Merge pull request #14 from benarena/benarena/update-rbac-model

update rbac model

Author: jphorec

README.md

@@ -1,6 +1,6 @@
 # kong-wallet-jwt
 
-Adds an extra layer of security and functions as a role authority. This plugin takes in an `Authorization` header with a user signed JWT token.  With a verified JWT this plugin can also function as a role authority and provide `x-roles` that belong to the associated account that signed the JWT. 
+Adds an extra layer of security and functions as a role authority. This plugin takes in an `Authorization` header with a user signed JWT token.  With a verified JWT this plugin can also function as a role authority and provide `x-wallet-access` that belong to the associated account that signed the JWT. 
 
 ## Getting started
 

cmd/jwt-wallet/main_test.go

@@ -133,7 +133,7 @@ func TestValidJwt(t *testing.T) {
 	token := jwt.NewWithClaims(signing.NewSecp256k1Signer(), claims)
 	sig, _ := token.SignedString(prvk)
 
-	r := ioutil.NopCloser(bytes.NewReader([]byte(grantsJSONString)))
+	r := ioutil.NopCloser(bytes.NewReader([]byte(subjectJSONString)))
 	GetDoFunc = func(*http.Request) (*http.Response, error) {
 		return &http.Response{
 			StatusCode: 200,
@@ -151,8 +151,8 @@ func TestValidJwt(t *testing.T) {
 	env.DoHttp(config)
 
 	assert.Equal(t, 200, env.ClientRes.Status)
-	assert.NotEmpty(t, env.ServiceReq.Headers.Get("x-roles"))
-	assert.Equal(t, xRoles, env.ServiceReq.Headers.Get("x-roles"))
+	assert.NotEmpty(t, env.ServiceReq.Headers.Get("x-wallet-access"))
+	assert.Equal(t, xRoles, env.ServiceReq.Headers.Get("x-wallet-accessz"))
 }
 
 func GenerateClaims(addr string, pubKey *secp256k1.PublicKey) *signing.Claims {
@@ -172,27 +172,25 @@ func GenerateClaims(addr string, pubKey *secp256k1.PublicKey) *signing.Claims {
 	}
 }
 
-var grantsJSONString = `
+var subjectJSONString = `
 {
-	"account": {
-		"address": "1337-wallet",
-		"name": "jwt-wallet",
-		"type": "ORGANIZATION"
-	},
+	"address": "1337-wallet",
+	"name": "jwt-wallet",
 	"grants": [
 		{
-			"org": {
-				"address": "1337-wallet",
-				"name": "jwt-wallet",
-				"type": "ORGANIZATION"
-			},
-			"roles": [
-				"1337_role"
-			],
+			"address": "1337-wallet",
+			"name": "jwt-wallet",
 			"authzGrants": [],
-			"apps": []
+			"applications": [
+				{
+					"name": "myapp",
+					"permissions": [
+						"1337_role"
+					]
+				}
+			]
 		}
 	]
 }`
 
-var xRoles = `{"orgs":[{"name":"jwt-wallet","roles":["1337_role"],"authzGrants":[]}]}`
+var xRoles = `[{"address":"1337-wallet","name":"jwt-wallet","authzGrants":[],"applications":[{"name":"myapp","permissions":["1337_role"]}]}]`

config.yml

@@ -8,6 +8,7 @@ services:
   plugins:
   - name: jwt-wallet
     config:
-#      rbac: http://localhost:8888/api/v1/rbac/account/{addr}/grants    # Running RBAC Service
-#      rbac: http://docker.for.mac.host.internal:8888/{addr}/index.html # Use when running `make http` on Mac
-      rbac: http://localhost:8888/{addr}/index.html                     # Use when running `make http` on Linux
+#      rbac: http://docker.for.mac.host.internal:8069/rbac/api/v1/subjects/{addr}/grants  # Running RBAC Service on Mac
+      rbac: http://localhost:8069/rbac/api/v1/subjects/{addr}/grants                     # Running RBAC Service on Linux
+#      rbac: http://docker.for.mac.host.internal:8888/{addr}/index.html                   # Use when running `make http` on Mac
+#      rbac: http://localhost:8888/{addr}/index.html                                      # Use when running `make http` on Linux

grants/grants.go

@@ -8,32 +8,20 @@ import (
 	"strings"
 )
 
-type RoleResponse struct {
-	Account struct {
-		Address string `json:"address"`
-		Name    string `json:"name"`
-		Type    string `json:"type"`
-	} `json:"account"`
-	Grants []struct {
-		Org struct {
-			Address string `json:"address"`
-			Name    string `json:"name"`
-			Type    string `json:"type"`
-		} `json:"org"`
-		Roles       []string      `json:"roles"`
-		AuthzGrants []string      `json:"authzGrants"`
-		Apps        []interface{} `json:"apps"`
-	} `json:"grants"`
+type SubjectResponse struct {
+	Address string          `json:"address"`
+	Name    string          `json:"name"`
+	Grants  []GrantedAccess `json:"grants"`
 }
 
-type Grants struct {
-	Orgs []Org `json:"orgs"`
-}
-
-type Org struct {
-	Name        string   `json:"name"`
-	Roles       []string `json:"roles"`
-	AuthzGrants []string `json:"authzGrants"`
+type GrantedAccess struct {
+	Address      string   `json:"address"`
+	Name         string   `json:"name"`
+	AuthzGrants  []string `json:"authzGrants"`
+	Applications []struct {
+		Name        string   `json:"name"`
+		Permissions []string `json:"permissions"`
+	} `json:"applications"`
 }
 
 var (
@@ -48,15 +36,15 @@ func init() {
 	Client = &http.Client{}
 }
 
-func GetGrants(grantsURL string, address string, apiKey string) (*Grants, error) {
+func GetGrants(grantsURL string, address string, apiKey string) (*[]GrantedAccess, error) {
 	uri := strings.ReplaceAll(grantsURL, "{addr}", address)
-	roleReq, _ := http.NewRequest("GET", uri, nil)
-	roleReq.Header.Add("x-sender", address)
+	request, _ := http.NewRequest("GET", uri, nil)
+	request.Header.Add("x-sender", address)
 	// Add apikey if supplied.
 	if apiKey != "" {
-		roleReq.Header.Add("apikey", apiKey)
+		request.Header.Add("apikey", apiKey)
 	}
-	resp, err := Client.Do(roleReq)
+	resp, err := Client.Do(request)
 	if err != nil {
 		return nil, err
 	}
@@ -67,21 +55,11 @@ func GetGrants(grantsURL string, address string, apiKey string) (*Grants, error)
 		return nil, err
 	}
 
-	var roleResponse RoleResponse
-	if err := json.Unmarshal(body, &roleResponse); err != nil {
+	var response SubjectResponse
+	if err := json.Unmarshal(body, &response); err != nil {
 		fmt.Println("Can not unmarshal JSON")
 		return nil, err
 	}
 
-	var grants Grants
-	for _, grant := range roleResponse.Grants {
-		org := Org{
-			Name:        grant.Org.Name,
-			Roles:       grant.Roles,
-			AuthzGrants: grant.AuthzGrants,
-		}
-
-		grants.Orgs = append(grants.Orgs, org)
-	}
-	return &grants, nil
+	return &response.Grants, nil
 }

http/tp1uz5g72pvfrdnm9qnjpyvsnwc64d4wygyqanx2t/index.html

@@ -1,34 +1,30 @@
 {
-	"account": {
-		"address": "tp1uz5g72pvfrdnm9qnjpyvsnwc64d4wygyqanx2t",
-		"name": "jwt-wallet",
-		"type": "ORGANIZATION"
-	},
+	"address": "tp1uz5g72pvfrdnm9qnjpyvsnwc64d4wygyqanx2t",
+	"name": "jwt-wallet"
 	"grants": [
 		{
-			"org": {
-				"address": "tp1uz5g72pvfrdnm9qnjpyvsnwc64d4wygyqanx2t",
-				"name": "jwt-wallet",
-				"type": "ORGANIZATION"
-			},
-			"roles": [
-				"role_read_org",
-				"role_read_account",
-				"role_read_account_grants",
-				"role_write_account",
-				"role_create_app",
-				"role_read_app",
-				"role_delete_app",
-				"role_create_org_role",
-				"role_read_org_role",
-				"role_delete_org_role",
-				"role_create_group",
-				"role_read_group",
-				"role_delete_group",
-				"role_write_group"
-			],
+			"address": "tp1uz5g72pvfrdnm9qnjpyvsnwc64d4wygyqanx2t",
+			"name": "jwt-wallet",
 			"authzGrants": [],
-			"apps": []
+			"applications": [
+				{
+					"name": "my_app",
+					"permissions": [
+						"create_subject",
+						"read_subject",
+						"update_subject",
+						"delete_subject",
+						"create_permission",
+						"read_permission",
+						"update_permission",
+						"delete_permission",
+						"create_role",
+						"read_role",
+						"update_role",
+						"delete_role"
+					]
+				}
+			]
 		}
 	]
-}
+}

jwt-wallet.go

@@ -60,36 +60,36 @@ func (conf Config) Access(kong *pdk.PDK) {
 		return
 	}
 
-	grants, err := handleRoles(tok, conf.RBAC, conf.APIKey)
+	access, err := handleGrantedAccess(tok, conf.RBAC, conf.APIKey)
 	if err != nil {
 		kong.Log.Warn("err: " + err.Error())
 		kong.Response.Exit(400, "account does not exist", x)
 		return
 	}
 
-	grantsJson, err := json.Marshal(grants)
+	accessJson, err := json.Marshal(access)
 	if err != nil {
-		kong.Response.Exit(500, "someting went wrong", x)
+		kong.Response.Exit(500, "something went wrong", x)
 		return
 	}
-	kong.ServiceRequest.AddHeader("x-roles", string(grantsJson))
+	kong.ServiceRequest.AddHeader("x-wallet-access", string(accessJson))
 
 	kong.Log.Warn(tok)
 
 }
 
 var parser = jwt.NewParser()
 
-func handleRoles(token *jwt.Token, url string, apiKey string) (*grants.Grants, error) {
+func handleGrantedAccess(token *jwt.Token, url string, apiKey string) (*[]grants.GrantedAccess, error) {
 	if claims, ok := token.Claims.(*signing.Claims); ok {
 		if claims.Addr == "" {
 			return nil, fmt.Errorf("missing addr claim")
 		}
-		grants, err := grants.GetGrants(url, claims.Addr, apiKey) // temporary interpolation until better configuration solutions
+		grantedAccess, err := grants.GetGrants(url, claims.Addr, apiKey)
 		if err != nil {
 			return nil, err
 		}
-		return grants, nil
+		return grantedAccess, nil
 	}
 	return nil, fmt.Errorf("malformed claims")
 }