From 0b3c0e50e948f00a32f3044c953423ce69355234 Mon Sep 17 00:00:00 2001
From: Jan Gottschick
Date: Sat, 5 Oct 2024 22:05:21 +0200
Subject: [PATCH] * fix basic authentication -> rm authz.*
---
 generator/authz.go | 19 ------
 generator/generator.go | 8 ---
 generator/policy.go | 15 ++---
 templates/Justfile.tmpl | 9 ++-
 templates/core/config.go.tmpl | 1 -
 templates/middleware/authz.go.tmpl | 28 ---------
 templates/middleware/authz.rego.tmpl | 91 +++++++++++++++++++++++++++-
 templates/middleware/policy.go.tmpl | 14 +++--
 8 files changed, 110 insertions(+), 75 deletions(-)
 delete mode 100644 generator/authz.go
 delete mode 100644 templates/middleware/authz.go.tmpl
diff --git a/generator/authz.go b/generator/authz.go
deleted file mode 100644
index 4853862..0000000
--- a/generator/authz.go
+++ /dev/null
@@ -1,19 +0,0 @@
-package generator
-
-import (
- fs "dredger/fileUtils"
- "path/filepath"
-
- "github.com/rs/zerolog/log"
-)
-
-func generateAuthzFile(conf GeneratorConfig) {
- log.Info().Msg("Adding auth middleware.")
-
- fileName := "authz.go"
- filePath := filepath.Join(config.Path, AuthzPkg, fileName)
- templateFile := "templates/middleware/authz.go.tmpl"
-
- fs.GenerateFile(filePath)
- createFileFromTemplate(filePath, templateFile, conf)
-}
diff --git a/generator/generator.go b/generator/generator.go
index 6ac665d..f7d8af4 100644
--- a/generator/generator.go
+++ b/generator/generator.go
@@ -32,7 +32,6 @@ const (
 DatabasePkg = "db"
 EntitiesPkg = "entities"
 UsecasesPkg = "usecases"
- AuthzPkg = "rest/middleware"
 MiddlewarePackage = "rest/middleware"
 DefaultPort = 8080
 )
@@ -90,10 +89,6 @@ func GenerateServer(conf GeneratorConfig) error {
 generateDatabaseFiles(conf)
 }
- if conf.AddAuth {
- generateAuthzFile(conf)
- }
-
 generateValidation(conf)
 generatePolicy(conf)
@@ -116,9 +111,6 @@ func createProjectPathDirectory(conf GeneratorConfig) {
 if conf.AddDatabase {
 fs.GenerateFolder(filepath.Join(config.Path, DatabasePkg))
 }
- if conf.AddAuth {
- fs.GenerateFolder(filepath.Join(config.Path, AuthzPkg))
- }
 fs.GenerateFolder(filepath.Join(config.Path, MiddlewarePackage))
 log.Info().Msg("Created project directory.")
diff --git a/generator/policy.go b/generator/policy.go
index 02c3af9..97a0e01 100644
--- a/generator/policy.go
+++ b/generator/policy.go
@@ -1,7 +1,8 @@
 package generator
 import (
- fs "dredger/fileUtils"
+ "errors"
+ "os"
 "path/filepath"
 "github.com/rs/zerolog/log"
@@ -13,18 +14,12 @@ func generatePolicy(conf GeneratorConfig) {
 fileName := "policy.go"
 filePath := filepath.Join(config.Path, MiddlewarePackage, fileName)
 templateFile := "templates/middleware/policy.go.tmpl"
- fs.GenerateFile(filePath)
- createFileFromTemplate(filePath, templateFile, conf)
-
- fileName = "authz.go"
- filePath = filepath.Join(config.Path, MiddlewarePackage, fileName)
- templateFile = "templates/middleware/authz.go.tmpl"
- fs.GenerateFile(filePath)
 createFileFromTemplate(filePath, templateFile, conf)
 fileName = "authz.rego"
 filePath = filepath.Join(config.Path, MiddlewarePackage, fileName)
 templateFile = "templates/middleware/authz.rego.tmpl"
- fs.GenerateFile(filePath)
- createFileFromTemplate(filePath, templateFile, conf)
+ if _, err := os.Stat(filePath); errors.Is(err, os.ErrNotExist) {
+ createFileFromTemplate(filePath, templateFile, conf)
+ }
 }
diff --git a/templates/Justfile.tmpl b/templates/Justfile.tmpl
index 70fdcad..b2121bb 100644
--- a/templates/Justfile.tmpl
+++ b/templates/Justfile.tmpl
@@ -1,7 +1,7 @@
 # This file was initially generated by dredger, but feel free to adapt it to your needs and environment
 set dotenv-load
 program := `basename $PWD`
-port := env_var_or_default("PORT", "9090")
+port := env_var_or_default("{{ upper ( snakecase .ModuleName ) }}_PORT_NB", "9090")
 help:
 just -l
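Review bot: The new `os.Stat` guard before `createFileFromTemplate` in the authz.rego branch treats every error other than ENOENT the same as "file exists": a permission or I/O failure silently skips generation with no log, and the legitimate "kept your existing policy" case is silent as well. That silence matters now that the template's defaults flip from `default allowAccess = true` to deny-all — a project generated from the old template keeps its permissive policy with no hint that a stricter default exists. Consider separating the three outcomes and logging the two that skip generation (sketch below); if `dredger generate` has a force/overwrite option (the generated Justfile passes `-f`), this check presumably should honour it, but that wiring is not in the hunk. `generatePolicy` starts outside the hunk.
```go
	// … unchanged: policy.go generation and authz.rego path setup …
	_, err := os.Stat(filePath)
	switch {
	case errors.Is(err, os.ErrNotExist):
		createFileFromTemplate(filePath, templateFile, conf)
	case err != nil:
		log.Error().Err(err).Str("file", filePath).Msg("cannot check existing rego policy")
	default:
		log.Info().Str("file", filePath).Msg("Keeping existing rego policy")
	}
```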
@@ -19,6 +19,9 @@ install: build
 run: build
 go run . -p {{"{{port}}"}}
+debug: build
+ go run . -d -p {{"{{port}}"}}
+
 generate:
 dredger generate OpenAPI.yaml -o . -f -n {{ .ModuleName }}
@@ -43,6 +46,10 @@ docker-run:
 required:
 go install github.com/a-h/templ/cmd/templ@latest
+update: required
+ go get -u
+ go mod tidy
+
 # List all ToDo items of the source code
 todo:
 rg -ip "to.?do:"
diff --git a/templates/core/config.go.tmpl b/templates/core/config.go.tmpl
index c13fd8e..e016c9f 100644
--- a/templates/core/config.go.tmpl
+++ b/templates/core/config.go.tmpl
@@ -21,7 +21,6 @@ type Config struct {
 Title string
 PortNb string `default:"8080"` // Port is a reserved name in k8s
 ApiKeys []string `default:"" split_words:"true"`
- AuthorizationHeader string `default:"" split_words:"true"`
 SessionKey string `default:"" split_words:"true"`
 Host string `ignored:"true"`
 User string
diff --git a/templates/middleware/authz.go.tmpl b/templates/middleware/authz.go.tmpl
deleted file mode 100644
index a45f8a7..0000000
--- a/templates/middleware/authz.go.tmpl
+++ /dev/null
@@ -1,28 +0,0 @@
-// Don't edit this file, as it is generated by dredger
-package middleware
-
-import (
- "{{ lcfirst ( camelcase .ModuleName ) }}/core"
- "net/http"
-
- "github.com/labstack/echo/v4"
-)
-
-func Authz(next echo.HandlerFunc) echo.HandlerFunc {
- return func(c echo.Context) error {
- if isAuthorized(c) {
- return next(c)
- }
- return echo.NewHTTPError(http.StatusUnauthorized, "Please provide a valid API key")
- }
-}
-
-func isAuthorized(c echo.Context) bool {
- // Check API keys
- for _, key := range core.AppConfig.ApiKeys {
- if key == c.Request().Header.Get(core.AppConfig.AuthorizationHeader) {
- return true
- }
- }
- return false
-}
diff --git a/templates/middleware/authz.rego.tmpl b/templates/middleware/authz.rego.tmpl
index 3095ecb..37b5ce6 100644
--- a/templates/middleware/authz.rego.tmpl
+++ b/templates/middleware/authz.rego.tmpl
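Review bot: The new `update` recipe in the `@@ -43,6 +46,10 @@` hunk runs a bare `go get -u`, which moves every direct and indirect dependency in the generated project's go.mod/go.sum to its latest minor/patch release, so it is a deliberate upgrade step rather than part of `build` — but unlike the neighbouring `todo` recipe it carries no `#` description saying so. Suggest adding `# Upgrade all Go dependencies to their latest minor/patch versions (rewrites go.mod and go.sum; review the diff before committing)` above `update: required`.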
@@ -1,4 +1,91 @@
 package {{ lcfirst ( camelcase .ModuleName ) }}.authz
-default allowEntrypoint = true
-default allowAccess = true
+#
+# Methods
+#
+
+default getMethod = false
+
+getMethod {
+ lower(input.method) == "get"
+}
+
+default putMethod = false
+
+putMethod {
+ lower(input.method) == "put"
+}
+
+default postMethod = false
+
+postMethod {
+ lower(input.method) == "post"
+}
+
+default deleteMethod = false
+
+deleteMethod {
+ lower(input.method) == "delete"
+}
+
+#
+# Roles
+#
+
+default staff = false
+
+staff {
+ lower(input.role) == "staff"
+}
+
+default user = false
+
+user {
+ lower(input.role) == "user"
+}
+
+default staffuser = false
+
+staffuser {
+ staff
+}
+
+staffuser {
+ user
+}
+
+#
+# API token
+#
+
+default api = false
+
+api {
+ lower(input.role) == "api"
+}
+
+api {
+ input.apitoken == ""
+}
+
+#
+# Rules
+#
+# allowEntryPoint permit general the access to a api function
+# allowAccess check the authorization by the permitted roles
+#
+default allowEntrypoint = false
+
+default allowAccess = false
+
+allowEntrypoint {
+# user
+# getMethod
+# input.path == "/livez"
+}
+
+allowAccess {
+# user
+# getMethod
+# input.path == "/livez"
+}
diff --git a/templates/middleware/policy.go.tmpl b/templates/middleware/policy.go.tmpl
index bb5353a..da0584f 100644
--- a/templates/middleware/policy.go.tmpl
+++ b/templates/middleware/policy.go.tmpl
@@ -37,13 +37,13 @@ func init() {
 }
 // precompile policy
- // log.Debug().Str("policy", core.AppConfig.Policy).Msg("got policy")
+ log.Debug().Msg("Precompile rego policy")
 var err error
 policyCompiler, err = ast.CompileModules(map[string]string{
 "authz.rego": core.AppConfig.Policy,
 })
 if err != nil {
- log.Printf("wrong rego policy (%s)\n", err)
+ log.Error().Err(err).Msg("wrong rego policy")
 }
 }
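Review bot: The second `api` rule, `api { input.apitoken == "" }`, makes the `api` role true whenever the token is the empty string, so a request that presents no token at all satisfies it; if `input.apitoken` carries the token the caller presented (the Go side that builds `input` is not in this diff), the comparison looks inverted and should require a real key match rather than its absence. Separately, `allowEntrypoint` and `allowAccess` now have every body line commented out, leaving `{ }` bodies; I believe the Rego parser rejects an empty rule body, in which case the template as generated fails `ast.CompileModules` at startup — please verify against the OPA version in use, or leave one condition live (e.g. `input.path == "/livez"`) so the deny-by-default policy compiles. The rule comment also names a rule that does not exist: suggest `# allowEntrypoint grants general access to an API function` and `# allowAccess checks authorization against the permitted roles` in place of the two `# allowEntryPoint permit …`/`# allowAccess check …` lines.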
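Review bot: On the new `log.Error().Err(err).Msg("wrong rego policy")` line a policy that fails to compile is only logged and `init` carries on, so `policyCompiler` keeps its zero value; what that means for later requests depends on how a nil compiler is handled outside the hunk, and a silent fall-through on the authorization gate is the wrong default either way. Since a broken policy is now more likely (the shipped template's `allowEntrypoint`/`allowAccess` rules have empty bodies), failing closed at startup seems preferable: `log.Fatal().Err(err).Msg("wrong rego policy")`. `init` starts outside the hunk.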
@@ -61,10 +61,11 @@ const (
 type Input map[string]interface{}
 func checkAuthorization(authorizationHeader string) (string, bool) {
-
+ log.Debug().Msg("Check authorization")
 parts := strings.Split(authorizationHeader, " ")
 if len(parts) < 2 {
- return "", false
+ log.Debug().Msg("No authorizationHeader")
+ return "", false
 }
 if strings.ToLower(parts[0]) == "bearer" {
 if len(core.AppConfig.ApiKeys) > 0 {
@@ -102,6 +103,7 @@ func checkAuthorization(authorizationHeader string) (string, bool) {
 }
 user := tokenParts[0]
 password := tokenParts[1]
+ log.Debug().Str("user",user).Str("password",password).Msg("Basic authentication found")
 // Check staff user
 if core.AppConfig.StaffUser != "" && user == core.AppConfig.StaffUser {
 if password == core.AppConfig.StaffPassword {
@@ -186,9 +188,9 @@ func checkPolicy(c echo.Context) Action {
 }
 // extract input from request
- authorization := req.Header.Get(core.AppConfig.AuthorizationHeader)
+ authorization := req.Header.Get("Authorization")
 role, authorized := checkAuthorization(authorization)
- if !authorized && core.AppConfig.OpaSvc == "" && core.AppConfig.Policy == "" && (core.AppConfig.ParticipantUser != "" || core.AppConfig.StaffUser != "") {
+ if !authorized && (core.AppConfig.OpaSvc != "" || core.AppConfig.Policy != "") && (core.AppConfig.ParticipantUser != "" || core.AppConfig.StaffUser != "") {
 log.Debug().Str("authorization", authorization).Msg("Authorization failed")
 return Authorize
 }
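Review bot: The added `log.Debug().Str("user",user).Str("password",password).Msg("Basic authentication found")` in the `@@ -102,6 +103,7 @@` hunk writes the cleartext Basic-auth password to the log; debug output routinely lands in shared log pipelines, so credentials must stay out of it at every level. Drop the password field: `log.Debug().Str("user", user).Msg("Basic authentication found")` (which also fixes the gofmt spacing). The unchanged `log.Debug().Str("authorization", authorization).Msg("Authorization failed")` context line in the `checkPolicy` hunk has the same problem, since the raw header carries the base64 credentials or bearer token. `checkAuthorization` starts and ends outside the hunk.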
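Review bot: The rewritten condition in the `@@ -186,9 +188,9 @@` hunk returns `Authorize` only when `OpaSvc` or `Policy` is configured, so an unauthenticated request to a deployment that sets `StaffUser`/`ParticipantUser` but no OPA service and no policy now falls through to the code after the hunk instead of being challenged as it was before; please confirm that fall-through path denies rather than admits the request, as I cannot see it here. If the intent is simply "challenge whenever credentials are configured", the policy clause can be dropped: `if !authorized && (core.AppConfig.ParticipantUser != "" || core.AppConfig.StaffUser != "") {`. Reading the standard `"Authorization"` header directly instead of a configurable name is a sound simplification. `checkPolicy` continues outside the hunk.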