* fix authorization
JGottschick committed Oct 6, 2024
1 parent 7578467 commit b56ddcc
Showing 8 changed files with 65 additions and 11 deletions.
2 changes: 1 addition & 1 deletion Features.md
Expand Up @@ -48,7 +48,7 @@ To restrict the web crawlers a handler for _robots.txt_ is generated and adaptab

### Doc

The comprehensive documentation of a service should be contained in the OpenAPI specification. Therefor, the OpenAPI documentation will also be embedded with the service and online available at runtime (_/doc_).
The comprehensive documentation of a service should be contained in the OpenAPI specification. Therefor, the OpenAPI documentation will also be embedded with the service and online available at runtime (_/doc_). Two viewers (_rapidoc_ and _Stoplight elements_) are available and configurable.

### Testing

2 changes: 1 addition & 1 deletion core/version
@@ -1 +1 @@
0.3.6
0.3.7
2 changes: 2 additions & 0 deletions generator/generator.go
Expand Up @@ -94,6 +94,8 @@ func GenerateServer(conf GeneratorConfig) error {

generateJustfile(conf, serverConf)

generateReadme(conf, serverConf)

generateDockerfile(conf, serverConf)

log.Info().Msg("Created all files successfully.")
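--- a/generator/readme.go
+++ b/generator/readme.go
@@ -0,0 +1,31 @@
+package generator
+
+import (
+fs "dredger/fileUtils"
+"errors"
+"os"
+"path/filepath"
+
+"github.com/rs/zerolog/log"
+)
+
+func generateReadme(conf GeneratorConfig, serverConf ServerConfig) {
+type readmeConfig struct {
+ModuleName string
+Port int16
+}
+
+var readmeConf readmeConfig
+readmeConf.ModuleName = conf.ModuleName
+readmeConf.Port = serverConf.Port
+
+fileName := "ENVIRONMENT.md"
+filePath := filepath.Join(config.Path, fileName)
+templateFile := "templates/ENVIRONMENT.md.tmpl"
+
+if _, err := os.Stat(filePath); errors.Is(err, os.ErrNotExist) {
+log.Info().Msg("CREATE ENVIRONMENT.md")
+fs.GenerateFile(filePath)
+createFileFromTemplate(filePath, templateFile, readmeConf)
+}
+}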
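Review bot: `generateReadme` builds its output path from `config.Path` although the function receives the generator settings as `conf`; if `config` is a package-level variable declared elsewhere (not visible on this page), a one-line comment such as `// config is the package-level generator config set by GenerateServer` would make that dependency explicit, and otherwise the parameter should be used. The `os.Stat` guard only reacts to `os.ErrNotExist`, so any other error (for example a permission problem on the target directory) skips generation without a log line; a branch like `else if err != nil { log.Warn().Err(err).Msg("cannot stat ENVIRONMENT.md") }` would surface it. `readmeConf.Port` is filled in, but the template added in the same commit prints a fixed `default=8080`, so the generated document can disagree with the configured port; `(default={{ .Port }})` would keep them in step. The generated ENVIRONMENT.md also lists only the port variable, while the `Config` struct shown in `templates/core/config.go.tmpl` carries credential settings such as `StaffPassword`, which operators would want documented as well.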
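--- a/templates/ENVIRONMENT.md.tmpl
+++ b/templates/ENVIRONMENT.md.tmpl
@@ -0,0 +1 @@
+{{ upper ( snakecase .ModuleName ) }}_PORT_NB the local port of the web service (default=8080)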
2 changes: 1 addition & 1 deletion templates/core/config.go.tmpl
Expand Up @@ -26,7 +26,7 @@ type Config struct {
User string
Policy string `default:""`
OpaSvc string `default:""`
Realm string `default:""`
Realm string `default:""`
StaffUser string `default:"" split_words:"true"`
StaffPassword string `default:"" split_words:"true"`
ParticipantUser string `default:"" split_words:"true"`
28 changes: 24 additions & 4 deletions templates/middleware/authz.rego.tmpl
Expand Up @@ -82,26 +82,46 @@ default allowAccess = false
# examples how you could set permission for each path in the API endpoint
#

allowEntrypoint {
getMethod
input.path == "/livez"
}

allowAccess {
getMethod
input.path == "/livez"
}

allowEntrypoint {
getMethod
input.path == "/readyz"
}

allowAccess {
getMethod
input.path == "/readyz"
}

allowEntrypoint {
user
# getMethod
# input.path == "/livez"
# input.path == "/func"
}

allowAccess {
user
# getMethod
# input.path == "/livez"
# input.path == "/func"
}

#allowEntrypoint {
# staffuser
# staff
# postMethod
# input.path == "/admin"
#}

#allowAccess {
# staffuser
# staff
# postMethod
# input.path == "/admin"
#}
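Review bot: The catch-all rules `allowEntrypoint { user }` and `allowAccess { user }` keep every method and path condition commented out, so a service generated from this template unchanged allows any request for which `user` holds on every path and method. Since this file is copied into generated services, the rule bodies should carry an explicit marker, for example `# TEMPLATE DEFAULT: any authenticated user may call any endpoint; restrict by method and path before deployment`. The new `/livez` and `/readyz` rules are correctly narrowed by `getMethod` and an exact `input.path` match, and the same shape would be the safer starting point for the `user` rules. The definition of `user` lies outside the displayed hunk, so how it is derived from the request cannot be checked here.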
8 changes: 4 additions & 4 deletions templates/middleware/policy.go.tmpl
Expand Up @@ -190,15 +190,15 @@ func checkPolicy(c echo.Context) Action {
// extract input from request
authorization := req.Header.Get("Authorization")
role, authorized := checkAuthorization(authorization)
if !authorized && (core.AppConfig.OpaSvc != "" || core.AppConfig.Policy != "") && (core.AppConfig.ParticipantUser != "" || core.AppConfig.StaffUser != "") {
if !authorized && core.AppConfig.OpaSvc == "" && core.AppConfig.Policy == "" && (core.AppConfig.ParticipantUser != "" || core.AppConfig.StaffUser != "") {
log.Debug().Str("authorization", authorization).Msg("Authorization failed")
return Authorize
}

return checkAccess(req, role)
return checkAccess(req, role, authorized)
}

func checkAccess(req *http.Request, role string) Action {
func checkAccess(req *http.Request, role string, authorized bool) Action {
input := Input{
"url": req.URL.String(),
"method": req.Method,
Expand All @@ -220,7 +220,7 @@ func checkAccess(req *http.Request, role string) Action {
}
if !ok {
log.Warn().Str("role", role).Any("url", input["url"]).Any("method", input["method"]).Any("path", input["path"]).Any("trace", input["trace"]).Any("session", input["session"]).Any("host", input["host"]).Any("who", input["who"]).Msg("Access denied")
if checkEntryPoint(req) == Deny {
if checkEntryPoint(req) == Deny && authorized {
return NotFound
}
return Authorize
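Review bot: With the reworked condition in `checkPolicy`, a request that failed `checkAuthorization` is now passed on to `checkAccess` whenever `OpaSvc` or `Policy` is configured, so the policy decision depends on whatever `role` was returned together with `authorized == false`. If that value can be non-empty on failure (the body of `checkAuthorization` is not on this page), it should be cleared before the call, e.g. `if !authorized { role = "" }`, or `authorized` should be added to the `Input` map so the policy can test it. In the visible lines the new parameter is only used in the deny branch. The unchanged `log.Debug().Str("authorization", authorization)` line writes the raw Authorization header, and with it the credential, to the log; logging only the scheme or a fixed marker avoids that. Both function bodies continue outside the displayed hunks.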
