Merge pull request #166 from permitio/raz/per-10289-support-ngnix

add allowed ngnix support
permitio · Aug 7, 2024 · b4b4e12 · b4b4e12
2 parents 51d2416 + 401128e
commit b4b4e12
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 0 deletions.
diff --git a/horizon/enforcer/api.py b/horizon/enforcer/api.py
@@ -35,6 +35,7 @@
     UserTenantsResult,
     AuthorizedUsersResult,
     AuthorizedUsersAuthorizationQuery,
+    User,
 )
 from horizon.enforcer.schemas_kong import (
     KongAuthorizationInput,
@@ -43,6 +44,7 @@
     KongWrappedAuthorizationQuery,
 )
 from horizon.enforcer.schemas_v1 import AuthorizationQueryV1
+from horizon.enforcer.utils.headers_utils import get_case_insensitive
 from horizon.enforcer.utils.mapping_rules_utils import MappingRulesUtils
 from horizon.enforcer.utils.statistics_utils import StatisticsManager
 from horizon.state import PersistentStateHandler
@@ -553,6 +555,51 @@ async def is_allowed(
             )
         return result
 
+    @router.post(
+        "/nginx_allowed",
+        response_model=AuthorizationResult,
+        status_code=status.HTTP_200_OK,
+        response_model_exclude_none=True,
+        dependencies=[Depends(enforce_pdp_token)],
+    )
+    async def is_allowed_nginx(
+        request: Request,
+        permit_user_key: str = Header(None),
+        permit_tenant_id: str = Header(None),
+        permit_action: str = Header(None),
+        permit_resource_type: str = Header(None),
+    ):
+
+        query = AuthorizationQuery(
+            user=User(key=permit_user_key),
+            action=permit_action,
+            resource=Resource(type=permit_resource_type, tenant=permit_tenant_id),
+        )
+
+        response = await _is_allowed(query, request, MAIN_POLICY_PACKAGE)
+        log_query_result(query, response)
+        try:
+            raw_result = json.loads(response.body).get("result", {})
+            processed_query = (
+                get_v1_processed_query(raw_result)
+                or get_v2_processed_query(raw_result)
+                or {}
+            )
+            result = {
+                "allow": raw_result.get("allow", False),
+                "result": raw_result.get(
+                    "allow", False
+                ),  # fallback for older sdks (TODO: remove)
+                "query": processed_query,
+                "debug": raw_result.get("debug", {}),
+            }
+        except:
+            result = dict(allow=False, result=False)
+            logger.warning(
+                "is allowed (fallback response)", reason="cannot decode opa response"
+            )
+        return result
+
     @router.post(
         "/kong",
         response_model=KongAuthorizationResult,

diff --git a/horizon/enforcer/utils/headers_utils.py b/horizon/enforcer/utils/headers_utils.py
@@ -0,0 +1,6 @@
+def get_case_insensitive(dictionary, key) -> str | None:
+    if isinstance(key, str):
+        return next(
+            (dictionary[k] for k in dictionary if k.lower() == key.lower()), None
+        )
+    return dictionary.get(key, None)