omc-college · hiendevt · Aug 18, 2020
diff --git a/Dockerfile.rbac b/Dockerfile.rbac
@@ -1,13 +1,23 @@
-FROM golang:1.14
+FROM golang:1.14 as builder
 
-EXPOSE 8000
+ARG ARCH=amd64
+ARG GOPATH="/go"
+ARG GO111MODULE=on
+
+WORKDIR $GOPATH/src/github.com/omc-college/management-system/
 
-WORKDIR /go/src/app
-COPY ./go.mod ./go.sum ./
-COPY ./pkg ./pkg
-COPY ./cmd/rbac ./cmd/rbac
+COPY go.mod go.sum ./
+COPY pkg ./pkg
+COPY cmd/rbac ./cmd/rbac
 
 RUN go get -d -v ./...
-RUN go install -v ./...
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} \
+    go build -o $GOPATH/bin/rbac -a ./cmd/rbac
+
+FROM scratch
+
+EXPOSE 8000
+
+COPY --from=builder /go/bin/rbac /bin/rbac
 
-CMD ["rbac"]
+ENTRYPOINT ["/bin/rbac"]
diff --git a/Dockerfile.rbac-db-migrator b/Dockerfile.rbac-db-migrator
@@ -1,6 +1,6 @@
 FROM migrate/migrate:v4.11.0
 
 WORKDIR /
-COPY ./pkg/rbac/repository/postgres/migrations ./migrations
+COPY ./pkg/rbac/repository/postgres/migrations /etc/migrations
 
-CMD ["-path", "/migrations", "-database",  "postgres://postgres:superuser@rbac-db:5432/roles?sslmode=disable", "up"]
+CMD ["-path", "/etc/migrations", "-database",  "postgres://postgres:superuser@rbac-db:5432/roles?sslmode=disable", "up"]
diff --git a/Dockerfile.rbacgen b/Dockerfile.rbacgen
@@ -1,15 +1,23 @@
-FROM golang:1.14
+FROM golang:1.14 as builder
 
-EXPOSE 8000
+ARG ARCH=amd64
+ARG GOPATH="/go"
+ARG GO111MODULE=on
+
+WORKDIR $GOPATH/src/github.com/omc-college/management-system/
 
-WORKDIR /go/src/app
-COPY ./go.mod ./go.sum ./
-COPY ./pkg ./pkg
-COPY ./cmd/rbacgen ./cmd/rbacgen
-COPY ./api ./api
+COPY go.mod go.sum ./
+COPY pkg ./pkg
+COPY cmd/rbacgen ./cmd/rbacgen
 
 RUN go get -d -v ./...
-RUN go install -v ./...
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} \
+    go build -o $GOPATH/bin/rbacgen -a ./cmd/rbacgen
+
+FROM scratch
+
+EXPOSE 8000
+
+COPY --from=builder /go/bin/rbacgen /bin/rbacgen
 
-CMD rbacgen --create \
- && rbacgen --fill
+ENTRYPOINT ["/bin/rbacgen", "--create", "--fill"]
diff --git a/cmd/rbac/config.go b/cmd/rbac/config.go
@@ -10,4 +10,9 @@ type Config struct {
 	DBConnection db.ConnectionConfig `mapstructure:"dbconnection"`
 	MQConnection mq.ConnectionConfig `mapstructure:"mqconnection"`
 	PubSubConfig pubsub.Config       `mapstructure:"pubsub"`
+	PolicyAgent PolicyAgentConfig	`mapstructure:"policyAgent"`
+}
+
+type PolicyAgentConfig struct {
+	PolicyPath	string	`mapstructure:"policyPath"`
 }
diff --git a/cmd/rbac/main.go b/cmd/rbac/main.go
@@ -21,7 +21,7 @@ func main() {
 	var serviceConfig Config
 	var err error
 
-	configPath := flag.StringP("config", "c", "./cmd/rbac/rbac-service-example-config.yaml", "path to service config")
+	configPath := flag.StringP("config", "c", "/etc/rbac/rbac-service-config.yaml", "path to service config")
 
 	flag.Parse()
 
@@ -65,5 +65,7 @@ func main() {
 
 	rolesService := service.NewRolesService(repository, client)
 
-	logrus.Fatal(http.ListenAndServe(":8000", api.NewCrudRouter(rolesService, cache, opa.GetDecision)))
+	policyAgent := opa.NewPolicyAgent(serviceConfig.PolicyAgent.PolicyPath)
+
+	logrus.Fatal(http.ListenAndServe(":8000", api.NewCrudRouter(rolesService, cache, policyAgent.GetDecision)))
 }
diff --git a/cmd/rbac/rbac-service-example-config.yaml b/cmd/rbac/rbac-service-example-config.yaml
@@ -16,3 +16,6 @@ pubsub:
   queuename: 'new-queue'
   pingsinterval: 20
   maxunsuccessfulpings: 5
+
+policyAgent:
+  policyPath: "/etc/rbac/policy/authorization.rego"
diff --git a/cmd/rbacgen/main.go b/cmd/rbacgen/main.go
@@ -20,7 +20,7 @@ import (
 )
 
 func main() {
-	configPath := flag.StringP("config", "c", "./cmd/rbacgen/rbacgen-service-example-config.yaml", "path to service config")
+	configPath := flag.StringP("config", "c", "/etc/rbacgen/rbacgen-service-config.yaml", "path to service config")
 
 	isCreateMode := flag.Bool("create", false, "In this mode utility generates and creates new Role Template and saves into roleTmpl.yaml")
 	isFillMode := flag.Bool("fill", false, "In this mode utility fills DB with features and endpoints from existing Role Template")
@@ -34,8 +34,8 @@ func main() {
 		logrus.Fatalf("cannot load config: %s", err.Error())
 	}
 
-	if *isCreateMode == *isFillMode {
-		logrus.Fatalf("exactly one mode should be choosen")
+	if !*isCreateMode && !*isFillMode {
+		logrus.Fatalf("at least one mode should be chosen")
 	}
 
 	if *isCreateMode {

diff --git a/cmd/rbacgen/rbacgen-service-example-config.yaml b/cmd/rbacgen/rbacgen-service-example-config.yaml
@@ -19,7 +19,7 @@ pubsub:
 
 rbacgen:
   specsPaths: 
-    - './api/ims/ims-api.yaml'
-    - './api/rbac/rbac-api.yaml'
-    - './api/timetable/timetable-api.yaml'
-  tmplPath: './cmd/rbacgen/roleTmpl.yaml'
+    - '/etc/rbacgen/api/ims/ims-api.yaml'
+    - '/etc/rbacgen/api/rbac/rbac-api.yaml'
+    - '/etc/rbacgen/api/timetable/timetable-api.yaml'
+  tmplPath: '/etc/rbacgen/roleTmpl.yaml'
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -7,7 +7,8 @@ services:
     ports: 
       - "8001:8000"
     volumes:
-      - ./cmd/rbac/rbac-service-example-config.yaml:/go/src/app/cmd/rbac/rbac-service-example-config.yaml
+      - ./cmd/rbac/rbac-service-example-config.yaml:/etc/rbac/rbac-service-config.yaml
+      - ./pkg/rbac/opa/authorization.rego:/etc/rbac/policy/authorization.rego
     depends_on: 
       - rbac-db
       - rbac-db-migrator
@@ -22,7 +23,8 @@ services:
     ports: 
       - "8002:8000"
     volumes:
-      - ./cmd/rbacgen/rbacgen-service-example-config.yaml:/go/src/app/cmd/rbacgen/rbacgen-service-example-config.yaml
+      - ./cmd/rbacgen/rbacgen-service-example-config.yaml:/etc/rbacgen/rbacgen-service-config.yaml
+      - ./api:/etc/rbacgen/api
     depends_on:
       - rbac-db
       - rbac-db-migrator
@@ -46,7 +48,7 @@ services:
       context: .
       dockerfile: Dockerfile.rbac-db-migrator
     volumes:
-      - ./pkg/rbac/repository/postgres/migrations:/migrations
+      - ./pkg/rbac/repository/postgres/migrations:/etc/migrations
     depends_on:
       - rbac-db
     restart: on-failure

diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/getkin/kin-openapi v0.8.0
 	github.com/gofrs/uuid v3.3.0+incompatible // indirect
-	github.com/gorilla/handlers v1.4.2 // indirect
+	github.com/gorilla/handlers v1.4.2
 	github.com/gorilla/mux v1.7.4
 	github.com/jackc/fake v0.0.0-20150926172116-812a484cc733 // indirect
 	github.com/jackc/pgx v3.6.2+incompatible

diff --git a/pkg/rbac/opa/opa.go b/pkg/rbac/opa/opa.go
@@ -7,11 +7,21 @@ import (
 	"github.com/open-policy-agent/opa/rego"
 )
 
-func GetDecision(ctx context.Context, requestRegoInput rbac.Input) error {
+type PolicyAgent struct {
+	policyPath string
+}
+
+func NewPolicyAgent(policyPath string) *PolicyAgent {
+	return &PolicyAgent{
+		policyPath: policyPath,
+	}
+}
+
+func (pa PolicyAgent)GetDecision(ctx context.Context, requestRegoInput rbac.Input) error {
 	authorizationRego := rego.New(
 		rego.Query("data.authorization.isAccessGranted"),
 		rego.Input(requestRegoInput),
-		rego.Load([]string{"./pkg/rbac/opa/authorization.rego"}, nil))
+		rego.Load([]string{pa.policyPath}, nil))
 
 	regoResult, err := authorizationRego.Eval(ctx)
 	if err != nil {