diff --git a/pkg/apis/options/alpha_options.go b/pkg/apis/options/alpha_options.go index 04769d7f..2ee17819 100644 --- a/pkg/apis/options/alpha_options.go +++ b/pkg/apis/options/alpha_options.go @@ -9,6 +9,11 @@ package options // They may change between releases without notice. // ::: type AlphaOptions struct { + // Authorization is used to configure authorization checks. + // Rules can be configured for HTTP requests to allow or deny requests, + // or to delegate the authorization to session based authorization. + Authorization Authorization `json:"authorization,omitempty"` + // UpstreamConfig is used to configure upstream servers. // Once a user is authenticated, requests to the server will be proxied to // these upstream servers based on the path mappings defined in this list. diff --git a/pkg/apis/options/authorization.go b/pkg/apis/options/authorization.go index 2c5f9176..0f6955a0 100644 --- a/pkg/apis/options/authorization.go +++ b/pkg/apis/options/authorization.go @@ -1,17 +1,53 @@ package options +// AuthorizationPolicy is an enumeration of different authorization rule +// policies. Each policy determines a different action for a matching rule. type AuthorizationPolicy string const ( + // AllowPolicy when used, with a matching authorization rule, allows the + // request without further authorization. AllowPolicy AuthorizationPolicy = "Allow" - DenyPolicy AuthorizationPolicy = "Deny" + + // DelegatePolicy when used, with a matching authorization rule, delegates + // the authorization to the session based authorization. + // This can only be used with request based authorization rules. + DelegatePolicy AuthorizationPolicy = "Delegate" + + // DenyPolicy when used, with a matching authorization rule, denies the + // request without further authorization. + DenyPolicy AuthorizationPolicy = "Deny" ) -type AuthorizationRule struct { - Policy AuthorizationPolicy - Path string - Methods []string - IPs []string +// Authorization contains fields to allow configuration of request authorization. +type Authorization struct { + // RequestRules determines a set of rules for which each request to the proxy + // should be matched against. + // If any rule matches the request, the policy for the rule is applied to the + // request. + RequestRules []AuthorizationRule `json:"requestRules,omitempty"` } -type RequestRules []AuthorizationRule +// AuthorizationRule determines the configuration for a particular authorization +// rule. + +type AuthorizationRule struct { + // Policy is the authorization policy to apply should the rule match the given + // request. + // All conditions specified within the rule must match the request for the + // policy to be applied. + // Valid values are Allow, Deny and Delegate. + Policy AuthorizationPolicy + + // Path is a regex string that expects to match the HTTP request path. + Path string + + // Methods is a list of HTTP methods to match against the HTTP request method. + // If any method in the list matches the request method, this rule is + // considered to match. + Methods []string + + // IPs is a list of IP or network addresses (in CIDR notation) with which to + // match the request client IP address. + IPs []string +} diff --git a/pkg/authorization/rules.go b/pkg/authorization/rules.go index 41c36b31..11f97e5f 100644 --- a/pkg/authorization/rules.go +++ b/pkg/authorization/rules.go @@ -12,11 +12,12 @@ type AuthorizationPolicy int const ( NonePolicy AuthorizationPolicy = iota AllowPolicy + DelegatePolicy DenyPolicy ) type RuleSet interface { - Matches(req *http.Request) AuthorizationPolicy + MatchesRequest(req *http.Request) AuthorizationPolicy } type rule struct { @@ -63,6 +64,8 @@ func newRule(authRule options.AuthorizationRule, getClientIPFunc func(*http.Requ switch authRule.Policy { case options.AllowPolicy: policy = AllowPolicy + case options.DelegatePolicy: + policy = DelegatePolicy case options.DenyPolicy: policy = DenyPolicy default: @@ -80,7 +83,7 @@ type ruleSet struct { rules []rule } -func (r ruleSet) Matches(req *http.Request) AuthorizationPolicy { +func (r ruleSet) MatchesRequest(req *http.Request) AuthorizationPolicy { for _, rule := range r.rules { if policy := rule.matches(req); policy != NonePolicy { // The rule applies to this request, return its policy @@ -91,7 +94,7 @@ func (r ruleSet) Matches(req *http.Request) AuthorizationPolicy { return NonePolicy } -func NewRuleSet(requestRules options.RequestRules, getClientIPFunc func(*http.Request) net.IP) (RuleSet, error) { +func NewRuleSet(requestRules []options.AuthorizationRule, getClientIPFunc func(*http.Request) net.IP) (RuleSet, error) { rules := []rule{} for _, requestRule := range requestRules { r, err := newRule(requestRule, getClientIPFunc)