opaserveresponse.go
package opaserveresponse
import (
"time"
"github.com/zalando/skipper/filters"
"gopkg.in/yaml.v2"
"github.com/zalando/skipper/filters/openpolicyagent"
"github.com/zalando/skipper/filters/openpolicyagent/internal/envoy"
)
// spec is the filters.Spec implementation returned by
// NewOpaServeResponseSpec. It carries what CreateFilter needs to build a
// filter: the registry and the instance config options.
type spec struct {
	// registry is asked for an OPA instance each time CreateFilter runs.
	registry *openpolicyagent.OpenPolicyAgentRegistry
	// opts are handed to openpolicyagent.NewOpenPolicyAgentConfig for every
	// filter created from this spec.
	opts []func(*openpolicyagent.OpenPolicyAgentInstanceConfig) error
}
// NewOpaServeResponseSpec returns the filter spec for the filter named
// filters.OpaServeResponseName. The registry and the config options are
// stored unchanged and used by CreateFilter for every filter instance.
//
// The registry is not checked here; CreateFilter calls a method on it.
func NewOpaServeResponseSpec(registry *openpolicyagent.OpenPolicyAgentRegistry, opts ...func(*openpolicyagent.OpenPolicyAgentInstanceConfig) error) filters.Spec {
	s := new(spec)
	s.registry = registry
	s.opts = opts
	return s
}
// Name returns the filter name, filters.OpaServeResponseName. CreateFilter
// also passes this name to the registry when it requests an OPA instance.
func (s *spec) Name() string { return filters.OpaServeResponseName }
// CreateFilter builds a filter from its route arguments.
//
// args[0] is required and must be a string: the bundle name. args[1] is
// optional and must be a string holding a YAML mapping of string keys to
// string values; it is decoded into the envoy context extensions that Request
// attaches to every authorization request. The extensions are therefore fixed
// when the filter is created and are not taken from the incoming request.
//
// A wrong argument count or a non-string argument yields
// filters.ErrInvalidFilterParameters. A YAML decoding error, a config option
// error and an instance creation error are returned as they are.
func (s *spec) CreateFilter(args []interface{}) (filters.Filter, error) {
	if n := len(args); n < 1 || n > 2 {
		return nil, filters.ErrInvalidFilterParameters
	}

	bundleName, isString := args[0].(string)
	if !isString {
		return nil, filters.ErrInvalidFilterParameters
	}

	extensions := map[string]string{}
	if len(args) == 2 {
		raw, isString := args[1].(string)
		if !isString {
			return nil, filters.ErrInvalidFilterParameters
		}
		// NOTE(review): yaml.Unmarshal is the lenient decoder, so a duplicate
		// key in the mapping is not reported as an error. Confirm that is
		// acceptable for values that end up in the policy input.
		if err := yaml.Unmarshal([]byte(raw), &extensions); err != nil {
			return nil, err
		}
	}

	cfg, err := openpolicyagent.NewOpenPolicyAgentConfig(s.opts...)
	if err != nil {
		return nil, err
	}

	instance, err := s.registry.NewOpenPolicyAgentInstance(bundleName, *cfg, s.Name())
	if err != nil {
		return nil, err
	}

	return &opaServeResponseFilter{
		opa:                    instance,
		registry:               s.registry,
		envoyContextExtensions: extensions,
	}, nil
}
// opaServeResponseFilter is the filter created by spec.CreateFilter. Its
// Request method evaluates the policy and serves the outcome.
type opaServeResponseFilter struct {
	// opa is the instance that evaluates each request and serves the result.
	opa *openpolicyagent.OpenPolicyAgentInstance
	// registry is the registry the instance was obtained from; the methods
	// shown in this file do not read it.
	registry *openpolicyagent.OpenPolicyAgentRegistry
	// envoyContextExtensions is passed to envoy.AdaptToExtAuthRequest for
	// every request. It is decoded once, in CreateFilter, from the optional
	// second filter argument and is empty when that argument is absent.
	envoyContextExtensions map[string]string
}
// Request evaluates the policy for the incoming request and hands the outcome
// to the OPA instance to serve. An evaluation error goes to
// ServeInvalidDecisionError and never reaches ServeResponse; every other
// result goes to ServeResponse.
//
// NOTE(review): what the two Serve* methods write to the client is defined in
// the openpolicyagent package and is not visible here. Confirm that the error
// path denies rather than forwards.
func (f *opaServeResponseFilter) Request(fc filters.FilterContext) {
	span, ctx := f.opa.StartSpanFromFilterContext(fc)
	defer span.Finish()

	// Build the authorization request from the HTTP request, the instance's
	// envoy metadata and the extensions fixed at filter creation.
	httpReq := fc.Request()
	metadata := f.opa.InstanceConfig().GetEnvoyMetadata()
	authzreq := envoy.AdaptToExtAuthRequest(httpReq, metadata, f.envoyContextExtensions)

	// The evaluation time is recorded before the error check, so failed
	// evaluations are measured too.
	began := time.Now()
	decision, err := f.opa.Eval(ctx, authzreq)
	fc.Metrics().MeasureSince(f.opa.MetricsKey("eval_time"), began)

	if err == nil {
		f.opa.ServeResponse(fc, span, decision)
		return
	}
	f.opa.ServeInvalidDecisionError(fc, span, decision, err)
}
// Response does nothing. Request already hands every evaluation outcome to
// one of the instance's Serve* methods.
func (f *opaServeResponseFilter) Response(fc filters.FilterContext) {
	// Intentionally empty.
}
// OpenPolicyAgent returns the OPA instance this filter evaluates requests
// with. The pointer is the filter's own instance, not a copy.
func (f *opaServeResponseFilter) OpenPolicyAgent() *openpolicyagent.OpenPolicyAgentInstance { return f.opa }