diff --git a/auth/auth.go b/auth/auth.go
index 61567079..f98b2a67 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -15,8 +15,8 @@ type Auth interface {
 	Generate(id string, opts ...GenerateOption) (*Account, error)
 	// Revoke an authorization Account
 	Revoke(token string) error
-	// Validate an account token
-	Validate(token string) (*Account, error)
+	// Verify an account token
+	Verify(token string) (*Account, error)
 	// String returns the implementation
 	String() string
 }
@@ -31,7 +31,10 @@ type Resource struct {
 // Role an account has
 type Role struct {
-	Name string
+	// Name of the role
+	Name string
+	// The resource it has access
+	// TODO: potentially remove
 	Resource *Resource
 }
diff --git a/auth/default.go b/auth/default.go
index 0fe97dfc..ef5a5ba3 100644
--- a/auth/default.go
+++ b/auth/default.go
@@ -6,31 +6,42 @@ var (
 // NewAuth returns a new default registry which is noop
 func NewAuth(opts ...Option) Auth {
-	return noop{}
+	var options Options
+	for _, o := range opts {
+		o(&options)
+	}
+	return &noop{
+		opts: options,
+	}
 }
-type noop struct{}
+type noop struct {
+	opts Options
+}
-func (noop) Init(opts ...Option) error {
+func (n *noop) Init(opts ...Option) error {
+	for _, o := range opts {
+		o(&n.opts)
+	}
 	return nil
 }
-func (noop) Options() Options {
-	return Options{}
+func (n *noop) Options() Options {
+	return n.opts
 }
-func (noop) Generate(id string, opts ...GenerateOption) (*Account, error) {
+func (n *noop) Generate(id string, opts ...GenerateOption) (*Account, error) {
 	return nil, nil
 }
-func (noop) Revoke(token string) error {
+func (n *noop) Revoke(token string) error {
 	return nil
 }
-func (noop) Validate(token string) (*Account, error) {
+func (n *noop) Verify(token string) (*Account, error) {
 	return nil, nil
 }
-func (noop) String() string {
+func (n *noop) String() string {
 	return "noop"
 }
diff --git a/auth/jwt/jwt.go b/auth/jwt/jwt.go
index d60c9361..b2aab0a8 100644
--- a/auth/jwt/jwt.go
+++ b/auth/jwt/jwt.go
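Review bot: The doc comment kept on NewAuth in the default.go hunk, `// NewAuth returns a new default registry which is noop`, describes the wrong component; suggest `// NewAuth returns the default Auth implementation, a no-op that accepts every token and only stores its Options.` The contract of the type deserves a comment too, since `Generate` and `Verify` return `nil, nil` — a nil *Account together with a nil error — so any caller that treats a nil error as success and then dereferences the account will panic; something like `// noop performs no authentication: Generate and Verify return (nil, nil), so callers must nil-check the account.` on the struct makes that explicit. Init now appends onto n.opts with no synchronization while Options() is read on every outgoing call by the client wrapper elsewhere in this commit; if Init can be called after the service starts serving (the root service.go hunk calls Auth.Init(auth.Token(...)) from Init), that is a data race to guard or document.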
@@ -1,6 +1,7 @@
 package jwt
 import (
+	"encoding/base64"
 	"errors"
 	"time"
@@ -8,17 +9,19 @@ import (
 	"github.com/micro/go-micro/v2/auth"
 )
-// ErrInvalidPrivateKey is returned when the service provided an invalid private key
-var ErrInvalidPrivateKey = errors.New("An invalid private key was provided")
+var (
+	// ErrInvalidPrivateKey is returned when the service provided an invalid private key
+	ErrInvalidPrivateKey = errors.New("An invalid private key was provided")
-// ErrEncodingToken is returned when the service encounters an error during encoding
-var ErrEncodingToken = errors.New("An error occured while encoding the JWT")
+	// ErrEncodingToken is returned when the service encounters an error during encoding
+	ErrEncodingToken = errors.New("An error occured while encoding the JWT")
-// ErrInvalidToken is returned when the token provided is not valid
-var ErrInvalidToken = errors.New("An invalid token was provided")
+	// ErrInvalidToken is returned when the token provided is not valid
+	ErrInvalidToken = errors.New("An invalid token was provided")
-// ErrMissingToken is returned when no token is provided
-var ErrMissingToken = errors.New("A valid JWT is required")
+	// ErrMissingToken is returned when no token is provided
+	ErrMissingToken = errors.New("A valid JWT is required")
+)
 // NewAuth returns a new instance of the Auth service
 func NewAuth(opts ...auth.Option) auth.Auth {
@@ -59,7 +62,13 @@ type AuthClaims struct {
 // Generate a new JWT
 func (s *svc) Generate(id string, ops ...auth.GenerateOption) (*auth.Account, error) {
-	key, err := jwt.ParseRSAPrivateKeyFromPEM(s.options.PrivateKey)
+	// decode the private key
+	priv, err := base64.StdEncoding.DecodeString(s.options.PrivateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	key, err := jwt.ParseRSAPrivateKeyFromPEM(priv)
 	if err != nil {
 		return nil, ErrEncodingToken
 	}
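Review bot: Generate now base64-decodes s.options.PrivateKey on every call and returns the raw decode error, while the PEM parse failure on the very next lines is still mapped to ErrEncodingToken even though ErrInvalidPrivateKey exists for exactly this case; the two failures should be reported consistently, e.g. `return nil, ErrInvalidPrivateKey` for the decode error as well. Decoding and parsing the RSA key per token also means a misconfigured key is only discovered on the first Generate rather than at startup; consider decoding once in NewAuth/Init and keeping the parsed key on svc. The Verify hunk that follows has the same per-call decode of PublicKey. Generate's body continues outside the hunk.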
@@ -90,14 +99,20 @@ func (s *svc) Revoke(token string) error {
 	return nil
 }
-// Validate a JWT
-func (s *svc) Validate(token string) (*auth.Account, error) {
+// Verify a JWT
+func (s *svc) Verify(token string) (*auth.Account, error) {
 	if token == "" {
 		return nil, ErrMissingToken
 	}
+	// decode the public key
+	pub, err := base64.StdEncoding.DecodeString(s.options.PublicKey)
+	if err != nil {
+		return nil, err
+	}
+
 	res, err := jwt.ParseWithClaims(token, &AuthClaims{}, func(token *jwt.Token) (interface{}, error) {
-		return jwt.ParseRSAPublicKeyFromPEM(s.options.PublicKey)
+		return jwt.ParseRSAPublicKeyFromPEM(pub)
 	})
 	if err != nil {
 		return nil, err
diff --git a/auth/options.go b/auth/options.go
index 586f7b5f..059c3931 100644
--- a/auth/options.go
+++ b/auth/options.go
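Review bot: The keyfunc passed to jwt.ParseWithClaims returns the RSA public key without asserting the token's signing method, so acceptance of a token whose header names a different algorithm depends on the library's key-type check rather than on an explicit policy; add `if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok { return nil, ErrInvalidToken }` before the ParseRSAPublicKeyFromPEM call. The base64 decode error for PublicKey is returned unchanged, and the AuthHandler wrapper in this commit forwards err.Error() to the caller in its Unauthorized response, so a server-side configuration problem becomes visible to unauthenticated clients; return ErrInvalidToken (or a wrapped sentinel) here and log the detail locally. Verify's body continues outside the hunk.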
@@ -1,41 +1,51 @@
 package auth
-import (
-	b64 "encoding/base64"
-)
 type Options struct {
-	PublicKey []byte
-	PrivateKey []byte
-	Excludes []string
+	// Token is an auth token
+	Token string
+	// Public key base64 encoded
+	PublicKey string
+	// Private key base64 encoded
+	PrivateKey string
+	// Endpoints to exclude
+	Exclude []string
 }
 type Option func(o *Options)
-// Excludes endpoints from auth
-func Excludes(excludes ...string) Option {
+// Exclude ecludes a set of endpoints from authorization
+func Exclude(e ...string) Option {
 	return func(o *Options) {
-		o.Excludes = excludes
+		o.Exclude = e
 	}
 }
 // PublicKey is the JWT public key
 func PublicKey(key string) Option {
 	return func(o *Options) {
-		o.PublicKey, _ = b64.StdEncoding.DecodeString(key)
+		o.PublicKey = key
 	}
 }
 // PrivateKey is the JWT private key
 func PrivateKey(key string) Option {
 	return func(o *Options) {
-		o.PrivateKey, _ = b64.StdEncoding.DecodeString(key)
+		o.PrivateKey = key
+	}
+}
+
+// Token sets an auth token
+func Token(t string) Option {
+	return func(o *Options) {
+		o.Token = t
 	}
 }
 type GenerateOptions struct {
+	// Metadata associated with the account
 	Metadata map[string]string
-	Roles []*Role
+	// Roles/scopes associated with the account
+	Roles []*Role
 }
 type GenerateOption func(o *GenerateOptions)
diff --git a/auth/service/proto/auth.pb.go b/auth/service/proto/auth.pb.go
index de3d6b28..b57f3cc5 100644
--- a/auth/service/proto/auth.pb.go
+++ b/auth/service/proto/auth.pb.go
@@ -1,5 +1,5 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
-// source: auth/service/proto/auth.proto
+// source: micro/go-micro/auth/service/proto/auth.proto
 package go_micro_auth
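Review bot: The new doc comment on Exclude has a typo, `// Exclude ecludes a set of endpoints from authorization` should read `// Exclude excludes a set of endpoints from authorization`. The field comment `// Token is an auth token` does not say what the value is for; since the client wrapper in this commit sends it as the Authorization bearer header on outgoing calls, suggest `// Token is the bearer token this service presents to other services; the client wrapper sends it as an Authorization header.` Removing the silent `_` on DecodeString is an improvement, but every consumer of PublicKey/PrivateKey must now handle the decode error itself (see the jwt hunks), which is worth stating in the field comments.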
@@ -36,7 +36,7 @@ func (m *Account) Reset() { *m = Account{} } func (m *Account) String() string { return proto.CompactTextString(m) } func (*Account) ProtoMessage() {} func (*Account) Descriptor() ([]byte, []int) { - return fileDescriptor_21300bfacc51fc2a, []int{0} + return fileDescriptor_de609d4872dacc78, []int{0} } func (m *Account) XXX_Unmarshal(b []byte) error { @@ -111,7 +111,7 @@ func (m *Role) Reset() { *m = Role{} } func (m *Role) String() string { return proto.CompactTextString(m) } func (*Role) ProtoMessage() {} func (*Role) Descriptor() ([]byte, []int) { - return fileDescriptor_21300bfacc51fc2a, []int{1} + return fileDescriptor_de609d4872dacc78, []int{1} } func (m *Role) XXX_Unmarshal(b []byte) error { @@ -158,7 +158,7 @@ func (m *Resource) Reset() { *m = Resource{} } func (m *Resource) String() string { return proto.CompactTextString(m) } func (*Resource) ProtoMessage() {} func (*Resource) Descriptor() ([]byte, []int) { - return fileDescriptor_21300bfacc51fc2a, []int{2} + return fileDescriptor_de609d4872dacc78, []int{2} } func (m *Resource) XXX_Unmarshal(b []byte) error { @@ -204,7 +204,7 @@ func (m *GenerateRequest) Reset() { *m = GenerateRequest{} } func (m *GenerateRequest) String() string { return proto.CompactTextString(m) } func (*GenerateRequest) ProtoMessage() {} func (*GenerateRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_21300bfacc51fc2a, []int{3} + return fileDescriptor_de609d4872dacc78, []int{3} } func (m *GenerateRequest) XXX_Unmarshal(b []byte) error { @@ -243,7 +243,7 @@ func (m *GenerateResponse) Reset() { *m = GenerateResponse{} } func (m *GenerateResponse) String() string { return proto.CompactTextString(m) } func (*GenerateResponse) ProtoMessage() {} func (*GenerateResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_21300bfacc51fc2a, []int{4} + return fileDescriptor_de609d4872dacc78, []int{4} } func (m *GenerateResponse) XXX_Unmarshal(b []byte) error { 
@@ -271,78 +271,78 @@ func (m *GenerateResponse) GetAccount() *Account { return nil } -type ValidateRequest struct { +type VerifyRequest struct { Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` } -func (m *ValidateRequest) Reset() { *m = ValidateRequest{} } -func (m *ValidateRequest) String() string { return proto.CompactTextString(m) } -func (*ValidateRequest) ProtoMessage() {} -func (*ValidateRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_21300bfacc51fc2a, []int{5} +func (m *VerifyRequest) Reset() { *m = VerifyRequest{} } +func (m *VerifyRequest) String() string { return proto.CompactTextString(m) } +func (*VerifyRequest) ProtoMessage() {} +func (*VerifyRequest) Descriptor() ([]byte, []int) { + return fileDescriptor_de609d4872dacc78, []int{5} } -func (m *ValidateRequest) XXX_Unmarshal(b []byte) error { - return xxx_messageInfo_ValidateRequest.Unmarshal(m, b) +func (m *VerifyRequest) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_VerifyRequest.Unmarshal(m, b) } -func (m *ValidateRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - return xxx_messageInfo_ValidateRequest.Marshal(b, m, deterministic) +func (m *VerifyRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_VerifyRequest.Marshal(b, m, deterministic) } -func (m *ValidateRequest) XXX_Merge(src proto.Message) { - xxx_messageInfo_ValidateRequest.Merge(m, src) +func (m *VerifyRequest) XXX_Merge(src proto.Message) { + xxx_messageInfo_VerifyRequest.Merge(m, src) } -func (m *ValidateRequest) XXX_Size() int { - return xxx_messageInfo_ValidateRequest.Size(m) +func (m *VerifyRequest) XXX_Size() int { + return xxx_messageInfo_VerifyRequest.Size(m) } -func (m *ValidateRequest) XXX_DiscardUnknown() { - xxx_messageInfo_ValidateRequest.DiscardUnknown(m) +func (m *VerifyRequest) XXX_DiscardUnknown() { + 
xxx_messageInfo_VerifyRequest.DiscardUnknown(m) } -var xxx_messageInfo_ValidateRequest proto.InternalMessageInfo +var xxx_messageInfo_VerifyRequest proto.InternalMessageInfo -func (m *ValidateRequest) GetToken() string { +func (m *VerifyRequest) GetToken() string { if m != nil { return m.Token } return "" } -type ValidateResponse struct { +type VerifyResponse struct { Account *Account `protobuf:"bytes,1,opt,name=account,proto3" json:"account,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` } -func (m *ValidateResponse) Reset() { *m = ValidateResponse{} } -func (m *ValidateResponse) String() string { return proto.CompactTextString(m) } -func (*ValidateResponse) ProtoMessage() {} -func (*ValidateResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_21300bfacc51fc2a, []int{6} +func (m *VerifyResponse) Reset() { *m = VerifyResponse{} } +func (m *VerifyResponse) String() string { return proto.CompactTextString(m) } +func (*VerifyResponse) ProtoMessage() {} +func (*VerifyResponse) Descriptor() ([]byte, []int) { + return fileDescriptor_de609d4872dacc78, []int{6} } -func (m *ValidateResponse) XXX_Unmarshal(b []byte) error { - return xxx_messageInfo_ValidateResponse.Unmarshal(m, b) +func (m *VerifyResponse) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_VerifyResponse.Unmarshal(m, b) } -func (m *ValidateResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - return xxx_messageInfo_ValidateResponse.Marshal(b, m, deterministic) +func (m *VerifyResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_VerifyResponse.Marshal(b, m, deterministic) } -func (m *ValidateResponse) XXX_Merge(src proto.Message) { - xxx_messageInfo_ValidateResponse.Merge(m, src) +func (m *VerifyResponse) XXX_Merge(src proto.Message) { + xxx_messageInfo_VerifyResponse.Merge(m, src) } -func (m *ValidateResponse) XXX_Size() int { - return 
xxx_messageInfo_ValidateResponse.Size(m) +func (m *VerifyResponse) XXX_Size() int { + return xxx_messageInfo_VerifyResponse.Size(m) } -func (m *ValidateResponse) XXX_DiscardUnknown() { - xxx_messageInfo_ValidateResponse.DiscardUnknown(m) +func (m *VerifyResponse) XXX_DiscardUnknown() { + xxx_messageInfo_VerifyResponse.DiscardUnknown(m) } -var xxx_messageInfo_ValidateResponse proto.InternalMessageInfo +var xxx_messageInfo_VerifyResponse proto.InternalMessageInfo -func (m *ValidateResponse) GetAccount() *Account { +func (m *VerifyResponse) GetAccount() *Account { if m != nil { return m.Account } @@ -360,7 +360,7 @@ func (m *RevokeRequest) Reset() { *m = RevokeRequest{} } func (m *RevokeRequest) String() string { return proto.CompactTextString(m) } func (*RevokeRequest) ProtoMessage() {} func (*RevokeRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_21300bfacc51fc2a, []int{7} + return fileDescriptor_de609d4872dacc78, []int{7} } func (m *RevokeRequest) XXX_Unmarshal(b []byte) error { @@ -398,7 +398,7 @@ func (m *RevokeResponse) Reset() { *m = RevokeResponse{} } func (m *RevokeResponse) String() string { return proto.CompactTextString(m) } func (*RevokeResponse) ProtoMessage() {} func (*RevokeResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_21300bfacc51fc2a, []int{8} + return fileDescriptor_de609d4872dacc78, []int{8} } func (m *RevokeResponse) XXX_Unmarshal(b []byte) error { 
@@ -426,41 +426,43 @@ func init() { proto.RegisterType((*Resource)(nil), "go.micro.auth.Resource") proto.RegisterType((*GenerateRequest)(nil), "go.micro.auth.GenerateRequest") proto.RegisterType((*GenerateResponse)(nil), "go.micro.auth.GenerateResponse") - proto.RegisterType((*ValidateRequest)(nil), "go.micro.auth.ValidateRequest") - proto.RegisterType((*ValidateResponse)(nil), "go.micro.auth.ValidateResponse") + proto.RegisterType((*VerifyRequest)(nil), "go.micro.auth.VerifyRequest") + proto.RegisterType((*VerifyResponse)(nil), "go.micro.auth.VerifyResponse") proto.RegisterType((*RevokeRequest)(nil), "go.micro.auth.RevokeRequest") proto.RegisterType((*RevokeResponse)(nil), "go.micro.auth.RevokeResponse") } -func init() { proto.RegisterFile("auth/service/proto/auth.proto", fileDescriptor_21300bfacc51fc2a) } - -var fileDescriptor_21300bfacc51fc2a = []byte{ - // 429 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x53, 0x4d, 0x6f, 0xd3, 0x40, - 0x10, 0xad, 0x3f, 0xe2, 0x98, 0x89, 0xd2, 0x46, 0x03, 0x2a, 0x56, 0x44, 0x21, 0xb2, 0x40, 0x84, - 0x8b, 0x83, 0xdc, 0x0b, 0x82, 0x0b, 0x15, 0xa0, 0x9e, 0x2a, 0xa4, 0x3d, 0x70, 0x5f, 0xec, 0x11, - 0xb5, 0xe2, 0x78, 0xcd, 0x7a, 0x1d, 0xe1, 0xdf, 0xc0, 0x6f, 0xe5, 0x3f, 0x20, 0xaf, 0xbd, 0x69, - 0xea, 0xb4, 0xaa, 0xd4, 0xdb, 0x7c, 0xbc, 0x79, 0xf3, 0xde, 0x68, 0x17, 0xce, 0x78, 0xad, 0xae, - 0x57, 0x15, 0xc9, 0x6d, 0x96, 0xd0, 0xaa, 0x94, 0x42, 0x89, 0x55, 0x5b, 0x8a, 0x74, 0x88, 0xd3, - 0x5f, 0x22, 0xda, 0x64, 0x89, 0x14, 0x51, 0x5b, 0x0c, 0xff, 0xda, 0x30, 0xbe, 0x48, 0x12, 0x51, - 0x17, 0x0a, 0x8f, 0xc1, 0xce, 0xd2, 0xc0, 0x5a, 0x58, 0xcb, 0x27, 0xcc, 0xce, 0x52, 0x7c, 0x06, - 0x23, 0x25, 0xd6, 0x54, 0x04, 0xb6, 0x2e, 0x75, 0x09, 0x06, 0x30, 0x4e, 0x24, 0x71, 0x45, 0x69, - 0xe0, 0x2c, 0xac, 0xa5, 0xc3, 0x4c, 0x8a, 0xa7, 0xe0, 0xd1, 0x9f, 0x32, 0x93, 0x4d, 0xe0, 0xea, - 0x46, 0x9f, 0xe1, 0x3b, 0x18, 0x49, 0x91, 0x53, 0x15, 0x8c, 0x16, 0xce, 0x72, 0x12, 0x3f, 0x8d, - 
0x6e, 0x49, 0x88, 0x98, 0xc8, 0x89, 0x75, 0x08, 0xfc, 0x0c, 0xfe, 0x86, 0x14, 0x4f, 0xb9, 0xe2, - 0x81, 0xa7, 0xd1, 0xaf, 0x07, 0xe8, 0x5e, 0x6c, 0x74, 0xd5, 0xc3, 0xbe, 0x15, 0x4a, 0x36, 0x6c, - 0x37, 0x35, 0xff, 0x04, 0xd3, 0x5b, 0x2d, 0x9c, 0x81, 0xb3, 0xa6, 0xa6, 0xb7, 0xd5, 0x86, 0xad, - 0xaf, 0x2d, 0xcf, 0x6b, 0x32, 0xbe, 0x74, 0xf2, 0xd1, 0xfe, 0x60, 0x85, 0xdf, 0xc1, 0x6d, 0xd5, - 0x20, 0x82, 0x5b, 0xf0, 0x0d, 0xf5, 0x43, 0x3a, 0xc6, 0x73, 0xf0, 0x25, 0x55, 0xa2, 0x96, 0x49, - 0x37, 0x38, 0x89, 0x9f, 0x0f, 0x8d, 0xf4, 0x6d, 0xb6, 0x03, 0x86, 0x31, 0xf8, 0xa6, 0x7a, 0x27, - 0x29, 0x82, 0xab, 0x9a, 0xd2, 0x28, 0xd1, 0x71, 0xf8, 0x05, 0x4e, 0x2e, 0xa9, 0x20, 0xc9, 0x15, - 0x31, 0xfa, 0x5d, 0x53, 0xa5, 0xf0, 0x3d, 0x8c, 0x79, 0xe7, 0x5b, 0x4f, 0x4f, 0xe2, 0xd3, 0xbb, - 0xaf, 0xc2, 0x0c, 0x2c, 0xfc, 0x0a, 0xb3, 0x1b, 0x92, 0xaa, 0x14, 0x45, 0x45, 0x8f, 0x60, 0x79, - 0x0b, 0x27, 0x3f, 0x78, 0x9e, 0xa5, 0x7b, 0x52, 0x76, 0x8f, 0xc2, 0xda, 0x7b, 0x14, 0xed, 0xba, - 0x1b, 0xe0, 0xa3, 0xd7, 0xbd, 0x81, 0x29, 0xa3, 0xad, 0x58, 0x3f, 0xb0, 0x6c, 0x06, 0xc7, 0x06, - 0xd6, 0xad, 0x8a, 0xff, 0x59, 0xe0, 0x5e, 0xd4, 0xea, 0x1a, 0xaf, 0xc0, 0x37, 0xb6, 0xf1, 0xe5, - 0x60, 0xdd, 0xe0, 0xa8, 0xf3, 0x57, 0xf7, 0xf6, 0x3b, 0xd6, 0xf0, 0xa8, 0xa5, 0x33, 0xb6, 0x0e, - 0xe8, 0x06, 0x87, 0x39, 0xa0, 0x1b, 0xde, 0x23, 0x3c, 0xc2, 0x4b, 0xf0, 0x3a, 0xe1, 0xf8, 0xe2, - 0xe0, 0xe9, 0xec, 0xd9, 0x9e, 0x9f, 0xdd, 0xd3, 0x35, 0x44, 0x3f, 0x3d, 0xfd, 0x97, 0xcf, 0xff, - 0x07, 0x00, 0x00, 0xff, 0xff, 0x79, 0x35, 0xb2, 0x7e, 0xec, 0x03, 0x00, 0x00, +func init() { + proto.RegisterFile("micro/go-micro/auth/service/proto/auth.proto", fileDescriptor_de609d4872dacc78) +} + +var fileDescriptor_de609d4872dacc78 = []byte{ + // 432 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x53, 0x4b, 0x6f, 0xd3, 0x40, + 0x10, 0xae, 0x1d, 0xe7, 0xc1, 0x44, 0x09, 0xd1, 0x80, 0x8a, 0x15, 0xf1, 0x88, 0x56, 0x20, 0x05, + 0x09, 0x1c, 0xe4, 0x5e, 0x10, 0x5c, 
0x28, 0x0f, 0xf5, 0x54, 0x21, 0xed, 0x81, 0xfb, 0xe2, 0x0c, + 0xad, 0x95, 0xc4, 0x6b, 0xd6, 0xeb, 0x08, 0xff, 0x06, 0x7e, 0x28, 0x7f, 0x03, 0x79, 0xd7, 0x1b, + 0x6a, 0xb7, 0xe5, 0x00, 0xb7, 0x79, 0x7c, 0xf3, 0xcd, 0xf7, 0x8d, 0x76, 0xe1, 0xc5, 0x2e, 0x4d, + 0x94, 0x5c, 0x5d, 0xc8, 0x97, 0x36, 0x10, 0xa5, 0xbe, 0x5c, 0x15, 0xa4, 0xf6, 0x69, 0x42, 0xab, + 0x5c, 0x49, 0x6d, 0x4b, 0x91, 0x09, 0x71, 0x72, 0x21, 0x23, 0x83, 0x8b, 0xea, 0x22, 0xfb, 0xe9, + 0xc3, 0xf0, 0x34, 0x49, 0x64, 0x99, 0x69, 0x9c, 0x82, 0x9f, 0xae, 0x43, 0x6f, 0xe1, 0x2d, 0xef, + 0x70, 0x3f, 0x5d, 0xe3, 0x7d, 0xe8, 0x6b, 0xb9, 0xa1, 0x2c, 0xf4, 0x4d, 0xc9, 0x26, 0x18, 0xc2, + 0x30, 0x51, 0x24, 0x34, 0xad, 0xc3, 0xde, 0xc2, 0x5b, 0xf6, 0xb8, 0x4b, 0xf1, 0x18, 0x06, 0xf4, + 0x23, 0x4f, 0x55, 0x15, 0x06, 0xa6, 0xd1, 0x64, 0xf8, 0x1c, 0xfa, 0x4a, 0x6e, 0xa9, 0x08, 0xfb, + 0x8b, 0xde, 0x72, 0x1c, 0xdf, 0x8b, 0x5a, 0x12, 0x22, 0x2e, 0xb7, 0xc4, 0x2d, 0x02, 0xdf, 0xc1, + 0x68, 0x47, 0x5a, 0xac, 0x85, 0x16, 0xe1, 0xc0, 0xa0, 0x9f, 0x76, 0xd0, 0x8d, 0xd8, 0xe8, 0xbc, + 0x81, 0x7d, 0xca, 0xb4, 0xaa, 0xf8, 0x61, 0x6a, 0xfe, 0x16, 0x26, 0xad, 0x16, 0xce, 0xa0, 0xb7, + 0xa1, 0xaa, 0xb1, 0x55, 0x87, 0xb5, 0xaf, 0xbd, 0xd8, 0x96, 0xe4, 0x7c, 0x99, 0xe4, 0x8d, 0xff, + 0xda, 0x63, 0x9f, 0x21, 0xa8, 0xd5, 0x20, 0x42, 0x90, 0x89, 0x1d, 0x35, 0x43, 0x26, 0xc6, 0x13, + 0x18, 0x29, 0x2a, 0x64, 0xa9, 0x12, 0x3b, 0x38, 0x8e, 0x1f, 0x74, 0x8d, 0x34, 0x6d, 0x7e, 0x00, + 0xb2, 0x18, 0x46, 0xae, 0x7a, 0x23, 0x29, 0x42, 0xa0, 0xab, 0xdc, 0x29, 0x31, 0x31, 0xfb, 0x00, + 0x77, 0xcf, 0x28, 0x23, 0x25, 0x34, 0x71, 0xfa, 0x5e, 0x52, 0xa1, 0xf1, 0x15, 0x0c, 0x85, 0xf5, + 0x6d, 0xa6, 0xc7, 0xf1, 0xf1, 0xcd, 0x57, 0xe1, 0x0e, 0xc6, 0x3e, 0xc2, 0xec, 0x0f, 0x49, 0x91, + 0xcb, 0xac, 0xa0, 0x7f, 0x60, 0x79, 0x06, 0x93, 0x2f, 0xa4, 0xd2, 0x6f, 0x95, 0x13, 0x72, 0x78, + 0x12, 0xde, 0x95, 0x27, 0xc1, 0xde, 0xc3, 0xd4, 0xc1, 0xfe, 0x67, 0x15, 0xa7, 0xbd, 0xdc, 0xd0, + 0xdf, 0x57, 0xcd, 0x60, 0xea, 0x60, 0x76, 0x55, 0xfc, 0xcb, 0x83, 0xe0, 
0xb4, 0xd4, 0x97, 0x78, + 0x0e, 0x23, 0x67, 0x19, 0x1f, 0x77, 0xd6, 0x75, 0x0e, 0x3a, 0x7f, 0x72, 0x6b, 0xdf, 0xb2, 0xb2, + 0x23, 0x3c, 0x83, 0x81, 0x35, 0x85, 0x0f, 0x3b, 0xe0, 0xd6, 0x49, 0xe6, 0x8f, 0x6e, 0xe9, 0x5e, + 0x25, 0xb2, 0x92, 0xaf, 0x11, 0xb5, 0x0c, 0x5f, 0x23, 0x6a, 0xfb, 0x64, 0x47, 0x5f, 0x07, 0xe6, + 0x07, 0x9f, 0xfc, 0x0e, 0x00, 0x00, 0xff, 0xff, 0xf0, 0x34, 0xce, 0x17, 0xf1, 0x03, 0x00, 0x00, } diff --git a/auth/service/proto/auth.pb.micro.go b/auth/service/proto/auth.pb.micro.go index 6f2e0741..72b197fa 100644 --- a/auth/service/proto/auth.pb.micro.go +++ b/auth/service/proto/auth.pb.micro.go @@ -1,16 +1,16 @@ // Code generated by protoc-gen-micro. DO NOT EDIT. -// source: auth/service/proto/auth.proto +// source: micro/go-micro/auth/service/proto/auth.proto package go_micro_auth import ( fmt "fmt" - math "math" - - context "context" - proto "github.com/golang/protobuf/proto" + math "math" +) +import ( + context "context" client "github.com/micro/go-micro/v2/client" server "github.com/micro/go-micro/v2/server" ) @@ -35,7 +35,7 @@ var _ server.Option type AuthService interface { Generate(ctx context.Context, in *GenerateRequest, opts ...client.CallOption) (*GenerateResponse, error) - Validate(ctx context.Context, in *ValidateRequest, opts ...client.CallOption) (*ValidateResponse, error) + Verify(ctx context.Context, in *VerifyRequest, opts ...client.CallOption) (*VerifyResponse, error) Revoke(ctx context.Context, in *RevokeRequest, opts ...client.CallOption) (*RevokeResponse, error) } @@ -45,12 +45,6 @@ type authService struct { } func NewAuthService(name string, c client.Client) AuthService { - if c == nil { - c = client.NewClient() - } - if len(name) == 0 { - name = "go.micro.auth" - } return &authService{ c: c, name: name, 
@@ -67,9 +61,9 @@ func (c *authService) Generate(ctx context.Context, in *GenerateRequest, opts .. return out, nil } -func (c *authService) Validate(ctx context.Context, in *ValidateRequest, opts ...client.CallOption) (*ValidateResponse, error) { - req := c.c.NewRequest(c.name, "Auth.Validate", in) - out := new(ValidateResponse) +func (c *authService) Verify(ctx context.Context, in *VerifyRequest, opts ...client.CallOption) (*VerifyResponse, error) { + req := c.c.NewRequest(c.name, "Auth.Verify", in) + out := new(VerifyResponse) err := c.c.Call(ctx, req, out, opts...) if err != nil { return nil, err @@ -91,14 +85,14 @@ func (c *authService) Revoke(ctx context.Context, in *RevokeRequest, opts ...cli type AuthHandler interface { Generate(context.Context, *GenerateRequest, *GenerateResponse) error - Validate(context.Context, *ValidateRequest, *ValidateResponse) error + Verify(context.Context, *VerifyRequest, *VerifyResponse) error Revoke(context.Context, *RevokeRequest, *RevokeResponse) error } func RegisterAuthHandler(s server.Server, hdlr AuthHandler, opts ...server.HandlerOption) error { type auth interface { Generate(ctx context.Context, in *GenerateRequest, out *GenerateResponse) error - Validate(ctx context.Context, in *ValidateRequest, out *ValidateResponse) error + Verify(ctx context.Context, in *VerifyRequest, out *VerifyResponse) error Revoke(ctx context.Context, in *RevokeRequest, out *RevokeResponse) error } type Auth struct { 
@@ -116,8 +110,8 @@ func (h *authHandler) Generate(ctx context.Context, in *GenerateRequest, out *Ge return h.AuthHandler.Generate(ctx, in, out) } -func (h *authHandler) Validate(ctx context.Context, in *ValidateRequest, out *ValidateResponse) error { - return h.AuthHandler.Validate(ctx, in, out) +func (h *authHandler) Verify(ctx context.Context, in *VerifyRequest, out *VerifyResponse) error { + return h.AuthHandler.Verify(ctx, in, out) } func (h *authHandler) Revoke(ctx context.Context, in *RevokeRequest, out *RevokeResponse) error { diff --git a/auth/service/proto/auth.proto b/auth/service/proto/auth.proto index 03f8ca76..7f60f8bb 100644 --- a/auth/service/proto/auth.proto +++ b/auth/service/proto/auth.proto @@ -4,47 +4,47 @@ package go.micro.auth; service Auth { rpc Generate(GenerateRequest) returns (GenerateResponse) {}; - rpc Validate(ValidateRequest) returns (ValidateResponse) {}; + rpc Verify(VerifyRequest) returns (VerifyResponse) {}; rpc Revoke(RevokeRequest) returns (RevokeResponse) {}; } message Account{ - string id = 1; - string token = 2; - int64 created = 3; - int64 expiry = 4; - repeated Role roles = 5; + string id = 1; + string token = 2; + int64 created = 3; + int64 expiry = 4; + repeated Role roles = 5; map metadata = 6; } message Role { - string name = 1; - Resource resource = 2; + string name = 1; + Resource resource = 2; } message Resource{ - string name = 1; - string type = 2; + string name = 1; + string type = 2; } message GenerateRequest { - Account account = 1; + Account account = 1; } message GenerateResponse { - Account account = 1; + Account account = 1; } -message ValidateRequest { - string token = 1; +message VerifyRequest { + string token = 1; } -message ValidateResponse { - Account account = 1; +message VerifyResponse { + Account account = 1; } message RevokeRequest { - string token = 1; + string token = 1; } message RevokeResponse {} diff --git a/auth/service/service.go b/auth/service/service.go index 91949c51..6131eda2 100644 
--- a/auth/service/service.go
+++ b/auth/service/service.go
@@ -72,9 +72,9 @@ func (s *svc) Revoke(token string) error {
 	return err
 }
-// Validate an account token
-func (s *svc) Validate(token string) (*auth.Account, error) {
-	resp, err := s.auth.Validate(context.Background(), &pb.ValidateRequest{Token: token})
+// Verify an account token
+func (s *svc) Verify(token string) (*auth.Account, error) {
+	resp, err := s.auth.Verify(context.Background(), &pb.VerifyRequest{Token: token})
 	if err != nil {
 		return nil, err
 	}
diff --git a/auth/store/store.go b/auth/store/store.go
index d53e7a14..3f3f4d42 100644
--- a/auth/store/store.go
+++ b/auth/store/store.go
@@ -7,14 +7,19 @@ import (
 	"github.com/google/uuid"
 	"github.com/micro/go-micro/v2/auth"
-	"github.com/micro/go-micro/v2/errors"
 	"github.com/micro/go-micro/v2/store"
 )
+type Auth struct {
+	store store.Store
+	opts auth.Options
+}
+
 // NewAuth returns an instance of store auth
 func NewAuth(opts ...auth.Option) auth.Auth {
-	options := auth.Options{}
+	var options auth.Options
+
 	for _, o := range opts {
 		o(&options)
 	}
@@ -25,11 +30,6 @@ func NewAuth(opts ...auth.Option) auth.Auth {
 	}
 }
-type Auth struct {
-	store store.Store
-	opts auth.Options
-}
-
 // Init the auth package
 func (a *Auth) Init(opts ...auth.Option) error {
 	for _, o := range opts {
@@ -64,6 +64,7 @@ func (a *Auth) Generate(id string, opts ...auth.GenerateOption) (*auth.Account,
 	}
 	// encode the data to bytes
+	// TODO: replace with json
 	buf := &bytes.Buffer{}
 	e := gob.NewEncoder(buf)
 	if err := e.Encode(sa); err != nil {
@@ -102,8 +103,8 @@ func (a *Auth) Revoke(token string) error {
 	return nil
 }
-// Validate an account token
-func (a *Auth) Validate(token string) (*auth.Account, error) {
+// Verify an account token
+func (a *Auth) Verify(token string) (*auth.Account, error) {
 	// lookup the record by token
 	records, err := a.store.Read(token, store.ReadSuffix())
 	if err == store.ErrNotFound || len(records) == 0 {
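Review bot: The store Verify goes straight to `a.store.Read(token, store.ReadSuffix())` with no guard for an empty token, whereas the jwt implementation rejects `token == ""` up front; the AuthHandler wrapper calls Verify with an empty string whenever no Authorization header is present. If ReadSuffix matches every key ending with the given string, as its name suggests (confirm against the store package), an empty token matches every stored record and the first one is accepted, so reject empty input before the lookup with `if len(token) == 0 { return nil, ErrMissingToken }` using a sentinel defined in this package (the jwt package's ErrMissingToken is the model), and prefer an exact-key read over a suffix match where the store supports it. Verify's body continues outside the hunk.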
@@ -113,6 +114,7 @@ func (a *Auth) Validate(token string) (*auth.Account, error) {
 	}
 	// decode the result
+	// TODO: replace with json
 	b := bytes.NewBuffer(records[0].Value)
 	decoder := gob.NewDecoder(b)
 	var sa auth.Account
diff --git a/client/grpc/grpc.go b/client/grpc/grpc.go
index cefb3150..0905eac9 100644
--- a/client/grpc/grpc.go
+++ b/client/grpc/grpc.go
@@ -18,7 +18,6 @@ import (
 	"github.com/micro/go-micro/v2/errors"
 	"github.com/micro/go-micro/v2/metadata"
 	"github.com/micro/go-micro/v2/registry"
-	"github.com/micro/go-micro/v2/util/config"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
@@ -129,10 +128,6 @@ func (g *grpcClient) call(ctx context.Context, node *registry.Node, req client.R
 	header["timeout"] = fmt.Sprintf("%d", opts.RequestTimeout)
 	// set the content type for the request
 	header["x-content-type"] = req.ContentType()
-	// set the authorization token if one is saved locally
-	if token, err := config.Get("token"); err == nil && len(token) > 0 {
-		header["authorization"] = fmt.Sprintf("Bearer %v", token)
-	}
 	md := gmetadata.New(header)
 	ctx = gmetadata.NewOutgoingContext(ctx, md)
diff --git a/config/cmd/cmd.go b/config/cmd/cmd.go
index 894cceb9..fbb253dc 100644
--- a/config/cmd/cmd.go
+++ b/config/cmd/cmd.go
@@ -249,6 +249,11 @@ var (
 			EnvVars: []string{"MICRO_AUTH"},
 			Usage: "Auth for role based access control, e.g. service",
 		},
+		&cli.StringFlag{
+			Name: "auth_token",
+			EnvVars: []string{"MICRO_AUTH_TOKEN"},
+			Usage: "Auth token used for client authentication",
+		},
 		&cli.StringFlag{
 			Name: "auth_public_key",
 			EnvVars: []string{"MICRO_AUTH_PUBLIC_KEY"},
@@ -606,6 +611,10 @@ func (c *cmd) Before(ctx *cli.Context) error {
 		}
 	}
+	if len(ctx.String("auth_token")) > 0 {
+		authOpts = append(authOpts, auth.Token(ctx.String("auth_token")))
+	}
+
 	if len(ctx.String("auth_public_key")) > 0 {
 		authOpts = append(authOpts, auth.PublicKey(ctx.String("auth_public_key")))
 	}
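Review bot: The new `auth_token` flag in cmd.go accepts the bearer token on the command line as well as from MICRO_AUTH_TOKEN; a secret passed as a flag is visible to every local user through the process list and usually ends up in shell history, which the environment variable avoids. Either make the Usage string steer operators toward the variable, e.g. `Usage: "Auth token used for client authentication (prefer MICRO_AUTH_TOKEN over passing the flag)"`, or drop the flag form and keep the env binding only. The Before hunk that appends `auth.Token(ctx.String("auth_token"))` mirrors the other auth options and needs no change.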
@@ -615,7 +624,7 @@ func (c *cmd) Before(ctx *cli.Context) error {
 	}
 	if len(ctx.StringSlice("auth_exclude")) > 0 {
-		authOpts = append(authOpts, auth.Excludes(ctx.StringSlice("auth_exclude")...))
+		authOpts = append(authOpts, auth.Exclude(ctx.StringSlice("auth_exclude")...))
 	}
 	if len(authOpts) > 0 {
diff --git a/service.go b/service.go
index d9fe2ca6..3ce750ae 100644
--- a/service.go
+++ b/service.go
@@ -17,6 +17,7 @@ import (
 	log "github.com/micro/go-micro/v2/logger"
 	"github.com/micro/go-micro/v2/plugin"
 	"github.com/micro/go-micro/v2/server"
+	"github.com/micro/go-micro/v2/util/config"
 	"github.com/micro/go-micro/v2/util/wrapper"
 )
@@ -37,7 +38,7 @@ func newService(opts ...Option) Service {
 	authFn := func() auth.Auth { return service.opts.Auth }
 	// wrap client to inject From-Service header on any calls
-	options.Client = wrapper.FromService(serviceName, options.Client)
+	options.Client = wrapper.FromService(serviceName, options.Client, authFn)
 	options.Client = wrapper.TraceCall(serviceName, trace.DefaultTracer, options.Client)
 	// wrap the server to provide handler stats
@@ -102,6 +103,14 @@ func (s *service) Init(opts ...Option) {
 		); err != nil {
 			log.Fatal(err)
 		}
+
+		// TODO: replace Cmd.Init with config.Load
+		// Right now we're just going to load a token
+		// May need to re-read value on change
+		// TODO: should be scoped to micro/auth/token
+		if tk, _ := config.Get("token"); len(tk) > 0 {
+			s.opts.Auth.Init(auth.Token(tk))
+		}
 	})
 }
diff --git a/util/wrapper/wrapper.go b/util/wrapper/wrapper.go
index b9c4275f..b83aeca0 100644
--- a/util/wrapper/wrapper.go
+++ b/util/wrapper/wrapper.go
@@ -15,6 +15,10 @@ import (
 type clientWrapper struct {
 	client.Client
+
+	// Auth interface
+	auth func() auth.Auth
+
 	// headers to inject
 	headers metadata.Metadata
 }
@@ -27,7 +31,7 @@ type traceWrapper struct {
 var (
 	HeaderPrefix = "Micro-"
-	BearerSchema = "Bearer "
+	BearerScheme = "Bearer "
 )
 func (c *clientWrapper) setHeaders(ctx context.Context) context.Context {
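Review bot: The new block in service.go's Init discards both error results: `config.Get("token")` is read with `_`, and the error returned by `s.opts.Auth.Init(auth.Token(tk))` is dropped entirely, so a token that the auth implementation rejects is silently ignored while the service carries on unauthenticated. Suggest `if err := s.opts.Auth.Init(auth.Token(tk)); err != nil { log.Fatal(err) }` to match how the Cmd.Init error is handled a few lines above, and a one-line comment saying why the config.Get error is intentionally best-effort if that is the design. Whether s.opts.Auth can be nil at this point is not visible in the hunk; if it can, a nil check is needed before the call. Init's body starts outside the hunk.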
@@ -35,6 +39,15 @@ func (c *clientWrapper) setHeaders(ctx context.Context) context.Context {
 	mda, _ := metadata.FromContext(ctx)
 	md := metadata.Copy(mda)
+	// get auth token
+	if a := c.auth(); a != nil {
+		tk := a.Options().Token
+		// if the token if exists and auth header isn't set then set it
+		if len(tk) > 0 && len(md["Authorization"]) == 0 {
+			md["Authorization"] = BearerScheme + tk
+		}
+	}
+
 	// set headers
 	for k, v := range c.headers {
 		if _, ok := md[k]; !ok {
@@ -75,10 +88,11 @@ func (c *traceWrapper) Call(ctx context.Context, req client.Request, rsp interfa
 	return err
 }
-// FromService wraps a client to inject From-Service header into metadata
-func FromService(name string, c client.Client) client.Client {
+// FromService wraps a client to inject service and auth metadata
+func FromService(name string, c client.Client, fn func() auth.Auth) client.Client {
 	return &clientWrapper{
 		c,
+		fn,
 		metadata.Metadata{
 			HeaderPrefix + "From-Service": name,
 		},
@@ -151,7 +165,7 @@ func AuthHandler(fn func() auth.Auth) server.HandlerWrapper {
 	}
 	// Exclude any user excluded endpoints
-	for _, e := range a.Options().Excludes {
+	for _, e := range a.Options().Exclude {
 		if e == req.Endpoint() {
 			return h(ctx, req, rsp)
 		}
@@ -162,15 +176,15 @@ func AuthHandler(fn func() auth.Auth) server.HandlerWrapper {
 	var token string
 	if header, ok := metadata.Get(ctx, "Authorization"); ok {
 		// Ensure the correct scheme is being used
-		if !strings.HasPrefix(header, BearerSchema) {
+		if !strings.HasPrefix(header, BearerScheme) {
 			return errors.Unauthorized("go.micro.auth", "invalid authorization header. expected Bearer schema")
 		}
-		token = header[len(BearerSchema):]
+		token = header[len(BearerScheme):]
 	}
-	// Validate the token
-	if _, err := a.Validate(token); err != nil {
+	// Verify the token
+	if _, err := a.Verify(token); err != nil {
 		return errors.Unauthorized("go.micro.auth", err.Error())
 	}
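Review bot: setHeaders invokes `c.auth()` unconditionally and only nil-checks its result, so a clientWrapper constructed without the new auth field (anything building the struct directly, as wrapper_test.go does) panics on a nil func; guard with `if c.auth != nil {` around the call, or document on the field that it must be non-nil. The comment `// if the token if exists and auth header isn't set then set it` has a stray "if" and could also state the scope of what it does: the service token is now attached to every outgoing call through this client, whatever the callee, unless the caller already set Authorization — worth a line such as `// the service token is sent to every callee of this client; do not route third-party traffic through it`. In the last AuthHandler hunk, `errors.Unauthorized("go.micro.auth", err.Error())` returns whatever Verify produced to the remote caller, and with the jwt Verify in this commit now surfacing base64 decode errors of the configured key, that exposes server configuration state; map to a fixed message there and log the detail locally. AuthHandler's body starts and ends outside the hunks.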
diff --git a/util/wrapper/wrapper_test.go b/util/wrapper/wrapper_test.go
index b45fb86b..7fb99bf3 100644
--- a/util/wrapper/wrapper_test.go
+++ b/util/wrapper/wrapper_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"testing"
+	"github.com/micro/go-micro/v2/auth"
 	"github.com/micro/go-micro/v2/metadata"
 )
@@ -33,6 +34,7 @@ func TestWrapper(t *testing.T) {
 	for _, d := range testData {
 		c := &clientWrapper{
+			auth: func() auth.Auth { return nil },
 			headers: d.headers,
 		}
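Review bot: The only auth func the test installs is `func() auth.Auth { return nil }`, so the new token-injection branch in setHeaders is never exercised. Add a case whose auth func returns an implementation with Options().Token set and assert that the resulting md["Authorization"] equals BearerScheme plus the token, and a second case where the incoming context already carries Authorization to check it is not overwritten. TestWrapper's body continues outside the hunk.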