feat: Fine-Grained Authorization with Keycloak-Core Policy Engine#607
Open
lakhansamani wants to merge 26 commits intomainfrom
Open
feat: Fine-Grained Authorization with Keycloak-Core Policy Engine#607lakhansamani wants to merge 26 commits intomainfrom
lakhansamani wants to merge 26 commits intomainfrom
Conversation
…methods Add 7 new collection/table names (Resource, Scope, Policy, PolicyTarget, Permission, PermissionScope, PermissionPolicy) to CollectionList and Collections var. Add 28 new method signatures to the Provider interface covering CRUD for resources, scopes, policies, policy targets, permissions, and join tables, plus the optimized GetPermissionsForResourceScope evaluation query.
Add CRUD methods for resources, scopes, policies, policy targets, permissions, permission scopes, and permission policies. Implement GetPermissionsForResourceScope optimized JOIN query for the evaluation engine. Add 7 new schemas to AutoMigrate.
Add CRUD methods for all 7 authorization collections using MongoDB driver. Implement GetPermissionsForResourceScope using sequential lookups. Create indexes for efficient name and foreign key lookups.
…ders Add authorization CRUD methods for all remaining NoSQL providers. Each provider follows its existing patterns for collection access, querying, and pagination. All 6 providers now implement the full 28-method authorization storage interface.
Add principal-agnostic policy evaluation engine with: - Role-based and user-based policy evaluators (extensible to client/agent) - Affirmative and unanimous decision strategies - MaxScopes delegation ceiling enforcement - Input validation (safe characters, known resource/scope checks) - In-memory cache with negative caching and prefix invalidation - Three enforcement modes (disabled, permissive, enforcing)
Add SetCache, GetCache, DeleteCacheByPrefix to Redis, DB-backed, and in-memory memory store providers. Update fakeMemoryStore in tests to implement the new interface methods.
Add --authorization-enforcement, --authorization-cache-ttl, --include-permissions-in-token, --authorization-log-all-checks flags. Wire authorization provider in cmd/root.go initialization order. Pass authorization provider to http_handlers and graphql dependencies.
Add 10 output types, 9 input types, 12 admin mutations, and 6 queries for the authorization model. Regenerate GraphQL code. Wire resolver stubs with placeholder implementations until Phase 10.
Add 18 GraphQL handler methods: CRUD for resources, scopes, policies, permissions, plus check_permission and my_permissions user-facing queries. Add AsAPI conversion methods to all authorization schemas. Wire resolvers to graphql Provider interface.
Add POST /api/v1/check-permission endpoint for downstream services.
Extracts principal from JWT Bearer token, evaluates permission via
authorization engine, returns {allowed, matched_policy} JSON response.
Add 16 integration tests covering resource/scope/policy/permission CRUD, permission evaluation with role-based policies, referential integrity checks on delete, and cleanup. All tests pass with SQLite.
Add 5 authorization pages to admin dashboard: Resources, Scopes, Policies, Permissions, and Evaluate. Include guided setup flow, natural language permission summaries, and policy evaluation test tool. Add Authorization nav item to sidebar.
- H-1: Make cache invalidation synchronous (remove goroutine) to prevent stale authorization decisions after policy changes - H-2: Add allowlist validation for policy type, logic, and decision strategy in add/update handlers -- prevents silent permission escalation from typos - C-2: Fix evaluateRoleTargets unanimous strategy returning true when no role targets exist (empty-target bypass) - C-3: Fix DeletePolicy handler ordering -- storage provider now handles cascade deletion, preventing data loss on referential integrity failure - M-3: Add name format validation (alphanumeric, hyphens, underscores, max 100 chars) in resource/scope/policy/permission add/update handlers
Upgrade to latest available versions to address CVE-2026-33816 and CVE-2026-33815 in pgx. Note: both CVEs have no upstream fix yet (Fixed in: N/A) but govulncheck confirms the affected symbols (Backend.Receive, FunctionCall.Decode, Bind.Decode) are not called by Authorizer code. Also upgrades gorm v1.25.5->v1.25.10.
… for unmatched checks
…led' with one-time log
…ermission-probe errors
…t cache, DoS caps
…ts, test coverage
…fer cache decode, shared identifier constant
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements RFC #508 — Fine-Grained Authorization with a Keycloak-inspired four-pillar model (Resources, Scopes, Policies, Permissions). This replaces the flat comma-separated role strings with a composable, principal-agnostic authorization engine.
Key features
permissivedefault /enforcing)POST /api/v1/check-permissionfor downstream servicesObservability
authorizer_authz_checks_total{mode,result},authorizer_authz_unmatched_total{mode},authorizer_authz_check_duration_secondsauthz.unmatched=truewarn log (1 per (resource, scope) per 60s) on permissive fallthroughsenforcingwith 0 permissions configuredBackward compatibility
--authorization-enforcement=permissive— unmatched checks are ALLOWED and logged, so apps keep working while operators seed permissions--authorization-enforcement=disabledis silently normalized topermissivewith a one-time INFO log — no operator action required during upgradeUser.Rolesfield,IsSuperAdmin()checks, and JWT format are unchanged--include-permissions-in-token=trueFuture-proof for M2M and AI agents
Principalabstraction accepts any identity type (user, client, agent)MaxScopesdelegation ceiling for token-scoped restrictionsStorage
GetPermissionsForResourceScopeJOIN query for the evaluation hot pathNew CLI flags
--authorization-enforcement(permissivedefault /enforcing; legacydisabledauto-migrated)--authorization-cache-ttl(default: 300s)--include-permissions-in-token(default: false)--authorization-log-all-checks(default: false)Test plan
TestConfig_*migration testsgo build ./...passesgo vet ./...passesnpm run buildpassesmake dev, navigate to Authorization in dashboard, create resource/scope/policy/permission, test evaluate page--authorization-enforcement=enforcingto verify default-deny behaviorcurl -X POST /api/v1/check-permission--authorization-enforcement=disabledto confirm the legacy-migration INFO log fires and the server boots inpermissivemodeDesign specs
docs/superpowers/specs/2026-04-13-fine-grained-authorization-design.md— original FGA designdocs/superpowers/specs/2026-04-21-authz-two-mode-enforcement-design.md— two-mode enforcement refactor