From b56ddcc57e4065125c6fb80c3fab665451d7b10c Mon Sep 17 00:00:00 2001
From: Jan Gottschick
Date: Sun, 6 Oct 2024 12:16:58 +0200
Subject: [PATCH] * fix authorization

---
 Features.md | 2 +-
 core/version | 2 +-
 generator/generator.go | 2 ++
 generator/readme.go | 31 ++++++++++++++++++++++++++++
 templates/ENVIRONMENT.md.tmpl | 1 +
 templates/core/config.go.tmpl | 2 +-
 templates/middleware/authz.rego.tmpl | 28 +++++++++++++++++++++----
 templates/middleware/policy.go.tmpl | 8 +++----
 8 files changed, 65 insertions(+), 11 deletions(-)
 create mode 100644 generator/readme.go
 create mode 100644 templates/ENVIRONMENT.md.tmpl

diff --git a/Features.md b/Features.md
index 5478fd5..ec70091 100644
--- a/Features.md
+++ b/Features.md
@@ -48,7 +48,7 @@ To restrict the web crawlers a handler for _robots.txt_ is generated and adaptab
 
 ### Doc
 
-The comprehensive documentation of a service should be contained in the OpenAPI specification. Therefor, the OpenAPI documentation will also be embedded with the service and online available at runtime (_/doc_).
+The comprehensive documentation of a service should be contained in the OpenAPI specification. Therefor, the OpenAPI documentation will also be embedded with the service and online available at runtime (_/doc_). Two viewers (_rapidoc_ and _Stoplight elements_) are available and configurable.
 
 ### Testing
 
diff --git a/core/version b/core/version
index 449d7e7..0f82685 100644
--- a/core/version
+++ b/core/version
@@ -1 +1 @@
-0.3.6
+0.3.7
diff --git a/generator/generator.go b/generator/generator.go
index f7d8af4..5bbef64 100644
--- a/generator/generator.go
+++ b/generator/generator.go
@@ -94,6 +94,8 @@ func GenerateServer(conf GeneratorConfig) error {
 generateJustfile(conf, serverConf)
 
+ generateReadme(conf, serverConf)
+
 generateDockerfile(conf, serverConf)
 
 log.Info().Msg("Created all files successfully.")
diff --git a/generator/readme.go b/generator/readme.go
new file mode 100644
index 0000000..9b8622e
--- /dev/null
+++ b/generator/readme.go
@@ -0,0 +1,31 @@
+package generator
+
+import (
+ fs "dredger/fileUtils"
+ "errors"
+ "os"
+ "path/filepath"
+
+ "github.com/rs/zerolog/log"
+)
+
+func generateReadme(conf GeneratorConfig, serverConf ServerConfig) {
+ type readmeConfig struct {
+ ModuleName string
+ Port int16
+ }
+
+ var readmeConf readmeConfig
+ readmeConf.ModuleName = conf.ModuleName
+ readmeConf.Port = serverConf.Port
+
+ fileName := "ENVIRONMENT.md"
+ filePath := filepath.Join(config.Path, fileName)
+ templateFile := "templates/ENVIRONMENT.md.tmpl"
+
+ if _, err := os.Stat(filePath); errors.Is(err, os.ErrNotExist) {
+ log.Info().Msg("CREATE ENVIRONMENT.md")
+ fs.GenerateFile(filePath)
+ createFileFromTemplate(filePath, templateFile, readmeConf)
+ }
+}
diff --git a/templates/ENVIRONMENT.md.tmpl b/templates/ENVIRONMENT.md.tmpl
new file mode 100644
index 0000000..601d3c7
--- /dev/null
+++ b/templates/ENVIRONMENT.md.tmpl
@@ -0,0 +1 @@
+{{ upper ( snakecase .ModuleName ) }}_PORT_NB the local port of the web service (default=8080)
diff --git a/templates/core/config.go.tmpl b/templates/core/config.go.tmpl
index bc164f1..4407c78 100644
--- a/templates/core/config.go.tmpl
+++ b/templates/core/config.go.tmpl
@@ -26,7 +26,7 @@ type Config struct {
 User string
 Policy string `default:""`
 OpaSvc string `default:""`
- Realm string `default:""`
+ Realm string `default:""`
 StaffUser string `default:"" split_words:"true"`
 StaffPassword string `default:"" split_words:"true"`
 ParticipantUser string `default:"" split_words:"true"`
diff --git a/templates/middleware/authz.rego.tmpl b/templates/middleware/authz.rego.tmpl
index e83a6bd..8202498 100644
--- a/templates/middleware/authz.rego.tmpl
+++ b/templates/middleware/authz.rego.tmpl
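Review bot: `filePath := filepath.Join(config.Path, fileName)` reads a `config` that is not a parameter of generateReadme while every other value in the function comes from the `conf` argument; if `config` is a package-level variable this compiles, but the function should take its path from `conf` (or a comment should name the global it depends on) so it has one source of configuration. The return values of `fs.GenerateFile(filePath)` and `createFileFromTemplate(filePath, templateFile, readmeConf)` are discarded; if either reports an error, GenerateServer still logs "Created all files successfully." with ENVIRONMENT.md missing or empty, so they should be checked and at least logged. `readmeConf.Port` is populated from `serverConf.Port` but the ENVIRONMENT.md.tmpl hunk hard-codes `(default=8080)`, so either the template should render `{{ .Port }}` or the field should be dropped. Since the file written is ENVIRONMENT.md, a doc comment such as `// generateReadme writes ENVIRONMENT.md once (an existing file is never overwritten) describing the service's environment variables.` would also resolve the README/ENVIRONMENT naming mismatch.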
@@ -82,26 +82,46 @@ default allowAccess = false
 
 # examples how you could set permission for each path in the API endpoint
 #
+allowEntrypoint {
+ getMethod
+ input.path == "/livez"
+}
+
+allowAccess {
+ getMethod
+ input.path == "/livez"
+}
+
+allowEntrypoint {
+ getMethod
+ input.path == "/readyz"
+}
+
+allowAccess {
+ getMethod
+ input.path == "/readyz"
+}
+
 allowEntrypoint {
 user
 # getMethod
-# input.path == "/livez"
+# input.path == "/func"
 }
 
 allowAccess {
 user
 # getMethod
-# input.path == "/livez"
+# input.path == "/func"
 }
 
 #allowEntrypoint {
-# staffuser
+# staff
 # postMethod
 # input.path == "/admin"
 #}
 
 #allowAccess {
-# staffuser
+# staff
 # postMethod
 # input.path == "/admin"
 #}
diff --git a/templates/middleware/policy.go.tmpl b/templates/middleware/policy.go.tmpl
index da0584f..e785009 100644
--- a/templates/middleware/policy.go.tmpl
+++ b/templates/middleware/policy.go.tmpl
@@ -190,15 +190,15 @@ func checkPolicy(c echo.Context) Action {
 
 // extract input from request
 authorization := req.Header.Get("Authorization")
 role, authorized := checkAuthorization(authorization)
- if !authorized && (core.AppConfig.OpaSvc != "" || core.AppConfig.Policy != "") && (core.AppConfig.ParticipantUser != "" || core.AppConfig.StaffUser != "") {
+ if !authorized && core.AppConfig.OpaSvc == "" && core.AppConfig.Policy == "" && (core.AppConfig.ParticipantUser != "" || core.AppConfig.StaffUser != "") {
 log.Debug().Str("authorization", authorization).Msg("Authorization failed")
 return Authorize
 }
- return checkAccess(req, role)
+ return checkAccess(req, role, authorized)
 }
 
-func checkAccess(req *http.Request, role string) Action {
+func checkAccess(req *http.Request, role string, authorized bool) Action {
 input := Input{
 "url": req.URL.String(),
 "method": req.Method,
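Review bot: The four new rules make `/livez` and `/readyz` reachable with only `getMethod`, without the `user` predicate every other allow rule in this hunk carries, so by policy these two paths are now served to anonymous callers; that is the normal choice for probe endpoints, but the intent should be written down, e.g. `# health probes are intentionally anonymous: GET only, no user required`, and the probe handlers should expose nothing beyond liveness/readiness state. The allowEntrypoint/allowAccess pairs are byte-identical per path, so a set would remove the duplication: `public_paths := {"/livez", "/readyz"}` with `allowEntrypoint { getMethod; input.path == public_paths[_] }` and the same body for allowAccess. The unchanged `allowEntrypoint { user }` rule (its path check still commented out) admits any authenticated user on every path; this commit does not alter that, but it matters when reading the relaxed pre-check in policy.go.tmpl, which now sends anonymous requests to this policy whenever one is configured.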
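Review bot: With the inverted condition, an unauthenticated request is answered with `Authorize` up front only when neither `core.AppConfig.OpaSvc` nor `core.AppConfig.Policy` is configured; otherwise it now reaches `checkAccess(req, role, false)` and the policy alone decides, using whatever `role` checkAuthorization yields on failure. That is a deliberate behaviour change the hunk does not document; a comment above the `if`, such as `// Without a policy the configured basic-auth users are the only gate, so challenge at once; with a policy, anonymous requests are decided by the (default-deny) policy.`, would make the intent reviewable, and it is worth confirming that checkAuthorization returns an empty role on failure so the policy cannot match an anonymous caller to a real role. Separately, the unchanged `log.Debug().Str("authorization", authorization)` on the following line writes the raw Authorization header — the presented credentials — into the debug log; logging only the scheme or a presence flag would avoid that. checkPolicy starts before this hunk and checkAccess continues after it.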
@@ -220,7 +220,7 @@ func checkAccess(req *http.Request, role string) Action {
 }
 if !ok {
 log.Warn().Str("role", role).Any("url", input["url"]).Any("method", input["method"]).Any("path", input["path"]).Any("trace", input["trace"]).Any("session", input["session"]).Any("host", input["host"]).Any("who", input["who"]).Msg("Access denied")
- if checkEntryPoint(req) == Deny {
+ if checkEntryPoint(req) == Deny && authorized {
 return NotFound
 }
 return Authorize
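Review bot: The added `&& authorized` makes the 404-versus-401 decision depend on authentication state — a denied entry point is reported as `NotFound` only to an authenticated caller, while an anonymous caller always receives the `Authorize` challenge — and that rationale belongs next to the condition: `// Anonymous callers always get the auth challenge; only authenticated callers learn that a denied entry point does not exist.` Together with the checkPolicy change in the previous hunk, `authorized` can now be false here whenever a policy is configured, so this branch is no longer unreachable for anonymous requests and the denied-path warning above it will fire for them too. checkAccess begins and ends outside this hunk.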