Nont 2023-02-10 13:45:32 -08:00
Родитель 619dcde15a
Коммит 4e31347c27
3 изменённых файлов: 25 добавлений и 6 удалений


@ -10,17 +10,21 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
)
// RemotePDPClient represents the Microsoft Remote PDP API Spec
type RemotePDPClient interface {
CheckAccess(context.Context, AuthorizationRequest) (*AuthorizationDecisionResponse, error)
}
// TODO insert the required attributes
// remotePDPClient implements RemotePDPClient
type remotePDPClient struct {
endpoint string
pipeline runtime.Pipeline
}
// TODO Insert the required parameters
// NewRemotePDPClient returns an implementation of RemotePDPClient
// endpoint - the fqdn of the regional specific endpoint of PDP
// scope - the oauth scope required by the PDP serer
// cred - the credential of the client to call the PDP server
func NewRemotePDPClient(endpoint, scope string, cred azcore.TokenCredential) RemotePDPClient {
authPolicy := runtime.NewBearerTokenPolicy(cred, []string{scope}, nil)
@ -37,7 +41,9 @@ func NewRemotePDPClient(endpoint, scope string, cred azcore.TokenCredential) Rem
return &remotePDPClient{endpoint, pipeline}
}
// TODO Implement it
// CheckAccess sends an Authorization query to the PDP server specified in the client
// ctx - the context to propagate
// authzReq - the actual AuthorizationRequest
func (r *remotePDPClient) CheckAccess(ctx context.Context, authzReq AuthorizationRequest) (*AuthorizationDecisionResponse, error) {
req, err := runtime.NewRequest(ctx, http.MethodPost, r.endpoint)
if err != nil {
@ -62,6 +68,7 @@ func (r *remotePDPClient) CheckAccess(ctx context.Context, authzReq Authorizatio
return &accessDecision, nil
}
// newCheckAccessError returns an error when non HTTP 200 response is returned.
func newCheckAccessError(r *http.Response) error {
resErr := azcore.ResponseError{
StatusCode: r.StatusCode,
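Review bot: The new doc comment on CheckAccess (the three lines above `func (r *remotePDPClient) CheckAccess`) should say how callers must treat the result, because this is an authorization decision: a non-nil error carries no decision and has to be treated as a denial, and the types file describes AuthorizationDecisionResponse as paginated via NextLink while the visible `return &accessDecision, nil` hands back only the decoded page. I would extend the comment with `// A non-nil error means no decision was obtained; callers must fail closed. The response may be paginated (NextLink); only the first page is returned here.` (the second clause assumes the hidden body does not follow NextLink; drop it if it does). If NextLink is followed, note that the pipeline's bearer-token policy will attach the token to whatever URL the server supplies, so the link should be checked against r.endpoint's scheme and host before it is requested. Separately, the NewRemotePDPClient comment describes endpoint as "the fqdn", but the configured values are full URLs with a path and, after this commit, an api-version query, and `PDP serer` should read `PDP server`. The CheckAccess body between the second and third hunks is outside this view.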


@ -1,5 +1,6 @@
package remotepdp
// AuthorizationRequest represents the payload of the request sent to a PDP server
type AuthorizationRequest struct {
Subject SubjectInfo `json:"Subject"`
Actions []ActionInfo `json:"Actions"`
@ -12,6 +13,9 @@ type SubjectInfo struct {
Attributes SubjectAttributes `json:"Attributes"`
}
// SubjectAttributes contains the possible attributes to describe the subject
// of query (i.e. if IT has the access). The ObjectId field is the UUID value of
// the subject and is required.
type SubjectAttributes struct {
ObjectId string `json:"ObjectId"`
Groups []string `json:"Groups"`
@ -27,12 +31,16 @@ type SubjectAttributes struct {
Issuer string `json:"iss,omitempty"`
}
// ActionInfo contains an action the query checks whether the subject
// has access to perform. Example: "Microsoft.Network/virtualNetworks/read"
type ActionInfo struct {
Id string `json:"Id"`
IsDataAction bool `json:"IsDataAction,omitempty"`
Attributes `json:"Attributes"`
}
// ResourceInfo is the resource path of the target object the query
// checks whether the subject has access to perform against it.
type ResourceInfo struct {
Id string `json:"Id"`
Attributes `json:"Attributes"`
@ -42,11 +50,15 @@ type EnvironmentInfo struct {
Attributes `json:"Attributes"`
}
// AuthorizationDecisionResponse contains a paginated list of all decision results
// In case the list is more than 50, follow NextLink to retrieve the next page.
type AuthorizationDecisionResponse struct {
Value []AuthorizationDecision `json:"value"`
NextLink string `json:"nextLink"`
}
// AuthorizationDecision tells whether the subject can perform the action
// on the target resource.
type AuthorizationDecision struct {
ActionId string `json:"actionId,omitempty"`
AccessDecision `json:"accessDecision,omitempty"`
@ -56,6 +68,7 @@ type AuthorizationDecision struct {
TimeToLiveInMs int `json:"timeToLiveInMs,omitempty"`
}
// AccessDecision can be: Allowed, NotAllowed, Denied.
type AccessDecision string
type RoleAssignment struct {
@ -75,7 +88,6 @@ type RoleDefinition struct {
Id string `json:"id,omitempty"`
}
//
type Attributes map[string]interface{}
// RemotePDPErrorPayload represents the body content when the server returns
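Review bot: The new comment on AccessDecision (`// AccessDecision can be: Allowed, NotAllowed, Denied.`) leaves out the case that matters for a fail-closed check: the field is optional in the JSON (it is embedded in AuthorizationDecision with omitempty), and a response that omits accessDecision decodes to the zero value "", which is none of the three listed values. A caller written as "not NotAllowed and not Denied" would then treat a missing decision as a grant. I would write `// AccessDecision is one of Allowed, NotAllowed or Denied; an absent field decodes to "", so compare against Allowed explicitly and treat every other value as a denial.` The removed `//` before `type Attributes` leaves Attributes as the one exported type in this hunk without a doc comment; `// Attributes holds free-form key/value attributes attached to an action, resource or environment.` would complete the set.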


@ -43,7 +43,7 @@ var (
AppLensTenantID: "72f988bf-86f1-41af-91ab-2d7cd011db47",
AuthorityHost: azidentity.AzurePublicCloud,
AzureRbacPDPEnvironment: AzureRbacPDPEnvironment{
Endpoint: "https://%s.authorization.azure.net/providers/Microsoft.Authorization/checkAccess",
Endpoint: "https://%s.authorization.azure.net/providers/Microsoft.Authorization/checkAccess?api-version=2021-06-01-preview",
OAuthScope: "https://authorization.azure.net/.default",
},
}
@ -59,7 +59,7 @@ var (
AppLensTenantID: "cab8a31a-1906-4287-a0d8-4eef66b95f6e",
AuthorityHost: azidentity.AzureGovernment,
AzureRbacPDPEnvironment: AzureRbacPDPEnvironment{
Endpoint: "https://%s.authorization.azure.us/providers/Microsoft.Authorization/checkAccess",
Endpoint: "https://%s.authorization.azure.us/providers/Microsoft.Authorization/checkAccess?api-version=2021-06-01-preview",
OAuthScope: "https://authorization.azure.us/.default",
},
}
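Review bot: Both Endpoint values are format strings whose `%s` sits in the host position, and with this commit they also carry a query string, so the value substituted for `%s` controls the host, path and query of a request that is sent with a bearer token for the OAuthScope below. If the region string can ever come from configuration or a caller rather than a fixed list, a value such as `attacker.example/x?` would push the genuine `.authorization.azure.net/...` suffix into the query and deliver the token to the attacker's host; the substitution site is not in this view, but it should validate the region against a strict pattern (lowercase letters and digits only) before formatting, and a comment here, `// %s is the Azure region; validate it before formatting, since it selects the host.`, would make that contract explicit. The pinned api-version is a preview version; a one-line comment recording that the remotepdp response types presumably track it would help whoever bumps it later.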