Commit aa020858 authored by Chad Leong
Merge branch 'fix/dataauth' into 'master'

Adding x-user-id header to default dataauth policies

See merge request !486
parents b8e052c0 8e38cf79
1 merge request: !486 Adding x-user-id header to default dataauth policies
Pipeline #263364 failed
......@@ -6,6 +6,7 @@ headers = {
"Content-Type": "application/json",
"data-partition-id":input.datapartitionid,
"Authorization": sprintf("Bearer %v", [input.token]),
"x-user-id": input.xuserid,
"Accept": "application/json"
}
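Review bot: `"x-user-id": input.xuserid` has no fallback, so a caller that omits `xuserid` from the input document makes the whole `headers` object undefined in Rego, and every rule that consumes it then evaluates to undefined instead of failing with a clear message. Either document `xuserid` as a required input field alongside `token` and `datapartitionid`, or add a rule that rejects input lacking it with an explicit reason, so a missing user id surfaces as a visible policy error rather than as a request that silently never leaves OPA.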
......@@ -6,6 +6,7 @@ headers = {
"Content-Type": "application/json",
"data-partition-id":input.datapartitionid,
"Authorization": sprintf("Bearer %v", [input.token]),
"x-user-id": input.xuserid,
"Accept": "application/json"
}
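Review bot: This header block is a line-for-line copy of the one in the previous hunk, so both default policies now carry the same unguarded `input.xuserid` assumption and will drift apart the next time a header is added. Consider hoisting the shared `headers` object into one package the data authorization policies import, and at minimum add a test input containing `xuserid` for both files so a missing field is caught in CI; the pipeline for this merge is reported as failed, so confirm that failure is unrelated before merging.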
......@@ -6,6 +6,8 @@ OSDU data platform has two additional service that are used together with policy
[Legal](https://community.opengroup.org/osdu/platform/security-and-compliance/legal/-/blob/master/docs/tutorial/ComplianceService.md) service that provides additional attributes that can be used to conform to legal and organizational regulations.
The data authorization policies define the requests to OSDU services and assertions required by OPA to evaluate user authorization. Entitlements service requires the `x-user-id` header and `data-partition-id` header for all calls to evaluate that a user belongs to a service group within a partition to be authorized to access a record or make a request, which is why these headers must be included in the policies api calls to OSDU services.
Policy Service APIs are consistent with other OSDU APIs in a way that they require Bearer token as authorization header and data partition as `data-partition-id` header for all the calls. Similarly, user making the call needs to be in a necessary service group to be authorized to make the call.
For policy service, the relevant service groups are `service.policy.user` and `service.policy.admin` (configurable in
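Review bot: The sentence beginning "Entitlements service requires" is a run-on and ends with "policies api calls", which should read "policy API calls"; split it into one sentence stating that Entitlements requires the `x-user-id` and `data-partition-id` headers on every call and a second stating that the default data authorization policies therefore include them. The changelog in this same change says the unauthorized requests went to both the entitlements and the legal service, while this paragraph names only Entitlements; state explicitly whether Legal needs `x-user-id` as well so policy authors know which of their own service calls must carry the header. The surrounding context line's "two additional service" is a pre-existing typo worth fixing while in this paragraph.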
......@@ -18,6 +18,7 @@ Policy Service v0.26.0 2024/04
- Upgraded FastAPI to 0.109.2 for security fixes [CVE-2024-24762](https://nvd.nist.gov/vuln/detail/CVE-2024-24762)
- Upgraded usage of SHA1 to SHA256. This includes detection of changes to policies, response headers and response json if SHA-1 was previously included. [124](https://community.opengroup.org/osdu/platform/security-and-compliance/policy/-/issues/124) and [125](https://community.opengroup.org/osdu/platform/security-and-compliance/policy/-/issues/125). This SHA-256 will also show up in pod audit logs and external audit logs when relevant.
- Updated OPA recommended versions for [CVE-2024-24783](https://nvd.nist.gov/vuln/detail/CVE-2024-24783), [CVE-2023-6246](https://nvd.nist.gov/vuln/detail/CVE-2023-6246), and [CVE-2023-6779](https://nvd.nist.gov/vuln/detail/CVE-2023-6779).
- Added x-user-id header to default data authorization rego policies to fix issue where OPA's requests to entitlements and legal service were not authorized. Issue [129](https://community.opengroup.org/osdu/platform/security-and-compliance/policy/-/issues/129).
### M23 Features
- Separate Audit Log [113](https://community.opengroup.org/osdu/platform/security-and-compliance/policy/-/issues/113). See [logging](logging.md) for more details.
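Review bot: The new changelog entry describes the fix but not its consequence for callers: the default policies now read `input.xuserid`, so any deployment that builds its own input document, or custom policies derived from the defaults, must start supplying that field or evaluation will fail. Add a sentence to that effect, naming the input field, next to the issue link, in the same way the SHA-256 entry above spells out where the new hash surfaces.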