feat(jans-cedarling): implement CEDARLING_ID_TOKEN_TRUST_MODE

jans-cedarling/bindings/cedarling_python/PYTHON_TYPES.md

@@ -241,6 +241,10 @@ ___
 Error encountered while parsing all entities to json for logging
 ___
 
+# authorize_errors.IdTokenTrustModeError
+Error encountered while running on strict id token trust mode
+___
+
 # authorize_errors.ProcessTokens
 Error encountered while processing JWT token data
 ___

jans-cedarling/bindings/cedarling_python/src/authorize/errors.rs

@@ -120,6 +120,13 @@ create_exception!(
     "Error encountered while parsing all entities to json for logging"
 );
 
+create_exception!(
+    authorize_errors,
+    IdTokenTrustModeError,
+    AuthorizeError,
+    "Error encountered while running on strict id token trust mode"
+);
+
 create_exception!(
     authorize_errors,
     AddEntitiesIntoContextError,
@@ -179,7 +186,8 @@ errors_functions! {
     UserRequestValidation => UserRequestValidationError,
     BuildContext => AddEntitiesIntoContextError,
     Entities => EntitiesError,
-    EntitiesToJson => EntitiesToJsonError
+    EntitiesToJson => EntitiesToJsonError,
+    IdTokenTrustMode => IdTokenTrustModeError
 }
 
 pub fn authorize_errors_module(m: &Bound<'_, PyModule>) -> PyResult<()> {

jans-cedarling/cedarling/examples/authorize_with_jwt_validation.rs

@@ -3,14 +3,13 @@
 //
 // Copyright (c) 2024, Gluu, Inc.
 
-use std::collections::{HashMap, HashSet};
-
 use cedarling::{
-    AuthorizationConfig, BootstrapConfig, Cedarling, IdTokenTrustMode, JwtConfig, LogConfig,
-    LogLevel, LogTypeConfig, PolicyStoreConfig, PolicyStoreSource, Request, ResourceData,
-    TokenValidationConfig, Tokens, WorkloadBoolOp,
+    AuthorizationConfig, BootstrapConfig, Cedarling, JwtConfig, LogConfig, LogLevel, LogTypeConfig,
+    PolicyStoreConfig, PolicyStoreSource, Request, ResourceData, TokenValidationConfig, Tokens,
+    WorkloadBoolOp,
 };
 use jsonwebtoken::Algorithm;
+use std::collections::{HashMap, HashSet};
 
 static POLICY_STORE_RAW_YAML: &str =
     include_str!("../../test_files/policy-store_with_trusted_issuers_ok.yaml");
@@ -23,7 +22,6 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
         jwks: None,
         jwt_sig_validation: true,
         jwt_status_validation: false,
-        id_token_trust_mode: IdTokenTrustMode::None,
         signature_algorithms_supported: HashSet::from_iter([Algorithm::HS256, Algorithm::RS256]),
         access_token_config: TokenValidationConfig::access_token(),
         id_token_config: TokenValidationConfig::id_token(),

jans-cedarling/cedarling/src/authz/mod.rs

@@ -13,6 +13,7 @@ use std::io::Cursor;
 use std::str::FromStr;
 use std::sync::Arc;
 
+use crate::authorization_config::IdTokenTrustMode;
 use crate::bootstrap_config::AuthorizationConfig;
 use crate::common::app_types;
 use crate::common::cedar_schema::cedar_json::{BuildJsonCtxError, FindActionError};
@@ -26,6 +27,7 @@ use crate::log::{
 
 mod authorize_result;
 mod merge_json;
+mod trust_mode;
 
 pub(crate) mod entities;
 pub(crate) mod request;
@@ -42,6 +44,7 @@ use entities::{
 use merge_json::{merge_json_values, MergeError};
 use request::Request;
 use serde_json::Value;
+use trust_mode::*;
 
 /// Configuration to Authz to initialize service without errors
 pub(crate) struct AuthzConfig {
@@ -124,6 +127,10 @@ impl Authz {
         let schema = &self.config.policy_store.schema;
         let tokens = self.decode_tokens(&request)?;
 
+        if let IdTokenTrustMode::Strict = self.config.authorization.id_token_trust_mode {
+            enforce_id_tkn_trust_mode(&tokens)?;
+        }
+
         // Parse action UID.
         let action = cedar_policy::EntityUid::from_str(request.action.as_str())
             .map_err(AuthorizeError::Action)?;
@@ -552,6 +559,9 @@ pub enum AuthorizeError {
     /// Error encountered while building the context for the request
     #[error("Failed to build context: {0}")]
     BuildContext(#[from] BuildContextError),
+    /// Error encountered while building the context for the request
+    #[error("error while running on strict id token trust mode: {0}")]
+    IdTokenTrustMode(#[from] IdTokenTrustModeError),
 }
 
 #[derive(Debug, thiserror::Error)]