policy_decision_point 0.1.0

data/lib/policy_decision_point.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require_relative "policy_decision_point/version"
+require_relative "policy_decision_point/pdp"
+
+module PolicyDecisionPoint
+  ##
+  # Represents an authentication attempt failure.
+  class AuthnError < StandardError
+    def initialize(e = nil)
+      super e
+        set_backtrace e.backtrace if e
+    end
+  end
+
+  ##
+  # Represents an authorization attempt failure.
+  class AuthzError < StandardError
+    def initialize(e = nil)
+      super e
+        set_backtrace e.backtrace if e
+    end
+  end
+end

data/lib/policy_decision_point/pdp.rb

@@ -0,0 +1,155 @@
+# frozen_string_literal: true
+
+require "json"
+
+module PolicyDecisionPoint
+  ##
+  # Ingress middleware that connects to a PDP to request authz decisions.
+  class PDP
+
+    @@DEFAULT_PORT = 8181
+    @@DEFAULT_HOSTNAME = "http://localhost"
+    @@DEFAULT_POLICY_PATH = "/authz/allow"
+    @@DEFAULT_READ_TIMEOUT_MILLISECONDS = 5000
+    @@DEFAULT_CONNECTION_TIMEOUT_MILLISECONDS = 5000
+    @@DEFAULT_RETRY_MAX_ATTEMPTS = 2
+    @@DEFAULT_RETRY_BACKOFF_MILLISECONDS = 250
+
+    ##
+    # Initializes the PolicyDecisionPoint middleware.
+    #
+    # @param port [Integer] The port at which the PDP serves authz decisions.
+    # @param hostname [String] The host at which the PDP serves authz decisions.
+    # @param policy_path [String] The full path to policy (including package and rule) that makes the authz decision.
+    # @param read_timeout_milliseconds [Integer] Timeout for reading packets from server.
+    # @param connection_timeout_milliseconds [Integer] Timeout for establishing connection to server.
+    # @param retry_max_attempts [Integer] Number of retries to server before giving up.
+    # @param retry_backoff_milliseconds [Integer] Initial wait time before retry, doubles for every retry.
+    def initialize(app,
+        port: @@DEFAULT_PORT,
+        hostname: @@DEFAULT_HOSTNAME,
+        policy_path: @@DEFAULT_POLICY_PATH,
+        read_timeout_milliseconds: @@DEFAULT_READ_TIMEOUT_MILLISECONDS,
+        connection_timeout_milliseconds: @@DEFAULT_CONNECTION_TIMEOUT_MILLISECONDS,
+        retry_max_attempts: @@DEFAULT_RETRY_MAX_ATTEMPTS,
+        retry_backoff_milliseconds: @@DEFAULT_RETRY_BACKOFF_MILLISECONDS)
+
+      @port = port
+        @hostname = hostname
+        @policy_path = policy_path
+        @read_timeout_milliseconds = read_timeout_milliseconds
+        @connection_timeout_milliseconds = connection_timeout_milliseconds
+        @retry_max_attempts = 2
+        @retry_backoff_milliseconds = retry_backoff_milliseconds
+
+        @pdp_endpoint = endpoint()
+
+        @client = Faraday.new(
+            url: @pdp_endpoint,
+            request: {
+                read_timeout: @read_timeout_milliseconds,
+                open_timeout: @connection_timeout_milliseconds,
+            }
+        ) do |conn|
+          conn.request(:retry, max: 2, interval: @retry_backoff_milliseconds / 1000, backoff_factor: 2)
+        end
+
+        @app = app
+    end
+
+    ##
+    # Invoked for incoming requests; calls the PDP with request context to make decision.
+    #
+    # @raise [Middleware::Ingress::AuthzError] if the request fails authorization.
+    def call(env)
+      body = input(env).to_json
+
+      response = @client.post("", body, "Content-Type" => "application/json")
+
+      if not response.success?
+        raise AuthzError.new(
+            StandardError.new("Unexpected response #{response.status} from decision endpoint #{@pdp_endpoint}")
+        )
+      end
+
+      if JSON.parse(response.body).with_indifferent_access["result"] != true
+        raise AuthzError.new(
+            StandardError.new("Request was not authorized by decision endpoint #{@pdp_endpoint}")
+        )
+      end
+
+  rescue Faraday::Error => error
+    raise AuthzError.new(error)
+  else
+    # If no exception is raised, pass the request to the next middleware.
+    @app.call(env)
+    end
+
+    ##
+    # Constructs the endpoint to which PDP authz requests are sent.
+    #
+    # @return [String] the endpoint
+    def endpoint
+      if not @hostname.include? "://"
+        @hostname = "http://" + @hostname
+      end
+
+        @hostname = @hostname.delete_suffix("/")
+
+        if @port.respond_to?(:to_s)
+          @port = @port.to_s
+        end
+
+        if not @port.start_with?(":")
+          @port = ":" + @port
+        end
+
+        if not @policy_path.start_with?("/")
+          @policy_path = "/" + @policy_path
+        end
+
+        @hostname + @port + "/v1/data" + @policy_path
+    end
+
+    ##
+    # Constructs the request context required to make authz decision, which is sent to the PDP.
+    # Header values received in the request are normalized. See NOTE below for examples.
+    #
+    # @return [Hash] the request context
+    def input(env)
+      req = Rack::Request.new(env)
+        headers = ActionDispatch::Http::Headers.from_hash(env)
+
+        {
+            'input': {
+                'request': {
+                    'scheme': req.scheme,
+                    'method': req.request_method,
+                    'path': req.path,
+                    'query': Rack::Utils.parse_nested_query(req.query_string),
+
+                    # NOTE: Rack normalizes all headers by adding prefixes, making uppercase and using underscores.
+                    # Examples
+                    #   Content-Type -> CONTENT_TYPE
+                    #   Accept -> HTTP_ACCEPT
+                    #   Custom-Header -> HTTP_CUSTOM_HEADER
+                    #
+                    # To separate these request headers from other environment headers added by Rails/Rack,
+                    # the following prefix matching is performed.
+                    'headers': headers.to_h.select { |k, v|
+                      ["HTTP", "CONTENT", "AUTHORIZATION"].any? { |s| k.to_s.starts_with? s }
+                    },
+                },
+                'source': {
+                    'ipAddress': req.host,
+                    'port': req.port,
+                },
+                'destination': {
+                    'ipAddress': req.server_name,
+                    'port': req.server_port,
+                }
+            }
+        }
+    end
+  end
+end

data/lib/policy_decision_point/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module PolicyDecisionPoint
+  VERSION = "0.1.0"
+end

data/policy_decision_point.gemspec

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require_relative "lib/policy_decision_point/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "policy_decision_point"
+  spec.version       = PolicyDecisionPoint::VERSION
+  spec.authors       = ["Yash Tewari"]
+  spec.email         = ["yashtewari1996@gmail.com"]
+
+  spec.summary       = "Rails middleware that authorizes incoming requests against a Policy Decision Point, such as an Open Policy Agent server"
+  # spec.description   = "TODO: Write a longer description or delete this line."
+  spec.homepage      = "https://build.security"
+  spec.required_ruby_version = ">= 2.4.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/build-security/opa-rails-middleware"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{\A(?:test|spec|features)/}) }
+  end
+
+  spec.require_paths = ["lib"]
+
+  # Uncomment to register a new dependency of your gem
+  # spec.add_dependency "example-gem", "~> 1.0"
+
+  # For more information and examples about making a new gem, checkout our
+  # guide at: https://bundler.io/guides/creating_gem.html
+end

metadata

@@ -0,0 +1,160 @@
+--- !ruby/object:Gem::Specification
+name: policy_decision_point
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Yash Tewari
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2021-07-11 00:00:00.000000000 Z
+dependencies: []
+description:
+email:
+- yashtewari1996@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/main.yml"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".ruby-version"
+- Gemfile
+- README.md
+- Rakefile
+- bin/console
+- bin/htmldiff
+- bin/ldiff
+- bin/rake
+- bin/rspec
+- bin/rubocop
+- bin/ruby-parse
+- bin/ruby-rewrite
+- bin/setup
+- example/Gemfile
+- example/Gemfile.lock
+- example/README.md
+- example/Rakefile
+- example/app/assets/config/manifest.js
+- example/app/assets/images/.keep
+- example/app/assets/stylesheets/application.css
+- example/app/channels/application_cable/channel.rb
+- example/app/channels/application_cable/connection.rb
+- example/app/controllers/application_controller.rb
+- example/app/controllers/concerns/.keep
+- example/app/controllers/rpc/hello_world/service.proto
+- example/app/controllers/rpc/hello_world/service_pb.rb
+- example/app/controllers/rpc/hello_world/service_twirp.rb
+- example/app/controllers/rpc/hello_world_server.rb
+- example/app/helpers/application_helper.rb
+- example/app/javascript/channels/consumer.js
+- example/app/javascript/channels/index.js
+- example/app/javascript/packs/application.js
+- example/app/jobs/application_job.rb
+- example/app/mailers/application_mailer.rb
+- example/app/models/application_record.rb
+- example/app/models/concerns/.keep
+- example/app/views/layouts/application.html.erb
+- example/app/views/layouts/mailer.html.erb
+- example/app/views/layouts/mailer.text.erb
+- example/babel.config.js
+- example/bin/bundle
+- example/bin/rails
+- example/bin/rake
+- example/bin/setup
+- example/bin/spring
+- example/bin/webpack
+- example/bin/webpack-dev-server
+- example/bin/yarn
+- example/config.ru
+- example/config/application.rb
+- example/config/boot.rb
+- example/config/cable.yml
+- example/config/credentials.yml.enc
+- example/config/database.yml
+- example/config/environment.rb
+- example/config/environments/development.rb
+- example/config/environments/production.rb
+- example/config/environments/test.rb
+- example/config/initializers/application_controller_renderer.rb
+- example/config/initializers/assets.rb
+- example/config/initializers/backtrace_silencers.rb
+- example/config/initializers/content_security_policy.rb
+- example/config/initializers/cookies_serializer.rb
+- example/config/initializers/filter_parameter_logging.rb
+- example/config/initializers/inflections.rb
+- example/config/initializers/mime_types.rb
+- example/config/initializers/permissions_policy.rb
+- example/config/initializers/twirp_rails.rb
+- example/config/initializers/wrap_parameters.rb
+- example/config/locales/en.yml
+- example/config/master.key
+- example/config/puma.rb
+- example/config/routes.rb
+- example/config/spring.rb
+- example/config/storage.yml
+- example/config/webpack/development.js
+- example/config/webpack/environment.js
+- example/config/webpack/production.js
+- example/config/webpack/test.js
+- example/config/webpacker.yml
+- example/extensions/x86_64-linux/3.0.0/ffi-1.15.3/ffi_c.so
+- example/extensions/x86_64-linux/3.0.0/ffi-1.15.3/gem.build_complete
+- example/extensions/x86_64-linux/3.0.0/ffi-1.15.3/gem_make.out
+- example/extensions/x86_64-linux/3.0.0/ffi-1.15.3/mkmf.log
+- example/package.json
+- example/postcss.config.js
+- example/public/404.html
+- example/public/422.html
+- example/public/500.html
+- example/public/apple-touch-icon-precomposed.png
+- example/public/apple-touch-icon.png
+- example/public/favicon.ico
+- example/public/robots.txt
+- example/storage/.keep
+- example/test/application_system_test_case.rb
+- example/test/channels/application_cable/connection_test.rb
+- example/test/controllers/.keep
+- example/test/fixtures/files/.keep
+- example/test/helpers/.keep
+- example/test/integration/.keep
+- example/test/mailers/.keep
+- example/test/models/.keep
+- example/test/system/.keep
+- example/test/test_helper.rb
+- example/tmp/cache/bootsnap/load-path-cache
+- example/vendor/.keep
+- example/yarn.lock
+- lib/policy_decision_point.rb
+- lib/policy_decision_point/pdp.rb
+- lib/policy_decision_point/version.rb
+- policy_decision_point.gemspec
+homepage: https://build.security
+licenses: []
+metadata:
+  homepage_uri: https://build.security
+  source_code_uri: https://github.com/build-security/opa-rails-middleware
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.4.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.2.15
+signing_key:
+specification_version: 4
+summary: Rails middleware that authorizes incoming requests against a Policy Decision
+  Point, such as an Open Policy Agent server
+test_files: []