Merge pull request #3710 from Azure/nwnt/add-checkaccess-group-expansion

Always do group expansion for CheckAccess subjects
Azure · Jul 23, 2024 · 18fa5ec · 18fa5ec
2 parents 6ab3476 + e20b612
commit 18fa5ec
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 1 deletion.
diff --git a/pkg/util/azureclient/authz/remotepdp/const.go b/pkg/util/azureclient/authz/remotepdp/const.go
@@ -17,4 +17,11 @@ const (
 	Allowed    AccessDecision = "Allowed"
 	NotAllowed AccessDecision = "NotAllowed"
 	Denied     AccessDecision = "Denied"
+
+	// GroupExpansion is the value to be used with ClaimName in SubjectAttributes
+	// This value gives CheckAccess a hint that it needs to retrieve all the groups the principal belongs to
+	// and then give the response based on all group entitlements.
+	//
+	// https://eng.ms/docs/microsoft-security/identity/auth/access-control-managed-identityacmi/azure-authz-data-plane/authz-dataplane-partner-wiki/remotepdp/checkaccess/samples/requestresponse
+	GroupExpansion = `{"groups":"src1"}`
 )
diff --git a/pkg/util/azureclient/authz/remotepdp/types.go b/pkg/util/azureclient/authz/remotepdp/types.go
@@ -32,6 +32,7 @@ type SubjectAttributes struct {
 	AltSecId         string   `json:"altsecid,omitempty"`
 	IdentityProvider string   `json:"idp,omitempty"`
 	Issuer           string   `json:"iss,omitempty"`
+	ClaimName        string   `json:"_claim_names,omitempty"`
 }
 
 // ActionInfo contains an action the query checks whether the subject

diff --git a/pkg/validate/dynamic/dynamic.go b/pkg/validate/dynamic/dynamic.go
@@ -467,7 +467,8 @@ func createAuthorizationRequest(subject, resourceId string, actions ...string) r
 	return remotepdp.AuthorizationRequest{
 		Subject: remotepdp.SubjectInfo{
 			Attributes: remotepdp.SubjectAttributes{
-				ObjectId: subject,
+				ObjectId:  subject,
+				ClaimName: remotepdp.GroupExpansion, // always do group expansion
 			},
 		},
 		Actions: actionInfos,