Integrate Casbin into middleware and remove built-in policy engine (#6)

* refactor: removed built-in policy engine
* refactor: removed policy engine examples
* refactor: updated tests to use casbin middleware
* feat: added casbin middleware integration
* refactor: removed policy engine from service and config
* docs: removed policy engine references
* refactor: removed generate-policy-config subcommand
* refactor: removed more policy-related implementation in cmd
* chore: updated JWTMiddleware tests for casbin policy
* refactor: changed policy decision variable values
* chore: updated go deps for JWT middleware
* refactor: updated policy implementation to work properly
* tests: tidied and separated policy tests
* refactor: tidied code and minor changes
* chore: addressed FIXME issues in PR
* chore: use context key constants instead of string literals
* Address linter errors

---------

Signed-off-by: David Allen <davidallendj@gmail.com>
Signed-off-by: David J. Allen <davidallendj@gmail.com>
Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
Co-authored-by: Alex Lovell-Troy <alovelltroy@lanl.gov>

Author: davidallendj

README.md

@@ -45,13 +45,6 @@ sequenceDiagram
 
 ## Features
 
-- **Pluggable Policy Engine System**
-  - **Static Policy Engine**: Simple hardcoded policy engine with configurable scopes, audiences, and permissions
-  - **File-Based Policy Engine**: Dynamic policy engine with role-based access control (RBAC) from JSON configuration
-  - **Extensible Architecture**: Easy to implement custom policy engines for complex authorization scenarios
-  - **Hot Configuration Reloading**: File-based policy engine supports configuration updates without service restart
-  - **Role-Based Access Control**: Support for user and group role mappings with fine-grained permissions
-
 - **Identity Bridging**
   - Exchange external OIDC tokens for internal JWTs
   - Map external identities to internal service identities
@@ -71,108 +64,14 @@ sequenceDiagram
   - Scope-based authorization
   - Service-to-service authentication
   - Extensible claims handling
+  - Casbin intergration for policy-based authorization
 
 - **OIDC Provider Support**
   - Keycloak integration
   - Hydra integration
   - Authelia integration
   - Extensible provider interface
 
-## Policy Engines
-
-TokenSmith uses a pluggable policy engine system to determine scopes, audiences, and permissions for access tokens. This allows for flexible authorization policies that can be adapted to different use cases.
-
-### Static Policy Engine
-
-The static policy engine provides a simple, hardcoded approach to policy decisions. It's ideal for simple deployments or as a fallback when dynamic policies aren't needed.
-
-**Features:**
-
-- Fixed scopes, audiences, and permissions
-- Configurable token lifetime
-- Additional custom claims support
-- Zero configuration overhead
-
-**Usage:**
-
-```bash
-tokensmith serve --policy-engine static --provider hydra
-```
-
-### File-Based Policy Engine
-
-The file-based policy engine provides dynamic, role-based access control (RBAC) through JSON configuration files. It supports complex authorization scenarios with user and group role mappings.
-
-**Features:**
-
-- Role-based access control (RBAC)
-- User and group role mappings
-- Fine-grained permissions per role
-- Hot configuration reloading
-- Default policy fallback
-
-**Usage:**
-
-```bash
-# Generate a policy configuration file
-tokensmith generate-policy-config --policy-config policy.json
-
-# Run with file-based policy engine
-tokensmith serve --policy-engine file-based --policy-config policy.json --provider hydra
-```
-
-**Policy Configuration Example:**
-
-```json
-{
-  "version": "1.0.0",
-  "default_policy": {
-    "scopes": ["read"],
-    "audiences": ["smd", "bss", "cloud-init"],
-    "permissions": ["read:basic"]
-  },
-  "roles": {
-    "admin": {
-      "name": "Administrator",
-      "description": "Full administrative access",
-      "scopes": ["read", "write", "admin"],
-      "audiences": ["smd", "bss", "cloud-init", "admin-service"],
-      "permissions": ["read:all", "write:all", "admin:all"]
-    },
-    "user": {
-      "name": "Regular User",
-      "description": "Basic user access",
-      "scopes": ["read"],
-      "audiences": ["smd", "bss", "cloud-init"],
-      "permissions": ["read:basic"]
-    }
-  },
-  "user_role_mappings": {
-    "adminuser": ["admin"],
-    "regularuser": ["user"]
-  },
-  "group_role_mappings": {
-    "admins": ["admin"],
-    "users": ["user"]
-  }
-}
-```
-
-### Custom Policy Engines
-
-You can implement custom policy engines by implementing the `policy.Engine` interface:
-
-```go
-type Engine interface {
-    EvaluatePolicy(ctx context.Context, policyCtx *PolicyContext) (*PolicyDecision, error)
-    GetName() string
-    GetVersion() string
-    ValidateConfiguration() error
-}
-```
-
-See the [policy package documentation](pkg/policy/README.md) for detailed implementation examples.
-
 ## Container Deployment
 
 TokenSmith can be deployed using Docker. The following environment variables can be used to configure the service:
@@ -290,42 +189,6 @@ tokensmith generate-config --config config.json
 
 - `tokensmith serve` - Start the token service
 - `tokensmith generate-config` - Generate a default configuration file
-- `tokensmith generate-policy-config` - Generate a default policy configuration file
-
-#### Using Static Policy Engine (Default)
-
-Start the service with the static policy engine:
-
-```bash
-tokensmith serve \
-  --provider=keycloak \
-  --issuer=http://tokensmith:8080 \
-  --port=8080 \
-  --cluster-id=test-cluster-id \
-  --openchami-id=test-openchami-id \
-  --config=config.json \
-  --policy-engine=static
-```
-
-#### Using File-Based Policy Engine
-
-Generate a policy configuration file and start the service:
-
-```bash
-# Generate a policy configuration file
-tokensmith generate-policy-config --policy-config policy.json
-
-# Start the service with file-based policy engine
-tokensmith serve \
-  --provider=keycloak \
-  --issuer=http://tokensmith:8080 \
-  --port=8080 \
-  --cluster-id=test-cluster-id \
-  --openchami-id=test-openchami-id \
-  --config=config.json \
-  --policy-engine=file-based \
-  --policy-config=policy.json
-```
 
 #### Configuration File
 
@@ -356,8 +219,6 @@ Configuration options:
 | `--keycloak-url` | Keycloak admin API URL | `http://keycloak:8080` |
 | `--keycloak-realm` | Keycloak realm | `openchami` |
 | `--config` | Path to configuration file | `""` |
-| `--policy-engine` | Policy engine type (static, file-based) | `static` |
-| `--policy-config` | Path to policy configuration file | `""` |
 
 | Environment Variable | Description |
 |------|-------------|

cmd/tokenservice/main.go

@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/openchami/tokensmith/pkg/policy"
 	tokenservice "github.com/openchami/tokensmith/pkg/tokenservice"
 	"github.com/spf13/cobra"
 )
@@ -25,9 +24,6 @@ var (
 	keyFile          string
 	keyDir           string
 	nonEnforcing     bool // Skip validation checks and only log errors
-	// Policy engine configuration
-	policyEngineType string
-	policyConfigPath string
 )
 
 var rootCmd = &cobra.Command{
@@ -49,59 +45,12 @@ var generateConfigCmd = &cobra.Command{
 	},
 }
 
-var generatePolicyConfigCmd = &cobra.Command{
-	Use:   "generate-policy-config",
-	Short: "Generate a default policy configuration file",
-	RunE: func(cmd *cobra.Command, args []string) error {
-		policyConfig := &policy.FileBasedConfig{
-			Version: "1.0.0",
-			DefaultPolicy: &policy.PolicyDecision{
-				Scopes:      []string{"read"},
-				Audiences:   []string{"smd", "bss", "cloud-init"},
-				Permissions: []string{"read:basic"},
-			},
-			Roles: map[string]*policy.RolePolicy{
-				"admin": {
-					Name:        "Administrator",
-					Description: "Full administrative access",
-					Scopes:      []string{"read", "write", "admin"},
-					Audiences:   []string{"smd", "bss", "cloud-init", "admin-service"},
-					Permissions: []string{"read:all", "write:all", "admin:all"},
-				},
-				"user": {
-					Name:        "Regular User",
-					Description: "Basic user access",
-					Scopes:      []string{"read"},
-					Audiences:   []string{"smd", "bss", "cloud-init"},
-					Permissions: []string{"read:basic"},
-				},
-			},
-			UserRoleMappings: map[string][]string{
-				"adminuser":   {"admin"},
-				"regularuser": {"user"},
-			},
-			GroupRoleMappings: map[string][]string{
-				"admins": {"admin"},
-				"users":  {"user"},
-			},
-		}
-
-		if err := policy.SaveFileBasedConfig(policyConfig, policyConfigPath); err != nil {
-			return fmt.Errorf("failed to save policy config: %w", err)
-		}
-		fmt.Printf("Generated policy configuration file at: %s\n", policyConfigPath)
-		return nil
-	},
-}
-
 func init() {
 
 	rootCmd.AddCommand(generateConfigCmd)
-	rootCmd.AddCommand(generatePolicyConfigCmd)
 
 	// Global flags
 	rootCmd.PersistentFlags().StringVar(&configPath, "config", "", "Path to configuration file")
-	rootCmd.PersistentFlags().StringVar(&policyConfigPath, "policy-config", "", "Path to policy configuration file")
 }
 
 func main() {

cmd/tokenservice/serve.go

@@ -8,10 +8,8 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"time"
 
 	"github.com/openchami/tokensmith/pkg/keys"
-	"github.com/openchami/tokensmith/pkg/policy"
 	"github.com/openchami/tokensmith/pkg/tokenservice"
 	"github.com/spf13/cobra"
 )
@@ -26,12 +24,6 @@ var serveCmd = &cobra.Command{
 			return fmt.Errorf("failed to load config: %w", err)
 		}
 
-		// Create policy engine configuration
-		policyEngineConfig, err := createPolicyEngineConfig()
-		if err != nil {
-			return fmt.Errorf("failed to create policy engine config: %w", err)
-		}
-
 		// Get OIDC credentials from environment variables if not provided via flags
 		if oidcClientID == "" {
 			oidcClientID = os.Getenv("OIDC_CLIENT_ID")
@@ -47,7 +39,6 @@ var serveCmd = &cobra.Command{
 			ClusterID:        clusterID,
 			OpenCHAMIID:      openCHAMIID,
 			NonEnforcing:     nonEnforcing,
-			PolicyEngine:     policyEngineConfig,
 			OIDCIssuerURL:    oidcIssuerURL,
 			OIDCClientID:     oidcClientID,
 			OIDCClientSecret: oidcClientSecret,
@@ -109,46 +100,5 @@ func init() {
 	serveCmd.Flags().StringVar(&keyDir, "key-dir", "", "Directory to save key files")
 	serveCmd.Flags().BoolVar(&nonEnforcing, "non-enforcing", false, "Skip validation checks and only log errors")
 
-	// Policy engine flags
-	serveCmd.Flags().StringVar(&policyEngineType, "policy-engine", "static", "Policy engine type (static, file-based)")
-	serveCmd.Flags().StringVar(&policyConfigPath, "policy-config", "", "Path to policy configuration file (for file-based engine)")
-
 	rootCmd.AddCommand(serveCmd)
 }
-
-// createPolicyEngineConfig creates a policy engine configuration based on command-line flags
-func createPolicyEngineConfig() (*tokenservice.PolicyEngineConfig, error) {
-	switch policyEngineType {
-	case "static":
-		return &tokenservice.PolicyEngineConfig{
-			Type: tokenservice.PolicyEngineTypeStatic,
-			Static: &policy.StaticEngineConfig{
-				Name:          "tokensmith-static-engine",
-				Version:       "1.0.0",
-				Scopes:        []string{"read", "write"},
-				Audiences:     []string{"smd", "bss", "cloud-init"},
-				Permissions:   []string{"read:basic", "write:basic"},
-				TokenLifetime: func() *time.Duration { d := time.Hour; return &d }(),
-				AdditionalClaims: map[string]interface{}{
-					"policy_engine": "static",
-					"version":       "1.0.0",
-				},
-			},
-		}, nil
-	case "file-based":
-		if policyConfigPath == "" {
-			return nil, fmt.Errorf("policy-config path is required for file-based policy engine")
-		}
-		return &tokenservice.PolicyEngineConfig{
-			Type: tokenservice.PolicyEngineTypeFileBased,
-			FileBased: &policy.FileBasedEngineConfig{
-				Name:           "tokensmith-file-engine",
-				Version:        "1.0.0",
-				ConfigPath:     policyConfigPath,
-				ReloadInterval: func() *time.Duration { d := 5 * time.Minute; return &d }(),
-			},
-		}, nil
-	default:
-		return nil, fmt.Errorf("unsupported policy engine type: %s", policyEngineType)
-	}
-}