diff --git a/cmd/helper_server.go b/cmd/helper_server.go index 3e119c487f..0e96be8f1c 100644 --- a/cmd/helper_server.go +++ b/cmd/helper_server.go @@ -24,11 +24,10 @@ import ( "crypto/tls" "encoding/base64" "fmt" + "net/url" "strings" "time" - "net/url" - "github.com/ory/fosite" "github.com/ory/go-convenience/stringsx" "github.com/ory/hydra/sdk/go/hydra" diff --git a/cmd/migrate_sql.go b/cmd/migrate_sql.go index 39155e972d..249905dd4b 100644 --- a/cmd/migrate_sql.go +++ b/cmd/migrate_sql.go @@ -16,7 +16,6 @@ package cmd import ( "fmt" - "os" "github.com/ory/oathkeeper/rule" diff --git a/cmd/root.go b/cmd/root.go index b4febd0fd2..2d1360cca9 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -23,7 +23,6 @@ package cmd import ( "fmt" "os" - "time" "github.com/sirupsen/logrus" diff --git a/cmd/rules_delete.go b/cmd/rules_delete.go index 27f71b22f5..0250d85d61 100644 --- a/cmd/rules_delete.go +++ b/cmd/rules_delete.go @@ -22,7 +22,6 @@ package cmd import ( "fmt" - "net/http" "github.com/ory/oathkeeper/sdk/go/oathkeeper" diff --git a/cmd/rules_get.go b/cmd/rules_get.go index 2bd09ff0d1..44a24845eb 100644 --- a/cmd/rules_get.go +++ b/cmd/rules_get.go @@ -21,9 +21,8 @@ package cmd import ( - "net/http" - "fmt" + "net/http" "github.com/ory/oathkeeper/sdk/go/oathkeeper" "github.com/spf13/cobra" diff --git a/cmd/rules_import.go b/cmd/rules_import.go index e9d16fd70d..08c355ca4b 100644 --- a/cmd/rules_import.go +++ b/cmd/rules_import.go @@ -21,13 +21,12 @@ package cmd import ( + "bytes" "encoding/json" "fmt" "io/ioutil" "net/http" - "bytes" - "github.com/ory/oathkeeper/rule" "github.com/ory/oathkeeper/sdk/go/oathkeeper" "github.com/ory/oathkeeper/sdk/go/oathkeeper/swagger" diff --git a/cmd/rules_list.go b/cmd/rules_list.go index 61ad95534f..ea67e9f905 100644 --- a/cmd/rules_list.go +++ b/cmd/rules_list.go @@ -21,9 +21,8 @@ package cmd import ( - "net/http" - "fmt" + "net/http" "github.com/ory/oathkeeper/pkg" "github.com/ory/oathkeeper/sdk/go/oathkeeper" 
diff --git a/cmd/serve.go b/cmd/serve.go index 93664faf47..a4d5db312e 100644 --- a/cmd/serve.go +++ b/cmd/serve.go @@ -22,7 +22,6 @@ package cmd import ( "fmt" - "os" "strconv" diff --git a/cmd/serve_proxy.go b/cmd/serve_proxy.go index 3219e9b2d3..6820d8fc81 100644 --- a/cmd/serve_proxy.go +++ b/cmd/serve_proxy.go @@ -27,11 +27,10 @@ import ( "net/http/httputil" "github.com/meatballhat/negroni-logrus" - "github.com/ory/metrics-middleware" - "github.com/ory/go-convenience/corsx" "github.com/ory/graceful" "github.com/ory/keto/sdk/go/keto" + "github.com/ory/metrics-middleware" "github.com/ory/oathkeeper/proxy" "github.com/ory/oathkeeper/rule" "github.com/ory/oathkeeper/sdk/go/oathkeeper" diff --git a/proxy/authenticator_jwt.go b/proxy/authenticator_jwt.go index 8a254d6756..d91f1a74a6 100644 --- a/proxy/authenticator_jwt.go +++ b/proxy/authenticator_jwt.go @@ -1,14 +1,12 @@ package proxy import ( - "encoding/json" - "net/http" - "bytes" "crypto/ecdsa" "crypto/rsa" + "encoding/json" "fmt" - + "net/http" "net/url" "github.com/dgrijalva/jwt-go" diff --git a/proxy/authenticator_oauth2_client_credentials.go b/proxy/authenticator_oauth2_client_credentials.go index 4754944a12..a7d1722509 100644 --- a/proxy/authenticator_oauth2_client_credentials.go +++ b/proxy/authenticator_oauth2_client_credentials.go @@ -5,7 +5,6 @@ import ( "context" "encoding/json" "net/http" - "net/url" "github.com/ory/oathkeeper/helper" diff --git a/proxy/authenticator_oauth2_introspection.go b/proxy/authenticator_oauth2_introspection.go index 00812b556a..b2d8fa8c71 100644 --- a/proxy/authenticator_oauth2_introspection.go +++ b/proxy/authenticator_oauth2_introspection.go @@ -2,11 +2,10 @@ package proxy import ( "bytes" + "context" "encoding/json" "fmt" "net/http" - - "context" "net/url" "strings" diff --git a/proxy/authenticator_oauth2_introspection_test.go b/proxy/authenticator_oauth2_introspection_test.go index f4e7160670..5805b73f92 100644 --- a/proxy/authenticator_oauth2_introspection_test.go 
+++ b/proxy/authenticator_oauth2_introspection_test.go @@ -24,9 +24,8 @@ import ( "encoding/json" "fmt" "net/http" - "testing" - "net/http/httptest" + "testing" "github.com/julienschmidt/httprouter" "github.com/ory/fosite" diff --git a/proxy/authorizer_keto_warden.go b/proxy/authorizer_keto_warden.go index 7da76243b8..01ab7fec95 100644 --- a/proxy/authorizer_keto_warden.go +++ b/proxy/authorizer_keto_warden.go @@ -23,7 +23,9 @@ package proxy import ( "bytes" "encoding/json" + "fmt" "net/http" + "text/template" "time" "github.com/asaskevich/govalidator" @@ -38,6 +40,7 @@ import ( type AuthorizerKetoWardenConfiguration struct { RequiredAction string `json:"required_action" valid:",required"` RequiredResource string `json:"required_resource" valid:",required"` + Subject string `json:"subject"` } type AuthorizerKetoWarden struct { @@ -89,11 +92,20 @@ func (a *AuthorizerKetoWarden) Authorize(r *http.Request, session *Authenticatio return errors.WithStack(err) } + subject := session.Subject + if cf.Subject != "" { + templateId := fmt.Sprintf("%s:%s", rl.ID, "subject") + subject, err = a.ParseSubject(session, templateId, cf.Subject) + if err != nil { + return errors.WithStack(err) + } + } + defaultSession, response, err := a.K.IsSubjectAuthorized(swagger.WardenSubjectAuthorizationRequest{ Action: compiled.ReplaceAllString(r.URL.String(), cf.RequiredAction), Resource: compiled.ReplaceAllString(r.URL.String(), cf.RequiredResource), Context: a.contextCreator(r), - Subject: session.Subject, + Subject: subject, }) if err != nil { return errors.WithStack(err) 
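Review bot: The new `Subject` field on AuthorizerKetoWardenConfiguration has no doc comment, and nothing at the struct tells a reader that its value is a Go text/template rather than a literal subject string. Suggest `// Subject is an optional text/template executed against the AuthenticationSession (for example "{{ .Extra.name }}") to derive the subject sent to Keto; when empty, the session's Subject is used as-is.` The whole struct is visible in the hunk, so the comment can go directly above the new field.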
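Review bot: The rendered subject is handed to IsSubjectAuthorized without any check that the template produced a usable value. With `missingkey=zero` and a `map[string]interface{}` such as `.Extra`, text/template renders a missing key as the literal `<no value>` unless the expression is wrapped in the overridden `print` func, so a session lacking the referenced key would be authorized as subject `<no value>` instead of being rejected, and an empty render is likewise forwarded as an empty subject. Suggest failing closed after the ParseSubject call, e.g. `if subject == "" || subject == "<no value>" { return errors.New("keto warden: subject template rendered no subject") }` (the errors package is already in scope for errors.WithStack); alternatively ParseSubject could use `missingkey=error` so a missing key fails execution, though that does not cover a key present with a nil value. The added case in proxy/authorizer_keto_warden_test.go only exercises a present `name` key, so a second case whose `Extra` lacks the key would pin whichever behaviour is intended. Authorize begins and ends outside this hunk.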
@@ -110,3 +122,27 @@ func (a *AuthorizerKetoWarden) Authorize(r *http.Request, session *Authenticatio return nil } +func (a *AuthorizerKetoWarden) ParseSubject(session *AuthenticationSession, templateId, templateString string) (string, error) { + tmplFn := template.New("rules"). + Option("missingkey=zero"). + Funcs(template.FuncMap{ + "print": func(i interface{}) string { + if i == nil { + return "" + } + return fmt.Sprintf("%v", i) + }, + }) + + tmpl, err := tmplFn.New(templateId).Parse(templateString) + if err != nil { + return "", err + } + + subject := bytes.Buffer{} + err = tmpl.Execute(&subject, session) + if err != nil { + return "", err + } + return subject.String(), nil +} diff --git a/proxy/authorizer_keto_warden_test.go b/proxy/authorizer_keto_warden_test.go index 53f1036ded..a5359bd533 100644 --- a/proxy/authorizer_keto_warden_test.go +++ b/proxy/authorizer_keto_warden_test.go 
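Review bot: ParseSubject is exported but carries no doc comment, and `templateId` should be spelled `templateID` under Go's initialism convention (the same spelling appears in the Authorize hunk above). Suggest `// ParseSubject renders templateString as a text/template against session and returns the result; templateID names the template (the caller passes "<rule id>:subject"). Missing map keys render as the zero value and the overridden print func maps nil to "".` The template is also constructed and parsed on every call even though templateString comes from static rule configuration, so caching the parsed template by templateID (or parsing once when the rule is loaded) would avoid re-parsing per request. The parent template named "rules" exists only as a container for a single child, so the chain can be collapsed to `template.New(templateId).Option("missingkey=zero").Funcs(...).Parse(templateString)` with identical behaviour.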
@@ -128,6 +128,30 @@ func TestAuthorizerKetoWarden(t *testing.T) { session: &AuthenticationSession{Subject: "peter"}, expectErr: false, }, + { + config: []byte(`{ "required_action": "action:$1:$2", "required_resource": "resource:$1:$2", "subject": "{{ .Extra.name }}" }`), + rule: &rule.Rule{ + Match: rule.RuleMatch{ + Methods: []string{"POST"}, + URL: "https://localhost/api/users/<[0-9]+>/<[a-z]+>", + }, + }, + r: &http.Request{URL: mustParseURL(t, "https://localhost/api/users/1234/abcde")}, + setup: func(t *testing.T, m *MockWardenSDK) { + m.EXPECT().IsSubjectAuthorized(gomock.Eq(swagger.WardenSubjectAuthorizationRequest{ + Action: "action:1234:abcde", + Resource: "resource:1234:abcde", + Context: map[string]interface{}{}, + Subject: "peter", + })).Return( + &swagger.WardenSubjectAuthorizationResponse{Allowed: true}, + &swagger.APIResponse{Response: &http.Response{StatusCode: http.StatusOK}}, + nil, + ) + }, + session: &AuthenticationSession{Extra: map[string]interface{}{"name": "peter"}}, + expectErr: false, + }, } { t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) { c := gomock.NewController(t) diff --git a/proxy/credentials_issuer_id_token_test.go b/proxy/credentials_issuer_id_token_test.go index 209b7364e4..a1864ba0fb 100644 --- a/proxy/credentials_issuer_id_token_test.go +++ b/proxy/credentials_issuer_id_token_test.go @@ -22,13 +22,12 @@ package proxy import ( "encoding/json" + "fmt" "net/http" "strings" "testing" "time" - "fmt" - "github.com/dgrijalva/jwt-go" "github.com/go-errors/errors" "github.com/ory/oathkeeper/rsakey" diff --git a/proxy/proxy.go b/proxy/proxy.go index aef9218f71..aad9e3d017 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -24,9 +24,8 @@ import ( "context" "io/ioutil" "net/http" - "strings" - "net/url" + "strings" "github.com/ory/herodot" "github.com/ory/oathkeeper/rsakey" diff --git a/proxy/proxy_test.go b/proxy/proxy_test.go index f6fee64c4c..0f2ce1720f 100644 --- a/proxy/proxy_test.go +++ b/proxy/proxy_test.go 
@@ -26,12 +26,10 @@ import ( "net/http" "net/http/httptest" "net/http/httputil" - "testing" - - "strings" - "net/url" "strconv" + "strings" + "testing" "github.com/ory/oathkeeper/rule" "github.com/stretchr/testify/assert" diff --git a/rsakey/manager_hydra.go b/rsakey/manager_hydra.go index 3967d9bba8..d5f418eeb5 100644 --- a/rsakey/manager_hydra.go +++ b/rsakey/manager_hydra.go @@ -22,10 +22,8 @@ package rsakey import ( "crypto/rsa" - "net/http" - "encoding/json" - + "net/http" "strings" "github.com/ory/hydra/sdk/go/hydra" diff --git a/rsakey/manager_test.go b/rsakey/manager_test.go index 34497899bc..304b796f36 100644 --- a/rsakey/manager_test.go +++ b/rsakey/manager_test.go @@ -21,15 +21,13 @@ package rsakey import ( + "crypto/rsa" "log" "net/http" "os" "testing" - "time" - "crypto/rsa" - "github.com/ory/dockertest" "github.com/ory/hydra/sdk/go/hydra" "github.com/pkg/errors" diff --git a/rule/matcher_cached.go b/rule/matcher_cached.go index aa05d03e79..cd1ec743bf 100644 --- a/rule/matcher_cached.go +++ b/rule/matcher_cached.go @@ -22,7 +22,6 @@ package rule import ( "net/url" - "sync" "github.com/ory/oathkeeper/helper" diff --git a/rule/rule.go b/rule/rule.go index 779e963c54..b082aea6ca 100644 --- a/rule/rule.go +++ b/rule/rule.go @@ -21,12 +21,11 @@ package rule import ( - "strings" - "encoding/json" "hash/crc32" "net/url" "regexp" + "strings" "github.com/ory/ladon/compiler" "github.com/pkg/errors"