fix(cedarling): Make cedarling trusted store compatible with agama lab

[olehbozhok]

Prepare

• Read PR guidelines
• Read license information

---

Description

fix loading cedarling trusted issuer from agama lab

Target issue

closes #10038

Implementation Details

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

[dryrunsecurity]

DryRun Security Summary

The pull request focuses on improving the handling and management of policy stores, including support for multiple policy stores, enhanced policy content parsing, and integration with identity sources, which are crucial for the application's security and functionality.

Expand for full summary

Summary:

The code changes in this pull request are focused on improving the handling and management of policy stores, which are a critical component for the application's security and functionality. The key changes include:

1. Policy Store Handling: The policy_store.rs file has been updated to support multiple policy stores, with each store having additional metadata such as name, description, Cedar policy version, and trusted identity sources.
2. Policy Content Parsing: The code has been enhanced to handle the deserialization of base64-encoded policy content, ensuring that the policy information can be properly parsed and validated.
3. Identity Source Integration: The service_config.rs file has been updated to fetch the OpenID configuration for the identity sources specified in the policy stores, allowing the application to properly validate the JWT tokens used for authentication and authorization.

From an application security perspective, these changes are important as they improve the flexibility, robustness, and security of the policy store management. Proper handling of policy stores and identity sources is crucial for ensuring the integrity and reliability of the application's authorization and access control mechanisms.

However, it's important to ensure that the parsing and validation of the policy content and the integration with external identity sources are implemented securely to prevent potential vulnerabilities, such as improper input handling or insecure token validation. The code comments and TODO items suggest that there might be further work needed to fully address these security considerations.

Files Changed:

1. jans-cedarling/cedarling/src/init/policy_store.rs: This file has been updated to handle multiple policy stores, with improved error handling and policy content parsing.
2. jans-cedarling/cedarling/src/common/cedar_schema.rs: The changes in this file are focused on improving the deserialization of the policy store data, with a comprehensive test suite to ensure the robustness of the process.
3. docs/cedarling/cedarling-policy-store.md: The documentation for the Cedarling Policy Store has been updated to reflect the changes in the schema and the new features, such as the handling of identity sources and token claim mapping.
4. jans-cedarling/cedarling/src/common/policy_store.rs: This file has been updated to include additional fields in the PolicyStore struct, providing more configuration options and information about the policy stores.
5. jans-cedarling/cedarling/src/init/service_config.rs: The changes in this file focus on the handling of identity sources and their associated OpenID configurations, which is an important security consideration for the application.

Code Analysis

We ran 9 analyzers against 5 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[abaghinyan]

in Rust, it's better to use match then if else

let result_map = match serde_json::from_str::<HashMap<String, PolicyStore>>(policies_json) {
    Ok(map) => map,
    Err(_) => return Err(err), // Return the original error here
};

[olehbozhok]

when we ignore error it is OK to use

let OK(_) = some else{
...
}

https://rust-lang.github.io/rfcs/3137-let-else.html#guide-level-explanation

[olehbozhok]

and also https://doc.rust-lang.org/rust-by-example/flow_control/let_else.html

[abaghinyan]

Err(err)=> is just more clear then else to identify the error part

[abaghinyan]

It could be more human readable to put the decoded version as comment

[abaghinyan]

It could be more human readable to put the decoded version as comment

[olehbozhok]

Looks like implemented in the #10036

[olehbozhok]

It is you change in charts/janssen-all-in-one/README.md ?
I guess not, probably exit the way to remove all changes in MR for this file..

[olehbozhok]

Name only Jans and it is defined the agama-lab
and looks like you need to revert this change...

[olehbozhok]

Please, left only one policy. Because cedarling support only one policy in store per file. And in agama-lab will do the same

[rmarinn]

Closing this PR in favor of a newer one that addresses the same issue with an improved approach and cleaner git history. Please see: #10098