From 0e563821076b32133df586a8ef6420cf4b43c718 Mon Sep 17 00:00:00 2001
From: ben-toogood
Date: Wed, 25 Mar 2020 09:35:29 +0000
Subject: [PATCH] Fix service level auth, add improved error descriptions to aid with debugging (#1403)

Co-authored-by: Ben Toogood
---
 service.go | 2 +-
 util/wrapper/wrapper.go | 12 +++++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/service.go b/service.go
index a693aa34..af491f86 100644
--- a/service.go
+++ b/service.go
@@ -46,7 +46,7 @@ func newService(opts ...Option) Service {
 options.Server.Init(
 server.WrapHandler(wrapper.HandlerStats(stats.DefaultStats)),
 server.WrapHandler(wrapper.TraceHandler(trace.DefaultTracer)),
- server.WrapHandler(wrapper.AuthHandler(authFn)),
+ server.WrapHandler(wrapper.AuthHandler(authFn, serviceName)),
 )
 
 // set opts
diff --git a/util/wrapper/wrapper.go b/util/wrapper/wrapper.go
index cd4cc30c..55f3caf3 100644
--- a/util/wrapper/wrapper.go
+++ b/util/wrapper/wrapper.go
@@ -153,7 +153,7 @@ func TraceHandler(t trace.Tracer) server.HandlerWrapper {
 }
 
 // AuthHandler wraps a server handler to perform auth
-func AuthHandler(fn func() auth.Auth) server.HandlerWrapper {
+func AuthHandler(fn func() auth.Auth, srvName string) server.HandlerWrapper {
 return func(h server.HandlerFunc) server.HandlerFunc {
 return func(ctx context.Context, req server.Request, rsp interface{}) error {
 // get the auth.Auth interface
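Review bot: The doc comment above `AuthHandler` was not updated for the new `srvName` parameter, so a reader has to locate the `auth.Resource` construction further down the function to learn what the value is used for. I would extend it to `// AuthHandler wraps a server handler to perform auth. srvName is the name of the service being protected; it is used as the resource name when the caller's access to the requested endpoint is verified.` AuthHandler's body continues past the end of this hunk.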
@@ -181,10 +181,16 @@ func AuthHandler(fn func() auth.Auth) server.HandlerWrapper {
 token = header[len(BearerScheme):]
 }
 
- // Verify the token
+ // Inspect the token and get the account
 account, err := a.Inspect(token)
 if err != nil {
- return errors.Unauthorized("go.micro.auth", err.Error())
+ return errors.Unauthorized("go.micro.auth", "Unauthorised call made to %v", req.Endpoint())
+ }
+
+ // Verify the caller has access to the resource
+ resource := &auth.Resource{Type: "service", Name: srvName, Endpoint: req.Endpoint()}
+ if err := a.Verify(account, resource); err != nil {
+ return errors.Forbidden("go.micro.auth", "Forbidden call made to %v %v by %v", srvName, req.Endpoint(), account.ID)
 }
 
 // There is an account, set it in the context
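Review bot: The error returned by `a.Inspect` is discarded in the new `errors.Unauthorized` branch, so nothing records why a token was rejected (e.g. expired versus malformed), which works against the commit's stated aim of aiding debugging. Keeping a generic client-facing message is the right call, since echoing the verifier's internal error to an unauthenticated caller was the weaker choice, but the underlying `err` should be logged server-side at debug level before returning, using whatever logger this package already has in scope. Separately, the Forbidden message dereferences `account.ID`; if `Inspect` can return a nil account together with a nil error, that line panics, so either confirm that contract or guard it with `if account == nil { return errors.Unauthorized("go.micro.auth", "Unauthorised call made to %v", req.Endpoint()) }`. The enclosing handler closure begins and ends outside this hunk.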