add support for http mw in v2 version #30

Merged
merged 7 commits into from
Feb 8, 2024
2 changes: 1 addition & 1 deletion .github/workflows/test.yaml
Expand Up @@ -23,7 +23,7 @@ jobs:
- name: Setup Go
uses: actions/setup-go@v2
with:
go-version: 1.15.x
go-version: 1.19.x
- name: Unit tests
if: ${{ !matrix.e2e }}
run: |
16 changes: 9 additions & 7 deletions cmd/authz_mw_cli/authz_mw_cli.go
Expand Up @@ -14,14 +14,15 @@ import (
"regexp"
"strings"

opamw "github.com/infobloxopen/atlas-authz-middleware/grpc_opa"
opacl "github.com/infobloxopen/atlas-authz-middleware/pkg/opa_client"
"github.com/infobloxopen/atlas-authz-middleware/v2/http_opa"
opacl "github.com/infobloxopen/atlas-authz-middleware/v2/pkg/opa_client"

"github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus/ctxlogrus"
"github.com/grpc-ecosystem/go-grpc-middleware/util/metautils"

logrus "github.com/sirupsen/logrus"

az "github.com/infobloxopen/atlas-authz-middleware/v2/common/authorizer"
"google.golang.org/grpc/metadata"
)

Expand Down Expand Up @@ -107,9 +108,10 @@ func validate(ctx context.Context, opaIpPort string) {
var decInputr MyDecisionInputr
decInputr.DecisionInput.DecisionDocument = decisionDoc

authzr := opamw.NewDefaultAuthorizer(app,
opamw.WithAddress(opaIpPort),
opamw.WithDecisionInputHandler(&decInputr),
//TODO: add a flag to indicate whether to use http authorizer or grpc authorizer, when grpc authorizer is implemented in v2
authzr := httpopa.NewHttpAuthorizer(app,
httpopa.WithAddress(opaIpPort),
httpopa.WithDecisionInputHandler(&decInputr),
)

resultCtx, resultErr := authzr.AffirmAuthorization(ctx, fullMethod, nil)
Expand Down Expand Up @@ -139,9 +141,9 @@ func acct_entitlements(ctx context.Context, opaIpPort string) {
}

type MyDecisionInputr struct {
opamw.DecisionInput
az.DecisionInput
}

func (d MyDecisionInputr) GetDecisionInput(ctx context.Context, fullMethod string, grpcReq interface{}) (*opamw.DecisionInput, error) {
func (d MyDecisionInputr) GetDecisionInput(ctx context.Context, fullMethod string, grpcReq interface{}) (*az.DecisionInput, error) {
return &d.DecisionInput, nil
}
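Review bot: L56 imports `github.com/infobloxopen/atlas-authz-middleware/v2/http_opa` with no alias while L78-L80 refer to it as `httpopa`, so the package clause must differ from its directory name; the sibling import on L59 is aliased explicitly as `opacl`. Making the alias explicit, `httpopa "github.com/infobloxopen/atlas-authz-middleware/v2/http_opa"`, keeps the two imports consistent and stops goimports or a reader from assuming the identifier is `http_opa`. The TODO on L77 means the CLI now exercises only the HTTP path to OPA; nothing in the hunk shows whether `WithAddress(opaIpPort)` implies plaintext HTTP, so the flag's help text should say which transport is used. validate's body continues outside the hunk.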
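--- a/common/authorizer/authorizer.go
+++ b/common/authorizer/authorizer.go
@@ -0,0 +1,26 @@
+package authorizer
+
+import "context"
+
+// OpaEvaluator implements calling OPA with a request and receiving the raw response
+type OpaEvaluator func(ctx context.Context, decisionDocument string, opaReq, opaResp interface{}) error
+
+type ClaimsVerifier func([]string, []string) (string, []error)
+
+// Authorizer interface is implemented for making arbitrary requests to Opa.
+type Authorizer interface {
+// Evaluate evaluates the authorization policy for the given request.
+// It takes the context, full method name, request object, and an OpaEvaluator as input.
+// It returns a boolean indicating whether the request is authorized, a modified context,
+// and an error if any.
+Evaluate(ctx context.Context, fullMethod string, req interface{}, opaEvaluator OpaEvaluator) (bool, context.Context, error)
+
+// OpaQuery executes a query against the OPA (Open Policy Agent) with the specified decision document.
+// If the decision document is an empty string, the query is executed against the default decision document
+// configured in OPA.
+// It takes the context, decision document name, OPA request object, and OPA response object as input.
+// It returns an error if any.
+OpaQuery(ctx context.Context, decisionDocument string, opaReq, opaResp interface{}) error
+
+AffirmAuthorization(ctx context.Context, fullMethod string, eq interface{}) (context.Context, error)
+}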
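Review bot: AffirmAuthorization on L123 is the only method of Authorizer without a doc comment, and its request parameter is named `eq` where Evaluate on L114 uses `req`, which reads like a typo. Since this is presumably the method an interceptor gates on, its contract should be spelled out, e.g. `// AffirmAuthorization evaluates the policy for fullMethod/req and returns the (possibly augmented) context on success; any non-nil error means the request must be rejected.` ClaimsVerifier on L106 is exported and undocumented as well; one line saying what the two string slices and the returned string are would help, since their meaning cannot be inferred from the signature. The fail-closed reading of AffirmAuthorization is a guess from its name and should be confirmed against the implementation before documenting it.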
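--- a/common/authorizer/decision_input.go
+++ b/common/authorizer/decision_input.go
@@ -0,0 +1,47 @@
+package authorizer
+
+import "context"
+
+// DecisionInput is app/service-specific data supplied by app/service ABAC requests
+type DecisionInput struct {
+Type string `json:"type"` // Object/resource-type to match
+Verb string `json:"verb"` // Verb to match
+SealCtx []interface{} `json:"ctx"` // Array of app/service-specific context data to match
+DecisionDocument string `json:"-"` // OPA decision document to query, by default "",
+// which is default decision document configured in OPA
+}
+
+// fullMethod is of the form "Service.FullMethod"
+type DecisionInputHandler interface {
+// GetDecisionInput returns an app/service-specific DecisionInput.
+// A nil DecisionInput should NOT be returned unless error.
+GetDecisionInput(ctx context.Context, fullMethod string, req interface{}) (*DecisionInput, error)
+}
+
+// DefaultDecisionInputer is an example DecisionInputHandler that is used as default
+type DefaultDecisionInputer struct{}
+
+func (m DefaultDecisionInputer) String() string {
+return "authorizer.DefaultDecisionInputer{}"
+}
+
+// GetDecisionInput is an example DecisionInputHandler that returns some decision input
+// based on some incoming Context values. App/services will most likely supply their
+// own DecisionInputHandler using WithDecisionInputHandler option.
+func (m *DefaultDecisionInputer) GetDecisionInput(ctx context.Context, fullMethod string, grpcReq interface{}) (*DecisionInput, error) {
+var abacType string
+if v, ok := ctx.Value(TypeKey).(string); ok {
+abacType = v
+}
+
+var abacVerb string
+if v, ok := ctx.Value(VerbKey).(string); ok {
+abacVerb = v
+}
+
+decInp := DecisionInput{
+Type: abacType,
+Verb: abacVerb,
+}
+return &decInp, nil
+}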
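Review bot: GetDecisionInput on L158-L173 silently falls back to empty Type and Verb when TypeKey/VerbKey are absent from the context, so a caller that never set them sends `{"type":"","verb":""}` to OPA and whether that is denied depends entirely on the policy. That is worth stating on the method: `// Missing TypeKey/VerbKey yield empty Type/Verb; the OPA policy must treat those as a deny, not a wildcard.` Separately, String on L151 uses a value receiver while GetDecisionInput on L158 uses a pointer receiver, so only `*DefaultDecisionInputer` satisfies DecisionInputHandler and a bare `DefaultDecisionInputer{}` value will not compile where the interface is expected; pick one receiver kind and add `var _ DecisionInputHandler = (*DefaultDecisionInputer)(nil)` to make the intended one explicit.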
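--- a/common/authorizer/literal.go
+++ b/common/authorizer/literal.go
@@ -0,0 +1,15 @@
+package authorizer
+
+// ABACKey is a context.Context key type
+type ABACKey string
+type ObligationKey string
+
+const (
+// DefaultValidatePath is default OPA path to perform authz validation
+DefaultValidatePath = "v1/data/authz/rbac/validate_v1"
+
+REDACTED = "redacted"
+TypeKey = ABACKey("ABACType")
+VerbKey = ABACKey("ABACVerb")
+ObKey = ObligationKey("obligations")
+)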
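Review bot: `REDACTED` on L188 is the only ALL_CAPS identifier in the new package; Go convention is MixedCaps (`Redacted`), and since it is exported and undocumented its purpose is unclear from this file — if it is carried over from the v1 API for compatibility, say so in a comment rather than renaming. TypeKey, VerbKey and ObKey on L189-L191 also lack doc comments; a one-liner such as `// TypeKey and VerbKey are the context keys DefaultDecisionInputer reads the ABAC type and verb from.` ties them to their consumer, and ObligationKey on L182 needs the same treatment as ABACKey on L181. DefaultValidatePath on L186 is a relative path with no leading slash, so a note on how it is joined with the configured OPA address would save the next reader a lookup.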
213 changes: 213 additions & 0 deletions common/authorizer/mock_Authorizer.go
