Web authorization with Open Policy Agent
28 April 2019
So maybe you upgraded our authentication logic to no longer be a system bottleneck but now find authorization slowing you down, or have custom authorization logic mixed in with business logic - then Open Policy Agent can help! If you have not heard of Open Policy Agent, it is really worth checking out, it is a declarative way to push authorization outside your business logic in an extremely scalable way.
Overview:
- Architecture
- walk-through integrating a golang webserver with OPA
- writing and testing authz policies
- setting up UI for authz admin
- demo, full code here: https://github.com/KlotzAndrew/opa-firefly
Architecture
One of the things that makes Open Policy Agent interesting is that we can embrace the sidecar pattern with it. Each node in our system will be running an instance of Open Policy Agent, allowing any service to make a request to localhost to check authorization, making this solution extremely scalable. Agents can point to a location to fetch current policies on startup, periodically fetch, and be triggered to re-fetch, which gives us some options for keeping them in sync.
Integrating with a Golang server
What is the goal? Just an additional middleware call that checks permissions for the routes.
The most our service will know about authorization will be adding the middleware authz
func main() {
e := echo.New()
e.GET("/accounts/:id", getAccount)
e.GET("/rewards/:id/redeem", getAccount)
e.Use(authz)
e.Logger.Fatal(e.Start(":1323"))
}working with echo, our middleware looks something like this:
func authz(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
if isAuthorized(c) {
return next(c)
}
return echo.NewHTTPError(http.StatusUnauthorized, "Please provide valid credentials")
}
}to check isAuthorized, we construct a payload to send to OPA, send it, then check if any of the policies returned true for the route. The payload returns policy name + result where we could check which policy matched, but in this example we only care if any matched.
type user struct {
UserID string `json:"userID"`
Employees []string `json:"employees"`
Role string `json:"role"`
}
func isAuthorized(c echo.Context) bool {
u := unmarshalUser(c.Request().Header.Get("JWT"))
authzRequestPayload := map[string]map[string]interface{}{
"input": {
"userID": u.UserID,
"method": c.Request().Method,
"path": trimPath(c.Request().URL.Path),
"employees": u.Employees,
"role": u.Role,
},
}
response := checkAuthz(authzRequestPayload)
for _, v := range response.Result {
if v == true {
return true
}
}
return false
}OPA uses the sidecar pattern, so we will use an http call to localhost
to check the requester permissions. checkAuthz will just me making a request to a OPA agent on localhost
func checkAuthz(values map[string]map[string]interface{}) opaResponse {
jsonValue, errm := json.Marshal(values)
if errm != nil {
panic(errm)
}
opaURL := "http://localhost:8181/v1/data/httpapi/authz"
resp, errp := http.Post(opaURL, "application/json", bytes.NewBuffer(jsonValue))
if errp != nil {
panic(errp)
}
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
panic(err.Error())
}
var response opaResponse
if errj := json.Unmarshal(body, &response); errj != nil {
panic(errj)
}
return response
}Writing and testing policies
Time to write some policies! So desired goal will be:
- anyone (employees) can access their own account
- managers can access their employees account
- premium users can access rewards for their account
For our policies, we will start with default allowAccounts = false to default
deny, as well as assigning the requesting input payload as http_api. The next block allows the "GET" method for the path "accounts/:userID",
where :userID is assigned from the input payload.
package httpapi.authz
import input as http_api
default allowAccounts = false
allowAccounts {
http_api.method = "GET"
http_api.path = ["accounts", userID]
userID = http_api.userID
}So for an input {"userID": "a"},
we authorize access to "accounts/a", and deny for all others. We can even
write a test around this, testing both the allowed and denied case:
package httpapi.authz
test_get_anonymous_denied {
not allowAccounts with input as {
"path": ["accounts", "a"],
"method": "GET",
"userID": "b"
}
}
test_get_allowed {
allowAccounts with input as {
"path": ["accounts", "a"],
"method": "GET",
"userID": "a"
}
}Next policy is for the managers, we use http_api.employees[_] = userID to
wildcard any field in the employees array to the value userID, using that
for the allowed path "accounts/:userID".
package httpapi.authz
import input as http_api
default allowManagers = false
allowManagers {
http_api.method = "GET"
http_api.path = ["accounts", userID]
http_api.employees[_] = userID
}
So for an input {"employees": ["x"]},
we authorize access to "accounts/x, for any value of x.
For the premium role, we start by checking for premium http_api.role = "premium".
We then assign userID from the input, which we use for checking the path
"rewards/:userID/redeem". Lastly we check if the api method is either GET/POST
by checking array inclusion.
package httpapi.authz
import input as http_api
default allowPremium = false
allowPremium {
userID = http_api.userID
http_api.role = "premium"
http_api.path = ["rewards", userID, "redeem"]
{http_api.method} == {http_api.method} & {"GET", "POST"}
}For our test, we check the methods and the premium role.
package httpapi.authz
test_get_premium_allowed {
allowPremium with input as {
"path": ["rewards", "a", "redeem"],
"method": "GET",
"userID": "a",
"role": "premium"
}
}
test_get_premium_denied {
not allowPremium with input as {
"path": ["rewards", "a", "redeem"],
"method": "GET",
"userID": "a",
"role": "not_premium"
}
}
test_post_premium_allowed {
allowPremium with input as {
"path": ["rewards", "a", "redeem"],
"method": "POST",
"userID": "a",
"role": "premium"
}
}Admin
We are not going to spend too much time on the web UI for the demo, although I find
it pretty cool. There is not much code, we grab the current
policies (here we just check the active agent http://0.0.0.0:8181/v1/policies/),
compare against the available policies (http://0.0.0.0:8000/), then post to our
agent if we want to enable/disable (http://0.0.0.0:8181/v1/policies/)
Demo
Now it is demo time! The full code is over here (https://github.com/KlotzAndrew/opa-firefly)
if you want to follow along. For design, we have a golang http server running
on :1323, for authz it checks with a OPA agent running on localhost:8181
(sidecar pattern can use localhost). To get the policies into OPA we have a
react app running on :3000, it loads the policies from a python webserver
hosting our policies folder on :8000, and to enable/disable it POSTS to
the OPA agent on :8181.
There are a few accommodations here for the purposes of a local demo. The local python server is a replacement for file storage like s3. On start a OPA agent would pull from there, and periodically check for changes. Instead of a webserver making a request directly to a known OPA agent with an update, that would be a backend server updating all known OPA agents. Also, worth noting the nginx server in the sample code is to support the react app making cors request directly to the backend server.
Booting it up, in three terminals
docker-compose up
go run main.go authz-middleware.go
cd opa-admin && npm install && npm start
The admin page is running on http://0.0.0.0:3000. Toggle on some policies and test out some http requests!
curl -H "JWT: {\"userId\": \"a\"}" \
http://0.0.0.0:1323/accounts/a
curl -H "JWT: {\"userId\": \"a\", \"employees\": [\"c\"]}" \
http://0.0.0.0:1323/accounts/b
curl -H "JWT: {\"userId\": \"a\", \"role\": \"premium\"}" \
http://0.0.0.0:1323/rewards/a/redeem
In total this is what is running:
- OPA query page: http://0.0.0.0:8181/
- filesys for OPA: http://0.0.0.0:8000/
- demo website: http://0.0.0.0:1323/
- admin webpage: http://0.0.0.0:3000/
The code for a working example is over here: https://github.com/KlotzAndrew/opa-firefly