diff options
Diffstat (limited to 'pkg/authz/check_service.go')
| -rw-r--r-- | pkg/authz/check_service.go | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go new file mode 100644 index 0000000..ff4e92a --- /dev/null +++ b/pkg/authz/check_service.go @@ -0,0 +1,114 @@ +package authz + +import ( + "context" + "strings" + + core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" + auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" + types "github.com/envoyproxy/go-control-plane/envoy/type/v3" + "github.com/xlgmokha/x/pkg/log" + "github.com/xlgmokha/x/pkg/x" + status "google.golang.org/genproto/googleapis/rpc/status" + "google.golang.org/grpc/codes" +) + +type CheckService struct { + auth.UnimplementedAuthorizationServer +} + +func (svc *CheckService) Check(ctx context.Context, request *auth.CheckRequest) (*auth.CheckResponse, error) { + if svc.isAllowed(ctx, request) { + return svc.OK(ctx), nil + } + return svc.Denied(ctx), nil +} + +// TODOD:: Replace with a PaC language +func (svc *CheckService) isPublic(ctx context.Context, r *auth.CheckRequest) bool { + allowed := map[string]bool{ + "GET:/": true, + "GET:/application.js": true, + "GET:/callback": true, + "GET:/dashboard/nav": true, + "GET:/favicon.ico": true, + "GET:/favicon.png": true, + "GET:/health": true, + "GET:/index.html": true, + "GET:/logo.png": true, + "GET:/signout": true, + "GET:/sparkle": true, + "GET:/sparkles": true, + "POST:/sparkles/restore": true, + } + ok, _ := allowed[strings.Join([]string{ + r.Attributes.Request.Http.Method, + r.Attributes.Request.Http.Path, + }, ":")] + return ok +} + +func (svc *CheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bool { + if !svc.validRequest(ctx, r) { + return false + } + + log.WithFields(ctx, svc.fieldsFor(r)) + return svc.isLoggedIn(ctx, r) || svc.isPublic(ctx, r) +} + +func (svc *CheckService) validRequest(ctx context.Context, r *auth.CheckRequest) bool { + return x.IsPresent(r) && + x.IsPresent(r.Attributes) && + x.IsPresent(r.Attributes.Request) && + x.IsPresent(r.Attributes.Request.Http) +} + +// TODO:: Replace this naive implementation +func (svc *CheckService) isLoggedIn(ctx context.Context, r *auth.CheckRequest) bool { + return x.IsPresent(r.Attributes.Request.Http.Headers["cookie"]) +} + +func (svc *CheckService) OK(ctx context.Context) *auth.CheckResponse { + log.WithFields(ctx, log.Fields{"authorized": true}) + return &auth.CheckResponse{ + Status: &status.Status{ + Code: int32(codes.OK), + }, + HttpResponse: &auth.CheckResponse_OkResponse{ + OkResponse: &auth.OkHttpResponse{ + Headers: []*core.HeaderValueOption{}, + HeadersToRemove: []string{}, + ResponseHeadersToAdd: []*core.HeaderValueOption{}, + }, + }, + } +} + +func (svc *CheckService) Denied(ctx context.Context) *auth.CheckResponse { + log.WithFields(ctx, log.Fields{"authorized": false}) + return &auth.CheckResponse{ + Status: &status.Status{ + Code: int32(codes.PermissionDenied), + }, + HttpResponse: &auth.CheckResponse_DeniedResponse{ + DeniedResponse: &auth.DeniedHttpResponse{ + Status: &types.HttpStatus{ + Code: types.StatusCode_Unauthorized, + }, + Headers: []*core.HeaderValueOption{}, + }, + }, + } +} + +func (svc *CheckService) fieldsFor(r *auth.CheckRequest) log.Fields { + return log.Fields{ + "id": r.Attributes.Request.Http.Id, + "method": r.Attributes.Request.Http.Method, + "path": r.Attributes.Request.Http.Path, + "host": r.Attributes.Request.Http.Host, + "scheme": r.Attributes.Request.Http.Scheme, + "protocol": r.Attributes.Request.Http.Protocol, + } +} |