feat(jans-cedarling): php binding

[olevacho]

Prepare

• Read PR guidelines
• Read license information

---

Description

This PR adds php binding example to cedarling

Target issue

closes #issue-number-here

Implementation Details

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

Closes #9965,

[dryrunsecurity]

DryRun Security Summary

The pull request covers various security-related changes to the Cedarling project, including hardening the GitHub Actions workflow, updating Rust dependencies, implementing a policy-based authorization mechanism, and introducing a secure PHP extension library, all aimed at improving the overall security and reliability of the application.

Expand for full summary

Summary:

The code changes in this pull request cover various aspects of the Cedarling project, including the GitHub Actions workflow, Rust-based PHP bindings, and policy configuration. From an application security perspective, the changes generally appear to be focused on improving the security and reliability of the project.

The key security-related changes include:

1. Hardening the GitHub Actions runner environment by using a specific Ubuntu version and enabling the egress-policy to audit.
2. Updating the Rust crate dependencies, which introduces several new libraries related to security, policy management, and data serialization.
3. Implementing a policy-based authorization mechanism using the cedar-policy library, with a focus on ensuring that the principal's org_id matches the resource's org_id.
4. Introducing a PHP extension library that wraps the Rust-based Cedarling functionality, with a focus on secure integration between the two languages.

While the changes seem to be a step in the right direction from a security perspective, there are a few areas that should be carefully reviewed to ensure the overall security of the application:

1. Ensuring that all user inputs, such as tokens and organization IDs, are properly validated and sanitized to prevent potential injection attacks.
2. Reviewing the implementation of the authorization logic to verify that it is correctly applying the defined policies and that there are no potential privilege escalation vulnerabilities.
3. Maintaining the security of the policy store configuration and ensuring that any sensitive information is properly encrypted or secured.
4. Implementing robust error handling, logging, and monitoring mechanisms to aid in debugging and security incident response.

Overall, the changes in this pull request appear to be a positive step towards improving the security and reliability of the Cedarling project. However, it's crucial to continue reviewing the codebase and deployment practices to ensure that the application remains secure and resilient against potential attacks.

Files Changed:

1. .github/workflows/test_cedarling.yml: This file was updated to use the ubuntu-20.04 runner and the Harden Runner action, which helps improve the security of the GitHub Actions workflow.
2. jans-cedarling/bindings/cedarling_ext_php_rs/Cargo.toml: This file was updated to include several new dependencies related to security, policy management, and data serialization.
3. jans-cedarling/bindings/cedarling_ext_php_rs/README.md: This file provides instructions on building and testing the Rust-based PHP extension library.
4. jans-cedarling/bindings/cedarling_ext_php_rs/src/lib.rs: This file introduces a new function, cedarling_authorize_test(), which is responsible for authorizing actions based on the provided access token, ID token, and resource payload.
5. jans-cedarling/bindings/cedarling_ext_php_rs/src/policy-store_ok.json: This file contains a policy configuration that allows a "Workload" principal to perform the "Update" action on an "Issue" resource, as long as the principal's org_id matches the resource's org_id.
6. jans-cedarling/bindings/cedarling_php_rs/Cargo.toml: This file was updated to include the same set of new dependencies as the cedarling_ext_php_rs crate.
7. jans-cedarling/bindings/cedarling_php_rs/README.md: This file provides information on the integration between the Rust-based Cedarling library and the PHP application.
8. jans-cedarling/bindings/cedarling_php_rs/src/lib.rs: This file introduces the Cedarling PHP class, which wraps the underlying Rust-based Cedarling functionality.
9. jans-cedarling/bindings/cedarling_php_rs/src/policy-store_ok.json: This file contains the same policy configuration as the one in the cedarling_ext_php_rs crate.
10. jans-cedarling/bindings/cedarling_php_rs/test.php: This file is a PHP script that interacts with the Cedarling API to perform authorization checks.

Code Analysis

We ran 9 analyzers against 11 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[mo-auto]

Error: Hi @olevacho, You did not reference an open issue in your PR. I attempted to create an issue for you.
Please update that issues' title and body and make sure I correctly referenced it in the above PRs body.