From 1ab4de8ec28d4fdd46cd9b3e246eea4a85ca6b6c Mon Sep 17 00:00:00 2001
From: mo khan
Date: Fri, 23 May 2025 17:56:39 -0600
Subject: feat: delegate call to remote rpc if permission is required

---
 pkg/authz/check_service.go | 78 +++++++++++++++++++++++++++++-----------------
 1 file changed, 49 insertions(+), 29 deletions(-)

(limited to 'pkg/authz')

diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go
index 0d5567a..13b4017 100644
--- a/pkg/authz/check_service.go
+++ b/pkg/authz/check_service.go
@@ -8,6 +8,7 @@ import (
 core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 types "github.com/envoyproxy/go-control-plane/envoy/type/v3"
+ "github.com/xlgmokha/x/pkg/env"
 "github.com/xlgmokha/x/pkg/log"
 "github.com/xlgmokha/x/pkg/x"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/rpc"
@@ -16,6 +17,30 @@ import (
 "google.golang.org/grpc/codes"
 )
 
+var public map[string]bool = map[string]bool{
+ "GET:/": true,
+ "GET:/application.js": true,
+ "GET:/callback": true,
+ "GET:/dashboard/nav": true,
+ "GET:/favicon.ico": true,
+ "GET:/favicon.png": true,
+ "GET:/health": true,
+ "GET:/index.html": true,
+ "GET:/logo.png": true,
+ "GET:/signout": true,
+ "GET:/sparkle": true,
+ "GET:/sparkles": true,
+ "POST:/sparkles/restore": true,
+}
+
+var permissions map[string]string = map[string]string{
+ "GET:/dashboard": "read_dashboard",
+ "GET:/signout": "destroy_session",
+ "GET:/sparkles": "read_sparkles",
+ "POST:/sparkles": "create_sparkles",
+ "POST:/sparkles/restore": "restore_sparkles",
+}
+
 type CheckService struct {
 auth.UnimplementedAuthorizationServer
 ability rpc.Ability
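Review bot: `public` and `permissions` both list `GET:/signout`, `GET:/sparkles` and `POST:/sparkles/restore`, so whichever table `Check` consults first (its body is outside this hunk) decides whether those three routes ever require `destroy_session`, `read_sparkles` or `restore_sparkles`; if `isPublic` runs first, those three permission entries are dead. Either drop the three keys from `public` or add a comment above `permissions` stating that public routes take precedence. The explicit type on both sides of each declaration is redundant; `var public = map[string]bool{` and `var permissions = map[string]string{` read cleaner. Both tables also need a doc comment, e.g. `// public lists the "METHOD:path" keys served without any authentication.` and `// permissions maps "METHOD:path" keys to the ability name checked for authenticated requests.`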
@@ -34,27 +59,8 @@ func (svc *CheckService) Check(ctx context.Context, request *auth.CheckRequest)
 return svc.Denied(ctx), nil
 }
 
-// TODOD:: Replace with a PaC language
 func (svc *CheckService) isPublic(ctx context.Context, r *auth.CheckRequest) bool {
- allowed := map[string]bool{
- "GET:/": true,
- "GET:/application.js": true,
- "GET:/callback": true,
- "GET:/dashboard/nav": true,
- "GET:/favicon.ico": true,
- "GET:/favicon.png": true,
- "GET:/health": true,
- "GET:/index.html": true,
- "GET:/logo.png": true,
- "GET:/signout": true,
- "GET:/sparkle": true,
- "GET:/sparkles": true,
- "POST:/sparkles/restore": true,
- }
- ok, _ := allowed[strings.Join([]string{
- r.Attributes.Request.Http.Method,
- r.Attributes.Request.Http.Path,
- }, ":")]
+ ok, _ := public[svc.keyFor(r.Attributes.Request.Http)]
 return ok
 }
 
@@ -102,16 +108,22 @@ func (svc *CheckService) isLoggedIn(ctx context.Context, r *auth.CheckRequest) b
 return false
 }
 
- reply, err := svc.ability.Allowed(ctx, &rpc.AllowRequest{
- Subject: idToken.Subject,
- Permission: r.Attributes.Request.Http.Method,
- Resource: r.Attributes.Request.Http.Path,
- })
- if err != nil {
- pls.LogError(ctx, err)
- return false
+ if env.Fetch("APP_ENV", "") == "development" {
+ permission := svc.permissionFor(r.Attributes.Request.Http)
+ if x.IsPresent(permission) {
+ reply, err := svc.ability.Allowed(ctx, &rpc.AllowRequest{
+ Subject: idToken.Subject,
+ Permission: permission,
+ Resource: "gid://sparkled/" + r.Attributes.Request.Http.Path,
+ })
+ if err != nil {
+ pls.LogError(ctx, err)
+ return false
+ }
+ return reply.Result
+ }
 }
- return reply.Result
+ return true
 }
 return false
 }
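Review bot: `ok, _ := public[svc.keyFor(r.Attributes.Request.Http)]` keeps the map value and discards the presence flag, so the variable named `ok` is just the boolean stored in the table; `return public[svc.keyFor(r.Attributes.Request.Http)]` expresses the same thing without the misleading name. The lookup is an exact match on `METHOD:path`, which fails closed for any variant of a listed path, and a one-line comment saying so (`// exact match only; unlisted variants are treated as non-public`) would save the next reader from checking. isPublic's caller is outside the hunk.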
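Review bot: The remote `svc.ability.Allowed` check is now reached only when `env.Fetch("APP_ENV", "")` returns `"development"`; in every other environment an authenticated subject falls straight through to `return true`, so the `permissions` table is not enforced outside development and the previous fail-closed handling of an RPC error no longer applies there. Unless the RPC is genuinely unavailable outside development, drop the `APP_ENV` wrapper so that any route with a mapped permission is always checked, and if it is a deliberate staged rollout say so in a comment next to the gate. A route with no mapping is allowed for any logged-in subject, and since `keyFor` (final hunk) does no normalisation that includes any `Path` that still carries a query string if Envoy's `:path` is passed through unchanged; make that explicit with `// routes without a mapped permission are open to any authenticated subject` or deny by default. `"gid://sparkled/" + r.Attributes.Request.Http.Path` yields `gid://sparkled//sparkles` for the `/sparkles` keys in `permissions`; confirm the ability service expects the doubled slash or trim the leading `/`. isLoggedIn begins outside the hunk.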
@@ -159,3 +171,11 @@ func (svc *CheckService) fieldsFor(r *auth.CheckRequest) log.Fields {
 "protocol": r.Attributes.Request.Http.Protocol,
 }
 }
+
+func (svc *CheckService) permissionFor(r *auth.AttributeContext_HttpRequest) string {
+ return permissions[svc.keyFor(r)]
+}
+
+func (svc *CheckService) keyFor(r *auth.AttributeContext_HttpRequest) string {
+ return strings.Join([]string{r.Method, r.Path}, ":")
+}
-- 
cgit v1.2.3
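Review bot: `keyFor` and `permissionFor` carry no doc comments, and the key format they share with the `public` and `permissions` tables is implicit; suggest `// keyFor returns the "METHOD:path" key under which public and permissions are indexed; no normalisation is applied.` and `// permissionFor returns the ability name mapped to r, or "" when the route has no entry.` The empty-string return is what the caller tests with `x.IsPresent`, so documenting it is what keeps that contract visible. Neither method reads `svc`, so they could be plain package functions, though keeping the receiver is harmless.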