implement keto-rbac middleware for a route
vrag99 committed Dec 28, 2023
1 parent 28a3499 commit e9f9d1c
Showing 4 changed files with 55 additions and 1 deletion.
2 changes: 1 addition & 1 deletion api/main.go
Expand Up @@ -37,7 +37,7 @@ func Start() {
r.GET("/mfa", HandleGetMFAFlow)
r.POST("/mfa", HandlePostMFAFlow)

r.GET("/rbac", HandleRbac)
r.GET("/rbac", middleware.CheckIfAllowed, HandleRbac)

r.POST("/create-identity", c.CreateIdentity)
r.GET("/get-identity", c.GetIdentity)
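Review bot: Only the `/rbac` route gains `middleware.CheckIfAllowed`; the identity routes two lines below (`/create-identity`, `/get-identity`) are still registered without it, so if they are meant to be role-gated this commit does not cover them. If leaving them open is intentional for now, a short comment on the route block naming which routes are guarded would save the next reader the question. `Start` continues outside the hunk.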
2 changes: 2 additions & 0 deletions go.sum
Expand Up @@ -159,6 +159,8 @@ github.com/ory/client-go v0.2.0-alpha.60 h1:sMAqrKP5eUNYyyOYbSjDTwr8EucDxYLGrQC0
github.com/ory/client-go v0.2.0-alpha.60/go.mod h1:dWbi9DBEjiDXwyuJ1+A2WT1/bIp9HwvVxZxzHzp4YHU=
github.com/ory/client-go v1.4.6 h1:tW9najNBiWwC3KgU2tq2kCZ1zRCDCNao60a9M1/V71k=
github.com/ory/client-go v1.4.6/go.mod h1:DfrTIlME7tgrdgpn4UN07s4OJ1SwzHfrkz+C6C0Lbm0=
github.com/ory/client-go v1.4.7 h1:uWPGGM5zVwpSBfcDIhvA6D+bu2YB7zF4STtpAvzkOco=
github.com/ory/client-go v1.4.7/go.mod h1:DfrTIlME7tgrdgpn4UN07s4OJ1SwzHfrkz+C6C0Lbm0=
github.com/ory/keto/proto v0.11.1-alpha.0 h1:xVpFRnnIAGGvP9lYIUwjSWmrO7qVoLn20bT6NxzYQy4=
github.com/ory/keto/proto v0.11.1-alpha.0/go.mod h1:M9J/kybmyLKRmvvSqYzmRVYx2avY3yDMdUPinsck1q0=
github.com/ory/keto/proto/ory/keto/acl/v1alpha1 v0.0.0-20210616104402-80e043246cf9 h1:gP86NkMkUlqMOTjFQ8lt8T1HbHtCJGGeeeh/6c+nla0=
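--- a/pkg/middleware/keto_rolecheck.go
+++ b/pkg/middleware/keto_rolecheck.go
@@ -0,0 +1,47 @@
+package middleware
+
+import (
+"github.com/gin-gonic/gin"
+"github.com/sdslabs/nymeria/log"
+"github.com/sdslabs/nymeria/pkg/wrapper/keto"
+)
+
+func CheckIfAllowed(c *gin.Context) {
+session, err := GetSession(c)
+if err != nil {
+log.ErrorLogger("Couldn't retrieve session: ", err)
+c.Abort()
+return
+}
+identity := session.GetIdentity()
+traits := identity.GetTraits()
+role := traits.(map[string]interface{})["role"]
+
+requestedRoute := c.Request.URL.String()
+
+data := map[string]interface{}{
+"namespace": "accounts",
+"object": requestedRoute,
+"relation": "view",
+"subject_id": role,
+}
+
+response, err := keto.MakeRequest(keto.CheckPermissionEndpoint, data)
+if err != nil {
+log.ErrorLogger("Error in making request to keto", err)
+c.Abort()
+return
+}
+
+if response["allowed"] == true {
+c.Next()
+return
+} else {
+c.JSON(403, gin.H{
+"error": "Forbidden",
+"message": "You don't have permission to access this resource.",
+})
+c.Abort()
+return
+}
+}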
5 changes: 5 additions & 0 deletions pkg/wrapper/keto/endpoints.go
Expand Up @@ -19,4 +19,9 @@ var (
URL: config.KetoWriteURL + "/admin/relation-tuples",
Method: http.MethodDelete,
}

CheckPermissionEndpoint = Endpoint{
URL: config.KetoReadURL + "/relation-tuples/check",
Method: http.MethodPost,
}
)
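Review bot: `CheckPermissionEndpoint` is exported but carries no doc comment, so a reader of the wrapper package cannot tell from the declaration which Keto API it targets; add `// CheckPermissionEndpoint is Keto's read-API permission check (POST /relation-tuples/check).` above it. The enclosing `var (` block starts outside the hunk.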
