stormchaser-api 1.3.0

A robust, distributed workflow engine for event-driven and human-triggered workflows.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

use crate::AppState;
use anyhow::Result;
use axum::{
    extract::{Request, State},
    http::{header, StatusCode},
    middleware::Next,
    response::Response,
};
use stormchaser_model::auth::ApiOpaContext;
use tracing::{debug, error, info};

/// Middleware to evaluate Open Policy Agent (OPA) rules for incoming requests
pub async fn opa_middleware(
    State(state): State<AppState>,
    request: Request,
    next: Next,
) -> Result<Response, StatusCode> {
    let authorizer = &*state.opa;
    if !authorizer.is_configured() {
        return Ok(next.run(request).await);
    }

    let path = request.uri().path().to_string();
    let method = request.method().to_string();

    // Extract token manually from headers if present
    let token = request
        .headers()
        .get(header::AUTHORIZATION)
        .and_then(|h| h.to_str().ok())
        .and_then(|s| s.strip_prefix("Bearer "));

    let context = ApiOpaContext {
        path: &path,
        method: &method,
        token,
    };

    match authorizer.check(context).await {
        Ok(true) => {
            debug!("OPA allowed access to {} {}", method, path);
            Ok(next.run(request).await)
        }
        Ok(false) => {
            info!("OPA denied access to {} {}", method, path);
            Err(StatusCode::FORBIDDEN)
        }
        Err(e) => {
            error!("OPA check failed for {} {}: {:?}", method, path, e);
            // Hard failure if OPA is unreachable or errors
            Err(StatusCode::INTERNAL_SERVER_ERROR)
        }
    }
}