Added API v1 mapping

Signed-off-by: Xuhang Cao <[email protected]>
spiffe · Aug 27, 2024 · cd3c19a · cd3c19a
1 parent 2103b3f
commit cd3c19a
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/api/agent/server.go b/api/agent/server.go
@@ -1061,6 +1061,7 @@ func NewAuthorizer(authorizerPlugin *ast.ObjectItem) (authorization.Authorizer,
 		// decode into role list and apiMapping
 		roleList := make(map[string]string)
 		apiMapping := make(map[string][]string)
+		apiV1Mapping := make(map[string]map[string][]string)
 		for _, role := range config.RoleList {
 			roleList[role.Name] = role.Desc
 			// print warning for empty string
@@ -1077,9 +1078,15 @@ func NewAuthorizer(authorizerPlugin *ast.ObjectItem) (authorization.Authorizer,
 			apiV1.Method = arr[0]
 			apiV1.Path = arr[1]
 			fmt.Printf("API V1 method: %s, API V1 path: %s, API V1 allowed roles: %s \n", apiV1.Method, apiV1.Path, apiV1.AllowedRoles)
+			if _, ok := apiV1Mapping[apiV1.Path]; ok {
+				apiV1Mapping[apiV1.Path][apiV1.Method] = apiV1.AllowedRoles
+			} else {
+				apiV1Mapping[apiV1.Path] = map[string][]string{apiV1.Method: apiV1.AllowedRoles}
+			}
 		}
+		fmt.Printf("API V1 Mapping: %+v\n", apiV1Mapping)
 
-		authorizer, err := authorization.NewRBACAuthorizer(config.Name, roleList, apiMapping)
+		authorizer, err := authorization.NewRBACAuthorizer(config.Name, roleList, apiMapping, apiV1Mapping)
 		if err != nil {
 			return nil, errors.Errorf("Couldn't configure Authorizer: %v", err)
 		}

diff --git a/pkg/agent/authorization/rbac.go b/pkg/agent/authorization/rbac.go
@@ -3,7 +3,7 @@ package authorization
 import (
 	"net/http"
 	"github.com/pkg/errors"
-
+	"fmt"
 	"github.com/spiffe/tornjak/pkg/agent/authentication/user"
 )
 
@@ -41,7 +41,7 @@ func validateInitParameters(roleList map[string]string, apiMapping map[string][]
 		if _, ok := staticAPIList[api]; !ok {
 			return errors.Errorf("API %s does not exist", api)
 		}
-		
+
 		// check that each role exists in roleList
 		for _, allowedRole := range allowList {
 			if _, ok := roleList[allowedRole]; !ok {
@@ -52,11 +52,12 @@ func validateInitParameters(roleList map[string]string, apiMapping map[string][]
 	return nil
 }
 
-func NewRBACAuthorizer(policyName string, roleList map[string]string, apiMapping map[string][]string) (*RBACAuthorizer, error) {
+func NewRBACAuthorizer(policyName string, roleList map[string]string, apiMapping map[string][]string, apiV1Mapping map[string]map[string][]string) (*RBACAuthorizer, error) {
 	err := validateInitParameters(roleList, apiMapping)
 	if err != nil {
 		return nil, errors.Errorf("Could not parse policy %s: invalid mapping: %v", policyName, err)
 	}
+	fmt.Printf("apiV1Mapping: %v\n", apiV1Mapping)
 	return &RBACAuthorizer{
 		name: policyName,
 		roleList: roleList,