Merge pull request #14 from DavidGitter/feat/reworked-opa-response

Reworked OpaResponse to use only boolean values and to follow NiFi's naming for AuthorizationResult variants more closely.

Author: labrenbe

authorizer/src/main/java/org/nifiopa/nifiopa/OPAResponse.java

@@ -5,25 +5,32 @@
 
 public class OPAResponse {
 
-    private String allowed;
+    private boolean allowed;
+    private boolean resourceNotFound;
     private boolean dumpCache;
     private String message;
 
     @JsonCreator
     public OPAResponse(
-    		@JsonProperty("allowed") String allowed, 
-    		@JsonProperty("dumpCache") boolean dumpCache,
-    		@JsonProperty("message") String message
+            @JsonProperty("allowed") boolean allowed,
+            @JsonProperty("resourceNotFound") boolean resourceNotFound,
+            @JsonProperty("dumpCache") boolean dumpCache,
+            @JsonProperty("message") String message
     		) {
     	this.allowed = allowed;
+        this.resourceNotFound = resourceNotFound;
     	this.dumpCache = dumpCache;
     	this.message = message;
     }
 
-    public String allowed() {
+    public boolean allowed() {
         return allowed;
     }
 
+    public boolean resourceNotFound() {
+        return resourceNotFound;
+    }
+
     public boolean dumpCache() {
     	return dumpCache;
     }

authorizer/src/main/java/org/nifiopa/nifiopa/OpaAuthorizer.java

@@ -66,16 +66,16 @@ public AuthorizationResult authorize(AuthorizationRequest request) throws Author
 					request.getResourceContext() != null && !request.getUserContext().isEmpty() ? request.getUserContext() : Map.of("", ""));
 		} catch (Exception e) {
 			logger.error(
-					"An error occured while trying to build the OPA-request", e);
-			return AuthorizationResult.denied("An error occured while trying to build the OPA-request");
+					"An error occured while trying to build the OPA-request.", e);
+			return AuthorizationResult.denied("An error occured while trying to build the OPA-request.");
 		}
 
 		OPAResponse opaResponse = null;
 		try {
 			opaResponse = opaClient.evaluate(OPA_RULE_HEAD, requestForm, OPAResponse.class);
 		} catch (OPAException e) {
-			logger.error(MessageFormat.format("An error occured while trying to query against OPA: {0}", e.toString()));
-			return AuthorizationResult.denied("An error occured while trying to query against OPA");
+			logger.error("An error occured while trying to query against OPA.", e);
+			return AuthorizationResult.denied("An error occured while trying to query against OPA.");
 		}
 		if (opaResponse == null) {
 			logger.error("An error occured while unmarshalling an OPA response.");
@@ -89,23 +89,22 @@ public AuthorizationResult authorize(AuthorizationRequest request) throws Author
 			cache.clear();
 		}
 
-		switch (opaResponse.allowed()) {
-			case "true":
+		if (opaResponse.resourceNotFound()) {
+			cache.putCachedResult(request, AuthorizationResult.resourceNotFound());
+			logger.debug("Authorizer-Result: Resource not found");
+			return AuthorizationResult.resourceNotFound();
+		}
+
+		if (opaResponse.allowed()) {
 				cache.putCachedResult(request, AuthorizationResult.approved());
 				logger.debug("Authorizer-Result: Access was approved");
 				return AuthorizationResult.approved();
-			case "unknown":
-				cache.putCachedResult(request, AuthorizationResult.resourceNotFound());
-				logger.debug("Authorizer-Result: No access resource found");
-				return AuthorizationResult.resourceNotFound();
-			default:
+		} else {
 				cache.putCachedResult(request, AuthorizationResult.denied());
 				logger.debug("Authorizer-Result: Access was denied");
 				return AuthorizationResult
 						.denied(opaResponse.message() != null ? opaResponse.message() : "Access denied.");
 		}
-
-		// enum - switch
 	}
 
 	@Override

rego/nifi_rules.rego

@@ -17,15 +17,15 @@ import data.nifi_comp
 
 # default return values
 default allow = {
-    "allowed": "unknown",
+    "resourceNotFound": true,
     "dumpCache": true
 }
 
 ### GLOBAL POLICIES
 
 # check for reading permission
 allow := {
-    "allowed": "true", 
+    "allowed": true, 
     "dumpCache": true
 } if {
     nifi_glob.res_is_global_type
@@ -35,7 +35,7 @@ allow := {
 
 # check for writing permission
 allow := {
-    "allowed": "true", 
+    "allowed": true, 
     "dumpCache": true
 } if {
     nifi_glob.res_is_global_type
@@ -45,7 +45,7 @@ allow := {
 
 # check for full permission when action is read
 allow := {
-    "allowed": "true", 
+    "allowed": true, 
     "dumpCache": true
 } if {
     nifi_glob.res_is_global_type
@@ -55,7 +55,7 @@ allow := {
 
 # check for full permission when action is write
 allow := {
-    "allowed": "true", 
+    "allowed": true, 
     "dumpCache": true
 } if {
     nifi_glob.res_is_global_type
@@ -65,7 +65,7 @@ allow := {
 
 # check for denied permission
 allow := {
-    "allowed": "false", 
+    "allowed": false, 
     "dumpCache": true,
     "message": sprintf("Action %s on global resource %s denied.", [nifi_inp.action, nifi_inp.resource_name])
 } if {
@@ -81,7 +81,7 @@ allow := {
 
 # explicit allowed 
 allow := {
-    "allowed": "true", 
+    "allowed": true, 
     "dumpCache": true
 } if {
     nifi_comp.comp_is_root_type
@@ -92,7 +92,7 @@ allow := {
 
 # implicit denied
 allow := {
-    "allowed": "false", 
+    "allowed": false, 
     "dumpCache": true,
     "message": sprintf("Action %s on component %s is implicity denied.", [nifi_inp.action, nifi_inp.resource_name])
 } if {
@@ -107,7 +107,7 @@ allow := {
 
 # explicit root-inherit allowed
 allow := {
-    "allowed": "true", 
+    "allowed": true, 
     "dumpCache": true
 } if { 
     nifi_comp.comp_is_root_type
@@ -119,7 +119,7 @@ allow := {
 
 # implicit root-inherit denied
 allow := {
-    "allowed": "false", 
+    "allowed": false, 
     "dumpCache": true,
     "message": sprintf("Action %s on component %s is implicity denied.", [nifi_inp.action, nifi_inp.resource_name])
 } if { 
@@ -132,7 +132,7 @@ allow := {
 
 # explicit root-inherit denied
 allow := {
-    "allowed": "false", 
+    "allowed": false, 
     "dumpCache": true,
     "message": sprintf("Action %s on component %s is explicitly denied.", [nifi_inp.action, nifi_inp.resource_name])
 } if { 
@@ -148,7 +148,7 @@ allow := {
 
 # explicit root component allowed
 allow := {
-    "allowed": "true", 
+    "allowed": true, 
     "dumpCache": true
 } if {
     nifi_comp.comp_is_root_type
@@ -162,7 +162,7 @@ allow := {
 
 # implicit denied
 allow := { 
-    "allowed": "false", 
+    "allowed": false, 
     "dumpCache": true,
     "message": sprintf("Action %s on component %s is implicity denied.", [nifi_inp.action, nifi_inp.resource_name])
 } if { 
@@ -177,7 +177,7 @@ allow := {
 
 ## check for illegal 'non-root equals root name' component name
 allow := {
-    "allowed": "false", 
+    "allowed": false, 
     "dumpCache": true,
     "message": sprintf("Multiple use of root component name %s detected.", [nifi_inp.resource_name])
 } if { 
@@ -193,7 +193,7 @@ allow := {
 
 # explicit node component allowed
 allow := {
-    "allowed": "true", 
+    "allowed": true, 
     "dumpCache": true
 } if {
     nifi_comp.comp_is_node_type
@@ -206,7 +206,7 @@ allow := {
 
 # explicit node component permission changed
 allow := { 
-    "allowed": "false", 
+    "allowed": false, 
     "dumpCache": true,
     "message": sprintf("Action %s on component %s is implicitly denied.", [nifi_inp.action, nifi_inp.resource_name])
 } if { 
@@ -222,7 +222,7 @@ allow := {
 
 # explicit node denied
 allow := { 
-    "allowed": "false", 
+    "allowed": false, 
     "dumpCache": true,
     "message": sprintf("Action %s on component %s is explicity denied.", [nifi_inp.action, nifi_inp.resource_name])
 } if { 
@@ -238,7 +238,7 @@ allow := {
 
 # explicit node component allowed
 allow := {
-    "allowed": "true", 
+    "allowed": true, 
     "dumpCache": true
 } if {
     nifi_comp.comp_is_node_type
@@ -251,7 +251,7 @@ allow := {
 
 # implicit node component permission changed
 allow := { 
-    "allowed": "false", 
+    "allowed": false, 
     "dumpCache": true,
     "message": sprintf("Action %s on component %s is implicitly denied.", [nifi_inp.action, nifi_inp.resource_name])
 } if { 
@@ -266,7 +266,7 @@ allow := {
 
 # explicit node denied
 allow := { 
-    "allowed": "false", 
+    "allowed": false, 
     "dumpCache": true,
     "message": sprintf("Action %s on component %s is explicity denied.", [nifi_inp.action, nifi_inp.resource_name])
 } if {