micro/auth/rules/rules.go

94 lines
2.9 KiB
Go
Raw Normal View History

2020-05-20 11:59:01 +01:00
package rules
import (
"fmt"
"sort"
"strings"
"github.com/micro/go-micro/v2/auth"
)
// Verify an account has access to a resource using the rules provided. If the account does not have
// access an error will be returned. If there are no rules provided which match the resource, an error
// will be returned
2020-05-21 16:41:55 +01:00
func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
2020-05-20 11:59:01 +01:00
// the rule is only to be applied if the type matches the resource or is catch-all (*)
validTypes := []string{"*", res.Type}
// the rule is only to be applied if the name matches the resource or is catch-all (*)
validNames := []string{"*", res.Name}
// rules can have wildcard excludes on endpoints since this can also be a path for web services,
// e.g. /foo/* would include /foo/bar. We also want to check for wildcards and the exact endpoint
validEndpoints := []string{"*", res.Endpoint}
if comps := strings.Split(res.Endpoint, "/"); len(comps) > 1 {
for i := 1; i < len(comps)+1; i++ {
2020-05-20 11:59:01 +01:00
wildcard := fmt.Sprintf("%v/*", strings.Join(comps[0:i], "/"))
validEndpoints = append(validEndpoints, wildcard)
}
}
// filter the rules to the ones which match the criteria above
filteredRules := make([]*auth.Rule, 0)
for _, rule := range rules {
if !include(validTypes, rule.Resource.Type) {
continue
}
if !include(validNames, rule.Resource.Name) {
continue
}
if !include(validEndpoints, rule.Resource.Endpoint) {
continue
}
filteredRules = append(filteredRules, rule)
}
// sort the filtered rules by priority, highest to lowest
sort.SliceStable(filteredRules, func(i, j int) bool {
return filteredRules[i].Priority > filteredRules[j].Priority
})
// loop through the rules and check for a rule which applies to this account
for _, rule := range filteredRules {
2020-05-21 14:56:17 +01:00
// a blank scope indicates the rule applies to everyone, even nil accounts
2020-05-22 11:37:12 +01:00
if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessDenied {
2020-05-20 11:59:01 +01:00
return auth.ErrForbidden
2020-05-22 11:37:12 +01:00
} else if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessGranted {
2020-05-20 11:59:01 +01:00
return nil
}
2020-05-21 14:56:17 +01:00
// all further checks require an account
if acc == nil {
2020-05-20 11:59:01 +01:00
continue
}
// this rule applies to any account
2020-05-22 11:37:12 +01:00
if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessDenied {
2020-05-20 11:59:01 +01:00
return auth.ErrForbidden
2020-05-22 11:37:12 +01:00
} else if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessGranted {
2020-05-20 11:59:01 +01:00
return nil
}
2020-05-21 14:56:17 +01:00
// if the account has the necessary scope
if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessDenied {
2020-05-20 11:59:01 +01:00
return auth.ErrForbidden
2020-05-22 09:31:15 +01:00
} else if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessGranted {
2020-05-20 11:59:01 +01:00
return nil
}
}
// if no rules matched then return forbidden
return auth.ErrForbidden
}
// include is a helper function which checks to see if the slice contains the value. includes is
// not case sensitive.
func include(slice []string, val string) bool {
for _, s := range slice {
if strings.ToLower(s) == strings.ToLower(val) {
return true
}
}
return false
}