Added initial support for HTTP checks (logging only)

logging/logging.go

@@ -80,7 +80,7 @@ func LogRequest(allow bool, reason string, context *Context) {
 		outcome = "DENIED"
 	}
 
-	msg := fmt.Sprintf("%s %s %s for '%s' from %s", context.Method, context.Path, outcome, context.ClientID, context.Host)
+	msg := fmt.Sprintf("%s %s %s for '%s' from '%s'", context.Method, context.Path, outcome, context.ClientID, context.Host)
 
 	slog.Info(msg,
 		slog.Bool(KeyAllow, allow),

server/config.go

@@ -1,4 +1,3 @@
-// Package config provides configuration support for the Jarl server
 package server
 
 import "github.com/fredjeck/jarl/authz"
@@ -9,5 +8,6 @@ type Configuration struct {
 	GRPCListenOn             string                // GRPCListenOn stores the InetAddr on which the HTTP Server is listening for inbound connections
 	ClientsConfigurationPath string                // ClientsConfigurationPath stores the path where the client configurations are stored
 	HTTPAuthZHeader          string                // HTTPAuthZHeader contains the name of the http header element which will be matchted for clientID
+	HTTPHostHeader           string                // HTTPHostHeader contains the  name fo the http header element which will match the originally contacted host
 	Authorizations           *authz.Authorizations // Authorizations stores the configured authorizations
 }

server/http.go

@@ -5,8 +5,10 @@ import (
 	"log/slog"
 	"net"
 	"net/http"
+	"strings"
 	"sync"
 
+	"github.com/fredjeck/jarl/authz"
 	"github.com/fredjeck/jarl/logging"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 )
@@ -48,6 +50,7 @@ func (srv *HTTPAuthzServer) Start(wg *sync.WaitGroup, healthFunc func() (bool, s
 	mux := http.NewServeMux()
 	mux.HandleFunc("/healthz", handleHealth(healthFunc))
 	mux.Handle("/metrics", promhttp.Handler())
+	mux.HandleFunc("/*", handleCheck(srv.configuration))
 
 	srv.httpServer = &http.Server{Handler: mux}
 
@@ -80,3 +83,54 @@ func handleHealth(healthFunc func() (bool, string)) func(w http.ResponseWriter,
 		response.Write([]byte(desc))
 	}
 }
+
+// Handles authorization requests
+func handleCheck(_ *Configuration) func(w http.ResponseWriter, r *http.Request) {
+	return func(response http.ResponseWriter, request *http.Request) {
+		// host := request.Header.Get(config.HTTPHostHeader)
+		// clientID := request.Header.Get(config.HTTPAuthZHeader)
+		clientID := "unset"
+		path := request.URL.Path
+		method := authz.ParseHTTPMethod(request.Method)
+		// headerExists := clientID != "" && host != ""
+
+		reason := ""
+		allowed := true
+
+		// if headerExists {
+		// 	al, err := config.Authorizations.IsAllowed(host, clientID, path, method)
+		// 	if err != nil {
+		// 		reason = err.Error()
+		// 	}
+		// 	allowed = al
+		// } else {
+		// 	allowed = false
+		// 	reason = fmt.Sprintf("missing authz or host configuration header %s/%s", config.HTTPAuthZHeader, config.HTTPHostHeader)
+		// }
+
+		headers := make(map[string]string)
+		for k, v := range request.Header {
+			headers[strings.ToLower(k)] = string(v[0])
+		}
+
+		ctx := &logging.Context{
+			// ClientID: clientID,
+			// Host:     host,
+			Path:    path,
+			Method:  string(method),
+			Headers: headers,
+		}
+
+		logging.LogRequest(allowed, reason, ctx)
+		if allowed {
+			allowedCounter.Inc()
+			response.Header().Set(resultHeader, resultAllowed)
+			response.WriteHeader(http.StatusOK)
+		} else {
+			deniedCounter.WithLabelValues(clientID).Inc()
+			response.Header().Set(resultHeader, resultDenied)
+			response.WriteHeader(http.StatusForbidden)
+			response.Write([]byte(fmt.Sprintf("{'status':'denied', 'reason':%s}", reason)))
+		}
+	}
+}

server/server_test.go

@@ -169,7 +169,7 @@ func TestExtAuthz(t *testing.T) {
 
 	waitForServer(server)
 
-	conn, err := grpc.NewClient(fmt.Sprintf("localhost:%d", server.grpcServer.port), grpc.WithTransportCredentials(insecure.NewCredentials()))
+	conn, err := grpc.NewClient(fmt.Sprintf("localhost:%d", 9000), grpc.WithTransportCredentials(insecure.NewCredentials()))
 	if err != nil {
 		t.Fatalf(err.Error())
 	}