// Copyright © 2023 Ory Corp
// SPDX-License-Identifier: Apache-2.0
package api
import (
"net/http"
"strings"
"github.com/ory/oathkeeper/pipeline/authn"
"github.com/ory/oathkeeper/x"
"github.com/ory/oathkeeper/proxy"
"github.com/ory/oathkeeper/rule"
)
// DecisionPath is the URL path prefix under which the access control
// decision API is served.
const DecisionPath = "/decisions"

// Request headers a fronting proxy uses to describe the original request
// that a decision is being asked for. They are read by the decision
// handler and take precedence over the corresponding fields of the
// decision request itself.
const (
	xForwardedMethod = "X-Forwarded-Method"
	xForwardedProto  = "X-Forwarded-Proto"
	xForwardedHost   = "X-Forwarded-Host"
	xForwardedUri    = "X-Forwarded-Uri"
)
// decisionHandlerRegistry is the slice of the application registry the
// decision API depends on: the rule matcher that selects a rule for a
// request, the proxy request handler that processes a request for a matched
// rule and renders errors, and the registry's writer and logger interfaces
// from package x.
type decisionHandlerRegistry interface {
	RuleMatcher() rule.Matcher
	ProxyRequestHandler() proxy.RequestHandler

	x.RegistryLogger
	x.RegistryWriter
}
// DecisionHandler serves the access control decision API: requests under
// DecisionPath are answered with a status code instead of being proxied.
type DecisionHandler struct {
	r decisionHandlerRegistry // provides the rule matcher, proxy request handler and logger
}
// NewJudgeHandler returns a DecisionHandler that resolves its dependencies
// (rule matcher, proxy request handler, logger) from r.
func NewJudgeHandler(r decisionHandlerRegistry) *DecisionHandler {
	handler := new(DecisionHandler)
	handler.r = r
	return handler
}
// ServeHTTP routes requests whose path begins with DecisionPath to the
// decision API and hands every other request to next.
//
// Before dispatching, r is rewritten in place so that it describes the
// original (proxied) request: method, scheme, host and path are taken from
// the X-Forwarded-* headers when present, otherwise from the decision
// request itself. The header values are not validated here, so whoever can
// reach this endpoint chooses which method, host and path the decision is
// made for.
func (h *DecisionHandler) ServeHTTP(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
	// Any path that merely starts with DecisionPath is handled here (for
	// example "/decisionsfoo" too); the remainder, possibly empty, is the
	// default path to decide on.
	if !strings.HasPrefix(r.URL.Path, DecisionPath) {
		next(w, r)
		return
	}
	rewriteForwardedRequest(r, strings.TrimPrefix(r.URL.Path, DecisionPath))
	h.decisions(w, r)
}

// rewriteForwardedRequest overwrites r's method and URL with the values a
// fronting proxy reported in the X-Forwarded-* headers, falling back to the
// decision request's own values when a header is absent or empty.
// fallbackPath is used when X-Forwarded-Uri is not set.
func rewriteForwardedRequest(r *http.Request, fallbackPath string) {
	hdr := r.Header

	// Without X-Forwarded-Proto the scheme is whatever this request itself
	// arrived over.
	defaultScheme := x.IfThenElseString(r.TLS != nil, "https", "http")

	// Only the path component of X-Forwarded-Uri is used: anything from the
	// first '?' on is discarded, and r.URL.RawQuery is left as it was.
	forwardedPath := strings.SplitN(hdr.Get(xForwardedUri), "?", 2)[0]

	r.Method = x.OrDefaultString(hdr.Get(xForwardedMethod), r.Method)
	r.URL.Scheme = x.OrDefaultString(hdr.Get(xForwardedProto), defaultScheme)
	r.URL.Host = x.OrDefaultString(hdr.Get(xForwardedHost), r.Host)
	r.URL.Path = x.OrDefaultString(forwardedPath, fallbackPath)
}
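// decisions evaluates the (already rewritten) request against the rule set
// and replies with 200 when access is granted. On a matching or handling
// error the outcome is logged with granted=false and the error is rendered
// by the proxy request handler. Headers produced by the handler are copied
// onto the 200 response so a fronting proxy can forward them upstream; all
// values of a multi-valued header are copied, and Content-Length is left out.

// swagger:route GET /decisions api decisions
//
// # Access Control Decision API
//
// > This endpoint works with all HTTP Methods (GET, POST, PUT, ...) and matches every path prefixed with /decisions.
//
// This endpoint mirrors the proxy capability of ORY Oathkeeper's proxy functionality but instead of forwarding the
// request to the upstream server, returns 200 (request should be allowed), 401 (unauthorized), or 403 (forbidden)
// status codes. This endpoint can be used to integrate with other API Proxies like Ambassador, Kong, Envoy, and many more.
//
// Schemes: http, https
//
// Responses:
// 200: emptyResponse
// 401: genericError
// 403: genericError
// 404: genericError
// 500: genericError
func (h *DecisionHandler) decisions(w http.ResponseWriter, r *http.Request) {
	// Fields shared by every log line emitted for this decision.
	fields := map[string]interface{}{
		"http_method":     r.Method,
		"http_url":        r.URL.String(),
		"http_host":       r.Host,
		"http_user_agent": r.UserAgent(),
	}
	// An authentication session may already be attached to the context; if
	// so, record who the decision is about. A typed-nil session is skipped
	// rather than dereferenced.
	if sess, ok := r.Context().Value(proxy.ContextKeySession).(*authn.AuthenticationSession); ok && sess != nil {
		fields["subject"] = sess.Subject
	}

	rl, err := h.r.RuleMatcher().Match(r.Context(), r.Method, r.URL, rule.ProtocolHTTP)
	if err != nil {
		h.r.Logger().WithError(err).
			WithFields(fields).
			WithField("granted", false).
			Warn("Access request denied")
		h.r.ProxyRequestHandler().HandleError(w, r, rl, err)
		return
	}

	s, err := h.r.ProxyRequestHandler().HandleRequest(r, rl)
	if err != nil {
		h.r.Logger().WithError(err).
			WithFields(fields).
			WithField("granted", false).
			Info("Access request denied")
		h.r.ProxyRequestHandler().HandleError(w, r, rl, err)
		return
	}

	h.r.Logger().
		WithFields(fields).
		WithField("granted", true).
		Info("Access request granted")

	copyDecisionHeaders(w.Header(), s.Header)
	w.WriteHeader(http.StatusOK)
}

// copyDecisionHeaders copies every header in src onto dst, replacing any
// existing value for the same key. Every value of a multi-valued header is
// carried over (a Set/Get pair would keep only the first one).
// Content-Length is skipped: it describes the client's original body, not
// this empty response.
func copyDecisionHeaders(dst, src http.Header) {
	for k, vs := range src {
		if strings.EqualFold(k, "Content-Length") {
			continue
		}
		dst.Del(k)
		for _, v := range vs {
			dst.Add(k, v)
		}
	}
}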