Fix spec typo, wire Cognito groups to OPA, clean up stale files #7
Merged
- spec: fix reference impl filename (ztxp-v0.2.py to ztxpv0.2.py) and repo URL (cliffbell to cjb00)
- cognito: add writer/admin user pool groups; parameterise callback and logout URLs; move variables from typo'd cariables.tf into proper variables.tf
- pep: extract cognito:groups from JWT claims and include in TAM subject block so OPA can evaluate group-based write/admin rules
- tests: add 4 new PEP tests covering group extraction and JWT decode edge cases
- cleanup: delete stale authz.rego.txt backup file

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

- spec: fix reference impl filename (ztxp-v0.2.py → ztxpv0.2.py) and repo URL (cliffbell → cjb00)
- cognito: add writer and admin Cognito user pool groups that map directly to OPA policy groups; parameterise callback_urls/logout_urls so they no longer hardcode example.com; rename the typo'd cariables.tf → variables.tf
- pep: extract cognito:groups from JWT claims and include them in the TAM subject.groups field — this was the missing link that prevented OPA write/admin rules from ever firing
- cleanup: delete stale authz.rego.txt backup file

Test plan

- pytest ztxb-aws-lab/tests/
- opa test ztxb-aws-lab/app/pdp/policy/

Generated with Claude Code
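The PEP change described above (pull cognito:groups out of the JWT claims, normalise it, and hand it to the PDP in the subject block) is the kind of code where the edge cases matter: the claim is absent for users in no group, Cognito tokens are base64url without padding, and a sloppy decoder that returns partial data on malformed input would let a bad token reach the policy with an empty or wrong groups list. The block below is an added example and not the PR's or the project's code. It assumes the token's signature, issuer and expiry were already verified upstream (this code only parses), and the helper names, the subject field names, and the `is_allowed` stand-in for the Rego write/admin rules are all hypothetical; the sample claims are constructed.

```python
"""Added example: extract Cognito groups from a verified JWT and build the
subject block a PDP evaluates. Not the PR's code; names are illustrative."""
import base64
import json

# Constructed sample claims in the shape a Cognito access token carries.
SAMPLE_CLAIMS = {
    "sub": "11111111-2222-3333-4444-555555555555",
    "cognito:username": "alice",
    "cognito:groups": ["writer"],
    "token_use": "access",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims) -> str:
    """Test fixture only: compact JWT with a placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    Assumption: signature, issuer and expiry were verified upstream (e.g.
    against the user pool JWKS); this function only parses. Any malformed
    input raises ValueError instead of yielding partial claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise ValueError(f"malformed JWT payload: {exc}") from exc
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def extract_groups(claims: dict) -> list:
    """Normalise cognito:groups to a sorted, de-duplicated list of names.

    Handled edge cases: claim absent (no groups), claim given as a single
    string, non-string or empty entries (dropped), any other type (rejected).
    """
    raw = claims.get("cognito:groups")
    if raw is None:
        return []
    if isinstance(raw, str):
        raw = [raw]
    if not isinstance(raw, list):
        raise ValueError("cognito:groups must be a list of group names")
    return sorted({g for g in raw if isinstance(g, str) and g})


def build_subject(claims: dict) -> dict:
    """Subject block sent to the PDP; group rules key on subject['groups']."""
    return {
        "id": claims.get("sub"),
        "username": claims.get("cognito:username"),
        "groups": extract_groups(claims),
    }


# Hypothetical stand-in for the Rego write/admin rules so the example runs
# offline; the real decision is made by OPA, not here.
WRITE_GROUPS = {"writer", "admin"}
ADMIN_GROUPS = {"admin"}


def is_allowed(subject: dict, action: str) -> bool:
    """Default deny: only listed actions with a matching group are allowed."""
    groups = set(subject["groups"])
    if action == "read":
        return subject["id"] is not None
    if action == "write":
        return bool(groups & WRITE_GROUPS)
    if action == "admin":
        return bool(groups & ADMIN_GROUPS)
    return False


def raises_value_error(fn, *args) -> bool:
    """Small probe used to check that malformed input is rejected."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    subject = build_subject(decode_jwt_claims(make_unsigned_token(SAMPLE_CLAIMS)))
    print(subject, is_allowed(subject, "write"), is_allowed(subject, "admin"))
```

The reason `extract_groups` rejects an unexpected claim type instead of silently returning an empty list is that an empty groups list is itself a valid, privilege-reducing state; conflating "no groups" with "unparseable groups" hides the malformed-token case from whoever reads the PDP logs.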