krakend / krakend-jose

Javascript Object Signing and Encryption (JOSE) component for the KrakenD framework
http://www.krakend.io
Apache License 2.0

ACL roles and regex checks enhancement #20

Closed thinkingmik closed 5 years ago

thinkingmik commented 5 years ago

Hello,

I'm using this Krakend plugin for JWT validation, in particular I'm focusing on the ACL validation functionality: roles_key and roles.

It works well, but for a project I need to check if a given role contains words. With this plugin it is not possible to do this; it is only possible to check if the given role is in the roles list.

So my suggestion is:

  1. Adding a new setting at L27 like roles_regex: true/false
  2. In the method CanAccess, if the previous property roles_regex exists and it is true, do something like this instead of the standard check:

    
```go
package main

import "regexp"

// CanAccess grants access when any role in the claims matches a required
// entry. With roleRegex set, each required entry is treated as a regular
// expression; otherwise it must be equal to the role string.
func CanAccess(roleKey string, claims map[string]interface{}, required []string, roleRegex bool) bool {
    // The role list is read from the claim named by roleKey (this part was
    // elided as "..." in the proposal). JSON-decoded arrays arrive as []interface{}.
    roles, ok := claims[roleKey].([]interface{})
    if !ok {
        return false
    }

    for _, role := range required {
        for _, r := range roles {
            s, ok := r.(string)
            if !ok {
                continue
            }
            if roleRegex {
                reg, err := regexp.Compile(role)
                if err != nil {
                    // An invalid pattern can never grant access.
                    continue
                }
                if reg.MatchString(s) {
                    return true
                }
            } else if s == role {
                return true
            }
        }
    }

    return false
}
```

So in the JWT validation plugin settings I could have:
```json
{
    "endpoint": "/protected/resource",
    "extra_config": {
        "github.com/devopsfaith/krakend-jose/validator": {
            "alg": "RS256",
            "audience": ["http://api.example.com"],
            "roles_regex": true,
            "roles_key": "roles",
            "roles": ["(\b)?+(.guest.)+(\b)?", "(\b)?+(.admin.)+(\b)?"],
            "jwk-url": "https://albert-test.auth0.com/.well-known/jwks.json"
        }
    },
    "backend": [
        {
        "url_pattern": "/"
        }
    ]
}
```

In this way I'm able to grant access to roles:

001.admin.0002
002.admin.0002 

What do you think about this possible enhancement?
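The check proposed above, as an added example that is not code from this issue or from krakend-jose, written against Go's standard library. It assumes a hypothetical `RoleMatcher` type that compiles the configured `roles` entries once when the configuration is loaded rather than on every request: an entry that does not compile is rejected up front instead of silently denying access at runtime, every pattern is anchored so that a rule such as `admin` cannot match `not-admin` or `admin-readonly`, exact-match mode is handled by the same code path through `regexp.QuoteMeta`, and a missing, non-list or non-string `roles` claim denies access. One caveat a practitioner should know before adopting the configuration shown above: the patterns `(\b)?+(.guest.)+(\b)?` use the possessive `?+` operator, which Go's RE2-based `regexp` package rejects as an invalid nested repetition operator (cel-go's `matches()` is built on the same package), so they would need rewriting, for instance as `\d{3}\.guest\.\d{4}`. The claims in the block are constructed sample input standing in for a decoded JWT payload.

```go
package main

import (
	"fmt"
	"regexp"
)

// RoleMatcher is a hypothetical replacement for the proposed CanAccess: the
// required role entries are compiled once at configuration time instead of on
// every request.
type RoleMatcher struct {
	patterns []*regexp.Regexp
}

// NewRoleMatcher compiles the required entries. With useRegex false every entry
// is escaped with regexp.QuoteMeta, so the same code path performs an exact
// string comparison. Every pattern is anchored with ^(?:...)$ so a pattern such
// as "admin" cannot match "not-admin" or "admin-readonly".
func NewRoleMatcher(required []string, useRegex bool) (*RoleMatcher, error) {
	m := &RoleMatcher{}
	for _, entry := range required {
		p := entry
		if !useRegex {
			p = regexp.QuoteMeta(entry)
		}
		re, err := regexp.Compile("^(?:" + p + ")$")
		if err != nil {
			// Reject bad configuration up front; do not start with a rule
			// that can never grant access and is silently skipped.
			return nil, fmt.Errorf("roles entry %q: %w", entry, err)
		}
		m.patterns = append(m.patterns, re)
	}
	return m, nil
}

// claimRoles returns the string roles found under roleKey. JSON-decoded
// claims arrive as []interface{}; a single string is accepted too. Anything
// else (missing claim, number, object) yields no roles, hence no access.
func claimRoles(roleKey string, claims map[string]interface{}) []string {
	var roles []string
	switch v := claims[roleKey].(type) {
	case []interface{}:
		for _, x := range v {
			if s, ok := x.(string); ok {
				roles = append(roles, s)
			}
		}
	case string:
		roles = append(roles, v)
	}
	return roles
}

// CanAccess reports whether any role in the token matches any configured entry.
func (m *RoleMatcher) CanAccess(roleKey string, claims map[string]interface{}) bool {
	for _, role := range claimRoles(roleKey, claims) {
		for _, re := range m.patterns {
			if re.MatchString(role) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample claims standing in for a decoded JWT payload.
	claims := map[string]interface{}{
		"sub":   "user-1",
		"roles": []interface{}{"001.admin.0002", "reporting"},
	}

	m, err := NewRoleMatcher([]string{`\d{3}\.admin\.\d{4}`, `\d{3}\.guest\.\d{4}`}, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("regex rule, 001.admin.0002:", m.CanAccess("roles", claims))

	// Exact-match mode: "admin" must equal the whole role string.
	exact, _ := NewRoleMatcher([]string{"admin"}, false)
	fmt.Println("exact rule, admin-readonly:",
		exact.CanAccess("roles", map[string]interface{}{"roles": []interface{}{"admin-readonly"}}))

	// The pattern from the proposed configuration is not valid RE2 syntax.
	_, err = NewRoleMatcher([]string{`(\b)?+(.guest.)+(\b)?`}, true)
	fmt.Println("proposed pattern compiles:", err == nil, "->", err)
}
```

Compiling at load time also means a typo in `roles` is caught when KrakenD starts rather than turning into a rule that never grants access; the unanchored `reg.MatchString(r)` in the proposal would instead let a short pattern match any role that merely contains it.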

kpacha commented 5 years ago

hi @thinkingmik !

Please, check the krakend-cel module and this part of the config used in the integration test: https://github.com/devopsfaith/krakend-ce/blob/master/tests/fixtures/krakend.json#L121-L145

Your example could be defined as:

"check_expr": "JWT.roles.exists(r, r.matches('(\b)?+(.guest.)+(\b)?') || r.matches('(\b)?+(.admin.)+(\b)?'))"

You can use regex, other macros, boolean operations, etc over any part of the received JWT. More details at the documentation: https://www.krakend.io/docs/endpoints/common-expression-language-cel/

Cheers!

github-actions[bot] commented 2 years ago

This issue was marked as resolved a long time ago and now has been automatically locked as there has not been any recent activity after it. You can still open a new issue and reference this link.