feat: Add proper support for Auth delegation

Signed-off-by: Utkarsh Saxena <[email protected]>
razorpay · May 26, 2024 · 235ca58 · 235ca58
1 parent 59c4e80
commit 235ca58
Show file tree

Hide file tree

Showing 13 changed files with 393 additions and 371 deletions.
diff --git a/cmd/gateway/main.go b/cmd/gateway/main.go
@@ -109,7 +109,7 @@ func startGatewayServers(_ctx *context.Context) []*http.Server {
 
 	servers := make([]*http.Server, len(boot.Config.Gateway.Ports))
 	for i, port := range boot.Config.Gateway.Ports {
-		server := router.Server(&ctx, port, &gatewayClient, boot.Config.App.ServiceExternalHostname, boot.Config.Auth.Router.Authenticate)
+		server := router.Server(&ctx, port, &gatewayClient, boot.Config.App.ServiceExternalHostname)
 		servers[i] = server
 
 		go listenHttp(&ctx, server, port)

diff --git a/config/default.toml b/config/default.toml
@@ -30,11 +30,10 @@
 [auth]
     token                        = "test123"
     tokenHeaderKey               = "X-Auth-Key"
-    [auth.router]
-        validationURL            = "localhost:28001"
-        validationToken          = "test123"
+    [auth.router.delegatedAuth]
+        validationProviderURL            = "localhost:28001"
+        validationProviderToken          = "test123"
         cacheTTLMinutes          = "10m"
-        authenticate             = "false"
 
 
 

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -30,10 +30,11 @@ type Auth struct {
 	Token          string
 	TokenHeaderKey string
 	Router         struct {
-		ValidationURL   string
-		ValidationToken string
-		CacheTTLMinutes string
-		Authenticate    string
+		DelegatedAuth struct {
+			ValidationProviderURL   string
+			ValidationProviderToken string
+			CacheTTLMinutes         string
+		}
 	}
 }
 

diff --git a/internal/gatewayserver/database/migrations/20240524205304_add_auth_delegation.go b/internal/gatewayserver/database/migrations/20240524205304_add_auth_delegation.go
@@ -0,0 +1,31 @@
+package migration
+
+import (
+	"database/sql"
+
+	"github.com/pressly/goose/v3"
+)
+
+func init() {
+	goose.AddMigration(Up20240524205304, Down20240524205304)
+}
+
+func Up20240524205304(tx *sql.Tx) error {
+	var err error
+
+	_, err = tx.Exec("ALTER TABLE `policies` ADD COLUMN `is_auth_delegated` BOOL DEFAULT false;")
+	if err != nil {
+		return err
+	}
+	return err
+}
+
+func Down20240524205304(tx *sql.Tx) error {
+	var err error
+
+	_, err = tx.Exec("ALTER TABLE `policies` DROP COLUMN `is_auth_delegated`;")
+	if err != nil {
+		return err
+	}
+	return err
+}
diff --git a/internal/gatewayserver/models/policy.go b/internal/gatewayserver/models/policy.go
@@ -10,6 +10,7 @@ type Policy struct {
 	GroupId         string  `json:"group_id"`
 	FallbackGroupId *string `json:"fallback_group_id"`
 	IsEnabled       *bool   `json:"is_enabled" sql:"DEFAULT:true"`
+	IsAuthDelegated *bool   `json:"is_auth_delegated" sql:"DEFAULT:false"`
 }
 
 func (u *Policy) TableName() string {

diff --git a/internal/gatewayserver/policyApi/core.go b/internal/gatewayserver/policyApi/core.go
@@ -25,6 +25,7 @@ type ICore interface {
 	DisablePolicy(ctx context.Context, id string) error
 
 	EvaluateGroupsForClient(ctx context.Context, c *EvaluateClientParams) ([]string, error)
+	EvaluateAuthDelegation(ctx context.Context, p int32) (bool, error)
 	// EvaluatePolicy(ctx context.Context, group string) (string, error)
 	// FindPolicyForQuery(ctx context.Context, q string) (string, error)
 }
@@ -35,12 +36,13 @@ func NewCore(policy repo.IPolicyRepo) *Core {
 
 // CreateParams has attributes that are required for policy.Create()
 type PolicyCreateParams struct {
-	ID            string
-	RuleType      string
-	RuleValue     string
-	Group         string
-	FallbackGroup string
-	IsEnabled     bool
+	ID              string
+	RuleType        string
+	RuleValue       string
+	Group           string
+	FallbackGroup   string
+	IsEnabled       bool
+	IsAuthDelegated bool
 }
 
 func (c *Core) CreateOrUpdatePolicy(ctx context.Context, params *PolicyCreateParams) error {
@@ -50,6 +52,7 @@ func (c *Core) CreateOrUpdatePolicy(ctx context.Context, params *PolicyCreatePar
 		GroupId:         params.Group,
 		FallbackGroupId: &params.FallbackGroup,
 		IsEnabled:       &params.IsEnabled,
+		IsAuthDelegated: &params.IsAuthDelegated,
 	}
 	policy.ID = params.ID
 
@@ -95,9 +98,10 @@ type FindManyParams struct {
 	// To    int32
 
 	// custom
-	IsEnabled bool   `json:"is_enabled"`
-	RuleType  string `json:"rule_type"`
-	RuleValue string `json:"rule_value"`
+	IsEnabled       bool   `json:"is_enabled"`
+	RuleType        string `json:"rule_type"`
+	RuleValue       string `json:"rule_value"`
+	IsAuthDelegated bool   `json:"is_auth_delegated,omitempty"`
 }
 
 func (p *FindManyParams) GetIsEnabled() bool {
@@ -214,6 +218,28 @@ func (c *Core) EvaluateGroupsForClient(ctx context.Context, params *EvaluateClie
 	return res, nil
 }
 
+func (c *Core) EvaluateAuthDelegation(ctx context.Context, port int32) (bool, error) {
+	res, err := c.FindMany(
+		ctx,
+		&FindManyParams{
+			IsEnabled:       true,
+			RuleType:        "listening_port",
+			RuleValue:       strconv.Itoa(int(port)),
+			IsAuthDelegated: true,
+		})
+	if err != nil {
+		return false, err
+	}
+	provider.Logger(ctx).Debugw("Is Auth Delegated For Port", map[string]interface{}{
+		"listeningPort": port,
+		"matchingRules": res,
+	})
+	if len(res) > 0 {
+		return true, nil
+	}
+	return false, nil
+}
+
 // Implementing "set" collection methods here, :)
 func setIntersection(s1 map[string]struct{}, s2 map[string]struct{}) map[string]struct{} {
 	s_intersection := map[string]struct{}{}

diff --git a/internal/gatewayserver/policyApi/server.go b/internal/gatewayserver/policyApi/server.go
@@ -32,12 +32,13 @@ func (s *Server) CreateOrUpdatePolicy(ctx context.Context, req *gatewayv1.Policy
 	})
 
 	createParams := PolicyCreateParams{
-		ID:            req.GetId(),
-		RuleType:      req.GetRule().Type.Enum().String(),
-		RuleValue:     req.GetRule().Value,
-		Group:         req.GetGroup(),
-		FallbackGroup: req.GetFallbackGroup(),
-		IsEnabled:     req.GetIsEnabled(),
+		ID:              req.GetId(),
+		RuleType:        req.GetRule().GetType().Enum().String(),
+		RuleValue:       req.GetRule().GetValue(),
+		Group:           req.GetGroup(),
+		FallbackGroup:   req.GetFallbackGroup(),
+		IsEnabled:       req.GetIsEnabled(),
+		IsAuthDelegated: req.GetIsAuthDelegated(),
 	}
 
 	err := s.core.CreateOrUpdatePolicy(ctx, &createParams)
@@ -142,11 +143,12 @@ func toPolicyResponseProto(policy *models.Policy) (*gatewayv1.Policy, error) {
 		Value: policy.RuleValue,
 	}
 	response := gatewayv1.Policy{
-		Id:            policy.ID,
-		Rule:          &rule,
-		Group:         policy.GroupId,
-		FallbackGroup: *policy.FallbackGroupId,
-		IsEnabled:     *policy.IsEnabled,
+		Id:              policy.ID,
+		Rule:            &rule,
+		Group:           policy.GroupId,
+		FallbackGroup:   *policy.FallbackGroupId,
+		IsEnabled:       *policy.IsEnabled,
+		IsAuthDelegated: *policy.IsAuthDelegated,
 	}
 
 	return &response, nil
@@ -175,3 +177,24 @@ func (s *Server) EvaluateGroupsForClient(ctx context.Context, req *gatewayv1.Eva
 	}
 	return &gatewayv1.EvaluateGroupsResponse{}, nil
 }
+
+func (s *Server) EvaluateAuthDelegationForClient(ctx context.Context, req *gatewayv1.EvaluateAuthDelegationRequest) (*gatewayv1.EvaluateAuthDelegationResponse, error) {
+	provider.Logger(ctx).Debugw("EvaluateAuthDelegation", map[string]interface{}{
+		"request": req.String(),
+	})
+
+	if req.GetIncomingPort() == 0 {
+		err := errors.New("Invalid port defined in `incoming_port`.")
+		provider.Logger(ctx).WithError(err).Error(err.Error())
+		return &gatewayv1.EvaluateAuthDelegationResponse{IsAuthDelegated: false}, nil
+	}
+
+	result, err := s.core.EvaluateAuthDelegation(
+		ctx,
+		req.GetIncomingPort(),
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &gatewayv1.EvaluateAuthDelegationResponse{IsAuthDelegated: result}, nil
+}