Skip to content

Commit

Permalink
chore(service): address PR findings
Browse files Browse the repository at this point in the history
Signed-off-by: Sebastian Becker <[email protected]>
  • Loading branch information
sbckr committed Dec 17, 2024
1 parent d7b55c2 commit f113daa
Show file tree
Hide file tree
Showing 34 changed files with 1,287 additions and 1,127 deletions.
2 changes: 1 addition & 1 deletion amphora-service/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -104,5 +104,5 @@ DB_USER=user
DB_PASSWORD=secret
MINIO_ENDPOINT=http://localhost:9000
EOF
docker run --env-file amphora.conf iotspecs/amphora-service
docker run --env-file amphora.conf iotspecs/amphora-service
```
2 changes: 1 addition & 1 deletion amphora-service/charts/amphora/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -79,4 +79,4 @@ auth:

opa:
defaultPolicyPackage: "carbynestack.def"
endpoint: "http://opa.default.svc.cluster.local:8081/"
endpoint: "http://opa.default.svc.cluster.local:8081/"
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2021-2024 - for information on the respective copyright owner
* Copyright (c) 2021 - for information on the respective copyright owner
* see the NOTICE file and/or the repository https://github.com/carbynestack/amphora.
*
* SPDX-License-Identifier: Apache-2.0
Expand All @@ -13,7 +13,6 @@
import io.carbynestack.amphora.common.MaskedInput;
import io.carbynestack.amphora.common.MaskedInputData;
import io.carbynestack.amphora.common.SecretShare;
import io.carbynestack.amphora.common.Tag;
import io.carbynestack.castor.common.entities.Field;
import io.carbynestack.castor.common.entities.InputMask;
import io.carbynestack.castor.common.entities.Share;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@

package io.carbynestack.amphora.service.config;


import lombok.Data;
import lombok.experimental.Accessors;
import org.springframework.boot.context.properties.ConfigurationProperties;
Expand All @@ -18,5 +17,5 @@
@Data
@Accessors(chain = true)
public class AuthProperties {
private String userIdFieldName;
private String userIdFieldName;
}
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,10 @@

import io.carbynestack.amphora.service.opa.JwtReader;
import io.carbynestack.amphora.service.opa.OpaClient;
import java.net.URI;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.net.URI;

@Configuration
public class OpaConfig {

Expand All @@ -25,8 +24,8 @@ JwtReader jwtReader(AuthProperties authProperties) {
@Bean
OpaClient opaClient(OpaProperties opaProperties) {
return OpaClient.builder()
.opaServiceUri(URI.create(opaProperties.getEndpoint()))
.defaultPolicyPackage(opaProperties.getDefaultPolicyPackage())
.build();
.opaServiceUri(URI.create(opaProperties.getEndpoint()))
.defaultPolicyPackage(opaProperties.getDefaultPolicyPackage())
.build();
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
package io.carbynestack.amphora.service.exceptions;

public class CsOpaException extends Exception {
public CsOpaException(String message) {
super(message);
}
public CsOpaException(String message) {
super(message);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
package io.carbynestack.amphora.service.exceptions;

public class UnauthorizedException extends Exception {
public UnauthorizedException(String message) {
super(message);
}
public UnauthorizedException(String message) {
super(message);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,58 +12,57 @@
import com.fasterxml.jackson.databind.ObjectMapper;
import io.carbynestack.amphora.service.exceptions.UnauthorizedException;
import io.vavr.control.Option;

import java.util.Base64;

public class JwtReader {
static ObjectMapper mapper = new ObjectMapper();
private final String userIdField;
static ObjectMapper mapper = new ObjectMapper();
private final String userIdField;

public JwtReader(String userIdField) {
this.userIdField = userIdField;
}
public JwtReader(String userIdField) {
this.userIdField = userIdField;
}

public String extractUserIdFromAuthHeader(String header) throws UnauthorizedException {
return extractFieldFromAuthHeader(header, userIdField);
}
public String extractUserIdFromAuthHeader(String header) throws UnauthorizedException {
return extractFieldFromAuthHeader(header, userIdField);
}

private static String extractFieldFromAuthHeader(String header, String field) throws UnauthorizedException {
return tokenFromHeader(header)
.flatMap(JwtReader::dataNodeFromToken)
.flatMap(node -> fieldFromNode(node, field))
.getOrElseThrow(() -> new UnauthorizedException("No token provided"));
}
private static String extractFieldFromAuthHeader(String header, String field)
throws UnauthorizedException {
return tokenFromHeader(header)
.flatMap(JwtReader::dataNodeFromToken)
.flatMap(node -> fieldFromNode(node, field))
.getOrElseThrow(() -> new UnauthorizedException("No token provided"));
}

private static Option<JsonNode> dataNodeFromToken(String token) {
String[] parts = token.split("\\.");
if (parts.length != 3) {
return Option.none();
}
try {
String jwt = new String(Base64.getDecoder().decode(parts[1]));
return Option.of(mapper.reader().readTree(jwt));
} catch (JsonProcessingException e) {
return Option.none();
}
private static Option<JsonNode> dataNodeFromToken(String token) {
String[] parts = token.split("\\.");
if (parts.length != 3) {
return Option.none();
}
try {
String jwt = new String(Base64.getDecoder().decode(parts[1]));
return Option.of(mapper.reader().readTree(jwt));
} catch (JsonProcessingException e) {
return Option.none();

Check warning on line 46 in amphora-service/src/main/java/io/carbynestack/amphora/service/opa/JwtReader.java

View check run for this annotation

Codecov / codecov/patch

amphora-service/src/main/java/io/carbynestack/amphora/service/opa/JwtReader.java#L45-L46

Added lines #L45 - L46 were not covered by tests
}
}

private static Option<String> tokenFromHeader(String header) {
if (header != null && header.startsWith("Bearer ")) {
return Option.of(header.substring(7));
}
return Option.none();
private static Option<String> tokenFromHeader(String header) {
if (header != null && header.startsWith("Bearer ")) {
return Option.of(header.substring(7));
}
return Option.none();
}

private static Option<String> fieldFromNode(JsonNode node, String fieldName) {
JsonNode field = node;
try {
for(String f : fieldName.split("\\.")) {
field = field.get(f);
}
return Option.of(field.asText());
} catch (NullPointerException e) {
return Option.none();
}
private static Option<String> fieldFromNode(JsonNode node, String fieldName) {
JsonNode field = node;
try {
for (String f : fieldName.split("\\.")) {
field = field.get(f);
}
return Option.of(field.asText());
} catch (NullPointerException e) {
return Option.none();
}
}
}

Original file line number Diff line number Diff line change
Expand Up @@ -10,58 +10,54 @@
import io.carbynestack.amphora.common.Tag;
import io.carbynestack.httpclient.CsHttpClient;
import io.carbynestack.httpclient.CsHttpClientException;
import lombok.Builder;
import lombok.extern.slf4j.Slf4j;

import java.net.URI;
import java.util.List;
import lombok.Builder;
import lombok.extern.slf4j.Slf4j;

@Slf4j
public class OpaClient {
private final CsHttpClient<String> csHttpClient;
private final URI opaServiceUri;
private final String defaultPolicyPackage;

@Builder
public OpaClient(URI opaServiceUri, String defaultPolicyPackage) {
this(CsHttpClient.createDefault(), opaServiceUri, defaultPolicyPackage);
private final CsHttpClient<String> csHttpClient;
private final URI opaServiceUri;
private final String defaultPolicyPackage;

@Builder
public OpaClient(URI opaServiceUri, String defaultPolicyPackage) {
this(CsHttpClient.createDefault(), opaServiceUri, defaultPolicyPackage);
}

OpaClient(CsHttpClient<String> httpClient, URI opaServiceUri, String defaultPolicyPackage) {
this.csHttpClient = httpClient;
this.opaServiceUri = opaServiceUri;
this.defaultPolicyPackage = defaultPolicyPackage;
}

/**
* Evaluate the OPA policy package with the given action, subject and tags.
*
* @param policyPackage The OPA policy package to evaluate.
* @param action The action to evaluate.
* @param subject The subject attempting to perform the action.
* @param tags The tags describing the accessed object.
* @return True if the subject can perform the action, false otherwise (or if an error occurred).
*/
public boolean isAllowed(String policyPackage, String action, String subject, List<Tag> tags) {
OpaRequestBody body = OpaRequestBody.builder().subject(subject).tags(tags).build();
try {
return csHttpClient
.postForObject(
opaServiceUri.resolve(
String.format("/v1/data/%s/%s", policyPackage.replace(".", "/"), action)),
new OpaRequest(body),
OpaResult.class)
.isAllowed();
} catch (CsHttpClientException e) {
log.error("Error occurred while evaluating OPA policy package", e);
}
return false;
}

OpaClient(CsHttpClient<String> httpClient, URI opaServiceUri, String defaultPolicyPackage) {
this.csHttpClient = httpClient;
this.opaServiceUri = opaServiceUri;
this.defaultPolicyPackage = defaultPolicyPackage;
}

/**
* Evaluate the OPA policy package with the given action, subject and tags.
*
* @param policyPackage The OPA policy package to evaluate.
* @param action The action to evaluate.
* @param subject The subject attempting to perform the action.
* @param tags The tags describing the accessed object.
* @return True if the subject can perform the action, false otherwise (or if an error occurred).
*/
public boolean isAllowed(String policyPackage, String action, String subject, List<Tag> tags) {
OpaRequestBody body = OpaRequestBody.builder()
.subject(subject)
.tags(tags)
.build();
try {
return csHttpClient.postForObject(opaServiceUri.resolve(
String.format("/v1/data/%s/%s",
policyPackage.replace(".", "/"),
action)),
new OpaRequest(body),
OpaResult.class)
.isAllowed();
} catch (CsHttpClientException e) {
log.error("Error occurred while evaluating OPA policy package: {}", e.getMessage());
}
return false;
}

public OpaClientRequest newRequest() {
return new OpaClientRequest(this, defaultPolicyPackage);
}
}
public OpaClientRequest newRequest() {
return new OpaClientRequest(this, defaultPolicyPackage);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -9,37 +9,35 @@

import io.carbynestack.amphora.common.Tag;
import io.carbynestack.amphora.service.exceptions.CsOpaException;
import java.util.List;
import java.util.Objects;
import lombok.Setter;
import lombok.experimental.Accessors;
import org.apache.logging.log4j.util.Strings;

import java.util.List;
import java.util.Objects;

@Setter()
@Accessors(chain = true, fluent = true)
public class OpaClientRequest {
private String withPolicyPackage;
private String withSubject;
private List<Tag> withTags;
private String withAction;
private String withPolicyPackage;
private String withSubject;
private List<Tag> withTags;
private String withAction;

private final OpaClient opaClient;
private final OpaClient opaClient;

public OpaClientRequest(OpaClient opaClient, String defaultPolicyPackage) {
this.withPolicyPackage = defaultPolicyPackage;
this.opaClient = opaClient;
}
public OpaClientRequest(OpaClient opaClient, String defaultPolicyPackage) {
this.withPolicyPackage = defaultPolicyPackage;
this.opaClient = opaClient;
}

public boolean evaluate() throws CsOpaException {
if(Strings.isEmpty(withSubject)) {
throw new CsOpaException("Subject is required to evaluate the policy");
}
if(Strings.isEmpty(withAction)) {
throw new CsOpaException("Action is required to evaluate the policy");
}
withTags.removeIf(Objects::isNull);
return opaClient.isAllowed(withPolicyPackage, withAction, withSubject, withTags);
public boolean evaluate() throws CsOpaException {
if (Strings.isEmpty(withSubject)) {
throw new CsOpaException("Subject is required to evaluate the policy");
}
if (Strings.isEmpty(withAction)) {
throw new CsOpaException("Action is required to evaluate the policy");
}
withTags.removeIf(Objects::isNull);
return opaClient.isAllowed(withPolicyPackage, withAction, withSubject, withTags);
}
}

Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,9 @@

@Getter
class OpaRequest {
OpaRequestBody input;

public OpaRequest(OpaRequestBody input) {
this.input = input;
}
OpaRequestBody input;

public OpaRequest(OpaRequestBody input) {
this.input = input;
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,19 +8,18 @@
package io.carbynestack.amphora.service.opa;

import io.carbynestack.amphora.common.Tag;
import java.util.List;
import lombok.Builder;
import lombok.Value;

import java.util.List;

@Value
public class OpaRequestBody {
String subject;
List<Tag> tags;
String subject;
List<Tag> tags;

@Builder
public OpaRequestBody(String subject, List<Tag> tags) {
this.subject = subject;
this.tags = tags;
}
@Builder
public OpaRequestBody(String subject, List<Tag> tags) {
this.subject = subject;
this.tags = tags;
}
}
Loading

0 comments on commit f113daa

Please sign in to comment.