actualise authorize server with latest main changes (#1071)

Signed-off-by: Denis Tingaikin <denis.tingajkin@xored.com>

pkg/networkservice/common/authorize/client.go

@@ -45,7 +45,7 @@ func NewClient(opts ...Option) networkservice.NetworkServiceClient {
 	var result = &authorizeClient{
 		policies: []Policy{
 			opa.WithTokensValidPolicy(),
-			opa.WithCurrentTokenSignedPolicy(),
+			opa.WithNextTokenSignedPolicy(),
 			opa.WithTokensExpiredPolicy(),
 			opa.WithTokenChainPolicy(),
 		},

pkg/networkservice/common/authorize/server.go

@@ -23,6 +23,7 @@ import (
 	"context"
 
 	"github.com/golang/protobuf/ptypes/empty"
+	"google.golang.org/grpc/peer"
 
 	"github.com/networkservicemesh/api/pkg/api/networkservice"
 
@@ -57,9 +58,10 @@ func (a *authorizeServer) Request(ctx context.Context, request *networkservice.N
 		Index:        index,
 		PathSegments: request.GetConnection().GetPath().GetPathSegments()[:index+1],
 	}
-
-	if err := a.policies.check(ctx, leftSide); err != nil {
-		return nil, err
+	if _, ok := peer.FromContext(ctx); ok {
+		if err := a.policies.check(ctx, leftSide); err != nil {
+			return nil, err
+		}
 	}
 	return next.Server(ctx).Request(ctx, request)
 }
@@ -70,10 +72,10 @@ func (a *authorizeServer) Close(ctx context.Context, conn *networkservice.Connec
 		Index:        index,
 		PathSegments: conn.GetPath().GetPathSegments()[:index+1],
 	}
-
-	if err := a.policies.check(ctx, leftSide); err != nil {
-		return nil, err
+	if _, ok := peer.FromContext(ctx); ok {
+		if err := a.policies.check(ctx, leftSide); err != nil {
+			return nil, err
+		}
 	}
-
 	return next.Server(ctx).Close(ctx, conn)
 }

pkg/networkservice/common/authorize/server_test.go

@@ -26,6 +26,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/goleak"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/peer"
 	"google.golang.org/grpc/status"
 
 	"github.com/networkservicemesh/sdk/pkg/networkservice/common/authorize"
@@ -58,6 +59,28 @@ func requestWithToken(token string) *networkservice.NetworkServiceRequest {
 	}
 }
 
+func TestAuthorize_ShouldCorrectlyWorkWithHeal(t *testing.T) {
+	t.Cleanup(func() { goleak.VerifyNone(t) })
+
+	r := &networkservice.NetworkServiceRequest{
+		Connection: &networkservice.Connection{
+			Path: &networkservice.Path{
+				PathSegments: []*networkservice.PathSegment{
+					{},
+				},
+			},
+		},
+	}
+
+	// simulate heal request
+	conn, err := authorize.NewServer().Request(context.Background(), r)
+	require.NoError(t, err)
+
+	// simulate timeout close
+	_, err = authorize.NewServer().Close(context.Background(), conn)
+	require.NoError(t, err)
+}
+
 func TestAuthzEndpoint(t *testing.T) {
 	t.Cleanup(func() { goleak.VerifyNone(t) })
 	suits := []struct {
@@ -96,10 +119,12 @@ func TestAuthzEndpoint(t *testing.T) {
 				require.Equal(t, s.Code(), codes.PermissionDenied, "wrong error status code")
 			}
 
-			_, err := srv.Request(context.Background(), s.request)
+			ctx := peer.NewContext(context.Background(), &peer.Peer{})
+
+			_, err := srv.Request(ctx, s.request)
 			checkResult(err)
 
-			_, err = srv.Close(context.Background(), s.request.GetConnection())
+			_, err = srv.Close(ctx, s.request.GetConnection())
 			checkResult(err)
 		})
 	}

pkg/networkservice/common/heal/server.go

@@ -303,6 +303,5 @@ func (f *healServer) createHealContext(requestCtx, cachedCtx context.Context) co
 	if candidates := discover.Candidates(ctx); candidates != nil {
 		healCtx = discover.WithCandidates(healCtx, candidates.Endpoints, candidates.NetworkService)
 	}
-
 	return healCtx
 }

pkg/tools/opa/current_token_signed_policy_test.go → pkg/tools/opa/next_token_signed_policy_test.go

@@ -44,9 +44,10 @@ func Test_CurrentTokenShouldBeSigned_Server(t *testing.T) {
 	validX509crt, err := x509.ParseCertificate(cert.Certificate[0])
 	require.Nil(t, err)
 
-	var p = opa.WithCurrentTokenSignedPolicy()
+	var p = opa.WithNextTokenSignedPolicy()
 	var input = &networkservice.Path{
 		PathSegments: []*networkservice.PathSegment{
+			{},
 			{
 				Token: token,
 			},

pkg/tools/opa/policies.go

@@ -24,7 +24,7 @@ var tokensValidPolicySource string
 //go:embed policies/prev_token_signed.rego
 var prevTokenSignedPolicySource string
 
-//go:embed policies/curr_token_signed.rego
+//go:embed policies/next_token_signed.rego
 var currTokenSignedPolicySource string
 
 //go:embed policies/tokens_chained.rego
@@ -42,12 +42,12 @@ func WithTokensValidPolicy() *AuthorizationPolicy {
 	}
 }
 
-// WithCurrentTokenSignedPolicy returns default policy for checking that last token in path is signed.
-func WithCurrentTokenSignedPolicy() *AuthorizationPolicy {
+// WithNextTokenSignedPolicy returns default policy for checking that last token in path is signed.
+func WithNextTokenSignedPolicy() *AuthorizationPolicy {
 	return &AuthorizationPolicy{
 		policySource: currTokenSignedPolicySource,
-		query:        "curr_token_signed",
-		checker:      True("curr_token_signed"),
+		query:        "next_token_signed",
+		checker:      True("next_token_signed"),
 	}
 }
 

pkg/tools/opa/policies/curr_token_signed.rego → pkg/tools/opa/policies/next_token_signed.rego

@@ -16,12 +16,13 @@
 
 package nsm
 
-default curr_token_signed = false
-default index = 0
+default next_token_signed = false
+default index = 1
 
-index = input.index
+index = input.index + 1
 
-curr_token_signed {
+next_token_signed {
+	count(input.path_segments) > index
 	token := input.path_segments[index].token	
 	cert := input.auth_info.certificate	
 	io.jwt.verify_es256(token, cert) = true