Migrate from legacy to reusable access policies

[sidbena]

Created in reference to this issue

When I create access policies with labels in DockFlare, they seem to generate ”legacy” access policies;

As far as I understand, there are reusable ones that are the ”new” ones, but I'm not entirely sure about the implementation of these.

This should be what's required to fetch a reusable policy (to get a hold of its UUID). Or the UUID could just be an input variable for the docker labels.

And this should be the body content added to use one with creating an app with a reusable access policy:

policies: Array < Optional
The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.

# A JSON that links a reusable policy to an application.
AccessAppPolicyLink = {
  id: stringOptional
  # (maxLength: 36) The UUID of the policy
  
  precedence: numberOptional
  # The order of execution for this policy. Must be unique for each policy within an app.
}
…

[roscoejp]

You should already be able to link existing policies with the current custom rules label since it's only getting validated as json and then passed directly to the policies in the request. I just tried this and it works fine:

      - cloudflare.tunnel.access.custom_rules=[{"id":"REUSABLE_POLICY_ID"}]

or

# Note the lack of quotes around the precedence to ensure it's not a string
      - cloudflare.tunnel.access.custom_rules=[{"id":"REUSABLE_POLICY_ID","precedence":PRECENDNCE_FOR_POLICY}]

Creating re-usable policies for applications would be a bit more involved since you'd have to ensure a policy is created prior to using it and you wouldn't be able to "re-use" it on other endpoints very easily since ordering of labels would be important at that point.

[sidbena]

Thanks for the reply.
I'm not getting this to work however, as soon as I try to supply a policy ID, I end up with an application without any access policy at all.

I'll stick with the legacy 'bypass' and 'default_tld' values for now.

[ChrispyBacon-dev]

OK. I will look into that. basically we need a new function to use already existing reusable policys selected with the policy ID.

[luketainton]

I use the cloudflare.tunnel.access.custom_rules label to specify a reusable policy and it seems to work for me, though I give it a bit more than just the ID.

cloudflare.tunnel.access.custom_rules: '[{"decision": "allow","id": "REUSABLE_POLICY_ID","uid": "REUSABLE_POLICY_ID","name": "NAME_FROM_CF_PORTAL","reusable": true,"precedence": 1}]'

[roscoejp]

#83 (reply in thread) The custom policy rule is very particular about spacing/quoting (and Dockflare stops processing labels if it gets a 400 from the CF API), but you should be able to hook up an existing re-usable policy with the ID b0d71b2b-d023-456a-8066-588269603e8a using the following compose (for example). Just tested this with a brand new re-usable service auth policy.

services:
  whoami:
    image: traefik/whoami
    container_name: working-sample
    labels:
      - cloudflare.tunnel.enable=true
      - cloudflare.tunnel.hostname=whoami.${DOMAIN}
      - cloudflare.tunnel.service=https://whoami.${DOMAIN}  # or scheme//host:port if you don't have a proxy in your LAN
      - cloudflare.tunnel.access.policy=authenticate
      - cloudflare.tunnel.access.custom_rules=[{"id":"b0d71b2b-d023-456a-8066-588269603e8a"}]

#83 (comment) The map you've provided does still contain the id and precedence fields which are one of the acceptable 'object' formats (see screenshot below). Do you find the additional options change things up in the UI (if so, bravo on finding something not immediately apparent in the API docs!)
I wouldn't be surprised if there are other acceptable formats/keys but I can't be bothered to read through all of the docs since I only found this while debugging the allowed_idp label crashes.

[ChrispyBacon-dev]

Hi, I will dedicate a new wiki page only around access policy labels. Great feedback. Thank you.

[solipsist01]

Multiple reusable policies are done like this:

    labels:
      - cloudflare.tunnel.enable=true
      - cloudflare.tunnel.hostname=dockflare.redacted.org
      - cloudflare.tunnel.service=http://dockflare:5000
      - cloudflare.tunnel.access.policy=authenticate
      - cloudflare.tunnel.access.custom_rules=[{"id":"df81dfa2-d01a-4eb5-8f0c-e88059770692"},{"id":"01862068-e56d-4beb-a442-c36c7aefae02"}]

Thank you for this brilliant software :)