| -rwxr-xr-x | bin/api | 23 | ||||
| -rwxr-xr-x | bin/idp | 2 | ||||
| -rwxr-xr-x | bin/rpc | 51 | ||||
| -rw-r--r-- | lib/authx.rb | 10 | ||||
| -rw-r--r-- | lib/authx/rpc/ability_handler.rb | 13 | ||||
| -rw-r--r-- | lib/authx/rpc/ability_pb.rb | 18 | ||||
| -rw-r--r-- | lib/authx/rpc/ability_services_pb.rb | 24 | ||||
| -rw-r--r-- | magefile.go | 26 |
8 files changed, 45 insertions, 122 deletions
@@ -5,8 +5,9 @@ require 'bundler/inline' gemfile do source 'https://rubygems.org' + gem "declarative_policy", "~> 1.0" gem "erb", "~> 4.0" - gem "grpc", "~> 1.0" + gem "google-protobuf", "~> 3.0" gem "json", "~> 2.0" gem "logger", "~> 1.0" gem "rack", "~> 3.0" @@ -21,7 +22,6 @@ $LOAD_PATH.unshift(lib_path) unless $LOAD_PATH.include?(lib_path) require 'authx' -GRPC.logger = Logger.new($stderr, level: :debug) $scheme = ENV.fetch("SCHEME", "http") $port = ENV.fetch("PORT", 8284).to_i $host = ENV.fetch("HOST", "localhost:#{$port}") @@ -80,21 +80,10 @@ class API def authorized?(request, permission) # TODO:: Check the JWT for the appropriate claim # Connect to the Authz RPC endpoint Ability.allowed?(subject, permission, resource) - if twirp? - client = ::Authx::Rpc::AbilityClient.new("http://idp.example.com:8080/twirp") - response = client.allowed(subject: "", permission: permission, resource: "") - puts response.inspect - response&.error&.nil? && response&.data&.result - else - client = ::Authx::Rpc::Ability::Stub.new('localhost:50051', :this_channel_is_insecure) # TODO:: memorize client - reply = client.allowed(::Authx::Rpc::AllowRequest.new(subject: "", permission: permission, resource: "")) - puts reply.inspect - reply&.result - end - end - - def twirp? - true + client = ::Authx::Rpc::AbilityClient.new("http://idp.example.com:8080/twirp") + response = client.allowed(subject: "", permission: permission, resource: "") + puts response.inspect + response&.error&.nil? && response&.data&.result end def json_not_found @@ -5,6 +5,8 @@ require "bundler/inline" gemfile do source "https://rubygems.org" + gem "declarative_policy", "~> 1.0" + gem "google-protobuf", "~> 3.0" gem "erb", "~> 4.0" gem "rack", "~> 3.0" gem "rackup", "~> 2.0" diff --git a/bin/rpc b/bin/rpc deleted file mode 100755 index 6d9c0f7..0000000 --- a/bin/rpc +++ /dev/null 
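Review bot: The Twirp call that now remains in `authorized?` still sends `subject: ""` and `resource: ""`, so the policy is evaluated for an anonymous subject against no resource and the permission is the only input that varies per request; the `Ability.allowed?(subject, permission, resource)` context line just above suggests `subject` and `resource` are already available in this scope (presumably as methods, since they are not parameters), so the request should be `response = client.allowed(subject: subject, permission: permission, resource: resource)`. The endpoint is a hard-coded plaintext `http://idp.example.com:8080/twirp`; since this file already reads `SCHEME`, `HOST` and `PORT` through `ENV.fetch`, the authz URL should come from configuration the same way. `puts response.inspect` writes every authorization response to stdout, and a transport or server error is returned to callers as an indistinguishable denial, so `response.error` should go through the logger rather than `puts`.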
@@ -1,51 +0,0 @@ -#!/usr/bin/env ruby - -require "bundler/inline" - -gemfile do - source "https://rubygems.org" - - gem "declarative_policy", "~> 1.0" - gem "grpc", "~> 1.0" - gem "grpc-tools", "~> 1.0" - gem "logger", "~> 1.0" -end - -lib_path = Pathname.new(__FILE__).parent.parent.join('lib/authx/rpc').realpath.to_s -$LOAD_PATH.unshift(lib_path) unless $LOAD_PATH.include?(lib_path) - -require 'ability_services_pb' - -class ProjectPolicy < DeclarativePolicy::Base - condition(:owner) { @subject.owner?(@user) } - - rule { owner }.enable :create_project -end - -class RawAbilityHandler < ::Authx::Rpc::Ability::Service - def allowed(request, _call) - puts [request, _call].inspect - GRPC.logger.info([request, _call].inspect) - - ::Authx::Rpc::AllowReply.new(result: true) - # TODO:: entrypoint to declarative policies - # AllowReply.new(result: policy_for(request).can?(request.permission)) - end - - private - - def policy_for(request) - # TODO:: convert subject in form of GlobalID to Resource Type - DeclarativePolicy.policy_for(request.subject, request.resource) - end -end - -host = ENV.fetch("HOST", "localhost") -port = ENV.fetch("PORT", "50051") -bind_addr = "#{host}:#{port}" -server = GRPC::RpcServer.new -server.add_http2_port(bind_addr, :this_port_is_insecure) -GRPC.logger = Logger.new($stderr, level: :debug) -GRPC.logger.info("... running insecurely on #{bind_addr}") -server.handle(RawAbilityHandler.new) -server.run_till_terminated_or_interrupted([1, 'int', 'SIGQUIT']) diff --git a/lib/authx.rb b/lib/authx.rb index 81bc8ff..3c4a467 100644 --- a/lib/authx.rb +++ b/lib/authx.rb @@ -1,3 +1,13 @@ # frozen_string_literal: true +require "declarative_policy" + require "authx/rpc" + +module Authx + class ProjectPolicy < DeclarativePolicy::Base + condition(:owner) { true } + + rule { owner }.enable :create_project + end +end diff --git a/lib/authx/rpc/ability_handler.rb b/lib/authx/rpc/ability_handler.rb index bc1444c..9f9b8fe 100644 --- a/lib/authx/rpc/ability_handler.rb 
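Review bot: `condition(:owner) { true }` in the new `Authx::ProjectPolicy` makes `rule { owner }.enable :create_project` grant `:create_project` to every subject, so this is a grant-all policy rather than an ownership check; the version deleted from `bin/rpc` in the same commit evaluated `@subject.owner?(@user)`. If the stub is intentional while the GlobalID conversion noted in `ability_handler.rb` is pending, mark it so it is not mistaken for a real rule: `# FIXME: placeholder — always true, so :create_project is granted to everyone until subject/resource resolution lands`. Otherwise restore the check in a form that fails closed while subjects are still plain strings, `condition(:owner) { @subject.respond_to?(:owner?) && @subject.owner?(@user) }`.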
+++ b/lib/authx/rpc/ability_handler.rb @@ -7,9 +7,20 @@ module Authx puts [request, env].inspect { - result: true + result: can?(request) } end + + private + + def can?(request) + policy_for(request).can?(request.permission) + end + + def policy_for(request) + # TODO:: convert subject in form of GlobalID to Resource Type + DeclarativePolicy.policy_for(request.subject, request.resource) + end end end end diff --git a/lib/authx/rpc/ability_pb.rb b/lib/authx/rpc/ability_pb.rb index b360db2..ee71dc5 100644 --- a/lib/authx/rpc/ability_pb.rb +++ b/lib/authx/rpc/ability_pb.rb @@ -1,14 +1,20 @@ -# frozen_string_literal: true # Generated by the protocol buffer compiler. DO NOT EDIT! # source: ability.proto require 'google/protobuf' - -descriptor_data = "\n\rability.proto\x12\tauthx.rpc\"E\n\x0c\x41llowRequest\x12\x0f\n\x07subject\x18\x01 \x01(\t\x12\x12\n\npermission\x18\x02 \x01(\t\x12\x10\n\x08resource\x18\x03 \x01(\t\"\x1c\n\nAllowReply\x12\x0e\n\x06result\x18\x01 \x01(\x08\x32\x46\n\x07\x41\x62ility\x12;\n\x07\x41llowed\x12\x17.authx.rpc.AllowRequest\x1a\x15.authx.rpc.AllowReply\"\x00\x62\x06proto3" - -pool = Google::Protobuf::DescriptorPool.generated_pool -pool.add_serialized_file(descriptor_data) +Google::Protobuf::DescriptorPool.generated_pool.build do + add_file("ability.proto", :syntax => :proto3) do + add_message "authx.rpc.AllowRequest" do + optional :subject, :string, 1 + optional :permission, :string, 2 + optional :resource, :string, 3 + end + add_message "authx.rpc.AllowReply" do + optional :result, :bool, 1 + end + end +end module Authx module Rpc diff --git a/lib/authx/rpc/ability_services_pb.rb b/lib/authx/rpc/ability_services_pb.rb deleted file mode 100644 index a6c3b17..0000000 --- a/lib/authx/rpc/ability_services_pb.rb +++ /dev/null 
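Review bot: The new `can?` passes `request.permission`, a String straight off the wire, to DeclarativePolicy's `can?`, while the abilities are declared as symbols (`enable :create_project`), so the lookup probably never matches and every decision resolves to false; `policy_for` likewise hands two raw request strings to `DeclarativePolicy.policy_for`, whose second argument selects the policy class from the object's class, which a String will not do (the TODO already flags the subject conversion). Resolve the permission against a fixed allow-list of known abilities and return false when it is not one of them, rather than converting arbitrary input to a Symbol. The enclosing handler class begins outside the hunk, and the `puts [request, env].inspect` context line above the result hash dumps the full request and env to stdout on every call.
```ruby
      PERMISSIONS = %i[create_project].freeze

      def can?(request)
        # Only abilities the service knows about are ever evaluated; unknown
        # or malformed permission strings are denied without reaching the policy.
        ability = PERMISSIONS.find { |p| p.to_s == request.permission }
        return false unless ability

        policy_for(request).can?(ability)
      end
      # … unchanged: policy_for …
```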
@@ -1,24 +0,0 @@ -# Generated by the protocol buffer compiler. DO NOT EDIT! -# Source: ability.proto for package 'authx.rpc' - -require 'grpc' -require 'ability_pb' - -module Authx - module Rpc - module Ability - class Service - - include ::GRPC::GenericService - - self.marshal_class_method = :encode - self.unmarshal_class_method = :decode - self.service_name = 'authx.rpc.Ability' - - rpc :Allowed, ::Authx::Rpc::AllowRequest, ::Authx::Rpc::AllowReply - end - - Stub = Service.rpc_stub_class - end - end -end diff --git a/magefile.go b/magefile.go index 0e309bd..334f658 100644 --- a/magefile.go +++ b/magefile.go @@ -56,15 +56,6 @@ func Api() error { return sh.RunWithV(env, "ruby", "./bin/api") } -// Run the gRPC Server -func Rpc() error { - env := map[string]string{ - "PORT": "50051", - "HOST": "localhost", - } - return sh.RunWithV(env, "ruby", "./bin/rpc") -} - // Open a web browser to the login page func Browser() error { url := "http://localhost:8080/ui/sessions/new" @@ -77,11 +68,9 @@ func Browser() error { // Generate gRPC from protocal buffers func Protos() error { - files := x.Must(filepath.Glob("./protos/*.proto")) outDir := "lib/authx/rpc" - for _, file := range files { - var err error - if err = sh.RunV( + for _, file := range x.Must(filepath.Glob("./protos/*.proto")) { + if err := sh.RunV( "protoc", "--proto_path=./protos", "--ruby_out="+outDir, @@ -90,15 +79,6 @@ func Protos() error { ); err != nil { return err } - if err = sh.RunV( - "grpc_tools_ruby_protoc", - "--proto_path=./protos", - "--ruby_out="+outDir, - "--grpc_out="+outDir, - file, - ); err != nil { - return err - } } return nil @@ -106,5 +86,5 @@ func Protos() error { // Run All the servers func Run(ctx context.Context) { - mg.CtxDeps(ctx, Idp, UI, Api, Rpc, Gateway) + mg.CtxDeps(ctx, Idp, UI, Api, Gateway) } |
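Review bot: With the `grpc_tools_ruby_protoc` invocation removed from `Protos`, the context comment `// Generate gRPC from protocal buffers` no longer describes the function, which now only runs `protoc --ruby_out`; change it to `// Generate Ruby protobuf message classes from ./protos/*.proto` (also fixing "protocal"). The loop refactor itself reads fine: `if err := sh.RunV(` scopes the error to the branch, and moving `x.Must(filepath.Glob(...))` into the range header presumably keeps the same fail-fast behaviour as the removed `files` variable. The function's tail (`return nil`) sits in the following hunk.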
