implement API-Key authorization to apigw (API Gateway) module

hamidreza-ka · hamidreza-ka · commit 9c0402101586 · 2023-11-29T17:20:01.000+03:30
diff --git a/.idea/misc.xml b/.idea/misc.xml
diff --git a/apigw/src/main/java/com/hrk/apigw/security/ApiKeyAuthorizationChecker.java b/apigw/src/main/java/com/hrk/apigw/security/ApiKeyAuthorizationChecker.java
@@ -0,0 +1,5 @@
+package com.hrk.apigw.security;
+
+public interface ApiKeyAuthorizationChecker {
+    boolean isAuthorized(String apiKey, String applicationName);
+}
diff --git a/apigw/src/main/java/com/hrk/apigw/security/ApiKeyAuthorizationCheckerFakeImpl.java b/apigw/src/main/java/com/hrk/apigw/security/ApiKeyAuthorizationCheckerFakeImpl.java
@@ -0,0 +1,22 @@
+package com.hrk.apigw.security;
+
+import org.springframework.stereotype.Service;
+
+import java.util.List;
+import java.util.Map;
+
+@Service("fake")
+public class ApiKeyAuthorizationCheckerFakeImpl implements ApiKeyAuthorizationChecker {
+
+    private final static Map<String, List<String>> apiKeys = Map.of("secretKey", List.of("customer"));
+
+    @Override
+    public boolean isAuthorized(
+            String apiKey,
+            String applicationName
+    ) {
+        return apiKeys.getOrDefault(apiKey, List.of())
+                .stream()
+                .anyMatch(applications -> applications.contains(applicationName));
+    }
+}
diff --git a/apigw/src/main/java/com/hrk/apigw/security/ApiKeyAuthorizationFilter.java b/apigw/src/main/java/com/hrk/apigw/security/ApiKeyAuthorizationFilter.java
@@ -0,0 +1,44 @@
+package com.hrk.apigw.security;
+
+
+import org.springframework.cloud.gateway.filter.GatewayFilterChain;
+import org.springframework.cloud.gateway.filter.GlobalFilter;
+import org.springframework.cloud.gateway.route.Route;
+import org.springframework.cloud.gateway.support.ServerWebExchangeUtils;
+import org.springframework.core.Ordered;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Component;
+import org.springframework.web.server.ResponseStatusException;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+import java.util.List;
+
+@Component
+public record ApiKeyAuthorizationFilter(
+        ApiKeyAuthorizationCheckerFakeImpl apiKeyAuthorizationCheckerFakeImpl) implements GlobalFilter, Ordered {
+
+    @Override
+    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
+        System.out.println("ApiKeyAuthorizationFilter... checking the key");
+
+        Route attribute = exchange.getAttribute(ServerWebExchangeUtils.GATEWAY_ROUTE_ATTR);
+        String applicationName = attribute != null ? attribute.getId() : null;
+
+        List<String> apiKey = exchange.getRequest().getHeaders().get("ApiKey");
+
+        if (applicationName == null ||
+                (apiKey == null || apiKey.isEmpty()) ||
+                !apiKeyAuthorizationCheckerFakeImpl.isAuthorized(apiKey.get(0), applicationName)
+        )
+            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "you are not authorized");
+
+        System.out.println("API KEY -> " + apiKey);
+        return chain.filter(exchange);
+    }
+
+    @Override
+    public int getOrder() {
+        return Ordered.LOWEST_PRECEDENCE;
+    }
+}
