some renaming of types in auth
This commit is contained in:
parent
d3326efd4b
commit
647ce61dec
@ -7,29 +7,29 @@ import (
|
|||||||
|
|
||||||
"github.com/micro/go-micro/v2/auth"
|
"github.com/micro/go-micro/v2/auth"
|
||||||
"github.com/micro/go-micro/v2/util/token"
|
"github.com/micro/go-micro/v2/util/token"
|
||||||
jwtToken "github.com/micro/go-micro/v2/util/token/jwt"
|
"github.com/micro/go-micro/v2/util/token/jwt"
|
||||||
)
|
)
|
||||||
|
|
||||||
// NewAuth returns a new instance of the Auth service
|
// NewAuth returns a new instance of the Auth service
|
||||||
func NewAuth(opts ...auth.Option) auth.Auth {
|
func NewAuth(opts ...auth.Option) auth.Auth {
|
||||||
j := new(jwt)
|
j := new(jwtAuth)
|
||||||
j.Init(opts...)
|
j.Init(opts...)
|
||||||
return j
|
return j
|
||||||
}
|
}
|
||||||
|
|
||||||
type jwt struct {
|
type jwtAuth struct {
|
||||||
options auth.Options
|
options auth.Options
|
||||||
jwt token.Provider
|
token token.Provider
|
||||||
rules []*auth.Rule
|
rules []*auth.Rule
|
||||||
|
|
||||||
sync.Mutex
|
sync.Mutex
|
||||||
}
|
}
|
||||||
|
|
||||||
func (j *jwt) String() string {
|
func (j *jwtAuth) String() string {
|
||||||
return "jwt"
|
return "jwt"
|
||||||
}
|
}
|
||||||
|
|
||||||
func (j *jwt) Init(opts ...auth.Option) {
|
func (j *jwtAuth) Init(opts ...auth.Option) {
|
||||||
j.Lock()
|
j.Lock()
|
||||||
defer j.Unlock()
|
defer j.Unlock()
|
||||||
|
|
||||||
@ -37,19 +37,19 @@ func (j *jwt) Init(opts ...auth.Option) {
|
|||||||
o(&j.options)
|
o(&j.options)
|
||||||
}
|
}
|
||||||
|
|
||||||
j.jwt = jwtToken.NewTokenProvider(
|
j.token = jwt.NewTokenProvider(
|
||||||
token.WithPrivateKey(j.options.PrivateKey),
|
token.WithPrivateKey(j.options.PrivateKey),
|
||||||
token.WithPublicKey(j.options.PublicKey),
|
token.WithPublicKey(j.options.PublicKey),
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (j *jwt) Options() auth.Options {
|
func (j *jwtAuth) Options() auth.Options {
|
||||||
j.Lock()
|
j.Lock()
|
||||||
defer j.Unlock()
|
defer j.Unlock()
|
||||||
return j.options
|
return j.options
|
||||||
}
|
}
|
||||||
|
|
||||||
func (j *jwt) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, error) {
|
func (j *jwtAuth) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, error) {
|
||||||
options := auth.NewGenerateOptions(opts...)
|
options := auth.NewGenerateOptions(opts...)
|
||||||
if len(options.Issuer) == 0 {
|
if len(options.Issuer) == 0 {
|
||||||
options.Issuer = j.Options().Issuer
|
options.Issuer = j.Options().Issuer
|
||||||
@ -65,7 +65,7 @@ func (j *jwt) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
|
|||||||
|
|
||||||
// generate a JWT secret which can be provided to the Token() method
|
// generate a JWT secret which can be provided to the Token() method
|
||||||
// and exchanged for an access token
|
// and exchanged for an access token
|
||||||
secret, err := j.jwt.Generate(account, token.WithExpiry(time.Hour*24*365))
|
secret, err := j.token.Generate(account, token.WithExpiry(time.Hour*24*365))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@ -75,14 +75,14 @@ func (j *jwt) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
|
|||||||
return account, nil
|
return account, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (j *jwt) Grant(rule *auth.Rule) error {
|
func (j *jwtAuth) Grant(rule *auth.Rule) error {
|
||||||
j.Lock()
|
j.Lock()
|
||||||
defer j.Unlock()
|
defer j.Unlock()
|
||||||
j.rules = append(j.rules, rule)
|
j.rules = append(j.rules, rule)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (j *jwt) Revoke(rule *auth.Rule) error {
|
func (j *jwtAuth) Revoke(rule *auth.Rule) error {
|
||||||
j.Lock()
|
j.Lock()
|
||||||
defer j.Unlock()
|
defer j.Unlock()
|
||||||
|
|
||||||
@ -97,7 +97,7 @@ func (j *jwt) Revoke(rule *auth.Rule) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (j *jwt) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyOption) error {
|
func (j *jwtAuth) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyOption) error {
|
||||||
j.Lock()
|
j.Lock()
|
||||||
defer j.Unlock()
|
defer j.Unlock()
|
||||||
|
|
||||||
@ -109,17 +109,17 @@ func (j *jwt) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyO
|
|||||||
return auth.VerifyAccess(j.rules, acc, res)
|
return auth.VerifyAccess(j.rules, acc, res)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (j *jwt) Rules(opts ...auth.RulesOption) ([]*auth.Rule, error) {
|
func (j *jwtAuth) Rules(opts ...auth.RulesOption) ([]*auth.Rule, error) {
|
||||||
j.Lock()
|
j.Lock()
|
||||||
defer j.Unlock()
|
defer j.Unlock()
|
||||||
return j.rules, nil
|
return j.rules, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (j *jwt) Inspect(token string) (*auth.Account, error) {
|
func (j *jwtAuth) Inspect(token string) (*auth.Account, error) {
|
||||||
return j.jwt.Inspect(token)
|
return j.token.Inspect(token)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (j *jwt) Token(opts ...auth.TokenOption) (*auth.Token, error) {
|
func (j *jwtAuth) Token(opts ...auth.TokenOption) (*auth.Token, error) {
|
||||||
options := auth.NewTokenOptions(opts...)
|
options := auth.NewTokenOptions(opts...)
|
||||||
|
|
||||||
secret := options.RefreshToken
|
secret := options.RefreshToken
|
||||||
@ -127,17 +127,17 @@ func (j *jwt) Token(opts ...auth.TokenOption) (*auth.Token, error) {
|
|||||||
secret = options.Secret
|
secret = options.Secret
|
||||||
}
|
}
|
||||||
|
|
||||||
account, err := j.jwt.Inspect(secret)
|
account, err := j.token.Inspect(secret)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
access, err := j.jwt.Generate(account, token.WithExpiry(options.Expiry))
|
access, err := j.token.Generate(account, token.WithExpiry(options.Expiry))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
refresh, err := j.jwt.Generate(account, token.WithExpiry(options.Expiry+time.Hour))
|
refresh, err := j.token.Generate(account, token.WithExpiry(options.Expiry+time.Hour))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
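Review bot: The renamed field `token token.Provider` shares its name with the imported `token` package that the same expressions use, so lines like `j.token.Generate(account, token.WithExpiry(time.Hour*24*365))` now read the word three ways at once, and `Inspect(token string)` shadows the package with a parameter for the whole method body. This compiles, since field and local scopes are separate from package scope, but it is easy to misread and will trip the next person who needs `token.WithExpiry` inside a method that already declared a local `token`. Consider `provider token.Provider` (or `tokens`) for the field so the package name stays unambiguous, and `tok` for the parameter of `Inspect`, which `Token()` already uses for the same purpose. The same naming applies to the `svcAuth` struct and its `Inspect`/`Token` methods in the second file section, where `token, err := s.token.Generate(acc, token.WithExpiry(options.Expiry))` shadows the package mid-function.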
@ -14,18 +14,18 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
// svc is the service implementation of the Auth interface
|
// svc is the service implementation of the Auth interface
|
||||||
type svc struct {
|
type svcAuth struct {
|
||||||
options auth.Options
|
options auth.Options
|
||||||
auth pb.AuthService
|
auth pb.AuthService
|
||||||
rules pb.RulesService
|
rules pb.RulesService
|
||||||
jwt token.Provider
|
token token.Provider
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *svc) String() string {
|
func (s *svcAuth) String() string {
|
||||||
return "service"
|
return "service"
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *svc) Init(opts ...auth.Option) {
|
func (s *svcAuth) Init(opts ...auth.Option) {
|
||||||
for _, o := range opts {
|
for _, o := range opts {
|
||||||
o(&s.options)
|
o(&s.options)
|
||||||
}
|
}
|
||||||
@ -36,12 +36,12 @@ func (s *svc) Init(opts ...auth.Option) {
|
|||||||
s.setupJWT()
|
s.setupJWT()
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *svc) Options() auth.Options {
|
func (s *svcAuth) Options() auth.Options {
|
||||||
return s.options
|
return s.options
|
||||||
}
|
}
|
||||||
|
|
||||||
// Generate a new account
|
// Generate a new account
|
||||||
func (s *svc) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, error) {
|
func (s *svcAuth) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, error) {
|
||||||
options := auth.NewGenerateOptions(opts...)
|
options := auth.NewGenerateOptions(opts...)
|
||||||
if len(options.Issuer) == 0 {
|
if len(options.Issuer) == 0 {
|
||||||
options.Issuer = s.options.Issuer
|
options.Issuer = s.options.Issuer
|
||||||
@ -57,7 +57,7 @@ func (s *svc) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
|
|||||||
Issuer: options.Issuer,
|
Issuer: options.Issuer,
|
||||||
}
|
}
|
||||||
|
|
||||||
tok, err := s.jwt.Generate(acc, token.WithExpiry(time.Hour*24*365))
|
tok, err := s.token.Generate(acc, token.WithExpiry(time.Hour*24*365))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@ -87,7 +87,7 @@ func (s *svc) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Grant access to a resource
|
// Grant access to a resource
|
||||||
func (s *svc) Grant(rule *auth.Rule) error {
|
func (s *svcAuth) Grant(rule *auth.Rule) error {
|
||||||
access := pb.Access_UNKNOWN
|
access := pb.Access_UNKNOWN
|
||||||
if rule.Access == auth.AccessGranted {
|
if rule.Access == auth.AccessGranted {
|
||||||
access = pb.Access_GRANTED
|
access = pb.Access_GRANTED
|
||||||
@ -116,7 +116,7 @@ func (s *svc) Grant(rule *auth.Rule) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Revoke access to a resource
|
// Revoke access to a resource
|
||||||
func (s *svc) Revoke(rule *auth.Rule) error {
|
func (s *svcAuth) Revoke(rule *auth.Rule) error {
|
||||||
_, err := s.rules.Delete(context.TODO(), &pb.DeleteRequest{
|
_, err := s.rules.Delete(context.TODO(), &pb.DeleteRequest{
|
||||||
Id: rule.ID, Options: &pb.Options{
|
Id: rule.ID, Options: &pb.Options{
|
||||||
Namespace: s.Options().Issuer,
|
Namespace: s.Options().Issuer,
|
||||||
@ -126,7 +126,7 @@ func (s *svc) Revoke(rule *auth.Rule) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *svc) Rules(opts ...auth.RulesOption) ([]*auth.Rule, error) {
|
func (s *svcAuth) Rules(opts ...auth.RulesOption) ([]*auth.Rule, error) {
|
||||||
var options auth.RulesOptions
|
var options auth.RulesOptions
|
||||||
for _, o := range opts {
|
for _, o := range opts {
|
||||||
o(&options)
|
o(&options)
|
||||||
@ -155,7 +155,7 @@ func (s *svc) Rules(opts ...auth.RulesOption) ([]*auth.Rule, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Verify an account has access to a resource
|
// Verify an account has access to a resource
|
||||||
func (s *svc) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyOption) error {
|
func (s *svcAuth) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyOption) error {
|
||||||
var options auth.VerifyOptions
|
var options auth.VerifyOptions
|
||||||
for _, o := range opts {
|
for _, o := range opts {
|
||||||
o(&options)
|
o(&options)
|
||||||
@ -173,10 +173,10 @@ func (s *svc) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyO
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Inspect a token
|
// Inspect a token
|
||||||
func (s *svc) Inspect(token string) (*auth.Account, error) {
|
func (s *svcAuth) Inspect(token string) (*auth.Account, error) {
|
||||||
// try to decode JWT locally and fall back to srv if an error occurs
|
// try to decode JWT locally and fall back to srv if an error occurs
|
||||||
if len(strings.Split(token, ".")) == 3 && len(s.options.PublicKey) > 0 {
|
if len(strings.Split(token, ".")) == 3 && len(s.options.PublicKey) > 0 {
|
||||||
return s.jwt.Inspect(token)
|
return s.token.Inspect(token)
|
||||||
}
|
}
|
||||||
|
|
||||||
// the token is not a JWT or we do not have the keys to decode it,
|
// the token is not a JWT or we do not have the keys to decode it,
|
||||||
@ -191,7 +191,7 @@ func (s *svc) Inspect(token string) (*auth.Account, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Token generation using an account ID and secret
|
// Token generation using an account ID and secret
|
||||||
func (s *svc) Token(opts ...auth.TokenOption) (*auth.Token, error) {
|
func (s *svcAuth) Token(opts ...auth.TokenOption) (*auth.Token, error) {
|
||||||
options := auth.NewTokenOptions(opts...)
|
options := auth.NewTokenOptions(opts...)
|
||||||
if len(options.Issuer) == 0 {
|
if len(options.Issuer) == 0 {
|
||||||
options.Issuer = s.options.Issuer
|
options.Issuer = s.options.Issuer
|
||||||
@ -204,12 +204,12 @@ func (s *svc) Token(opts ...auth.TokenOption) (*auth.Token, error) {
|
|||||||
tok = options.Secret
|
tok = options.Secret
|
||||||
}
|
}
|
||||||
|
|
||||||
acc, err := s.jwt.Inspect(tok)
|
acc, err := s.token.Inspect(tok)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
token, err := s.jwt.Generate(acc, token.WithExpiry(options.Expiry))
|
token, err := s.token.Generate(acc, token.WithExpiry(options.Expiry))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@ -277,7 +277,7 @@ func serializeRule(r *pb.Rule) *auth.Rule {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *svc) callOpts() []client.CallOption {
|
func (s *svcAuth) callOpts() []client.CallOption {
|
||||||
return []client.CallOption{
|
return []client.CallOption{
|
||||||
client.WithAddress(s.options.Addrs...),
|
client.WithAddress(s.options.Addrs...),
|
||||||
}
|
}
|
||||||
@ -293,7 +293,7 @@ func NewAuth(opts ...auth.Option) auth.Auth {
|
|||||||
options.Addrs = []string{"127.0.0.1:8010"}
|
options.Addrs = []string{"127.0.0.1:8010"}
|
||||||
}
|
}
|
||||||
|
|
||||||
service := &svc{
|
service := &svcAuth{
|
||||||
auth: pb.NewAuthService("go.micro.auth", options.Client),
|
auth: pb.NewAuthService("go.micro.auth", options.Client),
|
||||||
rules: pb.NewRulesService("go.micro.auth", options.Client),
|
rules: pb.NewRulesService("go.micro.auth", options.Client),
|
||||||
options: options,
|
options: options,
|
||||||
@ -303,7 +303,7 @@ func NewAuth(opts ...auth.Option) auth.Auth {
|
|||||||
return service
|
return service
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *svc) setupJWT() {
|
func (s *svcAuth) setupJWT() {
|
||||||
tokenOpts := []token.Option{}
|
tokenOpts := []token.Option{}
|
||||||
|
|
||||||
// if we have a JWT public key passed as an option,
|
// if we have a JWT public key passed as an option,
|
||||||
@ -321,5 +321,5 @@ func (s *svc) setupJWT() {
|
|||||||
tokenOpts = append(tokenOpts, token.WithPrivateKey(key))
|
tokenOpts = append(tokenOpts, token.WithPrivateKey(key))
|
||||||
}
|
}
|
||||||
|
|
||||||
s.jwt = jwt.NewTokenProvider(tokenOpts...)
|
s.token = jwt.NewTokenProvider(tokenOpts...)
|
||||||
}
|
}
|
||||||
|