package processors
import (
"net/http"
"go.aporeto.io/a3s/pkgs/api"
"go.aporeto.io/a3s/pkgs/authorizer"
"go.aporeto.io/a3s/pkgs/permissions"
"go.aporeto.io/a3s/pkgs/token"
"go.aporeto.io/bahamut"
"go.aporeto.io/elemental"
)
// An AuthzProcessor is a bahamut processor for Authzs.
//
// It answers "may this token perform this action on this resource" queries
// by validating the request token and delegating the decision to the
// configured authorizer (see ProcessCreate).
type AuthzProcessor struct {
	// authorizer is asked CheckAuthorization for every request.
	authorizer authorizer.Authorizer
	// jwks is the key set handed to token.Parse to validate request tokens.
	jwks *token.JWKS
	// issuer is the expected token issuer handed to token.Parse.
	issuer string
	// audience is recorded by NewAuthzProcessor but is not read by any method
	// in this file; ProcessCreate uses the audience carried by the request.
	audience string
}
// NewAuthzProcessor returns a new AuthzProcessor.
//
// authorizer decides authorization queries; jwks and issuer are used by
// ProcessCreate to validate request tokens; audience is stored on the
// processor as given.
func NewAuthzProcessor(authorizer authorizer.Authorizer, jwks *token.JWKS, issuer string, audience string) *AuthzProcessor {
	var p AuthzProcessor
	p.authorizer = authorizer
	p.jwks = jwks
	p.issuer = issuer
	p.audience = audience
	return &p
}
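// ProcessCreate handles the creates requests for Authzs.
//
// The request token is handed to token.Parse together with the processor's
// JWKS and issuer and the audience named in the request; the resulting
// identity is then checked by the authorizer for req.Action on req.Resource
// in req.Namespace. The decision is reported through the response status
// code only (200 when authorized, 403 when not); no output data is set.
//
// A token that token.Parse rejects produces a 400 "Bad Request" elemental
// error carrying the parse error text. An authorizer failure is returned
// unchanged. Malformed input data (not an *api.Authz) also yields a 400
// instead of a panic.
func (p *AuthzProcessor) ProcessCreate(bctx bahamut.Context) error {

	// bahamut is expected to deliver an *api.Authz here; fail with a client
	// error rather than panicking if the route was wired to another identity.
	req, ok := bctx.InputData().(*api.Authz)
	if !ok {
		return elemental.NewError(
			"Bad Request",
			"invalid input data: expected an Authz object",
			"a3s:authz",
			http.StatusBadRequest,
		)
	}

	// NOTE(review): the audience is taken from the request, not from
	// p.audience, which this method never reads. If audience is meant to be
	// a server-side constraint, a caller-chosen value lets a token be
	// validated against whatever audience the caller names — confirm intent.
	idt, err := token.Parse(req.Token, p.jwks, p.issuer, req.Audience)
	if err != nil {
		// The parse error text is surfaced verbatim to the client.
		return elemental.NewError(
			"Bad Request",
			err.Error(),
			"a3s:authz",
			http.StatusBadRequest,
		)
	}

	// A token without restrictions is represented by the zero value so the
	// authorizer always receives a concrete Restrictions.
	var restrictions permissions.Restrictions
	if idt.Restrictions != nil {
		restrictions = *idt.Restrictions
	}

	authorized, err := p.authorizer.CheckAuthorization(
		bctx.Context(),
		idt.Identity,
		req.Action,
		req.Namespace,
		req.Resource,
		authorizer.OptionCheckID(req.ID),
		authorizer.OptionCheckSourceIP(req.IP),
		authorizer.OptionCheckRestrictions(restrictions),
	)
	if err != nil {
		// An authorizer error is not a denial; leave its reporting to the
		// caller's error handling.
		return err
	}

	// The decision is carried purely by the status code.
	if authorized {
		bctx.SetStatusCode(http.StatusOK)
	} else {
		bctx.SetStatusCode(http.StatusForbidden)
	}

	return nil
}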