Authorization enforcement

cloudtrust · Feb 10, 2020 · 103664d · 103664d
1 parent ee02f6e
commit 103664d
Show file tree

Hide file tree

Showing 21 changed files with 163 additions and 209 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -27,11 +27,11 @@
 
 [[constraint]]
   name = "github.com/cloudtrust/common-service"
-  branch = "master"
+  branch = "CLOUDTRUST-2109_2_authorizationManagement"
 
 [[constraint]]
   name = "github.com/cloudtrust/keycloak-client"
-  branch = "master"
+  branch = "CLOUDTRUST-2109_2_authorizationManagement"
 
 [[constraint]]
   name = "github.com/go-kit/kit"

diff --git a/api/management/api.go b/api/management/api.go
@@ -5,7 +5,7 @@ import (
 	"regexp"
 	"strconv"
 
-	"github.com/cloudtrust/keycloak-bridge/internal/dto"
+	"github.com/cloudtrust/common-service/configuration"
 	internal "github.com/cloudtrust/keycloak-bridge/internal/messages"
 	kc "github.com/cloudtrust/keycloak-client"
 )
@@ -262,7 +262,7 @@ func ConvertToKCGroup(group GroupRepresentation) kc.GroupRepresentation {
 }
 
 // ConvertToAPIAuthorizations creates a API authorization representation from an array of DB Authorization
-func ConvertToAPIAuthorizations(authorizations []dto.Authorization) AuthorizationsRepresentation {
+func ConvertToAPIAuthorizations(authorizations []configuration.Authorization) AuthorizationsRepresentation {
 	var matrix = make(map[string]map[string]map[string]struct{})
 
 	for _, authz := range authorizations {
@@ -294,8 +294,8 @@ func ConvertToAPIAuthorizations(authorizations []dto.Authorization) Authorizatio
 }
 
 // ConvertToDBAuthorizations creates an array of DB Authorization from an API AuthorizationsRepresentation
-func ConvertToDBAuthorizations(realmID, groupID string, apiAuthorizations AuthorizationsRepresentation) []dto.Authorization {
-	var authorizations = []dto.Authorization{}
+func ConvertToDBAuthorizations(realmID, groupName string, apiAuthorizations AuthorizationsRepresentation) []configuration.Authorization {
+	var authorizations = []configuration.Authorization{}
 
 	if apiAuthorizations.Matrix == nil {
 		return authorizations
@@ -304,9 +304,9 @@ func ConvertToDBAuthorizations(realmID, groupID string, apiAuthorizations Author
 	for action, u := range *apiAuthorizations.Matrix {
 		if len(u) == 0 {
 			var act = string(action)
-			authorizations = append(authorizations, dto.Authorization{
+			authorizations = append(authorizations, configuration.Authorization{
 				RealmID:   &realmID,
-				GroupName: &groupID,
+				GroupName: &groupName,
 				Action:    &act,
 			})
 			continue
@@ -316,9 +316,9 @@ func ConvertToDBAuthorizations(realmID, groupID string, apiAuthorizations Author
 			if len(v) == 0 {
 				var act = string(action)
 				var targetRealm = string(targetRealmID)
-				authorizations = append(authorizations, dto.Authorization{
+				authorizations = append(authorizations, configuration.Authorization{
 					RealmID:       &realmID,
-					GroupName:     &groupID,
+					GroupName:     &groupName,
 					Action:        &act,
 					TargetRealmID: &targetRealm,
 				})
@@ -329,9 +329,9 @@ func ConvertToDBAuthorizations(realmID, groupID string, apiAuthorizations Author
 				var act = string(action)
 				var targetRealm = string(targetRealmID)
 				var targetGroup = string(targetGroupName)
-				authorizations = append(authorizations, dto.Authorization{
+				authorizations = append(authorizations, configuration.Authorization{
 					RealmID:         &realmID,
-					GroupName:       &groupID,
+					GroupName:       &groupName,
 					Action:          &act,
 					TargetRealmID:   &targetRealm,
 					TargetGroupName: &targetGroup,

diff --git a/api/management/api_test.go b/api/management/api_test.go
@@ -5,7 +5,7 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/cloudtrust/keycloak-bridge/internal/dto"
+	"github.com/cloudtrust/common-service/configuration"
 	kc "github.com/cloudtrust/keycloak-client"
 	"github.com/stretchr/testify/assert"
 )
@@ -204,22 +204,22 @@ func TestConvertToAPIAuthorizations(t *testing.T) {
 	var action2 = "action2"
 	var any = "*"
 
-	var authorizations = []dto.Authorization{}
+	var authorizations = []configuration.Authorization{}
 
-	var authz1 = dto.Authorization{
+	var authz1 = configuration.Authorization{
 		RealmID:   &master,
 		GroupName: &groupName2,
 		Action:    &action2,
 	}
 
-	var authz2 = dto.Authorization{
+	var authz2 = configuration.Authorization{
 		RealmID:       &master,
 		GroupName:     &groupName2,
 		Action:        &action2,
 		TargetRealmID: &any,
 	}
 
-	var authz3 = dto.Authorization{
+	var authz3 = configuration.Authorization{
 		RealmID:         &master,
 		GroupName:       &groupName1,
 		Action:          &action,

diff --git a/cmd/keycloakb/keycloak_bridge.go b/cmd/keycloakb/keycloak_bridge.go
@@ -14,6 +14,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/cloudtrust/common-service/configuration"
 	"github.com/cloudtrust/common-service/database/sqltypes"
 	"github.com/cloudtrust/common-service/healthcheck"
 
@@ -98,9 +99,6 @@ func main() {
 	// Configurations.
 	var c = config(ctx, log.With(logger, "unit", "config"))
 	var (
-		// Component
-		authorizationConfigFile = c.GetString("authorization-file")
-
 		// Publishing
 		httpAddrInternal   = c.GetString("internal-http-host-port")
 		httpAddrManagement = c.GetString("management-http-host-port")
@@ -215,18 +213,6 @@ func main() {
 	// Keycloak adaptor for common-service library
 	commonKcAdaptor := keycloakb.NewKeycloakAuthClient(keycloakClient, logger)
 
-	// Authorization Manager
-	var authorizationManager security.AuthorizationManager
-	{
-		var err error
-		authorizationManager, err = security.NewAuthorizationManagerFromFile(commonKcAdaptor, logger, authorizationConfigFile)
-
-		if err != nil {
-			logger.Error(ctx, "msg", "could not load authorizations", "error", err)
-			return
-		}
-	}
-
 	var sentryClient tracking.SentryTracking
 	{
 		var logger = log.With(logger, "unit", "sentry")
@@ -314,6 +300,25 @@ func main() {
 	healthChecker.AddDatabase("Config RO", configurationRoDBConn, healthCheckCacheDuration)
 	healthChecker.AddHTTPEndpoint("Keycloak", keycloakConfig.AddrAPI, httpTimeout, 200, healthCheckCacheDuration)
 
+	// Authorization Manager
+	var authorizationManager security.AuthorizationManager
+	{
+		var authorizationLogger = log.With(logger, "svc", "authorization")
+
+		var configurationReaderDBModule *configuration.ConfigurationReaderDBModule
+		{
+			configurationReaderDBModule = configuration.NewConfigurationReaderDBModule(configurationRoDBConn, authorizationLogger)
+		}
+
+		var err error
+		authorizationManager, err = security.NewAuthorizationManager(configurationReaderDBModule, commonKcAdaptor, authorizationLogger)
+
+		if err != nil {
+			logger.Error(ctx, "msg", "could not load authorizations", "error", err)
+			return
+		}
+	}
+
 	// Event service.
 	var eventEndpoints = event.Endpoints{}
 	{
@@ -811,7 +816,6 @@ func config(ctx context.Context, logger log.Logger) *viper.Viper {
 
 	// Component default.
 	v.SetDefault("config-file", "./configs/keycloak_bridge.yml")
-	v.SetDefault("authorization-file", "./configs/authorization.json")
 
 	// Log level
 	v.SetDefault("log-level", "info")
@@ -901,9 +905,7 @@ func config(ctx context.Context, logger log.Logger) *viper.Viper {
 
 	// First level of override.
 	pflag.String("config-file", v.GetString("config-file"), "The configuration file path can be relative or absolute.")
-	pflag.String("authorization-file", v.GetString("authorization-file"), "The authorization file path can be relative or absolute.")
 	v.BindPFlag("config-file", pflag.Lookup("config-file"))
-	v.BindPFlag("authorization-file", pflag.Lookup("authorization-file"))
 	pflag.Parse()
 
 	// Bind ENV variables

diff --git a/internal/dto/authorization.go b/internal/dto/authorization.go
diff --git a/internal/dto/configuration.go b/internal/dto/configuration.go
diff --git a/internal/keycloakb/authorizationutil.go b/internal/keycloakb/authorizationutil.go
@@ -3,12 +3,12 @@ package keycloakb
 import (
 	"errors"
 
+	"github.com/cloudtrust/common-service/configuration"
 	api "github.com/cloudtrust/keycloak-bridge/api/management"
-	"github.com/cloudtrust/keycloak-bridge/internal/dto"
 )
 
 // Validate the content of the provided array. Returns an error if any issue is detected
-func Validate(authorizations []dto.Authorization, allowedTargetRealmsAndGroupNames map[string]map[string]struct{}) error {
+func Validate(authorizations []configuration.Authorization, allowedTargetRealmsAndGroupNames map[string]map[string]struct{}) error {
 	for _, auth := range authorizations {
 		// Check TargetRealm
 		if auth.TargetRealmID != nil {

diff --git a/internal/keycloakb/authorizationutil_test.go b/internal/keycloakb/authorizationutil_test.go
@@ -3,7 +3,7 @@ package keycloakb
 import (
 	"testing"
 
-	"github.com/cloudtrust/keycloak-bridge/internal/dto"
+	"github.com/cloudtrust/common-service/configuration"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -24,12 +24,12 @@ func TestValidate(t *testing.T) {
 	allowedTargetRealmsAndGroupNames[realmName][groupName2] = struct{}{}
 	allowedTargetRealmsAndGroupNames[realmName]["*"] = struct{}{}
 
-	var authorizations = []dto.Authorization{}
+	var authorizations = []configuration.Authorization{}
 
 	// Invalid targetRealm
 	{
-		authorizations = []dto.Authorization{
-			dto.Authorization{
+		authorizations = []configuration.Authorization{
+			configuration.Authorization{
 				RealmID:       &realmName,
 				GroupName:     &groupName1,
 				Action:        &action2,
@@ -43,8 +43,8 @@ func TestValidate(t *testing.T) {
 
 	// Invalid targetGroupName
 	{
-		authorizations = []dto.Authorization{
-			dto.Authorization{
+		authorizations = []configuration.Authorization{
+			configuration.Authorization{
 				RealmID:         &realmName,
 				GroupName:       &groupName1,
 				Action:          &action2,
@@ -59,14 +59,14 @@ func TestValidate(t *testing.T) {
 
 	// Incompatible rules due to * in targetRealm
 	{
-		authorizations = []dto.Authorization{
-			dto.Authorization{
+		authorizations = []configuration.Authorization{
+			configuration.Authorization{
 				RealmID:       &realmName,
 				GroupName:     &groupName1,
 				Action:        &action2,
 				TargetRealmID: &star,
 			},
-			dto.Authorization{
+			configuration.Authorization{
 				RealmID:       &realmName,
 				GroupName:     &groupName1,
 				Action:        &action2,
@@ -80,15 +80,15 @@ func TestValidate(t *testing.T) {
 
 	// Incompatible rules due to * in targetGroupName
 	{
-		authorizations = []dto.Authorization{
-			dto.Authorization{
+		authorizations = []configuration.Authorization{
+			configuration.Authorization{
 				RealmID:         &realmName,
 				GroupName:       &groupName1,
 				Action:          &action2,
 				TargetRealmID:   &realmName,
 				TargetGroupName: &star,
 			},
-			dto.Authorization{
+			configuration.Authorization{
 				RealmID:         &realmName,
 				GroupName:       &groupName1,
 				Action:          &action2,
@@ -103,15 +103,15 @@ func TestValidate(t *testing.T) {
 
 	// Valid set of authorizations
 	{
-		authorizations = []dto.Authorization{
-			dto.Authorization{
+		authorizations = []configuration.Authorization{
+			configuration.Authorization{
 				RealmID:         &realmName,
 				GroupName:       &groupName1,
 				Action:          &action2,
 				TargetRealmID:   &realmName,
 				TargetGroupName: &star,
 			},
-			dto.Authorization{
+			configuration.Authorization{
 				RealmID:         &realmName,
 				GroupName:       &groupName1,
 				Action:          &action1,