Merge pull request #40 from holaplex/mpw/add-authz-plugin

Mpw/add authz plugin
holaplex · Mar 24, 2023 · 3497446 · 3497446
2 parents 017de76 + f570a55
commit 3497446
Show file tree

Hide file tree

Showing 7 changed files with 321 additions and 38 deletions.
diff --git a/charts/hub-gateway/Chart.yaml b/charts/hub-gateway/Chart.yaml
@@ -19,7 +19,7 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: "0.8.0"
+version: "0.9.0"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/hub-gateway/plugins/authz-helper.lua b/charts/hub-gateway/plugins/authz-helper.lua
@@ -0,0 +1,129 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+
+local core        = require("apisix.core")
+local get_service = require("apisix.http.service").get
+local http        = require("resty.http")
+local json        = require("apisix.core.json")
+local ngx         = ngx
+local ngx_time    = ngx.time
+local re_match    = ngx.re.match
+local type        = type
+local _M = {}
+
+
+-- build a table of Nginx variables with some generality
+-- between http subsystem and stream subsystem
+local function build_var(conf, ctx)
+    return {
+        server_addr = ctx.var.server_addr,
+        server_port = ctx.var.server_port,
+        remote_addr = ctx.var.remote_addr,
+        remote_port = ctx.var.remote_port,
+        timestamp   = ngx_time(),
+    }
+end
+
+local function build_http_request(conf, ctx)
+    return {
+        scheme  = core.request.get_scheme(ctx),
+        method  = core.request.get_method(),
+        host    = core.request.get_host(ctx),
+        port    = core.request.get_port(ctx),
+        path    = ctx.var.uri,
+        headers = core.request.headers(ctx),
+        query   = core.request.get_uri_args(ctx),
+    }
+end
+
+
+local function build_http_route(conf, ctx, remove_upstream)
+    local route = core.table.clone(ctx.matched_route).value
+
+    if remove_upstream and route and route.upstream then
+        route.upstream = nil
+    end
+
+    return route
+end
+
+
+local function build_http_service(conf, ctx)
+    local service_id = ctx.service_id
+
+    -- possible that there is no service bound to the route
+    if service_id then
+        local service = core.table.clone(get_service(service_id)).value
+
+        if service then
+            if service.upstream then
+                service.upstream = nil
+            end
+            return service
+        else
+        core.log.error("failed to get service")
+        end
+    end
+
+    return nil
+end
+
+local function build_graphql_data(conf, ctx)
+    local input = json.decode(core.request.get_body())
+    return {
+        query = input['query'],
+        variables = input['variables'],
+        operation = ctx.var.graphql_operation,
+
+    }
+end
+
+local function build_http_consumer(conf, ctx)
+    -- possible that there is no consumer bound to the route
+    if ctx.consumer then
+        return core.table.clone(ctx.consumer)
+    end
+
+    return nil
+end
+
+function _M.build_opa_input(conf, ctx, subsystem)
+    local data = {
+        type    = subsystem,
+        request = build_http_request(conf, ctx),
+        var     = build_var(conf, ctx),
+        graphql = build_graphql_data(conf, ctx),
+        keto_endpoint = conf.keto_endpoint
+    }
+
+    if conf.with_route then
+        data.route = build_http_route(conf, ctx, true)
+    end
+
+    if conf.with_consumer then
+        data.consumer = build_http_consumer(conf, ctx)
+    end
+
+    if conf.with_service then
+        data.service = build_http_service(conf, ctx)
+    end
+
+    return {
+        input = data,
+    }
+end
+
+return _M
diff --git a/charts/hub-gateway/plugins/authz.lua b/charts/hub-gateway/plugins/authz.lua
@@ -0,0 +1,138 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+
+local core   = require("apisix.core")
+local http   = require("resty.http")
+local helper = require("apisix.plugins.authz.helper")
+local json = require("apisix.core.json")
+local type   = type
+
+
+local schema = {
+    type = "object",
+    properties = {
+        host = {type = "string"},
+        ssl_verify = {
+            type = "boolean",
+            default = true,
+        },
+        policy = {type = "string"},
+        timeout = {
+            type = "integer",
+            minimum = 1,
+            maximum = 60000,
+            default = 3000,
+            description = "timeout in milliseconds",
+        },
+        keepalive = {type = "boolean", default = true},
+        keepalive_timeout = {type = "integer", minimum = 1000, default = 60000},
+        keepalive_pool = {type = "integer", minimum = 1, default = 5},
+        with_route = {type = "boolean", default = false},
+        with_service = {type = "boolean", default = false},
+        with_consumer = {type = "boolean", default = false},
+    },
+    required = {"host", "policy"}
+}
+
+
+local _M = {
+    version = 0.1,
+    priority = 1,
+    name = "authz",
+    schema = schema,
+}
+
+function _M.check_schema(conf)
+    local ok, err = core.schema.check(schema, conf)
+    if not ok then
+        return false, err
+    end
+    return true
+end
+
+function _M.access(conf, ctx)
+    local body = helper.build_opa_input(conf, ctx, "http")
+
+    local params = {
+        method = "POST",
+        body = json.encode(body),
+        headers = {
+            ["Content-Type"] = "application/json",
+        },
+        keepalive = conf.keepalive,
+        ssl_verify = conf.ssl_verify
+    }
+
+    if conf.keepalive then
+        params.keepalive_timeout = conf.keepalive_timeout
+        params.keepalive_pool = conf.keepalive_pool
+    end
+
+    local endpoint = conf.host .. "/v1/data/" .. conf.policy
+
+    local httpc = http.new()
+    httpc:set_timeout(conf.timeout)
+
+    local res, err = httpc:request_uri(endpoint, params)
+
+    -- block by default when decision is unavailable
+    if not res then
+        return 403, json.encode({
+          message = "OPA Decision is unavailable. Errors found in policy"
+        })
+    end
+
+    -- parse the results of the decision
+    local data, err = json.decode(res.body)
+
+    if not data then
+        return 503, json.encode({
+          message = "Invalid response body"
+        })
+    end
+
+    if not data.result then
+        return 503, json.encode({
+          message = "Invalid decision format: " .. res.body .. " Err: `result field does not exist"
+        })
+    end
+
+    local result = data.result
+
+    if not result.allow then
+        if result.headers then
+            core.response.set_header(result.headers)
+        end
+
+        local status_code = 403
+        if result.status_code then
+            status_code = result.status_code
+        end
+
+        local reason = nil
+        if result.reason then
+            reason = type(result.reason) == "table"
+                and json.encode(result.reason)
+                or result.reason
+        end
+
+        return status_code, reason
+    end
+end
+
+
+return _M
diff --git a/charts/hub-gateway/plugins/oauth2.lua b/charts/hub-gateway/plugins/oauth2.lua
@@ -53,6 +53,10 @@ local schema = {
             type = "boolean",
             default = false
         },
+        expose_owner = {
+            type = "boolean",
+            default = false
+        },
     },
     required = {"host"}
 }
@@ -118,16 +122,12 @@ function _M.access(conf, ctx)
         })
     end
 
-    -- Expose hydra_client_id id on $hydra_client_id variable
     if conf.expose_client_id then
         core.request.set_header(ctx, "X-CLIENT-ID", data.client_id)
         core.response.set_header("X-CLIENT-ID", data.client_id)
-        core.ctx.register_var("hydra_client_id", function(ctx)
-            return data.client_id
-        end)
     end
-
-    -- Get kratos user id from hydra client contacts
+   
+    -- Lookup full hydra client data
     local params = {
         method = "GET",
         headers = {
@@ -149,11 +149,15 @@ function _M.access(conf, ctx)
     local data, err = json.decode(res.body)
     if not data then
         return 401, err
+    end 
+
+    -- Expose hydra client owner id on request header
+    if conf.expose_owner then
+        if not data.owner then
+          core.log.error("unable to get owner from response:", json.encode(data))
+        end
+        core.request.set_header(ctx, "X-CLIENT-OWNER-ID", data.owner)
     end
-
-    core.request.set_header(ctx, "X-USER-ID", data.contacts[1])
-    core.response.set_header("X-USER-ID", data.contacts[1])
-
 end
 
 return _M
diff --git a/charts/hub-gateway/plugins/session.lua b/charts/hub-gateway/plugins/session.lua
@@ -49,10 +49,6 @@ local schema = {
             minimum = 1,
             default = 5
         },
-        expose_user_data = {
-            type = "boolean",
-            default = false
-        },
         expose_user_id = {
             type = "boolean",
             default = false
@@ -77,6 +73,7 @@ end
 
 function _M.access(conf, ctx)
     local session_cookie_name = string.lower(conf.session_cookie_name or "ory_kratos_session")
+
     local cookie_header = string.lower("cookie_" .. session_cookie_name)
     local cookie_value = ngx.var[cookie_header]
 
@@ -134,32 +131,12 @@ function _M.access(conf, ctx)
             })
     end
 
-    -- Expose user data response on $kratos_user_data variable
-    if conf.expose_user_data then
-        local user_data = ngx.encode_base64(res.body)
-        if not user_data then
-            return 401, json.encode({
-              message = "Error while reading user_data"
-            })
-        end
-        core.ctx.register_var("kratos_user_data", function(ctx)
-            return user_data
-        end)
-    end
-
-    -- Expose user id on $kratos_user_id variable
-    -- Expose user email on $kratos_user_email variable
+    -- Expose user email and id on headers
     if conf.expose_user_id then
         core.request.set_header(ctx, "X-USER-ID", data.identity.id)
         core.response.set_header("X-USER-ID", data.identity.id)
         core.request.set_header(ctx, "X-USER-EMAIL", data.identity.traits.email)
         core.response.set_header("X-USER-EMAIL", data.identity.traits.email)
-        core.ctx.register_var("kratos_user_id", function(ctx)
-            return data.identity.id
-        end)
-        core.ctx.register_var("kratos_user_email", function(ctx)
-            return data.identity.traits.email
-        end)
     end
 end