Merge pull request #30 from ryshoooo/feat/pa_http

feat: http permission agent

README.md

@@ -183,13 +183,15 @@ Jokes aside, let's get into some nitty-gritty boring nerd stuff.
 | OIDC Assume User Session - Allow escape       | Flag which determines whether an escape from user session is allowed during the session                   | --oidc-assume-user-session-allow-escape        | OIDC_ASSUME_USER_SESSION_ALLOW_ESCAPE        | boolean                                 |
 | OIDC Post-Auth SQL Template                   | Path to a template file with SQL statement to execute after a successful OIDC authentication              | --oidc-post-auth-sql-template                  | OIDC_POST_AUTH_SQL_TEMPLATE                  | string                                  |
 | Permission Agent Enabled                      | Indicates whether a permission agent should be included in SQL statements handling                        | --permission-agent-enabled                     | PERMISSION_AGENT_ENABLED                     | boolean                                 |
-| Permission Agent Type                         | Type of the permission agent                                                                              | --permission-agent-type                        | PERMISSION_AGENT_TYPE                        | opa                                     |
+| Permission Agent Type                         | Type of the permission agent                                                                              | --permission-agent-type                        | PERMISSION_AGENT_TYPE                        | opa, http                               |
 | Permission Agent: OPA URL                     | URL endpoint for the OPA permissions server                                                               | --permission-agent-opa-url                     | PERMISSION_AGENT_OPA_URL                     | string                                  |
 | Permission Agent: OPA SELECT Query Template   | The Golang template for creating the OPA SELECT query statement                                           | --permission-agent-opa-select-query-template   | PERMISSION_AGENT_OPA_SELECT_QUERY_TEMPLATE   | string                                  |
 | Permission Agent: OPA CREATE Query            | The query to use for determining CREATE permissions                                                       | --permission-agent-opa-create-query            | PERMISSION_AGENT_OPA_CREATE_QUERY            | string                                  |
 | Permission Agent: OPA UPDATE Query            | The query to use for determining UPDATE permissions                                                       | --permission-agent-opa-update-query            | PERMISSION_AGENT_OPA_UPDATE_QUERY            | string                                  |
 | Permission Agent: OPA DELETE Query            | The query to use for determining DELETE permissions                                                       | --permission-agent-opa-delete-query            | PERMISSION_AGENT_OPA_DELETE_QUERY            | string                                  |
 | Permission Agent: OPA String Escape character | The character to use for wrapping string field types from OPA permission statements                       | --permission-agent-opa-string-escape-character | PERMISSION_AGENT_OPA_STRING_ESCAPE_CHARACTER | string                                  |
+| Permission Agent: HTTP DDL Endpoint           | DDL endpoint for the HTTP Permission Agent                                                                | --permission-agent-http-ddl-endpoint           | PERMISSION_AGENT_HTTP_DDL_ENDPOINT           | string                                  |
+| Permission Agent: HTTP Select Endpoint        | The endpoint for handling Select queries for HTTP Permission Agent                                        | --permission-agent-http-select-endpoint        | PERMISSION_AGENT_HTTP_SELECT_ENDPOINT        | string                                  |
 | Server TLS Enabled                            | Indicates whther TLS is enabled in the proxy                                                              | --server-tls-enabled                           | SERVER_TLS_ENABLED                           | boolean                                 |
 | Server TLS Certificate File                   | Path to the server certificate for TLS connections                                                        | --server-tls-certificate-file                  | SERVER_TLS_CERTIFICATE_FILE                  | string                                  |
 | Server TLS Certificate Key File               | Path to the server certificate key file for TLS connections                                               | --server-tls-certificate-key-file              | SERVER_TLS_CERTIFICATE_KEY_FILE              | string                                  |

go.mod

@@ -21,7 +21,7 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/getsentry/raven-go v0.2.0 // indirect
-	github.com/getsentry/sentry-go v0.29.0 // indirect
+	github.com/getsentry/sentry-go v0.29.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
@@ -37,11 +37,11 @@ require (
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
 	github.com/xdg-go/stringprep v1.0.4 // indirect
 	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/sys v0.25.0 // indirect
-	golang.org/x/text v0.18.0 // indirect
-	google.golang.org/genproto v0.0.0-20240924160255-9d4c2d233b61 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 // indirect
-	google.golang.org/grpc v1.67.0 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	golang.org/x/sys v0.26.0 // indirect
+	golang.org/x/text v0.19.0 // indirect
+	google.golang.org/genproto v0.0.0-20241015192408-796eee8c2d53 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53 // indirect
+	google.golang.org/grpc v1.67.1 // indirect
+	google.golang.org/protobuf v1.35.1 // indirect
 )

go.sum

@@ -63,8 +63,8 @@ github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4
 github.com/gavv/httpexpect v2.0.0+incompatible/go.mod h1:x+9tiU1YnrOvnB725RkpoLv1M62hOWzwo5OXotisrKc=
 github.com/getsentry/raven-go v0.2.0 h1:no+xWJRb5ZI7eE8TWgIq1jLulQiIoLG0IfYxv5JYMGs=
 github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ=
-github.com/getsentry/sentry-go v0.29.0 h1:YtWluuCFg9OfcqnaujpY918N/AhCCwarIDWOYSBAjCA=
-github.com/getsentry/sentry-go v0.29.0/go.mod h1:jhPesDAL0Q0W2+2YEuVOvdWmVtdsr1+jtBrlDEVWwLY=
+github.com/getsentry/sentry-go v0.29.1 h1:DyZuChN8Hz3ARxGVV8ePaNXh1dQ7d76AiB117xcREwA=
+github.com/getsentry/sentry-go v0.29.1/go.mod h1:x3AtIzN01d6SiWkderzaH28Tm0lgkafpJ5Bm3li39O0=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/gin-contrib/sse v0.0.0-20190301062529-5545eab6dad3/go.mod h1:VJ0WA2NBN22VlZ2dKZQPAPnyWw5XTlK1KymzLKsr59s=
 github.com/gin-gonic/gin v1.4.0/go.mod h1:OW2EZn3DO8Ln9oIKOvM++LBO+5UPHJJDH72/q/3rZdM=
@@ -317,8 +317,8 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
-golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -327,8 +327,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
-golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
+golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181221001348-537d06c36207/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -354,21 +354,21 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98
 google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20200911024640-645f7a48b24f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20240924160255-9d4c2d233b61 h1:KipVMxePgXPFBzXOvpKbny3RVdVmJOD64R/Ob7GPWEs=
-google.golang.org/genproto v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:HiAZQz/G7n0EywFjmncAwsfnmFm2bjm7qPjwl8hyzjM=
-google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 h1:pAjq8XSSzXoP9ya73v/w+9QEAAJNluLrpmMq5qFJQNY=
-google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:O6rP0uBq4k0mdi/b4ZEMAZjkhYWhS815kCvaMha4VN8=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:N9BgCIAUvn/M+p4NJccWPWb3BWh88+zyL0ll9HgbEeM=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/genproto v0.0.0-20241015192408-796eee8c2d53 h1:Df6WuGvthPzc+JiQ/G+m+sNX24kc0aTBqoDN/0yyykE=
+google.golang.org/genproto v0.0.0-20241015192408-796eee8c2d53/go.mod h1:fheguH3Am2dGp1LfXkrvwqC/KlFq8F0nLq3LryOMrrE=
+google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 h1:fVoAXEKA4+yufmbdVYv+SE73+cPZbbbe8paLsHfkK+U=
+google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53/go.mod h1:riSXTwQ4+nqmPGtobMFyW5FqVAmIs0St6VPp4Ug7CE4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53 h1:X58yt85/IXCx0Y3ZwN6sEIKZzQtDEYaBWrDvErdXrRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
 google.golang.org/grpc v1.12.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
 google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
-google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw=
-google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
+google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
+google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -379,8 +379,8 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
+google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

internal/config.go

@@ -47,7 +47,7 @@ type Configuration struct {
 
 	// Permission Agents
 	PermissionAgentEnabled bool   `long:"permission-agent-enabled" env:"PERMISSION_AGENT_ENABLED" description:"Enable permission agent for handling SQL queries"`
-	PermissionAgentType    string `long:"permission-agent-type" env:"PERMISSION_AGENT_TYPE" choice:"opa" description:"Permission agent type"`
+	PermissionAgentType    string `long:"permission-agent-type" env:"PERMISSION_AGENT_TYPE" choice:"opa" choice:"http" description:"Permission agent type"`
 
 	// OPA Permission Agent Configuration
 	PermissionAgentOPAURL                   string `long:"permission-agent-opa-url" env:"PERMISSION_AGENT_OPA_URL" description:"URL endpoint for OPA server"`
@@ -57,6 +57,10 @@ type Configuration struct {
 	PermissionAgentOPADeleteQuery           string `long:"permission-agent-opa-delete-query" env:"PERMISSION_AGENT_OPA_DELETE_QUERY" description:"OPA query for DELETE operations" default:"data.ddl_delete.allow == true"`
 	PermissionAgentOPAStringEscapeCharacter string `long:"permission-agent-opa-string-escape-character" env:"PERMISSION_AGENT_OPA_STRING_ESCAPE_CHARACTER" description:"Wrap the resulting OPA string fields with this characters" default:"'"`
 
+	// HTTP Permission Agent Configuration
+	PermissionAgentHTTPDDLEndpoint    string `long:"permission-agent-http-ddl-endpoint" env:"PERMISSION_AGENT_HTTP_DDL_ENDPOINT" description:"HTTP endpoint for DDL operations"`
+	PermissionAgentHTTPSelectEndpoint string `long:"permission-agent-http-select-endpoint" env:"PERMISSION_AGENT_HTTP_SELECT_ENDPOINT" description:"HTTP endpoint for SELECT operations"`
+
 	// TLS
 	ServerTLSEnabled            bool   `long:"server-tls-enabled" env:"SERVER_TLS_ENABLED" description:"Enable TLS for the server"`
 	ServerTLSCertificateFile    string `long:"server-tls-certificate-file" env:"SERVER_TLS_CERTIFICATE_FILE" description:"TLS certificate file"`

internal/config_test.go

@@ -43,6 +43,8 @@ func TestNewConfigurationDefaults(t *testing.T) {
 	assert.Equal(t, c.PermissionAgentOPAUpdateQuery, "data.ddl_update.allow == true")
 	assert.Equal(t, c.PermissionAgentOPADeleteQuery, "data.ddl_delete.allow == true")
 	assert.Equal(t, c.PermissionAgentOPAStringEscapeCharacter, "'")
+	assert.Equal(t, c.PermissionAgentHTTPDDLEndpoint, "")
+	assert.Equal(t, c.PermissionAgentHTTPSelectEndpoint, "")
 	assert.Equal(t, c.ServerTLSEnabled, false)
 	assert.Equal(t, c.ServerTLSCertificateFile, "")
 	assert.Equal(t, c.ServerTLSCertificateKeyFile, "")
@@ -84,6 +86,8 @@ func TestNewConfigurationFull(t *testing.T) {
 		"--permission-agent-opa-update-query", "update query",
 		"--permission-agent-opa-delete-query", "delete query",
 		"--permission-agent-opa-string-escape-character", "''",
+		"--permission-agent-http-ddl-endpoint", "http://ddl",
+		"--permission-agent-http-select-endpoint", "http://select",
 		"--oidc-assume-user-session",
 		"--oidc-assume-user-session-username-claim", "db_role",
 		"--oidc-assume-user-session-allow-escape",
@@ -128,6 +132,8 @@ func TestNewConfigurationFull(t *testing.T) {
 	assert.Equal(t, c.PermissionAgentOPAUpdateQuery, "update query")
 	assert.Equal(t, c.PermissionAgentOPADeleteQuery, "delete query")
 	assert.Equal(t, c.PermissionAgentOPAStringEscapeCharacter, "''")
+	assert.Equal(t, c.PermissionAgentHTTPDDLEndpoint, "http://ddl")
+	assert.Equal(t, c.PermissionAgentHTTPSelectEndpoint, "http://select")
 	assert.Equal(t, c.OIDCAssumeUserSession, true)
 	assert.Equal(t, c.OIDCAssumeUserSessionUsernameClaim, "db_role")
 	assert.Equal(t, c.OIDCAssumeUserSessionAllowEscape, true)

internal/permission_agent.go

@@ -1,5 +1,15 @@
 package foodme
 
+type SelectFilters struct {
+	WhereFilters []string      `json:"whereFilters"`
+	JoinFilters  []*JoinFilter `json:"joinFilters"`
+}
+
+type JoinFilter struct {
+	TableName  string `json:"tableName"`
+	Conditions string `json:"conditions"`
+}
+
 func NewPermissionAgent(conf *Configuration, httpClient IHttpClient) IPermissionAgent {
 	switch conf.PermissionAgentType {
 	case "opa":
@@ -12,6 +22,8 @@ func NewPermissionAgent(conf *Configuration, httpClient IHttpClient) IPermission
 			conf.PermissionAgentOPAStringEscapeCharacter,
 			httpClient,
 		)
+	case "http":
+		return NewHTTPPermissionAgent(conf.PermissionAgentHTTPDDLEndpoint, conf.PermissionAgentHTTPSelectEndpoint, httpClient)
 	default:
 		return nil
 	}