-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Support appending sec-* headers as configured, resolved from authenti…
…cated user
- Loading branch information
Showing
42 changed files
with
1,550 additions
and
210 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,72 @@ | ||
|
||
# Configuration properties | ||
|
||
## Configuration object model | ||
|
||
```mermaid | ||
classDiagram | ||
GatewayConfigProperties *-- HeaderMappings : defaultHeaders | ||
GatewayConfigProperties *-- "0..*" RoleBasedAccessRule : globalAccessRules | ||
GatewayConfigProperties *-- "0..*" Service | ||
Service *-- HeaderMappings : headers | ||
Service *-- "0..*" RoleBasedAccessRule : accessRules | ||
class GatewayConfigProperties{ | ||
Map<String, Service> services | ||
} | ||
class HeaderMappings{ | ||
boolean proxy | ||
boolean username | ||
boolean roles | ||
boolean org | ||
boolean orgname | ||
boolean email | ||
boolean firstname | ||
boolean lastname | ||
boolean tel | ||
boolean jsonUser | ||
boolean jsonOrganization | ||
} | ||
class RoleBasedAccessRule{ | ||
List~String~ interceptUrl | ||
boolean anonymous | ||
List~String~ allowedRoles | ||
} | ||
class Service{ | ||
URL target | ||
} | ||
``` | ||
|
||
## Example YAML configuration | ||
|
||
```yaml | ||
georchestra: | ||
gateway: | ||
default-headers: | ||
proxy: true | ||
username: true | ||
roles: true | ||
org: true | ||
orgname: true | ||
global-access-rules: | ||
- intercept-url: /** | ||
anonymous: true | ||
services: | ||
analytics: | ||
target: http://analytics:8080/analytics/ | ||
access-rules: | ||
- intercept-url: /analytics/** | ||
allowed-roles: SUPERUSER, ORGADMIN | ||
atlas: | ||
target: http://atlas:8080/atlas/ | ||
console: | ||
target: http://console:8080/console/ | ||
access-rules: | ||
- intercept-url: | ||
- /console/public/** | ||
- /console/manager/public/** | ||
anonymous: true | ||
- intercept-url: | ||
- /console/private/** | ||
- /console/manager/** | ||
allowed-roles: SUPERUSER, ORGADMIN | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
47 changes: 47 additions & 0 deletions
47
src/main/java/org/georchestra/gateway/autoconfigure/app/FiltersAutoConfiguration.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
/* | ||
* Copyright (C) 2021 by the geOrchestra PSC | ||
* | ||
* This file is part of geOrchestra. | ||
* | ||
* geOrchestra is free software: you can redistribute it and/or modify it under | ||
* the terms of the GNU General Public License as published by the Free | ||
* Software Foundation, either version 3 of the License, or (at your option) | ||
* any later version. | ||
* | ||
* geOrchestra is distributed in the hope that it will be useful, but WITHOUT | ||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | ||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for | ||
* more details. | ||
* | ||
* You should have received a copy of the GNU General Public License along with | ||
* geOrchestra. If not, see <http://www.gnu.org/licenses/>. | ||
*/ | ||
package org.georchestra.gateway.autoconfigure.app; | ||
|
||
import org.georchestra.gateway.filter.global.ResolveTargetGlobalFilter; | ||
import org.georchestra.gateway.filter.headers.HeaderFiltersConfiguration; | ||
import org.georchestra.gateway.model.GatewayConfigProperties; | ||
import org.georchestra.gateway.model.GeorchestraTargetConfig; | ||
import org.springframework.boot.autoconfigure.AutoConfigureBefore; | ||
import org.springframework.boot.context.properties.EnableConfigurationProperties; | ||
import org.springframework.cloud.gateway.config.GatewayAutoConfiguration; | ||
import org.springframework.cloud.gateway.filter.GlobalFilter; | ||
import org.springframework.context.annotation.Bean; | ||
import org.springframework.context.annotation.Configuration; | ||
import org.springframework.context.annotation.Import; | ||
|
||
@Configuration(proxyBeanMethods = false) | ||
@AutoConfigureBefore(GatewayAutoConfiguration.class) | ||
@Import(HeaderFiltersConfiguration.class) | ||
@EnableConfigurationProperties(GatewayConfigProperties.class) | ||
public class FiltersAutoConfiguration { | ||
|
||
/** | ||
* {@link GlobalFilter} to {@link GeorchestraTargetConfig#setTarget save) the | ||
* matched Route's GeorchestraTargetConfig for each HTTP request-response | ||
* interaction before other filters are applied. | ||
*/ | ||
public @Bean ResolveTargetGlobalFilter resolveTargetWebFilter(GatewayConfigProperties config) { | ||
return new ResolveTargetGlobalFilter(config); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
104 changes: 104 additions & 0 deletions
104
src/main/java/org/georchestra/gateway/filter/global/ResolveTargetGlobalFilter.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,104 @@ | ||
/* | ||
* Copyright (C) 2022 by the geOrchestra PSC | ||
* | ||
* This file is part of geOrchestra. | ||
* | ||
* geOrchestra is free software: you can redistribute it and/or modify it under | ||
* the terms of the GNU General Public License as published by the Free | ||
* Software Foundation, either version 3 of the License, or (at your option) | ||
* any later version. | ||
* | ||
* geOrchestra is distributed in the hope that it will be useful, but WITHOUT | ||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | ||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for | ||
* more details. | ||
* | ||
* You should have received a copy of the GNU General Public License along with | ||
* geOrchestra. If not, see <http://www.gnu.org/licenses/>. | ||
*/ | ||
package org.georchestra.gateway.filter.global; | ||
|
||
import static org.springframework.cloud.gateway.support.ServerWebExchangeUtils.GATEWAY_ROUTE_ATTR; | ||
|
||
import java.net.URI; | ||
import java.util.Objects; | ||
|
||
import org.georchestra.gateway.model.GatewayConfigProperties; | ||
import org.georchestra.gateway.model.GeorchestraTargetConfig; | ||
import org.georchestra.gateway.model.Service; | ||
import org.georchestra.gateway.security.ResolveGeorchestraUserGlobalFilter; | ||
import org.springframework.cloud.gateway.filter.GatewayFilterChain; | ||
import org.springframework.cloud.gateway.filter.GlobalFilter; | ||
import org.springframework.cloud.gateway.filter.RouteToRequestUrlFilter; | ||
import org.springframework.cloud.gateway.route.Route; | ||
import org.springframework.core.Ordered; | ||
import org.springframework.web.server.ServerWebExchange; | ||
|
||
import lombok.NonNull; | ||
import lombok.RequiredArgsConstructor; | ||
import lombok.extern.slf4j.Slf4j; | ||
import reactor.core.publisher.Mono; | ||
|
||
/** | ||
* A {@link GlobalFilter} that resolves the {@link GeorchestraTargetConfig | ||
* configuration} for the request's matched {@link Route} and | ||
* {@link GeorchestraTargetConfig#setTarget stores} it to be | ||
* {@link GeorchestraTargetConfig#getTarget acquired} by non-global filters as | ||
* needed. | ||
*/ | ||
@RequiredArgsConstructor | ||
@Slf4j | ||
public class ResolveTargetGlobalFilter implements GlobalFilter, Ordered { | ||
|
||
public static final int ORDER = ResolveGeorchestraUserGlobalFilter.ORDER + 1; | ||
|
||
private final @NonNull GatewayConfigProperties config; | ||
|
||
/** | ||
* @return a lower precedence than {@link RouteToRequestUrlFilter}'s, in order | ||
* to make sure the matched {@link Route} has been set as a | ||
* {@link ServerWebExchange#getAttributes attribute} when | ||
* {@link #filter} is called. | ||
*/ | ||
public @Override int getOrder() { | ||
return ResolveTargetGlobalFilter.ORDER; | ||
} | ||
|
||
/** | ||
* Resolves the matched {@link Route} and its corresponding | ||
* {@link GeorchestraTargetConfig}, if possible, and proceeds with the filter | ||
* chain. | ||
*/ | ||
public @Override Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) { | ||
Route route = (Route) exchange.getAttributes().get(GATEWAY_ROUTE_ATTR); | ||
if (null == route) { | ||
log.info("Requested URI didn't match any Route, geOrchestra target resolution ignored."); | ||
} else { | ||
GeorchestraTargetConfig config = resolveTarget(route); | ||
log.debug("Storing geOrchestra target config for Route {} request context", route.getId()); | ||
GeorchestraTargetConfig.setTarget(exchange, config); | ||
} | ||
return chain.filter(exchange); | ||
} | ||
|
||
private @NonNull GeorchestraTargetConfig resolveTarget(@NonNull Route route) { | ||
|
||
GeorchestraTargetConfig target = new GeorchestraTargetConfig().headers(config.getDefaultHeaders()) | ||
.accessRules(config.getGlobalAccessRules()); | ||
|
||
final URI routeURI = route.getUri(); | ||
|
||
for (Service service : config.getServices().values()) { | ||
var serviceURI = service.getTarget(); | ||
if (Objects.equals(routeURI, serviceURI)) { | ||
if (!service.getAccessRules().isEmpty()) | ||
target.accessRules(service.getAccessRules()); | ||
if (service.getHeaders().isPresent()) | ||
target.headers(service.getHeaders().get()); | ||
break; | ||
} | ||
} | ||
return target; | ||
} | ||
|
||
} |
Oops, something went wrong.