feat: add rule to check if service account is valid#303
Open
tpoliaw wants to merge 4 commits into
Conversation
ZohebShaikh requested changes on May 12, 2026
ZohebShaikh (Collaborator) left a comment
The rego policy logic looks correct
| "tiled-writer" in token.claims.aud | ||
| not token.claims.fedid | ||
| } | ||
|
|
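Review bot: `not token.claims.fedid` in this rule succeeds both when the `fedid` claim is absent and when it is present with the value `false`, because Rego's `not` treats undefined and false alike; if the intent is "the token carries no fedid claim at all", state that explicitly with `not "fedid" in object.keys(token.claims)` or document that a false value counts as absent. The `"tiled-writer" in token.claims.aud` membership test also assumes `aud` is an array; a string-valued `aud` (which the JWT spec allows for a single audience) would leave the expression undefined, so such tokens fail closed with no reason reported.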
Collaborator
Errors should be used to give the reason why the policy has failed, without leaking any privileged information.
I see this pattern emerging:
```python
from typing import Any

import requests


class AuthZError(Exception):
    pass


class OPADecision(..):
    ...

    def _make_call_to_opa(self, endpoint: str, input: dict[str, str], expected_result: Any = True) -> None:
        # OPA's Data API expects the input document wrapped as {"input": ...}
        response = requests.post(endpoint, json={"input": input})
        # the policy returns the decision plus, on failure, a non-sensitive reason
        result = response.json().get("result", {})
        decision, error = result.get("decision"), result.get("error")
        if decision == expected_result:
            return
        raise AuthZError(f"{error}")

    def delete_task(self, ....):
        self._make_call_to_opa(....)
        # successful authz
        return blueapi.delete_task()
```
This might be better than having exception handling in every func like this:

```python
def delete_task(....):
    decision = _make_call_to_opa(....)
    if decision != True:
        raise AuthZError("Cannot delete this awesome task")
    # successful authz
    return blueapi.delete_task()
```
Another example I can think of is when we were debugging numtracker and there was an extra “/” in the issuer, which caused JWT verification to fail. If we had received a clearer error message from OPA, the debugging process would have been much simpler.
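A worked version of the central-helper pattern discussed in the comment above, added here as an example and not code from this PR or from blueapi. It assumes a policy that returns `{"allow": bool, "reason": str}` under OPA's `result` key, an undefined rule answering `{}` (fail closed), and an injectable transport so the deny path can be exercised offline without an OPA server:

```python
import json
from typing import Any, Callable
from urllib.request import Request, urlopen

# Assumed response shape (not from the PR): the policy exposes {"allow": bool, "reason": str};
# OPA wraps it as {"result": {...}} and returns {} when the rule is undefined.
Transport = Callable[[str, dict[str, Any]], dict[str, Any]]

class AuthZError(Exception):
    """Denied by policy; the message is OPA's stated reason, never the token itself."""

def http_transport(url: str, body: dict[str, Any]) -> dict[str, Any]:
    """POST `body` to OPA's Data API and return the parsed JSON document."""
    req = Request(url, data=json.dumps(body).encode(), headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=5) as resp:
        return json.load(resp)

def fake_transport(response: dict[str, Any]) -> Transport:
    """Constructed transport for offline use: always returns the canned `response`."""
    return lambda url, body: response

class OPADecision:
    def __init__(self, base_url: str, transport: Transport = http_transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.transport = transport

    def require(self, rule_path: str, input_doc: dict[str, Any], expected: Any = True) -> None:
        """Raise AuthZError unless OPA's decision for `rule_path` equals `expected`."""
        url = f"{self.base_url}/v1/data/{rule_path.strip('/')}"
        result = self.transport(url, {"input": input_doc}).get("result")
        if result is None:
            raise AuthZError("policy returned no decision")  # undefined rule: fail closed
        if isinstance(result, dict):
            decision, reason = result.get("allow"), result.get("reason", "denied by policy")
        else:
            decision, reason = result, "denied by policy"  # bare boolean rule
        if decision != expected:
            raise AuthZError(reason)

def delete_task(opa: OPADecision, claims: dict[str, Any], task_id: str) -> str:
    """Handler with no inline exception handling: the helper raises on denial."""
    opa.require("blueapi/authz/delete_task", {"token": {"claims": claims}, "task_id": task_id})
    return f"deleted {task_id}"  # stands in for blueapi.delete_task()

def try_delete(opa: OPADecision, claims: dict[str, Any], task_id: str) -> str:
    """Outcome as text, for callers (and tests) that do not want the exception."""
    try:
        return delete_task(opa, claims, task_id)
    except AuthZError as err:
        return f"denied: {err}"
```

The rule path, input layout and reason strings are placeholders; a real deployment swaps `fake_transport` for `http_transport` pointed at the OPA sidecar.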
Collaborator
Author
Where would this go in the module if there end up being multiple rules? How would you distinguish between causes of errors?
The package no longer has a link to tiled by default