Move authorization info from header to body #6

Merged (3 commits), Jul 17, 2024

@gerardsn gerardsn commented Jun 13, 2024

This PR contains the changes needed to make the APISIX PEP demo work.

APISIX sends all data of the request as JSON in the body to opa/nuts-pxp, which is different from the headers we opted for in the NGINX PEP flow.

This PR adds a separate API to handle the APISIX requests at /v1/data/apisix. The NGINX flow is unchanged on /v1/data. The body sent by APISIX is of the following format:

{
  "input": {
    "var": {
      "server_port": "9080",
      "remote_addr": "172.90.10.2",
      "timestamp": 1718289289,
      "remote_port": "54228",
      "server_addr": "172.90.10.12"
    },
    "type": "http",
    "request": {
      "scheme": "http",
      "method": "POST",
      "host": "pep-right",
      "query": {},
      "path": "/web/external/transfer/notify/21189b43-04d5-4f4f-86ed-e5ae21a87f84",
      "headers": {
        "X-Userinfo": "eyJvcmdhbml6YXRpb25fbmFtZSI6IkxlZnQiLCJzY29wZSI6ImVPdmVyZHJhY2h0LXJlY2VpdmVyIiwic3ViIjoiZGlkOndlYjpub2RlLnJpZ2h0LmxvY2FsOmlhbTpyaWdodCIsImV4cCI6MTcxODI5MDE4NiwiaWF0IjoxNzE4Mjg5Mjg2LCJpc3MiOiJkaWQ6d2ViOm5vZGUucmlnaHQubG9jYWw6aWFtOnJpZ2h0IiwiYWN0aXZlIjp0cnVlLCJjbGllbnRfaWQiOiJkaWQ6d2ViOm5vZGUubGVmdC5sb2NhbDppYW06bGVmdCIsIm9yZ2FuaXphdGlvbl9jaXR5IjoiR3JvZW5sbyJ9",
        "host": "pep-right:9080",
        "authorization": "Bearer TonUNXLwVn2UgJgVfpVDNa7WaXAlE2W-mS6CfqDzeP0",
        "content-length": "0",
        "user-agent": "go-resty/2.13.1 (https://github.com/go-resty/resty)",
        "X-Access-Token": "TonUNXLwVn2UgJgVfpVDNa7WaXAlE2W-mS6CfqDzeP0",
        "accept-encoding": "gzip",
        "content-type": "text/plain; charset=utf-8",
        "connection": "close"
      },
      "port": 9080
    }
  }
}

And APISIX expects a response:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "result": {
    "allow": true
  }
}

I have tried to get this to work with a variable number of path elements after /v1/data, as in OPA, to make it pluggable with a standard OPA server, but I cannot get this to work with echo. Using the standard library's http.ServeMux can do this, see #7.
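
An added example, not code from this PR or from the project: Go code that reads the body format shown above, decodes `X-Userinfo`, and renders the response APISIX expects. The helper names, the tolerance for header-name case and base64 padding, the rejection of duplicate headers, and the `active` check used as the decision are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// apisixBody mirrors only the part of the APISIX request body used here.
type apisixBody struct {
	Input struct {
		Request struct{ Headers map[string]interface{} }
	}
}

// userinfoClaims decodes X-Userinfo; name case and padding may vary (assumption).
func userinfoClaims(body []byte) (map[string]interface{}, error) {
	var in apisixBody
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, err
	}
	var vals []string
	for name, v := range in.Input.Request.Headers {
		if s, ok := v.(string); ok && strings.EqualFold(name, "X-Userinfo") {
			vals = append(vals, s)
		}
	}
	if len(vals) != 1 { // zero or ambiguous duplicates: refuse to pick one
		return nil, fmt.Errorf("invalid request, got %d X-Userinfo headers", len(vals))
	}
	var claims map[string]interface{}
	raw, err := base64.RawStdEncoding.DecodeString(strings.TrimRight(vals[0], "="))
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	return claims, err
}

// decide denies on any error; allowing on "active": true is a placeholder policy.
func decide(body []byte) string {
	claims, err := userinfoClaims(body)
	allow := err == nil && claims["active"] == true
	out, _ := json.Marshal(map[string]interface{}{"result": map[string]bool{"allow": allow}})
	return string(out)
}

func main() { // constructed sample: lowercase header name, value encodes {"active":true}
	fmt.Println(decide([]byte(`{"input":{"request":{"headers":{"x-userinfo":"eyJhY3RpdmUiOnRydWV9"}}}}`)))
}
```

Every failure path (unparseable body, missing or duplicated header, bad base64, claims that are not JSON) ends in `"allow": false`, so the gateway never receives an allow for input the decision point could not read.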

@woutslakhorst

Maybe it's better to change the current endpoints and the nginx setup?

@woutslakhorst

So, most of the work to support both use cases would be to adjust logic in this repo and change the nginx case to be compatible?

if !ok {
return nil, errors.New("invalid request, missing 'input.request.headers'")
}
xUserinfoBase64, ok := httpHeaders["X-Userinfo"].(string)
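
Review bot: the lookup `httpHeaders["X-Userinfo"]` on the last line is an exact, case-sensitive map key match, while the sample body in the description carries this header capitalised next to lowercase names such as `authorization` and `host`. If the gateway emits the name in any other casing, the request falls into the missing-header path, so consider matching the header name case-insensitively. Also confirm that the `ok` from the `.(string)` assertion is checked before the value is decoded, the same way the preceding `!ok` check guards `input.request.headers`.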
Does APISIX always pass the header as b64 encoded? If so, we can be OPA docker image compatible with:

token_claims := json.unmarshal(base64.decode(input.request.headers["X-Userinfo"]))

@gerardsn gerardsn changed the title Add separate endpoint for APISIX Move authorization info from header to body Jul 17, 2024
@gerardsn gerardsn merged commit 51183bf into main Jul 17, 2024
1 check passed
@gerardsn gerardsn deleted the changes-for-apisix-pep branch July 17, 2024 08:17