feat(jans-cedarling): Implement check authorization principals based on the schema for action

[olehbozhok]

Prepare

• Read PR guidelines
• Read license information

---

Description

Target issue

issue

closes #10072

Implementation Details

• add usage of namespace stored in the policy-store
• add using principals: User, Role, Workload based on schema
  • first I have tried to improve parsing json of cedar-policy schema. But after realized that it is OK to handle error from cedar-policy`

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

[dryrunsecurity]

DryRun Security Summary

The pull request covers various improvements to the Cedarling application's authorization functionality, focusing on enhancing security, robustness, and comprehensive test coverage.

Expand for full summary

Summary:

The code changes in this pull request cover various aspects of the Cedarling application, with a focus on improving the security and robustness of the authorization functionality. The changes include updates to the AuthorizeResult struct, the handling of policy stores and schemas, the implementation of the PolicyStore module, and the addition of comprehensive test suites.

Key security-related improvements include:

1. Handling of potentially missing or incomplete authorization responses (workload, person, role) in the AuthorizeResult struct.
2. Improvements to the policy store deserialization process, including better error handling and input validation.
3. Enhancements to the PolicyStore module, such as the ability to handle different policy store namespaces and metadata.
4. Extensive test coverage for various authorization scenarios, including edge cases and error conditions.

Overall, the changes demonstrate a strong focus on security and reliability, with a particular emphasis on ensuring that the authorization system can handle a wide range of inputs and edge cases without introducing vulnerabilities or compromising the application's security posture.

Files Changed:

1. jans-cedarling/bindings/cedarling_python/src/authorize/authorize_result.rs: The changes modify the return types of the workload() and person() methods to handle potentially missing or incomplete authorization responses.
2. jans-cedarling/bindings/cedarling_python/example.py: The changes improve the robustness of the example code by handling potentially missing workload_result and person_result values.
3. jans-cedarling/bindings/cedarling_python/cedarling_python.pyi: The changes update the type annotations for the AuthorizeResult class to reflect the handling of potentially missing or incomplete authorization responses.
4. jans-cedarling/cedarling/src/authz/authorize_result.rs: The changes update the AuthorizeResult struct to use Option<cedar_policy::Response> for the workload, person, and role fields, improving the handling of incomplete authorization responses.
5. jans-cedarling/cedarling/src/authz/entities/test_create.rs: The changes add comprehensive test cases for the entity creation functionality, ensuring that the application can handle various input validation and type checking scenarios.
6. jans-cedarling/cedarling/src/authz/entities/mod.rs: The changes update the entity creation functions to handle different token types and role mapping configurations, improving the overall security and reliability of the authorization system.
7. jans-cedarling/cedarling/src/authz/mod.rs: The changes improve the organization and error handling of the authorization evaluation logic, making it easier to understand and maintain.
8. jans-cedarling/cedarling/src/authz/request.rs: The changes add the ability to clone and deserialize the Request struct, which can be useful for security-related operations, such as logging and auditing.
9. jans-cedarling/cedarling/src/common/cedar_schema/cedar_json.rs: The changes reorganize the code and improve the handling of the Cedar Policy schema, which is an important component for the application's access control and authorization mechanisms.
10. jans-cedarling/cedarling/src/common/cedar_schema/mod.rs: The changes improve the deserialization of the policy store, including the handling of different formats for the cedar_schema field.
11. jans-cedarling/cedarling/src/common/cedar_schema/cedar_json/entity_types.rs: The changes introduce new structs and enums to represent the various entity types and attributes in the Cedar Policy schema, improving the overall structure and maintainability of the code.
12. jans-cedarling/cedarling/src/common/policy_store.rs: The changes improve the handling of policy store metadata, including the namespace and Cedar Policy version information.
13. jans-cedarling/cedarling/src/common/policy_store/test.rs: The changes add comprehensive test cases for the policy store deserialization process, ensuring that the application can handle various error scenarios.
14. jans-cedarling/cedarling/src/log/log_entry.rs: The changes reorganize the AuthorizationLogInfo struct to improve the handling and separation of authorization information for different principals (person, workloa

Code Analysis

We ran 9 analyzers against 30 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[SafinWasi]

Python changes look good. Is example_files/policy-store.json update in PR #10098 ?

[djellemah]

Looks good to me.