
Direct (Non-GRPC-Interceptor) Usage

import opamw "github.com/infobloxopen/atlas-authz-middleware/grpc_opa"

// Create Authorizer with example options
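authzer := opamw.NewDefaultAuthorizer(
    viper.GetString("app.id"),
    opamw.WithAddress(opa_client.DefaultAddress),
    opamw.WithDecisionInputHandler(&myDecisionInputer{}),
)

// AffirmAuthorization makes an authz request to sidecar-OPA.
// If authorization is permitted, the returned error is nil and a new
// context is returned, possibly carrying obligations under opamw.ObKey.
// Obligations are conditions attached to the permit; the caller must
// evaluate them if required.
newCtx, err := authzer.AffirmAuthorization(ctx, "MyService.MyMethod", nil)
if err != nil {
    // A non-nil error means the request was not permitted (or no permit
    // could be affirmed): fail closed and do not run the operation.
    // Adjust the return to the enclosing function's signature.
    return err
}

// Operation is permitted; fetch and process obligations.
if newCtx != nil {
    // The comma-ok assertion is false for a missing or nil context value,
    // so no separate nil check on the value is needed.
    obTree, ok := newCtx.Value(opamw.ObKey).(opamw.ObligationsNode)
    if ok && obTree != nil && !obTree.IsShallowEmpty() {
        // process any obligations in obTree if required
    }
}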

GRPC Unary Interceptor Usage

import opamw "github.com/infobloxopen/atlas-authz-middleware/grpc_opa"

// Create unary-interceptor with example options
// Same options as the direct-usage Authorizer: application id, OPA sidecar
// address, and the handler that builds the decision input for each call.
authzOpaInterceptor := opamw.UnaryServerInterceptor(
    viper.GetString("app.id"),
    opamw.WithAddress(opa_client.DefaultAddress),
    opamw.WithDecisionInputHandler(&myDecisionInputer{}),
)

// NOTE(review): position in the chain matters — this interceptor should run
// after whichever interceptor populates the identity that the decision input
// handler reads from the context; confirm against the server setup.
interceptors = append(interceptors, authzOpaInterceptor)