-
-
Notifications
You must be signed in to change notification settings - Fork 26
/
authz_by_policy.go
67 lines (56 loc) · 2.34 KB
/
authz_by_policy.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
package api
import (
"context"
"errors"
"net/http"
"os"
"strings"
"github.com/99designs/gqlgen/graphql"
"github.com/rs/zerolog/log"
typesgen "atomys.codes/stud42/internal/api/generated/types"
)
// policyRequestHeaderAuthorizationContextKey is the context key for the request IP.
// It is used by the AuthzByPolicyMiddleware and the directiveAuthzByPolicy.
// The type of the context value must be a net.IP.
const policyRequestHeaderAuthorizationContextKey contextKey = "policy_request_header_authorization"
// errBlockedByPolicy is the error returned by the directiveAuthzByPolicy.
// when the request IP is not allowed by the policy.
var errBlockedByPolicy = errors.New("request blocked by policy")
// AuthzByPolicyMiddleware is a middleware that checks the request IP and stores
// it in the context for the directiveAuthzByPolicy. It is used by the
// directiveAuthzByPolicy.
func AuthzByPolicyMiddleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var authString = r.Header.Get("Authorization")
splitToken := strings.Split(authString, "ServiceToken ")
if len(splitToken) != 2 {
splitToken = append(splitToken, "")
}
ctx := context.WithValue(r.Context(), policyRequestHeaderAuthorizationContextKey, splitToken[1])
next.ServeHTTP(w, r.WithContext(ctx))
})
}
// directiveAuthzByPolicy is a directive that checks the request IP and
// returns an error if the IP is not allowed by the policy.
// The directive is registered in the schema and automatically used by the
// resolver on fields that have the @authorizationByPolicy directive.
func directiveAuthzByPolicy(ctx context.Context, obj interface{}, next graphql.Resolver, policy *typesgen.SecurityPolicy) (res interface{}, err error) {
token := ctx.Value(policyRequestHeaderAuthorizationContextKey).(string)
log.Debug().Msgf("Request being tested against policy %s", policy)
if os.Getenv("GO_ENV") == "development" {
log.Warn().Msg("policy is not enforced in development mode")
return next(ctx)
}
switch *policy {
case typesgen.SecurityPolicyServiceToken:
log.Debug().Str("token", token).Str("env", os.Getenv("S42_SERVICE_TOKEN")).Msg("testing service token")
if token != os.Getenv("S42_SERVICE_TOKEN") {
return nil, errBlockedByPolicy
}
case typesgen.SecurityPolicyNone:
break
default:
break
}
return next(ctx)
}