TinyTodo is a Cedar Agent example, with a server in Rust and client in python

Overview

TinyTodo - OPAL and Cedar Agent Demo

TinyTodo is a simple application for managing task lists. It uses OPAL and Cedar Agent to control who has access to what. It is the Cedar Agent fork of the original TinyTodo app adapted to use OPAL and Cedar Agent by Permit.io team.

TinyTodo allows individuals, called Users to organize, track, and share their todo lists. Users create Lists which they can populate with tasks. As tasks are completed, they can be checked off the list. A list's creater, called its owner, can share a list with either Users or Teams, either as a reader or an editor. A reader can only view the contents of a list, while an editor can modify it (e.g., add tasks, or check them off the list).

What is OPAL?

OPAL stands for Open Policy Administration Layer. It has two main components: a server, and a client. The server is tracking the state of the policy on Git or bundles and the Client is responsible for saving the Policy and the Data so it could evaluating the policy. OPAL supports multiple engines for policy evaluation such as OPA, Cedar, and more in the near future. You can read more about OPAL here. If you check it out we would love to get a star from you.

What is Cedar Agent?

Cedar Agent is an HTTP server designed to efficiently manage a policy store and a data store. It provides a seamless integration with Cedar, a language for defining permissions as policies.
With Cedar-Agent, you can easily control and monitor access to your application's resources by leveraging Cedar policies. If you check it out we would love to get a star from you.

Permit.io

Permit.io is a platform for managing access to your application's resources. It builds on top of OPAL and Cedar Agent to provide a complete solution for managing access to your application's resources. And also it provides a UI for managing the policies and the data. Permit is the main contributor to OPAL and Cedar Agent, but you are more than welcome to contribute to the projects.

Usage

The code is structured as a server, written in Rust, that processes HTTP commands. A client tinytodo.py, written in Python3, can be used to interact with the server. This is just a demo app, so there is no permanent storage of todo lists -- they last only as long as the server is running.

Build

You need Docker Python3 and Rust. Rust can be installed via (rustup)[https://rustup.rs]. Python3 can be installed (here)[https://www.python.org/] or using your system's package manager. Docker can be installed (here)[https://docs.docker.com/get-docker/].

Install the needed python packages, and build the server as follows.

pip3 install -r requirements.txt
cargo build --release

The Rust executable is stored in target/release/tiny-todo-server.

Run OPAL server and Python client

To start opal-server and opal-client, run

docker compose -f docker-compose-example-cedar.yml up

To start the client within Python interactive mode, enter

python3 -i ./tinytodo.py // it will start the rust server automatically and set the user as andrew (admin)

When it starts up, the OPAL server reads in the Cedar policies in the defined github account and pass it to the opal-client and it pass it to cedar-agent, and the Cedar entities, which define the TinyTodo Users and Teams, from data/data.json sent as well to the cedar-agent by opal.

Look at the tinytodo.py code to see the functions you can call, which serve as the list of commands.

set_user("andrew") # set the user as andrew (admin)
get_lists() # get all lists
get_list(list_id) # get list1
create_list("list1") # create list1
create_task(list_id, "task1") # create task1 in list1
toggle_task(list_id, task_id) # toggle task1 in list1
share_list(list_id, "username") # share list1 with user "username"
and more...

See also TUTORIAL.md for a detailed description of how to use these commands, and how TinyTodo works.

Main changes from the original TinyTodo

  • We are syncing the entities every time data is changed, so that the entities are always up to date. This is done by calling save_entities_and_sync() in context.rs after every change like new list created or shared.
  • We added a new route get_entities to get the entities from the app state so OPAL can sync them.
  • When we check for access, we only send the user, action, resource and context to the cedar-agent, and we don't need to send the policy and the entities every time because they are already synced by OPAL and cedar-agent.
// in context.rs
let client = reqwest::blocking::Client::new();
let res = client.post("http://localhost:8180/v1/is_authorized")
    .json(&serde_json::json!({
        "principal": principal.as_ref().clone().to_string(),
        "action": action.as_ref().clone().to_string(),
        "resource": resource.as_ref().clone().to_string(),
        "context": {}
    }))
    .send();
You might also like...
Language server for Odoo Python/JS/XML
Language server for Odoo Python/JS/XML

odoo-lsp Features Completion, definition and references for models, XML IDs and model fields Works for records, templates, env.ref() and other structu

A Rust CLI tool that helps you enforce Git policies through Git hooks both server and client side

GitPolicyEnforcer This is a command line utility written in Rust, that helps you utilize Git hooks, to enforce various policies. It currently supports

Russh - Async (tokio) SSH2 client and server rimplementation

Russh Async (tokio) SSH2 client and server rimplementation. This is a fork of Thrussh by Pierre-Étienne Meunier which adds: More safety guarantees AES

A backend server and client for Norg related applications.

Norgopolis Norgopolis is a lightweight communication, launcher and utility services client for the Neorg rust-native modules ecosystem on Desktop. It

A light-as-air client/server networking library for Rust

aeronet A light-as-air client/server networking library with first-class support for Bevy, providing a consistent API which can be implemented by diff

SA-MP client server list fix but written in Rust

Server List Fix This is a samp client server list fix, which reroutes the client's request to list.sa-mp.com to sam.markski.ar. The idea is originally

Bruteforce connecting to a specific Sea of Thieves server. Useful if you want to be in the same server as your friends.

SoT Server Finder Find which Sea of Thieves server you're connected to. Useful if you want to be in the same server as your friends. Setup Download so

Leptos server signals synced through Server-Sent-Events (SSE)

Leptos Server Sent Events Server signals are leptos signals kept in sync with the server through server-sent-events (SSE). The signals are read-only o

A lightweight and high-performance order-book designed to process level 2 and trades data. Available in Rust and Python

ninjabook A lightweight and high-performance order-book implemented in Rust, designed to process level 2 and trades data. Available in Python and Rust

Owner
Permit.io
Fullstack permissions for cloud native applications
Permit.io
A toy example showing how to run Rust code in Python for speed and progress.

PoC: Integrating Rust in Python A toy example showing how to run Rust code in Python for speed and progress. Requirements Python 3.6+ Rust 1.44+ Cargo

Emil Thorenfeldt 2 Feb 7, 2022
Rust Imaging Library's Python binding: A performant and high-level image processing library for Python written in Rust

ril-py Rust Imaging Library for Python: Python bindings for ril, a performant and high-level image processing library written in Rust. What's this? Th

Cryptex 13 Dec 6, 2022
Akamai Krypton CLI and SSH Agent (v2)

Akamai "Krypton" FIDO2 SSH Agent and CLI The akr command line utility is Akamai's "Krypton" SSH Agent, the successor to kr which works exclusively wit

Akamai 57 Jan 4, 2023
A customizable MCTS planner with advanced featured tailored to multi-agent simulations and emergent narratives.

NPC engine Core:  Utils:  © 2020-2022 ETH Zurich and other contributors. See AUTHORS.txt for more details. A customizable Monte Carlo Tree Search (MCT

Game Technology Center, ETH Zurich 30 Jun 6, 2023
This PAM module provides ssh-agent based authentication

PAM-RSSH This PAM module provides ssh-agent based authentication. The primary design goal is to avoid typing password when you sudo on remote servers.

Yuxiang Zhang 21 Dec 14, 2022
Figma Agent for Linux (a.k.a. Font Helper)

Figma Agent for Linux (a.k.a. Font Helper)

Neetly 32 Dec 25, 2022
Incredible.dev is an AI Coding Co-worker which can code, fix, document, deploy, test your APIs. One agent to rule everything API.

Incredible.dev Early Github preview, documentation and instruction to run coming soon in a week! Here are some highlights: AI agents that can code, fi

Incredible 27 Jun 27, 2024
⚡ Blazing fast async/await HTTP client for Python written on Rust using reqwests

Reqsnaked Reqsnaked is a blazing fast async/await HTTP client for Python written on Rust using reqwests. Works 15% faster than aiohttp on average RAII

Yan Kurbatov 8 Mar 2, 2023
REC2 (Rusty External Command and Control) is client and server tool allowing auditor to execute command from VirusTotal and Mastodon APIs written in Rust. 🦀

Information: REC2 is an old personal project (early 2023) that I didn't continue development on. It's part of a list of projects that helped me to lea

Quentin Texier (g0h4n) 104 Oct 7, 2023
A fast static code analyzer & language server for Python

pylyzer ⚡ pylyzer is a static code analyzer / language server for Python written in Rust. Installation cargo (rust package manager) cargo install pyly

Shunsuke Shibayama 78 Jan 3, 2023