Merge branch 'main' into dependabot/go_modules/github.com/go-playgrou…

…nd/validator/v10-10.22.0

.devcontainer/Dockerfile

@@ -8,6 +8,13 @@ FROM mcr.microsoft.com/vscode/devcontainers/base:0-${VARIANT}
 ADD zscaler.pem /usr/local/share/ca-certificates/zscaler.crt
 RUN sudo chmod 644 /usr/local/share/ca-certificates/zscaler.crt && sudo update-ca-certificates
 
+# zScaler certificate, for all busy engineers
+ADD zscaler.pem /usr/local/share/ca-certificates/zscaler.crt
+RUN sudo chmod 644 /usr/local/share/ca-certificates/zscaler.crt && sudo update-ca-certificates
+
+# Set the environment variable NODE_EXTRA_CA_CERTS to the zScaler certificate
+ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/zscaler.crt
+
 # [Optional] Uncomment this section to install additional OS packages.
 # RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
 #     && apt-get -y install protobuf-compiler

Makefile

@@ -1,10 +1,10 @@
 .DEFAULT_GOAL := release
 
-GO ?= go
-GO_RUN_TOOLS ?= $(GO) run -modfile ./tools/go.mod
-GO_TEST = $(GO_RUN_TOOLS) gotest.tools/gotestsum --format pkgname
-GO_RELEASER ?= $(GO_RUN_TOOLS) github.com/goreleaser/goreleaser
-GO_MOD ?= $(shell ${GO} list -m)
+GO 				?= go
+GO_RUN_TOOLS 	?= $(GO) run -modfile ./tools/go.mod
+GO_TEST 		?= $(GO_RUN_TOOLS) gotest.tools/gotestsum --format pkgname
+GO_RELEASER 	?= $(GO_RUN_TOOLS) github.com/goreleaser/goreleaser
+GO_MOD 			?= $(shell ${GO} list -m)
 
 .PHONY: release
 release: ## Release the project.

authenticator.go

@@ -29,15 +29,15 @@ type JWSValidator interface {
 // NewAuthenticator ...
 func NewAuthenticator(c AuthzChecker, v JWSValidator) openapi3filter.AuthenticationFunc {
 	return func(ctx context.Context, input *openapi3filter.AuthenticationInput) error {
-		return Authenticate(ctx, c, v, input)
+		return Authenticated(ctx, c, v, input)
 	}
 }
 
 // ErrForbidden ...
 var ErrForbidden = errors.New("forbidden")
 
-// Authenticate ...
-func Authenticate(ctx context.Context, checker AuthzChecker, validate JWSValidator, input *openapi3filter.AuthenticationInput) error {
+// Authenticated ...
+func Authenticated(ctx context.Context, checker AuthzChecker, validate JWSValidator, input *openapi3filter.AuthenticationInput) error {
 	if input.SecuritySchemeName != "BearerAuth" {
 		return fmt.Errorf("security scheme %s != 'BearerAuth'", input.SecuritySchemeName)
 	}

authz.go

@@ -35,18 +35,21 @@ func (a AuthzAction) String() string {
 }
 
 const (
-	AuthzNoPrincipial = ""
-	AuthzNoObject     = ""
-	AuthzNoAction     = ""
+	AuthzNoPrincipial AuthzPrincipal = ""
+	AuthzNoObject     AuthzObject    = ""
+	AuthzNoAction     AuthzAction    = ""
 )
 
-// AuthzActionDefaults are the default actions.
-const (
-	Read       AuthzAction = "read"
-	Write      AuthzAction = "write"
-	Admin      AuthzAction = "admin"
-	SuperAdmin AuthzAction = "superadmin"
-)
+// AuthzParams is the struct that holds the principal, object and action from the context.
+// There needs to be a :principal, :object and :action in the context.
+type AuthzParams struct {
+	// Principal is the subject.
+	Principal AuthzPrincipal `json:"principal" params:"principal" query:"principal" form:"principal"`
+	// Object is the object.
+	Object AuthzObject `json:"object" params:"object" query:"object" form:"object"`
+	// Action is the action.
+	Action AuthzAction `json:"action" params:"action" query:"action" form:"action"`
+}
 
 // AuthzChecker is the interface that wraps the Allowed method.
 type AuthzChecker interface {
@@ -99,6 +102,15 @@ type Config struct {
 	// Checker is implementing the AuthzChecker interface.
 	Checker AuthzChecker
 
+	// ObjectResolver is the object resolver.
+	ObjectResolver AuthzObjectResolver
+
+	// ActionResolver is the action resolver.
+	ActionResolver AuthzActionResolver
+
+	// PrincipalResolver is the principal resolver.
+	PrincipalResolver AuthzPrincipalResolver
+
 	// ErrorHandler is executed when an error is returned from fiber.Handler.
 	//
 	// Optional. Default: DefaultErrorHandler
@@ -107,8 +119,11 @@ type Config struct {
 
 // ConfigDefault is the default config.
 var ConfigDefault = Config{
-	ErrorHandler: defaultErrorHandler,
-	Checker:      NewNoop(),
+	ErrorHandler:      defaultErrorHandler,
+	ObjectResolver:    NewNoopObjectResolver(),
+	PrincipalResolver: NewNoopPrincipalResolver(),
+	ActionResolver:    NewNoopActionResolver(),
+	Checker:           NewNoop(),
 }
 
 // default ErrorHandler that process return error from fiber.Handler
@@ -134,48 +149,33 @@ type AuthzActionResolver interface {
 	Resolve(c *fiber.Ctx) (AuthzAction, error)
 }
 
-// SetAuthzHandler is a middleware that sets the principal and user in the context.
-// This function can map any thing.
-func SetAuthzHandler(object AuthzObjectResolver, action AuthzActionResolver, principal AuthzPrincipalResolver) func(c *fiber.Ctx) error {
+// Authenticate is a middleware that sets the principal and user in the context.
+func Authenticate(handler fiber.Handler, config ...Config) fiber.Handler {
+	cfg := configDefault(config...)
+
 	return func(c *fiber.Ctx) error {
-		object, err := object.Resolve(c)
-		if err != nil {
-			return err
+		if cfg.Next != nil && cfg.Next(c) {
+			return c.Next()
 		}
 
-		principal, err := principal.Resolve(c)
+		object, err := cfg.ObjectResolver.Resolve(c)
 		if err != nil {
 			return err
 		}
 
-		action, err := action.Resolve(c)
+		principal, err := cfg.PrincipalResolver.Resolve(c)
 		if err != nil {
 			return err
 		}
 
-		return ContextWithAuthz(c, principal, object, action).Next()
-	}
-}
-
-// NewTBACHandler there is a new fiber.Handler that checks if the principal can perform the action on the object.
-func NewTBACHandler(handler fiber.Handler, action AuthzAction, param string, config ...Config) fiber.Handler {
-	cfg := configDefault(config...)
-
-	return func(c *fiber.Ctx) error {
-		if cfg.Next != nil && cfg.Next(c) {
-			return c.Next()
-		}
-
-		team := AuthzObject(c.Params(param, ""))
-
-		principal, _, _, err := AuthzFromContext(c)
+		action, err := cfg.ActionResolver.Resolve(c)
 		if err != nil {
-			return defaultErrorHandler(c, err)
+			return err
 		}
 
-		allowed, err := cfg.Checker.Allowed(c.Context(), principal, team, action)
+		allowed, err := cfg.Checker.Allowed(c.Context(), principal, object, action)
 		if err != nil {
-			return defaultErrorHandler(c, err)
+			return cfg.ErrorHandler(c, err)
 		}
 
 		if !allowed {
@@ -202,12 +202,12 @@ func NewCheckerHandler(config ...Config) fiber.Handler {
 		}{}
 
 		if err := c.BodyParser(&payload); err != nil {
-			return defaultErrorHandler(c, err)
+			return cfg.ErrorHandler(c, err)
 		}
 
 		allowed, err := cfg.Checker.Allowed(c.Context(), payload.Principal, payload.Object, payload.Permission)
 		if err != nil {
-			return defaultErrorHandler(c, err)
+			return cfg.ErrorHandler(c, err)
 		}
 
 		if allowed {
@@ -218,24 +218,6 @@ func NewCheckerHandler(config ...Config) fiber.Handler {
 	}
 }
 
-// ContextWithAuthz returns a new context with the principal, object and action set.
-func ContextWithAuthz(ctx *fiber.Ctx, principal AuthzPrincipal, object AuthzObject, action AuthzAction) *fiber.Ctx {
-	ctx.Locals(authzPrincipial, principal)
-	ctx.Locals(authzObject, object)
-	ctx.Locals(authzAction, action)
-
-	return ctx
-}
-
-// AuthzFromContext return the principal, object and action from the context.
-func AuthzFromContext(ctx *fiber.Ctx) (AuthzPrincipal, AuthzObject, AuthzAction, error) {
-	principal := ctx.Locals(authzPrincipial)
-	object := ctx.Locals(authzObject)
-	action := ctx.Locals(authzAction)
-
-	return principal.(AuthzPrincipal), object.(AuthzObject), action.(AuthzAction), nil
-}
-
 // Helper function to set default values
 func configDefault(config ...Config) Config {
 	if len(config) < 1 {
@@ -253,6 +235,18 @@ func configDefault(config ...Config) Config {
 		cfg.ErrorHandler = ConfigDefault.ErrorHandler
 	}
 
+	if cfg.ObjectResolver == nil {
+		cfg.ObjectResolver = ConfigDefault.ObjectResolver
+	}
+
+	if cfg.PrincipalResolver == nil {
+		cfg.PrincipalResolver = ConfigDefault.PrincipalResolver
+	}
+
+	if cfg.ActionResolver == nil {
+		cfg.ActionResolver = ConfigDefault.ActionResolver
+	}
+
 	return cfg
 }
 

docker-compose.yml

@@ -1,6 +1,12 @@
-version: '3.1'
-
 services:
+  fga:
+    image: openfga/openfga
+    command: "run"
+    restart: always
+    ports:
+      - "8080:8080"
+      - "8081:8081"
+      - "3000:3000"
   db:
     image: postgres
     restart: always