package authz import ( "context" "net/http" "strings" core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" types "github.com/envoyproxy/go-control-plane/envoy/type/v3" "github.com/xlgmokha/x/pkg/log" "github.com/xlgmokha/x/pkg/x" "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls" status "google.golang.org/genproto/googleapis/rpc/status" "google.golang.org/grpc/codes" ) var public map[string]bool = map[string]bool{ "GET:/": true, "GET:/application.js": true, "GET:/callback": true, "GET:/dashboard/nav": true, "GET:/favicon.ico": true, "GET:/favicon.png": true, "GET:/health": true, "GET:/htmx.js": true, "GET:/index.html": true, "GET:/logo.png": true, "GET:/pico.min.css": true, "GET:/signout": true, "GET:/sparkle": true, "GET:/sparkles": true, "GET:/vue.global.js": true, "POST:/sparkles/restore": true, } type CheckService struct { auth.UnimplementedAuthorizationServer } func NewCheckService() *CheckService { return &CheckService{} } func (svc *CheckService) Check(ctx context.Context, request *auth.CheckRequest) (*auth.CheckResponse, error) { if svc.isAllowed(ctx, request) { return svc.OK(ctx), nil } return svc.Denied(ctx), nil } func (svc *CheckService) isPublic(ctx context.Context, r *auth.CheckRequest) bool { ok, _ := public[svc.keyFor(r.Attributes.Request.Http)] return ok } func (svc *CheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bool { if !svc.validRequest(ctx, r) { return false } log.WithFields(ctx, svc.fieldsFor(r)) return svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r) } func (svc *CheckService) validRequest(ctx context.Context, r *auth.CheckRequest) bool { return x.IsPresent(r) && x.IsPresent(r.Attributes) && x.IsPresent(r.Attributes.Request) && x.IsPresent(r.Attributes.Request.Http) } // TODO:: Replace this naive implementation func (svc *CheckService) isLoggedIn(ctx context.Context, r *auth.CheckRequest) bool { rawCookie := r.Attributes.Request.Http.Headers["cookie"] if x.IsPresent(rawCookie) { cookies, err := http.ParseCookie(rawCookie) if err != nil { pls.LogError(ctx, err) return false } idTokenCookie := x.Find(cookies, func(cookie *http.Cookie) bool { return cookie.Name == "id_token" }) if x.IsZero(idTokenCookie) { return false } segments := strings.SplitN(idTokenCookie.Value, ".", 3) if len(segments) != 3 { return false } idToken, err := NewIDToken(idTokenCookie.Value) if err != nil { pls.LogError(ctx, err) return false } if x.IsZero(idToken) { return false } return true } return false } func (svc *CheckService) OK(ctx context.Context) *auth.CheckResponse { log.WithFields(ctx, log.Fields{"authorized": true}) return &auth.CheckResponse{ Status: &status.Status{ Code: int32(codes.OK), }, HttpResponse: &auth.CheckResponse_OkResponse{ OkResponse: &auth.OkHttpResponse{ Headers: []*core.HeaderValueOption{}, HeadersToRemove: []string{}, ResponseHeadersToAdd: []*core.HeaderValueOption{}, }, }, } } func (svc *CheckService) Denied(ctx context.Context) *auth.CheckResponse { log.WithFields(ctx, log.Fields{"authorized": false}) return &auth.CheckResponse{ Status: &status.Status{ Code: int32(codes.PermissionDenied), }, HttpResponse: &auth.CheckResponse_DeniedResponse{ DeniedResponse: &auth.DeniedHttpResponse{ Status: &types.HttpStatus{ Code: types.StatusCode_Unauthorized, }, Headers: []*core.HeaderValueOption{}, }, }, } } func (svc *CheckService) fieldsFor(r *auth.CheckRequest) log.Fields { return log.Fields{ "host": r.Attributes.Request.Http.Host, "id": r.Attributes.Request.Http.Id, "method": r.Attributes.Request.Http.Method, "path": r.Attributes.Request.Http.Path, "protocol": r.Attributes.Request.Http.Protocol, "request_id": r.Attributes.Request.Http.Headers["x-request-id"], "scheme": r.Attributes.Request.Http.Scheme, } } func (svc *CheckService) keyFor(r *auth.AttributeContext_HttpRequest) string { return strings.Join([]string{r.Method, r.Path}, ":") }