Add RBAC to Access Token Claims (#10)

unikorn-cloud · Mar 14, 2024 · d356689 · d356689
1 parent 3f7b394
commit d356689
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 5 deletions.
diff --git a/charts/core/Chart.yaml b/charts/core/Chart.yaml
@@ -4,7 +4,7 @@ description: A Helm chart for deploying Unikorn Core
 
 type: application
 
-version: v0.1.9
-appVersion: v0.1.9
+version: v0.1.10
+appVersion: v0.1.10
 
 icon: https://assets.unikorn-cloud.org/images/logos/dark-on-light/icon.svg
diff --git a/pkg/authorization/oauth2/claims/types.go b/pkg/authorization/oauth2/claims/types.go
@@ -22,15 +22,53 @@ import (
 	"github.com/unikorn-cloud/core/pkg/authorization/oauth2/scope"
 )
 
+// Role defines the role a user has within the scope of a group.
+// +kubebuilder:validation:Enum=superAdmin;admin;user;reader
+type Role string
+
+const (
+	// SuperAdmin users can do anything, anywhere, and should be
+	// restricted to platform operators only.
+	SuperAdmin = "superAdmin"
+	// Admin users can do anything within an organization.
+	Admin Role = "admin"
+	// Users can do anything within allowed projects.
+	User Role = "user"
+	// Readers have read-only access within allowed projects.
+	Reader Role = "reader"
+)
+
+// Group records RBAC data in the claims.
+type Group struct {
+	// ID is the immutable group ID.
+	ID string `json:"id"`
+	// Roles are a list of roles the group possesses.
+	Roles []Role `json:"roles,omitempty"`
+}
+
+// UnikornClaims contains all application specific claims in a single
+// top-level claim that won't clash with the ones defined by IETF.
+type UnikornClaims struct {
+	// Organization is the top level organization the user belongs to.
+	Organization string `json:"org"`
+
+	// Groups is a list of groups and roles the token has access to.
+	// Resources should be scoped to some group/groups that the resource
+	// server can filter based on the access token.  Then it can determine
+	// what operations are allowed based on the roles assigned to those
+	// groups.
+	Groups []Group `json:"groups,omitempty"`
+}
+
 // Claims is an application specific set of claims.
 // TODO: this technically isn't conformant to oauth2 in that we don't specify
 // the client_id claim, and there are probably others.
 type Claims struct {
 	jwt.Claims `json:",inline"`
 
-	// Organization is the top level organization the user belongs to.
-	Organization string `json:"org"`
-
 	// Scope is the oauth2 scope of the token.
 	Scope scope.Scope `json:"scope,omitempty"`
+
+	// Unikorn claims are application specific extensions.
+	Unikorn *UnikornClaims `json:"unikorn,omitempty"`
 }