diff --git a/auth/jwt/jwt.go b/auth/jwt/jwt.go
index 1a2e7dd6..66c2ffa6 100644
--- a/auth/jwt/jwt.go
+++ b/auth/jwt/jwt.go
@@ -6,7 +6,6 @@ import (
 "time"
 "github.com/micro/go-micro/v2/auth"
- "github.com/micro/go-micro/v2/auth/rules"
 "github.com/micro/go-micro/v2/auth/token"
 jwtToken "github.com/micro/go-micro/v2/auth/token/jwt"
 )
@@ -107,7 +106,7 @@ func (j *jwt) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyO
 o(&options)
 }
- return rules.Verify(j.rules, acc, res)
+ return auth.VerifyAccess(j.rules, acc, res)
 }
 func (j *jwt) Rules(opts ...auth.RulesOption) ([]*auth.Rule, error) {
diff --git a/auth/rules/rules.go b/auth/rules.go
similarity index 71%
rename from auth/rules/rules.go
rename to auth/rules.go
index b6bc0b65..67f44b94 100644
--- a/auth/rules/rules.go
+++ b/auth/rules.go
@@ -1,17 +1,15 @@
-package rules
+package auth
 import (
 "fmt"
 "sort"
 "strings"
-
- "github.com/micro/go-micro/v2/auth"
 )
-// Verify an account has access to a resource using the rules provided. If the account does not have
+// VerifyAccess an account has access to a resource using the rules provided. If the account does not have
 // access an error will be returned. If there are no rules provided which match the resource, an error
 // will be returned
-func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
+func VerifyAccess(rules []*Rule, acc *Account, res *Resource) error {
 // the rule is only to be applied if the type matches the resource or is catch-all (*)
 validTypes := []string{"*", res.Type}
@@ -29,7 +27,7 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
 }
 // filter the rules to the ones which match the criteria above
- filteredRules := make([]*auth.Rule, 0)
+ filteredRules := make([]*Rule, 0)
 for _, rule := range rules {
 if !include(validTypes, rule.Resource.Type) {
 continue
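Review bot: The doc comment on the renamed function no longer reads as a sentence — `// VerifyAccess an account has access to a resource ...` — and, now that it is the exported access-decision entry point of the auth package, it should state the decision rule explicitly. Suggest `// VerifyAccess reports whether acc may access res under rules. It returns nil when a matching rule grants access, and ErrForbidden when a matching rule denies access or when no rule matches the resource (deny by default).` The body also reads `res.Type` with no nil guard, so a nil resource panics inside an authorization check instead of being denied; `if res == nil { return ErrForbidden }` before `validTypes` is built would keep the deny-by-default behaviour. VerifyAccess continues past the end of the hunk.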
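Review bot: `filteredRules := make([]*Rule, 0)` can be presized now that the loop bound is known: `filteredRules := make([]*Rule, 0, len(rules))`. The filter loop also reads `rule.Resource.Type` without checking `rule.Resource`, so a rule stored without a resource panics during an access decision rather than simply failing to match; a `if rule == nil || rule.Resource == nil { continue }` guard at the top of the loop keeps the fall-through-to-forbidden behaviour. The loop body continues beyond the end of the hunk.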
@@ -51,9 +49,9 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
 // loop through the rules and check for a rule which applies to this account
 for _, rule := range filteredRules {
 // a blank scope indicates the rule applies to everyone, even nil accounts
- if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessDenied {
- return auth.ErrForbidden
- } else if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessGranted {
+ if rule.Scope == ScopePublic && rule.Access == AccessDenied {
+ return ErrForbidden
+ } else if rule.Scope == ScopePublic && rule.Access == AccessGranted {
 return nil
 }
@@ -63,22 +61,22 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
 }
 // this rule applies to any account
- if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessDenied {
- return auth.ErrForbidden
- } else if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessGranted {
+ if rule.Scope == ScopeAccount && rule.Access == AccessDenied {
+ return ErrForbidden
+ } else if rule.Scope == ScopeAccount && rule.Access == AccessGranted {
 return nil
 }
 // if the account has the necessary scope
- if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessDenied {
- return auth.ErrForbidden
- } else if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessGranted {
+ if include(acc.Scopes, rule.Scope) && rule.Access == AccessDenied {
+ return ErrForbidden
+ } else if include(acc.Scopes, rule.Scope) && rule.Access == AccessGranted {
 return nil
 }
 }
 // if no rules matched then return forbidden
- return auth.ErrForbidden
+ return ErrForbidden
 }
 // include is a helper function which checks to see if the slice contains the value. includes is
diff --git a/auth/rules/rules_test.go b/auth/rules_test.go
similarity index 62%
rename from auth/rules/rules_test.go
rename to auth/rules_test.go
index 773b81ed..12315ed2 100644
--- a/auth/rules/rules_test.go
+++ b/auth/rules_test.go
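Review bot: Each `if ... && rule.Access == AccessDenied { return ErrForbidden } else if ... && rule.Access == AccessGranted { return nil }` ladder evaluates its scope predicate twice and keeps an `else if` after a return; the ScopeAccount and `include(acc.Scopes, ...)` ladders in this hunk and the ScopePublic ladder in the preceding hunk all have this shape. Checking the scope once and switching on `rule.Access` reads as one decision per rule and keeps the behaviour identical, including falling through to the next rule when `Access` is neither value. Whether `acc` can still be nil where `acc.Scopes` is read depends on the lines between the two hunks, which are not shown. The enclosing loop starts in the preceding hunk.
```go
// … unchanged: ScopePublic check in the preceding hunk …
// this rule applies to any account
if rule.Scope == ScopeAccount {
	switch rule.Access {
	case AccessDenied:
		return ErrForbidden
	case AccessGranted:
		return nil
	}
}

// if the account has the necessary scope
if include(acc.Scopes, rule.Scope) {
	switch rule.Access {
	case AccessDenied:
		return ErrForbidden
	case AccessGranted:
		return nil
	}
}
// … unchanged: deny-by-default return …
```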
@@ -1,25 +1,23 @@
-package rules
+package auth
 import (
 "testing"
-
- "github.com/micro/go-micro/v2/auth"
 )
 func TestVerify(t *testing.T) {
- srvResource := &auth.Resource{
+ srvResource := &Resource{
 Type: "service",
 Name: "go.micro.service.foo",
 Endpoint: "Foo.Bar",
 }
- webResource := &auth.Resource{
+ webResource := &Resource{
 Type: "service",
 Name: "go.micro.web.foo",
 Endpoint: "/foo/bar",
 }
- catchallResource := &auth.Resource{
+ catchallResource := &Resource{
 Type: "*",
 Name: "*",
 Endpoint: "*",
@@ -27,24 +25,24 @@ func TestVerify(t *testing.T) {
 tt := []struct {
 Name string
- Rules []*auth.Rule
- Account *auth.Account
- Resource *auth.Resource
+ Rules []*Rule
+ Account *Account
+ Resource *Resource
 Error error
 }{
 {
 Name: "NoRules",
- Rules: []*auth.Rule{},
+ Rules: []*Rule{},
 Account: nil,
 Resource: srvResource,
- Error: auth.ErrForbidden,
+ Error: ErrForbidden,
 },
 {
 Name: "CatchallPublicAccount",
- Account: &auth.Account{},
+ Account: &Account{},
 Resource: srvResource,
- Rules: []*auth.Rule{
- &auth.Rule{
+ Rules: []*Rule{
+ &Rule{
 Scope: "",
 Resource: catchallResource,
 },
@@ -53,8 +51,8 @@ func TestVerify(t *testing.T) {
 {
 Name: "CatchallPublicNoAccount",
 Resource: srvResource,
- Rules: []*auth.Rule{
- &auth.Rule{
+ Rules: []*Rule{
+ &Rule{
 Scope: "",
 Resource: catchallResource,
 },
@@ -62,10 +60,10 @@ func TestVerify(t *testing.T) {
 },
 {
 Name: "CatchallPrivateAccount",
- Account: &auth.Account{},
+ Account: &Account{},
 Resource: srvResource,
- Rules: []*auth.Rule{
- &auth.Rule{
+ Rules: []*Rule{
+ &Rule{
 Scope: "*",
 Resource: catchallResource,
 },
@@ -74,22 +72,22 @@ func TestVerify(t *testing.T) {
 {
 Name: "CatchallPrivateNoAccount",
 Resource: srvResource,
- Rules: []*auth.Rule{
- &auth.Rule{
+ Rules: []*Rule{
+ &Rule{
 Scope: "*",
 Resource: catchallResource,
 },
 },
- Error: auth.ErrForbidden,
+ Error: ErrForbidden,
 },
 {
 Name: "CatchallServiceRuleMatch",
 Resource: srvResource,
- Account: &auth.Account{},
- Rules: []*auth.Rule{
- &auth.Rule{
+ Account: &Account{},
+ Rules: []*Rule{
+ &Rule{
 Scope: "*",
- Resource: &auth.Resource{
+ Resource: &Resource{
 Type: srvResource.Type,
 Name: srvResource.Name,
 Endpoint: "*",
@@ -100,27 +98,27 @@ func TestVerify(t *testing.T) {
 {
 Name: "CatchallServiceRuleNoMatch",
 Resource: srvResource,
- Account: &auth.Account{},
- Rules: []*auth.Rule{
- &auth.Rule{
+ Account: &Account{},
+ Rules: []*Rule{
+ &Rule{
 Scope: "*",
- Resource: &auth.Resource{
+ Resource: &Resource{
 Type: srvResource.Type,
 Name: "wrongname",
 Endpoint: "*",
 },
 },
 },
- Error: auth.ErrForbidden,
+ Error: ErrForbidden,
 },
 {
 Name: "ExactRuleValidScope",
 Resource: srvResource,
- Account: &auth.Account{
+ Account: &Account{
 Scopes: []string{"neededscope"},
 },
- Rules: []*auth.Rule{
- &auth.Rule{
+ Rules: []*Rule{
+ &Rule{
 Scope: "neededscope",
 Resource: srvResource,
 },
@@ -129,58 +127,58 @@ func TestVerify(t *testing.T) {
 {
 Name: "ExactRuleInvalidScope",
 Resource: srvResource,
- Account: &auth.Account{
+ Account: &Account{
 Scopes: []string{"neededscope"},
 },
- Rules: []*auth.Rule{
- &auth.Rule{
+ Rules: []*Rule{
+ &Rule{
 Scope: "invalidscope",
 Resource: srvResource,
 },
 },
- Error: auth.ErrForbidden,
+ Error: ErrForbidden,
 },
 {
 Name: "CatchallDenyWithAccount",
 Resource: srvResource,
- Account: &auth.Account{},
- Rules: []*auth.Rule{
- &auth.Rule{
+ Account: &Account{},
+ Rules: []*Rule{
+ &Rule{
 Scope: "*",
 Resource: catchallResource,
- Access: auth.AccessDenied,
+ Access: AccessDenied,
 },
 },
- Error: auth.ErrForbidden,
+ Error: ErrForbidden,
 },
 {
 Name: "CatchallDenyWithNoAccount",
 Resource: srvResource,
- Account: &auth.Account{},
- Rules: []*auth.Rule{
- &auth.Rule{
+ Account: &Account{},
+ Rules: []*Rule{
+ &Rule{
 Scope: "*",
 Resource: catchallResource,
- Access: auth.AccessDenied,
+ Access: AccessDenied,
 },
 },
- Error: auth.ErrForbidden,
+ Error: ErrForbidden,
 },
 {
 Name: "RulePriorityGrantFirst",
 Resource: srvResource,
- Account: &auth.Account{},
- Rules: []*auth.Rule{
- &auth.Rule{
+ Account: &Account{},
+ Rules: []*Rule{
+ &Rule{
 Scope: "*",
 Resource: catchallResource,
- Access: auth.AccessGranted,
+ Access: AccessGranted,
 Priority: 1,
 },
- &auth.Rule{
+ &Rule{
 Scope: "*",
 Resource: catchallResource,
- Access: auth.AccessDenied,
+ Access: AccessDenied,
 Priority: 0,
 },
 },
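Review bot: The `CatchallDenyWithNoAccount` case sets `Account: &Account{}`, which makes it identical to `CatchallDenyWithAccount` directly above it, so the deny rule is never exercised against a nil account and the case does not test what its name says. Drop the field or set `Account: nil,` so that the nil-account path through the deny branch is covered. The table literal continues outside the hunk.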
@@ -188,29 +186,29 @@ func TestVerify(t *testing.T) {
 {
 Name: "RulePriorityDenyFirst",
 Resource: srvResource,
- Account: &auth.Account{},
- Rules: []*auth.Rule{
- &auth.Rule{
+ Account: &Account{},
+ Rules: []*Rule{
+ &Rule{
 Scope: "*",
 Resource: catchallResource,
- Access: auth.AccessGranted,
+ Access: AccessGranted,
 Priority: 0,
 },
- &auth.Rule{
+ &Rule{
 Scope: "*",
 Resource: catchallResource,
- Access: auth.AccessDenied,
+ Access: AccessDenied,
 Priority: 1,
 },
 },
- Error: auth.ErrForbidden,
+ Error: ErrForbidden,
 },
 {
 Name: "WebExactEndpointValid",
 Resource: webResource,
- Account: &auth.Account{},
- Rules: []*auth.Rule{
- &auth.Rule{
+ Account: &Account{},
+ Rules: []*Rule{
+ &Rule{
 Scope: "*",
 Resource: webResource,
 },
@@ -219,27 +217,27 @@ func TestVerify(t *testing.T) {
 {
 Name: "WebExactEndpointInalid",
 Resource: webResource,
- Account: &auth.Account{},
- Rules: []*auth.Rule{
- &auth.Rule{
+ Account: &Account{},
+ Rules: []*Rule{
+ &Rule{
 Scope: "*",
- Resource: &auth.Resource{
+ Resource: &Resource{
 Type: webResource.Type,
 Name: webResource.Name,
 Endpoint: "invalidendpoint",
 },
 },
 },
- Error: auth.ErrForbidden,
+ Error: ErrForbidden,
 },
 {
 Name: "WebWildcardEndpoint",
 Resource: webResource,
- Account: &auth.Account{},
- Rules: []*auth.Rule{
- &auth.Rule{
+ Account: &Account{},
+ Rules: []*Rule{
+ &Rule{
 Scope: "*",
- Resource: &auth.Resource{
+ Resource: &Resource{
 Type: webResource.Type,
 Name: webResource.Name,
 Endpoint: "*",
@@ -250,11 +248,11 @@ func TestVerify(t *testing.T) {
 {
 Name: "WebWildcardPathEndpointValid",
 Resource: webResource,
- Account: &auth.Account{},
- Rules: []*auth.Rule{
- &auth.Rule{
+ Account: &Account{},
+ Rules: []*Rule{
+ &Rule{
 Scope: "*",
- Resource: &auth.Resource{
+ Resource: &Resource{
 Type: webResource.Type,
 Name: webResource.Name,
 Endpoint: "/foo/*",
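Review bot: The case name `WebExactEndpointInalid` in the second hunk of this stretch is misspelled, which makes the subtest awkward to select with `go test -run`; `Name: "WebExactEndpointInvalid",`. The rest of these hunks only drop the `auth.` qualifier and need no further change.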
@@ -265,24 +263,24 @@ func TestVerify(t *testing.T) {
 {
 Name: "WebWildcardPathEndpointInvalid",
 Resource: webResource,
- Account: &auth.Account{},
- Rules: []*auth.Rule{
- &auth.Rule{
+ Account: &Account{},
+ Rules: []*Rule{
+ &Rule{
 Scope: "*",
- Resource: &auth.Resource{
+ Resource: &Resource{
 Type: webResource.Type,
 Name: webResource.Name,
 Endpoint: "/bar/*",
 },
 },
 },
- Error: auth.ErrForbidden,
+ Error: ErrForbidden,
 },
 }
 for _, tc := range tt {
 t.Run(tc.Name, func(t *testing.T) {
- if err := Verify(tc.Rules, tc.Account, tc.Resource); err != tc.Error {
+ if err := VerifyAccess(tc.Rules, tc.Account, tc.Resource); err != tc.Error {
 t.Errorf("Expected %v but got %v", tc.Error, err)
 }
 })
diff --git a/auth/service/service.go b/auth/service/service.go
index 7c64c602..c7af9b18 100644
--- a/auth/service/service.go
+++ b/auth/service/service.go
@@ -7,7 +7,6 @@ import (
 "time"
 "github.com/micro/go-micro/v2/auth"
- "github.com/micro/go-micro/v2/auth/rules"
 pb "github.com/micro/go-micro/v2/auth/service/proto"
 "github.com/micro/go-micro/v2/auth/token"
 "github.com/micro/go-micro/v2/auth/token/jwt"
@@ -170,7 +169,7 @@ func (s *svc) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyO
 return err
 }
- return rules.Verify(rs, acc, res)
+ return auth.VerifyAccess(rs, acc, res)
 }
 // Inspect a token