Merge pull request #1 from openfga/initial_commit

feat: adds server.

Author: jcchavezs

.github/workflows/ci.yaml

@@ -0,0 +1,60 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - "main"
+    paths-ignore:
+      - "**/*.md"
+      - "LICENSE"
+  pull_request:
+
+jobs:
+  test-and-build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.22.1
+
+      - name: Test
+        run: make test
+
+      - name: Build
+        run: make build
+
+      - name: E2E Test
+        run: make e2e
+
+      - name: Uploads logs if failure
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: extauthz-e2e-logs
+          path: extauthz/e2e/logs
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: extauthz
+          platforms: linux/amd64,linux/arm64
+          #push: ${{ github.event_name != 'pull_request' }}
+          push: false
+          tags: openfga/openfga-envoy:latest

.gitignore

@@ -0,0 +1,2 @@
+**/build
+**/logs

Makefile

@@ -0,0 +1,15 @@
+.PHONY: run
+run-extauthz:
+	@go run extauthz/cmd/extauthz/main.go
+
+.PHONY: test
+test:
+	@$(MAKE) -C extauthz test
+
+.PHONY: build
+build:
+	@$(MAKE) -C extauthz build
+
+.PHONY: e2e
+e2e:
+	@$(MAKE) -C extauthz e2e

extauthz/Dockerfile

@@ -0,0 +1,7 @@
+FROM scratch
+
+COPY build/envoy-extauthz-linux /envoy-extauthz
+
+EXPOSE 9002
+
+ENTRYPOINT ["/envoy-extauthz"]

extauthz/Makefile

@@ -0,0 +1,16 @@
+.PHONY: test
+test:
+	@go test -count=1 ./...
+
+.PHONY: build
+build:
+	@mkdir -p ./build
+	@GOOS=linux CGO_ENABLED=0 go build -o ./build/envoy-extauthz-linux ./cmd/extauthz/main.go
+
+.PHONY: docker
+docker: build
+	@docker build -t envoy-extauthz -f Dockerfile .
+
+.PHONY: e2e
+e2e:
+	@./e2e/run.sh

extauthz/cmd/extauthz/main.go

@@ -0,0 +1,91 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"net"
+
+	auth_pb "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	"github.com/openfga/go-sdk/client"
+	"github.com/openfga/openfga-envoy/extauthz/internal/extractor"
+	"github.com/openfga/openfga-envoy/extauthz/internal/server/authz"
+	"github.com/openfga/openfga-envoy/extauthz/internal/server/config"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/health"
+	"google.golang.org/grpc/health/grpc_health_v1"
+)
+
+const port = 9002
+
+func main() {
+	var (
+		configPath string
+	)
+
+	flag.StringVar(&configPath, "config", "./config.yaml", "path to the configuration file")
+	flag.Parse()
+
+	cfg, err := config.LoadConfig(configPath)
+	if err != nil {
+		log.Fatalf("failed to load config: %v", err)
+	}
+
+	fgaClient, err := client.NewSdkClient(&client.ClientConfiguration{
+		//		Debug:                true,
+		ApiUrl:               cfg.Server.APIURL,
+		StoreId:              cfg.Server.StoreID,
+		AuthorizationModelId: cfg.Server.AuthorizationModelID, // optional, recommended to be set for production
+	})
+	if err != nil {
+		log.Fatalf("failed to initialize OpenFGA client: %v", err)
+	}
+
+	extractionSet := make([]extractor.ExtractorSet, 0, len(cfg.ExtractionSet))
+	for _, es := range cfg.ExtractionSet {
+		var (
+			eSet extractor.ExtractorSet
+			err  error
+		)
+
+		eSet.Name = es.Name
+
+		eSet.User, err = extractor.MakeExtractor(es.User.Type, es.User.Config)
+		if err != nil {
+			log.Fatalf("failed to create user extractor: %v", err)
+		}
+
+		eSet.Object, err = extractor.MakeExtractor(es.Object.Type, es.Object.Config)
+		if err != nil {
+			log.Fatalf("failed to create object extractor: %v", err)
+		}
+
+		eSet.Relation, err = extractor.MakeExtractor(es.Relation.Type, es.Relation.Config)
+		if err != nil {
+			log.Fatalf("failed to create relation extractor: %v", err)
+		}
+
+		extractionSet = append(extractionSet, eSet)
+	}
+
+	filter := authz.NewExtAuthZFilter(fgaClient, extractionSet)
+
+	server := createServer(filter)
+
+	listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Printf("Starting server on port %d\n", port)
+	log.Fatal(server.Serve(listener))
+}
+
+func createServer(filter *authz.ExtAuthZFilter) *grpc.Server {
+	grpcServer := grpc.NewServer()
+
+	grpc_health_v1.RegisterHealthServer(grpcServer, health.NewServer())
+	auth_pb.RegisterAuthorizationServer(grpcServer, filter)
+
+	return grpcServer
+}

extauthz/cmd/extauthz/main_test.go

@@ -0,0 +1,82 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"log"
+	"net"
+	"testing"
+
+	auth_pb "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	"github.com/openfga/go-sdk/client"
+	"github.com/openfga/openfga-envoy/extauthz/internal/extractor"
+	"github.com/openfga/openfga-envoy/extauthz/internal/server/authz"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/test/bufconn"
+)
+
+func server(ctx context.Context, e extractor.ExtractorSet) (auth_pb.AuthorizationClient, func()) {
+	buffer := 101024 * 1024
+	lis := bufconn.Listen(buffer)
+
+	fgaClient, err := client.NewSdkClient(&client.ClientConfiguration{
+		ApiUrl: "https://api.fga.example",
+	})
+	if err != nil {
+		panic(err)
+	}
+
+	filter := authz.NewExtAuthZFilter(fgaClient, []extractor.ExtractorSet{e})
+
+	baseServer := grpc.NewServer()
+	auth_pb.RegisterAuthorizationServer(baseServer, filter)
+
+	go func() {
+		if err := baseServer.Serve(lis); err != nil {
+			log.Printf("error serving server: %v", err)
+		}
+	}()
+
+	conn, err := grpc.DialContext(ctx, "",
+		grpc.WithContextDialer(func(context.Context, string) (net.Conn, error) {
+			return lis.Dial()
+		}), grpc.WithTransportCredentials(insecure.NewCredentials()))
+	if err != nil {
+		log.Printf("error connecting to server: %v", err)
+	}
+
+	closer := func() {
+		err := lis.Close()
+		if err != nil {
+			log.Printf("error closing listener: %v", err)
+		}
+		baseServer.Stop()
+	}
+
+	return auth_pb.NewAuthorizationClient(conn), closer
+}
+
+func TestNoUserExtractedFails(t *testing.T) {
+	ctx := context.Background()
+
+	expectedErr := errors.New("no user")
+
+	e := extractor.ExtractorSet{
+		Name: "extauthz",
+		User: func(ctx context.Context, value *auth_pb.CheckRequest) (string, bool, error) {
+			return "", false, expectedErr
+		},
+	}
+
+	client, closer := server(ctx, e)
+	defer closer()
+
+	_, sErr := client.Check(ctx, &auth_pb.CheckRequest{})
+	if sErr == nil {
+		t.Fatal("expected error")
+	}
+
+	require.ErrorContains(t, sErr, expectedErr.Error())
+}

extauthz/e2e/.gitignore

@@ -0,0 +1 @@
+config.yaml

extauthz/e2e/config.yaml.tmpl

@@ -0,0 +1,19 @@
+server:
+  api_url: http://openfga:8080
+  # TODO(jcchavezs): This should be read from an env var
+  store_id: ${STORE_ID}
+
+extraction_sets:
+  - name: test
+    user:
+      type: mock
+      config:
+        value: subject:test_subject
+    object:
+      type: mock
+      config:
+        value: resource:test_resource
+    relation:
+      type: mock
+      config:
+        value: GET

extauthz/e2e/docker-compose.yaml

@@ -0,0 +1,76 @@
+version: '3.2'
+
+services:
+  httpbin:
+    image: mccutchen/go-httpbin:v2.9.0
+    command: [ "/bin/go-httpbin", "-port", "8081" ]
+    ports:
+      - 8081:8081
+    networks:
+      - app_net
+
+  envoy:
+    container_name: envoy
+    depends_on:
+      - httpbin
+      - ext-authz
+    image: ${ENVOY_IMAGE:-envoyproxy/envoy:v1.28-latest}
+    # Entryoint is explicited in order to make the ENVOY_IMAGE compatible also with istio/proxyv2 images
+    # The latter has as default entrypoint pilot-agent instead of envoy
+    # See https://github.com/tetratelabs/proxy-wasm-go-sdk/blob/main/.github/workflows/workflow.yaml#L104
+    entrypoint: /usr/local/bin/envoy
+    command:
+      - -c
+      - /conf/envoy-config.yaml
+      - --service-cluster # required to export metrics
+      - envoy
+      - --service-node # required to export metrics
+      - envoy
+      - --log-level
+      - debug
+    volumes:
+      - .:/conf
+    ports:
+      - 8080:8080
+    networks:
+      - app_net
+  
+  ext-authz:
+    build:
+      context: ..
+      dockerfile: Dockerfile
+    expose:
+      - 9002
+    ports:
+    - 9002:9002
+    command: ["--config", "/etc/extauthz/config.yaml"]
+    volumes:
+      - .:/etc/extauthz
+    depends_on:
+      openfga:
+        condition: service_healthy
+    networks:
+      - app_net
+
+  openfga:
+    image: openfga/openfga:latest
+    container_name: openfga
+    command: run
+    environment:
+      - OPENFGA_DATASTORE_ENGINE=memory
+    ports:
+      - "18080:8080" #http
+      - "18081:8081" #grpc
+      - "3000:3000" #playground
+      - "2112:2112" #prometheus metrics
+    healthcheck:
+      test: ["CMD", "/usr/local/bin/grpc_health_probe", "-addr=openfga:8081"]
+      interval: 5s
+      timeout: 30s
+      retries: 3
+    networks:
+      - app_net
+
+networks:
+  app_net:
+    driver: bridge