externalized rule head property, fixed ConfigLoader

Author: DavidGitter

README.md

@@ -50,17 +50,19 @@ This builds the ``.nar``-plugin in the ``/target`` folder.
 
 In order to use the plugin in Apache NiFi the following steps must be performed:
 1. Go to the ``/opt/nifi/nifi-current/conf/authorizers.xml`` in your Apache NiFi Instance / Container
-2. Place the the following ``opa-authorizer``-snippet in the file (e.g. beneath the ``managed-authorizer``):
+2. Place the the following ``opa-authorizer``-snippet in the file (for example beneath the ``managed-authorizer``):
 ````xml
-<!-- Overriding the normal managed-authorizer entry -->
+<!-- example snippet -->
 <authorizer>
     <identifier>opa-authorizer</identifier>
     <class>org.nifiopa.nifiopa.OpaAuthorizer</class>
     <property name="CACHE_TIME_SECS">30</property>
     <property name="CACHE_MAX_ENTRY_COUNT">100</property>
-    <property name="OPA_URI">http://opa:8181/</property>
+    <property name="OPA_URI">http://opa:8181/</property> <!--required-->
+    <property name="OPA_RULE_HEAD">nifi/allow</property> <!--required-->
 </authorizer>
 ````
+Alternatively, the properties fields can also be set as environment variables.
 3. Set the env-variable ``NIFI_SECURITY_USER_AUTHORIZER`` of Apache NiFi **or** the ``nifi.security.user.authorizer`` in Apache NiFis nifi.properties-file to ``opa-authorizer``.
 4. Place the ``nar``-plugin you build aboth in the ``/opt/nifi/nifi-current/extensions/`` folder of your Apache NiFi Instance / Container
 5. Restart Apache NiFi
@@ -72,6 +74,7 @@ The following properties can be configurated in the ``authorizers.xml`` or using
 | Property Key | Example | Default | Description |
 | --- | --- | --- | --- |
 | `OPA_URI` | `http://opa:8181/` |  | Endpoint of the OPA policy to query. **required** |
+| `OPA_RULE_HEAD` | `nifi/allow` |  | Rule head against which the query is made (*package*/*rule*). **required** |
 | `CACHE_TIME_SECS` | `30` | `30` | Maximum time in seconds an entry in the decision cache exists. |
 | `CACHE_MAX_ENTRY_COUNT` | `100` | `0` | Maximum entries of the decision cache. |
 

authorizer/src/main/java/org/nifiopa/nifiopa/ConfigLoader.java

@@ -11,13 +11,8 @@
 public class ConfigLoader {
 
 	private static final Logger logger = LoggerFactory.getLogger(ConfigLoader.class);
-	private static AuthorizerConfigurationContext configurationContext;
 
-	public ConfigLoader(AuthorizerConfigurationContext configurationContext) {
-		ConfigLoader.configurationContext = configurationContext;
-	}
-
-	public static String getProperty(String propertyName, String defaultValue) throws InvalidParameterException {
+	public static String getProperty(AuthorizerConfigurationContext configurationContext, String propertyName, String defaultValue) throws InvalidParameterException {
 		// 1. Try load from environment
 		try {
 			String propertyEnv = System.getenv(propertyName);
@@ -43,8 +38,8 @@ public static String getProperty(String propertyName, String defaultValue) throw
 		return defaultValue;
 	}
 
-	public static String getProperty(String propertyName) throws InvalidParameterException {
-		String property = ConfigLoader.getProperty(propertyName, null);
+	public static String getProperty(AuthorizerConfigurationContext configurationContext, String propertyName) throws InvalidParameterException {
+		String property = ConfigLoader.getProperty(configurationContext, propertyName, null);
 		if (property != null)
 			return property;
 		throw new InvalidParameterException(

authorizer/src/main/java/org/nifiopa/nifiopa/OpaAuthorizer.java

@@ -25,6 +25,9 @@ public class OpaAuthorizer implements Authorizer {
 
 	private final String OPA_URI_PROPNAME = "OPA_URI";
 
+	private final String OPA_RULE_HEAD_PROPNAME = "OPA_RULE_HEAD";
+	private String OPA_RULE_HEAD;
+
 	@Override
 	public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
 
@@ -79,7 +82,7 @@ public AuthorizationResult authorize(AuthorizationRequest request) throws Author
 
 		OPAResponse opaResponse = null;
 		try {
-			opaResponse = opaClient.evaluate("nifi/allow", requestForm, OPAResponse.class); // TODO: rule not hardcoded
+			opaResponse = opaClient.evaluate(OPA_RULE_HEAD, requestForm, OPAResponse.class);
 		} catch (OPAException e) {
 			logger.error(MessageFormat.format("An error occured while trying to query against OPA: {0}", e.toString()));
 			return AuthorizationResult.denied("An error occured while trying to query against OPA");
@@ -121,10 +124,14 @@ public void initialize(AuthorizerInitializationContext initializationContext) th
 
 	@Override
 	public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
-		String uriProp = ConfigLoader.getProperty(OPA_URI_PROPNAME);
+		String uriProp = ConfigLoader.getProperty(configurationContext, OPA_URI_PROPNAME);
 		if (uriProp == null)
 			throw new AuthorizerCreationException("Missing required property OPA_URI");
 
+		OPA_RULE_HEAD = ConfigLoader.getProperty(configurationContext, OPA_RULE_HEAD_PROPNAME);
+		if (OPA_RULE_HEAD == null)
+			throw new AuthorizerCreationException("Missing required property OPA_RULE_HEAD");
+
 		opaClient = new OPAClient(uriProp);
 		cache = new RequestCache();
 		cache.initialize(configurationContext);

authorizer/src/main/java/org/nifiopa/nifiopa/RequestCache.java

@@ -57,7 +57,7 @@ public void initialize(AuthorizerConfigurationContext configurationContext) thro
 	void initializePropertys(AuthorizerConfigurationContext configurationContext) {
 		try {
 			/* Initialize property of maximum cache time after write */
-			String cacheTimeProp = ConfigLoader.getProperty(CACHE_TIME_SECS_PROPNAME, CACHE_TIME_SECS_DEFAULT);
+			String cacheTimeProp = ConfigLoader.getProperty(configurationContext, CACHE_TIME_SECS_PROPNAME, CACHE_TIME_SECS_DEFAULT);
 			if (cacheTimeProp != null)
 				CACHE_TIME_SECS = Integer.parseInt(cacheTimeProp);
 		} catch (NumberFormatException nfe) {
@@ -70,7 +70,7 @@ void initializePropertys(AuthorizerConfigurationContext configurationContext) {
 
 		/* Initialize property of maximum entries in the cache at one time */
 		try {
-			String cacheMaxEntryProp = ConfigLoader.getProperty(CACHE_MAX_ENTRY_COUNT_PROPNAME, CACHE_MAX_ENTRY_COUNT_DEFAULT);
+			String cacheMaxEntryProp = ConfigLoader.getProperty(configurationContext, CACHE_MAX_ENTRY_COUNT_PROPNAME, CACHE_MAX_ENTRY_COUNT_DEFAULT);
 			if (cacheMaxEntryProp != null)
 				CACHE_MAX_ENTRY_COUNT = Integer.parseInt(cacheMaxEntryProp);
 		} catch (NumberFormatException nfe) {

test-env/authorizers-opa.xml

@@ -356,6 +356,7 @@
         <property name="CACHE_TIME_SECS">30</property>
         <property name="CACHE_MAX_ENTRY_COUNT">100</property>
         <property name="OPA_URI">http://opa:8181/</property>
+        <property name="OPA_RULE_HEAD">nifi/allow</property>
     </authorizer>
 
     <!--

test-env/compose.yaml

@@ -56,6 +56,7 @@ services:
       LDAP_IDENTITY_STRATEGY: 'USE_USERNAME'
       LDAP_URL: ldap://openldap:1389
       OPA_URI: "http://opa:8181/"
+      OPA_RULE_HEAD: "nifi/allow"
       NIFI_SECURITY_USER_AUTHORIZER: "opa-authorizer"
     networks:
       - test-network