-
Notifications
You must be signed in to change notification settings - Fork 4
/
main.go
477 lines (407 loc) · 14.6 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
package main
import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"io"
stdlog "log"
"net/http"
"net/url"
"os"
"os/signal"
"path"
"regexp"
"strings"
"syscall"
"time"
"github.com/coreos/go-oidc"
"github.com/efficientgo/core/merrors"
"github.com/go-kit/kit/log"
"github.com/go-kit/kit/log/level"
"github.com/metalmatze/signal/healthcheck"
"github.com/metalmatze/signal/internalserver"
"github.com/metalmatze/signal/server/signalhttp"
"github.com/observatorium/api/rbac"
"github.com/observatorium/api/tracing"
"github.com/oklog/run"
"github.com/openshift/telemeter/pkg/authorize/tollbooth"
"github.com/openshift/telemeter/pkg/cache"
"github.com/openshift/telemeter/pkg/cache/memcached"
"github.com/prometheus/client_golang/prometheus"
flag "github.com/spf13/pflag"
"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
"go.opentelemetry.io/otel"
"golang.org/x/oauth2"
"golang.org/x/oauth2/clientcredentials"
"github.com/observatorium/opa-ams/ams"
)
const (
dataEndpoint = "/v1/data"
)
var (
validRule = regexp.MustCompile("^[_A-Za-z][\\w]*$")
validPackage = regexp.MustCompile("^[_A-Za-z][\\w]*(\\.[_A-Za-z][\\w]*)*$")
)
type config struct {
amsURL string
logLevel level.Option
logFormat string
mappings map[string][]string
name string
resourceTypePrefix string
oidc oidcConfig
opa opaConfig
memcached memcachedConfig
server serverConfig
tracing tracingConfig
}
type opaConfig struct {
pkg string
rule string
}
type serverConfig struct {
listen string
listenInternal string
healthcheckURL string
}
type memcachedConfig struct {
expire int32
interval int32
servers []string
}
type oidcConfig struct {
audience string
clientID string
clientSecret string
issuerURL string
}
type tracingConfig struct {
serviceName string
endpoint string
endpointType tracing.EndpointType
samplingFraction float64
}
func parseFlags() (*config, error) {
var rawTracingEndpointType string
cfg := &config{}
flag.StringVar(&cfg.name, "debug.name", "opa-ams", "A name to add as a prefix to log lines.")
flag.StringVar(&cfg.resourceTypePrefix, "resource-type-prefix", "", "A prefix to add to the resource name in AMS access review requests.")
logLevelRaw := flag.String("log.level", "info", "The log filtering level. Options: 'error', 'warn', 'info', 'debug'.")
flag.StringVar(&cfg.logFormat, "log.format", "logfmt", "The log format to use. Options: 'logfmt', 'json'.")
flag.StringVar(&cfg.server.listen, "web.listen", ":8080", "The address on which the public server listens.")
flag.StringVar(&cfg.server.listenInternal, "web.internal.listen", ":8081", "The address on which the internal server listens.")
flag.StringVar(&cfg.server.healthcheckURL, "web.healthchecks.url", "http://localhost:8080", "The URL against which to run healthchecks.")
flag.StringVar(&cfg.amsURL, "ams.url", "", "An AMS URL against which to authorize client requests.")
mappingsRaw := flag.StringSlice("ams.mappings", nil, "A list of comma-separated mappings from Observatorium tenants to AMS organization IDs, e.g. foo=bar,x=y")
mappingsPath := flag.String("ams.mappings-path", "", "A path to a JSON file containing a map from Observatorium tenants to AMS organization IDs.")
flag.StringVar(&cfg.tracing.serviceName, "internal.tracing.service-name", "opa-ams",
"The service name to report to the tracing backend.")
flag.StringVar(&cfg.tracing.endpoint, "internal.tracing.endpoint", "",
"The full URL of the trace agent or collector. If it's not set, tracing will be disabled.")
flag.StringVar(&rawTracingEndpointType, "internal.tracing.endpoint-type", string(tracing.EndpointTypeAgent),
fmt.Sprintf("The tracing endpoint type. Options: '%s', '%s'.", tracing.EndpointTypeAgent, tracing.EndpointTypeCollector))
flag.Float64Var(&cfg.tracing.samplingFraction, "internal.tracing.sampling-fraction", 0.1,
"The fraction of traces to sample. Thus, if you set this to .5, half of traces will be sampled.")
flag.StringVar(&cfg.oidc.issuerURL, "oidc.issuer-url", "", "The OIDC issuer URL, see https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery.")
flag.StringVar(&cfg.oidc.clientSecret, "oidc.client-secret", "", "The OIDC client secret, see https://tools.ietf.org/html/rfc6749#section-2.3.")
flag.StringVar(&cfg.oidc.clientID, "oidc.client-id", "", "The OIDC client ID, see https://tools.ietf.org/html/rfc6749#section-2.3.")
flag.StringVar(&cfg.oidc.audience, "oidc.audience", "", "The audience for whom the access token is intended, see https://openid.net/specs/openid-connect-core-1_0.html#IDToken.")
flag.StringSliceVar(&cfg.memcached.servers, "memcached", nil, "One or more Memcached server addresses.")
flag.Int32Var(&cfg.memcached.expire, "memcached.expire", 60*60, "Time after which keys stored in Memcached should expire, given in seconds.")
flag.Int32Var(&cfg.memcached.interval, "memcached.interval", 10, "The interval at which to update the Memcached DNS, given in seconds; use 0 to disable.")
flag.StringVar(&cfg.opa.pkg, "opa.package", "", "The name of the OPA package that opa-ams should implement, see https://www.openpolicyagent.org/docs/latest/policy-language/#packages.")
flag.StringVar(&cfg.opa.rule, "opa.rule", "allow", "The name of the OPA rule for which opa-ams should provide a result, see https://www.openpolicyagent.org/docs/latest/policy-language/#rules.")
flag.Parse()
switch *logLevelRaw {
case "error":
cfg.logLevel = level.AllowError()
case "warn":
cfg.logLevel = level.AllowWarn()
case "info":
cfg.logLevel = level.AllowInfo()
case "debug":
cfg.logLevel = level.AllowDebug()
default:
return nil, fmt.Errorf("unexpected log level: %s", *logLevelRaw)
}
if len(cfg.opa.pkg) > 0 && !validPackage.Match([]byte(cfg.opa.pkg)) {
return nil, fmt.Errorf("invalid OPA package name: %s", cfg.opa.pkg)
}
if len(cfg.opa.rule) > 0 && !validRule.Match([]byte(cfg.opa.rule)) {
return nil, fmt.Errorf("invalid OPA rule name: %s", cfg.opa.rule)
}
cfg.mappings = make(map[string][]string)
for _, m := range *mappingsRaw {
parts := strings.Split(m, "=")
if len(parts) != 2 {
return nil, fmt.Errorf("invalid mapping: %q", m)
}
cfg.mappings[parts[0]] = append(cfg.mappings[parts[0]], parts[1])
}
if len(*mappingsPath) > 0 {
buf, err := os.ReadFile(*mappingsPath)
if err != nil {
stdlog.Fatalf("unable to read JSON file: %v", err)
}
if err := json.Unmarshal(buf, &cfg.mappings); err != nil {
stdlog.Fatalf("unable to parse contents of %s: %v", *mappingsPath, err)
}
}
cfg.tracing.endpointType = tracing.EndpointType(rawTracingEndpointType)
return cfg, nil
}
func main() {
cfg, err := parseFlags()
if err != nil {
stdlog.Fatal(err)
}
logger := log.NewLogfmtLogger(log.NewSyncWriter(os.Stderr))
if cfg.logFormat == "json" {
logger = log.NewJSONLogger(log.NewSyncWriter(os.Stderr))
}
logger = level.NewFilter(logger, cfg.logLevel)
if cfg.name != "" {
logger = log.With(logger, "name", cfg.name)
}
logger = log.With(logger, "ts", log.DefaultTimestampUTC, "caller", log.DefaultCaller)
defer level.Info(logger).Log("msg", "exiting")
reg := prometheus.NewRegistry()
reg.MustRegister(
prometheus.NewGoCollector(),
prometheus.NewProcessCollector(prometheus.ProcessCollectorOpts{}),
)
tp, closer, err := tracing.InitTracer(
cfg.tracing.serviceName,
cfg.tracing.endpoint,
cfg.tracing.endpointType,
cfg.tracing.samplingFraction,
)
if err != nil {
stdlog.Fatalf("initialize tracer: %v", err)
}
defer closer()
otel.SetErrorHandler(otelErrorHandler{logger: logger})
hi := signalhttp.NewHandlerInstrumenter(reg, []string{"handler"})
rti := newRoundTripperInstrumenter(reg)
healthchecks := healthcheck.NewMetricsHandler(healthcheck.NewHandler(), reg)
amsURL, err := url.Parse(cfg.amsURL)
if err != nil {
stdlog.Fatalf("invalid AMS URL: %v", err)
}
amsURL.Path = path.Join(amsURL.Path, ams.AccessReviewEndpoint)
provider, err := oidc.NewProvider(context.Background(), cfg.oidc.issuerURL)
if err != nil {
stdlog.Fatalf("OIDC provider initialization failed: %v", err)
}
ctx := context.WithValue(context.Background(), oauth2.HTTPClient,
&http.Client{
Transport: rti.NewRoundTripper("oauth", http.DefaultTransport),
},
)
oidcConfig := clientcredentials.Config{
ClientID: cfg.oidc.clientID,
ClientSecret: cfg.oidc.clientSecret,
TokenURL: provider.Endpoint().TokenURL,
}
if cfg.oidc.audience != "" {
oidcConfig.EndpointParams = url.Values{
"audience": []string{cfg.oidc.audience},
}
}
client := &http.Client{
Transport: otelhttp.NewTransport(
&oauth2.Transport{
Base: rti.NewRoundTripper("ams", http.DefaultTransport),
Source: oidcConfig.TokenSource(ctx),
}),
}
if len(cfg.memcached.servers) > 0 {
mc := memcached.New(context.Background(), cfg.memcached.interval, cfg.memcached.expire, cfg.memcached.servers...)
client.Transport = cache.NewRoundTripper(mc, tollbooth.ExtractToken, client.Transport, log.With(logger, "component", "cache"), reg)
}
p := path.Join(dataEndpoint, strings.ReplaceAll(cfg.opa.pkg, ".", "/"), cfg.opa.rule)
level.Info(logger).Log("msg", "configuring the OPA endpoint", "path", p)
a := &authorizer{client: client, url: amsURL.String(), logger: log.With(logger, "component", "cache")}
m := http.NewServeMux()
m.HandleFunc(p, hi.NewHandler(prometheus.Labels{"handler": "data"}, http.HandlerFunc(newHandler(a, cfg.resourceTypePrefix, cfg.mappings))))
if cfg.server.healthcheckURL != "" {
// checks if server is up
healthchecks.AddLivenessCheck("http",
healthcheck.HTTPCheckClient(
&http.Client{},
cfg.server.healthcheckURL,
http.MethodGet,
http.StatusNotFound,
time.Second,
),
)
}
level.Info(logger).Log("msg", "starting opa-ams")
var g run.Group
{
// Signal channels must be buffered.
sig := make(chan os.Signal, 1)
g.Add(func() error {
signal.Notify(sig, os.Interrupt, syscall.SIGTERM)
<-sig
level.Info(logger).Log("msg", "caught interrupt")
return nil
}, func(_ error) {
close(sig)
})
}
{
s := http.Server{
Addr: cfg.server.listen,
Handler: otelhttp.NewHandler(m, "opa-ams", otelhttp.WithTracerProvider(tp)),
}
g.Add(func() error {
level.Info(logger).Log("msg", "starting the HTTP server", "address", cfg.server.listen)
return s.ListenAndServe()
}, func(err error) {
level.Info(logger).Log("msg", "shutting down the HTTP server")
_ = s.Shutdown(context.Background())
})
}
{
h := internalserver.NewHandler(
internalserver.WithName("Internal - opa-ams API"),
internalserver.WithHealthchecks(healthchecks),
internalserver.WithPrometheusRegistry(reg),
internalserver.WithPProf(),
)
s := http.Server{
Addr: cfg.server.listenInternal,
Handler: otelhttp.NewHandler(h, "opa-ams-internal", otelhttp.WithTracerProvider(tp)),
}
g.Add(func() error {
level.Info(logger).Log("msg", "starting internal HTTP server", "address", s.Addr)
return s.ListenAndServe()
}, func(err error) {
_ = s.Shutdown(context.Background())
})
}
if err := g.Run(); err != nil {
stdlog.Fatal(err)
}
}
func newHandler(a *authorizer, resourceTypePrefix string, mappings map[string][]string) func(http.ResponseWriter, *http.Request) {
return func(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "request must be a POST", http.StatusBadRequest)
return
}
body, err := io.ReadAll(r.Body)
if err != nil {
http.Error(w, "failed to read body", http.StatusInternalServerError)
return
}
defer r.Body.Close()
var req struct {
Input struct {
Permission string `json:"permission"`
Resource string `json:"resource"`
Subject string `json:"subject"`
Tenant string `json:"tenant"`
} `json:"input"`
}
if err := json.Unmarshal(body, &req); err != nil {
http.Error(w, "failed to unmarshal JSON", http.StatusInternalServerError)
return
}
var action string
switch req.Input.Permission {
case string(rbac.Read):
action = "get"
case string(rbac.Write):
action = "create"
default:
http.Error(w, "unknown permission", http.StatusBadRequest)
return
}
allowedOrganizationIDs, ok := mappings[req.Input.Tenant]
if !ok {
http.Error(w, "unknown tenant", http.StatusBadRequest)
return
}
resourceType := fmt.Sprintf("%s%s", strings.Title(strings.ToLower(resourceTypePrefix)), strings.Title(strings.ToLower(req.Input.Resource)))
allowed, err := a.authorize(action, req.Input.Subject, allowedOrganizationIDs, resourceType)
if err != nil {
statusCode := http.StatusInternalServerError
if sce, ok := err.(statusCoder); ok {
statusCode = sce.statusCode()
}
http.Error(w, err.Error(), statusCode)
return
}
w.Write([]byte(fmt.Sprintf("{\"result\":%t}", allowed)))
}
}
type statusCoder interface {
statusCode() int
}
type statusCodeError struct {
error
sc int
}
func (s *statusCodeError) statusCode() int {
return s.sc
}
type authorizer struct {
client *http.Client
url string
logger log.Logger
}
func (a *authorizer) authorize(action string, accountUsername string, allowedOrganizationIDs []string, resourceType string) (bool, error) {
errs := merrors.New()
for _, orgId := range allowedOrganizationIDs {
ar := ams.AccessReview{
Action: action,
AccountUsername: accountUsername,
OrganizationID: orgId,
ResourceType: resourceType,
}
allowed, err := a.reviewAccessForOrgId(ar)
if allowed {
return true, nil
}
errs.Add(err)
}
return false, errs.Err()
}
func (a *authorizer) reviewAccessForOrgId(ar ams.AccessReview) (bool, error) {
j, err := json.Marshal(ar)
if err != nil {
return false, fmt.Errorf("failed to marshal access review to JSON: %w", err)
}
res, err := a.client.Post(a.url, "application/json", bytes.NewBuffer(j))
if res != nil {
defer res.Body.Close()
}
if err != nil {
return false, fmt.Errorf("failed to make request to AMS endpoint: %w", err)
}
if res.StatusCode/100 != 2 {
msg := "got non-200 status from upstream"
level.Error(a.logger).Log("msg", msg, "status", res.Status)
if _, err = io.Copy(io.Discard, res.Body); err != nil {
level.Error(a.logger).Log("msg", "failed to discard response body", "err", err.Error())
}
return false, &statusCodeError{errors.New(msg), res.StatusCode}
}
var accessReviewResponse struct {
Allowed bool `json:"allowed"`
}
if err := json.NewDecoder(res.Body).Decode(&accessReviewResponse); err != nil {
return false, fmt.Errorf("failed to unmarshal access review response: %w", err)
}
return accessReviewResponse.Allowed, nil
}
type otelErrorHandler struct {
logger log.Logger
}
func (oh otelErrorHandler) Handle(err error) {
level.Error(oh.logger).Log("msg", "opentelemetry", "err", err.Error())
}