Initial commit

Author: summerwind

README.md

@@ -0,0 +1,100 @@
+# RBAC on Nginx with Open Policy Agent
+
+This repository demonstrates how to implement role based access control (RBAC) on Nginx with Open Policy Agent.
+
+## How to use
+
+First, start the container of Nginx and Open Policy Agent.
+
+```
+$ docker-compose up -d
+```
+
+When you send a request to `/compute/` using Alice's client certificate, nginx will grant access based on role definition.
+
+```
+$ curl -k --cert ./nginx/tls/alice.pem --key ./nginx/tls/alice-key.pem https://127.0.0.1:8080/compute/
+```
+
+For requests to `/storage/` as well, nginx allows too.
+
+```
+$ curl -k --cert ./nginx/tls/alice.pem --key ./nginx/tls/alice-key.pem https://127.0.0.1:8080/storage/
+```
+
+Access is allowed even if you send a request to `/compute/` using Bob's client certificate.
+
+```
+$ curl -k --cert ./nginx/tls/bob.pem --key ./nginx/tls/bob-key.pem https://127.0.0.1:8080/compute/
+```
+
+However, Bob can not access to `/storage/` based on role definition.
+
+```
+$ curl -k --cert ./nginx/tls/bob.pem --key ./nginx/tls/bob-key.pem https://127.0.0.1:8080/storage/
+```
+
+## Generating a new client certificate
+
+This repository uses a client certificate for user authentication. We use [CFSSL](https://github.com/cloudflare/cfssl) to issue client certificates. How to issue a new client certificate as follows.
+
+Generate a new CSR definition of CFSSL.
+
+```
+$ cd nginx/tls
+$ cfssl print-defaults csr > client-csr.json
+```
+
+Rewrite the CSR definition as you need.
+
+```
+$ vim client-csr.json
+```
+
+Generate client certificate files by using CSR definition.
+
+```
+$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem client-csr.json | cfssljson -bare client
+```
+
+You can use the new client certificate.
+
+```
+$ curl -k --cert ./nginx/tls/client.pem --key ./nginx/tls/client-key.pem https://127.0.0.1:8080/compute
+```
+
+## Defining roles and role bindings
+
+Authorization by RBAC is implemented by the combination of Nginx and Open Policy Agent. 
+
+The Role definition is defined in the JSON file as follows. The role has a combination of a path and an list of HTTP methods allowing access, and the Open Policy Agent performs authorization based on the role. 
+
+```
+{
+  "roles": {
+    "compute.admin": {
+      "/compute/": ["GET", "POST", "PUT", "DELETE"]
+    },
+    "compute.viewer": {
+      "/compute/": ["GET"]
+    },
+    "storage.admin": {
+      "/storage/": ["GET", "POST", "PUT", "DELETE"]
+    },
+    "storage.viewer": {
+      "/storage/": ["GET"]
+    }
+  },
+
+  "role_bindings": {
+    "alice":   ["compute.admin", "storage.admin"],
+    "bob":     ["compute.viewer"]
+  }
+}
+```
+
+You can add a new role or role binding to the role definition.
+
+```
+$ vim opa/rbac.json
+```

docker-compose.yml

@@ -0,0 +1,32 @@
+version: '3'
+services:
+  opa:
+    image: openpolicyagent/opa:0.8.1
+    ports:
+      - 8181:8181
+    volumes:
+      - ./opa:/etc/opa
+    command:
+      - run
+      - --server
+      - --log-level=debug
+      - /etc/opa/rbac.json
+      - /etc/opa/rbac.rego
+
+  web:
+    image: nginx:1.13.12
+    volumes:
+      - ./web/html:/usr/share/nginx/html:ro
+
+  nginx:
+    image: nginx:1.13.12
+    ports:
+      - 8080:8080
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
+      - ./nginx/conf.d:/etc/nginx/conf.d
+      - ./nginx/tls:/etc/nginx/tls
+    depends_on:
+      - opa
+      - web
+

nginx/conf.d/rbac.conf

@@ -0,0 +1,25 @@
+js_include /etc/nginx/conf.d/rbac.js;
+
+server {
+    listen 8080 ssl http2;
+
+    ssl_certificate        /etc/nginx/tls/server.pem;
+    ssl_certificate_key    /etc/nginx/tls/server-key.pem;
+    ssl_client_certificate /etc/nginx/tls/ca.pem;
+    ssl_verify_client      on;
+
+    location / {
+        auth_request /_authz;
+        proxy_pass http://web;
+    }
+
+    location = /_authz {
+        internal;
+        js_content authz;
+    }
+
+    location = /_opa {
+        internal;
+        proxy_pass http://opa:8181/v1/data/httpapi/rbac;
+    }
+}

nginx/conf.d/rbac.js

@@ -0,0 +1,45 @@
+function authz(req, res) {
+  var dn = req.variables.ssl_client_s_dn;
+  if (dn == "-") {
+    res.return(403);
+    return;
+  }
+
+  req.error("Client certificate: " + dn);
+
+  var match = RegExp('CN=([^,]+),?').exec(dn);
+  if (match == null) {
+    res.return(403);
+    return;
+  }
+
+  var opa_data = {
+    "input": {
+      "user": match[1],
+      "path": req.variables.request_uri,
+      "method": req.variables.request_method
+    }
+  };
+
+  var opts = {
+    method: "POST",
+    body: JSON.stringify(opa_data)
+  };
+
+  req.subrequest("/_opa", opts, function(opa) {
+    req.error("OPA response: " + opa.body);
+
+    var body = JSON.parse(opa.body);
+    if (!body.result)  {
+      res.return(403);
+      return;
+    }
+
+    if (!body.result.allow) {
+      res.return(403);
+      return;
+    }
+
+    res.return(200);
+  });
+}

nginx/nginx.conf

@@ -0,0 +1,32 @@
+load_module modules/ngx_http_js_module.so;
+
+user  nginx;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+}

nginx/tls/alice-csr.json

@@ -0,0 +1,15 @@
+{
+    "CN": "alice",
+    "key": {
+        "algo": "ecdsa",
+        "size": 256
+    },
+    "names": [
+        {
+            "C": "JP",
+            "L": "Tokyo",
+            "O": "Demo"
+        }
+    ]
+}
+

nginx/tls/alice-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIBss7j6DnjwG9XiUvn15NHFeGIXnJy+AcNDVLcCY97wJoAoGCCqGSM49
+AwEHoUQDQgAEHtaOsdAdnjatm9ME8IShLaiMYamGbLmZor9tI2V4HfVi5WNy+JRf
+QImJKvW8k26s9zPTLmRtSTOMTr/nZxMjuw==
+-----END EC PRIVATE KEY-----

nginx/tls/alice.csr

@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIH2MIGeAgEAMDwxCzAJBgNVBAYTAkpQMQ4wDAYDVQQHEwVUb2t5bzENMAsGA1UE
+ChMERGVtbzEOMAwGA1UEAxMFYWxpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
+AAQe1o6x0B2eNq2b0wTwhKEtqIxhqYZsuZmiv20jZXgd9WLlY3L4lF9AiYkq9byT
+bqz3M9MuZG1JM4xOv+dnEyO7oAAwCgYIKoZIzj0EAwIDRwAwRAIgdXAq9v7elbrJ
+E8Op80XXCHcamPeNHhqB9aJaVy7bnOcCIGduvOHxbRv5gVxFcMJN+rK506MaraEm
+uamk98bHFAkK
+-----END CERTIFICATE REQUEST-----

nginx/tls/alice.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvDCCAaSgAwIBAgIUMOUyOfhS2nk/+yBytalZzszeZeswDQYJKoZIhvcNAQEL
+BQAwPjELMAkGA1UEBhMCSlAxDjAMBgNVBAcTBVRva3lvMQ0wCwYDVQQKEwREZW1v
+MRAwDgYDVQQDEwdEZW1vIENBMB4XDTE4MDUyNjE0MDYwMFoXDTE5MDUyNjE0MDYw
+MFowPDELMAkGA1UEBhMCSlAxDjAMBgNVBAcTBVRva3lvMQ0wCwYDVQQKEwREZW1v
+MQ4wDAYDVQQDEwVhbGljZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB7WjrHQ
+HZ42rZvTBPCEoS2ojGGphmy5maK/bSNleB31YuVjcviUX0CJiSr1vJNurPcz0y5k
+bUkzjE6/52cTI7ujfzB9MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUhXoQb7ghdMPy
+lPm6PSzKM/jRtwUwHwYDVR0jBBgwFoAUKYEGLnvF3aHzFBLBHtEMe8tt84kwDQYJ
+KoZIhvcNAQELBQADggEBAFdWdv55jUtXs1CazLJLnFA2s7Az4U7WxyA/UkBPNBSa
+tleseDVhJnvjfv5DN5p24fW0CwTfJY7hnaWIjaM0rgFU9Xq3MO69zmcp+9rl+Ih7
+KTd+lI8R2cq8T79cest36m1M/mYLeEOZ2AngC6OvN/QUf5jEfDSk5S1GWA4Qv/cZ
+7rqHriJVmZkGe5XviGAxz1/kYhQyfzCPRo7jtonbJigqWV4cWDdkVX0WmCvn4bHr
+99HRhHNbVdCVwLrV43uh1JP1Wg8+sbhZ6ioaDZ0Fwn/S1Z2isFJz9vUf/b3UtGCF
+7WGFWCnuG6vEiOFNl9Rcp65VUpCS8gclFfZwb9sAZTw=
+-----END CERTIFICATE-----

nginx/tls/bob-csr.json

@@ -0,0 +1,15 @@
+{
+    "CN": "bob",
+    "key": {
+        "algo": "ecdsa",
+        "size": 256
+    },
+    "names": [
+        {
+            "C": "JP",
+            "L": "Tokyo",
+            "O": "Demo"
+        }
+    ]
+}
+

nginx/tls/bob-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINcvQViIGbGENC1RuPcd2wJTpk0spCNXP9sKoC3qC+anoAoGCCqGSM49
+AwEHoUQDQgAE5NhT5VMwJe1/Gy1dvChtv8Phlqd9ZeD1yIG/wzxAAzLT1DGeihQ8
+SWa+82X4Jy2EPALbtS65mq5+ufqwFum14Q==
+-----END EC PRIVATE KEY-----

nginx/tls/bob.csr

@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIH2MIGcAgEAMDoxCzAJBgNVBAYTAkpQMQ4wDAYDVQQHEwVUb2t5bzENMAsGA1UE
+ChMERGVtbzEMMAoGA1UEAxMDYm9iMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+5NhT5VMwJe1/Gy1dvChtv8Phlqd9ZeD1yIG/wzxAAzLT1DGeihQ8SWa+82X4Jy2E
+PALbtS65mq5+ufqwFum14aAAMAoGCCqGSM49BAMCA0kAMEYCIQDBKYKeOkhgAS1g
+cwJLBv0SgvYJ/AtqwxXwq5CoA6zMKQIhAOrzfwZUyoyCs/VgvK6qFz9ULqSF9J1l
+b7TIo78KGqTu
+-----END CERTIFICATE REQUEST-----

nginx/tls/bob.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICujCCAaKgAwIBAgIUSfvCBghMsQVOBOXv+jR6O0ZthpYwDQYJKoZIhvcNAQEL
+BQAwPjELMAkGA1UEBhMCSlAxDjAMBgNVBAcTBVRva3lvMQ0wCwYDVQQKEwREZW1v
+MRAwDgYDVQQDEwdEZW1vIENBMB4XDTE4MDUyNjE0MDYwMFoXDTE5MDUyNjE0MDYw
+MFowOjELMAkGA1UEBhMCSlAxDjAMBgNVBAcTBVRva3lvMQ0wCwYDVQQKEwREZW1v
+MQwwCgYDVQQDEwNib2IwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATk2FPlUzAl
+7X8bLV28KG2/w+GWp31l4PXIgb/DPEADMtPUMZ6KFDxJZr7zZfgnLYQ8Atu1Lrma
+rn65+rAW6bXho38wfTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFK9xy46/dNn+aLE2
+L3yX+45pbZvQMB8GA1UdIwQYMBaAFCmBBi57xd2h8xQSwR7RDHvLbfOJMA0GCSqG
+SIb3DQEBCwUAA4IBAQC9Ic34W/TkTKZ8vTecFb+deXoBH/Bmk2vlzDQNJnVfazx+
+Rg8aO73RE/IRvUMlT8mKV9gS0MR3rhL/kjJ5LXyATkJYIFfuw7BmPaGNllbM8iZl
+RXhfR+ql3PaKIFA/vlDmxmBP+96AuaQfZcRiqbWaNmTkJFjZhVrSCPWT0SBmc7Jk
+XafOlPVnNMOmDHI19OGAjdoANe2HK4cVscaRak1JsdGEOSCJsIHQyBIj2HZKyc/P
+jLIXVRm7lt7dNVMM2yY+uY4wbbFU3UPG/reAErrHvcee0RtMWGMJr148MJl1KQ+g
+fwvB1FygFjE9puIVRz9POu+BV628x8FuVjze9M+U
+-----END CERTIFICATE-----

nginx/tls/ca-csr.json

@@ -0,0 +1,14 @@
+{
+    "CN": "Demo CA",
+    "key": {
+        "algo": "rsa",
+        "size": 2048
+    },
+    "names": [
+        {
+            "C": "JP",
+            "L": "Tokyo",
+            "O": "Demo"
+        }
+    ]
+}

nginx/tls/ca-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAvaLWQnYBOClxejYQzzmfSnE9R1PlqaR7C9g0qI4hasoxAs7j
+b1XdaUUZMfdW8d/1GnU7ufuWF9TaA30zVknp0NxIi8oqqyeda4u9zMQI8937LrXB
+/Mo9yQimsgdKIDoZMfEVdYO51A+ViiCAqmDEeihj61eBWNpgYwXot+Ym4wLI66iD
+FJcMpZGIqpHg1y+v7+TLpObh3P1JNLOtYIqXfuYupnD29TtEQetqhbaLVrOxOq7g
+tECU6JgKyiQlWtfpY4CMqoSH0BSgqNhqxwXYQpry+vjWmBDos0Y42C1ZT5lKazHJ
+/1i+bRAlVLPUfdVyVbNAFEkMO6SiGxe06sjk2QIDAQABAoIBACcYVgG3oEK60Ik4
+cji2kW9gbxiwZC2YGkHz3c9OFfeVHYuNqXe/hPj55NrXOhZ9bGN6/cg25Nee6x9D
+BX1pmYmUkGQ5VpiYfyy3z3ZSh+H2xpz3nbmG3DwAy5TyScbhE2anZBwo/vuIBvVG
+BCCb+IWSpB7VmHX/91US18pp6WRtSI9CRMtu9qBUpRKUKTO6Zo1mwn6lVy+uRsjR
+y4YQH1wTN960SWZ2FNv2R+N77giiSHuGokmDju1ZwxHNtY6Ml4E1b1iW30iqysRE
+Wp2glHp0NlVOHGV8GHCctyeuuh82bUP6WVTdj2/l+kW3pShk/ZQN1tw8hG+WY+An
+i8glYD0CgYEA0F2PccNoe1R0vYQqYK/s/5sTB1s009V0fF4UgG1m+WNABpUqK/3L
+bL2bVVhRS8hQu53P5A/qNITyMtk73tksBH2DJWj6rwRgr17eak1sG0BdhHKLSMw+
+R0LMFbU5lFmKmY6/8tfBQKmnJWzQTQdW4lnsShmnwE9tICuSMpJIz8MCgYEA6P0n
+EaA8TbAD9vPUNOozPcJn7YdpJd1xcq8pfGsaRLqR5xQ13ud0elneIpi8lieXGc5g
+85UMuBlcSAFDYyGfpyvQCE87v2B6OFwp9dOsYXQjr6VQg1Nrvzr8PEDfYrNQVcD1
+ifB+kc0VoJYrb/eZmd+OcSfLNvb7eRiEFty7azMCgYEAlCOQkm89X0GiZgMLJgat
+1uRn2PkNS/YchTdWGCCv72qS4Js4imI8OKltQHY0Bk76pwkB/sEZ4BENKP2tRTjd
+xKt/jB9g6wGPw98M/kLhM1bFph7RzAX52SwycNSRhVlL4vTMn1iputFjVoZQahNn
+wDHyfpRS4bUWfqK7pFzAi4UCgYBYaT/7E0fu3v0SKAJ9teWN6QiQ/RJsePSE5W0j
+tmy4aefVvTiYBlKP3yxJCpZ9kDZpZ4QoyoWSEqWO+VO9+VNhF2IQ1ShB/fVDD84o
+Z5OBQ5YLH/tGalB3t4Vhw+hAxvSUJe3G00jkQOOVFYcULOvPlSKzU7tsdxqEIEZ3
+enlwOwKBgQDQCbI+jvbjdApBDWFOC2JGOkizIBe1QAfLWkD9Rdvxe87R800OxnT7
+9qTUCizt31z60fJ0qWaoosRx3XAAzgvmYC/GH8qxHJa3AsJi8AMC146nbnxfPPeA
+Nm4Ax0yYKkb0r1SK05VHAxSKljGckahJjFU/9LIad6MzX371Yd7TEw==
+-----END RSA PRIVATE KEY-----

nginx/tls/ca.csr

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICgzCCAWsCAQAwPjELMAkGA1UEBhMCSlAxDjAMBgNVBAcTBVRva3lvMQ0wCwYD
+VQQKEwREZW1vMRAwDgYDVQQDEwdEZW1vIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAvaLWQnYBOClxejYQzzmfSnE9R1PlqaR7C9g0qI4hasoxAs7j
+b1XdaUUZMfdW8d/1GnU7ufuWF9TaA30zVknp0NxIi8oqqyeda4u9zMQI8937LrXB
+/Mo9yQimsgdKIDoZMfEVdYO51A+ViiCAqmDEeihj61eBWNpgYwXot+Ym4wLI66iD
+FJcMpZGIqpHg1y+v7+TLpObh3P1JNLOtYIqXfuYupnD29TtEQetqhbaLVrOxOq7g
+tECU6JgKyiQlWtfpY4CMqoSH0BSgqNhqxwXYQpry+vjWmBDos0Y42C1ZT5lKazHJ
+/1i+bRAlVLPUfdVyVbNAFEkMO6SiGxe06sjk2QIDAQABoAAwDQYJKoZIhvcNAQEL
+BQADggEBAJzAm4HnnFC0yiAu3bPUAA8CxxWkpn7KCIn3F3xrkR8UOMKQn1uWWaaD
+uzCfW5HZh8nOHyOjpLLUwPYxiT19dOJ3muqs+ReKcQ7KH1db88h2c8fbvH5rPlBT
+7slWV3xwjJN7b6WdFlpxzB2eW8nAsgHRXJIpJzNZpPLDCLXJkCdG5K8hbI0QwwMC
+KeDShHNB1nXZlZJPx7WXFz7IkrOTDudqtcEUGa6yFXod13B5FyQJkcsGM7x7LcwG
+e528NR36t83qcinzJI/WCZMSAzw0l2MlVl/bMmbhvtjjalNSX2OV7ezhfWd9xop0
+X+p3Drurdc8b39igIrCPfErdj/gPcBc=
+-----END CERTIFICATE REQUEST-----