The goal of this plugin is to integrate Kong with OpenFGA for fine-grained authorization. It allows you to define and enforce access control policies using OpenFGA.
Install the plugin using luarocks
. @TODO: The package is not yet hosted on LuaRocks or as an release asset on GitHub.
luarocks install kong-plugin-kong-authz-openfga-0.1.0-1.all.rock
https://docs.konghq.com/gateway/3.9.x/reference/configuration/#plugins
- Integrates with OpenFGA for authorization
- Supports Lua expressions for dynamic policy evaluation
- No caching support yet
Below is the minimal example configuration one might use in declarative_config
:
- name: kong-authz-openfga
config:
host: localhost
port: 1234
store_id: "your_store_id"
tuple:
user: "user_id"
relation: "relation"
object: "object_id"
Below is the example configuration one might use in declarative_config
:
- name: kong-authz-openfga
config:
host: localhost
port: 1234
https: true
https_verify: true
max_attempts: 3
failed_attempts_backoff_timeout: 1000
timeout: 10000
keepalive: 60000
store_id: "your_store_id"
model_id: "your_model_id"
api_token: "your_api_token"
api_token_issuer: "your_api_token_issuer"
api_audience: "your_api_audience"
api_client_id: "your_api_client_id"
api_client_secret: "your_api_client_secret"
api_token_cache: 600
tuple:
user: "user_id"
relation: "relation"
object: "object_id"
contextual_tuples:
- user: "user_id"
relation: "relation"
object: "object_id"
Property | Default value | Description |
---|---|---|
host required Type: hostname (string) |
- | Hostname of the OpenFGA server |
port required Type: port (number) |
8080 | HTTP API port of OpenFGA |
https optional Type: boolean |
false | Use HTTPS to connect to OpenFGA |
https_verify optional Type: boolean |
false | Verify HTTPS certificate |
max_attempts optional Type: integer |
3 | The maximum number of attempts to make when querying OpenFGA. This is useful for handling transient errors and retries. |
failed_attempts_backoff_timeout optional Type: integer |
1000 | The backoff timeout in milliseconds between retry attempts when querying OpenFGA. This helps to avoid overwhelming the server with rapid retries. Formula: failed_attempts_backoff_timeout * 2 ^ (attempts - 1) / 1000 |
timeout optional Type: number |
10000 | The total timeout time in milliseconds for a request and response cycle. |
keepalive optional Type: number |
60000 | The maximal idle timeout in milliseconds for the current connection. See tcpsock:setkeepalive for more details. |
store_id required Type: string |
- | The store ID in OpenFGA |
model_id optional Type: string |
- | Optional model ID (version). Latest is used if this is empty |
api_token optional Type: string |
- | Optional API token |
api_token_issuer optional Type: string |
- | API token issuer |
api_audience optional Type: string |
- | API audience |
api_client_id optional Type: string |
- | API client ID |
api_client_secret optional Type: string |
- | API client secret |
api_token_cache optional Type: number |
600 | API token cache duration in seconds |
tuple required Type: record |
- | Tuple key for authorization |
contextual_tuples optional Type: set |
{} | Set of contextual tuples for authorization |
Version: 0.1.0
Priority: 901
Handler phases:
- access
For local development, building and testing a containerized environment is used. The containerized environment is defined in the Makefile. For the unit and integration test the busted framework is used. To test Kong the spec helper from the kong-pongo toolkit is bundled in the project.
- git
- make (download it from https://sourceforge.net/projects/ezwinports/files/make-4.4-without-guile-w32-bin.zip/download)
- bash
- Docker
- A text editor
For the initial setup of the local development environment, the following steps are required:
- Copy the file .env.tpl to .env and adjust the values to your needs.
- Docker is running and is able to pull images from docker.io.
make
is installed
To run the lint
, unit
and integration
tests just execute make
. This will all run all tests in a containerized environment.
make
Check linting and general Lua programming errors with make lint
make lint
make test-unit
Runtime configuration | Description |
---|---|
BUSTED_NO_KEEP_GOING | When set to true , busted will stop running tests after the first failure. Default is false . |
BUSTED_COVERAGE | When set to true , busted will generate a code coverage report. Default is false . |
BUSTED_EMMY_DEBUGGER | When set to true , enables the EMMY Lua debugger for busted tests. Default is false . |
- Install the EmmyLua extension in VS Code
-
Start your tests with debugging enabled:
make test-unit BUSTED_EMMY_DEBUGGER=true
-
In VS Code:
- Set breakpoints in your Lua code
- Start the debugger using F5 or the Debug panel
- The debugger will attach to the running tests
-
Debug features available:
- Step through code
- Inspect variables
- View call stack
- Set conditional breakpoints
The debugger will automatically map source files between your local workspace and the container environment using the configured source roots.
make pack
Format the code with make format-code
make format-code
Run each command in a separate terminal. Align the terminal side-by-side for a better overall view.
You might want to prefix the make tail-logs
commands with winpty
for better signal/abort handling.
Tail the kong logs.
make tail-logs
Run the tests.
make test-unit
Run the tests with a BUSTED_FILTER and don't continue on the first failure.
make test-unit BUSTED_FILTER="test case name" BUSTED_NO_KEEP_GOING=1
For further debugging the Kong working directory is mounted to your local ./servroot folder. The working directory contains Kong configuration, logs and additional settings.
🚨 For each test case the Kong working directory is wiped. Just use a combination of BUSTED_FILTER and BUSTED_NO_KEEP_GOING to get a faster feedback loop.
Make sure to populate all the environment variables in the .env file. The smoke test will use the values from the .env file.
In order to run the smoke test two terminal windows are required. In the first terminal window run the following command:
make smoke-test-run-server
In the second terminal window run the following command:
make smoke-test-run-test
The logs from the smoke test are visible in the first terminal window.
It's recommended to clean the local development after a new git fetch&rebase/pull.
make clean
@TODO: Add build, test, and deploy pipeline (GitHub Actions) to the project
To test the plugin against a different Kong version change the KONG_VERSION
and the KONG_IMAGE_HASH
in the plugin.properties file.
The local development environment is inspired by the kong-pongo
toolkit. The spec helper from kong-pongo
is bundled in the project.
All the linting and test are running in a containerized environment that is based on the _build/images/kong-tooling/Dockerfile.
This image could also be reused for CI.
Similar to the tooling image the smoke test run in a different containerized environment that is based on the _build/images/kong-smoke-test/Dockerfile. The smoke test uses the Kong configuration and script from _build/deployment/kong-smoke-test. The smoke test container emulates a Kong environment that installs a .rocks (Luarocks package) file.
The project bundles a mock server for OpenFGA.
@TODO: TBD
@TODO: TBD
- https://marketplace.visualstudio.com/items?itemName=sumneko.lua
- https://marketplace.visualstudio.com/items?itemName=dwenegar.vscode-luacheck
- Checkout the main branch
git checkout main
- Update the version number in plugin.properties
- Update the version number in kong-plugin.rockspec
- Update the version number in README.md
- Update the version number in kong/plugins/kong-authz-openfga/handler.lua
- Add a new section to CHANGELOG.md with the release highlights
- Commit the changes, create a tag and push changes and tag to the remote repository
git add plugin.properties kong-plugin.rockspec README.md kong/plugins/*/handler.lua CHANGELOG.md
git commit -m "Release x.y.z-r"
git tag x.y.z-r
git push
git push --tags
- @TODO: Add step to publish the *.rock file to LuaRocks
- @TODO: Add step to perform a release in GitHub