Add authorization-webhook-methods flag (#203)

Co-authored-by: Hackerwins <[email protected]>

internal/cli/agent.go

@@ -66,6 +66,13 @@ func newAgentCmd() *cobra.Command {
 				conf = parsed
 			}
 
+			// TODO(hackerwins): We need to check that the entire config is valid.
+			// err = conf.Validate()
+			err := conf.Backend.Validate()
+			if err != nil {
+				return err
+			}
+
 			r, err := yorkie.New(conf)
 			if err != nil {
 				return err
@@ -205,6 +212,13 @@ func init() {
 		"",
 		"URL of remote service to query authorization",
 	)
+	cmd.Flags().StringSliceVar(
+		&conf.Backend.AuthorizationWebhookMethods,
+		"authorization-webhook-methods",
+		[]string{},
+		"List of methods that require authorization checks."+
+			" If no value is specified, all methods will be checked.",
+	)
 
 	rootCmd.AddCommand(cmd)
 }

pkg/types/auth_webhook.go

@@ -55,6 +55,27 @@ const (
 	PushPull         Method = "PushPull"
 )
 
+// IsAuthMethod returns whether the given method can be used for authorization.
+func IsAuthMethod(method string) bool {
+	for _, m := range AuthMethods() {
+		if method == string(m) {
+			return true
+		}
+	}
+	return false
+}
+
+// AuthMethods returns a slice of methods that can be used for authorization.
+func AuthMethods() []Method {
+	return []Method{
+		ActivateClient,
+		DeactivateClient,
+		AttachDocument,
+		DetachDocument,
+		PushPull,
+	}
+}
+
 // AccessAttribute represents an access attribute.
 type AccessAttribute struct {
 	Key  string   `json:"key"`

test/integration/auth_webhook_test.go

@@ -91,4 +91,28 @@ func TestAuthWebhook(t *testing.T) {
 		err = cliWithInvalidToken.Activate(ctx)
 		assert.Equal(t, codes.Unauthenticated, status.Convert(err).Code())
 	})
+
+	t.Run("Selected method authorization webhook test", func(t *testing.T) {
+		server, _ := newAuthServer(t)
+
+		conf := helper.TestConfig(server.URL)
+		conf.Backend.AuthorizationWebhookMethods = []string{string(types.AttachDocument)}
+
+		agent, err := yorkie.New(conf)
+		assert.NoError(t, err)
+		assert.NoError(t, agent.Start())
+		defer func() { assert.NoError(t, agent.Shutdown(true)) }()
+
+		ctx := context.Background()
+		cli, err := client.Dial(agent.RPCAddr(), client.Option{Token: "invalid"})
+		assert.NoError(t, err)
+		defer func() { assert.NoError(t, cli.Close()) }()
+
+		err = cli.Activate(ctx)
+		assert.NoError(t, err)
+
+		doc := document.New(helper.Collection, t.Name())
+		err = cli.Attach(ctx, doc)
+		assert.Equal(t, codes.Unauthenticated, status.Convert(err).Code())
+	})
 }

yorkie/auth/webhook.go

@@ -36,7 +36,7 @@ func AccessAttributes(pack *change.Pack) []types.AccessAttribute {
 
 // VerifyAccess verifies the given access.
 func VerifyAccess(ctx context.Context, be *backend.Backend, info *types.AccessInfo) error {
-	if len(be.Config.AuthorizationWebhookURL) == 0 {
+	if !be.Config.RequireAuth(info.Method) {
 		return nil
 	}
 

yorkie/backend/backend.go

@@ -17,13 +17,15 @@
 package backend
 
 import (
+	"fmt"
 	"os"
 	gosync "sync"
 	"time"
 
 	"github.com/rs/xid"
 
 	"github.com/yorkie-team/yorkie/internal/log"
+	"github.com/yorkie-team/yorkie/pkg/types"
 	"github.com/yorkie-team/yorkie/yorkie/backend/db"
 	"github.com/yorkie-team/yorkie/yorkie/backend/db/mongo"
 	"github.com/yorkie-team/yorkie/yorkie/backend/sync"
@@ -42,7 +44,40 @@ type Config struct {
 	SnapshotInterval uint64 `json:"SnapshotInterval"`
 
 	// AuthorizationWebhookURL is the url of the authorization webhook.
-	AuthorizationWebhookURL string
+	AuthorizationWebhookURL string `json:"AuthorizationWebhookURL"`
+
+	// AuthorizationWebhookMethods is the methods that run the authorization webhook.
+	AuthorizationWebhookMethods []string `json:"AuthorizationWebhookMethods"`
+}
+
+// RequireAuth returns whether the given method require authorization.
+func (c *Config) RequireAuth(method types.Method) bool {
+	if len(c.AuthorizationWebhookURL) == 0 {
+		return false
+	}
+
+	if len(c.AuthorizationWebhookMethods) == 0 {
+		return true
+	}
+
+	for _, m := range c.AuthorizationWebhookMethods {
+		if types.Method(m) == method {
+			return true
+		}
+	}
+
+	return false
+}
+
+// Validate validates this config.
+func (c *Config) Validate() error {
+	for _, method := range c.AuthorizationWebhookMethods {
+		if !types.IsAuthMethod(method) {
+			return fmt.Errorf("not supported method for authorization webhook: %s", method)
+		}
+	}
+
+	return nil
 }
 
 // Backend manages Yorkie's remote states such as data store, distributed lock

yorkie/backend/backend_test.go

@@ -0,0 +1,52 @@
+/*
+ * Copyright 2021 The Yorkie Authors. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package backend_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/yorkie-team/yorkie/pkg/types"
+	"github.com/yorkie-team/yorkie/yorkie/backend"
+)
+
+func TestConfig(t *testing.T) {
+	t.Run("authorization webhook config test", func(t *testing.T) {
+		conf := backend.Config{
+			AuthorizationWebhookURL:     "ValidWebhookURL",
+			AuthorizationWebhookMethods: []string{"InvalidMethod"},
+		}
+		assert.Error(t, conf.Validate())
+
+		conf2 := backend.Config{
+			AuthorizationWebhookURL:     "ValidWebhookURL",
+			AuthorizationWebhookMethods: []string{string(types.ActivateClient)},
+		}
+		assert.NoError(t, conf2.Validate())
+		assert.True(t, conf2.RequireAuth(types.ActivateClient))
+		assert.False(t, conf2.RequireAuth(types.DetachDocument))
+
+		conf3 := backend.Config{
+			AuthorizationWebhookURL:     "ValidWebhookURL",
+			AuthorizationWebhookMethods: []string{},
+		}
+		assert.NoError(t, conf3.Validate())
+		assert.True(t, conf3.RequireAuth(types.ActivateClient))
+		assert.True(t, conf3.RequireAuth(types.DetachDocument))
+	})
+}