From 2bb5b3ce0e618ab652159b986df252990f3d2f12 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Fri, 23 May 2025 17:26:45 -0600
Subject: feat: delegate to the remote authzd to check if the permission is granted

---
 pkg/authz/check_service.go | 25 +++++++++++++++++++++++--
 pkg/authz/id_token.go      |  2 +-
 pkg/authz/server.go        | 10 +++++++++-
 3 files changed, 33 insertions(+), 4 deletions(-)

(limited to 'pkg')

diff --git a/pkg/authz/check_service.go b/pkg/authz/check_service.go
index 3c4426a..0d5567a 100644
--- a/pkg/authz/check_service.go
+++ b/pkg/authz/check_service.go
@@ -10,6 +10,7 @@ import (
 	types "github.com/envoyproxy/go-control-plane/envoy/type/v3"
 	"github.com/xlgmokha/x/pkg/log"
 	"github.com/xlgmokha/x/pkg/x"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/rpc"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
 	status "google.golang.org/genproto/googleapis/rpc/status"
 	"google.golang.org/grpc/codes"
@@ -17,6 +18,13 @@ import (
 
 type CheckService struct {
 	auth.UnimplementedAuthorizationServer
+	ability rpc.Ability
+}
+
+func NewCheckService(ability rpc.Ability) *CheckService {
+	return &CheckService{
+		ability: ability,
+	}
 }
 
 func (svc *CheckService) Check(ctx context.Context, request *auth.CheckRequest) (*auth.CheckResponse, error) {
@@ -56,7 +64,7 @@ func (svc *CheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bo
 	}
 
 	log.WithFields(ctx, svc.fieldsFor(r))
-	return svc.isLoggedIn(ctx, r) || svc.isPublic(ctx, r)
+	return svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r)
 }
 
 func (svc *CheckService) validRequest(ctx context.Context, r *auth.CheckRequest) bool {
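Review bot: `NewCheckService` takes the `rpc.Ability` the service now depends on but neither documents it nor rejects a nil value, and the zero-value `CheckService{}` that the server used to construct is now unusable: its `ability` field is nil and the first authenticated request would call a method on a nil interface in `isLoggedIn` and panic per request instead of at startup. A doc comment on the exported constructor should state the contract, e.g. `// NewCheckService returns an ext_authz CheckService that delegates permission decisions for authenticated callers to the given authzd Ability client; ability must be non-nil.`, and a guard such as `if ability == nil { panic("authz: NewCheckService requires a non-nil Ability") }` turns a wiring mistake into a startup failure. The `isAllowed` hunk on the same line only swaps the order of the two checks so that public paths are answered without a round trip to authzd; that looks intentional and needs no change, though a one-line comment saying the short-circuit is deliberate would help the next reader.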
@@ -90,7 +98,20 @@ func (svc *CheckService) isLoggedIn(ctx context.Context, r *auth.CheckRequest) b
 			pls.LogError(ctx, err)
 			return false
 		}
-		return x.IsPresent(idToken)
+		if x.IsZero(idToken) {
+			return false
+		}
+
+		reply, err := svc.ability.Allowed(ctx, &rpc.AllowRequest{
+			Subject:    idToken.Subject,
+			Permission: r.Attributes.Request.Http.Method,
+			Resource:   r.Attributes.Request.Http.Path,
+		})
+		if err != nil {
+			pls.LogError(ctx, err)
+			return false
+		}
+		return reply.Result
 	}
 	return false
 }
diff --git a/pkg/authz/id_token.go b/pkg/authz/id_token.go
index b647161..ccc96de 100644
--- a/pkg/authz/id_token.go
+++ b/pkg/authz/id_token.go
@@ -9,7 +9,7 @@ import (
 )
 
 type IDToken struct {
-	Audience      []string `json:"aud"`
+	// Audience      []string `json:"aud"`
 	Email         string   `json:"email"`
 	EmailVerified bool     `json:"email_verified"`
 	ExpiredAt     int64    `json:"exp"`
diff --git a/pkg/authz/server.go b/pkg/authz/server.go
index 49bcd3d..b890387 100644
--- a/pkg/authz/server.go
+++ b/pkg/authz/server.go
@@ -2,11 +2,15 @@ package authz
 
 import (
 	"context"
+	"net/http"
 
 	auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	"github.com/xlgmokha/x/pkg/env"
 	"github.com/xlgmokha/x/pkg/log"
 	"github.com/xlgmokha/x/pkg/x"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/rpc"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/reflection"
 )
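Review bot: The `Resource` sent to authzd is the raw `r.Attributes.Request.Http.Path`, which in Envoy's ext_authz `AttributeContext` is the request target as written on the request line — it carries the query string and is not normalized — so the remote decision is keyed on attacker-controlled text that `/foo?x=1`, `/foo/`, `//foo` or `/bar/../foo` can vary while the upstream serves the same resource, unless authzd canonicalizes on its side (not visible here). I would strip the query and clean the path before building the `AllowRequest`, and document that `Permission`/`Resource` are the HTTP method and the canonical path, so both services agree on what is being authorized; this needs `net/url` and `path` imported in check_service.go. The fail-closed handling already present (`return false` on a zero token and on any client error) is the right default and should stay. `isLoggedIn` begins before this hunk, so the source of `idToken` and `err` is outside view.
```go
		// Authorize on the canonical path only: Http.Path is the raw request
		// target (path plus query string) and is attacker-controlled.
		target, err := url.ParseRequestURI(r.Attributes.Request.Http.Path)
		if err != nil {
			pls.LogError(ctx, err)
			return false
		}
		reply, err := svc.ability.Allowed(ctx, &rpc.AllowRequest{
			Subject:    idToken.Subject,
			Permission: r.Attributes.Request.Http.Method,
			Resource:   path.Clean(target.Path),
		})
		// … unchanged: error handling and return reply.Result …
```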
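Review bot: Commenting out `Audience` removes the `aud` claim from the parsed ID token, so nothing in this type can check that the token was issued for this service; a token minted by the same issuer for another relying party would pass any validation that depends only on the remaining fields (whether the verifier consulted `Audience` is outside this hunk). If the motivation is that the IdP emits `aud` as a plain string rather than an array — the usual cause of an unmarshal failure on `[]string` — the fix is a small custom type whose `UnmarshalJSON` accepts both forms, keeping the audience check rather than dropping the field. If dropping it is intended, replace the commented-out code with a comment stating why audience is not validated here, e.g. `// aud intentionally not parsed: audience is enforced upstream by <component>; see <issue>`, so the gap is recorded rather than silent. `IDToken` continues past this hunk.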
@@ -17,12 +21,16 @@ type Server struct {
 
 func New(ctx context.Context, options ...grpc.ServerOption) *Server {
 	logger := log.From(ctx)
+
 	server := grpc.NewServer(x.Prepend(
 		options,
 		grpc.UnaryInterceptor(pls.LogGRPC(logger)),
 		grpc.StreamInterceptor(pls.LogGRPCStream(logger)),
 	)...)
-	auth.RegisterAuthorizationServer(server, &CheckService{})
+	auth.RegisterAuthorizationServer(server, NewCheckService(rpc.NewAbilityProtobufClient(
+		env.Fetch("AUTHZD_HOST", "https://authzd.staging.runway.gitlab.net"),
+		&http.Client{Transport: &web.Transport{Logger: logger}},
+	)))
 	reflection.Register(server)
 
 	return &Server{
-- 
cgit v1.2.3
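Review bot: The authzd client built here has no timeout — `&http.Client{Transport: &web.Transport{Logger: logger}}` leaves `Timeout` at zero — and unless `web.Transport` or the per-request ctx bounds the call (neither is visible here), a stalled authzd pins every Envoy check that reaches `isLoggedIn` for as long as Envoy waits and can exhaust this gRPC server; set `Timeout: 5 * time.Second` (or a value at or below Envoy's ext_authz timeout) on the client, importing `time`. The fallback `env.Fetch("AUTHZD_HOST", "https://authzd.staging.runway.gitlab.net")` also bakes a staging authorizer into the binary, so a production deployment that forgets the variable would silently ask staging to authorize production traffic; I would default to an empty string and fail startup when it is unset, and say so in a doc comment on `New`, which is exported and currently undocumented (e.g. `// New builds the ext_authz gRPC server; permission checks are delegated to the authzd instance named by AUTHZD_HOST, which must be set.`). `New`'s body continues past the hunk (`return &Server{` is cut).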