refactor(jans-cedarling): update AuthZ interface to use tokens for all JWTs sent as input

docs/cedarling/cedarling-authz.md

@@ -56,24 +56,25 @@ this is a sample request from a hypothetical application:
 
 ```js
 input = { 
-           "access_token": "eyJhbGc....", 
-           "id_token": "eyJjbGc...", 
-           "userinfo_token": "eyJjbGc...",
-           "tx_token": "eyJjbGc...",
-           "action": "View",
-           "resource": {
-                          "id": "ticket-10101",
-                          "type" : "Ticket",
-                          "owner": "[email protected]", 
-                          "org_id": "Acme"
-                        },
-           "context": {
-                       "ip_address": "54.9.21.201",
-                       "network_type": "VPN",
-                       "user_agent": "Chrome 125.0.6422.77 (Official Build) (arm64)",
-                       "time": "1719266610.98636",
-                      }
-         }
+  "tokens": {
+    "access_token": "eyJhbGc....", 
+    "id_token": "eyJjbGc...", 
+    "userinfo_token": "eyJjbGc...",
+  },
+    "action": "View",
+    "resource": {
+      "id": "ticket-10101",
+      "type" : "Ticket",
+      "owner": "[email protected]", 
+      "org_id": "Acme"
+    },
+      "context": {
+        "ip_address": "54.9.21.201",
+        "network_type": "VPN",
+        "user_agent": "Chrome 125.0.6422.77 (Official Build) (arm64)",
+        "time": "1719266610.98636",
+      }
+    }
 
 decision_result = authz(input)
 ```

jans-cedarling/bindings/cedarling_python/PYTHON_TYPES.md

@@ -113,12 +113,10 @@ authorization data with access token, action, resource, and context.
 
 Attributes
 ----------  
+:param tokens: A class containing the JWTs what will be used for the request.  
 :param action: The action to be authorized.  
 :param resource: Resource data (wrapped `ResourceData` object).  
-:param context: Python dictionary with additional context.  
-:param access_token: (Optional) The access token string.  
-:param id_token: (Optional) The id token string.  
-:param userinfo_token: (Optional) The userinfo token string.
+:param context: Python dictionary with additional context.
 
 Example
 -------

jans-cedarling/bindings/cedarling_python/cedarling_python.pyi

@@ -128,21 +128,28 @@ class Cedarling:
 
 @final
 class Request:
+    tokens: Tokens
     action: str
     resource: ResourceData
     context: Dict[str, Any]
-    access_token: str | None
-    id_token: str | None
-    userinfo_token: str | None
 
     def __init__(self,
-                 access_token: str,
-                 id_token: str,
-                 userinfo_token: str,
+                 tokens: Tokens,
                  action: str,
                  resource: ResourceData,
                  context: Dict[str, Any]) -> None: ...
 
+@final
+class Tokens:
+    access_token: str | None
+    id_token: str | None
+    userinfo_token: str | None
+
+    def __init__(self,
+                 access_token: str | None,
+                 id_token: str | None,
+                 userinfo_token: str | None) -> None: ...
+
 
 @final
 class ResourceData:

jans-cedarling/bindings/cedarling_python/example.py

@@ -3,7 +3,7 @@
 #
 # Copyright (c) 2024, Gluu, Inc.
 
-from cedarling_python import BootstrapConfig
+from cedarling_python import BootstrapConfig, Tokens
 from cedarling_python import Cedarling
 from cedarling_python import ResourceData, Request
 import time
@@ -189,9 +189,7 @@
 action = 'Jans::Action::"Read"'
 
 request = Request(
-    access_token,
-    id_token,
-    userinfo_token,
+    tokens=Tokens(access_token, id_token, userinfo_token),
     action=action,
     resource=resource, context=context)
 

jans-cedarling/bindings/cedarling_python/pyproject.toml

@@ -4,7 +4,6 @@ build-backend = "maturin"
 
 [project]
 name = "cedarling_python"
-version = "0.0.0"
 requires-python = ">=3.8"
 classifiers = [
     "Programming Language :: Rust",

jans-cedarling/bindings/cedarling_python/src/authorize/mod.rs

@@ -22,6 +22,7 @@ pub fn register_entities(m: &Bound<'_, PyModule>) -> PyResult<()> {
     m.add_class::<decision::Decision>()?;
     m.add_class::<resource_data::ResourceData>()?;
     m.add_class::<request::Request>()?;
+    m.add_class::<request::Tokens>()?;
     m.add_class::<authorize_result_response::AuthorizeResultResponse>()?;
     m.add_class::<authorize_result::AuthorizeResult>()?;
 

jans-cedarling/bindings/cedarling_python/src/authorize/request.rs

@@ -20,12 +20,10 @@ use serde_pyobject::from_pyobject;
 ///
 /// Attributes
 /// ----------
+/// :param tokens: A class containing the JWTs what will be used for the request.
 /// :param action: The action to be authorized.
 /// :param resource: Resource data (wrapped `ResourceData` object).
 /// :param context: Python dictionary with additional context.
-/// :param access_token: (Optional) The access token string.
-/// :param id_token: (Optional) The id token string.
-/// :param userinfo_token: (Optional) The userinfo token string.
 ///
 /// Example
 /// -------
@@ -35,12 +33,7 @@ use serde_pyobject::from_pyobject;
 /// ```
 #[pyclass(get_all, set_all)]
 pub struct Request {
-    /// Access token raw value
-    pub access_token: Option<String>,
-    /// Id token raw value
-    pub id_token: Option<String>,
-    /// Userinfo token raw value
-    pub userinfo_token: Option<String>,
+    pub tokens: Tokens,
     /// cedar_policy action
     pub action: String,
     /// cedar_policy resource data
@@ -49,14 +42,39 @@ pub struct Request {
     pub context: Py<PyDict>,
 }
 
+/// Tokens
+/// =======
+///
+/// A Python wrapper for the Rust `cedarling::Token` struct. Contains the JWTs
+/// that will be used for the AuthZ request.
+///
+/// Attributes
+/// ----------
+/// :param access_token: (Optional) The access token string.
+/// :param id_token: (Optional) The id token string.
+/// :param userinfo_token: (Optional) The userinfo token string.
+///
+/// Example
+/// -------
+/// ```python
+/// tokens = Request("your_access_tkn", "your_id_tkn", "your_userinfo_tkn")
+/// ```
+#[derive(Clone)]
+#[pyclass(get_all, set_all)]
+pub struct Tokens {
+    /// Access token raw value
+    pub access_token: Option<String>,
+    /// Id token raw value
+    pub id_token: Option<String>,
+    /// Userinfo token raw value
+    pub userinfo_token: Option<String>,
+}
+
 #[pymethods]
-impl Request {
+impl Tokens {
     #[new]
-    #[pyo3(signature = (action, resource, context, access_token=None, id_token=None, userinfo_token=None))]
+    #[pyo3(signature = (access_token, id_token, userinfo_token))]
     fn new(
-        action: String,
-        resource: ResourceData,
-        context: Py<PyDict>,
         access_token: Option<String>,
         id_token: Option<String>,
         userinfo_token: Option<String>,
@@ -65,13 +83,34 @@ impl Request {
             access_token,
             id_token,
             userinfo_token,
+        }
+    }
+}
+
+#[pymethods]
+impl Request {
+    #[new]
+    #[pyo3(signature = (tokens, action, resource, context))]
+    fn new(tokens: Tokens, action: String, resource: ResourceData, context: Py<PyDict>) -> Self {
+        Self {
+            tokens,
             action,
             resource,
             context,
         }
     }
 }
 
+impl From<Tokens> for cedarling::Tokens {
+    fn from(tokens: Tokens) -> Self {
+        Self {
+            access_token: tokens.access_token,
+            id_token: tokens.id_token,
+            userinfo_token: tokens.userinfo_token,
+        }
+    }
+}
+
 impl Request {
     pub fn to_cedarling(&self) -> Result<cedarling::Request, PyErr> {
         let context = Python::with_gil(|py| -> Result<serde_json::Value, PyErr> {
@@ -82,9 +121,7 @@ impl Request {
         })?;
 
         Ok(cedarling::Request {
-            access_token: self.access_token.clone(),
-            id_token: self.id_token.clone(),
-            userinfo_token: self.userinfo_token.clone(),
+            tokens: self.tokens.clone().into(),
             action: self.action.clone(),
             resource: self.resource.clone().into(),
             context,

jans-cedarling/bindings/cedarling_python/tests/test_authorize.py

@@ -3,7 +3,7 @@
 #
 # Copyright (c) 2024, Gluu, Inc.
 
-from cedarling_python import Cedarling
+from cedarling_python import Cedarling, Tokens
 from cedarling_python import ResourceData, Request, authorize_errors
 from config import load_bootstrap_config
 
@@ -115,9 +115,7 @@ def test_authorize_ok():
     })
 
     request = Request(
-        access_token=ACCESS_TOKEN,
-        id_token=ID_TOKEN,
-        userinfo_token=USERINFO_TOKEN,
+        tokens=Tokens(ACCESS_TOKEN, ID_TOKEN, USERINFO_TOKEN),
         action='Jans::Action::"Update"',
         context={}, 
         resource=resource,
@@ -172,9 +170,7 @@ def raise_authorize_error(bootstrap_config):
     })
 
     request = Request(
-        access_token=ACCESS_TOKEN,
-        id_token=ID_TOKEN,
-        userinfo_token=USERINFO_TOKEN,
+        tokens=Tokens(ACCESS_TOKEN, ID_TOKEN, USERINFO_TOKEN),
         action='Jans::Action::"Update"',
         context={}, resource=resource)
 

jans-cedarling/cedarling/examples/authorize_with_jwt_validation.rs

@@ -8,7 +8,7 @@ use std::collections::{HashMap, HashSet};
 use cedarling::{
     AuthorizationConfig, BootstrapConfig, Cedarling, IdTokenTrustMode, JwtConfig, LogConfig,
     LogLevel, LogTypeConfig, PolicyStoreConfig, PolicyStoreSource, Request, ResourceData,
-    TokenValidationConfig, WorkloadBoolOp,
+    TokenValidationConfig, Tokens, WorkloadBoolOp,
 };
 use jsonwebtoken::Algorithm;
 
@@ -61,9 +61,11 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     // on a specific resource. Each token (access, ID, and userinfo) is required for the
     // authorization process, alongside resource and action details.
     let result = cedarling.authorize(Request {
-        access_token: Some(access_token),
-        id_token: Some(id_token),
-        userinfo_token: Some(userinfo_token),
+        tokens: Tokens {
+            access_token: Some(access_token),
+            id_token: Some(id_token),
+            userinfo_token: Some(userinfo_token),
+        },
         action: "Jans::Action::\"Update\"".to_string(),
         context: serde_json::json!({}),
         resource: ResourceData {

jans-cedarling/cedarling/examples/authorize_without_jwt_validation.rs

@@ -7,7 +7,7 @@ use std::collections::HashMap;
 
 use cedarling::{
     AuthorizationConfig, BootstrapConfig, Cedarling, JwtConfig, LogConfig, LogLevel, LogTypeConfig,
-    PolicyStoreConfig, PolicyStoreSource, Request, ResourceData, WorkloadBoolOp,
+    PolicyStoreConfig, PolicyStoreSource, Request, ResourceData, Tokens, WorkloadBoolOp,
 };
 
 static POLICY_STORE_RAW: &str = include_str!("../../test_files/policy-store_ok.yaml");
@@ -112,9 +112,11 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     let userinfo_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FkbWluLXVpLXRlc3QuZ2x1dS5vcmciLCJzdWIiOiJib0c4ZGZjNU1LVG4zN283Z3NkQ2V5cUw4THBXUXRnb080MW0xS1p3ZHEwIiwiY2xpZW50X2lkIjoiNWI0NDg3YzQtOGRiMS00MDlkLWE2NTMtZjkwN2I4MDk0MDM5IiwiYXVkIjoiNWI0NDg3YzQtOGRiMS00MDlkLWE2NTMtZjkwN2I4MDk0MDM5IiwidXNlcm5hbWUiOiJhZG1pbkBnbHV1Lm9yZyIsIm5hbWUiOiJEZWZhdWx0IEFkbWluIFVzZXIiLCJlbWFpbCI6ImFkbWluQGdsdXUub3JnIiwiY291bnRyeSI6IlVTIiwianRpIjoidXNyaW5mb190a25fanRpIn0.NoR53vPZFpfb4vFk85JH9RPx7CHsaJMZwrH3fnB-N60".to_string();
 
     let result = cedarling.authorize(Request {
-        access_token: Some(access_token),
-        id_token: Some(id_token),
-        userinfo_token: Some(userinfo_token),
+        tokens: Tokens {
+            access_token: Some(access_token),
+            id_token: Some(id_token),
+            userinfo_token: Some(userinfo_token),
+        },
         action: "Jans::Action::\"Update\"".to_string(),
         context: serde_json::json!({}),
         resource: ResourceData {

jans-cedarling/cedarling/src/authz/entities/create.rs

@@ -435,6 +435,6 @@ pub enum CreateCedarEntityError {
     UnavailableToken,
 
     /// Missing claim
-    #[error("{0} Entity creation failed: no available token to build the entity from")]
+    #[error("missing claim: {0}")]
     MissingClaim(String),
 }

jans-cedarling/cedarling/src/authz/entities/workload.rs

@@ -43,7 +43,6 @@ pub fn create_workload_entity(
     for (token_kind, token, key) in [
         (TokenKind::Access, tokens.access_token.as_ref(), "client_id"),
         (TokenKind::Id, tokens.id_token.as_ref(), "aud"),
-        (TokenKind::Userinfo, tokens.userinfo_token.as_ref(), "aud"),
     ] {
         match try_create_entity(token_kind, token, key) {
             Ok(entity) => return Ok(entity),
@@ -233,7 +232,7 @@ mod test {
         let result = create_workload_entity(entity_mapping, &policy_store, &tokens)
             .expect_err("expected to error while creating workload entity");
 
-        assert_eq!(result.errors.len(), 3);
+        assert_eq!(result.errors.len(), 2);
         for (_tkn_kind, err) in result.errors.iter() {
             assert!(
                 matches!(err, CreateCedarEntityError::UnavailableToken),

jans-cedarling/cedarling/src/authz/mod.rs

@@ -34,12 +34,12 @@ use std::time::Instant;
 pub use authorize_result::AuthorizeResult;
 use cedar_policy::{ContextJsonError, Entities, Entity, EntityUid};
 use entities::{
-    CEDAR_POLICY_SEPARATOR, CreateCedarEntityError, CreateUserEntityError,
-    CreateWorkloadEntityError, DecodedTokens, ResourceEntityError, RoleEntityError,
     create_resource_entity, create_role_entities, create_token_entities, create_user_entity,
-    create_workload_entity,
+    create_workload_entity, CreateCedarEntityError, CreateUserEntityError,
+    CreateWorkloadEntityError, DecodedTokens, ResourceEntityError, RoleEntityError,
+    CEDAR_POLICY_SEPARATOR,
 };
-use merge_json::{MergeError, merge_json_values};
+use merge_json::{merge_json_values, MergeError};
 use request::Request;
 use serde_json::Value;
 
@@ -87,16 +87,19 @@ impl Authz {
         request: &'a Request,
     ) -> Result<DecodedTokens<'a>, AuthorizeError> {
         let access_token = request
+            .tokens
             .access_token
             .as_ref()
             .map(|tkn| self.config.jwt_service.process_token(TokenStr::Access(tkn)))
             .transpose()?;
         let id_token = request
+            .tokens
             .id_token
             .as_ref()
             .map(|tkn| self.config.jwt_service.process_token(TokenStr::Id(tkn)))
             .transpose()?;
         let userinfo_token = request
+            .tokens
             .userinfo_token
             .as_ref()
             .map(|tkn| {