proxy: Make subject configurable using go template (#129)

Signed-off-by: Lars Sjöström <lars@radicore.se>

cmd/helper_server.go

@@ -24,11 +24,10 @@ import (
 	"crypto/tls"
 	"encoding/base64"
 	"fmt"
+	"net/url"
 	"strings"
 	"time"
 
-	"net/url"
-
 	"github.com/ory/fosite"
 	"github.com/ory/go-convenience/stringsx"
 	"github.com/ory/hydra/sdk/go/hydra"

cmd/migrate_sql.go

@@ -16,7 +16,6 @@ package cmd
 
 import (
 	"fmt"
-
 	"os"
 
 	"github.com/ory/oathkeeper/rule"

cmd/root.go

@@ -23,7 +23,6 @@ package cmd
 import (
 	"fmt"
 	"os"
-
 	"time"
 
 	"github.com/sirupsen/logrus"

cmd/rules_delete.go

@@ -22,7 +22,6 @@ package cmd
 
 import (
 	"fmt"
-
 	"net/http"
 
 	"github.com/ory/oathkeeper/sdk/go/oathkeeper"

cmd/rules_get.go

@@ -21,9 +21,8 @@
 package cmd
 
 import (
-	"net/http"
-
 	"fmt"
+	"net/http"
 
 	"github.com/ory/oathkeeper/sdk/go/oathkeeper"
 	"github.com/spf13/cobra"

cmd/rules_import.go

@@ -21,13 +21,12 @@
 package cmd
 
 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"net/http"
 
-	"bytes"
-
 	"github.com/ory/oathkeeper/rule"
 	"github.com/ory/oathkeeper/sdk/go/oathkeeper"
 	"github.com/ory/oathkeeper/sdk/go/oathkeeper/swagger"

cmd/rules_list.go

@@ -21,9 +21,8 @@
 package cmd
 
 import (
-	"net/http"
-
 	"fmt"
+	"net/http"
 
 	"github.com/ory/oathkeeper/pkg"
 	"github.com/ory/oathkeeper/sdk/go/oathkeeper"

cmd/serve.go

@@ -22,7 +22,6 @@ package cmd
 
 import (
 	"fmt"
-
 	"os"
 	"strconv"
 

cmd/serve_proxy.go

@@ -27,11 +27,10 @@ import (
 	"net/http/httputil"
 
 	"github.com/meatballhat/negroni-logrus"
-	"github.com/ory/metrics-middleware"
-
 	"github.com/ory/go-convenience/corsx"
 	"github.com/ory/graceful"
 	"github.com/ory/keto/sdk/go/keto"
+	"github.com/ory/metrics-middleware"
 	"github.com/ory/oathkeeper/proxy"
 	"github.com/ory/oathkeeper/rule"
 	"github.com/ory/oathkeeper/sdk/go/oathkeeper"

proxy/authenticator_jwt.go

@@ -1,14 +1,12 @@
 package proxy
 
 import (
-	"encoding/json"
-	"net/http"
-
 	"bytes"
 	"crypto/ecdsa"
 	"crypto/rsa"
+	"encoding/json"
 	"fmt"
-
+	"net/http"
 	"net/url"
 
 	"github.com/dgrijalva/jwt-go"

proxy/authenticator_oauth2_client_credentials.go

@@ -5,7 +5,6 @@ import (
 	"context"
 	"encoding/json"
 	"net/http"
-
 	"net/url"
 
 	"github.com/ory/oathkeeper/helper"

proxy/authenticator_oauth2_introspection.go

@@ -2,11 +2,10 @@ package proxy
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
-
-	"context"
 	"net/url"
 	"strings"
 

proxy/authenticator_oauth2_introspection_test.go

@@ -24,9 +24,8 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-	"testing"
-
 	"net/http/httptest"
+	"testing"
 
 	"github.com/julienschmidt/httprouter"
 	"github.com/ory/fosite"

proxy/authorizer_keto_warden.go

@@ -23,7 +23,9 @@ package proxy
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
 	"net/http"
+	"text/template"
 	"time"
 
 	"github.com/asaskevich/govalidator"
@@ -38,6 +40,7 @@ import (
 type AuthorizerKetoWardenConfiguration struct {
 	RequiredAction   string `json:"required_action" valid:",required"`
 	RequiredResource string `json:"required_resource" valid:",required"`
+	Subject          string `json:"subject"`
 }
 
 type AuthorizerKetoWarden struct {
@@ -89,11 +92,20 @@ func (a *AuthorizerKetoWarden) Authorize(r *http.Request, session *Authenticatio
 		return errors.WithStack(err)
 	}
 
+	subject := session.Subject
+	if cf.Subject != "" {
+		templateId := fmt.Sprintf("%s:%s", rl.ID, "subject")
+		subject, err = a.ParseSubject(session, templateId, cf.Subject)
+		if err != nil {
+			return errors.WithStack(err)
+		}
+	}
+
 	defaultSession, response, err := a.K.IsSubjectAuthorized(swagger.WardenSubjectAuthorizationRequest{
 		Action:   compiled.ReplaceAllString(r.URL.String(), cf.RequiredAction),
 		Resource: compiled.ReplaceAllString(r.URL.String(), cf.RequiredResource),
 		Context:  a.contextCreator(r),
-		Subject:  session.Subject,
+		Subject:  subject,
 	})
 	if err != nil {
 		return errors.WithStack(err)
@@ -110,3 +122,27 @@ func (a *AuthorizerKetoWarden) Authorize(r *http.Request, session *Authenticatio
 
 	return nil
 }
+func (a *AuthorizerKetoWarden) ParseSubject(session *AuthenticationSession, templateId, templateString string) (string, error) {
+	tmplFn := template.New("rules").
+		Option("missingkey=zero").
+		Funcs(template.FuncMap{
+			"print": func(i interface{}) string {
+				if i == nil {
+					return ""
+				}
+				return fmt.Sprintf("%v", i)
+			},
+		})
+
+	tmpl, err := tmplFn.New(templateId).Parse(templateString)
+	if err != nil {
+		return "", err
+	}
+
+	subject := bytes.Buffer{}
+	err = tmpl.Execute(&subject, session)
+	if err != nil {
+		return "", err
+	}
+	return subject.String(), nil
+}

proxy/authorizer_keto_warden_test.go

@@ -128,6 +128,30 @@ func TestAuthorizerKetoWarden(t *testing.T) {
 			session:   &AuthenticationSession{Subject: "peter"},
 			expectErr: false,
 		},
+		{
+			config: []byte(`{ "required_action": "action:$1:$2", "required_resource": "resource:$1:$2", "subject": "{{ .Extra.name }}" }`),
+			rule: &rule.Rule{
+				Match: rule.RuleMatch{
+					Methods: []string{"POST"},
+					URL:     "https://localhost/api/users/<[0-9]+>/<[a-z]+>",
+				},
+			},
+			r: &http.Request{URL: mustParseURL(t, "https://localhost/api/users/1234/abcde")},
+			setup: func(t *testing.T, m *MockWardenSDK) {
+				m.EXPECT().IsSubjectAuthorized(gomock.Eq(swagger.WardenSubjectAuthorizationRequest{
+					Action:   "action:1234:abcde",
+					Resource: "resource:1234:abcde",
+					Context:  map[string]interface{}{},
+					Subject:  "peter",
+				})).Return(
+					&swagger.WardenSubjectAuthorizationResponse{Allowed: true},
+					&swagger.APIResponse{Response: &http.Response{StatusCode: http.StatusOK}},
+					nil,
+				)
+			},
+			session:   &AuthenticationSession{Extra: map[string]interface{}{"name": "peter"}},
+			expectErr: false,
+		},
 	} {
 		t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) {
 			c := gomock.NewController(t)

proxy/credentials_issuer_id_token_test.go

@@ -22,13 +22,12 @@ package proxy
 
 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"strings"
 	"testing"
 	"time"
 
-	"fmt"
-
 	"github.com/dgrijalva/jwt-go"
 	"github.com/go-errors/errors"
 	"github.com/ory/oathkeeper/rsakey"

proxy/proxy.go

@@ -24,9 +24,8 @@ import (
 	"context"
 	"io/ioutil"
 	"net/http"
-	"strings"
-
 	"net/url"
+	"strings"
 
 	"github.com/ory/herodot"
 	"github.com/ory/oathkeeper/rsakey"

proxy/proxy_test.go

@@ -26,12 +26,10 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/http/httputil"
-	"testing"
-
-	"strings"
-
 	"net/url"
 	"strconv"
+	"strings"
+	"testing"
 
 	"github.com/ory/oathkeeper/rule"
 	"github.com/stretchr/testify/assert"

rsakey/manager_hydra.go

@@ -22,10 +22,8 @@ package rsakey
 
 import (
 	"crypto/rsa"
-	"net/http"
-
 	"encoding/json"
-
+	"net/http"
 	"strings"
 
 	"github.com/ory/hydra/sdk/go/hydra"

rsakey/manager_test.go

@@ -21,15 +21,13 @@
 package rsakey
 
 import (
+	"crypto/rsa"
 	"log"
 	"net/http"
 	"os"
 	"testing"
-
 	"time"
 
-	"crypto/rsa"
-
 	"github.com/ory/dockertest"
 	"github.com/ory/hydra/sdk/go/hydra"
 	"github.com/pkg/errors"

rule/matcher_cached.go

@@ -22,7 +22,6 @@ package rule
 
 import (
 	"net/url"
-
 	"sync"
 
 	"github.com/ory/oathkeeper/helper"

rule/rule.go

@@ -21,12 +21,11 @@
 package rule
 
 import (
-	"strings"
-
 	"encoding/json"
 	"hash/crc32"
 	"net/url"
 	"regexp"
+	"strings"
 
 	"github.com/ory/ladon/compiler"
 	"github.com/pkg/errors"