diff --git a/plank/cmd/main.go b/plank/cmd/main.go
index dc8dbbe..c99aff3 100644
--- a/plank/cmd/main.go
+++ b/plank/cmd/main.go
@@ -1,11 +1,15 @@
 package main
 
 import (
+	"github.com/go-stomp/stomp/frame"
+	"github.com/urfave/cli"
 	"github.com/vmware/transport-go/plank/pkg/server"
+	"github.com/vmware/transport-go/plank/pkg/server/auth_provider_manager"
 	"github.com/vmware/transport-go/plank/services"
 	"github.com/vmware/transport-go/plank/utils"
-	"github.com/urfave/cli"
+	"net/http"
 	"os"
+	"regexp"
 )
 
 var version string
@@ -41,6 +45,9 @@ func main() {
 		platformServer = server.NewPlatformServer(serverConfig)
 	}
 
+	AddSampleSTOMPAuthFilters()
+	AddSampleRESTAuthFilters()
+
 	// register services
 	if err := platformServer.RegisterService(services.NewPingPongService(), services.PingPongServiceChan); err != nil {
 		panic(err)
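Review bot: The import block now interleaves standard-library packages (`"net/http"`, `"os"`, `"regexp"`) with third-party ones, which is not what goimports produces and will be reshuffled by the next tool run. Put the three stdlib imports in their own group above the `github.com/...` group, blank-line separated, so the file stays gofmt/goimports-clean.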
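Review bot: The two calls added to main (`AddSampleSTOMPAuthFilters()` and `AddSampleRESTAuthFilters()`) run unconditionally on every start, so the filters they install — marked "delete before merging" later in this diff — would gate all STOMP CONNECT/SEND traffic and the matching REST route with hard-coded token literals if that TODO is missed. Either remove the calls before merge or put them behind an explicit opt-in read through the existing cli setup, so a default build does not ship with sample credentials as its authentication policy. main's body continues outside the hunk.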
@@ -63,3 +70,90 @@ func main() {
 		panic(err)
 	}
 }
+
+// TODO: demo purpose only. delete before merging
+
+func AddSampleRESTAuthFilters() {
+	// instantiate auth provider manager
+	apm := auth_provider_manager.GetAuthProviderManager()
+
+	// create a new auth provider and add a new filter rule for REST authentication based on presence of a certain header
+	restAuthProvider := auth_provider_manager.NewRESTAuthProvider()
+	restAuthProvider.AddRule("csp-auth-header", 1, func(req *http.Request) *auth_provider_manager.AuthError {
+		token := req.Header.Get("csp-auth-token")
+		if len(token) == 0 {
+			return &auth_provider_manager.AuthError{
+				Code: 401,
+				Message: "Unauthorized",
+			}
+		}
+		return nil
+	})
+
+	restAuthProvider.AddRule("csp-auth-token-match", 2, func(req *http.Request) *auth_provider_manager.AuthError {
+		token := req.Header.Get("csp-auth-token")
+		if token != "42" {
+			return &auth_provider_manager.AuthError{
+				Code: 403,
+				Message: "Forbidden",
+			}
+		}
+		return nil
+	})
+
+	// register the provider with auth provider manager
+	exp, err := regexp.Compile(`\/rest\/ping-pong2`)
+	if err != nil {
+		panic(err)
+	}
+	apm.SetRESTAuthProvider(exp, restAuthProvider)
+}
+
+// TODO: demo purpose only. delete before merging
+
+func AddSampleSTOMPAuthFilters() {
+	// instantiate auth provider manager
+	apm := auth_provider_manager.GetAuthProviderManager()
+
+	// create a new auth provider for STOMP
+	stompAuthProvider := auth_provider_manager.NewSTOMPAuthProvider()
+
+	// first rule on CONNECT: require the value of header access-token to match "something"
+	stompAuthProvider.AddRule([]string{frame.CONNECT}, 0, func(fr *frame.Frame) *auth_provider_manager.AuthError {
+		token := fr.Header.Get("access-token")
+		utils.Log.Warnln("ACCESS TOKEN FROM CLIENT", token)
+		if token != "something" {
+			return &auth_provider_manager.AuthError{
+				Code: 403,
+				Message: "Cannot connect to Fabric: Forbidden",
+			}
+		}
+		return nil
+	})
+
+	// first rule on SEND: require the presence of header csp-auth-token
+	stompAuthProvider.AddRule([]string{frame.SEND}, 1, func(fr *frame.Frame) *auth_provider_manager.AuthError {
+		token := fr.Header.Get("csp-auth-token")
+		if len(token) == 0 {
+			return &auth_provider_manager.AuthError{
+				Code: 401,
+				Message: "Unauthorized",
+			}
+		}
+		return nil
+	})
+
+	// second rule on SEND: require the exact match of value of csp-auth-token to be "42"
+	stompAuthProvider.AddRule([]string{frame.SEND}, 2, func(fr *frame.Frame) *auth_provider_manager.AuthError {
+		token := fr.Header.Get("csp-auth-token-match")
+		if token != "42" {
+			return &auth_provider_manager.AuthError{
+				Code: 403,
+				Message: "Forbidden",
+			}
+		}
+		return nil
+	})
+
+	apm.SetSTOMPAuthProvider(stompAuthProvider)
+}
\ No newline at end of file
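Review bot: The CONNECT rule in AddSampleSTOMPAuthFilters writes the client's credential to the log (`utils.Log.Warnln("ACCESS TOKEN FROM CLIENT", token)`), so every connecting client's access-token lands in plaintext log output; drop that line, or log only whether a token was presented, e.g. `utils.Log.Warnln("access-token present:", token != "")`. The second SEND rule also disagrees with its own comment: the comment says it matches `csp-auth-token`, but the code reads `fr.Header.Get("csp-auth-token-match")`, which looks like the REST rule's name copied in as a header name, so the CONNECT/SEND presence check and the value check never look at the same header — align one with the other. The REST route pattern `\/rest\/ping-pong2` is unanchored, so if the manager matches it against the request path it also covers any path containing that substring; the escaped slashes are unnecessary in Go, and an anchored `^/rest/ping-pong2$` compiled once with regexp.MustCompile at package scope would be both tighter and idiomatic. Both functions are marked demo-only with literal token values ("42", "something"); if they outlive the TODO, the expected values should come from configuration rather than source.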