Lots of improvements and continuation around suggestions

- Support a new API group (mapping of endpoints to perms)
- Blend the RBAC middleware into the Auth middleware (didn't want to dupe logic for protected endpoints... for now)

Author: speza

apigroup-core.yml

@@ -0,0 +1,91 @@
+name: api-core
+endpoints:
+  # pipelines
+  "/api/v1/pipeline":
+    methods:
+      POST: pipelines/create
+      GET: pipelines/list
+  "/api/v1/pipeline/gitlsremote":
+    methods:
+      POST: pipelines/create
+  "/api/v1/pipeline/name":
+    methods:
+      GET: pipelines/get
+  "/api/v1/pipeline/githook":
+    methods:
+      POST: pipelines/create
+  "/api/v1/pipeline/created":
+    methods:
+      GET: pipelines/list
+  "/api/v1/pipeline/latest":
+    methods:
+      GET: pipelines/list
+  "/api/v1/pipeline/:pipelineid":
+    param: pipelineid
+    methods:
+      GET: pipelines/get
+      PUT: pipelines/update
+      DELETE: pipelines/delete
+  "/api/v1/pipeline/:pipelineid/start":
+    param: pipelineid
+    methods:
+      POST: pipelines/start
+
+  # pipeline-runs
+  "/api/v1/pipelinerun/:pipelineid/:runid/stop":
+    param: pipelineid
+    methods:
+      POST: pipeline-runs/stop
+  "/api/v1/pipelinerun/:pipelineid/:runid":
+    param: pipelineid
+    methods:
+      GET: pipeline-runs/get
+  "/api/v1/pipelinerun/:pipelineid/latest":
+    param: pipelineid
+    methods:
+      GET: pipeline-runs/get
+  "/api/v1/pipelinerun/:pipelineid":
+    param: pipelineid
+    methods:
+      GET: pipeline-runs/list
+  "/api/v1/pipelinerun/:pipelineid/:runid/latest":
+    param: pipelineid
+    methods:
+      GET: pipeline-runs/get
+
+  # secrets
+  "/api/v1/secret":
+    POST: secrets/create
+  "/api/v1/secrets":
+    GET: secrets/list
+  "/api/v1/secret/:key":
+    param: key
+    methods:
+      DELETE: secrets/delete
+  "/api/v1/secret/update":
+    PUT: secrets/update
+
+  # users
+  "/api/v1/user":
+    POST: users/create
+  "/api/v1/users":
+    GET: users/list
+  "/api/v1/user/password":
+    POST: users/update
+  "/api/v1/user/:username":
+    param: username
+    methods:
+      DELETE: users/delete
+
+  # workers
+  "/api/v1/worker/secret":
+    GET: workers/get
+    POST: workers/create
+  "/api/v1/worker/status":
+    GET: workers/get
+  "/api/v1/worker":
+    GET: workers/get
+  "/api/v1/worker/:workerid":
+    param: workerid
+    methods:
+      DELETE: workers/delete

gaia.go

@@ -348,6 +348,17 @@ func (p PipelineType) String() string {
 	return string(p)
 }
 
+// RBACAPIGroup represents API group mappings.
+type RBACAPIGroup struct {
+	Endpoints map[string]RBACAPIGroupEndpoint `yaml:"endpoints"`
+}
+
+// RBACAPIGroupEndpoint represents an endpoint within an API group.
+type RBACAPIGroupEndpoint struct {
+	Param   string            `yaml:"param"`
+	Methods map[string]string `yaml:"methods"`
+}
+
 // ResourceType is the base version and type for a defined resource.
 type ResourceType struct {
 	Version string `yaml:"version"`
@@ -370,9 +381,8 @@ type RBACPolicyResourceV1 struct {
 // RBACPolicyStatementV1 is used to define an individual policy statement.
 type RBACPolicyStatementV1 struct {
 	ID       string   `yaml:"id"`
-	Effect   string   `yaml:"effect"`
 	Action   []string `yaml:"action"`
-	Resource string   `yaml:"resource"`
+	Resource []string `yaml:"resource"`
 }
 
 // RBACPolicyNamespace represents a policy namespace.
@@ -385,4 +395,4 @@ type RBACPolicyAction string
 type RBACPolicyResource string
 
 // RBACEvaluatedPermissions multiple policies combined and evaluated.
-type RBACEvaluatedPermissions map[RBACPolicyNamespace]map[RBACPolicyAction]map[RBACPolicyResource]string
+type RBACEvaluatedPermissions map[RBACPolicyNamespace]map[RBACPolicyAction]map[RBACPolicyResource]interface{}

go.mod

@@ -18,7 +18,6 @@ require (
 	github.com/emirpasic/gods v1.9.0 // indirect
 	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
 	github.com/gaia-pipeline/flag v1.7.4-pre
-	github.com/gaia-pipeline/gosdk v0.0.0-20180909192508-cc9f89055777
 	github.com/gaia-pipeline/protobuf v0.0.0-20180812091451-7be8a901b55a
 	github.com/gliderlabs/ssh v0.1.1 // indirect
 	github.com/gofrs/uuid v3.2.0+incompatible

go.sum

@@ -44,8 +44,6 @@ github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjr
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/gaia-pipeline/flag v1.7.4-pre h1:/TAmHVYVQGE4Mw9xl0Qs0D5UruVDMF95thexyEFbTAY=
 github.com/gaia-pipeline/flag v1.7.4-pre/go.mod h1:rLpsWzqOEPa2K0Yl4aC34nmblLpIYjGqjP/srZbYvEk=
-github.com/gaia-pipeline/gosdk v0.0.0-20180909192508-cc9f89055777 h1:Gn3nmETr4IE44pIFLeTDNNBBRhNXXh53PqFV23CsVok=
-github.com/gaia-pipeline/gosdk v0.0.0-20180909192508-cc9f89055777/go.mod h1:e3TkvPdcdSdHZTgwiS89fs8lJrveYHsGLlz/Q0oXlN8=
 github.com/gaia-pipeline/protobuf v0.0.0-20180812091451-7be8a901b55a h1:/5XAmdAyGl4yL9BugdPdBLaXquif1zw6Hih6go8E7Xs=
 github.com/gaia-pipeline/protobuf v0.0.0-20180812091451-7be8a901b55a/go.mod h1:H0w7MofSuW53Nz7kesnBdVkvr437flf5B7D9Lcsb+lQ=
 github.com/gliderlabs/ssh v0.1.1 h1:j3L6gSLQalDETeEg/Jg0mGY0/y/N6zI2xX1978P0Uqw=

handlers/auth.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/gaia-pipeline/gaia"
 	"github.com/gaia-pipeline/gaia/helper/rolehelper"
+	"github.com/gaia-pipeline/gaia/security/rbac"
 )
 
 var (
@@ -38,17 +39,9 @@ var (
 	}
 )
 
-// AuthContext is the wrapped context to pass through the echo handlers and middleware. This allows us to bind the user
-// RBAC policy names into the server request context.
-type AuthContext struct {
-	echo.Context
-	username string
-	policies map[string]interface{}
-}
-
-// AuthMiddleware is middleware used for each request. Includes functionality that validates the JWT tokens and user
+// Do is middleware used for each request. Includes functionality that validates the JWT tokens and user
 // permissions.
-func AuthMiddleware(roleAuth *AuthConfig) echo.MiddlewareFunc {
+func (a *AuthMiddleware) Do() echo.MiddlewareFunc {
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
 			// Check if it matches an explicit paths
@@ -82,49 +75,94 @@ func AuthMiddleware(roleAuth *AuthConfig) echo.MiddlewareFunc {
 				policies, okPolicies := claims["policies"]
 				if okUsername && okPerms && okPolicies && roles != nil {
 					// Look through the perms until we find that the user has this permission
-					err := roleAuth.checkRole(roles, c.Request().Method, c.Path())
-					if err != nil {
-						return c.String(http.StatusForbidden, fmt.Sprintf("Permission denied for user %s. %s", username, err.Error()))
+					if err := a.checkRole(roles, c.Request().Method, c.Path()); err != nil {
+						return c.String(http.StatusForbidden, fmt.Sprintf("Permission denied for user %s: %s", username, err.Error()))
 					}
 
-					policiesFromClaims, err := getPoliciesFromClaims(policies)
-					if err != nil {
-						return c.String(http.StatusForbidden, fmt.Sprintf("Permission denied for user %s. %s", username, err.Error()))
+					if err := a.enforceRBAC(c, username.(string), policies); err != nil {
+						return c.String(http.StatusForbidden, fmt.Sprintf("Permission denied for user %s: %s", username, err.Error()))
 					}
 
-					ctx := AuthContext{
-						Context:  c,
-						username: username.(string),
-						policies: policiesFromClaims,
-					}
-					return next(ctx)
+					return next(c)
 				}
 			}
 			return c.String(http.StatusUnauthorized, errNotAuthorized.Error())
 		}
 	}
 }
 
-// AuthConfig is a simple config struct to be passed into AuthMiddleware. Currently allows the ability to specify
+func (a *AuthMiddleware) enforceRBAC(c echo.Context, username string, policiesFromClaims interface{}) error {
+	policies, err := getPoliciesFromClaims(policiesFromClaims)
+	if err != nil {
+		gaia.Cfg.Logger.Warn("rbac enforcement failed", "error", err.Error(), "username", username)
+		return errors.New("failed to get policies")
+	}
+
+	group := a.rbacEnforcer.GetDefaultAPIGroup()
+
+	endpoint, ok := group.Endpoints[c.Path()]
+	if !ok {
+		gaia.Cfg.Logger.Warn("path not mapped to api group", "path", c.Path())
+		return nil
+	}
+
+	perm, ok := endpoint.Methods[c.Request().Method]
+	if !ok {
+		gaia.Cfg.Logger.Warn("method not mapped to api group path", "path", c.Path(), "method", c.Request().Method)
+		return nil
+	}
+
+	ns, act := rbac.ParseStatementAction(perm)
+
+	fullResource := ""
+	if endpoint.Param != "" {
+		param := c.Param(endpoint.Param)
+		if param == "" {
+			return fmt.Errorf("param %s missing", endpoint.Param)
+		}
+		fullResource = fmt.Sprintf("%s/%s/%s", ns, endpoint.Param, param)
+	}
+
+	enfCfg := rbac.EnforcerConfig{
+		User: rbac.User{
+			Username: username,
+			Policies: policies,
+		},
+		Namespace: ns,
+		Action:    act,
+		Resource:  gaia.RBACPolicyResource(fullResource),
+	}
+
+	if err := a.rbacEnforcer.Enforce(enfCfg); err != nil {
+		gaia.Cfg.Logger.Warn("rbac enforcement failed", "error", err.Error(), "username", username, "namespace", ns, "action", act)
+		return fmt.Errorf("missing required permission %s/%s", ns, act)
+	}
+
+	return nil
+}
+
+// AuthMiddleware is a simple config struct to be passed into AuthMiddleware. Currently allows the ability to specify
 // the permission roles required for each echo endpoint.
-type AuthConfig struct {
+type AuthMiddleware struct {
 	RoleCategories []*gaia.UserRoleCategory
+	rbacEnforcer   rbac.PolicyEnforcer
 }
 
 func getPoliciesFromClaims(policyClaims interface{}) (map[string]interface{}, error) {
 	if policyClaims == nil || reflect.ValueOf(policyClaims).IsNil() {
-		return nil, errors.New("nil policyClaims")
+		return nil, errors.New("policyClaims is nil")
 	}
-	if _, ok := policyClaims.(map[string]interface{}); !ok {
+	pc, ok := policyClaims.(map[string]interface{})
+	if !ok {
 		return nil, errors.New("policyClaims is not correct type")
 	}
-	return policyClaims.(map[string]interface{}), nil
+	return pc, nil
 }
 
 // Finds the required role for the metho & path specified. If it exists we validate that the provided user roles have
 // the permission role. If not, error specifying the required role.
-func (ra *AuthConfig) checkRole(userRoles interface{}, method, path string) error {
-	perm := ra.getRequiredRole(method, path)
+func (a *AuthMiddleware) checkRole(userRoles interface{}, method, path string) error {
+	perm := a.getRequiredRole(method, path)
 	if perm == "" {
 		return nil
 	}
@@ -137,8 +175,8 @@ func (ra *AuthConfig) checkRole(userRoles interface{}, method, path string) erro
 }
 
 // Iterate over each category to find a permission (if existing) for this API endpoint.
-func (ra *AuthConfig) getRequiredRole(method, path string) string {
-	for _, category := range ra.RoleCategories {
+func (a *AuthMiddleware) getRequiredRole(method, path string) string {
+	for _, category := range a.RoleCategories {
 		for _, role := range category.Roles {
 			for _, endpoint := range role.APIEndpoint {
 				// If the http method & path match then return the role required for this endpoint