Enable real RAJEE auth verification #21
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add envoy_on_response() stub to authorize.lua to prevent Lua filter warning - Configure internal_address_config with RFC1918 CIDR ranges in envoy.yaml.tmpl Co-Authored-By: Claude <noreply@anthropic.com>
This change implements the deployment optimization proposal from specs/2-rajee/14-deployment-optimization.md, combining Solution 1 (ECR with content-based tags) and Solution 2 (improved asset excludes). Changes: - Add ECR repository to RajeeEnvoyStack with lifecycle policy - Update task definition to use ECR image when IMAGE_TAG is set - Fall back to building from source if IMAGE_TAG not provided - Improve asset excludes list to prevent spurious rebuilds - Add build-envoy-image.sh script for building and pushing images - Add poe tasks: build-envoy and build-envoy-push - Update documentation with new fast deployment workflow Benefits: - No-op deployments complete in 0-30s (vs 3-5 minutes) - Code-change deployments benefit from Docker layer caching - Decouples image building from CDK deployment - Maintains backward compatibility with inline builds Co-Authored-By: Claude <noreply@anthropic.com>
Enhanced test_rajee_envoy_auth_with_real_grants and test_rajee_envoy_auth_denies_unauthorized_prefix to provide clear evidence that RAJA is performing authorization: - Show JWT token issuance from RAJA control plane - Display grants decoded from token (compiled from Cedar policies) - Demonstrate local RAJA authorization checks with logging - Prove Envoy external auth filter validates tokens - Show both authorized (200) and denied (403) cases - Add step-by-step proof documentation Created RAJA_INTEGRATION_PROOF.md summarizing the evidence and architecture flow confirmed by the tests. Co-Authored-By: Claude <noreply@anthropic.com>
…tion Corrected documentation and test output to reflect the actual implementation: - Envoy uses JWT authentication filter for signature validation (not external auth) - Envoy uses Lua filter (authorize.lua) for RAJA authorization, not Lambda - Two-stage process: JWT filter validates signature, Lua filter checks grants - Added technical implementation details showing Envoy configuration - Clarified that authorization happens in-process (Lua) not via external call This addresses the confusion about "external auth filter" - RAJA authorization is performed by the Lua filter embedded in Envoy, not an external Lambda. Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Add smart deployment with automatic fast/bootstrap path selection: - Check if ECR exists before choosing deployment strategy - First deployment uses bootstrap (inline build) to create ECR - Subsequent deployments automatically use fast path (pre-built images) - Simplified workflow: just run ./poe deploy Changes: - Add check_ecr_ready.sh script to detect ECR availability - Update deploy task to auto-select fast vs bootstrap path - Add deploy-fast and deploy-bootstrap for manual control - Simplify documentation: ./poe deploy just works - Fix _deploy-with-tag to call deploy-fast (not deploy) Benefits: - Zero configuration needed - deployment picks optimal path - ./poe all automatically uses fast path when available - No manual IMAGE_TAG exports or conditional logic needed - Bootstrap path only used when necessary Co-Authored-By: Claude <noreply@anthropic.com>
The _deploy-with-tag task was calling deploy-fast, which called _deploy-with-tag again, creating an infinite loop that built and pushed the image repeatedly. Fix: Rename to _deploy-with-image-tag and call _cdk-deploy directly instead of recursing back to deploy-fast. Co-Authored-By: Claude <noreply@anthropic.com>
Changed _deploy-with-image-tag from shell with && chaining to proper poe sequence. Created _cdk-deploy-with-tag that sets IMAGE_TAG in the same shell as the cdk deploy command. Co-Authored-By: Claude <noreply@anthropic.com>
Suppress DL3001 warning for AUTH_DISABLED environment variable as it's a configuration flag (true/false), not sensitive credential data. Co-Authored-By: Claude <noreply@anthropic.com>
Move check=skip directive to top of Dockerfile to properly suppress SecretsUsedInArgOrEnv warning. AUTH_DISABLED is a boolean config flag, not sensitive credential data. Co-Authored-By: Claude <noreply@anthropic.com>
This reverts commit 66f4151.
This reverts commit 1e70091.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Testing