Move rules.Verify to auth.VerifyAccess

This commit is contained in:
Asim Aslam 2020-07-19 13:12:03 +01:00
parent 1838e4a1ee
commit 6920677f1e
4 changed files with 97 additions and 103 deletions

View File

@ -6,7 +6,6 @@ import (
"time" "time"
"github.com/micro/go-micro/v2/auth" "github.com/micro/go-micro/v2/auth"
"github.com/micro/go-micro/v2/auth/rules"
"github.com/micro/go-micro/v2/auth/token" "github.com/micro/go-micro/v2/auth/token"
jwtToken "github.com/micro/go-micro/v2/auth/token/jwt" jwtToken "github.com/micro/go-micro/v2/auth/token/jwt"
) )
@ -107,7 +106,7 @@ func (j *jwt) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyO
o(&options) o(&options)
} }
return rules.Verify(j.rules, acc, res) return auth.VerifyAccess(j.rules, acc, res)
} }
func (j *jwt) Rules(opts ...auth.RulesOption) ([]*auth.Rule, error) { func (j *jwt) Rules(opts ...auth.RulesOption) ([]*auth.Rule, error) {

View File

@ -1,17 +1,15 @@
package rules package auth
import ( import (
"fmt" "fmt"
"sort" "sort"
"strings" "strings"
"github.com/micro/go-micro/v2/auth"
) )
// Verify an account has access to a resource using the rules provided. If the account does not have // VerifyAccess an account has access to a resource using the rules provided. If the account does not have
// access an error will be returned. If there are no rules provided which match the resource, an error // access an error will be returned. If there are no rules provided which match the resource, an error
// will be returned // will be returned
func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error { func VerifyAccess(rules []*Rule, acc *Account, res *Resource) error {
// the rule is only to be applied if the type matches the resource or is catch-all (*) // the rule is only to be applied if the type matches the resource or is catch-all (*)
validTypes := []string{"*", res.Type} validTypes := []string{"*", res.Type}
@ -29,7 +27,7 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
} }
// filter the rules to the ones which match the criteria above // filter the rules to the ones which match the criteria above
filteredRules := make([]*auth.Rule, 0) filteredRules := make([]*Rule, 0)
for _, rule := range rules { for _, rule := range rules {
if !include(validTypes, rule.Resource.Type) { if !include(validTypes, rule.Resource.Type) {
continue continue
@ -51,9 +49,9 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
// loop through the rules and check for a rule which applies to this account // loop through the rules and check for a rule which applies to this account
for _, rule := range filteredRules { for _, rule := range filteredRules {
// a blank scope indicates the rule applies to everyone, even nil accounts // a blank scope indicates the rule applies to everyone, even nil accounts
if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessDenied { if rule.Scope == ScopePublic && rule.Access == AccessDenied {
return auth.ErrForbidden return ErrForbidden
} else if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessGranted { } else if rule.Scope == ScopePublic && rule.Access == AccessGranted {
return nil return nil
} }
@ -63,22 +61,22 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
} }
// this rule applies to any account // this rule applies to any account
if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessDenied { if rule.Scope == ScopeAccount && rule.Access == AccessDenied {
return auth.ErrForbidden return ErrForbidden
} else if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessGranted { } else if rule.Scope == ScopeAccount && rule.Access == AccessGranted {
return nil return nil
} }
// if the account has the necessary scope // if the account has the necessary scope
if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessDenied { if include(acc.Scopes, rule.Scope) && rule.Access == AccessDenied {
return auth.ErrForbidden return ErrForbidden
} else if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessGranted { } else if include(acc.Scopes, rule.Scope) && rule.Access == AccessGranted {
return nil return nil
} }
} }
// if no rules matched then return forbidden // if no rules matched then return forbidden
return auth.ErrForbidden return ErrForbidden
} }
// include is a helper function which checks to see if the slice contains the value. includes is // include is a helper function which checks to see if the slice contains the value. includes is

View File

@ -1,25 +1,23 @@
package rules package auth
import ( import (
"testing" "testing"
"github.com/micro/go-micro/v2/auth"
) )
func TestVerify(t *testing.T) { func TestVerify(t *testing.T) {
srvResource := &auth.Resource{ srvResource := &Resource{
Type: "service", Type: "service",
Name: "go.micro.service.foo", Name: "go.micro.service.foo",
Endpoint: "Foo.Bar", Endpoint: "Foo.Bar",
} }
webResource := &auth.Resource{ webResource := &Resource{
Type: "service", Type: "service",
Name: "go.micro.web.foo", Name: "go.micro.web.foo",
Endpoint: "/foo/bar", Endpoint: "/foo/bar",
} }
catchallResource := &auth.Resource{ catchallResource := &Resource{
Type: "*", Type: "*",
Name: "*", Name: "*",
Endpoint: "*", Endpoint: "*",
@ -27,24 +25,24 @@ func TestVerify(t *testing.T) {
tt := []struct { tt := []struct {
Name string Name string
Rules []*auth.Rule Rules []*Rule
Account *auth.Account Account *Account
Resource *auth.Resource Resource *Resource
Error error Error error
}{ }{
{ {
Name: "NoRules", Name: "NoRules",
Rules: []*auth.Rule{}, Rules: []*Rule{},
Account: nil, Account: nil,
Resource: srvResource, Resource: srvResource,
Error: auth.ErrForbidden, Error: ErrForbidden,
}, },
{ {
Name: "CatchallPublicAccount", Name: "CatchallPublicAccount",
Account: &auth.Account{}, Account: &Account{},
Resource: srvResource, Resource: srvResource,
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "", Scope: "",
Resource: catchallResource, Resource: catchallResource,
}, },
@ -53,8 +51,8 @@ func TestVerify(t *testing.T) {
{ {
Name: "CatchallPublicNoAccount", Name: "CatchallPublicNoAccount",
Resource: srvResource, Resource: srvResource,
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "", Scope: "",
Resource: catchallResource, Resource: catchallResource,
}, },
@ -62,10 +60,10 @@ func TestVerify(t *testing.T) {
}, },
{ {
Name: "CatchallPrivateAccount", Name: "CatchallPrivateAccount",
Account: &auth.Account{}, Account: &Account{},
Resource: srvResource, Resource: srvResource,
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "*", Scope: "*",
Resource: catchallResource, Resource: catchallResource,
}, },
@ -74,22 +72,22 @@ func TestVerify(t *testing.T) {
{ {
Name: "CatchallPrivateNoAccount", Name: "CatchallPrivateNoAccount",
Resource: srvResource, Resource: srvResource,
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "*", Scope: "*",
Resource: catchallResource, Resource: catchallResource,
}, },
}, },
Error: auth.ErrForbidden, Error: ErrForbidden,
}, },
{ {
Name: "CatchallServiceRuleMatch", Name: "CatchallServiceRuleMatch",
Resource: srvResource, Resource: srvResource,
Account: &auth.Account{}, Account: &Account{},
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "*", Scope: "*",
Resource: &auth.Resource{ Resource: &Resource{
Type: srvResource.Type, Type: srvResource.Type,
Name: srvResource.Name, Name: srvResource.Name,
Endpoint: "*", Endpoint: "*",
@ -100,27 +98,27 @@ func TestVerify(t *testing.T) {
{ {
Name: "CatchallServiceRuleNoMatch", Name: "CatchallServiceRuleNoMatch",
Resource: srvResource, Resource: srvResource,
Account: &auth.Account{}, Account: &Account{},
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "*", Scope: "*",
Resource: &auth.Resource{ Resource: &Resource{
Type: srvResource.Type, Type: srvResource.Type,
Name: "wrongname", Name: "wrongname",
Endpoint: "*", Endpoint: "*",
}, },
}, },
}, },
Error: auth.ErrForbidden, Error: ErrForbidden,
}, },
{ {
Name: "ExactRuleValidScope", Name: "ExactRuleValidScope",
Resource: srvResource, Resource: srvResource,
Account: &auth.Account{ Account: &Account{
Scopes: []string{"neededscope"}, Scopes: []string{"neededscope"},
}, },
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "neededscope", Scope: "neededscope",
Resource: srvResource, Resource: srvResource,
}, },
@ -129,58 +127,58 @@ func TestVerify(t *testing.T) {
{ {
Name: "ExactRuleInvalidScope", Name: "ExactRuleInvalidScope",
Resource: srvResource, Resource: srvResource,
Account: &auth.Account{ Account: &Account{
Scopes: []string{"neededscope"}, Scopes: []string{"neededscope"},
}, },
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "invalidscope", Scope: "invalidscope",
Resource: srvResource, Resource: srvResource,
}, },
}, },
Error: auth.ErrForbidden, Error: ErrForbidden,
}, },
{ {
Name: "CatchallDenyWithAccount", Name: "CatchallDenyWithAccount",
Resource: srvResource, Resource: srvResource,
Account: &auth.Account{}, Account: &Account{},
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "*", Scope: "*",
Resource: catchallResource, Resource: catchallResource,
Access: auth.AccessDenied, Access: AccessDenied,
}, },
}, },
Error: auth.ErrForbidden, Error: ErrForbidden,
}, },
{ {
Name: "CatchallDenyWithNoAccount", Name: "CatchallDenyWithNoAccount",
Resource: srvResource, Resource: srvResource,
Account: &auth.Account{}, Account: &Account{},
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "*", Scope: "*",
Resource: catchallResource, Resource: catchallResource,
Access: auth.AccessDenied, Access: AccessDenied,
}, },
}, },
Error: auth.ErrForbidden, Error: ErrForbidden,
}, },
{ {
Name: "RulePriorityGrantFirst", Name: "RulePriorityGrantFirst",
Resource: srvResource, Resource: srvResource,
Account: &auth.Account{}, Account: &Account{},
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "*", Scope: "*",
Resource: catchallResource, Resource: catchallResource,
Access: auth.AccessGranted, Access: AccessGranted,
Priority: 1, Priority: 1,
}, },
&auth.Rule{ &Rule{
Scope: "*", Scope: "*",
Resource: catchallResource, Resource: catchallResource,
Access: auth.AccessDenied, Access: AccessDenied,
Priority: 0, Priority: 0,
}, },
}, },
@ -188,29 +186,29 @@ func TestVerify(t *testing.T) {
{ {
Name: "RulePriorityDenyFirst", Name: "RulePriorityDenyFirst",
Resource: srvResource, Resource: srvResource,
Account: &auth.Account{}, Account: &Account{},
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "*", Scope: "*",
Resource: catchallResource, Resource: catchallResource,
Access: auth.AccessGranted, Access: AccessGranted,
Priority: 0, Priority: 0,
}, },
&auth.Rule{ &Rule{
Scope: "*", Scope: "*",
Resource: catchallResource, Resource: catchallResource,
Access: auth.AccessDenied, Access: AccessDenied,
Priority: 1, Priority: 1,
}, },
}, },
Error: auth.ErrForbidden, Error: ErrForbidden,
}, },
{ {
Name: "WebExactEndpointValid", Name: "WebExactEndpointValid",
Resource: webResource, Resource: webResource,
Account: &auth.Account{}, Account: &Account{},
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "*", Scope: "*",
Resource: webResource, Resource: webResource,
}, },
@ -219,27 +217,27 @@ func TestVerify(t *testing.T) {
{ {
Name: "WebExactEndpointInalid", Name: "WebExactEndpointInalid",
Resource: webResource, Resource: webResource,
Account: &auth.Account{}, Account: &Account{},
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "*", Scope: "*",
Resource: &auth.Resource{ Resource: &Resource{
Type: webResource.Type, Type: webResource.Type,
Name: webResource.Name, Name: webResource.Name,
Endpoint: "invalidendpoint", Endpoint: "invalidendpoint",
}, },
}, },
}, },
Error: auth.ErrForbidden, Error: ErrForbidden,
}, },
{ {
Name: "WebWildcardEndpoint", Name: "WebWildcardEndpoint",
Resource: webResource, Resource: webResource,
Account: &auth.Account{}, Account: &Account{},
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "*", Scope: "*",
Resource: &auth.Resource{ Resource: &Resource{
Type: webResource.Type, Type: webResource.Type,
Name: webResource.Name, Name: webResource.Name,
Endpoint: "*", Endpoint: "*",
@ -250,11 +248,11 @@ func TestVerify(t *testing.T) {
{ {
Name: "WebWildcardPathEndpointValid", Name: "WebWildcardPathEndpointValid",
Resource: webResource, Resource: webResource,
Account: &auth.Account{}, Account: &Account{},
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "*", Scope: "*",
Resource: &auth.Resource{ Resource: &Resource{
Type: webResource.Type, Type: webResource.Type,
Name: webResource.Name, Name: webResource.Name,
Endpoint: "/foo/*", Endpoint: "/foo/*",
@ -265,24 +263,24 @@ func TestVerify(t *testing.T) {
{ {
Name: "WebWildcardPathEndpointInvalid", Name: "WebWildcardPathEndpointInvalid",
Resource: webResource, Resource: webResource,
Account: &auth.Account{}, Account: &Account{},
Rules: []*auth.Rule{ Rules: []*Rule{
&auth.Rule{ &Rule{
Scope: "*", Scope: "*",
Resource: &auth.Resource{ Resource: &Resource{
Type: webResource.Type, Type: webResource.Type,
Name: webResource.Name, Name: webResource.Name,
Endpoint: "/bar/*", Endpoint: "/bar/*",
}, },
}, },
}, },
Error: auth.ErrForbidden, Error: ErrForbidden,
}, },
} }
for _, tc := range tt { for _, tc := range tt {
t.Run(tc.Name, func(t *testing.T) { t.Run(tc.Name, func(t *testing.T) {
if err := Verify(tc.Rules, tc.Account, tc.Resource); err != tc.Error { if err := VerifyAccess(tc.Rules, tc.Account, tc.Resource); err != tc.Error {
t.Errorf("Expected %v but got %v", tc.Error, err) t.Errorf("Expected %v but got %v", tc.Error, err)
} }
}) })

View File

@ -7,7 +7,6 @@ import (
"time" "time"
"github.com/micro/go-micro/v2/auth" "github.com/micro/go-micro/v2/auth"
"github.com/micro/go-micro/v2/auth/rules"
pb "github.com/micro/go-micro/v2/auth/service/proto" pb "github.com/micro/go-micro/v2/auth/service/proto"
"github.com/micro/go-micro/v2/auth/token" "github.com/micro/go-micro/v2/auth/token"
"github.com/micro/go-micro/v2/auth/token/jwt" "github.com/micro/go-micro/v2/auth/token/jwt"
@ -170,7 +169,7 @@ func (s *svc) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyO
return err return err
} }
return rules.Verify(rs, acc, res) return auth.VerifyAccess(rs, acc, res)
} }
// Inspect a token // Inspect a token