From 374a676c9d81afb49fa84c84ee72384d825c3d06 Mon Sep 17 00:00:00 2001
From: Joel Speed
Date: Sun, 24 Apr 2022 19:07:15 +0100
Subject: [PATCH] Add Authorization to the request scope
---
 pkg/apis/middleware/scope.go | 53 ++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
diff --git a/pkg/apis/middleware/scope.go b/pkg/apis/middleware/scope.go
index 2d84f00e..4b0b6a77 100644
--- a/pkg/apis/middleware/scope.go
+++ b/pkg/apis/middleware/scope.go
@@ -17,6 +17,10 @@ const RequestScopeKey scopeKey = "request-scope"
 // The RequestScope is used to pass information between different middlewares
 // within the chain.
 type RequestScope struct {
+ // Authorization is used to indicate if the requset has been authorized
+ // by an authorizer earlier in the request chain.
+ Authorization Authorization
+
 // ReverseProxy tracks whether OAuth2-Proxy is operating in reverse proxy
 // mode and if request `X-Forwarded-*` headers should be trusted
 ReverseProxy bool
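Review bot: The comment on the new `Authorization` field misspells "request" as "requset" and does not say which middleware may write the field. `GetRequestScope` in this file returns a `*RequestScope`, so as far as this patch shows any later middleware in the chain can overwrite an earlier decision, including replacing `Deny` with `Allow`. If the intended contract is that a denial is final, I would fix the typo and add a line such as `// A Deny set by an earlier authorizer must not be relaxed by a later middleware.` The `RequestScope` struct continues beyond this hunk.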
@@ -43,6 +47,55 @@ type RequestScope struct {
 Upstream string
 }

+// Authorization contains information about the Authorization of a particular
+// request.
+type Authorization struct {
+ // Type is the type of authorization.
+ // Valid values are: Request.
+ Type AuthorizationType
+
+ // Policy is the authorization policy to apply to this request
+ // given the authorization type.
+ // Valid values are Allow, Delegate, Deny or omitted.
+ // When omitted the caller should decide how to handle this.
+ Policy AuthorizationPolicy
+
+ // Message is a message set by the authorizer.
+ // This can contain any information about the authorization decision.
+ // It may contain success or failure indications.
+ Message string
+}
+
+// AuthorizationType is a type of authorization for the request.
+type AuthorizationType string
+
+const (
+ // RequestAuthorization indicates that the request was authorized
+ // based on the request based authorization. For example via an allowed route
+ // or allow IP combination.
+ RequestAuthorization AuthorizationType = "Request"
+)
+
+// AuthorizationPolicy is the policy to apply based on the authorization type.
+type AuthorizationPolicy string
+
+const (
+ // AllowPolicy indicates the request should be allowed.
+ AllowPolicy AuthorizationPolicy = "Allow"
+
+ // DelegatePolicy indicates the authorization should be delegated to a later
+ // authorizer.
+ DelegatePolicy AuthorizationPolicy = "Delegate"
+
+ // DenyPolicy indicates the request should be denied.
+ DenyPolicy AuthorizationPolicy = "Deny"
+
+ // OmittedPolicy is the default policy. This should not be set explicitly
+ // but can be used to determine that the authorization has not yet been
+ // completed.
+ OmittedPolicy AuthorizationPolicy = ""
+)
+
 // GetRequestScope returns the current request scope from the given request
 func GetRequestScope(req *http.Request) *RequestScope {
 scope := req.Context().Value(RequestScopeKey)
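Review bot: The `Policy` doc comment says that when the value is omitted "the caller should decide how to handle this", which leaves room for a consumer to treat the zero value as permission. `AuthorizationPolicy` is a plain string type and `OmittedPolicy` is `""`, so a freshly created scope and any unrecognised string both reach consumers without an explicit decision. I would state the fail-closed rule in the comment, e.g. `// Only AllowPolicy grants access; omitted or unrecognised values must never be treated as Allow.`, so that consumers compare against `AllowPolicy` rather than testing for not-`DenyPolicy`. `Message` is documented as free-form, so if authorizers build it from request data it is worth a note that it should be treated as untrusted when logged or returned to the client.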