forked from TykTechnologies/tyk
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added policies and granular permission middleware
- Loading branch information
1 parent
941de17
commit b5af83f
Showing
9 changed files
with
277 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,74 @@ | ||
package main | ||
|
||
import ( | ||
"errors" | ||
"github.com/gorilla/context" | ||
"net/http" | ||
"regexp" | ||
"github.com/Sirupsen/logrus" | ||
) | ||
|
||
// GranularAccessMiddleware will check if a URL is specifically enabled for the key | ||
type GranularAccessMiddleware struct { | ||
TykMiddleware | ||
} | ||
|
||
type GranularAccessMiddlewareConfig struct {} | ||
|
||
func (m *GranularAccessMiddleware) New() {} | ||
|
||
// GetConfig retrieves the configuration from the API config - we user mapstructure for this for simplicity | ||
func (m *GranularAccessMiddleware) GetConfig() (interface{}, error) { | ||
return nil, nil | ||
} | ||
|
||
// ProcessRequest will run any checks on the request on the way through the system, return an error to have the chain fail | ||
func (m *GranularAccessMiddleware) ProcessRequest(w http.ResponseWriter, r *http.Request, configuration interface{}) (error, int) { | ||
thisSessionState := context.Get(r, SessionData).(SessionState) | ||
authHeaderValue := context.Get(r, AuthHeaderValue).(string) | ||
|
||
sessionVersionData, foundAPI := thisSessionState.AccessRights[m.Spec.APIID] | ||
|
||
if foundAPI == false { | ||
log.Debug("Version not found") | ||
return nil, 200 | ||
} | ||
|
||
if sessionVersionData.AllowedURLs == nil { | ||
log.Debug("No allowed URLS") | ||
return nil, 200 | ||
} | ||
|
||
for url_regex, accessSpec := range(sessionVersionData.AllowedURLs) { | ||
log.Debug("Checking: ", r.URL.Path) | ||
log.Debug("Against: ", url_regex) | ||
asRegex, regexpErr := regexp.Compile(url_regex) | ||
|
||
if regexpErr != nil { | ||
log.Error("Regex error: ", regexpErr) | ||
return nil, 200 | ||
} | ||
|
||
match := asRegex.MatchString(r.URL.Path) | ||
if match { | ||
log.Debug("Match!") | ||
for _, method := range(accessSpec.Methods) { | ||
if method == r.Method { | ||
return nil, 200 | ||
} | ||
} | ||
} | ||
} | ||
|
||
// No paths matched, disallow | ||
log.WithFields(logrus.Fields{ | ||
"path": r.URL.Path, | ||
"origin": r.RemoteAddr, | ||
"key": authHeaderValue, | ||
"api_found": false, | ||
}).Info("Attempted access to unauthorised endpoint (Granular).") | ||
|
||
return errors.New("Access to this resource has been disallowed"), 403 | ||
|
||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
{ | ||
"default": { | ||
"rate": 1000, | ||
"per": 1, | ||
"quota_max": 100, | ||
"quota_renewal_rate": 60, | ||
"access_rights": { | ||
"41433797848f41a558c1573d3e55a410": { | ||
"api_name": "My API", | ||
"api_id": "41433797848f41a558c1573d3e55a410", | ||
"versions": [ | ||
"Default" | ||
] | ||
} | ||
}, | ||
"org_id": "54de205930c55e15bd000001", | ||
"hmac_enabled": false | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
package main | ||
|
||
import ( | ||
"io/ioutil" | ||
"encoding/json" | ||
"labix.org/v2/mgo" | ||
"labix.org/v2/mgo/bson" | ||
) | ||
|
||
type Policy struct { | ||
ID string `bson:"_id, ommitempty" json:"id"` | ||
Rate float64 `bson:"rate" json:"rate"` | ||
Per float64 `bson:"per" json:"per"` | ||
QuotaMax int64 `bson:"quota_max" json:"quota_max"` | ||
QuotaRenewalRate int64 `bson:"quota_renewal_rate" json:"quota_renewal_rate"` | ||
AccessRights map[string]AccessDefinition `bson:"access_rights" json:"access_rights"` | ||
HMACEnabled bool `bson:"hmac_enabled" json:"hmac_enabled"` | ||
Active bool `bson:"active" json:"active"` | ||
} | ||
|
||
func LoadPoliciesFromFile(filePath string) map[string]Policy { | ||
policies := make(map[string]Policy) | ||
|
||
policyConfig, err := ioutil.ReadFile(filePath) | ||
if err != nil { | ||
log.Error("Couldn't load policy file: ", err) | ||
return policies | ||
} | ||
|
||
mErr := json.Unmarshal(policyConfig, &policies) | ||
if mErr != nil { | ||
log.Error("Couldn't unmarshal policies: ", mErr) | ||
} | ||
|
||
return policies | ||
} | ||
|
||
// LoadPoliciesFromMongo will connect and download POlicies from a Mongo DB instance. | ||
func LoadPoliciesFromMongo(collectionName string) map[string]Policy { | ||
policies := make(map[string]Policy) | ||
|
||
dbSession, dErr := mgo.Dial(config.AnalyticsConfig.MongoURL) | ||
if dErr != nil { | ||
log.Error("Mongo connection failed:", dErr) | ||
} | ||
|
||
policyCollection := dbSession.DB("").C(collectionName) | ||
|
||
search := bson.M{ | ||
"active": true, | ||
} | ||
|
||
mongoErr := policyCollection.Find(search).All(&policies) | ||
|
||
if mongoErr != nil { | ||
log.Error("Could not find any policy configs!") | ||
return policies | ||
} | ||
|
||
return policies | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters