Merge pull request #14 from aserto-dev/check-policy-mapper

New check middleware options

examples/java-application/src/main/java/com/aserto/example/JavaApplication.java

@@ -7,8 +7,8 @@
 @SpringBootApplication
 @ComponentScan("com.aserto")
 public class JavaApplication {
-	public static void main(String[] args) {
-		SpringApplication.run(JavaApplication.class, args);
-	}
+    public static void main(String[] args) {
+        SpringApplication.run(JavaApplication.class, args);
+    }
 
 }

pom.xml

@@ -11,7 +11,7 @@
 
 	<groupId>com.aserto</groupId>
 	<artifactId>aserto-spring</artifactId>
-	<version>0.2.3</version>
+	<version>0.2.4</version>
 
 	<name>spring-middleware</name>
 	<description>Spring Security Filter that enables Aserto authorization</description>
@@ -48,7 +48,7 @@
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 
 		<protobuf.version>3.25.3</protobuf.version>
-		<aserto-java.version>0.31.1</aserto-java.version>
+		<aserto-java.version>0.31.3</aserto-java.version>
 	</properties>
 
 	<dependencies>

src/main/java/com/aserto/authorizer/AuthzConfig.java

@@ -17,6 +17,12 @@ public class AuthzConfig {
     @Value("${aserto.authorizer.policyName:}")
     private String policyName;
 
+    /**
+     * Policy instance label
+     *
+     * @deprecated no longer used.
+     */
+    @Deprecated
     @Value("${aserto.authorizer.policyLabel:}")
     private String policyLabel;
 
@@ -41,7 +47,7 @@ public AuthzConfig(IdentityMapper identityMapper, PolicyMapper policyMapper, Res
     public AuthzConfig(AuthzConfig authzConfig) {
         this.authorizerDecision = authzConfig.getAuthorizerDecision();
         this.policyName = authzConfig.getPolicyName();
-        this.policyLabel = authzConfig.getPolicyLabel();
+        this.policyLabel = authzConfig.getPolicyName();
         this.authorizerEnabled = authzConfig.isAuthorizerEnabled();
         this.identityMapper = authzConfig.getIdentityMapper();
         this.policyMapper = authzConfig.getPolicyMapper();
@@ -65,10 +71,21 @@ public void setPolicyName(String policyName) {
         this.policyName = policyName;
     }
 
+    /**
+     * Returns the policy instance label
+     *
+     * @deprecated no longer used.
+     */
+    @Deprecated
     public String getPolicyLabel() {
         return policyLabel;
     }
 
+    /**
+     * Sets the policy instance label
+     *
+     * @deprecated no longer used.
+     */
     public void setPolicyLabel(String policyLabel) {
         this.policyLabel = policyLabel;
     }

src/main/java/com/aserto/authorizer/CheckConfig.java

@@ -6,73 +6,170 @@
 import com.aserto.authorizer.mapper.check.object.StaticObjectTypeMapper;
 import com.aserto.authorizer.mapper.check.relation.RelationMapper;
 import com.aserto.authorizer.mapper.check.relation.StaticRelationMapper;
+import com.aserto.authorizer.mapper.policy.PolicyMapper;
 import com.aserto.authorizer.mapper.policy.StaticPolicyMapper;
 import com.aserto.authorizer.mapper.resource.CheckResourceMapper;
+import com.aserto.authorizer.mapper.resource.EmptyResourceMapper;
+import com.aserto.authorizer.mapper.resource.ResourceMapper;
 
 public class CheckConfig {
-    private AuthzConfig authzCfg;
+    private final AuthzConfig authzCfg;
+
+    private final ObjectTypeMapper objectTypeMapper;
+    private final ObjectIdMapper objectIdMapper;
+    private final RelationMapper relationMapper;
+    private final PolicyMapper policyMapper;
+    /**
+     * ResourceMapper for additional fields to be included in the resource context.
+     */
+    private final ResourceMapper baseResourceMapper;
+
+    static final String DEFAULT_POLICY = "rebac.check";
+
+    public CheckConfig(
+        AuthzConfig filterConfig,
+        String objectType,
+        String objectID,
+        String relation
+    ) {
+        this(filterConfig, objectType, objectID, relation, DEFAULT_POLICY);
+    }
 
-    private ObjectTypeMapper objectTypeMapper;
-    private ObjectIdMapper objectIdMapper;
-    private RelationMapper relationMapper;
+    public CheckConfig(
+        AuthzConfig filterConfig,
+        String objectType,
+        String objectID,
+        String relation,
+        String policy
+    ) {
+        this(filterConfig, objectType, objectID, relation, policy, new EmptyResourceMapper());
+    }
 
-    public CheckConfig(AuthzConfig authzCfg) {
-        // Clone the authz config because we will change it
-        this.authzCfg = new AuthzConfig(authzCfg);
+    public CheckConfig(
+        AuthzConfig filterConfig,
+        String objectType,
+        String objectID,
+        String relation,
+        ResourceMapper baseResourceMapper
+    ) {
+        this(filterConfig, objectType, objectID, relation, DEFAULT_POLICY, baseResourceMapper);
     }
 
-    public CheckConfig(AuthzConfig filterConfig, String objectType, String objectKey, String relation) {
-        this.authzCfg = new AuthzConfig(filterConfig);
+    public CheckConfig(
+        AuthzConfig filterConfig,
+        String objectType,
+        String objectID,
+        String relation,
+        String policy,
+        ResourceMapper baseResourceMapper
+    ) {
+        this(
+            filterConfig,
+            new StaticObjectTypeMapper(objectType),
+            new StaticObjectIdMapper(objectID),
+            new StaticRelationMapper(relation),
+            new StaticPolicyMapper(policy),
+            baseResourceMapper
+        );
+    }
 
-        this.objectTypeMapper = new StaticObjectTypeMapper(objectType);
-        this.objectIdMapper = new StaticObjectIdMapper(objectKey);
-        this.relationMapper = new StaticRelationMapper(relation);
+    public CheckConfig(AuthzConfig filterConfig, String objectType, ObjectIdMapper objectIdMapper, String relation) {
+        this(filterConfig, objectType, objectIdMapper, relation, DEFAULT_POLICY);
     }
 
-    public CheckConfig(AuthzConfig filterConfig, ObjectTypeMapper objectTypeMapper, ObjectIdMapper objectIdMapper, RelationMapper relationMapper) {
-        this.authzCfg = new AuthzConfig(filterConfig);
-        this.objectTypeMapper = objectTypeMapper;
-        this.objectIdMapper = objectIdMapper;
-        this.relationMapper = relationMapper;
+    public CheckConfig(AuthzConfig filterConfig, String objectType, ObjectIdMapper objectIdMapper, String relation, String policy) {
+        this(
+            filterConfig,
+            new StaticObjectTypeMapper(objectType),
+            objectIdMapper,
+            new StaticRelationMapper(relation),
+            new StaticPolicyMapper(policy),
+            new EmptyResourceMapper()
+        );
     }
 
-    public CheckConfig setObjectType(String objectType) {
-        this.objectTypeMapper = new StaticObjectTypeMapper(objectType);
-        return this;
+    public CheckConfig(
+        AuthzConfig filterConfig,
+        String objectType,
+        ObjectIdMapper objectIdMapper,
+        String relation,
+        ResourceMapper baseResourceMapper
+    ) {
+        this(
+            filterConfig,
+            new StaticObjectTypeMapper(objectType),
+            objectIdMapper,
+            new StaticRelationMapper(relation),
+            new StaticPolicyMapper(DEFAULT_POLICY),
+            new EmptyResourceMapper()
+        );
     }
 
-    public CheckConfig setObjectTypeMapper(ObjectTypeMapper objectTypeMapper) {
-        this.objectTypeMapper = objectTypeMapper;
-        return this;
+    public CheckConfig(
+        AuthzConfig filterConfig,
+        String objectType,
+        ObjectIdMapper objectIdMapper,
+        String relation,
+        String policy,
+        ResourceMapper baseResourceMapper
+    ) {
+        this(
+            filterConfig,
+            new StaticObjectTypeMapper(objectType),
+            objectIdMapper,
+            new StaticRelationMapper(relation),
+            new StaticPolicyMapper(policy),
+            baseResourceMapper
+        );
     }
 
-    public CheckConfig setObjectKey(String objectKey) {
-        this.objectIdMapper = new StaticObjectIdMapper(objectKey);
-        return this;
+    public CheckConfig(AuthzConfig filterConfig, ObjectTypeMapper objectTypeMapper, ObjectIdMapper objectIdMapper, RelationMapper relationMapper) {
+        this(filterConfig, objectTypeMapper, objectIdMapper, relationMapper, new StaticPolicyMapper(DEFAULT_POLICY));
     }
 
-    public CheckConfig setObjectIdMapper(ObjectIdMapper objectIdMapper) {
-        this.objectIdMapper = objectIdMapper;
-        return this;
+    public CheckConfig(
+        AuthzConfig filterConfig,
+        ObjectTypeMapper objectTypeMapper,
+        ObjectIdMapper objectIdMapper,
+        RelationMapper relationMapper,
+        PolicyMapper policyMapper
+    ) {
+        this(filterConfig, objectTypeMapper, objectIdMapper, relationMapper, policyMapper, new EmptyResourceMapper());
     }
 
-    public CheckConfig setRelation(String relation) {
-        this.relationMapper = new StaticRelationMapper(relation);
-        return this;
+    public CheckConfig(
+        AuthzConfig filterConfig,
+        ObjectTypeMapper objectTypeMapper,
+        ObjectIdMapper objectIdMapper,
+        RelationMapper relationMapper,
+        ResourceMapper baseResourceMapper
+    ) {
+        this(filterConfig, objectTypeMapper, objectIdMapper, relationMapper, new StaticPolicyMapper(DEFAULT_POLICY), new EmptyResourceMapper());
     }
 
-    public CheckConfig setRelationMapper(RelationMapper relationMapper) {
+    public CheckConfig(
+        AuthzConfig filterConfig,
+        ObjectTypeMapper objectTypeMapper,
+        ObjectIdMapper objectIdMapper,
+        RelationMapper relationMapper,
+        PolicyMapper policyMapper,
+        ResourceMapper baseResourceMapper
+    ) {
+        this.authzCfg = new AuthzConfig(filterConfig);
+        this.objectTypeMapper = objectTypeMapper;
+        this.objectIdMapper = objectIdMapper;
         this.relationMapper = relationMapper;
-        return this;
+        this.policyMapper = policyMapper;
+        this.baseResourceMapper = baseResourceMapper != null ? baseResourceMapper : new EmptyResourceMapper();
     }
 
     public AsertoAuthorizationManager getAuthManager() {
         return new AsertoAuthorizationManager(getConfig());
     }
 
     public AuthzConfig getConfig() {
-        authzCfg.setPolicyMapper(new StaticPolicyMapper("rebac.check"));
-        authzCfg.setResourceMapper(new CheckResourceMapper(objectTypeMapper, objectIdMapper, relationMapper));
+        authzCfg.setPolicyMapper(policyMapper);
+        authzCfg.setResourceMapper(new CheckResourceMapper(objectTypeMapper, objectIdMapper, relationMapper, baseResourceMapper));
 
         return authzCfg;
     }

src/main/java/com/aserto/authorizer/MethodAuthorization.java

@@ -1,6 +1,5 @@
 package com.aserto.authorizer;
 
-import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.stereotype.Component;
 
@@ -15,26 +14,35 @@
 import com.aserto.authorizer.mapper.check.subject.SubjectIdMapper;
 import com.aserto.authorizer.mapper.check.subject.SubjectTypeMapper;
 import com.aserto.authorizer.mapper.identity.ManualIdentityMapper;
+import com.aserto.authorizer.mapper.policy.PolicyMapper;
 import com.aserto.authorizer.mapper.policy.StaticPolicyMapper;
 import com.aserto.authorizer.mapper.resource.CheckResourceMapper;
+import com.aserto.authorizer.mapper.resource.EmptyResourceMapper;
+import com.aserto.authorizer.mapper.resource.ResourceMapper;
+
+import jakarta.servlet.http.HttpServletRequest;
 
 /*
 * This class provides methods to check if the current user is authorized to perform an action.
 * It can be used for method level authorization.
  */
 @Component("check")
 class MethodAuthorization {
-    private AsertoAuthorizationManager asertoAuthzManager;
-    private HttpServletRequest httpRequest;
+    private final AsertoAuthorizationManager asertoAuthzManager;
+    private final HttpServletRequest httpRequest;
     private ObjectTypeMapper objectTypeMapper;
     private ObjectIdMapper objectIdMapper;
     private RelationMapper relationMapper;
     private SubjectTypeMapper subjectTypeMapper;
     private SubjectIdMapper subjectIdMapper;
+    private PolicyMapper policyMapper;
+    private ResourceMapper baseResourceMapper;
 
     public MethodAuthorization(AuthzConfig authzCfg, HttpServletRequest httpRequest) {
         asertoAuthzManager = new AsertoAuthorizationManager(authzCfg);
         this.httpRequest = httpRequest;
+        this.policyMapper = new StaticPolicyMapper("rebac.check");
+        this.baseResourceMapper = new EmptyResourceMapper();
     }
 
     public MethodAuthorization objectType(String objectType) {
@@ -87,11 +95,31 @@ public MethodAuthorization subjectId(SubjectIdMapper subjectIdMapper) {
         return this;
     }
 
+    public MethodAuthorization policyPath(String policyPath) {
+        this.policyMapper = new StaticPolicyMapper(policyPath);
+        return this;
+    }
+
+    public MethodAuthorization policyMapper(PolicyMapper policyMapper) {
+        this.policyMapper = policyMapper;
+        return this;
+    }
+
+    public MethodAuthorization baseResourceMapper(ResourceMapper baseResourceMapper) {
+        this.baseResourceMapper = baseResourceMapper;
+        return this;
+    }
+
     public boolean allowed() {
         validateFields();
 
-        StaticPolicyMapper policyMapper = new StaticPolicyMapper("rebac.check");
-        CheckResourceMapper checkResourceMapper = new CheckResourceMapper(objectTypeMapper, objectIdMapper, relationMapper, subjectTypeMapper);
+        CheckResourceMapper checkResourceMapper = new CheckResourceMapper(
+            objectTypeMapper,
+            objectIdMapper,
+            relationMapper,
+            subjectTypeMapper,
+            baseResourceMapper
+        );
 
         AuthorizationDecision decision;
         if (subjectIdMapper != null && subjectTypeMapper != null) {