From 274cfe7c4f545ccd271c28e5639e18cc13856214 Mon Sep 17 00:00:00 2001
From: akshay196-rafay <93963751+akshay196-rafay@users.noreply.github.com>
Date: Mon, 7 Mar 2022 16:40:03 +0530
Subject: [PATCH] Improve Auth module (#36)

* Expose NewSessionContext function

When auth middleware or interceptor is being mocked by other service then they can take help of `session.NewSessionContext` to store mocked session data to request context.

* Initialize _log in auth at creating

* Allow excluding URLs in Auth middleware
---
 pkg/auth/v3/auth.go | 10 +++++-----
 pkg/auth/v3/interceptor.go | 2 +-
 pkg/auth/v3/middleware.go | 16 +++++++++++++++-
 pkg/auth/v3/session.go | 2 +-
 4 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/pkg/auth/v3/auth.go b/pkg/auth/v3/auth.go
index b8e6fa8..5e155ca 100644
--- a/pkg/auth/v3/auth.go
+++ b/pkg/auth/v3/auth.go
@@ -7,11 +7,7 @@ import (
 kclient "github.com/ory/kratos-client-go"
 )
-var _log *logv2.Logger
-
-func init() {
- _log = logv2.GetLogger()
-}
+var _log = logv2.GetLogger()
 type Option struct {
 // ExcludeRPCMethods is a list of full RPC method string in
@@ -19,6 +15,10 @@ type Option struct {
 // /rafay.dev.rpc.v3.Idp/ListIdps). These RPC methods are to
 // be excluded from the auth interceptor.
 ExcludeRPCMethods []string
+
+ // ExcludeURLs is a list of URL regular expressions that are
+ // excluded from the auth middleware.
+ ExcludeURLs []string
 }
 type authContext struct {
diff --git a/pkg/auth/v3/interceptor.go b/pkg/auth/v3/interceptor.go
index d84ec64..1820d32 100644
--- a/pkg/auth/v3/interceptor.go
+++ b/pkg/auth/v3/interceptor.go
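Review bot: The new ExcludeURLs comment says "URL regular expressions", but the middleware added in this same patch (middleware.go) matches each expression against `r.URL.Path` only, via `regexp.MatchString`, which is unanchored — an expression without `^`/`$` excludes every path that merely contains it. Because a matching path skips the authorization call entirely, the field comment should state both facts so operators configure it safely; suggested wording: `// ExcludeURLs is a list of regular expressions matched against the request URL path (not the host or query). A request whose path matches any of them bypasses the auth middleware; anchor expressions (^...$) so that only the intended paths are excluded.` The Option struct begins outside this hunk.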
@@ -58,7 +58,7 @@ func (ac authContext) NewAuthUnaryInterceptor(opt Option) grpc.UnaryServerInterc
 s := res.GetStatus()
 switch s {
 case commonpbv3.RequestStatus_RequestAllowed:
- ctx := newSessionContext(ctx, res.SessionData)
+ ctx := NewSessionContext(ctx, res.SessionData)
 return handler(ctx, req)
 case commonpbv3.RequestStatus_RequestMethodOrURLNotAllowed:
 return nil, status.Error(codes.PermissionDenied, res.GetReason())
diff --git a/pkg/auth/v3/middleware.go b/pkg/auth/v3/middleware.go
index 171ba5a..a7b9de0 100644
--- a/pkg/auth/v3/middleware.go
+++ b/pkg/auth/v3/middleware.go
@@ -2,6 +2,7 @@ package authv3
 import (
 "net/http"
+ "regexp"
 commonpbv3 "github.com/RafaySystems/rcloud-base/proto/types/commonpb/v3"
 "github.com/urfave/negroni"
@@ -20,6 +21,18 @@ func NewAuthMiddleware(opt Option) negroni.Handler {
 }
 func (am *authMiddleware) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+ for _, ex := range am.opt.ExcludeURLs {
+ match, err := regexp.MatchString(ex, r.URL.Path)
+ if err != nil {
+ _log.Errorf("failed to match URL expression", err)
+ http.Error(rw, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+ return
+ }
+ if match {
+ next(rw, r)
+ return
+ }
+ }
 req := &commonpbv3.IsRequestAllowedRequest{
 Url: r.URL.String(),
 Method: r.Method,
@@ -36,8 +49,9 @@ func (am *authMiddleware) ServeHTTP(rw http.ResponseWriter, r *http.Request, nex
 s := res.GetStatus()
 switch s {
 case commonpbv3.RequestStatus_RequestAllowed:
- ctx := newSessionContext(r.Context(), res.SessionData)
+ ctx := NewSessionContext(r.Context(), res.SessionData)
 next(rw, r.WithContext(ctx))
+ return
 case commonpbv3.RequestStatus_RequestMethodOrURLNotAllowed:
 http.Error(rw, res.GetReason(), http.StatusForbidden)
 return
diff --git a/pkg/auth/v3/session.go b/pkg/auth/v3/session.go
index e8f6f3b..a7f863c 100644
--- a/pkg/auth/v3/session.go
+++ b/pkg/auth/v3/session.go
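Review bot: In the ServeHTTP hunk (`@@ -20,6 +21,18 @@`) each exclusion pattern is recompiled by `regexp.MatchString` on every request, and a malformed pattern is only discovered at request time, where it turns every request into a 500 before the authorization call is reached; the patterns are static configuration and should be compiled once in NewAuthMiddleware (whose body lies outside this hunk) with the error surfaced at construction. The error log line `_log.Errorf("failed to match URL expression", err)` also has no format verb, so if Errorf is printf-style (the name suggests so) the error is never rendered properly; precompiling removes that branch altogether. Suggested shape for the loop, assuming a new `excludeURLs []*regexp.Regexp` field populated from `opt.ExcludeURLs` in NewAuthMiddleware:

```go
func (am *authMiddleware) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
	// excludeURLs is compiled once in NewAuthMiddleware (outside this hunk);
	// a bad pattern fails there, not on every request.
	for _, re := range am.excludeURLs {
		if re.MatchString(r.URL.Path) {
			next(rw, r)
			return
		}
	}
	// … unchanged: IsRequestAllowedRequest construction and auth call …
```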
@@ -10,7 +10,7 @@ type contextKey struct{}
 var sessionDataKey contextKey
-func newSessionContext(ctx context.Context, s *commonv3.SessionData) context.Context {
+func NewSessionContext(ctx context.Context, s *commonv3.SessionData) context.Context {
 return context.WithValue(ctx, sessionDataKey, s)
 }
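Review bot: NewSessionContext becomes an exported function here but carries no doc comment, which golint/staticcheck flag for exported identifiers, and the reason it is exported (a seam for services that mock the auth middleware or interceptor) is recorded only in the commit message. Suggested comment above the func: `// NewSessionContext returns a copy of ctx carrying s as the request's session data. It is exported so that services mocking the auth middleware or interceptor can seed a request context with session data.`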