micro/auth/service/service.go

326 lines
7.7 KiB
Go
Raw Normal View History

2020-07-19 12:53:38 +03:00
// Package servie is a micro service implementation of the auth interface
package service
import (
"context"
"strings"
"time"
"github.com/micro/go-micro/v2/auth"
pb "github.com/micro/go-micro/v2/auth/service/proto"
"github.com/micro/go-micro/v2/client"
2020-07-19 15:41:23 +03:00
"github.com/micro/go-micro/v2/util/token"
"github.com/micro/go-micro/v2/util/token/jwt"
)
// svc is the service implementation of the Auth interface
2020-07-19 16:41:31 +03:00
type svcAuth struct {
options auth.Options
auth pb.AuthService
2020-05-26 17:52:21 +03:00
rules pb.RulesService
2020-07-19 16:41:31 +03:00
token token.Provider
}
2020-07-19 16:41:31 +03:00
func (s *svcAuth) String() string {
return "service"
}
2020-07-19 16:41:31 +03:00
func (s *svcAuth) Init(opts ...auth.Option) {
for _, o := range opts {
o(&s.options)
}
2020-05-11 19:57:39 +03:00
s.auth = pb.NewAuthService("go.micro.auth", s.options.Client)
2020-05-26 17:52:21 +03:00
s.rules = pb.NewRulesService("go.micro.auth", s.options.Client)
s.setupJWT()
}
2020-07-19 16:41:31 +03:00
func (s *svcAuth) Options() auth.Options {
return s.options
}
// Generate a new account
2020-07-19 16:41:31 +03:00
func (s *svcAuth) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, error) {
options := auth.NewGenerateOptions(opts...)
if len(options.Issuer) == 0 {
options.Issuer = s.options.Issuer
}
// we have the JWT private key and generate ourselves an account
if len(s.options.PrivateKey) > 0 {
acc := &auth.Account{
ID: id,
Type: options.Type,
Scopes: options.Scopes,
Metadata: options.Metadata,
Issuer: options.Issuer,
}
2020-07-19 16:41:31 +03:00
tok, err := s.token.Generate(acc, token.WithExpiry(time.Hour*24*365))
if err != nil {
return nil, err
}
// when using JWTs, the account secret is the JWT's token. This
// can be used as an argument in the Token method.
acc.Secret = tok.Token
return acc, nil
}
rsp, err := s.auth.Generate(context.TODO(), &pb.GenerateRequest{
Id: id,
Type: options.Type,
Secret: options.Secret,
Scopes: options.Scopes,
Metadata: options.Metadata,
Provider: options.Provider,
Options: &pb.Options{
Namespace: options.Issuer,
},
}, s.callOpts()...)
if err != nil {
return nil, err
}
return serializeAccount(rsp.Account), nil
}
// Grant access to a resource
2020-07-19 16:41:31 +03:00
func (s *svcAuth) Grant(rule *auth.Rule) error {
2020-05-21 18:41:55 +03:00
access := pb.Access_UNKNOWN
if rule.Access == auth.AccessGranted {
access = pb.Access_GRANTED
} else if rule.Access == auth.AccessDenied {
access = pb.Access_DENIED
}
2020-05-26 17:52:21 +03:00
_, err := s.rules.Create(context.TODO(), &pb.CreateRequest{
2020-05-20 13:59:01 +03:00
Rule: &pb.Rule{
Id: rule.ID,
2020-05-21 16:56:17 +03:00
Scope: rule.Scope,
2020-05-20 13:59:01 +03:00
Priority: rule.Priority,
2020-05-21 18:41:55 +03:00
Access: access,
2020-05-20 13:59:01 +03:00
Resource: &pb.Resource{
Type: rule.Resource.Type,
Name: rule.Resource.Name,
Endpoint: rule.Resource.Endpoint,
},
},
Options: &pb.Options{
Namespace: s.Options().Issuer,
},
}, s.callOpts()...)
2020-05-21 18:41:55 +03:00
return err
}
// Revoke access to a resource
2020-07-19 16:41:31 +03:00
func (s *svcAuth) Revoke(rule *auth.Rule) error {
2020-05-26 17:52:21 +03:00
_, err := s.rules.Delete(context.TODO(), &pb.DeleteRequest{
Id: rule.ID, Options: &pb.Options{
Namespace: s.Options().Issuer,
},
}, s.callOpts()...)
2020-05-21 18:41:55 +03:00
return err
}
2020-07-19 16:41:31 +03:00
func (s *svcAuth) Rules(opts ...auth.RulesOption) ([]*auth.Rule, error) {
2020-05-26 17:52:21 +03:00
var options auth.RulesOptions
for _, o := range opts {
o(&options)
2020-04-07 18:24:51 +03:00
}
2020-05-26 17:52:21 +03:00
if options.Context == nil {
options.Context = context.TODO()
}
if len(options.Namespace) == 0 {
options.Namespace = s.options.Issuer
}
callOpts := append(s.callOpts(), client.WithCache(time.Second*30))
rsp, err := s.rules.List(options.Context, &pb.ListRequest{
Options: &pb.Options{Namespace: options.Namespace},
}, callOpts...)
2020-05-26 17:52:21 +03:00
if err != nil {
return nil, err
}
2020-05-26 17:52:21 +03:00
rules := make([]*auth.Rule, len(rsp.Rules))
for i, r := range rsp.Rules {
rules[i] = serializeRule(r)
}
2020-05-26 17:52:21 +03:00
return rules, nil
2020-05-20 13:59:01 +03:00
}
// Verify an account has access to a resource
2020-07-19 16:41:31 +03:00
func (s *svcAuth) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyOption) error {
2020-05-21 18:41:55 +03:00
var options auth.VerifyOptions
2020-05-20 18:49:52 +03:00
for _, o := range opts {
o(&options)
}
rs, err := s.Rules(
auth.RulesContext(options.Context),
auth.RulesNamespace(options.Namespace),
)
2020-05-26 17:52:21 +03:00
if err != nil {
return err
}
2020-05-20 18:49:52 +03:00
2020-07-19 15:12:03 +03:00
return auth.VerifyAccess(rs, acc, res)
}
// Inspect a token
2020-07-19 16:41:31 +03:00
func (s *svcAuth) Inspect(token string) (*auth.Account, error) {
2020-04-01 16:25:00 +03:00
// try to decode JWT locally and fall back to srv if an error occurs
if len(strings.Split(token, ".")) == 3 && len(s.options.PublicKey) > 0 {
2020-07-19 16:41:31 +03:00
return s.token.Inspect(token)
}
2020-04-07 18:24:51 +03:00
// the token is not a JWT or we do not have the keys to decode it,
// fall back to the auth service
rsp, err := s.auth.Inspect(context.TODO(), &pb.InspectRequest{
Token: token, Options: &pb.Options{Namespace: s.Options().Issuer},
}, s.callOpts()...)
if err != nil {
return nil, err
}
return serializeAccount(rsp.Account), nil
}
// Token generation using an account ID and secret
2020-07-19 16:41:31 +03:00
func (s *svcAuth) Token(opts ...auth.TokenOption) (*auth.Token, error) {
options := auth.NewTokenOptions(opts...)
2020-07-14 14:44:51 +03:00
if len(options.Issuer) == 0 {
options.Issuer = s.options.Issuer
}
// we have the JWT private key and refresh accounts locally
if len(s.options.PrivateKey) > 0 {
tok := options.RefreshToken
if len(options.Secret) > 0 {
tok = options.Secret
}
2020-07-19 16:41:31 +03:00
acc, err := s.token.Inspect(tok)
if err != nil {
return nil, err
}
2020-07-19 16:41:31 +03:00
token, err := s.token.Generate(acc, token.WithExpiry(options.Expiry))
if err != nil {
return nil, err
}
return &auth.Token{
Expiry: token.Expiry,
AccessToken: token.Token,
RefreshToken: tok,
}, nil
}
rsp, err := s.auth.Token(context.Background(), &pb.TokenRequest{
2020-04-01 16:25:00 +03:00
Id: options.ID,
Secret: options.Secret,
RefreshToken: options.RefreshToken,
TokenExpiry: int64(options.Expiry.Seconds()),
Options: &pb.Options{
2020-07-14 14:44:51 +03:00
Namespace: options.Issuer,
},
}, s.callOpts()...)
if err != nil {
return nil, err
}
return serializeToken(rsp.Token), nil
}
func serializeToken(t *pb.Token) *auth.Token {
return &auth.Token{
2020-04-01 16:25:00 +03:00
AccessToken: t.AccessToken,
RefreshToken: t.RefreshToken,
Created: time.Unix(t.Created, 0),
Expiry: time.Unix(t.Expiry, 0),
}
}
func serializeAccount(a *pb.Account) *auth.Account {
return &auth.Account{
ID: a.Id,
Secret: a.Secret,
2020-05-21 18:41:55 +03:00
Issuer: a.Issuer,
Metadata: a.Metadata,
Scopes: a.Scopes,
}
}
2020-05-13 19:35:57 +03:00
2020-05-26 17:52:21 +03:00
func serializeRule(r *pb.Rule) *auth.Rule {
var access auth.Access
if r.Access == pb.Access_GRANTED {
access = auth.AccessGranted
} else {
access = auth.AccessDenied
}
return &auth.Rule{
ID: r.Id,
Scope: r.Scope,
Access: access,
Priority: r.Priority,
Resource: &auth.Resource{
Type: r.Resource.Type,
Name: r.Resource.Name,
Endpoint: r.Resource.Endpoint,
},
}
}
2020-05-13 19:35:57 +03:00
2020-07-19 16:41:31 +03:00
func (s *svcAuth) callOpts() []client.CallOption {
return []client.CallOption{
client.WithAddress(s.options.Addrs...),
}
}
2020-05-13 19:35:57 +03:00
// NewAuth returns a new instance of the Auth service
func NewAuth(opts ...auth.Option) auth.Auth {
options := auth.NewOptions(opts...)
if options.Client == nil {
options.Client = client.DefaultClient
}
if len(options.Addrs) == 0 {
options.Addrs = []string{"127.0.0.1:8010"}
}
2020-05-13 19:35:57 +03:00
2020-07-19 16:41:31 +03:00
service := &svcAuth{
2020-05-13 19:35:57 +03:00
auth: pb.NewAuthService("go.micro.auth", options.Client),
2020-05-26 17:52:21 +03:00
rules: pb.NewRulesService("go.micro.auth", options.Client),
2020-05-13 19:35:57 +03:00
options: options,
}
service.setupJWT()
return service
}
2020-07-19 16:41:31 +03:00
func (s *svcAuth) setupJWT() {
tokenOpts := []token.Option{}
// if we have a JWT public key passed as an option,
// we can decode tokens with the type "JWT" locally
// and not have to make an RPC call
if key := s.options.PublicKey; len(key) > 0 {
tokenOpts = append(tokenOpts, token.WithPublicKey(key))
}
// if we have a JWT private key passed as an option,
// we can generate accounts locally and not have to make
// an RPC call, this is used for micro clients such as
// api, web, proxy.
if key := s.options.PrivateKey; len(key) > 0 {
tokenOpts = append(tokenOpts, token.WithPrivateKey(key))
}
2020-07-19 16:41:31 +03:00
s.token = jwt.NewTokenProvider(tokenOpts...)
2020-05-13 19:35:57 +03:00
}