From 856c73b3419a0513ac9395ec57a1353d004df3ed Mon Sep 17 00:00:00 2001
From: Ben Toogood
Date: Thu, 21 May 2020 14:56:17 +0100
Subject: [PATCH] Remove roles (replaced with scope)

---
 auth/auth.go | 39 +-------
 auth/auth_test.go | 30 -------
 auth/default.go | 1 -
 auth/jwt/jwt.go | 6 --
 auth/options.go | 9 --
 auth/rules/rules.go | 20 ++---
 auth/service/proto/auth.pb.go | 147 +++++++++++++++------------------
 auth/service/proto/auth.proto | 8 +-
 auth/service/service.go | 35 +------
 auth/token/basic/basic_test.go | 8 +-
 auth/token/jwt/jwt.go | 4 +-
 auth/token/jwt/jwt_test.go | 8 +-
 util/auth/auth.go | 4 +-
 13 files changed, 93 insertions(+), 226 deletions(-)
 delete mode 100644 auth/auth_test.go

diff --git a/auth/auth.go b/auth/auth.go
index 07a9ddab..1bedc944 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -4,7 +4,6 @@ package auth
 import (
 "context"
 "errors"
- "strings"
 "time"
 )
@@ -14,7 +13,7 @@ const BearerScheme = "Bearer "
 var (
 // ErrInvalidToken is when the token provided is not valid
 ErrInvalidToken = errors.New("invalid token provided")
- // ErrForbidden is when a user does not have the necessary roles or scoeps to access a resource
+ // ErrForbidden is when a user does not have the necessary scope to access a resource
 ErrForbidden = errors.New("resource forbidden")
 )
@@ -50,8 +49,6 @@ type Account struct {
 Type string `json:"type"`
 // Provider who issued the account
 Provider string `json:"provider"`
- // Roles associated with the Account
- Roles []string `json:"roles"`
 // Any other associated metadata
 Metadata map[string]string `json:"metadata"`
 // Scopes the account has access to
@@ -60,36 +57,6 @@ type Account struct {
 Secret string `json:"secret"`
 }
-// HasScope returns a boolean indicating if the account has the given scope
-func (a *Account) HasScope(scopes ...string) bool {
- if a.Scopes == nil {
- return false
- }
-
- for _, s := range a.Scopes {
- if s == strings.Join(scopes, ".") {
- return true
- }
- }
-
- return false
-}
-
-// HasRole returns a boolean indicating if the account has the given role
-func (a *Account) HasRole(role string) bool {
- if a.Roles == nil {
- return false
- }
-
- for _, r := range a.Roles {
- if r == role {
- return true
- }
- }
-
- return false
-}
-
 // Token can be short or long lived
 type Token struct {
 // The token to be used for accessing resources
@@ -131,9 +98,9 @@ const (
 type Rule struct {
 // ID of the rule, e.g. "public"
 ID string
- // Role the rule requires, a blank role indicates open to the public and * indicates the rule
+ // Scope the rule requires, a blank scope indicates open to the public and * indicates the rule
 // applies to any valid account
- Role string
+ Scope string
 // Resource the rule applies to
 Resource *Resource
 // Access determines if the rule grants or denies access to the resource
diff --git a/auth/auth_test.go b/auth/auth_test.go
deleted file mode 100644
index 7985ff76..00000000
--- a/auth/auth_test.go
+++ /dev/null
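Review bot: `Account` loses `HasScope` and `HasRole` together with the only tests that exercised scope matching (auth_test.go is deleted in the next hunk) and nothing replaces them, so `Account.Scopes`, now the sole authorization attribute on the account, is left with no helper and no test; a small test of rules.Verify against accounts with and without the required scope would close that gap. The `Rule.Scope` comment covers the blank and `*` cases but not how any other value is matched against `Account.Scopes`; I would extend it to `// Scope the rule requires: blank means open to the public, * means any valid account, any other value must appear verbatim in Account.Scopes`, which presumes the exact membership test that rules.go's include() call appears to implement. The Rule struct continues past the end of the hunk.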
@@ -1,30 +0,0 @@
-package auth
-
-import "testing"
-
-func TestHasScope(t *testing.T) {
- if new(Account).HasScope("namespace", "foo") {
- t.Errorf("Expected the blank account to not have a role")
- }
-
- acc := Account{Scopes: []string{"namespace.foo"}}
- if !acc.HasScope("namespace", "foo") {
- t.Errorf("Expected the account to have the namespace.foo role")
- }
- if acc.HasScope("namespace", "bar") {
- t.Errorf("Expected the account to not have the namespace.bar role")
- }
-}
-func TestHasRole(t *testing.T) {
- if new(Account).HasRole("foo") {
- t.Errorf("Expected the blank account to not have a role")
- }
-
- acc := Account{Roles: []string{"foo"}}
- if !acc.HasRole("foo") {
- t.Errorf("Expected the account to have the foo role")
- }
- if acc.HasRole("bar") {
- t.Errorf("Expected the account to not have the bar role")
- }
-}
diff --git a/auth/default.go b/auth/default.go
index ac0ae534..668edbd3 100644
--- a/auth/default.go
+++ b/auth/default.go
@@ -50,7 +50,6 @@ func (n *noop) Generate(id string, opts ...GenerateOption) (*Account, error) {
 return &Account{
 ID: id,
- Roles: options.Roles,
 Secret: options.Secret,
 Metadata: options.Metadata,
 Scopes: options.Scopes,
diff --git a/auth/jwt/jwt.go b/auth/jwt/jwt.go
index 4dafc7e3..2736ee5b 100644
--- a/auth/jwt/jwt.go
+++ b/auth/jwt/jwt.go
@@ -17,11 +17,6 @@ func NewAuth(opts ...auth.Option) auth.Auth {
 return j
 }
-type rule struct {
- role string
- resource *auth.Resource
-}
-
 type jwt struct {
 options auth.Options
 jwt token.Provider
@@ -59,7 +54,6 @@ func (j *jwt) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
 account := &auth.Account{
 ID: id,
 Type: options.Type,
- Roles: options.Roles,
 Scopes: options.Scopes,
 Provider: options.Provider,
 Metadata: options.Metadata,
diff --git a/auth/options.go b/auth/options.go
index 2dd6cc48..6d13a756 100644
--- a/auth/options.go
+++ b/auth/options.go
@@ -121,8 +121,6 @@ func WithClient(c client.Client) Option {
 type GenerateOptions struct {
 // Metadata associated with the account
 Metadata map[string]string
- // Roles/scopes associated with the account
- Roles []string
 // Scopes the account has access too
 Scopes []string
 // Provider of the account, e.g. oauth
@@ -156,13 +154,6 @@ func WithMetadata(md map[string]string) GenerateOption {
 }
 }
-// WithRoles for the generated account
-func WithRoles(rs ...string) GenerateOption {
- return func(o *GenerateOptions) {
- o.Roles = rs
- }
-}
-
 // WithScopes for the generated account
 func WithScopes(s ...string) GenerateOption {
 return func(o *GenerateOptions) {
diff --git a/auth/rules/rules.go b/auth/rules/rules.go
index bfe3594b..16dff5b3 100644
--- a/auth/rules/rules.go
+++ b/auth/rules/rules.go
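Review bot: `WithRoles` is an exported option and is deleted outright rather than deprecated, so every external caller breaks at compile time with no migration hint; if a transition period matters, keep it as a thin wrapper marked `// Deprecated: use WithScopes instead.` that forwards to `WithScopes(rs...)`, which is only correct if a role string and a scope string are meant to be the same thing, something the commit title implies but the code does not state. The surviving context comment `// Scopes the account has access too` has a typo and should read `// Scopes the account has access to`. Both the GenerateOptions struct and WithScopes continue outside the hunk.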
@@ -50,29 +50,29 @@ func Verify(namespace string, rules []*auth.Rule, acc *auth.Account, res *auth.R
 // loop through the rules and check for a rule which applies to this account
 for _, rule := range filteredRules {
- // a blank role indicates the rule applies to everyone, even nil accounts
- if rule.Role == "" && rule.Access == auth.AccessDenied {
+ // a blank scope indicates the rule applies to everyone, even nil accounts
+ if rule.Scope == "" && rule.Access == auth.AccessDenied {
 return auth.ErrForbidden
- } else if rule.Role == "" && rule.Access == auth.AccessGranted {
+ } else if rule.Scope == "" && rule.Access == auth.AccessGranted {
 return nil
 }
- // all further checks require an account within the current scope
- if acc == nil || !acc.HasScope("namespace", namespace) {
+ // all further checks require an account
+ if acc == nil {
 continue
 }
 // this rule applies to any account
- if rule.Role == "*" && rule.Access == auth.AccessDenied {
+ if rule.Scope == "*" && rule.Access == auth.AccessDenied {
 return auth.ErrForbidden
- } else if rule.Role == "" && rule.Access == auth.AccessGranted {
+ } else if rule.Scope == "" && rule.Access == auth.AccessGranted {
 return nil
 }
- // if the account has the necessary role
- if include(acc.Roles, rule.Role) && rule.Access == auth.AccessDenied {
+ // if the account has the necessary scope
+ if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessDenied {
 return auth.ErrForbidden
- } else if rule.Role == "" && rule.Access == auth.AccessGranted {
+ } else if rule.Scope == "" && rule.Access == auth.AccessGranted {
 return nil
 }
 }
diff --git a/auth/service/proto/auth.pb.go b/auth/service/proto/auth.pb.go
index 8a6e4ea5..97f3a7b9 100644
--- a/auth/service/proto/auth.pb.go
+++ b/auth/service/proto/auth.pb.go
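Review bot: The rename carries forward a condition that makes every grant rule for `*` or for a named scope dead: in the second and third blocks the `else if` still tests `rule.Scope == ""`, but any blank-scope rule has already returned in the first block, so a rule with Scope `*` or a scope the account holds and `auth.AccessGranted` never returns nil and the loop simply moves on. The intended lines are `} else if rule.Scope == "*" && rule.Access == auth.AccessGranted {` in the second block and `} else if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessGranted {` in the third. Separately, dropping `!acc.HasScope("namespace", namespace)` means an account issued for any namespace now satisfies `*` and scope rules evaluated for this one; if tenant isolation is still expected it must now be enforced where filteredRules is built or at token issuance, and a comment here should say where. What Verify returns after the loop is outside the hunk, so I cannot tell whether a fallen-through grant ends as a deny.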
@@ -188,7 +188,6 @@ func (m *Token) GetExpiry() int64 { type Account struct { Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` Type string `protobuf:"bytes,2,opt,name=type,proto3" json:"type,omitempty"` - Roles []string `protobuf:"bytes,3,rep,name=roles,proto3" json:"roles,omitempty"` Metadata map[string]string `protobuf:"bytes,4,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` Scopes []string `protobuf:"bytes,5,rep,name=scopes,proto3" json:"scopes,omitempty"` Provider string `protobuf:"bytes,6,opt,name=provider,proto3" json:"provider,omitempty"` @@ -237,13 +236,6 @@ func (m *Account) GetType() string { return "" } -func (m *Account) GetRoles() []string { - if m != nil { - return m.Roles - } - return nil -} - func (m *Account) GetMetadata() map[string]string { if m != nil { return m.Metadata @@ -329,7 +321,6 @@ func (m *Resource) GetEndpoint() string { type GenerateRequest struct { Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` - Roles []string `protobuf:"bytes,2,rep,name=roles,proto3" json:"roles,omitempty"` Metadata map[string]string `protobuf:"bytes,3,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` Scopes []string `protobuf:"bytes,4,rep,name=scopes,proto3" json:"scopes,omitempty"` Secret string `protobuf:"bytes,5,opt,name=secret,proto3" json:"secret,omitempty"` @@ -372,13 +363,6 @@ func (m *GenerateRequest) GetId() string { return "" } -func (m *GenerateRequest) GetRoles() []string { - if m != nil { - return m.Roles - } - return nil -} - func (m *GenerateRequest) GetMetadata() map[string]string { if m != nil { return m.Metadata 
@@ -454,7 +438,7 @@ func (m *GenerateResponse) GetAccount() *Account { } type GrantRequest struct { - Role string `protobuf:"bytes,1,opt,name=role,proto3" json:"role,omitempty"` + Scope string `protobuf:"bytes,1,opt,name=scope,proto3" json:"scope,omitempty"` Resource *Resource `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` @@ -486,9 +470,9 @@ func (m *GrantRequest) XXX_DiscardUnknown() { var xxx_messageInfo_GrantRequest proto.InternalMessageInfo -func (m *GrantRequest) GetRole() string { +func (m *GrantRequest) GetScope() string { if m != nil { - return m.Role + return m.Scope } return "" } @@ -532,7 +516,7 @@ func (m *GrantResponse) XXX_DiscardUnknown() { var xxx_messageInfo_GrantResponse proto.InternalMessageInfo type RevokeRequest struct { - Role string `protobuf:"bytes,1,opt,name=role,proto3" json:"role,omitempty"` + Scope string `protobuf:"bytes,1,opt,name=scope,proto3" json:"scope,omitempty"` Resource *Resource `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` @@ -564,9 +548,9 @@ func (m *RevokeRequest) XXX_DiscardUnknown() { var xxx_messageInfo_RevokeRequest proto.InternalMessageInfo -func (m *RevokeRequest) GetRole() string { +func (m *RevokeRequest) GetScope() string { if m != nil { - return m.Role + return m.Scope } return "" } 
@@ -791,7 +775,7 @@ func (m *TokenResponse) GetToken() *Token { type Rule struct { Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` - Role string `protobuf:"bytes,2,opt,name=role,proto3" json:"role,omitempty"` + Scope string `protobuf:"bytes,2,opt,name=scope,proto3" json:"scope,omitempty"` Resource *Resource `protobuf:"bytes,3,opt,name=resource,proto3" json:"resource,omitempty"` Access Access `protobuf:"varint,4,opt,name=access,proto3,enum=go.micro.auth.Access" json:"access,omitempty"` Priority int32 `protobuf:"varint,5,opt,name=priority,proto3" json:"priority,omitempty"` @@ -832,9 +816,9 @@ func (m *Rule) GetId() string { return "" } -func (m *Rule) GetRole() string { +func (m *Rule) GetScope() string { if m != nil { - return m.Role + return m.Scope } return "" } 
@@ -1101,63 +1085,62 @@ func init() { func init() { proto.RegisterFile("auth/service/proto/auth.proto", fileDescriptor_21300bfacc51fc2a) } var fileDescriptor_21300bfacc51fc2a = []byte{ - // 890 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x56, 0xdd, 0x8e, 0xdb, 0x44, - 0x14, 0x5e, 0xff, 0xc4, 0xc9, 0x9e, 0xc4, 0xbb, 0xd1, 0x74, 0x5b, 0xac, 0x94, 0x6d, 0xb7, 0x2e, - 0x82, 0xa5, 0x82, 0x2c, 0x4a, 0x6f, 0x0a, 0xbd, 0x61, 0xd5, 0x44, 0xa1, 0x85, 0x06, 0x61, 0x15, - 0x95, 0x1b, 0x54, 0x19, 0xe7, 0xc0, 0x5a, 0x9b, 0xb5, 0xc3, 0xcc, 0x38, 0x22, 0x37, 0x48, 0xbc, - 0x00, 0x8f, 0xc0, 0x03, 0xf0, 0x4c, 0xdc, 0xf3, 0x1a, 0x68, 0xfe, 0xbc, 0xb1, 0xe3, 0x54, 0x2b, - 0xe0, 0x6e, 0xce, 0xcc, 0x77, 0xce, 0x9c, 0xef, 0x3b, 0x67, 0x8e, 0x0d, 0xc7, 0x71, 0xc1, 0x2f, - 0xce, 0x18, 0xd2, 0x55, 0x9a, 0xe0, 0xd9, 0x92, 0xe6, 0x3c, 0x3f, 0x13, 0x5b, 0x43, 0xb9, 0x24, - 0xfe, 0x4f, 0xf9, 0xf0, 0x2a, 0x4d, 0x68, 0x3e, 0x14, 0x9b, 0xe1, 0x6d, 0xb8, 0xf5, 0x55, 0xca, - 0xf8, 0x79, 0x92, 0xe4, 0x45, 0xc6, 0x59, 0x84, 0x3f, 0x17, 0xc8, 0x78, 0xf8, 0x02, 0x8e, 0xaa, - 0xdb, 0x6c, 0x99, 0x67, 0x0c, 0xc9, 0x08, 0x3a, 0xb1, 0xde, 0x0b, 0xac, 0x13, 0xe7, 0xb4, 0x3b, - 0xba, 0x33, 0xac, 0x04, 0x1c, 0x6a, 0x97, 0xa8, 0xc4, 0x85, 0xbf, 0x59, 0xd0, 0x7a, 0x95, 0x5f, - 0x62, 0x46, 0x1e, 0x40, 0x2f, 0x4e, 0x12, 0x64, 0xec, 0x0d, 0x17, 0x76, 0x60, 0x9d, 0x58, 0xa7, - 0xfb, 0x51, 0x57, 0xed, 0x29, 0xc8, 0x43, 0xf0, 0x29, 0xfe, 0x48, 0x91, 0x5d, 0x68, 0x8c, 0x2d, - 0x31, 0x3d, 0xbd, 0xa9, 0x40, 0x01, 0xb4, 0x13, 0x8a, 0x31, 0xc7, 0x79, 0xe0, 0x9c, 0x58, 0xa7, - 0x4e, 0x64, 0x4c, 0x72, 0x07, 0x3c, 0xfc, 0x65, 0x99, 0xd2, 0x75, 0xe0, 0xca, 0x03, 0x6d, 0x85, - 0xbf, 0xdb, 0xd0, 0xd6, 0x99, 0x91, 0x03, 0xb0, 0xd3, 0xb9, 0xbe, 0xdb, 0x4e, 0xe7, 0x84, 0x80, - 0xcb, 0xd7, 0x4b, 0xd4, 0x37, 0xc9, 0x35, 0x39, 0x82, 0x16, 0xcd, 0x17, 0xc8, 0x02, 0xe7, 0xc4, - 0x39, 0xdd, 0x8f, 0x94, 0x41, 0x3e, 0x87, 0xce, 0x15, 0xf2, 0x78, 0x1e, 0xf3, 0x38, 0x70, 0x25, - 
0xfb, 0xf7, 0x9a, 0xd9, 0x0f, 0x5f, 0x6a, 0xd8, 0x24, 0xe3, 0x74, 0x1d, 0x95, 0x5e, 0x22, 0x3f, - 0x96, 0xe4, 0x4b, 0x64, 0x41, 0x4b, 0x06, 0xd6, 0x16, 0x19, 0x40, 0x67, 0x49, 0xf3, 0x55, 0x3a, - 0x47, 0x1a, 0x78, 0x32, 0x8f, 0xd2, 0x96, 0x3e, 0x98, 0x50, 0xe4, 0x41, 0x5b, 0x9e, 0x68, 0x6b, - 0xf0, 0x14, 0xfc, 0xca, 0x35, 0xa4, 0x0f, 0xce, 0x25, 0xae, 0x35, 0x33, 0xb1, 0x14, 0x34, 0x56, - 0xf1, 0xa2, 0x30, 0xdc, 0x94, 0xf1, 0x99, 0xfd, 0xc4, 0x0a, 0x67, 0xd0, 0x89, 0x90, 0xe5, 0x05, - 0x4d, 0x50, 0x08, 0x90, 0xc5, 0x57, 0xa8, 0x1d, 0xe5, 0xba, 0x51, 0x94, 0x01, 0x74, 0x30, 0x9b, - 0x2f, 0xf3, 0x34, 0xe3, 0x52, 0xf7, 0xfd, 0xa8, 0xb4, 0xc3, 0x3f, 0x6c, 0x38, 0x9c, 0x62, 0x86, - 0x34, 0xe6, 0xa8, 0x9b, 0x68, 0x4b, 0xe8, 0x52, 0x54, 0x7b, 0x53, 0xd4, 0x2f, 0x36, 0x44, 0x75, - 0xa4, 0xa8, 0x1f, 0xd5, 0x44, 0xad, 0xc5, 0xbd, 0x81, 0xb8, 0x6e, 0x45, 0xdc, 0x6b, 0x01, 0x5b, - 0x9b, 0x02, 0x96, 0x1c, 0xbd, 0x2a, 0xc7, 0xb2, 0x10, 0xed, 0x6a, 0x21, 0xfe, 0x9b, 0xe0, 0x63, - 0xe8, 0x5f, 0xf3, 0xd0, 0xaf, 0xe9, 0x13, 0x68, 0xeb, 0x57, 0x22, 0x63, 0xec, 0x7e, 0x4c, 0x06, - 0x16, 0xbe, 0x86, 0xde, 0x94, 0xc6, 0x19, 0x37, 0x12, 0x13, 0x70, 0x85, 0x8a, 0xa6, 0x74, 0x62, - 0x4d, 0x1e, 0x43, 0x87, 0xea, 0xd2, 0xca, 0x34, 0xba, 0xa3, 0x77, 0x6a, 0x61, 0x4d, 0xe5, 0xa3, - 0x12, 0x18, 0x1e, 0x82, 0xaf, 0x03, 0xab, 0xdc, 0xc2, 0xef, 0xc0, 0x8f, 0x70, 0x95, 0x5f, 0xe2, - 0xff, 0x7e, 0x55, 0x1f, 0x0e, 0x4c, 0x64, 0x7d, 0xd7, 0xfb, 0x70, 0xf0, 0x3c, 0x63, 0x4b, 0x4c, - 0x4a, 0x5e, 0x47, 0xd0, 0xda, 0x1c, 0x11, 0xca, 0x08, 0x9f, 0xc1, 0x61, 0x89, 0xfb, 0xd7, 0x12, - 0xfe, 0x0a, 0x3d, 0x39, 0x45, 0x76, 0x75, 0xe9, 0x75, 0xb7, 0xd8, 0x95, 0x6e, 0xd9, 0x9a, 0x4c, - 0x4e, 0xc3, 0x64, 0x7a, 0x00, 0x3d, 0x79, 0xf8, 0xa6, 0x32, 0x85, 0xba, 0x72, 0x6f, 0xa2, 0x46, - 0xd1, 0x53, 0xf0, 0xf5, 0xfd, 0x9a, 0xc2, 0xa3, 0x4d, 0xae, 0xdd, 0xd1, 0x51, 0x8d, 0x80, 0x02, - 0x6b, 0x05, 0xfe, 0xb4, 0xc0, 0x8d, 0x8a, 0x05, 0x36, 0x0d, 0x31, 0x59, 0x1d, 0x7b, 0x47, 0x75, - 0x9c, 0x1b, 0x56, 0x87, 0x7c, 0x0c, 
0x9e, 0x9a, 0xc7, 0x32, 0xf7, 0x83, 0xd1, 0xed, 0x6d, 0x3d, - 0x91, 0xb1, 0x48, 0x83, 0xd4, 0x7b, 0x49, 0x73, 0x9a, 0xf2, 0xb5, 0x7c, 0x5d, 0xad, 0xa8, 0xb4, - 0xc3, 0x27, 0xe0, 0x3f, 0x93, 0x73, 0xd9, 0x48, 0xfd, 0x01, 0xb8, 0xb4, 0xd0, 0x2d, 0xd4, 0x1d, - 0xdd, 0xaa, 0x27, 0x53, 0x2c, 0x30, 0x92, 0x00, 0xd1, 0x22, 0xc6, 0x53, 0xb7, 0xc8, 0x7d, 0xf0, - 0xc7, 0xb8, 0xc0, 0x9d, 0xc3, 0x45, 0xb8, 0x18, 0x80, 0x76, 0xf1, 0xa1, 0x2b, 0xbe, 0x61, 0xe6, - 0x93, 0xf6, 0x29, 0xf4, 0x94, 0xa9, 0x65, 0xff, 0x10, 0x5a, 0xe2, 0x2e, 0xf3, 0x1d, 0x6b, 0xcc, - 0x46, 0x21, 0x1e, 0x0d, 0xc1, 0x53, 0xb4, 0x49, 0x17, 0xda, 0xdf, 0xce, 0xbe, 0x9c, 0x7d, 0xfd, - 0x7a, 0xd6, 0xdf, 0x13, 0xc6, 0x34, 0x3a, 0x9f, 0xbd, 0x9a, 0x8c, 0xfb, 0x16, 0x01, 0xf0, 0xc6, - 0x93, 0xd9, 0xf3, 0xc9, 0xb8, 0x6f, 0x8f, 0xfe, 0xb6, 0xc0, 0x3d, 0x2f, 0xf8, 0x05, 0x79, 0x09, - 0x1d, 0xf3, 0xe8, 0xc9, 0xbd, 0xb7, 0x4f, 0xb5, 0xc1, 0xfd, 0x9d, 0xe7, 0x9a, 0xcf, 0x1e, 0x79, - 0x01, 0x6d, 0xdd, 0xff, 0xe4, 0xb8, 0x86, 0xae, 0xbe, 0x9f, 0xc1, 0xbd, 0x5d, 0xc7, 0x65, 0xac, - 0xb1, 0xf9, 0x28, 0xdf, 0x6d, 0xec, 0x37, 0x1d, 0xe7, 0xdd, 0xe6, 0x43, 0x13, 0x65, 0xf4, 0x3d, - 0x74, 0xcc, 0x3f, 0x02, 0xf9, 0x06, 0x5c, 0x21, 0x30, 0x09, 0x6b, 0x3e, 0x0d, 0xff, 0x17, 0x83, - 0x87, 0x6f, 0xc5, 0x94, 0xe1, 0xff, 0xb2, 0xa0, 0x25, 0x0a, 0xc1, 0xc8, 0x14, 0x3c, 0xd5, 0x11, - 0xa4, 0x9e, 0x52, 0xa5, 0xc5, 0x06, 0xc7, 0x3b, 0x4e, 0x4b, 0xde, 0x53, 0xf0, 0x54, 0x9f, 0x6c, - 0x05, 0xaa, 0xf4, 0xd7, 0x56, 0xa0, 0x5a, 0x73, 0xed, 0x91, 0x73, 0x4d, 0x77, 0xd0, 0x40, 0xc5, - 0x04, 0xb9, 0xdb, 0x78, 0x66, 0x42, 0xfc, 0xe0, 0xc9, 0x5f, 0xb2, 0xc7, 0xff, 0x04, 0x00, 0x00, - 0xff, 0xff, 0x27, 0x7b, 0xf3, 0x60, 0xb3, 0x09, 0x00, 0x00, + // 871 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x56, 0x5f, 0x8f, 0xdb, 0x44, + 0x10, 0x3f, 0xe7, 0x8f, 0x93, 0x9b, 0xc4, 0x77, 0xd1, 0xf6, 0x5a, 0xac, 0x94, 0x6b, 0xaf, 0x2e, + 0x82, 0xa3, 0x82, 0x1c, 0x4a, 0x5f, 0x0a, 0x7d, 0xe1, 0xd4, 
0x44, 0xa1, 0x85, 0x06, 0x61, 0x15, + 0x21, 0x90, 0x50, 0x65, 0x9c, 0x81, 0xb3, 0x2e, 0x67, 0x9b, 0xdd, 0x75, 0x44, 0x5e, 0x90, 0x78, + 0xe3, 0xc3, 0xf0, 0x91, 0x78, 0xe7, 0x2b, 0xf0, 0x88, 0xbc, 0x3b, 0xeb, 0x8b, 0x1d, 0xa7, 0x3a, + 0x81, 0x78, 0xf3, 0xec, 0xfe, 0x76, 0x66, 0x7e, 0xbf, 0x9d, 0x99, 0x35, 0x1c, 0x07, 0x99, 0xbc, + 0x38, 0x13, 0xc8, 0x57, 0x51, 0x88, 0x67, 0x29, 0x4f, 0x64, 0x72, 0x96, 0x2f, 0x8d, 0xd4, 0x27, + 0x73, 0x7e, 0x4a, 0x46, 0x57, 0x51, 0xc8, 0x93, 0x51, 0xbe, 0xe8, 0xdd, 0x86, 0x5b, 0x5f, 0x44, + 0x42, 0x9e, 0x87, 0x61, 0x92, 0xc5, 0x52, 0xf8, 0xf8, 0x73, 0x86, 0x42, 0x7a, 0x2f, 0xe0, 0xa8, + 0xbc, 0x2c, 0xd2, 0x24, 0x16, 0xc8, 0xc6, 0xd0, 0x0d, 0x68, 0xcd, 0xb5, 0x4e, 0x9a, 0xa7, 0xbd, + 0xf1, 0x9d, 0x51, 0xc9, 0xe1, 0x88, 0x8e, 0xf8, 0x05, 0xce, 0xfb, 0xcd, 0x82, 0xf6, 0xab, 0xe4, + 0x12, 0x63, 0xf6, 0x00, 0xfa, 0x41, 0x18, 0xa2, 0x10, 0xaf, 0x65, 0x6e, 0xbb, 0xd6, 0x89, 0x75, + 0xba, 0xef, 0xf7, 0xf4, 0x9a, 0x86, 0x3c, 0x04, 0x87, 0xe3, 0x8f, 0x1c, 0xc5, 0x05, 0x61, 0x1a, + 0x0a, 0xd3, 0xa7, 0x45, 0x0d, 0x72, 0xa1, 0x13, 0x72, 0x0c, 0x24, 0x2e, 0xdc, 0xe6, 0x89, 0x75, + 0xda, 0xf4, 0x8d, 0xc9, 0xee, 0x80, 0x8d, 0xbf, 0xa4, 0x11, 0x5f, 0xbb, 0x2d, 0xb5, 0x41, 0x96, + 0xf7, 0xb7, 0x05, 0x1d, 0xca, 0x8c, 0x1d, 0x40, 0x23, 0x5a, 0x50, 0xec, 0x46, 0xb4, 0x60, 0x0c, + 0x5a, 0x72, 0x9d, 0x22, 0x45, 0x52, 0xdf, 0xec, 0x53, 0xe8, 0x5e, 0xa1, 0x0c, 0x16, 0x81, 0x0c, + 0xdc, 0x96, 0xe2, 0xf9, 0x4e, 0x3d, 0xcf, 0xd1, 0x4b, 0x82, 0x4d, 0x63, 0xc9, 0xd7, 0x7e, 0x71, + 0x2a, 0xcf, 0x44, 0x84, 0x49, 0x8a, 0xc2, 0x6d, 0x9f, 0x34, 0x4f, 0xf7, 0x7d, 0xb2, 0xd8, 0x10, + 0xba, 0x29, 0x4f, 0x56, 0xd1, 0x02, 0xb9, 0x6b, 0xab, 0x88, 0x85, 0xad, 0xce, 0x60, 0xc8, 0x51, + 0xba, 0x1d, 0xb5, 0x43, 0xd6, 0xf0, 0x29, 0x38, 0xa5, 0x30, 0x6c, 0x00, 0xcd, 0x4b, 0x5c, 0x13, + 0x87, 0xfc, 0x93, 0x1d, 0x41, 0x7b, 0x15, 0x2c, 0x33, 0xc3, 0x42, 0x1b, 0x9f, 0x34, 0x9e, 0x58, + 0xde, 0x1c, 0xba, 0x3e, 0x8a, 0x24, 0xe3, 0x21, 0xe6, 0x54, 0xe3, 0xe0, 0x0a, 0xe9, 0xa0, 0xfa, + 
0xae, 0xa5, 0x3f, 0x84, 0x2e, 0xc6, 0x8b, 0x34, 0x89, 0x62, 0xa9, 0x14, 0xde, 0xf7, 0x0b, 0xdb, + 0xfb, 0xbd, 0x01, 0x87, 0x33, 0x8c, 0x91, 0x07, 0x12, 0xa9, 0x5c, 0xb6, 0x24, 0xfd, 0x6c, 0x43, + 0xbe, 0xa6, 0x92, 0xef, 0x83, 0x8a, 0x7c, 0x15, 0x0f, 0x37, 0x90, 0xb1, 0x55, 0x92, 0xf1, 0x5a, + 0xaa, 0xf6, 0xa6, 0x54, 0x05, 0x1b, 0xbb, 0xcc, 0xa6, 0x90, 0xbc, 0x53, 0x96, 0xfc, 0xbf, 0x49, + 0x3b, 0x81, 0xc1, 0x35, 0x0f, 0xea, 0x90, 0x8f, 0xa0, 0x43, 0x95, 0xaf, 0x7c, 0xec, 0x6e, 0x10, + 0x03, 0xf3, 0xbe, 0x85, 0xfe, 0x8c, 0x07, 0xb1, 0x34, 0x62, 0x1e, 0x41, 0x5b, 0x91, 0xa4, 0x1c, + 0xb4, 0xc1, 0x1e, 0x43, 0x97, 0xd3, 0x35, 0xaa, 0x44, 0x7a, 0xe3, 0xb7, 0x2a, 0x8e, 0xcd, 0x2d, + 0xfb, 0x05, 0xd0, 0x3b, 0x04, 0x87, 0x5c, 0xeb, 0xec, 0xbc, 0xef, 0xc0, 0xf1, 0x71, 0x95, 0x5c, + 0xe2, 0xff, 0x10, 0x6c, 0x00, 0x07, 0xc6, 0x37, 0x45, 0x7b, 0x17, 0x0e, 0x9e, 0xc7, 0x22, 0xc5, + 0x70, 0x93, 0xdb, 0x66, 0xeb, 0x6b, 0xc3, 0x7b, 0x06, 0x87, 0x05, 0xee, 0x5f, 0xcb, 0xf8, 0x2b, + 0xf4, 0xd5, 0x74, 0xd8, 0x55, 0x93, 0xd7, 0x15, 0xd3, 0x28, 0x55, 0xcc, 0xd6, 0xc4, 0x69, 0xd6, + 0x4c, 0x9c, 0x07, 0xd0, 0x57, 0x9b, 0xaf, 0x4b, 0xd3, 0xa5, 0xa7, 0xd6, 0xa6, 0x7a, 0xc4, 0x3c, + 0x05, 0x87, 0xe2, 0x13, 0x85, 0x47, 0x9b, 0x5c, 0x7b, 0xe3, 0xa3, 0x0a, 0x01, 0x0d, 0x26, 0x05, + 0xfe, 0xb0, 0xa0, 0xe5, 0x67, 0x4b, 0xdc, 0xca, 0xba, 0xb8, 0x9f, 0xc6, 0xae, 0xfb, 0x69, 0xde, + 0xf0, 0x7e, 0xd8, 0x87, 0x60, 0xeb, 0x49, 0xab, 0xb2, 0x3f, 0x18, 0xdf, 0xde, 0x56, 0x14, 0x85, + 0xf0, 0x09, 0xa4, 0xbb, 0x26, 0x4a, 0x78, 0x24, 0xd7, 0xaa, 0xc7, 0xda, 0x7e, 0x61, 0x7b, 0x4f, + 0xc0, 0x79, 0xa6, 0x26, 0xae, 0x11, 0xfb, 0x3d, 0x68, 0xf1, 0x6c, 0x89, 0x44, 0xf5, 0x56, 0x35, + 0x99, 0x6c, 0x89, 0xbe, 0x02, 0xe4, 0x45, 0x62, 0x4e, 0x52, 0x91, 0xdc, 0x07, 0x67, 0x82, 0x4b, + 0xdc, 0x39, 0x4c, 0xf2, 0x23, 0x06, 0x40, 0x47, 0x1c, 0xe8, 0xe5, 0xaf, 0x93, 0x79, 0xac, 0x3e, + 0x86, 0xbe, 0x36, 0x49, 0xf8, 0xf7, 0xa1, 0x9d, 0xc7, 0x32, 0x2f, 0x54, 0x6d, 0x36, 0x1a, 0xf1, + 0x68, 0x04, 0xb6, 0xa6, 0xcd, 0x7a, 
0xd0, 0xf9, 0x7a, 0xfe, 0xf9, 0xfc, 0xcb, 0x6f, 0xe6, 0x83, + 0xbd, 0xdc, 0x98, 0xf9, 0xe7, 0xf3, 0x57, 0xd3, 0xc9, 0xc0, 0x62, 0x00, 0xf6, 0x64, 0x3a, 0x7f, + 0x3e, 0x9d, 0x0c, 0x1a, 0xe3, 0xbf, 0x2c, 0x68, 0x9d, 0x67, 0xf2, 0x82, 0xbd, 0x84, 0xae, 0x69, + 0x7d, 0x76, 0xef, 0xcd, 0xb3, 0x6d, 0x78, 0x7f, 0xe7, 0x3e, 0xf1, 0xd9, 0x63, 0x2f, 0xa0, 0x43, + 0x1d, 0xc0, 0x8e, 0x2b, 0xe8, 0x72, 0x07, 0x0d, 0xef, 0xed, 0xda, 0x2e, 0x7c, 0x4d, 0xcc, 0x73, + 0x7b, 0xb7, 0xb6, 0xe2, 0xc8, 0xcf, 0xdb, 0xf5, 0x9b, 0xc6, 0xcb, 0xf8, 0x7b, 0xe8, 0x9a, 0xd7, + 0x9f, 0x7d, 0x05, 0xad, 0x5c, 0x60, 0xe6, 0x55, 0xce, 0xd4, 0xfc, 0x39, 0x0c, 0x1f, 0xbe, 0x11, + 0x53, 0xb8, 0xff, 0xd3, 0x82, 0x76, 0x7e, 0x11, 0x82, 0xcd, 0xc0, 0xd6, 0x15, 0xc1, 0xaa, 0x29, + 0x95, 0x4a, 0x6c, 0x78, 0xbc, 0x63, 0xb7, 0xe0, 0x3d, 0x03, 0x5b, 0xd7, 0xc9, 0x96, 0xa3, 0x52, + 0x7d, 0x6d, 0x39, 0xaa, 0x14, 0xd7, 0x1e, 0x3b, 0x27, 0xba, 0xc3, 0x1a, 0x2a, 0xc6, 0xc9, 0xdd, + 0xda, 0x3d, 0xe3, 0xe2, 0x07, 0x5b, 0xfd, 0x6c, 0x3d, 0xfe, 0x27, 0x00, 0x00, 0xff, 0xff, 0xda, + 0xef, 0x0e, 0x5f, 0x8d, 0x09, 0x00, 0x00, } // Reference imports to suppress errors if they are not otherwise used. diff --git a/auth/service/proto/auth.proto b/auth/service/proto/auth.proto index 56ddaade..79635f0c 100644 --- a/auth/service/proto/auth.proto +++ b/auth/service/proto/auth.proto @@ -35,7 +35,6 @@ message Token { message Account { string id = 1; string type = 2; - repeated string roles = 3; map metadata = 4; repeated string scopes = 5; string provider = 6; @@ -50,7 +49,6 @@ message Resource{ message GenerateRequest { string id = 1; - repeated string roles = 2; map metadata = 3; repeated string scopes = 4; string secret = 5; @@ -63,14 +61,14 @@ message GenerateResponse { } message GrantRequest { - string role = 1; + string scope = 1; Resource resource = 2; } message GrantResponse {} message RevokeRequest { - string role = 1; + string scope = 1; Resource resource = 2; } 
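Review bot: Removing `repeated string roles = 3` from Account and `repeated string roles = 2` from GenerateRequest frees those field numbers without reserving them, so a field later added at 3 or 2 would be decoded from messages serialized by older binaries as that new field; add `reserved 3; reserved "roles";` to Account and `reserved 2; reserved "roles";` to GenerateRequest. The role-to-scope renames in GrantRequest, RevokeRequest and Rule keep their field numbers, so an older client's `role` value arrives in `scope` unchanged, which is fine if the two are meant to mean the same thing but deserves a sentence in the commit description. auth.pb.go in the preceding hunks would need regenerating once the reserved statements are added.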
@@ -103,7 +101,7 @@ enum Access {
 message Rule {
 string id = 1;
- string role = 2;
+ string scope = 2;
 Resource resource = 3;
 Access access = 4;
 int32 priority = 5;
diff --git a/auth/service/service.go b/auth/service/service.go
index fb77d9b0..c6586ecb 100644
--- a/auth/service/service.go
+++ b/auth/service/service.go
@@ -65,7 +65,6 @@ func (s *svc) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
 Id: id,
 Type: options.Type,
 Secret: options.Secret,
- Roles: options.Roles,
 Scopes: options.Scopes,
 Metadata: options.Metadata,
 Provider: options.Provider,
@@ -82,7 +81,7 @@ func (s *svc) Grant(rule *auth.Rule) error {
 _, err := s.rule.Create(context.TODO(), &pb.CreateRequest{
 Rule: &pb.Rule{
 Id: rule.ID,
- Role: rule.Role,
+ Scope: rule.Scope,
 Priority: rule.Priority,
 Access: pb.Access_GRANTED,
 Resource: &pb.Resource{
@@ -156,35 +155,6 @@ func (s *svc) Token(opts ...auth.TokenOption) (*auth.Token, error) {
 return serializeToken(rsp.Token), nil
 }
-var ruleJoinKey = ":"
-
-// accessForRule returns a rule status, indicating if a rule permits access to a
-// resource for a given account
-func accessForRule(rule *pb.Rule, acc *auth.Account, res *auth.Resource) pb.Access {
- // a blank role permits access to the public
- if rule.Role == "" {
- return rule.Access
- }
-
- // a * role permits access to any user
- if rule.Role == "*" && acc != nil {
- return rule.Access
- }
-
- for _, role := range acc.Roles {
- if rule.Role == role {
- return rule.Access
- }
-
- // allow user.anything if role is user.*
- if strings.HasSuffix(rule.Role, ".*") && strings.HasPrefix(rule.Role, role+".") {
- return rule.Access
- }
- }
-
- return pb.Access_UNKNOWN
-}
-
 // loadRules retrieves the rules from the auth service. Since this implementation is used by micro
 // clients, which support muti-tenancy we may have to persist rules in multiple namespaces.
 func (s *svc) loadRules(namespace string) {
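Review bot: Deleting `accessForRule` removes the only visible uses of `strings` (HasSuffix and HasPrefix) in service.go; if nothing else in the file references the package the import block no longer compiles and the `strings` import must go too, which I cannot confirm from the hunk because the imports are outside it. The helper, presumably already unused since no caller is touched, also accepted a `user.*`-style prefix wildcard, whereas the surviving `include(acc.Scopes, rule.Scope)` in rules.go appears to be a plain membership test; if any stored rules use the `.*` form they silently stop matching, so that narrowing of rule semantics belongs in the commit description. loadRules begins at the end of the hunk and continues outside it.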
@@ -206,7 +176,7 @@ func (s *svc) loadRules(namespace string) {
 rules = append(rules, &auth.Rule{
 ID: r.Id,
- Role: r.Role,
+ Scope: r.Scope,
 Access: access,
 Priority: r.Priority,
 Resource: &auth.Resource{
@@ -244,7 +214,6 @@ func serializeToken(t *pb.Token) *auth.Token {
 func serializeAccount(a *pb.Account) *auth.Account {
 return &auth.Account{
 ID: a.Id,
- Roles: a.Roles,
 Secret: a.Secret,
 Metadata: a.Metadata,
 Provider: a.Provider,
diff --git a/auth/token/basic/basic_test.go b/auth/token/basic/basic_test.go
index 127e201d..dd07bce1 100644
--- a/auth/token/basic/basic_test.go
+++ b/auth/token/basic/basic_test.go
@@ -32,10 +32,10 @@ func TestInspect(t *testing.T) {
 t.Run("Valid token", func(t *testing.T) {
 md := map[string]string{"foo": "bar"}
- roles := []string{"admin"}
+ scopes := []string{"admin"}
 subject := "test"
- tok, err := b.Generate(&auth.Account{ID: subject, Roles: roles, Metadata: md})
+ tok, err := b.Generate(&auth.Account{ID: subject, Scopes: scopes, Metadata: md})
 if err != nil {
 t.Fatalf("Generate returned %v error, expected nil", err)
 }
@@ -47,8 +47,8 @@ func TestInspect(t *testing.T) {
 if tok2.ID != subject {
 t.Errorf("Inspect returned %v as the token subject, expected %v", tok2.ID, subject)
 }
- if len(tok2.Roles) != len(roles) {
- t.Errorf("Inspect returned %v roles, expected %v", len(tok2.Roles), len(roles))
+ if len(tok2.Scopes) != len(scopes) {
+ t.Errorf("Inspect returned %v scopes, expected %v", len(tok2.Scopes), len(scopes))
 }
 if len(tok2.Metadata) != len(md) {
 t.Errorf("Inspect returned %v as the token metadata, expected %v", tok2.Metadata, md)
diff --git a/auth/token/jwt/jwt.go b/auth/token/jwt/jwt.go
index 01f35391..1e865d64 100644
--- a/auth/token/jwt/jwt.go
+++ b/auth/token/jwt/jwt.go
@@ -12,7 +12,6 @@ import (
 // authClaims to be encoded in the JWT
 type authClaims struct {
 Type string `json:"type"`
- Roles []string `json:"roles"`
 Scopes []string `json:"scopes"`
 Provider string `json:"provider"`
 Metadata map[string]string `json:"metadata"`
@@ -52,7 +51,7 @@ func (j *JWT) Generate(acc *auth.Account, opts ...token.GenerateOption) (*token.
 // generate the JWT
 expiry := time.Now().Add(options.Expiry)
 t := jwt.NewWithClaims(jwt.SigningMethodRS256, authClaims{
- acc.Type, acc.Roles, acc.Scopes, acc.Provider, acc.Metadata, jwt.StandardClaims{
+ acc.Type, acc.Scopes, acc.Provider, acc.Metadata, jwt.StandardClaims{
 Subject: acc.ID,
 ExpiresAt: expiry.Unix(),
 },
@@ -99,7 +98,6 @@ func (j *JWT) Inspect(t string) (*auth.Account, error) {
 return &auth.Account{
 ID: claims.Subject,
 Type: claims.Type,
- Roles: claims.Roles,
 Scopes: claims.Scopes,
 Provider: claims.Provider,
 Metadata: claims.Metadata,
diff --git a/auth/token/jwt/jwt_test.go b/auth/token/jwt/jwt_test.go
index 5d4b5591..a0281637 100644
--- a/auth/token/jwt/jwt_test.go
+++ b/auth/token/jwt/jwt_test.go
@@ -42,10 +42,10 @@ func TestInspect(t *testing.T) {
 t.Run("Valid token", func(t *testing.T) {
 md := map[string]string{"foo": "bar"}
- roles := []string{"admin"}
+ scopes := []string{"admin"}
 subject := "test"
- acc := &auth.Account{ID: subject, Roles: roles, Metadata: md}
+ acc := &auth.Account{ID: subject, Scopes: scopes, Metadata: md}
 tok, err := j.Generate(acc)
 if err != nil {
 t.Fatalf("Generate returned %v error, expected nil", err)
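Review bot: The `authClaims` literal in Generate is still positional, which is exactly why this commit had to touch it: dropping `Roles` shifted every following argument, and the next field change would silently reassign values whenever two neighbouring fields share a type, something `go vet`'s composites check does not catch for a type declared in the same package. Switch to keyed fields so the literal no longer depends on declaration order; the rewrite below assumes the fifth field is an embedded `jwt.StandardClaims`, which the hunk implies but does not show. Tokens minted before this change still carry a `roles` claim that Inspect now ignores, which is the fail-closed direction, but a one-line comment on authClaims saying so would save the next reader a search. Generate and Inspect both continue outside the hunk.
```go
	t := jwt.NewWithClaims(jwt.SigningMethodRS256, authClaims{
		Type:     acc.Type,
		Scopes:   acc.Scopes,
		Provider: acc.Provider,
		Metadata: acc.Metadata,
		StandardClaims: jwt.StandardClaims{
			Subject:   acc.ID,
			ExpiresAt: expiry.Unix(),
		},
	})
	// … unchanged: signing and return …
```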
@@ -58,8 +58,8 @@ func TestInspect(t *testing.T) {
 if acc.ID != subject {
 t.Errorf("Inspect returned %v as the token subject, expected %v", acc.ID, subject)
 }
- if len(tok2.Roles) != len(roles) {
- t.Errorf("Inspect returned %v roles, expected %v", len(tok2.Roles), len(roles))
+ if len(tok2.Scopes) != len(scopes) {
+ t.Errorf("Inspect returned %v scopes, expected %v", len(tok2.Scopes), len(scopes))
 }
 if len(tok2.Metadata) != len(md) {
 t.Errorf("Inspect returned %v as the token metadata, expected %v", tok2.Metadata, md)
diff --git a/util/auth/auth.go b/util/auth/auth.go
index 4c7eaa34..e26a6f1f 100644
--- a/util/auth/auth.go
+++ b/util/auth/auth.go
@@ -18,12 +18,10 @@ func Generate(id string, name string, a auth.Auth) error {
 // if no credentials were provided, generate an account
 if len(accID) == 0 || len(accSecret) == 0 {
 name := fmt.Sprintf("%v-%v", name, id)
- scope := "namespace." + a.Options().Namespace
 opts := []auth.GenerateOption{
 auth.WithType("service"),
- auth.WithRoles("service"),
- auth.WithScopes(scope),
+ auth.WithScopes("service"),
 }
 acc, err := a.Generate(name, opts...)
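Review bot: Generated service accounts no longer carry the `namespace.<ns>` scope that `scope := "namespace." + a.Options().Namespace` used to add, and with the rules.go hunk no longer checking it, nothing left in this diff ties a service account to the namespace it was created in. If multi-tenant isolation is still meant to hold, either keep that scope alongside the new one, `auth.WithScopes("service", "namespace."+a.Options().Namespace)`, or add a comment here naming where the namespace binding now lives (the token issuer, the rule filter, or elsewhere). The `name := fmt.Sprintf(...)` context line shadows the `name` parameter, which predates this change but is worth a rename while the block is being edited. Generate continues past the end of the hunk.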