| author | mo khan <mo@mokhan.ca> | 2025-03-28 17:49:09 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-03-28 17:49:09 -0600 |
| commit | 30bbdad4ef99449f29f412d0b770e4b9f76ede42 (patch) | |
| tree | c295bb8b9020ba8a609d7a0a527a2a06fc5db342 /pkg/app | |
| parent | e47813ecaa942631945215a8c0c938a240c3894a (diff) | |
refactor: move authorizers into authz package
Diffstat (limited to 'pkg/app')
| -rw-r--r-- | pkg/app/app.go | 84 | ||||
| -rw-r--r-- | pkg/app/routes.go | 7 |
2 files changed, 5 insertions, 86 deletions
diff --git a/pkg/app/app.go b/pkg/app/app.go
index c55ecce..a8dedc1 100644
--- a/pkg/app/app.go
+++ b/pkg/app/app.go
@@ -1,95 +1,13 @@
 package app
 import (
- "encoding/json"
- "fmt"
- "net"
- "net/http"
- "os"
-
- "github.com/casbin/casbin/v3"
- cedar "github.com/cedar-policy/cedar-go"
- "github.com/cedar-policy/cedar-go/types"
- "github.com/xlgmokha/x/pkg/x"
 "gitlab.com/mokhax/spike/pkg/authz"
 "gitlab.com/mokhax/spike/pkg/cfg"
- xlog "gitlab.com/mokhax/spike/pkg/log"
 "gitlab.com/mokhax/spike/pkg/srv"
 )
-func WithCasbin() authz.Authorizer {
- enforcer := x.Must(casbin.NewEnforcer("casbin.conf", "casbin.csv"))
-
- return authz.AuthorizerFunc(func(r *http.Request) bool {
- host, _, err := net.SplitHostPort(r.Host)
- if err != nil {
- xlog.WithFields(r, xlog.Fields{"error": err})
- return false
- }
-
- subject, found := authz.TokenFrom(r).Subject()
- if !found {
- subject = "*"
- }
- ok, err := enforcer.Enforce(subject, host, r.Method, r.URL.Path)
- if err != nil {
- xlog.WithFields(r, xlog.Fields{"error": err})
- return false
- }
-
- fmt.Printf("%v: %v -> %v %v%v\n", ok, subject, r.Method, host, r.URL.Path)
- xlog.WithFields(r, xlog.Fields{
- "ok": ok,
- "subject": subject,
- "action": r.Method,
- "domain": host,
- "object": r.URL.Path,
- })
- return ok
- })
-}
-
-func WithCedar() authz.Authorizer {
- var policy cedar.Policy
- x.Check(policy.UnmarshalCedar(x.Must(os.ReadFile("cedar.conf"))))
-
- policies := cedar.NewPolicySet()
- policies.Add("cedar.conf", &policy)
-
- var entities cedar.EntityMap
- if err := json.Unmarshal(x.Must(os.ReadFile("cedar.json")), &entities); err != nil {
- xlog.Logger.Error("Error", "error", err)
- return nil
- }
-
- return authz.AuthorizerFunc(func(r *http.Request) bool {
- host, _, err := net.SplitHostPort(r.Host)
- if err != nil {
- return false
- }
-
- subject, found := authz.TokenFrom(r).Subject()
- if !found {
- subject = "*"
- }
-
- req := cedar.Request{
- Principal: cedar.NewEntityUID("Subject", cedar.String(subject)),
- Action: cedar.NewEntityUID("Action", cedar.String(r.Method)),
- Resource: cedar.NewEntityUID("Path",
cedar.String(r.URL.Path)),
- Context: cedar.NewRecord(cedar.RecordMap{
- "Host": cedar.String(host),
- }),
- }
-
- ok, diagnostic := policies.IsAuthorized(entities, req)
- fmt.Printf("%v: %v -> %v %v%v %v\n", ok, subject, r.Method, host, r.URL.Path, diagnostic.Reasons)
- return ok == types.Allow
- })
-}
-
 func Start(bindAddr string) error {
- mux := authz.HTTP(WithCasbin(), Routes())
+ mux := authz.HTTP(authz.WithCasbin(), Routes())
 return srv.Run(cfg.New(
 bindAddr,
 cfg.WithMux(mux),
diff --git a/pkg/app/routes.go b/pkg/app/routes.go
index 9cfa979..ff1291c 100644
--- a/pkg/app/routes.go
+++ b/pkg/app/routes.go
@@ -9,9 +9,10 @@ import (
 func Routes() http.Handler {
 mux := http.NewServeMux()
 mux.Handle("/", prxy.New(map[string]string{
- "idp.example.com": "http://localhost:8282",
- "ui.example.com": "http://localhost:8283",
- "api.example.com": "http://localhost:8284",
+ "api.example.com": "http://localhost:8284",
+ "authzd.example.com": "http://localhost:50051",
+ "idp.example.com": "http://localhost:8282",
+ "ui.example.com": "http://localhost:8283",
 }))
 return mux
 } |
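Review bot: `Start` now wires `authz.WithCasbin()` without any visible contract for how that constructor fails: the in-package version removed here aborted startup through `x.Must` when `casbin.conf`/`casbin.csv` could not be loaded, while the Cedar variant could return a nil `authz.Authorizer`, so whether the server still fails closed at boot now depends on code in `pkg/authz` that is not part of this diff. A one-line doc comment on `Start` would pin the expectation, e.g. `// Start serves Routes behind the Casbin authorizer; authz.WithCasbin must abort startup rather than return a nil Authorizer when its policy files are missing (confirm against pkg/authz).` The commit title says authorizers (plural) moved, but only `WithCasbin` is referenced from `Start`, so it is worth confirming that `WithCedar` made the same move or was dropped on purpose. `Start`'s body continues past the end of the hunk.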
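Review bot: The new `authzd.example.com` entry puts the authorization daemon behind the same host-keyed reverse proxy as the IdP, UI and API, so external requests for that host are now admitted by whatever `authz.HTTP` and the Casbin policy decide for it; the Casbin authorizer removed from `app.go` in this same commit passed the request host to `enforcer.Enforce` as the policy domain, so if the moved version kept that, the outcome for this backend depends on how `casbin.csv` treats a domain it has no row for. It is worth confirming that exposing `authzd` at the edge is intended, that the policy file gained a matching domain entry, and that the proxy can actually speak to this backend, since 50051 is conventionally a gRPC port while the other three targets are plain HTTP services. A short comment on the entry would record the decision, e.g. `// authzd is deliberately reachable through the edge proxy; its domain must be covered by the Casbin policy`.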
