Implement AuthNZ provider mechanism

Signed-off-by: Josh Kim <[email protected]>

Author: jooskim

plank/pkg/server/auth_provider_manager/auth_provider_manager.go

@@ -0,0 +1,116 @@
+package auth_provider_manager
+
+import (
+	"fmt"
+	"regexp"
+	"sync"
+)
+
+var authProviderMgrInstance AuthProviderManager
+
+type AuthProviderManager interface {
+	GetRESTAuthProvider(uri string) (*RESTAuthProvider, error)
+	GetSTOMPAuthProvider() (*STOMPAuthProvider, error)
+	SetRESTAuthProvider(regex *regexp.Regexp, provider *RESTAuthProvider) int
+	SetSTOMPAuthProvider(provider *STOMPAuthProvider) error
+	DeleteRESTAuthProvider(idx int) error
+	DeleteSTOMPAuthProvider() error
+}
+
+type regexpRESTAuthProviderPair struct {
+	regexp *regexp.Regexp
+	restAuthProvider *RESTAuthProvider
+}
+
+type authProviderManager struct {
+	stompAuthProvider *STOMPAuthProvider
+	uriPatternRestAuthProviderPairs []*regexpRESTAuthProviderPair
+	mu sync.Mutex
+}
+
+type AuthProviderNotFoundError struct {}
+
+func (e *AuthProviderNotFoundError) Error() string {
+	return fmt.Sprintf("no auth provider was found at the given location/name")
+}
+
+type AuthError struct {
+	Code int
+	Message string
+}
+func (e *AuthError) Error() string {
+	return fmt.Sprintf("authentication/authorization error (%d): %s", e.Code, e.Message)
+}
+
+func (a *authProviderManager) GetRESTAuthProvider(uri string) (*RESTAuthProvider, error) {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+
+	// perform regex tests to find the first matching REST auth provider
+	for _, pair := range a.uriPatternRestAuthProviderPairs {
+		if pair.regexp.Match([]byte(uri)) {
+			return pair.restAuthProvider, nil
+		}
+	}
+	return nil, &AuthProviderNotFoundError{}
+}
+
+func (a *authProviderManager) GetSTOMPAuthProvider() (*STOMPAuthProvider, error) {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	if a.stompAuthProvider == nil {
+		return nil, &AuthProviderNotFoundError{}
+	}
+	return a.stompAuthProvider, nil
+}
+
+func (a *authProviderManager) SetRESTAuthProvider(regex *regexp.Regexp, provider *RESTAuthProvider) int {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	a.uriPatternRestAuthProviderPairs = append(a.uriPatternRestAuthProviderPairs, &regexpRESTAuthProviderPair{
+		regexp:           regex,
+		restAuthProvider: provider,
+	})
+
+	return len(a.uriPatternRestAuthProviderPairs)-1
+}
+
+func (a *authProviderManager) SetSTOMPAuthProvider(provider *STOMPAuthProvider) error {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	a.stompAuthProvider = provider
+	return nil
+}
+
+func (a *authProviderManager) DeleteRESTAuthProvider(idx int) error {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	if idx < 0 || idx > len(a.uriPatternRestAuthProviderPairs)-1 {
+		return fmt.Errorf("no REST auth provider exists at index %d", idx)
+	}
+	borderLeft := idx
+	borderRight := idx+1
+	if idx > 0 {
+		borderLeft--
+	}
+	a.uriPatternRestAuthProviderPairs = append(a.uriPatternRestAuthProviderPairs[:borderLeft], a.uriPatternRestAuthProviderPairs[borderRight:]...)
+	return nil
+}
+
+func (a *authProviderManager) DeleteSTOMPAuthProvider() error {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	a.stompAuthProvider = nil
+	return nil
+}
+
+func GetAuthProviderManager() AuthProviderManager {
+	if authProviderMgrInstance == nil {
+		authProviderMgrInstance = &authProviderManager{}
+	}
+	return authProviderMgrInstance
+}
+
+func DestroyAuthProviderManager() {
+	authProviderMgrInstance = nil
+}

plank/pkg/server/auth_provider_manager/rest_auth_provider.go

@@ -0,0 +1,69 @@
+package auth_provider_manager
+
+import (
+	"github.com/vmware/transport-go/plank/utils"
+	"net/http"
+	"sort"
+	"sync"
+)
+
+type HttpRequestValidatorFn func(request *http.Request) *AuthError
+
+type httpRequestValidatorRule struct {
+	name string
+	priority int
+	validatorFn HttpRequestValidatorFn
+}
+
+type RESTAuthProvider struct {
+	rules map[string]*httpRequestValidatorRule
+	rulesByPriority []*httpRequestValidatorRule
+	mu sync.Mutex
+}
+
+func (ap *RESTAuthProvider) Validate(request *http.Request) *AuthError {
+	ap.mu.Lock()
+	defer ap.mu.Unlock()
+	defer func() {
+		if r := recover(); r != nil {
+			utils.Log.Errorln(r)
+		}
+	}()
+
+	for _, rule := range ap.rulesByPriority {
+		err := rule.validatorFn(request)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (ap *RESTAuthProvider) AddRule(name string, priority int, validatorFn HttpRequestValidatorFn) {
+	ap.mu.Lock()
+	defer ap.mu.Unlock()
+
+	rule := &httpRequestValidatorRule{
+		name:        name,
+		priority:    priority,
+		validatorFn: validatorFn,
+	}
+	ap.rules[name] = rule
+	ap.rulesByPriority = append(ap.rulesByPriority, rule)
+	sort.SliceStable(ap.rulesByPriority, func(i, j int) bool {
+		return ap.rulesByPriority[i].priority < ap.rulesByPriority[j].priority
+	})
+}
+
+func (ap *RESTAuthProvider) Reset() {
+	ap.mu.Lock()
+	defer ap.mu.Unlock()
+	ap.rules = make(map[string]*httpRequestValidatorRule)
+	ap.rulesByPriority = make([]*httpRequestValidatorRule, 0)
+}
+
+func NewRESTAuthProvider() *RESTAuthProvider {
+	ap := &RESTAuthProvider{}
+	ap.Reset()
+	return ap
+}

plank/pkg/server/auth_provider_manager/stomp_auth_provider.go

@@ -0,0 +1,77 @@
+package auth_provider_manager
+
+import (
+	"github.com/go-stomp/stomp/frame"
+	"github.com/vmware/transport-go/plank/utils"
+	"sort"
+	"sync"
+)
+
+type StompFrameValidatorFn func(fr *frame.Frame) *AuthError
+
+type stompFrameValidatorRule struct {
+	msgFrameType string
+	priority int
+	validatorFn StompFrameValidatorFn
+}
+
+type STOMPAuthProvider struct {
+	rules map[string][]*stompFrameValidatorRule
+	mu sync.Mutex
+}
+
+func (ap *STOMPAuthProvider) Validate(fr *frame.Frame) error {
+	ap.mu.Lock()
+	defer ap.mu.Unlock()
+	defer func() {
+		if r := recover(); r != nil {
+			utils.Log.Errorln(r)
+		}
+	}()
+
+	rules, found := ap.rules[fr.Command]
+	// if no rule was found let the request pass through
+	if !found {
+		return nil
+	}
+
+	for _, rule := range rules {
+		err := rule.validatorFn(fr)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (ap *STOMPAuthProvider) AddRule(types []string, priority int, validatorFn StompFrameValidatorFn) {
+	ap.mu.Lock()
+	defer ap.mu.Unlock()
+
+	for _, typ := range types {
+		rule := &stompFrameValidatorRule{
+			msgFrameType: typ,
+			priority:    priority,
+			validatorFn: validatorFn,
+		}
+		if _, ok := ap.rules[typ]; !ok {
+			ap.rules[typ] = make([]*stompFrameValidatorRule, 0)
+		}
+		ap.rules[typ] = append(ap.rules[typ], rule)
+		sort.SliceStable(ap.rules[typ], func(i, j int) bool {
+			return ap.rules[typ][i].priority < ap.rules[typ][j].priority
+		})
+	}
+}
+
+func (ap *STOMPAuthProvider) Reset() {
+	ap.mu.Lock()
+	defer ap.mu.Unlock()
+	ap.rules = make(map[string][]*stompFrameValidatorRule)
+}
+
+func NewSTOMPAuthProvider() *STOMPAuthProvider {
+	return &STOMPAuthProvider{
+		rules: make(map[string][]*stompFrameValidatorRule),
+	}
+}

plank/pkg/server/endpointer_handler_factory.go

@@ -3,10 +3,12 @@ package server
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"github.com/sirupsen/logrus"
 	"github.com/vmware/transport-go/bus"
 	"github.com/vmware/transport-go/model"
+	"github.com/vmware/transport-go/plank/pkg/server/auth_provider_manager"
 	"github.com/vmware/transport-go/plank/utils"
 	"github.com/vmware/transport-go/service"
 	"net/http"
@@ -25,6 +27,24 @@ func buildEndpointHandler(svcChannel string, reqBuilder service.RequestBuilder,
 			}
 		}()
 
+		apm := auth_provider_manager.GetAuthProviderManager()
+		provider, err := apm.GetRESTAuthProvider(r.URL.Path)
+
+		if err != nil && !errors.Is(err, &auth_provider_manager.AuthProviderNotFoundError{}){
+			utils.Log.Errorln(err)
+			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
+
+		// run validation against rules registered in the provider only if such provider exists
+		if provider != nil {
+			err := provider.Validate(r)
+			if err != nil {
+				http.Error(w, err.Message, err.Code)
+				return
+			}
+		}
+
 		// set context that expires after the provided amount of time in restBridgeTimeout to prevent requests from hanging forever
 		ctx, cancelFn := context.WithTimeout(context.Background(), restBridgeTimeout)
 		defer cancelFn()

plank/pkg/server/server.go

@@ -334,6 +334,20 @@ func (ps *platformServer) SetHttpChannelBridge(bridgeConfig *service.RESTBridgeC
 		bridgeConfig.ServiceChannel, bridgeConfig.Uri, bridgeConfig.Method)
 }
 
+func (ps *platformServer) clearHttpChannelBridgesForService(serviceChannel string) {
+	ps.lock.Lock()
+	defer ps.lock.Unlock()
+
+	// if in override mode delete existing mappings associated with the service
+	existingMappings := ps.serviceChanToBridgeEndpoints[serviceChannel]
+	ps.serviceChanToBridgeEndpoints[serviceChannel] = make([]string, 0)
+	for _, handlerKey := range existingMappings {
+		utils.Log.Infof("Removing existing service - REST mapping '%s' for service '%s'", handlerKey, serviceChannel)
+		ps.router.Get(fmt.Sprintf("bridge-%s", handlerKey)).Handler(http.NotFoundHandler())
+		delete(ps.endpointHandlerMap, handlerKey)
+	}
+}
+
 // GetMiddlewareManager returns the MiddleManager instance
 func (ps *platformServer) GetMiddlewareManager() middleware.MiddlewareManager {
 	return ps.middlewareManager

stompserver/server.go

@@ -200,7 +200,7 @@ func (s *stompServer) waitForConnections() {
          if err != nil {
              log.Println("Failed to establish client connection:", err)
          } else {
-             c := NewStompConn(rawConn, s.config, s.connectionEvents)
+             c := NewStompConn(rawConn, s.config, s.connectionEvents, true)
 
              s.connectionEvents <- &ConnEvent{
                  ConnId:    c.GetId(),

stompserver/stomp_connection.go

@@ -8,6 +8,7 @@ import (
     "github.com/go-stomp/stomp"
     "github.com/go-stomp/stomp/frame"
     "github.com/google/uuid"
+    "github.com/vmware/transport-go/plank/pkg/server/auth_provider_manager"
     "log"
     "strconv"
     "strings"
@@ -52,9 +53,10 @@ type stompConn struct {
     subscriptions    map[string]*subscription
     currentMessageId uint64
     closeOnce        sync.Once
+    authProviderManager auth_provider_manager.AuthProviderManager
 }
 
-func NewStompConn(rawConnection RawConnection, config StompConfig, events chan *ConnEvent) StompConn {
+func NewStompConn(rawConnection RawConnection, config StompConfig, events chan *ConnEvent, useAuthProvider bool) StompConn {
     conn := &stompConn{
         rawConnection: rawConnection,
         state:         connecting,
@@ -66,6 +68,10 @@ func NewStompConn(rawConnection RawConnection, config StompConfig, events chan *
         subscriptions: make(map[string]*subscription),
     }
 
+    if useAuthProvider {
+        conn.authProviderManager = auth_provider_manager.GetAuthProviderManager()
+    }
+
     go conn.run()
     go conn.readInFrames()
 
@@ -158,6 +164,18 @@ func (conn *stompConn) run() {
 }
 
 func (conn *stompConn) handleIncomingFrame(f *frame.Frame) error {
+    if conn.authProviderManager != nil {
+        // if a STOMP auth provider was configured try to validate each frame with the rules defined
+        // in the provider. if auth provider is not found let the payload through
+        if provider, _ := conn.authProviderManager.GetSTOMPAuthProvider(); provider != nil {
+            err := provider.Validate(f) // TODO: should we return error through a transport channel?
+            if err != nil {
+                fmt.Println(f.Command, err)
+                return err
+            }
+        }
+    }
+
     switch f.Command {
 
     case frame.CONNECT, frame.STOMP:

stompserver/stomp_connection_test.go

@@ -97,7 +97,7 @@ func getTestStompConn(conf StompConfig, events chan *ConnEvent) (*stompConn, *Mo
     }
 
     rawConn := NewMockRawConnection()
-    return NewStompConn(rawConn, conf, events).(*stompConn), rawConn, events
+    return NewStompConn(rawConn, conf, events, true).(*stompConn), rawConn, events
 }
 
 func TestStompConn_Connect(t *testing.T) {