Add support for authorization

[omerlh]

Currently, AirBag supports only authentication. Let's add support for authorization!
What we can do?
Define a mapping between claims to paths. For example:

[
{
   "path": "/api/v1/secure"
   "claims":
   {
       "key": "scope",
       "value": ["super-secure"]
}
]

Another issues is how you tests your service configuration.
What do you think?

[Yshayy]

I think AirBag shares lots of functionality with OPA.
It might be possible to use OPA as alternative as rego is more expressive.
I think something like this:
Authority: "oidc/discovery endpoint"
Issuer: ...
Audience: ...

Policy: ./policies/auth.rego # or
Policies: ./policies

### policies/auth.rego

token = {"payload": payload} { io.jwt.decode(http_api.token, [_, payload, _]) }

default allow = false

# Allow specific app access to all paths/methods
allow {
  http_api.method = "GET"
  token.sub = "my-app-id"
}

# Allow user to get only his details
allow {
  token.sub = username
  http_api.method = "GET"
  http_api.path = ["users", "details", username]
}

# Allow users with group user-admin to get details for any user
allow {
  token.groups[_] = "user-admin"
  http_api.method = "GET"
  http_api.path = ["users", "details", _]
}

# Allow diagnostics services to check metrics/health endpoints
is_diagnostics_service {
    # can be kube master/nodes   
    # or/and Promethus pods when using stateful set
    request.ip = net.cidr_overlap(ip, "127.0.0.1/24") 
}


diagnostics_path {  http_api.path = ["metrics"] }
diagnostics_path {  http_api.path = ["health"] }

allow {
    http_api.method = "GET"
    diagnostics_path
    is_diagnostics_service
}