1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
use envoy_types::ext_authz::v3::CheckResponseExt;
use envoy_types::ext_authz::v3::pb::{CheckRequest, CheckResponse};
use tonic::{Request, Response, Status};
trait Authorizer {
fn authorize(&self, request: CheckRequest) -> bool;
}
struct CedarAuthorizer {}
impl CedarAuthorizer {
fn new() -> CedarAuthorizer {
return CedarAuthorizer {};
}
}
impl Authorizer for CedarAuthorizer {
fn authorize(&self, request: CheckRequest) -> bool {
let headers = request
.attributes
.as_ref()
.and_then(|attr| attr.request.as_ref())
.and_then(|req| req.http.as_ref())
.map(|http| &http.headers)
.unwrap();
if let Some(authorization) = headers.get("authorization") {
if authorization == "Bearer valid-token" {
return true;
}
}
return false;
}
}
#[derive(Debug, Default)]
pub struct CheckService;
#[tonic::async_trait]
impl envoy_types::ext_authz::v3::pb::Authorization for CheckService {
async fn check(
&self,
request: Request<CheckRequest>,
) -> Result<Response<CheckResponse>, Status> {
let request = request.into_inner();
let authorizer = CedarAuthorizer::new();
if authorizer.authorize(request) {
return Ok(Response::new(CheckResponse::with_status(Status::ok("OK"))));
}
return Ok(Response::new(CheckResponse::with_status(
Status::unauthenticated("Unauthorized"),
)));
}
}
#[cfg(test)]
mod tests {
use super::*;
use envoy_types::ext_authz::v3::pb::{Authorization, CheckRequest};
use std::collections::HashMap;
use tonic::Request;
fn create_test_request_with_headers(headers: HashMap<String, String>) -> Request<CheckRequest> {
use envoy_types::pb::envoy::service::auth::v3::{AttributeContext, attribute_context};
let http_request = attribute_context::HttpRequest {
headers,
..Default::default()
};
let request_context = attribute_context::Request {
http: Some(http_request),
..Default::default()
};
let attributes = AttributeContext {
request: Some(request_context),
..Default::default()
};
let check_request = CheckRequest {
attributes: Some(attributes),
..Default::default()
};
Request::new(check_request)
}
fn create_headers_with_auth(auth_value: &str) -> HashMap<String, String> {
let mut headers = HashMap::new();
headers.insert("authorization".to_string(), auth_value.to_string());
headers
}
#[tokio::test]
async fn test_check_allows_valid_bearer_token() {
let token = String::from("valid-token");
let server = CheckService::default();
let headers = create_headers_with_auth(&format!("Bearer {}", token));
let request = create_test_request_with_headers(headers);
let response = server.check(request).await;
assert!(response.is_ok());
let check_response = response.unwrap().into_inner();
assert!(check_response.status.is_some());
let status = check_response.status.unwrap();
assert_eq!(status.code, tonic::Code::Ok.into());
}
#[tokio::test]
async fn test_check_denies_invalid_bearer_token() {
let server = CheckService::default();
let request = create_test_request_with_headers(HashMap::new());
let response = server.check(request).await;
assert!(response.is_ok());
let check_response = response.unwrap().into_inner();
assert!(check_response.status.is_some());
let status = check_response.status.unwrap();
assert_eq!(status.code, tonic::Code::Unauthenticated.into());
}
}
|
