micro/auth/auth.go

// Package auth provides authentication and authorization capability
package auth

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"time"

	"github.com/micro/go-micro/v2/metadata"
)

var (
	// ErrNotFound is returned when a resouce cannot be found
	ErrNotFound = errors.New("not found")
	// ErrEncodingToken is returned when the service encounters an error during encoding
	ErrEncodingToken = errors.New("error encoding the token")
	// ErrInvalidToken is returned when the token provided is not valid
	ErrInvalidToken = errors.New("invalid token provided")
	// ErrInvalidRole is returned when the role provided was invalid
	ErrInvalidRole = errors.New("invalid role")
	// ErrForbidden is returned when a user does not have the necessary roles to access a resource
	ErrForbidden = errors.New("resource forbidden")
	// BearerScheme used for Authorization header
	BearerScheme = "Bearer "
)

// Auth providers authentication and authorization
type Auth interface {
	// Init the auth
	Init(opts ...Option)
	// Options set for auth
	Options() Options
	// Generate a new account
	Generate(id string, opts ...GenerateOption) (*Account, error)
	// Grant access to a resource
	Grant(role string, res *Resource) error
	// Revoke access to a resource
	Revoke(role string, res *Resource) error
	// Verify an account has access to a resource
	Verify(acc *Account, res *Resource) error
	// Inspect a token
	Inspect(token string) (*Account, error)
	// Refresh an account using a secret
	Refresh(secret string, opts ...RefreshOption) (*Token, error)
	// String returns the name of the implementation
	String() string
}

// Resource is an entity such as a user or
type Resource struct {
	// Name of the resource
	Name string
	// Type of resource, e.g.
	Type string
	// Endpoint resource e.g NotesService.Create
	Endpoint string
}

// Account provided by an auth provider
type Account struct {
	// ID of the account (UUIDV4, email or username)
	ID string `json:"id"`
	// Secret used to renew the account
	Secret *Token `json:"secret"`
	// Roles associated with the Account
	Roles []string `json:"roles"`
	// Any other associated metadata
	Metadata map[string]string `json:"metadata"`
}

// Token can be short or long lived
type Token struct {
	// The token itself
	Token string `json:"token"`
	// Type of token, e.g. JWT
	Type string `json:"type"`
	// Time of token creation
	Created time.Time `json:"created"`
	// Time of token expiry
	Expiry time.Time `json:"expiry"`
	// Subject of the token, e.g. the account ID
	Subject string `json:"subject"`
	// Roles granted to the token
	Roles []string `json:"roles"`
	// Metadata embedded in the token
	Metadata map[string]string `json:"metadata"`
}

const (
	// MetadataKey is the key used when storing the account in metadata
	MetadataKey = "auth-account"
	// TokenCookieName is the name of the cookie which stores the auth token
	TokenCookieName = "micro-token"
	// SecretCookieName is the name of the cookie which stores the auth secret
	SecretCookieName = "micro-secret"
)

// AccountFromContext gets the account from the context, which
// is set by the auth wrapper at the start of a call. If the account
// is not set, a nil account will be returned. The error is only returned
// when there was a problem retrieving an account
func AccountFromContext(ctx context.Context) (*Account, error) {
	str, ok := metadata.Get(ctx, MetadataKey)
	// there was no account set
	if !ok {
		return nil, nil
	}

	var acc *Account
	// metadata is stored as a string, so unmarshal to an account
	if err := json.Unmarshal([]byte(str), &acc); err != nil {
		return nil, err
	}

	return acc, nil
}

// ContextWithAccount sets the account in the context
func ContextWithAccount(ctx context.Context, account *Account) (context.Context, error) {
	// metadata is stored as a string, so marshal to bytes
	bytes, err := json.Marshal(account)
	if err != nil {
		return ctx, err
	}

	// generate a new context with the MetadataKey set
	return metadata.Set(ctx, MetadataKey, string(bytes)), nil
}

// ContextWithToken sets the auth token in the context
func ContextWithToken(ctx context.Context, token string) (context.Context, error) {
	return metadata.Set(ctx, "Authorization", fmt.Sprintf("%v%v", BearerScheme, token)), nil
}
First interface for auth 2019-11-25 12:30:26 +03:00			`// Package auth provides authentication and authorization capability`
			`package auth`

Undefined time 2019-11-25 12:33:30 +03:00			`import (`
Set auth account in context (#1293) 2020-03-04 12:54:52 +03:00			`"context"`
			`"encoding/json"`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`"errors"`
Add ContextWithToken (#1407) * Add ContextWithToken * Tidying up BearerScheme Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-25 14:20:53 +03:00			`"fmt"`
Undefined time 2019-11-25 12:33:30 +03:00			`"time"`
Set auth account in context (#1293) 2020-03-04 12:54:52 +03:00
			`"github.com/micro/go-micro/v2/metadata"`
Undefined time 2019-11-25 12:33:30 +03:00			`)`

Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`var (`
			`// ErrNotFound is returned when a resouce cannot be found`
			`ErrNotFound = errors.New("not found")`
			`// ErrEncodingToken is returned when the service encounters an error during encoding`
			`ErrEncodingToken = errors.New("error encoding the token")`
			`// ErrInvalidToken is returned when the token provided is not valid`
			`ErrInvalidToken = errors.New("invalid token provided")`
			`// ErrInvalidRole is returned when the role provided was invalid`
			`ErrInvalidRole = errors.New("invalid role")`
			`// ErrForbidden is returned when a user does not have the necessary roles to access a resource`
			`ErrForbidden = errors.New("resource forbidden")`
Add ContextWithToken (#1407) * Add ContextWithToken * Tidying up BearerScheme Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-25 14:20:53 +03:00			`// BearerScheme used for Authorization header`
			`BearerScheme = "Bearer "`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`)`

First interface for auth 2019-11-25 12:30:26 +03:00			`// Auth providers authentication and authorization`
			`type Auth interface {`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// Init the auth`
			`Init(opts ...Option)`
			`// Options set for auth`
Auth Wrapper (#1174) * Auth Wrapper * Tweak cmd flag * auth_excludes => auth_exclude * Make Auth.Excludes variadic * Use metadata.Get (passes through http and http2 it will go through various case formats) * fix auth wrapper auth.Auth interface initialisation Co-authored-by: Asim Aslam <asim@aslam.me> 2020-02-10 11:26:28 +03:00			`Options() Options`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// Generate a new account`
Auth (#1147) Implement the Auth interface, with JWT and service implementations. * Update Auth Interface * Define Auth Service Implementation * Support Service Auth * Add Auth Service Proto * Remove erronious files * Implement Auth Service Package * Update Auth Interface * Update Auth Interface. Add Validate, remove Add/Remove roles * Make Revoke interface more explicit * Refactor serializing and deserializing service accounts * Fix srv name & update interface to be more explicit * Require jwt public key for auth * Rename Variables (Resource.ID => Resource.Name & ServiceAccount => Account) * Implement JWT Auth Package * Remove parent, add ID * Update auth imports to v2. Add String() to auth interface 2020-02-03 11:16:02 +03:00			`Generate(id string, opts ...GenerateOption) (*Account, error)`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// Grant access to a resource`
			`Grant(role string, res *Resource) error`
			`// Revoke access to a resource`
			`Revoke(role string, res *Resource) error`
			`// Verify an account has access to a resource`
			`Verify(acc Account, res Resource) error`
			`// Inspect a token`
			`Inspect(token string) (*Account, error)`
			`// Refresh an account using a secret`
			`Refresh(secret string, opts ...RefreshOption) (*Token, error)`
			`// String returns the name of the implementation`
reorder auth interface (#1204) 2020-02-16 22:36:45 +03:00			`String() string`
update with resource 2019-12-18 00:27:05 +03:00			`}`

Auth (#1147) Implement the Auth interface, with JWT and service implementations. * Update Auth Interface * Define Auth Service Implementation * Support Service Auth * Add Auth Service Proto * Remove erronious files * Implement Auth Service Package * Update Auth Interface * Update Auth Interface. Add Validate, remove Add/Remove roles * Make Revoke interface more explicit * Refactor serializing and deserializing service accounts * Fix srv name & update interface to be more explicit * Require jwt public key for auth * Rename Variables (Resource.ID => Resource.Name & ServiceAccount => Account) * Implement JWT Auth Package * Remove parent, add ID * Update auth imports to v2. Add String() to auth interface 2020-02-03 11:16:02 +03:00			`// Resource is an entity such as a user or`
			`type Resource struct {`
update with resource 2019-12-18 00:27:05 +03:00			`// Name of the resource`
			`Name string`
Auth (#1147) Implement the Auth interface, with JWT and service implementations. * Update Auth Interface * Define Auth Service Implementation * Support Service Auth * Add Auth Service Proto * Remove erronious files * Implement Auth Service Package * Update Auth Interface * Update Auth Interface. Add Validate, remove Add/Remove roles * Make Revoke interface more explicit * Refactor serializing and deserializing service accounts * Fix srv name & update interface to be more explicit * Require jwt public key for auth * Rename Variables (Resource.ID => Resource.Name & ServiceAccount => Account) * Implement JWT Auth Package * Remove parent, add ID * Update auth imports to v2. Add String() to auth interface 2020-02-03 11:16:02 +03:00			`// Type of resource, e.g.`
			`Type string`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// Endpoint resource e.g NotesService.Create`
			`Endpoint string`
Auth (#1147) Implement the Auth interface, with JWT and service implementations. * Update Auth Interface * Define Auth Service Implementation * Support Service Auth * Add Auth Service Proto * Remove erronious files * Implement Auth Service Package * Update Auth Interface * Update Auth Interface. Add Validate, remove Add/Remove roles * Make Revoke interface more explicit * Refactor serializing and deserializing service accounts * Fix srv name & update interface to be more explicit * Require jwt public key for auth * Rename Variables (Resource.ID => Resource.Name & ServiceAccount => Account) * Implement JWT Auth Package * Remove parent, add ID * Update auth imports to v2. Add String() to auth interface 2020-02-03 11:16:02 +03:00			`}`

			`// Account provided by an auth provider`
			`type Account struct {`
Auth Provider (#1309) * auth provider mock interface * Auth Provider Options * Implement API Server Auth Package * Add weh utils * Add Login URL * Auth Provider Options * Add auth provider scope and setting token in cookie * Remove auth_login_url flag Co-authored-by: Asim Aslam <asim@aslam.me> Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-07 14:06:57 +03:00			`// ID of the account (UUIDV4, email or username)`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			ID string `json:"id"`
			`// Secret used to renew the account`
			Secret *Token `json:"secret"`
			`// Roles associated with the Account`
			Roles []string `json:"roles"`
			`// Any other associated metadata`
			Metadata map[string]string `json:"metadata"`
			`}`

			`// Token can be short or long lived`
			`type Token struct {`
			`// The token itself`
Removed redundant spaces (#1196) 2020-02-14 10:32:02 +03:00			Token string `json:"token"`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// Type of token, e.g. JWT`
			Type string `json:"type"`
			`// Time of token creation`
First interface for auth 2019-11-25 12:30:26 +03:00			Created time.Time `json:"created"`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// Time of token expiry`
First interface for auth 2019-11-25 12:30:26 +03:00			Expiry time.Time `json:"expiry"`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// Subject of the token, e.g. the account ID`
			Subject string `json:"subject"`
			`// Roles granted to the token`
			Roles []string `json:"roles"`
			`// Metadata embedded in the token`
First interface for auth 2019-11-25 12:30:26 +03:00			Metadata map[string]string `json:"metadata"`
			`}`
Set auth account in context (#1293) 2020-03-04 12:54:52 +03:00
			`const (`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// MetadataKey is the key used when storing the account in metadata`
Set auth account in context (#1293) 2020-03-04 12:54:52 +03:00			`MetadataKey = "auth-account"`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// TokenCookieName is the name of the cookie which stores the auth token`
			`TokenCookieName = "micro-token"`
			`// SecretCookieName is the name of the cookie which stores the auth secret`
			`SecretCookieName = "micro-secret"`
Set auth account in context (#1293) 2020-03-04 12:54:52 +03:00			`)`

			`// AccountFromContext gets the account from the context, which`
			`// is set by the auth wrapper at the start of a call. If the account`
			`// is not set, a nil account will be returned. The error is only returned`
			`// when there was a problem retrieving an account`
			`func AccountFromContext(ctx context.Context) (*Account, error) {`
			`str, ok := metadata.Get(ctx, MetadataKey)`
			`// there was no account set`
			`if !ok {`
			`return nil, nil`
			`}`

			`var acc *Account`
			`// metadata is stored as a string, so unmarshal to an account`
			`if err := json.Unmarshal([]byte(str), &acc); err != nil {`
			`return nil, err`
			`}`

			`return acc, nil`
			`}`

			`// ContextWithAccount sets the account in the context`
			`func ContextWithAccount(ctx context.Context, account *Account) (context.Context, error) {`
			`// metadata is stored as a string, so marshal to bytes`
			`bytes, err := json.Marshal(account)`
			`if err != nil {`
			`return ctx, err`
			`}`

			`// generate a new context with the MetadataKey set`
			`return metadata.Set(ctx, MetadataKey, string(bytes)), nil`
			`}`
Add ContextWithToken (#1407) * Add ContextWithToken * Tidying up BearerScheme Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-25 14:20:53 +03:00
			`// ContextWithToken sets the auth token in the context`
			`func ContextWithToken(ctx context.Context, token string) (context.Context, error) {`
			`return metadata.Set(ctx, "Authorization", fmt.Sprintf("%v%v", BearerScheme, token)), nil`
			`}`