Add support for Access Management Plugin (#14875)

- This change renames the OPA integration as Access Management Plugin - there is nothing specific to OPA in the integration, it is just a webhook. - OPA configuration is automatically migrated to Access Management Plugin and OPA specific configuration is marked as deprecated. - OPA doc is updated and moved.
2025-11-07 12:52:58 -05:00 · 2022-05-10 17:14:55 -07:00
parent edf364bf21
commit 83071a3459
13 changed files with 572 additions and 26 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -69,6 +69,7 @@ const (
 const (
 	CredentialsSubSys    = "credentials"
 	PolicyOPASubSys      = "policy_opa"
+	PolicyPluginSubSys   = "policy_plugin"
 	IdentityOpenIDSubSys = "identity_openid"
 	IdentityLDAPSubSys   = "identity_ldap"
 	IdentityTLSSubSys    = "identity_tls"
@@ -141,6 +142,7 @@ var SubSystems = set.CreateStringSet(
 	AuditWebhookSubSys,
 	AuditKafkaSubSys,
 	PolicyOPASubSys,
+	PolicyPluginSubSys,
 	IdentityLDAPSubSys,
 	IdentityOpenIDSubSys,
 	IdentityTLSSubSys,
@@ -183,6 +185,7 @@ var SubSystemsSingleTargets = set.CreateStringSet([]string{
 	StorageClassSubSys,
 	CompressionSubSys,
 	PolicyOPASubSys,
+	PolicyPluginSubSys,
 	IdentityLDAPSubSys,
 	IdentityTLSSubSys,
 	HealSubSys,
--- a/internal/config/policy/opa/help.go
+++ b/internal/config/policy/opa/help.go
@@ -28,13 +28,13 @@ var (
 	Help = config.HelpKVS{
 		config.HelpKV{
 			Key:         URL,
-			Description: `OPA HTTP(s) endpoint e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"` + defaultHelpPostfix(URL),
+			Description: `[DEPRECATED] OPA HTTP(s) endpoint e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"` + defaultHelpPostfix(URL),
 			Type:        "url",
 			Sensitive:   true,
 		},
 		config.HelpKV{
 			Key:         AuthToken,
-			Description: "authorization token for OPA endpoint" + defaultHelpPostfix(AuthToken),
+			Description: "[DEPRECATED] authorization token for OPA endpoint" + defaultHelpPostfix(AuthToken),
 			Optional:    true,
 			Type:        "string",
 			Sensitive:   true,
--- a/internal/config/policy/plugin/config.go
+++ b/internal/config/policy/plugin/config.go
@@ -0,0 +1,223 @@
+// Copyright (c) 2015-2022 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package plugin
+
+import (
+	"bytes"
+	"encoding/json"
+	"io"
+	"io/ioutil"
+	"net/http"
+
+	"github.com/minio/minio/internal/config"
+	"github.com/minio/pkg/env"
+	iampolicy "github.com/minio/pkg/iam/policy"
+	xnet "github.com/minio/pkg/net"
+)
+
+// Authorization Plugin config and env variables
+const (
+	URL       = "url"
+	AuthToken = "auth_token"
+
+	EnvPolicyPluginURL       = "MINIO_POLICY_PLUGIN_URL"
+	EnvPolicyPluginAuthToken = "MINIO_POLICY_PLUGIN_AUTH_TOKEN"
+)
+
+// DefaultKVS - default config for Authz plugin config
+var (
+	DefaultKVS = config.KVS{
+		config.KV{
+			Key:   URL,
+			Value: "",
+		},
+		config.KV{
+			Key:   AuthToken,
+			Value: "",
+		},
+	}
+)
+
+// Args opa general purpose policy engine configuration.
+type Args struct {
+	URL         *xnet.URL             `json:"url"`
+	AuthToken   string                `json:"authToken"`
+	Transport   http.RoundTripper     `json:"-"`
+	CloseRespFn func(r io.ReadCloser) `json:"-"`
+}
+
+// Validate - validate opa configuration params.
+func (a *Args) Validate() error {
+	req, err := http.NewRequest(http.MethodPost, a.URL.String(), bytes.NewReader([]byte("")))
+	if err != nil {
+		return err
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+	if a.AuthToken != "" {
+		req.Header.Set("Authorization", a.AuthToken)
+	}
+
+	client := &http.Client{Transport: a.Transport}
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer a.CloseRespFn(resp.Body)
+
+	return nil
+}
+
+// UnmarshalJSON - decodes JSON data.
+func (a *Args) UnmarshalJSON(data []byte) error {
+	// subtype to avoid recursive call to UnmarshalJSON()
+	type subArgs Args
+	var so subArgs
+
+	if err := json.Unmarshal(data, &so); err != nil {
+		return err
+	}
+
+	oa := Args(so)
+	if oa.URL == nil || oa.URL.String() == "" {
+		*a = oa
+		return nil
+	}
+
+	*a = oa
+	return nil
+}
+
+// AuthZPlugin - implements opa policy agent calls.
+type AuthZPlugin struct {
+	args   Args
+	client *http.Client
+}
+
+// Enabled returns if AuthZPlugin is enabled.
+func Enabled(kvs config.KVS) bool {
+	return kvs.Get(URL) != ""
+}
+
+// LookupConfig lookup AuthZPlugin from config, override with any ENVs.
+func LookupConfig(kv config.KVS, transport *http.Transport, closeRespFn func(io.ReadCloser)) (Args, error) {
+	args := Args{}
+
+	if err := config.CheckValidKeys(config.PolicyPluginSubSys, kv, DefaultKVS); err != nil {
+		return args, err
+	}
+
+	pluginURL := env.Get(EnvPolicyPluginURL, kv.Get(URL))
+	if pluginURL == "" {
+		return args, nil
+	}
+
+	authToken := env.Get(EnvPolicyPluginAuthToken, kv.Get(AuthToken))
+
+	u, err := xnet.ParseHTTPURL(pluginURL)
+	if err != nil {
+		return args, err
+	}
+	args = Args{
+		URL:         u,
+		AuthToken:   authToken,
+		Transport:   transport,
+		CloseRespFn: closeRespFn,
+	}
+	if err = args.Validate(); err != nil {
+		return args, err
+	}
+	return args, nil
+}
+
+// New - initializes Authorization Management Plugin.
+func New(args Args) *AuthZPlugin {
+	if args.URL == nil || args.URL.Scheme == "" && args.AuthToken == "" {
+		return nil
+	}
+	return &AuthZPlugin{
+		args:   args,
+		client: &http.Client{Transport: args.Transport},
+	}
+}
+
+// IsAllowed - checks given policy args is allowed to continue the REST API.
+func (o *AuthZPlugin) IsAllowed(args iampolicy.Args) (bool, error) {
+	if o == nil {
+		return false, nil
+	}
+
+	// Access Management Plugin Input
+	body := make(map[string]interface{})
+	body["input"] = args
+
+	inputBytes, err := json.Marshal(body)
+	if err != nil {
+		return false, err
+	}
+
+	req, err := http.NewRequest(http.MethodPost, o.args.URL.String(), bytes.NewReader(inputBytes))
+	if err != nil {
+		return false, err
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+	if o.args.AuthToken != "" {
+		req.Header.Set("Authorization", o.args.AuthToken)
+	}
+
+	resp, err := o.client.Do(req)
+	if err != nil {
+		return false, err
+	}
+	defer o.args.CloseRespFn(resp.Body)
+
+	// Read the body to be saved later.
+	opaRespBytes, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return false, err
+	}
+
+	// Handle large OPA responses when OPA URL is of
+	// form http://localhost:8181/v1/data/httpapi/authz
+	type opaResultAllow struct {
+		Result struct {
+			Allow bool `json:"allow"`
+		} `json:"result"`
+	}
+
+	// Handle simpler OPA responses when OPA URL is of
+	// form http://localhost:8181/v1/data/httpapi/authz/allow
+	type opaResult struct {
+		Result bool `json:"result"`
+	}
+
+	respBody := bytes.NewReader(opaRespBytes)
+
+	var result opaResult
+	if err = json.NewDecoder(respBody).Decode(&result); err != nil {
+		respBody.Seek(0, 0)
+		var resultAllow opaResultAllow
+		if err = json.NewDecoder(respBody).Decode(&resultAllow); err != nil {
+			return false, err
+		}
+		return resultAllow.Result.Allow, nil
+	}
+
+	return result.Result, nil
+}
--- a/internal/config/policy/plugin/help.go
+++ b/internal/config/policy/plugin/help.go
@@ -0,0 +1,49 @@
+// Copyright (c) 2015-2022 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package plugin
+
+import "github.com/minio/minio/internal/config"
+
+// Help template for Access Management Plugin policy feature.
+var (
+	defaultHelpPostfix = func(key string) string {
+		return config.DefaultHelpPostfix(DefaultKVS, key)
+	}
+
+	Help = config.HelpKVS{
+		config.HelpKV{
+			Key:         URL,
+			Description: `plugin hook endpoint (HTTP(S)) e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"` + defaultHelpPostfix(URL),
+			Type:        "url",
+			Sensitive:   true,
+		},
+		config.HelpKV{
+			Key:         AuthToken,
+			Description: "authorization token for plugin hook endpoint" + defaultHelpPostfix(AuthToken),
+			Optional:    true,
+			Type:        "string",
+			Sensitive:   true,
+		},
+		config.HelpKV{
+			Key:         config.Comment,
+			Description: config.DefaultComment,
+			Optional:    true,
+			Type:        "sentence",
+		},
+	}
+)