diff --git a/README.md b/README.md
index dbc0ed5..bcafcbc 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,16 @@
 The Guard is a HTTP Server that responds to requests on http://localhost:8000/auth and authenticates the header `Authorization: Bearer JWT` against the configured ISSUER, AUDIENCE and authorizes the request agains a comma separated list of subjects.
+
+## How to use
+
+This application is designed to use with Forward Auth, specifically for ingress-nginx, enable with this annotation:
+```yaml
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-url: "http://oauth-guard.monitor.svc.cluster.local:8000/auth"
+```
+
 ## Configuration
 - `ISSUER` - Required. A issuer to verify JWT against. Must support the `${ISSUER}.well-known/openid-configuration` endpoint.
diff --git a/auth.go b/auth.go
index 89ef8f6..210e5d6 100644
--- a/auth.go
+++ b/auth.go
@@ -25,12 +25,14 @@ func AuthHandler(subjects []string, verifier Verifier) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 t := time.Now()
+ event := log.Info().Str("method", r.Method).Str("path", r.URL.Path)
+
 auth := r.Header.Get("Authorization")
 jwt, err := parseAuthHeader(auth)
 if err != nil {
 w.WriteHeader(http.StatusUnauthorized)
 _, _ = w.Write([]byte("Forbidden"))
- log.Info().Err(err).Dur("latency", time.Since(t)).Int("status", http.StatusUnauthorized).Msg("Unauthorized")
+ event.Err(err).Dur("elappsed_ms", time.Since(t)).Int("status", http.StatusUnauthorized).Msg("Unauthorized")
 return
 }
@@ -39,7 +41,7 @@ func AuthHandler(subjects []string, verifier Verifier) http.Handler {
 if err != nil {
 w.WriteHeader(http.StatusUnauthorized)
 _, _ = w.Write([]byte("Forbidden"))
- log.Info().Err(err).Dur("latency", time.Since(t)).Int("status", http.StatusUnauthorized).Msg("Unauthorized")
+ event.Err(err).Dur("elappsed_ms", time.Since(t)).Int("status", http.StatusUnauthorized).Msg("Unauthorized")
 return
 }
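Review bot: The new log key `elappsed_ms` is misspelled on the added line here and on the added lines of the @@ -39 and @@ -48 hunks; field names are what log queries and alert rules key on, so it is cheapest to correct before anything depends on it: `event.Err(err).Dur("elapsed_ms", time.Since(t)).Int("status", http.StatusUnauthorized).Msg("Unauthorized")`. The `_ms` suffix is only true because the main.go hunk sets `zerolog.DurationFieldUnit = time.Millisecond` process-wide, which nothing in this handler records; a comment beside `event := ...` such as `// Dur fields are emitted in milliseconds: initLogger sets zerolog.DurationFieldUnit.` would keep the suffix and the unit from drifting apart. With the server sitting behind ingress-nginx forward auth (per the README hunk), `r.URL.Path` will presumably always be the guard's own auth path rather than the protected resource, so the `path` field may carry little signal; if the original URL is wanted, the original-URL header ingress-nginx forwards with the auth subrequest is the value to log, though I cannot confirm that from this diff. The handler closure starts before this hunk and ends in the @@ -48 hunk.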
@@ -48,13 +50,13 @@ func AuthHandler(subjects []string, verifier Verifier) http.Handler {
 if !found {
 w.WriteHeader(http.StatusForbidden)
 _, _ = w.Write([]byte("Forbidden"))
- log.Info().Err(err).Dur("latency", time.Since(t)).Int("status", http.StatusForbidden).Str("sub", subject).Msg("Forbidden")
+ event.Err(err).Dur("elappsed_ms", time.Since(t)).Int("status", http.StatusForbidden).Str("sub", subject).Msg("Forbidden")
 return
 }
 w.WriteHeader(http.StatusOK)
 _, _ = w.Write([]byte("OK"))
- log.Info().Dur("latency", time.Since(t)).Int("status", http.StatusOK).Str("sub", subject).Msg("Authorized")
+ event.Dur("elappsed_ms", time.Since(t)).Int("status", http.StatusOK).Str("sub", subject).Msg("Authorized")
 })
 }
diff --git a/deploymet.yaml b/deploymet.yaml
new file mode 100644
index 0000000..8f01205
--- /dev/null
+++ b/deploymet.yaml
@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: oauth-guard
+ namespace: monitor
+spec:
+ selector:
+ matchLabels:
+ app: radix-oauth-guard
+ template:
+ metadata:
+ labels:
+ app: radix-oauth-guard
+ spec:
+ containers:
+ - name: guard
+ image: ghcr.io/equinor/radix-oauth-guard:v0.2.1
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8000
+ name: http
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ env:
+ - name: LOG_PRETTY
+ value: "True"
+ - name: LOG_LEVEL
+ value: debug
+ - name: ISSUER
+ value: https://northeurope.oic.prod-aks.azure.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0/a2d93ba1-cbde-4408-8979-c100cce7b448/
+ - name: AUDIENCE
+ value: extmonprom
+ - name: SUBJECTS
+ value: system:serviceaccount:monitor:prometheus-operator-prometheus
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: oauth-guard
+ namespace: monitor
+spec:
+ selector:
+ app: radix-oauth-guard
+ ports:
+ - name: http
+ port: 8000
diff --git a/main.go b/main.go
index d2b007e..a024fe1 100644
--- a/main.go
+++ b/main.go
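Review bot: On the added `Forbidden` line, `event.Err(err)` very likely attaches a nil error: `err` is last assigned by the verification step between the hunks (not visible here), and the `!found` branch is only reached once that step succeeded, so zerolog adds no field for it and the call reads as if an error were being recorded when none is. The line would be clearer as `event.Dur("elappsed_ms", time.Since(t)).Int("status", http.StatusForbidden).Str("sub", subject).Msg("Forbidden")`, matching the shape of the `Authorized` line below it; the rejected subject, which is the useful audit datum for a 403, is already carried by `Str("sub", subject)`. The closure this hunk closes starts before the @@ -25 hunk.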
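Review bot: The container `securityContext` in the new manifest stops one step short of the Kubernetes `restricted` Pod Security Standard: `allowPrivilegeEscalation: false` and a `seccompProfile` are not set, and both are required alongside the `runAsNonRoot` and `drop: [ALL]` already present for that profile to admit the pod. Adding them under `securityContext` keeps the hardening consistent with what is there: `allowPrivilegeEscalation: false` / `seccompProfile:` / `  type: RuntimeDefault`. The image is pinned only by tag (`v0.2.1`) while `imagePullPolicy: Always` means a retagged image is pulled silently on every restart; pinning by digest, or a comment stating that the tag is treated as immutable, would make what is deployed verifiable. The manifest also carries no `resources` requests or limits, and the file name `deploymet.yaml` looks like a typo.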
@@ -61,6 +61,7 @@ func initLogger(opts Options) {
 logWriter = &zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.TimeOnly}
 }
+ zerolog.DurationFieldUnit = time.Millisecond
 logger := zerolog.New(logWriter).Level(logLevel).With().Timestamp().Logger()
 log.Logger = logger