Move rules.Verify to auth.VerifyAccess
This commit is contained in:
parent
1838e4a1ee
commit
6920677f1e
@ -6,7 +6,6 @@ import (
|
|||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/micro/go-micro/v2/auth"
|
"github.com/micro/go-micro/v2/auth"
|
||||||
"github.com/micro/go-micro/v2/auth/rules"
|
|
||||||
"github.com/micro/go-micro/v2/auth/token"
|
"github.com/micro/go-micro/v2/auth/token"
|
||||||
jwtToken "github.com/micro/go-micro/v2/auth/token/jwt"
|
jwtToken "github.com/micro/go-micro/v2/auth/token/jwt"
|
||||||
)
|
)
|
||||||
@ -107,7 +106,7 @@ func (j *jwt) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyO
|
|||||||
o(&options)
|
o(&options)
|
||||||
}
|
}
|
||||||
|
|
||||||
return rules.Verify(j.rules, acc, res)
|
return auth.VerifyAccess(j.rules, acc, res)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (j *jwt) Rules(opts ...auth.RulesOption) ([]*auth.Rule, error) {
|
func (j *jwt) Rules(opts ...auth.RulesOption) ([]*auth.Rule, error) {
|
||||||
|
@ -1,17 +1,15 @@
|
|||||||
package rules
|
package auth
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"sort"
|
"sort"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/micro/go-micro/v2/auth"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// Verify an account has access to a resource using the rules provided. If the account does not have
|
// VerifyAccess an account has access to a resource using the rules provided. If the account does not have
|
||||||
// access an error will be returned. If there are no rules provided which match the resource, an error
|
// access an error will be returned. If there are no rules provided which match the resource, an error
|
||||||
// will be returned
|
// will be returned
|
||||||
func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
|
func VerifyAccess(rules []*Rule, acc *Account, res *Resource) error {
|
||||||
// the rule is only to be applied if the type matches the resource or is catch-all (*)
|
// the rule is only to be applied if the type matches the resource or is catch-all (*)
|
||||||
validTypes := []string{"*", res.Type}
|
validTypes := []string{"*", res.Type}
|
||||||
|
|
||||||
@ -29,7 +27,7 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// filter the rules to the ones which match the criteria above
|
// filter the rules to the ones which match the criteria above
|
||||||
filteredRules := make([]*auth.Rule, 0)
|
filteredRules := make([]*Rule, 0)
|
||||||
for _, rule := range rules {
|
for _, rule := range rules {
|
||||||
if !include(validTypes, rule.Resource.Type) {
|
if !include(validTypes, rule.Resource.Type) {
|
||||||
continue
|
continue
|
||||||
@ -51,9 +49,9 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
|
|||||||
// loop through the rules and check for a rule which applies to this account
|
// loop through the rules and check for a rule which applies to this account
|
||||||
for _, rule := range filteredRules {
|
for _, rule := range filteredRules {
|
||||||
// a blank scope indicates the rule applies to everyone, even nil accounts
|
// a blank scope indicates the rule applies to everyone, even nil accounts
|
||||||
if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessDenied {
|
if rule.Scope == ScopePublic && rule.Access == AccessDenied {
|
||||||
return auth.ErrForbidden
|
return ErrForbidden
|
||||||
} else if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessGranted {
|
} else if rule.Scope == ScopePublic && rule.Access == AccessGranted {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -63,22 +61,22 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// this rule applies to any account
|
// this rule applies to any account
|
||||||
if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessDenied {
|
if rule.Scope == ScopeAccount && rule.Access == AccessDenied {
|
||||||
return auth.ErrForbidden
|
return ErrForbidden
|
||||||
} else if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessGranted {
|
} else if rule.Scope == ScopeAccount && rule.Access == AccessGranted {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// if the account has the necessary scope
|
// if the account has the necessary scope
|
||||||
if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessDenied {
|
if include(acc.Scopes, rule.Scope) && rule.Access == AccessDenied {
|
||||||
return auth.ErrForbidden
|
return ErrForbidden
|
||||||
} else if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessGranted {
|
} else if include(acc.Scopes, rule.Scope) && rule.Access == AccessGranted {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// if no rules matched then return forbidden
|
// if no rules matched then return forbidden
|
||||||
return auth.ErrForbidden
|
return ErrForbidden
|
||||||
}
|
}
|
||||||
|
|
||||||
// include is a helper function which checks to see if the slice contains the value. includes is
|
// include is a helper function which checks to see if the slice contains the value. includes is
|
@ -1,25 +1,23 @@
|
|||||||
package rules
|
package auth
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/micro/go-micro/v2/auth"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestVerify(t *testing.T) {
|
func TestVerify(t *testing.T) {
|
||||||
srvResource := &auth.Resource{
|
srvResource := &Resource{
|
||||||
Type: "service",
|
Type: "service",
|
||||||
Name: "go.micro.service.foo",
|
Name: "go.micro.service.foo",
|
||||||
Endpoint: "Foo.Bar",
|
Endpoint: "Foo.Bar",
|
||||||
}
|
}
|
||||||
|
|
||||||
webResource := &auth.Resource{
|
webResource := &Resource{
|
||||||
Type: "service",
|
Type: "service",
|
||||||
Name: "go.micro.web.foo",
|
Name: "go.micro.web.foo",
|
||||||
Endpoint: "/foo/bar",
|
Endpoint: "/foo/bar",
|
||||||
}
|
}
|
||||||
|
|
||||||
catchallResource := &auth.Resource{
|
catchallResource := &Resource{
|
||||||
Type: "*",
|
Type: "*",
|
||||||
Name: "*",
|
Name: "*",
|
||||||
Endpoint: "*",
|
Endpoint: "*",
|
||||||
@ -27,24 +25,24 @@ func TestVerify(t *testing.T) {
|
|||||||
|
|
||||||
tt := []struct {
|
tt := []struct {
|
||||||
Name string
|
Name string
|
||||||
Rules []*auth.Rule
|
Rules []*Rule
|
||||||
Account *auth.Account
|
Account *Account
|
||||||
Resource *auth.Resource
|
Resource *Resource
|
||||||
Error error
|
Error error
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
Name: "NoRules",
|
Name: "NoRules",
|
||||||
Rules: []*auth.Rule{},
|
Rules: []*Rule{},
|
||||||
Account: nil,
|
Account: nil,
|
||||||
Resource: srvResource,
|
Resource: srvResource,
|
||||||
Error: auth.ErrForbidden,
|
Error: ErrForbidden,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "CatchallPublicAccount",
|
Name: "CatchallPublicAccount",
|
||||||
Account: &auth.Account{},
|
Account: &Account{},
|
||||||
Resource: srvResource,
|
Resource: srvResource,
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "",
|
Scope: "",
|
||||||
Resource: catchallResource,
|
Resource: catchallResource,
|
||||||
},
|
},
|
||||||
@ -53,8 +51,8 @@ func TestVerify(t *testing.T) {
|
|||||||
{
|
{
|
||||||
Name: "CatchallPublicNoAccount",
|
Name: "CatchallPublicNoAccount",
|
||||||
Resource: srvResource,
|
Resource: srvResource,
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "",
|
Scope: "",
|
||||||
Resource: catchallResource,
|
Resource: catchallResource,
|
||||||
},
|
},
|
||||||
@ -62,10 +60,10 @@ func TestVerify(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "CatchallPrivateAccount",
|
Name: "CatchallPrivateAccount",
|
||||||
Account: &auth.Account{},
|
Account: &Account{},
|
||||||
Resource: srvResource,
|
Resource: srvResource,
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "*",
|
Scope: "*",
|
||||||
Resource: catchallResource,
|
Resource: catchallResource,
|
||||||
},
|
},
|
||||||
@ -74,22 +72,22 @@ func TestVerify(t *testing.T) {
|
|||||||
{
|
{
|
||||||
Name: "CatchallPrivateNoAccount",
|
Name: "CatchallPrivateNoAccount",
|
||||||
Resource: srvResource,
|
Resource: srvResource,
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "*",
|
Scope: "*",
|
||||||
Resource: catchallResource,
|
Resource: catchallResource,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Error: auth.ErrForbidden,
|
Error: ErrForbidden,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "CatchallServiceRuleMatch",
|
Name: "CatchallServiceRuleMatch",
|
||||||
Resource: srvResource,
|
Resource: srvResource,
|
||||||
Account: &auth.Account{},
|
Account: &Account{},
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "*",
|
Scope: "*",
|
||||||
Resource: &auth.Resource{
|
Resource: &Resource{
|
||||||
Type: srvResource.Type,
|
Type: srvResource.Type,
|
||||||
Name: srvResource.Name,
|
Name: srvResource.Name,
|
||||||
Endpoint: "*",
|
Endpoint: "*",
|
||||||
@ -100,27 +98,27 @@ func TestVerify(t *testing.T) {
|
|||||||
{
|
{
|
||||||
Name: "CatchallServiceRuleNoMatch",
|
Name: "CatchallServiceRuleNoMatch",
|
||||||
Resource: srvResource,
|
Resource: srvResource,
|
||||||
Account: &auth.Account{},
|
Account: &Account{},
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "*",
|
Scope: "*",
|
||||||
Resource: &auth.Resource{
|
Resource: &Resource{
|
||||||
Type: srvResource.Type,
|
Type: srvResource.Type,
|
||||||
Name: "wrongname",
|
Name: "wrongname",
|
||||||
Endpoint: "*",
|
Endpoint: "*",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Error: auth.ErrForbidden,
|
Error: ErrForbidden,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "ExactRuleValidScope",
|
Name: "ExactRuleValidScope",
|
||||||
Resource: srvResource,
|
Resource: srvResource,
|
||||||
Account: &auth.Account{
|
Account: &Account{
|
||||||
Scopes: []string{"neededscope"},
|
Scopes: []string{"neededscope"},
|
||||||
},
|
},
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "neededscope",
|
Scope: "neededscope",
|
||||||
Resource: srvResource,
|
Resource: srvResource,
|
||||||
},
|
},
|
||||||
@ -129,58 +127,58 @@ func TestVerify(t *testing.T) {
|
|||||||
{
|
{
|
||||||
Name: "ExactRuleInvalidScope",
|
Name: "ExactRuleInvalidScope",
|
||||||
Resource: srvResource,
|
Resource: srvResource,
|
||||||
Account: &auth.Account{
|
Account: &Account{
|
||||||
Scopes: []string{"neededscope"},
|
Scopes: []string{"neededscope"},
|
||||||
},
|
},
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "invalidscope",
|
Scope: "invalidscope",
|
||||||
Resource: srvResource,
|
Resource: srvResource,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Error: auth.ErrForbidden,
|
Error: ErrForbidden,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "CatchallDenyWithAccount",
|
Name: "CatchallDenyWithAccount",
|
||||||
Resource: srvResource,
|
Resource: srvResource,
|
||||||
Account: &auth.Account{},
|
Account: &Account{},
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "*",
|
Scope: "*",
|
||||||
Resource: catchallResource,
|
Resource: catchallResource,
|
||||||
Access: auth.AccessDenied,
|
Access: AccessDenied,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Error: auth.ErrForbidden,
|
Error: ErrForbidden,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "CatchallDenyWithNoAccount",
|
Name: "CatchallDenyWithNoAccount",
|
||||||
Resource: srvResource,
|
Resource: srvResource,
|
||||||
Account: &auth.Account{},
|
Account: &Account{},
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "*",
|
Scope: "*",
|
||||||
Resource: catchallResource,
|
Resource: catchallResource,
|
||||||
Access: auth.AccessDenied,
|
Access: AccessDenied,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Error: auth.ErrForbidden,
|
Error: ErrForbidden,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "RulePriorityGrantFirst",
|
Name: "RulePriorityGrantFirst",
|
||||||
Resource: srvResource,
|
Resource: srvResource,
|
||||||
Account: &auth.Account{},
|
Account: &Account{},
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "*",
|
Scope: "*",
|
||||||
Resource: catchallResource,
|
Resource: catchallResource,
|
||||||
Access: auth.AccessGranted,
|
Access: AccessGranted,
|
||||||
Priority: 1,
|
Priority: 1,
|
||||||
},
|
},
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "*",
|
Scope: "*",
|
||||||
Resource: catchallResource,
|
Resource: catchallResource,
|
||||||
Access: auth.AccessDenied,
|
Access: AccessDenied,
|
||||||
Priority: 0,
|
Priority: 0,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -188,29 +186,29 @@ func TestVerify(t *testing.T) {
|
|||||||
{
|
{
|
||||||
Name: "RulePriorityDenyFirst",
|
Name: "RulePriorityDenyFirst",
|
||||||
Resource: srvResource,
|
Resource: srvResource,
|
||||||
Account: &auth.Account{},
|
Account: &Account{},
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "*",
|
Scope: "*",
|
||||||
Resource: catchallResource,
|
Resource: catchallResource,
|
||||||
Access: auth.AccessGranted,
|
Access: AccessGranted,
|
||||||
Priority: 0,
|
Priority: 0,
|
||||||
},
|
},
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "*",
|
Scope: "*",
|
||||||
Resource: catchallResource,
|
Resource: catchallResource,
|
||||||
Access: auth.AccessDenied,
|
Access: AccessDenied,
|
||||||
Priority: 1,
|
Priority: 1,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Error: auth.ErrForbidden,
|
Error: ErrForbidden,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "WebExactEndpointValid",
|
Name: "WebExactEndpointValid",
|
||||||
Resource: webResource,
|
Resource: webResource,
|
||||||
Account: &auth.Account{},
|
Account: &Account{},
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "*",
|
Scope: "*",
|
||||||
Resource: webResource,
|
Resource: webResource,
|
||||||
},
|
},
|
||||||
@ -219,27 +217,27 @@ func TestVerify(t *testing.T) {
|
|||||||
{
|
{
|
||||||
Name: "WebExactEndpointInalid",
|
Name: "WebExactEndpointInalid",
|
||||||
Resource: webResource,
|
Resource: webResource,
|
||||||
Account: &auth.Account{},
|
Account: &Account{},
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "*",
|
Scope: "*",
|
||||||
Resource: &auth.Resource{
|
Resource: &Resource{
|
||||||
Type: webResource.Type,
|
Type: webResource.Type,
|
||||||
Name: webResource.Name,
|
Name: webResource.Name,
|
||||||
Endpoint: "invalidendpoint",
|
Endpoint: "invalidendpoint",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Error: auth.ErrForbidden,
|
Error: ErrForbidden,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "WebWildcardEndpoint",
|
Name: "WebWildcardEndpoint",
|
||||||
Resource: webResource,
|
Resource: webResource,
|
||||||
Account: &auth.Account{},
|
Account: &Account{},
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "*",
|
Scope: "*",
|
||||||
Resource: &auth.Resource{
|
Resource: &Resource{
|
||||||
Type: webResource.Type,
|
Type: webResource.Type,
|
||||||
Name: webResource.Name,
|
Name: webResource.Name,
|
||||||
Endpoint: "*",
|
Endpoint: "*",
|
||||||
@ -250,11 +248,11 @@ func TestVerify(t *testing.T) {
|
|||||||
{
|
{
|
||||||
Name: "WebWildcardPathEndpointValid",
|
Name: "WebWildcardPathEndpointValid",
|
||||||
Resource: webResource,
|
Resource: webResource,
|
||||||
Account: &auth.Account{},
|
Account: &Account{},
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "*",
|
Scope: "*",
|
||||||
Resource: &auth.Resource{
|
Resource: &Resource{
|
||||||
Type: webResource.Type,
|
Type: webResource.Type,
|
||||||
Name: webResource.Name,
|
Name: webResource.Name,
|
||||||
Endpoint: "/foo/*",
|
Endpoint: "/foo/*",
|
||||||
@ -265,24 +263,24 @@ func TestVerify(t *testing.T) {
|
|||||||
{
|
{
|
||||||
Name: "WebWildcardPathEndpointInvalid",
|
Name: "WebWildcardPathEndpointInvalid",
|
||||||
Resource: webResource,
|
Resource: webResource,
|
||||||
Account: &auth.Account{},
|
Account: &Account{},
|
||||||
Rules: []*auth.Rule{
|
Rules: []*Rule{
|
||||||
&auth.Rule{
|
&Rule{
|
||||||
Scope: "*",
|
Scope: "*",
|
||||||
Resource: &auth.Resource{
|
Resource: &Resource{
|
||||||
Type: webResource.Type,
|
Type: webResource.Type,
|
||||||
Name: webResource.Name,
|
Name: webResource.Name,
|
||||||
Endpoint: "/bar/*",
|
Endpoint: "/bar/*",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Error: auth.ErrForbidden,
|
Error: ErrForbidden,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, tc := range tt {
|
for _, tc := range tt {
|
||||||
t.Run(tc.Name, func(t *testing.T) {
|
t.Run(tc.Name, func(t *testing.T) {
|
||||||
if err := Verify(tc.Rules, tc.Account, tc.Resource); err != tc.Error {
|
if err := VerifyAccess(tc.Rules, tc.Account, tc.Resource); err != tc.Error {
|
||||||
t.Errorf("Expected %v but got %v", tc.Error, err)
|
t.Errorf("Expected %v but got %v", tc.Error, err)
|
||||||
}
|
}
|
||||||
})
|
})
|
@ -7,7 +7,6 @@ import (
|
|||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/micro/go-micro/v2/auth"
|
"github.com/micro/go-micro/v2/auth"
|
||||||
"github.com/micro/go-micro/v2/auth/rules"
|
|
||||||
pb "github.com/micro/go-micro/v2/auth/service/proto"
|
pb "github.com/micro/go-micro/v2/auth/service/proto"
|
||||||
"github.com/micro/go-micro/v2/auth/token"
|
"github.com/micro/go-micro/v2/auth/token"
|
||||||
"github.com/micro/go-micro/v2/auth/token/jwt"
|
"github.com/micro/go-micro/v2/auth/token/jwt"
|
||||||
@ -170,7 +169,7 @@ func (s *svc) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyO
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
return rules.Verify(rs, acc, res)
|
return auth.VerifyAccess(rs, acc, res)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Inspect a token
|
// Inspect a token
|
||||||
|
Loading…
x
Reference in New Issue
Block a user