From 1fce0f02b60f075585f6c144bf2a9801714c6d57 Mon Sep 17 00:00:00 2001
From: Ben Toogood
Date: Thu, 21 May 2020 18:11:35 +0100
Subject: [PATCH] Verify Namespace

---
 auth/options.go | 10 +++++++++-
 auth/service/service.go | 7 +++++--
 util/wrapper/wrapper.go | 2 +-
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/auth/options.go b/auth/options.go
index 43ead6ac..ed450709 100644
--- a/auth/options.go
+++ b/auth/options.go
@@ -225,6 +225,14 @@ func NewTokenOptions(opts ...TokenOption) TokenOptions {
 return options
 }
 
-type VerifyOptions struct{}
+type VerifyOptions struct {
+ Namespace string
+}
 
 type VerifyOption func(o *VerifyOptions)
+
+func VerifyNamespace(ns string) VerifyOption {
+ return func(o *VerifyOptions) {
+ o.Namespace = ns
+ }
+}
diff --git a/auth/service/service.go b/auth/service/service.go
index 7f2222d4..bb14ece6 100644
--- a/auth/service/service.go
+++ b/auth/service/service.go
@@ -123,12 +123,15 @@ func (s *svc) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyO
 for _, o := range opts {
 o(&options)
 }
+ if len(options.Namespace) == 0 {
+ options.Namespace = s.options.Namespace
+ }
 
 // load the rules if none are loaded
- s.loadRulesIfEmpty(s.Options().Namespace)
+ s.loadRulesIfEmpty(options.Namespace)
 
 // verify the request using the rules
- return rules.Verify(s.rules[s.Options().Namespace], acc, res)
+ return rules.Verify(s.rules[options.Namespace], acc, res)
 }
 
 // Inspect a token
diff --git a/util/wrapper/wrapper.go b/util/wrapper/wrapper.go
index dce54cb3..ffa3d61b 100644
--- a/util/wrapper/wrapper.go
+++ b/util/wrapper/wrapper.go
@@ -221,7 +221,7 @@ func AuthHandler(fn func() auth.Auth) server.HandlerWrapper {
 }
 
 // Verify the caller has access to the resource
- err := a.Verify(account, res)
+ err := a.Verify(account, res, auth.VerifyNamespace(ns))
 if err != nil && account != nil {
 return errors.Forbidden(req.Service(), "Forbidden call made to %v:%v by %v", req.Service(), req.Endpoint(), account.ID)
 } else if err != nil {
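Review bot: In auth/options.go, `VerifyOptions`, its `Namespace` field and `VerifyNamespace` are exported without doc comments, although the field decides which namespace's rules an authorization check is evaluated against. I would add `// VerifyNamespace sets the namespace whose rules are used to verify the request.` above the function. The field should get a comment saying that an empty value means "use the implementation's configured namespace", which is what the auth/service/service.go hunk of this patch does. Other `auth.Auth` implementations are not visible here, so the comment should also say whether they are expected to honour the option or may ignore it.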
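Review bot: In auth/service/service.go the new fallback reads `s.options.Namespace` directly, while the two lines it replaces went through `s.Options().Namespace`. If `Options()` does more than return the field (not visible in this hunk), the values can diverge, so `options.Namespace = s.Options().Namespace` would keep the earlier behaviour. Separately, `s.loadRulesIfEmpty(options.Namespace)` and `s.rules[options.Namespace]` are now keyed by a caller-supplied value, so each distinct namespace presumably triggers a rule load and adds an entry to `s.rules`. Where that value originates from a request, consider rejecting namespaces the service does not know or bounding the cache. A comment stating what `rules.Verify` does with an empty rule set (deny is the safe answer) would help, since that is the path an unknown namespace takes. Verify's opening lines are above the hunk.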
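Review bot: In util/wrapper/wrapper.go, `ns` in `a.Verify(account, res, auth.VerifyNamespace(ns))` is assigned outside this hunk, so these lines do not show whether it is a server-side value or taken from request metadata. If it is the latter, the caller now selects which namespace's rules authorize its own request. The wrapper should then check the value against something it trusts before calling Verify, for example the namespace the account was issued for, if the account carries one. A comment next to the call such as `// ns is validated above; Verify evaluates the rules of that namespace only` would record that decision. AuthHandler begins and ends outside the hunk.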