ISSUE #92

Author: vladyslav-fenchak

minos/api_gateway/rest/database/repository.py

@@ -68,3 +68,11 @@ def get_auth_rule_by_service(self, service: str):
         for record in r:
             records.append(AuthRuleDTO(record))
         return records
+
+    def get_autz_rule_by_service(self, service: str):
+        r = self.session.query(AutzRule).filter(or_(AutzRule.service == service, AutzRule.service == "*")).all()
+
+        records = list()
+        for record in r:
+            records.append(AutzRuleDTO(record))
+        return records

minos/api_gateway/rest/handler.py

@@ -30,6 +30,9 @@
 from .database.repository import (
     Repository,
 )
+from .urlmatch.autzmatch import (
+    AutzMatch,
+)
 
 logger = logging.getLogger(__name__)
 
@@ -47,20 +50,44 @@ async def orchestrate(request: web.Request) -> web.Response:
     auth = request.app["config"].rest.auth
     user = None
     if auth is not None and auth.enabled:
-        if await check_auth(request=request, service=request.url.parts[1], url=str(request.url), method=request.method):
+        if await check_authentication(
+            request=request, service=request.url.parts[1], url=str(request.url), method=request.method
+        ):
             response = await validate_token(request)
             user = json.loads(response)
             user = user["uuid"]
 
+        if await check_authorization(
+            request=request, service=request.url.parts[1], url=str(request.url), method=request.method
+        ):
+            response = await validate_token(request)
+            data = json.loads(response)
+            user = data["uuid"]
+            role = data["role"]
+            if not await is_authorized_role(
+                request=request, role=role, service=request.url.parts[1], url=str(request.url), method=request.method
+            ):
+                return web.HTTPUnauthorized()
+
     microservice_response = await call(**discovery_data, original_req=request, user=user)
     return microservice_response
 
 
-async def check_auth(request: web.Request, service: str, url: str, method: str) -> bool:
+async def check_authentication(request: web.Request, service: str, url: str, method: str) -> bool:
     records = Repository(request.app["db_engine"]).get_auth_rule_by_service(service)
     return AuthMatch.match(url=url, method=method, records=records)
 
 
+async def check_authorization(request: web.Request, service: str, url: str, method: str) -> bool:
+    records = Repository(request.app["db_engine"]).get_autz_rule_by_service(service)
+    return AuthMatch.match(url=url, method=method, records=records)
+
+
+async def is_authorized_role(request: web.Request, role: int, service: str, url: str, method: str) -> bool:
+    records = Repository(request.app["db_engine"]).get_autz_rule_by_service(service)
+    return AutzMatch.match(url=url, role=role, method=method, records=records)
+
+
 async def authentication_default(request: web.Request) -> web.Response:
     """ Orchestrate discovery and microservice call """
     auth_host = request.app["config"].rest.auth.host

minos/api_gateway/rest/urlmatch/autzmatch.py

@@ -0,0 +1,21 @@
+from ..database.models import (
+    AuthRuleDTO,
+    AutzRuleDTO,
+)
+from .urlmatch import (
+    UrlMatch,
+)
+
+
+class AutzMatch(UrlMatch):
+    @staticmethod
+    def match(url: str, role: int, method: str, records: list[AutzRuleDTO]) -> bool:
+        for record in records:
+            if AutzMatch.urlmatch(record.rule, url):
+                if record.roles is None:  # pragma: no cover
+                    return True
+                else:
+                    if role in record.roles or "*" in record.roles:
+                        return True
+
+        return False