Move rules.Verify to auth.VerifyAccess

auth/jwt/jwt.go

@@ -6,7 +6,6 @@ import (
 	"time"
 
 	"github.com/micro/go-micro/v2/auth"
-	"github.com/micro/go-micro/v2/auth/rules"
 	"github.com/micro/go-micro/v2/auth/token"
 	jwtToken "github.com/micro/go-micro/v2/auth/token/jwt"
 )
@@ -107,7 +106,7 @@ func (j *jwt) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyO
 		o(&options)
 	}
 
-	return rules.Verify(j.rules, acc, res)
+	return auth.VerifyAccess(j.rules, acc, res)
 }
 
 func (j *jwt) Rules(opts ...auth.RulesOption) ([]*auth.Rule, error) {

auth/rules.go

@@ -1,17 +1,15 @@
-package rules
+package auth
 
 import (
 	"fmt"
 	"sort"
 	"strings"
-
-	"github.com/micro/go-micro/v2/auth"
 )
 
-// Verify an account has access to a resource using the rules provided. If the account does not have
+// VerifyAccess an account has access to a resource using the rules provided. If the account does not have
 // access an error will be returned. If there are no rules provided which match the resource, an error
 // will be returned
-func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
+func VerifyAccess(rules []*Rule, acc *Account, res *Resource) error {
 	// the rule is only to be applied if the type matches the resource or is catch-all (*)
 	validTypes := []string{"*", res.Type}
 
@@ -29,7 +27,7 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
 	}
 
 	// filter the rules to the ones which match the criteria above
-	filteredRules := make([]*auth.Rule, 0)
+	filteredRules := make([]*Rule, 0)
 	for _, rule := range rules {
 		if !include(validTypes, rule.Resource.Type) {
 			continue
@@ -51,9 +49,9 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
 	// loop through the rules and check for a rule which applies to this account
 	for _, rule := range filteredRules {
 		// a blank scope indicates the rule applies to everyone, even nil accounts
-		if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessDenied {
-			return auth.ErrForbidden
-		} else if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessGranted {
+		if rule.Scope == ScopePublic && rule.Access == AccessDenied {
+			return ErrForbidden
+		} else if rule.Scope == ScopePublic && rule.Access == AccessGranted {
 			return nil
 		}
 
@@ -63,22 +61,22 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
 		}
 
 		// this rule applies to any account
-		if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessDenied {
-			return auth.ErrForbidden
-		} else if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessGranted {
+		if rule.Scope == ScopeAccount && rule.Access == AccessDenied {
+			return ErrForbidden
+		} else if rule.Scope == ScopeAccount && rule.Access == AccessGranted {
 			return nil
 		}
 
 		// if the account has the necessary scope
-		if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessDenied {
-			return auth.ErrForbidden
-		} else if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessGranted {
+		if include(acc.Scopes, rule.Scope) && rule.Access == AccessDenied {
+			return ErrForbidden
+		} else if include(acc.Scopes, rule.Scope) && rule.Access == AccessGranted {
 			return nil
 		}
 	}
 
 	// if no rules matched then return forbidden
-	return auth.ErrForbidden
+	return ErrForbidden
 }
 
 // include is a helper function which checks to see if the slice contains the value. includes is

auth/rules_test.go

@@ -1,25 +1,23 @@
-package rules
+package auth
 
 import (
 	"testing"
-
-	"github.com/micro/go-micro/v2/auth"
 )
 
 func TestVerify(t *testing.T) {
-	srvResource := &auth.Resource{
+	srvResource := &Resource{
 		Type:     "service",
 		Name:     "go.micro.service.foo",
 		Endpoint: "Foo.Bar",
 	}
 
-	webResource := &auth.Resource{
+	webResource := &Resource{
 		Type:     "service",
 		Name:     "go.micro.web.foo",
 		Endpoint: "/foo/bar",
 	}
 
-	catchallResource := &auth.Resource{
+	catchallResource := &Resource{
 		Type:     "*",
 		Name:     "*",
 		Endpoint: "*",
@@ -27,24 +25,24 @@ func TestVerify(t *testing.T) {
 
 	tt := []struct {
 		Name     string
-		Rules    []*auth.Rule
-		Account  *auth.Account
-		Resource *auth.Resource
+		Rules    []*Rule
+		Account  *Account
+		Resource *Resource
 		Error    error
 	}{
 		{
 			Name:     "NoRules",
-			Rules:    []*auth.Rule{},
+			Rules:    []*Rule{},
 			Account:  nil,
 			Resource: srvResource,
-			Error:    auth.ErrForbidden,
+			Error:    ErrForbidden,
 		},
 		{
 			Name:     "CatchallPublicAccount",
-			Account:  &auth.Account{},
+			Account:  &Account{},
 			Resource: srvResource,
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Rules: []*Rule{
+				&Rule{
 					Scope:    "",
 					Resource: catchallResource,
 				},
@@ -53,8 +51,8 @@ func TestVerify(t *testing.T) {
 		{
 			Name:     "CatchallPublicNoAccount",
 			Resource: srvResource,
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Rules: []*Rule{
+				&Rule{
 					Scope:    "",
 					Resource: catchallResource,
 				},
@@ -62,10 +60,10 @@ func TestVerify(t *testing.T) {
 		},
 		{
 			Name:     "CatchallPrivateAccount",
-			Account:  &auth.Account{},
+			Account:  &Account{},
 			Resource: srvResource,
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Rules: []*Rule{
+				&Rule{
 					Scope:    "*",
 					Resource: catchallResource,
 				},
@@ -74,22 +72,22 @@ func TestVerify(t *testing.T) {
 		{
 			Name:     "CatchallPrivateNoAccount",
 			Resource: srvResource,
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Rules: []*Rule{
+				&Rule{
 					Scope:    "*",
 					Resource: catchallResource,
 				},
 			},
-			Error: auth.ErrForbidden,
+			Error: ErrForbidden,
 		},
 		{
 			Name:     "CatchallServiceRuleMatch",
 			Resource: srvResource,
-			Account:  &auth.Account{},
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Account:  &Account{},
+			Rules: []*Rule{
+				&Rule{
 					Scope: "*",
-					Resource: &auth.Resource{
+					Resource: &Resource{
 						Type:     srvResource.Type,
 						Name:     srvResource.Name,
 						Endpoint: "*",
@@ -100,27 +98,27 @@ func TestVerify(t *testing.T) {
 		{
 			Name:     "CatchallServiceRuleNoMatch",
 			Resource: srvResource,
-			Account:  &auth.Account{},
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Account:  &Account{},
+			Rules: []*Rule{
+				&Rule{
 					Scope: "*",
-					Resource: &auth.Resource{
+					Resource: &Resource{
 						Type:     srvResource.Type,
 						Name:     "wrongname",
 						Endpoint: "*",
 					},
 				},
 			},
-			Error: auth.ErrForbidden,
+			Error: ErrForbidden,
 		},
 		{
 			Name:     "ExactRuleValidScope",
 			Resource: srvResource,
-			Account: &auth.Account{
+			Account: &Account{
 				Scopes: []string{"neededscope"},
 			},
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Rules: []*Rule{
+				&Rule{
 					Scope:    "neededscope",
 					Resource: srvResource,
 				},
@@ -129,58 +127,58 @@ func TestVerify(t *testing.T) {
 		{
 			Name:     "ExactRuleInvalidScope",
 			Resource: srvResource,
-			Account: &auth.Account{
+			Account: &Account{
 				Scopes: []string{"neededscope"},
 			},
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Rules: []*Rule{
+				&Rule{
 					Scope:    "invalidscope",
 					Resource: srvResource,
 				},
 			},
-			Error: auth.ErrForbidden,
+			Error: ErrForbidden,
 		},
 		{
 			Name:     "CatchallDenyWithAccount",
 			Resource: srvResource,
-			Account:  &auth.Account{},
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Account:  &Account{},
+			Rules: []*Rule{
+				&Rule{
 					Scope:    "*",
 					Resource: catchallResource,
-					Access:   auth.AccessDenied,
+					Access:   AccessDenied,
 				},
 			},
-			Error: auth.ErrForbidden,
+			Error: ErrForbidden,
 		},
 		{
 			Name:     "CatchallDenyWithNoAccount",
 			Resource: srvResource,
-			Account:  &auth.Account{},
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Account:  &Account{},
+			Rules: []*Rule{
+				&Rule{
 					Scope:    "*",
 					Resource: catchallResource,
-					Access:   auth.AccessDenied,
+					Access:   AccessDenied,
 				},
 			},
-			Error: auth.ErrForbidden,
+			Error: ErrForbidden,
 		},
 		{
 			Name:     "RulePriorityGrantFirst",
 			Resource: srvResource,
-			Account:  &auth.Account{},
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Account:  &Account{},
+			Rules: []*Rule{
+				&Rule{
 					Scope:    "*",
 					Resource: catchallResource,
-					Access:   auth.AccessGranted,
+					Access:   AccessGranted,
 					Priority: 1,
 				},
-				&auth.Rule{
+				&Rule{
 					Scope:    "*",
 					Resource: catchallResource,
-					Access:   auth.AccessDenied,
+					Access:   AccessDenied,
 					Priority: 0,
 				},
 			},
@@ -188,29 +186,29 @@ func TestVerify(t *testing.T) {
 		{
 			Name:     "RulePriorityDenyFirst",
 			Resource: srvResource,
-			Account:  &auth.Account{},
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Account:  &Account{},
+			Rules: []*Rule{
+				&Rule{
 					Scope:    "*",
 					Resource: catchallResource,
-					Access:   auth.AccessGranted,
+					Access:   AccessGranted,
 					Priority: 0,
 				},
-				&auth.Rule{
+				&Rule{
 					Scope:    "*",
 					Resource: catchallResource,
-					Access:   auth.AccessDenied,
+					Access:   AccessDenied,
 					Priority: 1,
 				},
 			},
-			Error: auth.ErrForbidden,
+			Error: ErrForbidden,
 		},
 		{
 			Name:     "WebExactEndpointValid",
 			Resource: webResource,
-			Account:  &auth.Account{},
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Account:  &Account{},
+			Rules: []*Rule{
+				&Rule{
 					Scope:    "*",
 					Resource: webResource,
 				},
@@ -219,27 +217,27 @@ func TestVerify(t *testing.T) {
 		{
 			Name:     "WebExactEndpointInalid",
 			Resource: webResource,
-			Account:  &auth.Account{},
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Account:  &Account{},
+			Rules: []*Rule{
+				&Rule{
 					Scope: "*",
-					Resource: &auth.Resource{
+					Resource: &Resource{
 						Type:     webResource.Type,
 						Name:     webResource.Name,
 						Endpoint: "invalidendpoint",
 					},
 				},
 			},
-			Error: auth.ErrForbidden,
+			Error: ErrForbidden,
 		},
 		{
 			Name:     "WebWildcardEndpoint",
 			Resource: webResource,
-			Account:  &auth.Account{},
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Account:  &Account{},
+			Rules: []*Rule{
+				&Rule{
 					Scope: "*",
-					Resource: &auth.Resource{
+					Resource: &Resource{
 						Type:     webResource.Type,
 						Name:     webResource.Name,
 						Endpoint: "*",
@@ -250,11 +248,11 @@ func TestVerify(t *testing.T) {
 		{
 			Name:     "WebWildcardPathEndpointValid",
 			Resource: webResource,
-			Account:  &auth.Account{},
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Account:  &Account{},
+			Rules: []*Rule{
+				&Rule{
 					Scope: "*",
-					Resource: &auth.Resource{
+					Resource: &Resource{
 						Type:     webResource.Type,
 						Name:     webResource.Name,
 						Endpoint: "/foo/*",
@@ -265,24 +263,24 @@ func TestVerify(t *testing.T) {
 		{
 			Name:     "WebWildcardPathEndpointInvalid",
 			Resource: webResource,
-			Account:  &auth.Account{},
-			Rules: []*auth.Rule{
-				&auth.Rule{
+			Account:  &Account{},
+			Rules: []*Rule{
+				&Rule{
 					Scope: "*",
-					Resource: &auth.Resource{
+					Resource: &Resource{
 						Type:     webResource.Type,
 						Name:     webResource.Name,
 						Endpoint: "/bar/*",
 					},
 				},
 			},
-			Error: auth.ErrForbidden,
+			Error: ErrForbidden,
 		},
 	}
 
 	for _, tc := range tt {
 		t.Run(tc.Name, func(t *testing.T) {
-			if err := Verify(tc.Rules, tc.Account, tc.Resource); err != tc.Error {
+			if err := VerifyAccess(tc.Rules, tc.Account, tc.Resource); err != tc.Error {
 				t.Errorf("Expected %v but got %v", tc.Error, err)
 			}
 		})

auth/service/service.go

@@ -7,7 +7,6 @@ import (
 	"time"
 
 	"github.com/micro/go-micro/v2/auth"
-	"github.com/micro/go-micro/v2/auth/rules"
 	pb "github.com/micro/go-micro/v2/auth/service/proto"
 	"github.com/micro/go-micro/v2/auth/token"
 	"github.com/micro/go-micro/v2/auth/token/jwt"
@@ -170,7 +169,7 @@ func (s *svc) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyO
 		return err
 	}
 
-	return rules.Verify(rs, acc, res)
+	return auth.VerifyAccess(rs, acc, res)
 }
 
 // Inspect a token