Verify Options
This commit is contained in:
parent
5d14970a55
commit
344ce061ce
@ -27,7 +27,7 @@ type Auth interface {
|
|||||||
// Generate a new account
|
// Generate a new account
|
||||||
Generate(id string, opts ...GenerateOption) (*Account, error)
|
Generate(id string, opts ...GenerateOption) (*Account, error)
|
||||||
// Verify an account has access to a resource using the rules
|
// Verify an account has access to a resource using the rules
|
||||||
Verify(acc *Account, res *Resource) error
|
Verify(acc *Account, res *Resource, opts ...VerifyOption) error
|
||||||
// Inspect a token
|
// Inspect a token
|
||||||
Inspect(token string) (*Account, error)
|
Inspect(token string) (*Account, error)
|
||||||
// Token generated using refresh token or credentials
|
// Token generated using refresh token or credentials
|
||||||
|
@ -73,7 +73,7 @@ func (n *noop) Rules() ([]*Rule, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Verify an account has access to a resource
|
// Verify an account has access to a resource
|
||||||
func (n *noop) Verify(acc *Account, res *Resource) error {
|
func (n *noop) Verify(acc *Account, res *Resource, opts ...VerifyOption) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -99,10 +99,16 @@ func (j *jwt) Revoke(rule *auth.Rule) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (j *jwt) Verify(acc *auth.Account, res *auth.Resource) error {
|
func (j *jwt) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyOption) error {
|
||||||
j.Lock()
|
j.Lock()
|
||||||
defer j.Unlock()
|
defer j.Unlock()
|
||||||
return rules.Verify(j.options.Namespace, j.rules, acc, res)
|
|
||||||
|
options := auth.VerifyOptions{Scope: j.options.Namespace}
|
||||||
|
for _, o := range opts {
|
||||||
|
o(&options)
|
||||||
|
}
|
||||||
|
|
||||||
|
return rules.Verify(options.Scope, j.rules, acc, res)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (j *jwt) Rules() ([]*auth.Rule, error) {
|
func (j *jwt) Rules() ([]*auth.Rule, error) {
|
||||||
|
@ -233,3 +233,16 @@ func NewTokenOptions(opts ...TokenOption) TokenOptions {
|
|||||||
|
|
||||||
return options
|
return options
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type VerifyOptions struct {
|
||||||
|
Scope string
|
||||||
|
}
|
||||||
|
|
||||||
|
type VerifyOption func(o *VerifyOptions)
|
||||||
|
|
||||||
|
// WithScope to require when verifying
|
||||||
|
func WithScope(s string) VerifyOption {
|
||||||
|
return func(o *VerifyOptions) {
|
||||||
|
o.Scope = s
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@ -12,12 +12,6 @@ import (
|
|||||||
// access an error will be returned. If there are no rules provided which match the resource, an error
|
// access an error will be returned. If there are no rules provided which match the resource, an error
|
||||||
// will be returned
|
// will be returned
|
||||||
func Verify(namespace string, rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
|
func Verify(namespace string, rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
|
||||||
// ensure the account has the necessary scope. Some rules allow for public access so we don't
|
|
||||||
// error if the account is nil.
|
|
||||||
if acc != nil && !acc.HasScope("namespace."+namespace) {
|
|
||||||
return fmt.Errorf("Missing required scope: %v", "namespace."+namespace)
|
|
||||||
}
|
|
||||||
|
|
||||||
// the rule is only to be applied if the type matches the resource or is catch-all (*)
|
// the rule is only to be applied if the type matches the resource or is catch-all (*)
|
||||||
validTypes := []string{"*", res.Type}
|
validTypes := []string{"*", res.Type}
|
||||||
|
|
||||||
@ -37,6 +31,7 @@ func Verify(namespace string, rules []*auth.Rule, acc *auth.Account, res *auth.R
|
|||||||
// filter the rules to the ones which match the criteria above
|
// filter the rules to the ones which match the criteria above
|
||||||
filteredRules := make([]*auth.Rule, 0)
|
filteredRules := make([]*auth.Rule, 0)
|
||||||
for _, rule := range rules {
|
for _, rule := range rules {
|
||||||
|
fmt.Printf("All rules: %v\n", rule.ID)
|
||||||
if !include(validTypes, rule.Resource.Type) {
|
if !include(validTypes, rule.Resource.Type) {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
@ -63,8 +58,8 @@ func Verify(namespace string, rules []*auth.Rule, acc *auth.Account, res *auth.R
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// all furter checks require an account
|
// all further checks require an account within the current scope
|
||||||
if acc == nil {
|
if acc == nil || !acc.HasScope("namespace", namespace) {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -119,11 +119,17 @@ func (s *svc) Rules() ([]*auth.Rule, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Verify an account has access to a resource
|
// Verify an account has access to a resource
|
||||||
func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
|
func (s *svc) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyOption) error {
|
||||||
|
options := auth.VerifyOptions{Scope: s.options.Namespace}
|
||||||
|
for _, o := range opts {
|
||||||
|
o(&options)
|
||||||
|
}
|
||||||
|
|
||||||
// load the rules if none are loaded
|
// load the rules if none are loaded
|
||||||
s.loadRulesIfEmpty()
|
s.loadRulesIfEmpty()
|
||||||
|
|
||||||
// verify the request using the rules
|
// verify the request using the rules
|
||||||
return rules.Verify(s.options.Namespace, s.rules, acc, res)
|
return rules.Verify(options.Scope, s.rules, acc, res)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Inspect a token
|
// Inspect a token
|
||||||
|
Loading…
x
Reference in New Issue
Block a user