micro/auth/auth.go

// Package auth provides authentication and authorization capability
package auth

import (
	"context"
	"encoding/json"
	"errors"
	"time"

	"github.com/micro/go-micro/v2/metadata"
)

var (
	// ErrNotFound is returned when a resouce cannot be found
	ErrNotFound = errors.New("not found")
	// ErrEncodingToken is returned when the service encounters an error during encoding
	ErrEncodingToken = errors.New("error encoding the token")
	// ErrInvalidToken is returned when the token provided is not valid
	ErrInvalidToken = errors.New("invalid token provided")
	// ErrInvalidRole is returned when the role provided was invalid
	ErrInvalidRole = errors.New("invalid role")
	// ErrForbidden is returned when a user does not have the necessary roles to access a resource
	ErrForbidden = errors.New("resource forbidden")
)

// Auth providers authentication and authorization
type Auth interface {
	// Init the auth
	Init(opts ...Option)
	// Options set for auth
	Options() Options
	// Generate a new account
	Generate(id string, opts ...GenerateOption) (*Account, error)
	// Grant access to a resource
	Grant(role string, res *Resource) error
	// Revoke access to a resource
	Revoke(role string, res *Resource) error
	// Verify an account has access to a resource
	Verify(acc *Account, res *Resource) error
	// Inspect a token
	Inspect(token string) (*Account, error)
	// Token generated using refresh token
	Token(opts ...TokenOption) (*Token, error)
	// String returns the name of the implementation
	String() string
}

// Resource is an entity such as a user or
type Resource struct {
	// Name of the resource
	Name string `json:"name"`
	// Type of resource, e.g.
	Type string `json:"type"`
	// Endpoint resource e.g NotesService.Create
	Endpoint string `json:"endpoint"`
	// Namespace the resource belongs to
	Namespace string `json:"namespace"`
}

// Account provided by an auth provider
type Account struct {
	// ID of the account e.g. email
	ID string `json:"id"`
	// Type of the account, e.g. service
	Type string `json:"type"`
	// Provider who issued the account
	Provider string `json:"provider"`
	// Roles associated with the Account
	Roles []string `json:"roles"`
	// Any other associated metadata
	Metadata map[string]string `json:"metadata"`
	// Namespace the account belongs to
	Namespace string `json:"namespace"`
	// Secret for the account, e.g. the password
	Secret string `json:"secret"`
}

// Token can be short or long lived
type Token struct {
	// The token to be used for accessing resources
	AccessToken string `json:"access_token"`
	// RefreshToken to be used to generate a new token
	RefreshToken string `json:"refresh_token"`
	// Time of token creation
	Created time.Time `json:"created"`
	// Time of token expiry
	Expiry time.Time `json:"expiry"`
}

const (
	// DefaultNamespace used for auth
	DefaultNamespace = "go.micro"
	// MetadataKey is the key used when storing the account in metadata
	MetadataKey = "auth-account"
	// TokenCookieName is the name of the cookie which stores the auth token
	TokenCookieName = "micro-token"
	// SecretCookieName is the name of the cookie which stores the auth secret
	SecretCookieName = "micro-secret"
	// BearerScheme used for Authorization header
	BearerScheme = "Bearer "
)

// AccountFromContext gets the account from the context, which
// is set by the auth wrapper at the start of a call. If the account
// is not set, a nil account will be returned. The error is only returned
// when there was a problem retrieving an account
func AccountFromContext(ctx context.Context) (*Account, error) {
	str, ok := metadata.Get(ctx, MetadataKey)
	// there was no account set
	if !ok {
		return nil, nil
	}

	var acc *Account
	// metadata is stored as a string, so unmarshal to an account
	if err := json.Unmarshal([]byte(str), &acc); err != nil {
		return nil, err
	}

	return acc, nil
}

// ContextWithAccount sets the account in the context
func ContextWithAccount(ctx context.Context, account *Account) (context.Context, error) {
	// metadata is stored as a string, so marshal to bytes
	bytes, err := json.Marshal(account)
	if err != nil {
		return ctx, err
	}

	// generate a new context with the MetadataKey set
	return metadata.Set(ctx, MetadataKey, string(bytes)), nil
}
First interface for auth 2019-11-25 12:30:26 +03:00			`// Package auth provides authentication and authorization capability`
			`package auth`

Undefined time 2019-11-25 12:33:30 +03:00			`import (`
Set auth account in context (#1293) 2020-03-04 12:54:52 +03:00			`"context"`
			`"encoding/json"`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`"errors"`
Undefined time 2019-11-25 12:33:30 +03:00			`"time"`
Set auth account in context (#1293) 2020-03-04 12:54:52 +03:00
			`"github.com/micro/go-micro/v2/metadata"`
Undefined time 2019-11-25 12:33:30 +03:00			`)`

Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`var (`
			`// ErrNotFound is returned when a resouce cannot be found`
			`ErrNotFound = errors.New("not found")`
			`// ErrEncodingToken is returned when the service encounters an error during encoding`
			`ErrEncodingToken = errors.New("error encoding the token")`
			`// ErrInvalidToken is returned when the token provided is not valid`
			`ErrInvalidToken = errors.New("invalid token provided")`
			`// ErrInvalidRole is returned when the role provided was invalid`
			`ErrInvalidRole = errors.New("invalid role")`
			`// ErrForbidden is returned when a user does not have the necessary roles to access a resource`
			`ErrForbidden = errors.New("resource forbidden")`
			`)`

First interface for auth 2019-11-25 12:30:26 +03:00			`// Auth providers authentication and authorization`
			`type Auth interface {`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// Init the auth`
			`Init(opts ...Option)`
			`// Options set for auth`
Auth Wrapper (#1174) * Auth Wrapper * Tweak cmd flag * auth_excludes => auth_exclude * Make Auth.Excludes variadic * Use metadata.Get (passes through http and http2 it will go through various case formats) * fix auth wrapper auth.Auth interface initialisation Co-authored-by: Asim Aslam <asim@aslam.me> 2020-02-10 11:26:28 +03:00			`Options() Options`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// Generate a new account`
Auth Generate, make secret optional 2020-04-01 19:20:02 +03:00			`Generate(id string, opts ...GenerateOption) (*Account, error)`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// Grant access to a resource`
			`Grant(role string, res *Resource) error`
			`// Revoke access to a resource`
			`Revoke(role string, res *Resource) error`
			`// Verify an account has access to a resource`
			`Verify(acc Account, res Resource) error`
			`// Inspect a token`
			`Inspect(token string) (*Account, error)`
Tweak Auth Interface 2020-03-31 19:01:51 +03:00			`// Token generated using refresh token`
Further Refactoring 2020-04-01 16:25:00 +03:00			`Token(opts ...TokenOption) (*Token, error)`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// String returns the name of the implementation`
reorder auth interface (#1204) 2020-02-16 22:36:45 +03:00			`String() string`
update with resource 2019-12-18 00:27:05 +03:00			`}`

Auth (#1147) Implement the Auth interface, with JWT and service implementations. * Update Auth Interface * Define Auth Service Implementation * Support Service Auth * Add Auth Service Proto * Remove erronious files * Implement Auth Service Package * Update Auth Interface * Update Auth Interface. Add Validate, remove Add/Remove roles * Make Revoke interface more explicit * Refactor serializing and deserializing service accounts * Fix srv name & update interface to be more explicit * Require jwt public key for auth * Rename Variables (Resource.ID => Resource.Name & ServiceAccount => Account) * Implement JWT Auth Package * Remove parent, add ID * Update auth imports to v2. Add String() to auth interface 2020-02-03 11:16:02 +03:00			`// Resource is an entity such as a user or`
			`type Resource struct {`
update with resource 2019-12-18 00:27:05 +03:00			`// Name of the resource`
Namespace requests coming via api & web 2020-04-02 19:01:06 +03:00			Name string `json:"name"`
Auth (#1147) Implement the Auth interface, with JWT and service implementations. * Update Auth Interface * Define Auth Service Implementation * Support Service Auth * Add Auth Service Proto * Remove erronious files * Implement Auth Service Package * Update Auth Interface * Update Auth Interface. Add Validate, remove Add/Remove roles * Make Revoke interface more explicit * Refactor serializing and deserializing service accounts * Fix srv name & update interface to be more explicit * Require jwt public key for auth * Rename Variables (Resource.ID => Resource.Name & ServiceAccount => Account) * Implement JWT Auth Package * Remove parent, add ID * Update auth imports to v2. Add String() to auth interface 2020-02-03 11:16:02 +03:00			`// Type of resource, e.g.`
Namespace requests coming via api & web 2020-04-02 19:01:06 +03:00			Type string `json:"type"`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// Endpoint resource e.g NotesService.Create`
Namespace requests coming via api & web 2020-04-02 19:01:06 +03:00			Endpoint string `json:"endpoint"`
			`// Namespace the resource belongs to`
			Namespace string `json:"namespace"`
Auth (#1147) Implement the Auth interface, with JWT and service implementations. * Update Auth Interface * Define Auth Service Implementation * Support Service Auth * Add Auth Service Proto * Remove erronious files * Implement Auth Service Package * Update Auth Interface * Update Auth Interface. Add Validate, remove Add/Remove roles * Make Revoke interface more explicit * Refactor serializing and deserializing service accounts * Fix srv name & update interface to be more explicit * Require jwt public key for auth * Rename Variables (Resource.ID => Resource.Name & ServiceAccount => Account) * Implement JWT Auth Package * Remove parent, add ID * Update auth imports to v2. Add String() to auth interface 2020-02-03 11:16:02 +03:00			`}`

			`// Account provided by an auth provider`
			`type Account struct {`
Tweak Auth Interface 2020-03-31 19:01:51 +03:00			`// ID of the account e.g. email`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			ID string `json:"id"`
Update interface to add provider and make secret optional 2020-03-31 21:01:43 +03:00			`// Type of the account, e.g. service`
			Type string `json:"type"`
			`// Provider who issued the account`
			Provider string `json:"provider"`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// Roles associated with the Account`
			Roles []string `json:"roles"`
			`// Any other associated metadata`
			Metadata map[string]string `json:"metadata"`
Namespace requests coming via api & web 2020-04-02 19:01:06 +03:00			`// Namespace the account belongs to`
Add Namespace to Auth (#1438) Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-30 11:51:37 +03:00			Namespace string `json:"namespace"`
Implement new interface 2020-03-31 20:17:01 +03:00			`// Secret for the account, e.g. the password`
			Secret string `json:"secret"`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`}`

			`// Token can be short or long lived`
			`type Token struct {`
Further Refactoring 2020-04-01 16:25:00 +03:00			`// The token to be used for accessing resources`
			AccessToken string `json:"access_token"`
			`// RefreshToken to be used to generate a new token`
			RefreshToken string `json:"refresh_token"`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// Time of token creation`
First interface for auth 2019-11-25 12:30:26 +03:00			Created time.Time `json:"created"`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// Time of token expiry`
First interface for auth 2019-11-25 12:30:26 +03:00			Expiry time.Time `json:"expiry"`
			`}`
Set auth account in context (#1293) 2020-03-04 12:54:52 +03:00
			`const (`
Namespace requests coming via api & web 2020-04-02 19:01:06 +03:00			`// DefaultNamespace used for auth`
Add namespace 2020-04-07 14:46:44 +03:00			`DefaultNamespace = "go.micro"`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// MetadataKey is the key used when storing the account in metadata`
Set auth account in context (#1293) 2020-03-04 12:54:52 +03:00			`MetadataKey = "auth-account"`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// TokenCookieName is the name of the cookie which stores the auth token`
			`TokenCookieName = "micro-token"`
			`// SecretCookieName is the name of the cookie which stores the auth secret`
			`SecretCookieName = "micro-secret"`
Namespace requests coming via api & web 2020-04-02 19:01:06 +03:00			`// BearerScheme used for Authorization header`
			`BearerScheme = "Bearer "`
Set auth account in context (#1293) 2020-03-04 12:54:52 +03:00			`)`

			`// AccountFromContext gets the account from the context, which`
			`// is set by the auth wrapper at the start of a call. If the account`
			`// is not set, a nil account will be returned. The error is only returned`
			`// when there was a problem retrieving an account`
			`func AccountFromContext(ctx context.Context) (*Account, error) {`
			`str, ok := metadata.Get(ctx, MetadataKey)`
			`// there was no account set`
			`if !ok {`
			`return nil, nil`
			`}`

			`var acc *Account`
			`// metadata is stored as a string, so unmarshal to an account`
			`if err := json.Unmarshal([]byte(str), &acc); err != nil {`
			`return nil, err`
			`}`

			`return acc, nil`
			`}`

			`// ContextWithAccount sets the account in the context`
			`func ContextWithAccount(ctx context.Context, account *Account) (context.Context, error) {`
			`// metadata is stored as a string, so marshal to bytes`
			`bytes, err := json.Marshal(account)`
			`if err != nil {`
			`return ctx, err`
			`}`

			`// generate a new context with the MetadataKey set`
			`return metadata.Set(ctx, MetadataKey, string(bytes)), nil`
			`}`