/custom-entity.rego"' -i opentdf.yaml
- run: sleep 30
- name: validate custom entity rego policy
run: test/rego/custom-entity.bats
image:
name: image build
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: docker/setup-buildx-action@v3
- uses: docker/build-push-action@v6.3.0
with:
context: .
file: ./Dockerfile
push: false
platform-xtest:
uses: opentdf/tests/.github/workflows/xtest.yml@main
with:
# use commit instead of ref so we can "go get" specific sdk version
platform-ref: ${{ github.event.pull_request.head.sha || github.sha }}
# test latest otdfctl CLI 'main' against platform PR branch
otdfctl-test:
name: otdfctl e2e tests
runs-on: ubuntu-latest
steps:
- uses: opentdf/platform/test/start-up-with-containers@main
with:
platform-ref: ${{ github.event.pull_request.head.sha || github.sha }}
- uses: opentdf/otdfctl/e2e@main
with:
otdfctl-ref: 'main'
buflint:
name: Protocol Buffer Lint and Gencode Up-to-date check
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: bufbuild/buf-setup-action@62ee92603c244ad0da98bab36a834a999a5329e6
with:
github_token: ${{ github.token }}
- uses: bufbuild/buf-lint-action@06f9dd823d873146471cfaaf108a993fe00e5325
with:
input: service
- uses: bufbuild/buf-breaking-action@c57b3d842a5c3f3b454756ef65305a50a587c5ba
with:
input: service
against: 'https://github.com/opentdf/platform.git#branch=main,subdir=service'
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
with:
go-version-file: 'service/go.mod'
check-latest: false
cache-dependency-path: |
service/go.sum
protocol/go/go.sum
sdk/go.sum
examples/go.sum
- run: cd service && go get github.com/pseudomuto/protoc-gen-doc/cmd/protoc-gen-doc
- run: cd service && go install github.com/pseudomuto/protoc-gen-doc/cmd/protoc-gen-doc
- run: make proto-generate
- name: Restore go.mod after installing protoc-gen-doc
run: git restore {service,protocol/go}/go.{mod,sum}
- name: validate go mod tidy
run: |-
cd protocol/go
go mod tidy
git restore go.sum "${GITHUB_WORKSPACE}/go.work.sum"
- run: git diff
- run: git diff-files --ignore-submodules
- name: Check that make proto-generate has run before PR submission; see above for error details
run: git diff-files --quiet --ignore-submodules
ci:
needs:
- buflint
- go
- image
- integration
- license
- platform-xtest
- otdfctl-test
runs-on: ubuntu-22.04
if: ${{ !cancelled() }}
steps:
- if: contains(needs.*.result, 'failure')
run: echo "Failed due to ${{ contains(needs.*.result, 'failure') }}" && exit 1
license:
name: license check
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
with:
go-version-file: 'service/go.mod'
check-latest: false
cache: false
- name: install go-licenses
run: go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e
- name: check service licenses
run: >
go-licenses check --disallowed_types=forbidden --include_tests
./service
- name: check sdk licenses
run: >
go-licenses check --disallowed_types=forbidden --include_tests
./sdk
- name: check examples licenses
run: >
go-licenses check --disallowed_types=forbidden --include_tests
./examples