diff options
Diffstat (limited to 'pkg/authz')
| -rw-r--r-- | pkg/authz/casbin.go | 43 | ||||
| -rw-r--r-- | pkg/authz/cedar.go | 53 |
2 files changed, 96 insertions, 0 deletions
diff --git a/pkg/authz/casbin.go b/pkg/authz/casbin.go new file mode 100644 index 00000000..99dcc8ec --- /dev/null +++ b/pkg/authz/casbin.go @@ -0,0 +1,43 @@ +package authz + +import ( + "fmt" + "net" + "net/http" + + "github.com/casbin/casbin/v3" + "github.com/xlgmokha/x/pkg/x" + xlog "gitlab.com/mokhax/spike/pkg/log" +) + +func WithCasbin() Authorizer { + enforcer := x.Must(casbin.NewEnforcer("casbin.conf", "casbin.csv")) + + return AuthorizerFunc(func(r *http.Request) bool { + host, _, err := net.SplitHostPort(r.Host) + if err != nil { + xlog.WithFields(r, xlog.Fields{"error": err}) + return false + } + + subject, found := TokenFrom(r).Subject() + if !found { + subject = "*" + } + ok, err := enforcer.Enforce(subject, host, r.Method, r.URL.Path) + if err != nil { + xlog.WithFields(r, xlog.Fields{"error": err}) + return false + } + + fmt.Printf("%v: %v -> %v %v%v\n", ok, subject, r.Method, host, r.URL.Path) + xlog.WithFields(r, xlog.Fields{ + "ok": ok, + "subject": subject, + "action": r.Method, + "domain": host, + "object": r.URL.Path, + }) + return ok + }) +} diff --git a/pkg/authz/cedar.go b/pkg/authz/cedar.go new file mode 100644 index 00000000..1d952651 --- /dev/null +++ b/pkg/authz/cedar.go @@ -0,0 +1,53 @@ +package authz + +import ( + "encoding/json" + "fmt" + "net" + "net/http" + "os" + + cedar "github.com/cedar-policy/cedar-go" + "github.com/cedar-policy/cedar-go/types" + "github.com/xlgmokha/x/pkg/x" + xlog "gitlab.com/mokhax/spike/pkg/log" +) + +func WithCedar() Authorizer { + var policy cedar.Policy + x.Check(policy.UnmarshalCedar(x.Must(os.ReadFile("cedar.conf")))) + + policies := cedar.NewPolicySet() + policies.Add("cedar.conf", &policy) + + var entities cedar.EntityMap + if err := json.Unmarshal(x.Must(os.ReadFile("cedar.json")), &entities); err != nil { + xlog.Logger.Error("Error", "error", err) + return nil + } + + return AuthorizerFunc(func(r *http.Request) bool { + host, _, err := net.SplitHostPort(r.Host) + if err != nil { + return false + } + + subject, found := TokenFrom(r).Subject() + if !found { + subject = "*" + } + + req := cedar.Request{ + Principal: cedar.NewEntityUID("Subject", cedar.String(subject)), + Action: cedar.NewEntityUID("Action", cedar.String(r.Method)), + Resource: cedar.NewEntityUID("Path", cedar.String(r.URL.Path)), + Context: cedar.NewRecord(cedar.RecordMap{ + "Host": cedar.String(host), + }), + } + + ok, diagnostic := policies.IsAuthorized(entities, req) + fmt.Printf("%v: %v -> %v %v%v %v\n", ok, subject, r.Method, host, r.URL.Path, diagnostic.Reasons) + return ok == types.Allow + }) +} |