Protect :8080/router/routes with endpointroles

2 years ago · fb2976062d
parent dc0671c6cd
commit fb2976062d
2 changed files with 15 additions and 0 deletions
--- a/Taskfile.yml
+++ b/Taskfile.yml
@ -99,4 +99,5 @@ tasks:
    desc: Remove all persistent data
    cmds:
      - podman image rm {{.DOCKER_ORG_JO_MICRO}}/router:latest || exit 0
+      - podman volume rm jo_micro-router_go || exit 0
      - rm -rf $PWD/.task
--- a/cmd/microrouterd/main.go
+++ b/cmd/microrouterd/main.go
@ -11,6 +11,7 @@ import (
 	"github.com/gin-gonic/gin"
 	httpServer "github.com/go-micro/plugins/v4/server/http"
 	"jochum.dev/jo-micro/auth2"
+	"jochum.dev/jo-micro/auth2/plugins/verifier/endpointroles"
 	"jochum.dev/jo-micro/router"

 	"jochum.dev/jo-micro/router/cmd/microrouterd/config"
@ -26,6 +27,7 @@ func internalService(routerHandler *handler.Handler) {
 	opts := []micro.Option{
 		micro.Name(config.Name + "-internal"),
 		micro.Version(config.Version),
+		micro.WrapHandler(auth2.ClientAuthRegistry().Plugin().Wrapper()),
 		micro.Action(func(c *cli.Context) error {
 			if err := auth2.ClientAuthRegistry().Init(c, srv); err != nil {
 				ilogger.Logrus().Fatal(err)
@ -33,6 +35,18 @@ func internalService(routerHandler *handler.Handler) {

 			routerserverpb.RegisterRouterServerServiceHandler(srv.Server(), routerHandler)

+			authVerifier := endpointroles.NewVerifier(
+				endpointroles.WithLogrus(ilogger.Logrus()),
+			)
+			authVerifier.AddRules(
+				endpointroles.RouterRule,
+				endpointroles.NewRule(
+					endpointroles.Endpoint(routerserverpb.RouterServerService.Routes),
+					endpointroles.RolesAllow(auth2.RolesServiceAndAdmin),
+				),
+			)
+			auth2.ClientAuthRegistry().Plugin().SetVerifier(authVerifier)
+
 			r := router.NewHandler(
 				c.String("router_basepath"),
 				router.NewRoute(