grpc_opa_middleware

package
v0.0.1
This package is not in the latest version of its module.
Published: Aug 2, 2021 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Overview

Package grpc_opa_middleware implements gRPC server interceptors that send an authorization request for each incoming call to OPA (Open Policy Agent) and reject calls that OPA does not allow.

Index

Constants

const (
	REDACTED = "redacted"
	TypeKey  = ABACKey("ABACType")
	VerbKey  = ABACKey("ABACVerb")
	ObKey    = ObligationKey("obligations")
)

Variables

var (
	ErrForbidden  = status.Errorf(codes.PermissionDenied, "Request forbidden: not authorized")
	ErrUnknown    = status.Errorf(codes.Unknown, "Unknown error")
	ErrInvalidArg = status.Errorf(codes.InvalidArgument, "Invalid argument")
)
var (
	// Application is set at initialization
	Application      string
	ErrNoCredentials = errors.New("no credentials found")
)
var (
	ErrInvalidObligations = status.Errorf(codes.Internal, "Invalid obligations")
)
var (
	SERVICENAME = "opa"
)

Override SERVICENAME to set your own service name.

Functions

func FromContext

func FromContext(ctx context.Context) interface{}

FromContext retrieves authZ information from the Context

func IsNilInterface

func IsNilInterface(i interface{}) bool

IsNilInterface returns whether the interface parameter is nil. It panics if the argument is not a chan, func, interface, map, pointer, or slice; see https://golang.org/pkg/reflect/#Value.IsNil

func StreamServerInterceptor

func StreamServerInterceptor(application string, opts ...Option) grpc.StreamServerInterceptor

StreamServerInterceptor returns a new gRPC stream server interceptor that authorizes each incoming stream against OPA before the handler runs.

func UnaryServerInterceptor

func UnaryServerInterceptor(application string, opts ...Option) grpc.UnaryServerInterceptor

UnaryServerInterceptor returns a new gRPC unary server interceptor that authorizes each incoming call against OPA before the handler runs.

func UnverifiedClaimFromBearers

func UnverifiedClaimFromBearers(bearer, newBearer []string) (string, []error)

UnverifiedClaimFromBearers is taken from athena-authn_claims.UnverifiedClaimFromBearers. As the name indicates, it extracts the claim from the supplied bearer tokens without verifying their signatures, so the returned value is untrusted input and must not by itself be used to make an authorization decision.

Types

type ABACKey

type ABACKey string

ABACKey is a context.Context key type

type AuthorizeFn

type AuthorizeFn func(ctx context.Context, fullMethodName string, grpcReq interface{}, opaEvaluator OpaEvaluator) (bool, context.Context, error)

func (AuthorizeFn) Evaluate

func (a AuthorizeFn) Evaluate(ctx context.Context, fullMethod string, grpcReq interface{}, opaEvaluator OpaEvaluator) (bool, context.Context, error)

func (AuthorizeFn) OpaQuery

func (a AuthorizeFn) OpaQuery(opaReq, opaResp interface{}) error

type Authorizer

type Authorizer interface {
	// Evaluate is called with the gRPC request's full method name and the request Context.
	// If the handler is executed, the request will be sent to OPA. OPA's response
	// will be unmarshaled from JSON into the provided response.
	// Evaluate returns true if the request is authorized. The returned context
	// is passed to the subsequent gRPC handler.
	Evaluate(ctx context.Context, fullMethod string, grpcReq interface{}, opaEvaluator OpaEvaluator) (bool, context.Context, error)

	// OpaQuery executes query of the specified decisionDocument against OPA.
	// If decisionDocument is "", then the query is executed against the default decision document configured in OPA.
	OpaQuery(ctx context.Context, decisionDocument string, opaReq, opaResp interface{}) error
}

Authorizer interface is implemented for making arbitrary requests to Opa.

type Config

type Config struct {
	// contains filtered or unexported fields
}

type DecisionInput

type DecisionInput struct {
	Type             string        `json:"type"` // Object/resource-type to match
	Verb             string        `json:"verb"` // Verb to match
	SealCtx          []interface{} `json:"ctx"`  // Array of app/service-specific context data to match
	DecisionDocument string        `json:"-"`    // OPA decision document to query; "" queries OPA's default decision document
}

DecisionInput is app/service-specific data supplied by app/service ABAC requests

type DecisionInputHandler

type DecisionInputHandler interface {
	// GetDecisionInput returns an app/service-specific DecisionInput.
	// A nil DecisionInput should NOT be returned unless error.
	GetDecisionInput(ctx context.Context, fullMethod string, grpcReq interface{}) (*DecisionInput, error)
}

fullMethod is of the form "Service.FullMethod"

type DefaultAuthorizer

type DefaultAuthorizer struct {
	// contains filtered or unexported fields
}

func NewDefaultAuthorizer

func NewDefaultAuthorizer(application string, opts ...Option) *DefaultAuthorizer

func (*DefaultAuthorizer) AffirmAuthorization

func (a *DefaultAuthorizer) AffirmAuthorization(ctx context.Context, fullMethod string, grpcReq interface{}) (context.Context, error)

AffirmAuthorization makes an authz request to sidecar-OPA. If authorization is permitted, error returned is nil, and a new context is returned, possibly containing obligations. Caller must further evaluate obligations if required.

func (*DefaultAuthorizer) Evaluate

func (a *DefaultAuthorizer) Evaluate(ctx context.Context, fullMethod string, grpcReq interface{}, opaEvaluator OpaEvaluator) (bool, context.Context, error)

func (*DefaultAuthorizer) OpaQuery

func (a *DefaultAuthorizer) OpaQuery(ctx context.Context, decisionDocument string, opaReq, opaResp interface{}) error

type DefaultDecisionInputer

type DefaultDecisionInputer struct{}

DefaultDecisionInputer is an example DecisionInputHandler that is used as default

func (*DefaultDecisionInputer) GetDecisionInput

func (m *DefaultDecisionInputer) GetDecisionInput(ctx context.Context, fullMethod string, grpcReq interface{}) (*DecisionInput, error)

GetDecisionInput is an example DecisionInputHandler that returns some decision input based on some incoming Context values. App/services will most likely supply their own DecisionInputHandler using WithDecisionInputHandler option.
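As an added example, not code from the middleware: a DecisionInputHandler that derives Type and Verb from the gRPC method name, the kind of handler an app would register with WithDecisionInputHandler. It assumes fullMethod has the "/package.Service/Method" form documented for Payload.FullMethod, re-declares DecisionInput locally so it builds stand-alone, and its prefix-to-verb table is this example's own convention. Anything it cannot map is an error rather than a guessed verb, so an unmapped RPC is denied instead of being matched as a read.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// DecisionInput re-declares the struct documented above so this file builds on its own.
type DecisionInput struct {
	Type             string        `json:"type"`
	Verb             string        `json:"verb"`
	SealCtx          []interface{} `json:"ctx"`
	DecisionDocument string        `json:"-"`
}

// verbByPrefix maps a method-name prefix to the ABAC verb a policy matches on.
// The prefixes and verbs are this example's convention, not the middleware's.
var verbByPrefix = []struct{ prefix, verb string }{
	{"Get", "read"}, {"List", "read"}, {"Watch", "read"},
	{"Create", "write"}, {"Update", "write"}, {"Delete", "write"},
}

var errNoVerb = errors.New("no verb mapping for method")

// MethodDecisionInputer derives Type and Verb from the gRPC full method string,
// assumed to be "/package.Service/Method". It returns an error, never a guessed
// verb, for anything it does not recognise.
type MethodDecisionInputer struct {
	Document string // OPA decision document to query; "" means OPA's default
}

func (m MethodDecisionInputer) GetDecisionInput(_ context.Context, fullMethod string, _ interface{}) (*DecisionInput, error) {
	parts := strings.Split(strings.TrimPrefix(fullMethod, "/"), "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return nil, fmt.Errorf("malformed full method %q", fullMethod)
	}
	service := parts[0][strings.LastIndex(parts[0], ".")+1:] // "crm.ContactService" -> "ContactService"
	method := parts[1]
	verb := ""
	for _, p := range verbByPrefix {
		if strings.HasPrefix(method, p.prefix) {
			verb = p.verb
			break
		}
	}
	if verb == "" {
		return nil, fmt.Errorf("%w: %q", errNoVerb, method)
	}
	return &DecisionInput{
		Type:             strings.TrimSuffix(service, "Service"), // "ContactService" -> "Contact"
		Verb:             verb,
		SealCtx:          []interface{}{map[string]string{"method": method}},
		DecisionDocument: m.Document,
	}, nil
}

func main() {
	h := MethodDecisionInputer{Document: "authz"}
	for _, fm := range []string{"/crm.ContactService/ListContacts", "/crm.ContactService/DeleteContact", "/crm.ContactService/Frobnicate", "bogus"} {
		di, err := h.GetDecisionInput(context.Background(), fm, nil)
		fmt.Printf("%-35s -> %+v err=%v\n", fm, di, err)
	}
}
```

The point of the explicit table is that the verb reaching OPA is part of the security decision: a handler that defaulted unknown methods to "read" would let a newly added RPC slip through under the most permissive verb.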

type OPARequest

type OPARequest struct {
	// Document is the OPA decision document to query; "" queries the default document
	Document string
	// OPA expects this field to be called input
	Input *Payload `json:"input"`
}

OPARequest is used to query OPA

type OPAResponse

type OPAResponse map[string]interface{}

OPAResponse unmarshals the response from OPA

func (OPAResponse) Allow

func (o OPAResponse) Allow() bool

Allow reports whether OPA's decision allowed the request.

func (OPAResponse) Obligations

func (o OPAResponse) Obligations() (*ObligationsNode, error)

Obligations parses the returned obligations and returns them in standard format

type ObligationKey

type ObligationKey string

type ObligationsEnum

type ObligationsEnum int
const (
	ObligationsEmpty ObligationsEnum = iota // Default "zero" value for uninitialized ObligationsEnum
	ObligationsCondition
	ObligationsAnd
	ObligationsOr
)

func (ObligationsEnum) String

func (o8e ObligationsEnum) String() string

type ObligationsNode

type ObligationsNode struct {
	Kind      ObligationsEnum
	Tag       string
	Condition string
	Children  []*ObligationsNode
}

ObligationsNode defines the generic obligations tree returned by middleware in the context

func (*ObligationsNode) DeepSort

func (o8n *ObligationsNode) DeepSort()

DeepSort recursively sorts any nested nodes. Intended to be used in unit-tests to force deterministic order for comparison.

func (*ObligationsNode) ShallowLength

func (o8n *ObligationsNode) ShallowLength() int

ShallowLength returns the length of this node. It does not include the lengths of any nested nodes. Length zero means this node is empty (has no obligation).

func (*ObligationsNode) ShallowLessThan

func (lhs *ObligationsNode) ShallowLessThan(rhs *ObligationsNode) bool

ShallowLessThan returns true if lhs less than rhs. Does not consider nested nodes. Intended for use by DeepSort method.

func (*ObligationsNode) String

func (o8n *ObligationsNode) String() string

String() returns a multiline pretty string representation (actually JSON), intended to be human-readable for debugging purposes.
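AffirmAuthorization leaves obligations for the caller to evaluate, so as an added example (not the middleware's code) here is one way to walk an ObligationsNode tree against a single resource. The types are re-declared locally so the file builds stand-alone. The page does not define the condition language; this example assumes a Condition is "key=value" compared against the resource's attributes, and treats every case it cannot decide (nil node, unknown kind, malformed condition, And/Or without children, missing attribute) as an error that the caller must read as "not satisfied". The sample tree and attribute maps are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ObligationsEnum and ObligationsNode re-declare the types documented above so
// this file builds without the middleware. Tag is documented but its meaning is
// not given on the page, so it is carried and ignored here.
type ObligationsEnum int

const (
	ObligationsEmpty ObligationsEnum = iota
	ObligationsCondition
	ObligationsAnd
	ObligationsOr
)

type ObligationsNode struct {
	Kind      ObligationsEnum
	Tag       string
	Condition string
	Children  []*ObligationsNode
}

var errBadObligation = errors.New("obligation cannot be evaluated")

// Satisfied reports whether one resource, described by attrs, meets the obligations
// tree. Condition is assumed (this example's convention) to be "key=value".
// Every undecidable case is an error, and an error must be treated as not satisfied.
func Satisfied(n *ObligationsNode, attrs map[string]string) (bool, error) {
	if n == nil {
		return false, errBadObligation
	}
	switch n.Kind {
	case ObligationsEmpty:
		return true, nil // the decision carried no obligation
	case ObligationsCondition:
		key, want, ok := strings.Cut(n.Condition, "=")
		if !ok || key == "" {
			return false, fmt.Errorf("%w: condition %q", errBadObligation, n.Condition)
		}
		got, present := attrs[key]
		if !present {
			return false, fmt.Errorf("%w: resource has no attribute %q", errBadObligation, key)
		}
		return got == want, nil
	case ObligationsAnd, ObligationsOr:
		if len(n.Children) == 0 {
			return false, fmt.Errorf("%w: kind %d without children", errBadObligation, n.Kind)
		}
		for _, c := range n.Children {
			ok, err := Satisfied(c, attrs)
			if err != nil {
				return false, err
			}
			if n.Kind == ObligationsAnd && !ok {
				return false, nil // first failing conjunct decides
			}
			if n.Kind == ObligationsOr && ok {
				return true, nil // first passing disjunct decides
			}
		}
		return n.Kind == ObligationsAnd, nil
	}
	return false, fmt.Errorf("%w: unknown kind %d", errBadObligation, n.Kind)
}

// SampleTree is a constructed obligation: (owner=alice OR team=sales) AND classification=public.
func SampleTree() *ObligationsNode {
	return &ObligationsNode{Kind: ObligationsAnd, Children: []*ObligationsNode{
		{Kind: ObligationsOr, Children: []*ObligationsNode{
			{Kind: ObligationsCondition, Condition: "owner=alice"},
			{Kind: ObligationsCondition, Condition: "team=sales"},
		}},
		{Kind: ObligationsCondition, Condition: "classification=public"},
	}}
}

func main() {
	for _, attrs := range []map[string]string{
		{"owner": "alice", "classification": "public"},
		{"owner": "bob", "team": "eng", "classification": "public"},
		{"owner": "alice"}, // classification missing: error, hence not satisfied
	} {
		ok, err := Satisfied(SampleTree(), attrs)
		fmt.Println(attrs, ok, err)
	}
}
```

A missing attribute is reported as an error rather than as false on purpose: a resource that simply lacks the field the policy conditions on should never pass, and surfacing it as an error makes the mismatch between policy and data model visible instead of silently denying.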

type OpaEvaluator

type OpaEvaluator func(ctx context.Context, decisionDocument string, opaReq, opaResp interface{}) error

OpaEvaluator implements calling OPA with a request and receiving the raw response

type Option

type Option func(c *Config)

func WithAddress

func WithAddress(address string) Option

WithAddress sets the address of the OPA instance the middleware sends authorization requests to.

func WithAuthorizer

func WithAuthorizer(auther ...Authorizer) Option

WithAuthorizer overrides the request/response processing of OPA. Multiple authorizers can be passed.

func WithDecisionInputHandler

func WithDecisionInputHandler(decisionHandler DecisionInputHandler) Option

WithDecisionInputHandler supplies optional DecisionInputHandler for DefaultAuthorizer to obtain additional input for OPA ABAC decision processing.

func WithHTTPClient

func WithHTTPClient(client *http.Client) Option

WithHTTPClient overrides the http.Client used to call Opa

func WithOpaEvaluator

func WithOpaEvaluator(opaEvaluator OpaEvaluator) Option

WithOpaEvaluator overrides the OpaEvaluator used to evaluate authorization against OPA.
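As an added example (not the middleware's code) of what an OpaEvaluator does on the wire and how the caller should read the answer: it POSTs the documented OPARequest shape to OPA's Data API (POST /v1/data/<document> with an "input" member, reply wrapped in "result") and a small Authorize helper turns the reply into a decision, denying on every failure path. The request/response types are re-declared locally, minus fields the example does not use; the json:"-" tag on Document and the "allow" key read by Allow() are this example's assumptions, since the page names neither; the fake OPA server and its policy are constructed for the example.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Local copies of the types documented above, minus unused fields. json:"-" on Document is this example's choice: OPA reads only "input".
type DecisionInput struct {
	Type             string `json:"type"`
	Verb             string `json:"verb"`
	DecisionDocument string `json:"-"`
}
type Payload struct {
	Application string `json:"application"`
	FullMethod  string `json:"full_method"`
	JWT         string `json:"jwt"`
	DecisionInput
}
type OPARequest struct {
	Document string   `json:"-"`
	Input    *Payload `json:"input"`
}
type OPAResponse map[string]interface{}
type OpaEvaluator func(ctx context.Context, decisionDocument string, opaReq, opaResp interface{}) error

// Allow assumes the policy result carries a boolean "allow" (the page does not name the key).
func (o OPAResponse) Allow() bool { v, ok := o["allow"].(bool); return ok && v }

// NewHTTPEvaluator returns an OpaEvaluator that POSTs {"input": ...} to OPA's Data API at
// address/v1/data/<document>. "" queries the Data API root here; the middleware's own mapping of "" is not shown on the page.
func NewHTTPEvaluator(client *http.Client, address string) OpaEvaluator {
	return func(ctx context.Context, doc string, opaReq, opaResp interface{}) error {
		body, err := json.Marshal(opaReq)
		if err != nil {
			return err
		}
		path := "/v1/data"
		if doc != "" {
			path += "/" + strings.Trim(doc, "/")
		}
		req, err := http.NewRequestWithContext(ctx, http.MethodPost, address+path, bytes.NewReader(body))
		if err != nil {
			return err
		}
		req.Header.Set("Content-Type", "application/json")
		resp, err := client.Do(req)
		if err != nil {
			return err
		}
		defer resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			return fmt.Errorf("opa: HTTP %d", resp.StatusCode)
		}
		return json.NewDecoder(resp.Body).Decode(opaResp)
	}
}

// Authorize does for one RPC what AffirmAuthorization is documented to do: send the input and
// read the decision. Transport errors, non-200, an undefined document and a missing "allow" all deny.
func Authorize(ctx context.Context, eval OpaEvaluator, p *Payload) (bool, error) {
	var env struct {
		Result *OPAResponse `json:"result"` // OPA omits "result" when the document is undefined
	}
	if err := eval(ctx, p.DecisionDocument, OPARequest{Document: p.DecisionDocument, Input: p}, &env); err != nil {
		return false, err
	}
	if env.Result == nil {
		return false, errors.New("opa: decision document undefined")
	}
	return env.Result.Allow(), nil
}

// fakeOPA emulates OPA for a constructed policy at document "authz": jwt "good-token"
// may read any type and write only "Contact". Other paths answer {} (undefined document).
func fakeOPA(w http.ResponseWriter, r *http.Request) {
	var req OPARequest
	if r.Method != http.MethodPost || r.URL.Path != "/v1/data/authz" ||
		json.NewDecoder(r.Body).Decode(&req) != nil || req.Input == nil {
		fmt.Fprint(w, "{}")
		return
	}
	allow := req.Input.JWT == "good-token" && (req.Input.Verb == "read" || (req.Input.Verb == "write" && req.Input.Type == "Contact"))
	json.NewEncoder(w).Encode(map[string]interface{}{"result": map[string]interface{}{"allow": allow}})
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(fakeOPA))
	defer srv.Close()
	p := &Payload{Application: "crm", FullMethod: "/crm.ContactService/DeleteContact", JWT: "good-token",
		DecisionInput: DecisionInput{Type: "Contact", Verb: "write", DecisionDocument: "authz"}}
	fmt.Println(Authorize(context.Background(), NewHTTPEvaluator(srv.Client(), srv.URL), p))
}
```

The evaluator has the same signature as the package's OpaEvaluator, so a function like this (converted to the package's type) is what WithOpaEvaluator expects; the same shape is handy in tests, where a fake server stands in for the sidecar. Note that an undefined decision document comes back from OPA as {} with HTTP 200, so checking the status code alone is not enough: the absent "result" must be treated as a denial.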

type Payload

type Payload struct {
	Endpoint    string `json:"endpoint"`
	Application string `json:"application"`
	// FullMethod is the full RPC method string, i.e., /package.service/method.
	FullMethod string `json:"full_method"`
	JWT        string `json:"jwt"`
	DecisionInput
}

type WrappedSrvStream

type WrappedSrvStream struct {
	grpc.ServerStream
	// It is wrapper's own Context.
	WrappedCtx context.Context
}

WrappedSrvStream allows modifying context.

func (*WrappedSrvStream) Context

func (w *WrappedSrvStream) Context() context.Context

Context returns the wrapper's WrappedCtx
