all: add ability to skip acp checks

ory · Oct 12, 2017 · 18facbb · 18facbb
1 parent 13f9f81
commit 18facbb
Show file tree

Hide file tree

Showing 11 changed files with 165 additions and 58 deletions.
diff --git a/docs/api.swagger.json b/docs/api.swagger.json
@@ -244,6 +244,11 @@
           "type": "boolean",
           "x-go-name": "AllowAnonymous"
         },
+        "bypassAccessControlPolicies": {
+          "description": "BypassAccessControlPolicies if set true disables checking access control policies.",
+          "type": "boolean",
+          "x-go-name": "BypassAccessControlPolicies"
+        },
         "bypassAuthorization": {
           "description": "BypassAuthorization if set true disables firewall capabilities.",
           "type": "boolean",

diff --git a/evaluator/evaluator_test.go b/evaluator/evaluator_test.go
@@ -31,6 +31,7 @@ func mustGenerateURL(t *testing.T, u string) *url.URL {
 func TestEvaluator(t *testing.T) {
 	we := NewWardenEvaluator(nil, nil, nil)
 	publicRule := rule.Rule{MatchesMethods: []string{"GET"}, MatchesPath: mustCompileRegex(t, "/users/[0-9]+"), AllowAnonymous: true}
+	bypassACPRule := rule.Rule{MatchesMethods: []string{"GET"}, MatchesPath: mustCompileRegex(t, "/users/[0-9]+"), BypassAccessControlPolicies: true}
 	privateRule := rule.Rule{
 		MatchesMethods:   []string{"POST"},
 		MatchesPath:      mustCompileRegex(t, "/users/([0-9]+)"),
@@ -157,6 +158,61 @@ func TestEvaluator(t *testing.T) {
 				return s
 			},
 		},
+		{
+			d:     "request is not allowed because it matches a rule without access control policies, but token introspection fails",
+			rules: []rule.Rule{bypassACPRule},
+			r:     &http.Request{Method: "GET", Header: http.Header{"Authorization": []string{"bEaReR token"}}, URL: mustGenerateURL(t, "https://localhost/users/1234")},
+			e: func(t *testing.T, s *Session, err error) {
+				require.Error(t, err)
+			},
+			mock: func(c *gomock.Controller) hydra.SDK {
+				s := NewMockSDK(c)
+				s.EXPECT().IntrospectOAuth2Token(gomock.Eq("token"), gomock.Eq("")).Return(&swagger.OAuth2TokenIntrospection{Active: false}, &swagger.APIResponse{Response: &http.Response{StatusCode: http.StatusOK}}, nil)
+				return s
+			},
+		},
+		{
+			d:     "request is not allowed because it matches a rule without access control policies, but token introspection fails with network error",
+			rules: []rule.Rule{bypassACPRule},
+			r:     &http.Request{Method: "GET", Header: http.Header{"Authorization": []string{"bEaReR token"}}, URL: mustGenerateURL(t, "https://localhost/users/1234")},
+			e: func(t *testing.T, s *Session, err error) {
+				require.Error(t, err)
+			},
+			mock: func(c *gomock.Controller) hydra.SDK {
+				s := NewMockSDK(c)
+				s.EXPECT().IntrospectOAuth2Token(gomock.Eq("token"), gomock.Eq("")).Return(nil, nil, errors.New("Some error"))
+				return s
+			},
+		},
+		{
+			d:     "request is not allowed because it matches a rule without access control policies, but token introspection fails with wrong status code",
+			rules: []rule.Rule{bypassACPRule},
+			r:     &http.Request{Method: "GET", Header: http.Header{"Authorization": []string{"bEaReR token"}}, URL: mustGenerateURL(t, "https://localhost/users/1234")},
+			e: func(t *testing.T, s *Session, err error) {
+				require.Error(t, err)
+			},
+			mock: func(c *gomock.Controller) hydra.SDK {
+				s := NewMockSDK(c)
+				s.EXPECT().IntrospectOAuth2Token(gomock.Eq("token"), gomock.Eq("")).Return(nil, &swagger.APIResponse{Response: &http.Response{StatusCode: http.StatusUnauthorized}}, nil)
+				return s
+			},
+		},
+		{
+			d:     "request is allowed because it matches a rule without access control policies, and token introspection succeeds",
+			rules: []rule.Rule{bypassACPRule},
+			r:     &http.Request{Method: "GET", Header: http.Header{"Authorization": []string{"bEaReR token"}}, URL: mustGenerateURL(t, "https://localhost/users/1234")},
+			e: func(t *testing.T, s *Session, err error) {
+				require.NoError(t, err)
+				assert.Equal(t, "client", s.ClientID)
+				assert.Equal(t, "user", s.User)
+				assert.False(t, s.Anonymous)
+			},
+			mock: func(c *gomock.Controller) hydra.SDK {
+				s := NewMockSDK(c)
+				s.EXPECT().IntrospectOAuth2Token(gomock.Eq("token"), gomock.Eq("")).Return(&swagger.OAuth2TokenIntrospection{Active: true, Sub: "user", ClientId: "client"}, &swagger.APIResponse{Response: &http.Response{StatusCode: http.StatusOK}}, nil)
+				return s
+			},
+		},
 		{
 			d:     "request is denied because token is missing and endpoint is not public",
 			rules: []rule.Rule{privateRule},

diff --git a/evaluator/evaluator_warden.go b/evaluator/evaluator_warden.go
@@ -10,6 +10,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/tomasen/realip"
+	"strings"
 )
 
 type WardenEvaluator struct {
@@ -76,6 +77,32 @@ func (d *WardenEvaluator) EvaluateAccessRequest(r *http.Request) (*Session, erro
 		return nil, errors.WithStack(helper.ErrMissingBearerToken)
 	}
 
+	if rl.BypassAccessControlPolicies {
+		introspection, response, err := d.Hydra.IntrospectOAuth2Token(token, strings.Join(rl.RequiredScopes, " "))
+		if err != nil {
+			d.Logger.WithError(err).
+				WithField("access_url", r.URL.String()).
+				WithField("token", token[:5]).
+				Errorf("Unable to connect to warden endpoint.")
+			return nil, errors.WithStack(err)
+		} else if response.StatusCode != http.StatusOK {
+			d.Logger.
+				WithField("status_code", response.StatusCode).
+				WithField("token", token[:5]).
+				WithField("access_url", r.URL.String()).
+				Errorf("Expected warden response to return status code 200.")
+			return nil, errors.Errorf("Token introspection expects status code %d but got %d", http.StatusOK, response.StatusCode)
+		} else if !introspection.Active {
+			return nil, errors.WithStack(helper.ErrForbidden)
+		}
+
+		return &Session{
+			User:      introspection.Sub,
+			ClientID:  introspection.ClientId,
+			Anonymous: false,
+		}, nil
+	}
+
 	introspection, response, err := d.Hydra.DoesWardenAllowTokenAccessRequest(d.prepareAccessRequests(r, token, rl))
 	if err != nil {
 		d.Logger.WithError(err).

diff --git a/rule/doc.go b/rule/doc.go
@@ -70,4 +70,7 @@ type jsonRule struct {
 
 	// BypassAuthorization if set true disables firewall capabilities.
 	BypassAuthorization bool `json:"bypassAuthorization"`
+
+	// BypassAccessControlPolicies if set true disables checking access control policies.
+	BypassAccessControlPolicies bool `json:"bypassAccessControlPolicies"`
 }
diff --git a/rule/handler.go b/rule/handler.go
@@ -201,28 +201,30 @@ func toRule(rule *jsonRule) (*Rule, error) {
 	}
 
 	return &Rule{
-		ID:                  rule.ID,
-		MatchesPath:         exp,
-		MatchesMethods:      rule.MatchesMethods,
-		RequiredScopes:      rule.RequiredScopes,
-		RequiredAction:      rule.RequiredAction,
-		RequiredResource:    rule.RequiredResource,
-		AllowAnonymous:      rule.AllowAnonymous,
-		BypassAuthorization: rule.BypassAuthorization,
-		Description:         rule.Description,
+		ID:                          rule.ID,
+		MatchesPath:                 exp,
+		MatchesMethods:              rule.MatchesMethods,
+		RequiredScopes:              rule.RequiredScopes,
+		RequiredAction:              rule.RequiredAction,
+		RequiredResource:            rule.RequiredResource,
+		AllowAnonymous:              rule.AllowAnonymous,
+		BypassAuthorization:         rule.BypassAuthorization,
+		BypassAccessControlPolicies: rule.BypassAccessControlPolicies,
+		Description:                 rule.Description,
 	}, nil
 }
 
 func encodeRule(r *Rule) *jsonRule {
 	return &jsonRule{
-		ID:                  r.ID,
-		MatchesPath:         r.MatchesPath.String(),
-		MatchesMethods:      r.MatchesMethods,
-		RequiredScopes:      r.RequiredScopes,
-		RequiredAction:      r.RequiredAction,
-		RequiredResource:    r.RequiredResource,
-		BypassAuthorization: r.BypassAuthorization,
-		AllowAnonymous:      r.AllowAnonymous,
-		Description:         r.Description,
+		ID:                          r.ID,
+		MatchesPath:                 r.MatchesPath.String(),
+		MatchesMethods:              r.MatchesMethods,
+		RequiredScopes:              r.RequiredScopes,
+		RequiredAction:              r.RequiredAction,
+		RequiredResource:            r.RequiredResource,
+		BypassAuthorization:         r.BypassAuthorization,
+		BypassAccessControlPolicies: r.BypassAccessControlPolicies,
+		AllowAnonymous:              r.AllowAnonymous,
+		Description:                 r.Description,
 	}
 }
diff --git a/rule/handler_test.go b/rule/handler_test.go
@@ -34,11 +34,12 @@ func TestHandler(t *testing.T) {
 		RequiredScopes:   []string{"users.create"},
 	}
 	r2 := swagger.Rule{
-		Description:         "Get users rule",
-		MatchesPath:         "/users/([0-9]+)",
-		MatchesMethods:      []string{"GET"},
-		AllowAnonymous:      true,
-		BypassAuthorization: true,
+		Description:                 "Get users rule",
+		MatchesPath:                 "/users/([0-9]+)",
+		MatchesMethods:              []string{"GET"},
+		AllowAnonymous:              true,
+		BypassAuthorization:         true,
+		BypassAccessControlPolicies: true,
 	}
 
 	t.Run("case=create a new rule", func(t *testing.T) {

diff --git a/rule/manager_sql.go b/rule/manager_sql.go
@@ -14,15 +14,16 @@ import (
 )
 
 type sqlRule struct {
-	ID                  string `db:"id"`
-	MatchesMethods      string `db:"matches_methods"`
-	MatchesPath         string `db:"matches_path"`
-	RequiredScopes      string `db:"required_scopes"`
-	RequiredAction      string `db:"required_action"`
-	RequiredResource    string `db:"required_resource"`
-	AllowAnonymous      bool   `db:"allow_anonymous"`
-	BypassAuthorization bool   `db:"disable_firewall"`
-	Description         string `db:"description"`
+	ID                          string `db:"id"`
+	MatchesMethods              string `db:"matches_methods"`
+	MatchesPath                 string `db:"matches_path"`
+	RequiredScopes              string `db:"required_scopes"`
+	RequiredAction              string `db:"required_action"`
+	RequiredResource            string `db:"required_resource"`
+	AllowAnonymous              bool   `db:"allow_anonymous"`
+	BypassAuthorization         bool   `db:"disable_firewall"`
+	BypassAccessControlPolicies bool   `db:"disable_acp"`
+	Description                 string `db:"description"`
 }
 
 func (r *sqlRule) toRule() (*Rule, error) {
@@ -41,29 +42,31 @@ func (r *sqlRule) toRule() (*Rule, error) {
 	}
 
 	return &Rule{
-		ID:                  r.ID,
-		MatchesMethods:      methods,
-		MatchesPath:         exp,
-		RequiredScopes:      scopes,
-		RequiredAction:      r.RequiredAction,
-		RequiredResource:    r.RequiredResource,
-		AllowAnonymous:      r.AllowAnonymous,
-		BypassAuthorization: r.BypassAuthorization,
-		Description:         r.Description,
+		ID:                          r.ID,
+		MatchesMethods:              methods,
+		MatchesPath:                 exp,
+		RequiredScopes:              scopes,
+		RequiredAction:              r.RequiredAction,
+		RequiredResource:            r.RequiredResource,
+		AllowAnonymous:              r.AllowAnonymous,
+		BypassAuthorization:         r.BypassAuthorization,
+		BypassAccessControlPolicies: r.BypassAccessControlPolicies,
+		Description:                 r.Description,
 	}, nil
 }
 
 func toSqlRule(r *Rule) *sqlRule {
 	return &sqlRule{
-		ID:                  r.ID,
-		MatchesMethods:      strings.Join(r.MatchesMethods, " "),
-		MatchesPath:         r.MatchesPath.String(),
-		RequiredScopes:      strings.Join(r.RequiredScopes, " "),
-		RequiredAction:      r.RequiredAction,
-		RequiredResource:    r.RequiredResource,
-		AllowAnonymous:      r.AllowAnonymous,
-		BypassAuthorization: r.BypassAuthorization,
-		Description:         r.Description,
+		ID:                          r.ID,
+		MatchesMethods:              strings.Join(r.MatchesMethods, " "),
+		MatchesPath:                 r.MatchesPath.String(),
+		RequiredScopes:              strings.Join(r.RequiredScopes, " "),
+		RequiredAction:              r.RequiredAction,
+		RequiredResource:            r.RequiredResource,
+		AllowAnonymous:              r.AllowAnonymous,
+		BypassAuthorization:         r.BypassAuthorization,
+		BypassAccessControlPolicies: r.BypassAccessControlPolicies,
+		Description:                 r.Description,
 	}
 }
 
@@ -80,7 +83,8 @@ var migrations = &migrate.MemoryMigrationSource{
 	required_resource	text NOT NULL,
 	allow_anonymous		bool NOT NULL,
 	description			text NOT NULL,
-	disable_firewall	text NOT NULL
+	disable_firewall	bool NOT NULL,
+	disable_acp			bool NOT NULL
 )`},
 			Down: []string{
 				"DROP TABLE hydra_client",
@@ -99,6 +103,7 @@ var sqlParams = []string{
 	"allow_anonymous",
 	"description",
 	"disable_firewall",
+	"disable_acp",
 }
 
 func NewSQLManager(db *sqlx.DB) *SQLManager {

diff --git a/rule/manager_test.go b/rule/manager_test.go
@@ -58,13 +58,14 @@ func TestManagers(t *testing.T) {
 			RequiredScopes:   []string{"users.create"},
 		}
 		r2 := Rule{
-			ID:                  "foo2",
-			Description:         "Get users rule",
-			MatchesPath:         mustCompileRegex(t, "/users/([0-9]+)"),
-			MatchesMethods:      []string{"GET"},
-			AllowAnonymous:      true,
-			RequiredScopes:      []string{},
-			BypassAuthorization: true,
+			ID:                          "foo2",
+			Description:                 "Get users rule",
+			MatchesPath:                 mustCompileRegex(t, "/users/([0-9]+)"),
+			MatchesMethods:              []string{"GET"},
+			AllowAnonymous:              true,
+			RequiredScopes:              []string{},
+			BypassAuthorization:         true,
+			BypassAccessControlPolicies: true,
 		}
 
 		t.Run("case="+k, func(t *testing.T) {

diff --git a/rule/rule.go b/rule/rule.go
@@ -34,6 +34,9 @@ type Rule struct {
 	// BypassAuthorization if set true disables firewall capabilities.
 	BypassAuthorization bool
 
+	// BypassAccessControlPolicies if set true disables checking access control policies.
+	BypassAccessControlPolicies bool
+
 	// Description describes the rule.
 	Description string
 }

diff --git a/sdk/swagger/docs/Rule.md b/sdk/swagger/docs/Rule.md
@@ -4,6 +4,7 @@
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **AllowAnonymous** | **bool** | AllowAnonymous sets if the endpoint is public, thus not needing any authorization at all. | [optional] [default to null]
+**BypassAccessControlPolicies** | **bool** | BypassAccessControlPolicies if set true disables checking access control policies. | [optional] [default to null]
 **BypassAuthorization** | **bool** | BypassAuthorization if set true disables firewall capabilities. | [optional] [default to null]
 **Description** | **string** | Description describes the rule. | [optional] [default to null]
 **Id** | **string** | ID the a unique id of a rule. | [optional] [default to null]

diff --git a/sdk/swagger/rule.go b/sdk/swagger/rule.go
@@ -16,6 +16,9 @@ type Rule struct {
 	// AllowAnonymous sets if the endpoint is public, thus not needing any authorization at all.
 	AllowAnonymous bool `json:"allowAnonymous,omitempty"`
 
+	// BypassAccessControlPolicies if set true disables checking access control policies.
+	BypassAccessControlPolicies bool `json:"bypassAccessControlPolicies,omitempty"`
+
 	// BypassAuthorization if set true disables firewall capabilities.
 	BypassAuthorization bool `json:"bypassAuthorization,omitempty"`