Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature Request: Authorizers combination #208

Open
guilhermocc opened this issue Dec 20, 2022 · 0 comments
Open

Feature Request: Authorizers combination #208

guilhermocc opened this issue Dec 20, 2022 · 0 comments

Comments

@guilhermocc
Copy link
Contributor

Recently on spire project, we needed to combine two matchers logic to correctly set the spire-server authorization logic, which should authorize spiffe ID that is either a member of the server trust domain or be included in a permissive list of admin IDs. Since the go-spiffe library doesn't provide this feature by default, we had to create a custom matcher and adapt it to a tlsconfig.Authorizer:

// matchMemberOrOneOf is a custom spiffeid.Matcher which will validate that the peerSpiffeID belongs to the server
// trust domain or if it is included in the admin_ids configuration permissive list.
func matchMemberOrOneOf(trustDomain spiffeid.TrustDomain, adminIds ...spiffeid.ID) spiffeid.Matcher {
	permissiveIDsSet := make(map[spiffeid.ID]struct{})
	for _, adminID := range adminIds {
		permissiveIDsSet[adminID] = struct{}{}
	}

	return func(peerID spiffeid.ID) error {
		if !peerID.MemberOf(trustDomain) {
			if _, ok := permissiveIDsSet[peerID]; !ok {
				return fmt.Errorf("unexpected trust domain in ID %q", peerID)
			}
		}

		return nil
	}
}
...

tlsconfig.AdaptMatcher(matchMemberOrOneOf(e.TrustDomain, e.AdminIDs...))

This feature request proposes to add new mechanisms to go-spiffe library so that we could combine authorizers into logical clauses; I find it valuable to have at least AND and OR combinators, something like:

func AuthorizerOr(authorizers ...Authorizer) Authorizer {
	return func(actual spiffeid.ID, verifiedChains [][]*x509.Certificate) error {
		for _, authorizer := range authorizers {
			err := authorizer(actual, verifiedChains)
			if err == nil {
				return nil
			}
		}
		return errors.New("no matching authorizer")
	}
}

func AuthorizerAnd(authorizers ...Authorizer) Authorizer {
	return func(actual spiffeid.ID, verifiedChains [][]*x509.Certificate) error {
		for _, authorizer := range authorizers {
			err := authorizer(actual, verifiedChains)
			if err != nil {
				return err
			}
		}
		return nil
	}
}

I am willing to open a PR on this in case of approval, and I would like to get some opinions here. What do you think?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@guilhermocc