wip

4 files changed, 110 insertions, 0 deletions

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3235664
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/*.json
+/*.back
+/build
diff --git a/includes/main.jsonnet b/includes/main.jsonnet
new file mode 100644
index 0000000..32869b2
--- /dev/null
+++ b/includes/main.jsonnet
@@ -0,0 +1,20 @@
+{
+  domain: "random.sh",
+  services: {
+    ca: "https://ca.adm.random.sh",
+    keto_api: "https://keto.sso.internal.random.sh",
+  },
+  internal: {
+    services: {
+      ca: "https://ca.internal.random.sh",
+      keto_api: "https://keto.sso.internal.random.sh",
+    },
+  },
+  sso: {
+    login_url: "https://" + $.domain + "/login",
+    check_api_url: $.services.keto_api + "/check",
+  },
+  admin: {
+    domain: "adm." + $.domain,
+  },
+}
diff --git a/includes/oathkeeper.jsonnet b/includes/oathkeeper.jsonnet
new file mode 100644
index 0000000..02db2b8
--- /dev/null
+++ b/includes/oathkeeper.jsonnet
@@ -0,0 +1,55 @@
+local main = import "main.jsonnet";
+
+local cookieSessionAuthenticator = {
+  handler: "cookie_session"
+};
+local oauth2ClientCredentialsAuthenticator = {
+  handler: "oauth2_client_credentials"
+};
+
+local allowAuthorizer = {
+  handler: "allow"
+};
+local ketoAuthorizer(object) = {
+  handler: "remote_json", config: {
+  remote: "https://keto.sso.internal.random.sh/check",
+  payload: |||
+    {
+      "namespace": "websites",
+      "subject": "{{ print .Subject }}",
+      "object": object,
+      "relation": "access"
+    }
+  |||}
+};
+
+local errorRedirectHandler = {
+  handler: "redirect",
+  config: {
+    to: main.sso.login_url,
+    return_to_query_param: "return_to"
+  }
+};
+
+local idTokenMutator = {handler: "id_token"};
+
+local headerMutator = {handler: "header"};
+
+{
+  authenticators: {
+    cookieSession: cookieSessionAuthenticator,
+    oauth2ClientCredentials: oauth2ClientCredentialsAuthenticator,
+  },
+  authorizers: {
+    keto: ketoAuthorizer,
+    allow: allowAuthorizer,
+  },
+  errors: {
+    redirect: errorRedirectHandler,
+  },
+  mutators: {
+    idToken: idTokenMutator,
+    header: headerMutator
+  },
+  allHttpMethods: ["OPTIONS", "GET", "POST", "PUT", "PATCH", "DELETE"],
+}
diff --git a/src/oathkeeper_adm_rules.jsonnet b/src/oathkeeper_adm_rules.jsonnet
new file mode 100644
index 0000000..1061077
--- /dev/null
+++ b/src/oathkeeper_adm_rules.jsonnet
@@ -0,0 +1,32 @@
+local main = import "../includes/main.jsonnet";
+local oathkeeper = import "../includes/oathkeeper.jsonnet";
+
+local Endpoint(name, remote) = {
+  local sub_domain = name + "." + main.admin.domain,
+  id: main.admin.domain + ":" + name,
+  upstream: {
+    preserve_host: false,
+    url: remote
+  },
+  match: {
+    url: "https://" + sub_domain + "/<.*>",
+    methods: oathkeeper.allHttpMethods,
+  },
+  authenticators: [oathkeeper.authenticators.cookieSession, oathkeeper.authenticators.oauth2ClientCredentials],
+  authorizer: oathkeeper.authorizers.keto(sub_domain),
+  mutators: [oathkeeper.mutators.idToken, oathkeeper.mutators.header],
+  errors: [oathkeeper.errors.redirect],
+};
+
+[
+    Endpoint("prometheus", "http://stairway.internal.random.sh:9090"),
+    Endpoint("alertmanager", "http://stairway.internal.random.sh:9093"),
+    Endpoint("blackbox", "http://stairway.internal.random.sh:9115"),
+    Endpoint("loki", "http://loki.internal.random.sh:3100"),
+    Endpoint("grafana", "http://grafana.internal.random.sh:3000"),
+    Endpoint("kratos-admin-ui", "http://kratos-admin-ui.internal.random.sh"),
+    Endpoint("kratos-admin-api", "https://kratos.admin.sso.internal.random.sh"),
+    Endpoint("kratos-api", "https://kratos.sso.internal.random.sh"),
+    Endpoint("opa", "http://opa.internal.random.sh:8181"),
+    Endpoint("stairway-pushgateway", "https://stairway-pushgateway.adm.random.sh/")
+]