Remove roles (replaced with scope)

This commit is contained in:
Ben Toogood 2020-05-21 14:56:17 +01:00
parent 4de19805ba
commit 856c73b341
13 changed files with 93 additions and 226 deletions

View File

@ -4,7 +4,6 @@ package auth
import ( import (
"context" "context"
"errors" "errors"
"strings"
"time" "time"
) )
@ -14,7 +13,7 @@ const BearerScheme = "Bearer "
var ( var (
// ErrInvalidToken is when the token provided is not valid // ErrInvalidToken is when the token provided is not valid
ErrInvalidToken = errors.New("invalid token provided") ErrInvalidToken = errors.New("invalid token provided")
// ErrForbidden is when a user does not have the necessary roles or scoeps to access a resource // ErrForbidden is when a user does not have the necessary scope to access a resource
ErrForbidden = errors.New("resource forbidden") ErrForbidden = errors.New("resource forbidden")
) )
@ -50,8 +49,6 @@ type Account struct {
Type string `json:"type"` Type string `json:"type"`
// Provider who issued the account // Provider who issued the account
Provider string `json:"provider"` Provider string `json:"provider"`
// Roles associated with the Account
Roles []string `json:"roles"`
// Any other associated metadata // Any other associated metadata
Metadata map[string]string `json:"metadata"` Metadata map[string]string `json:"metadata"`
// Scopes the account has access to // Scopes the account has access to
@ -60,36 +57,6 @@ type Account struct {
Secret string `json:"secret"` Secret string `json:"secret"`
} }
// HasScope returns a boolean indicating if the account has the given scope
func (a *Account) HasScope(scopes ...string) bool {
if a.Scopes == nil {
return false
}
for _, s := range a.Scopes {
if s == strings.Join(scopes, ".") {
return true
}
}
return false
}
// HasRole returns a boolean indicating if the account has the given role
func (a *Account) HasRole(role string) bool {
if a.Roles == nil {
return false
}
for _, r := range a.Roles {
if r == role {
return true
}
}
return false
}
// Token can be short or long lived // Token can be short or long lived
type Token struct { type Token struct {
// The token to be used for accessing resources // The token to be used for accessing resources
@ -131,9 +98,9 @@ const (
type Rule struct { type Rule struct {
// ID of the rule, e.g. "public" // ID of the rule, e.g. "public"
ID string ID string
// Role the rule requires, a blank role indicates open to the public and * indicates the rule // Scope the rule requires, a blank scope indicates open to the public and * indicates the rule
// applies to any valid account // applies to any valid account
Role string Scope string
// Resource the rule applies to // Resource the rule applies to
Resource *Resource Resource *Resource
// Access determines if the rule grants or denies access to the resource // Access determines if the rule grants or denies access to the resource

View File

@ -1,30 +0,0 @@
package auth
import "testing"
func TestHasScope(t *testing.T) {
if new(Account).HasScope("namespace", "foo") {
t.Errorf("Expected the blank account to not have a role")
}
acc := Account{Scopes: []string{"namespace.foo"}}
if !acc.HasScope("namespace", "foo") {
t.Errorf("Expected the account to have the namespace.foo role")
}
if acc.HasScope("namespace", "bar") {
t.Errorf("Expected the account to not have the namespace.bar role")
}
}
func TestHasRole(t *testing.T) {
if new(Account).HasRole("foo") {
t.Errorf("Expected the blank account to not have a role")
}
acc := Account{Roles: []string{"foo"}}
if !acc.HasRole("foo") {
t.Errorf("Expected the account to have the foo role")
}
if acc.HasRole("bar") {
t.Errorf("Expected the account to not have the bar role")
}
}

View File

@ -50,7 +50,6 @@ func (n *noop) Generate(id string, opts ...GenerateOption) (*Account, error) {
return &Account{ return &Account{
ID: id, ID: id,
Roles: options.Roles,
Secret: options.Secret, Secret: options.Secret,
Metadata: options.Metadata, Metadata: options.Metadata,
Scopes: options.Scopes, Scopes: options.Scopes,

View File

@ -17,11 +17,6 @@ func NewAuth(opts ...auth.Option) auth.Auth {
return j return j
} }
type rule struct {
role string
resource *auth.Resource
}
type jwt struct { type jwt struct {
options auth.Options options auth.Options
jwt token.Provider jwt token.Provider
@ -59,7 +54,6 @@ func (j *jwt) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
account := &auth.Account{ account := &auth.Account{
ID: id, ID: id,
Type: options.Type, Type: options.Type,
Roles: options.Roles,
Scopes: options.Scopes, Scopes: options.Scopes,
Provider: options.Provider, Provider: options.Provider,
Metadata: options.Metadata, Metadata: options.Metadata,

View File

@ -121,8 +121,6 @@ func WithClient(c client.Client) Option {
type GenerateOptions struct { type GenerateOptions struct {
// Metadata associated with the account // Metadata associated with the account
Metadata map[string]string Metadata map[string]string
// Roles/scopes associated with the account
Roles []string
// Scopes the account has access too // Scopes the account has access too
Scopes []string Scopes []string
// Provider of the account, e.g. oauth // Provider of the account, e.g. oauth
@ -156,13 +154,6 @@ func WithMetadata(md map[string]string) GenerateOption {
} }
} }
// WithRoles for the generated account
func WithRoles(rs ...string) GenerateOption {
return func(o *GenerateOptions) {
o.Roles = rs
}
}
// WithScopes for the generated account // WithScopes for the generated account
func WithScopes(s ...string) GenerateOption { func WithScopes(s ...string) GenerateOption {
return func(o *GenerateOptions) { return func(o *GenerateOptions) {

View File

@ -50,29 +50,29 @@ func Verify(namespace string, rules []*auth.Rule, acc *auth.Account, res *auth.R
// loop through the rules and check for a rule which applies to this account // loop through the rules and check for a rule which applies to this account
for _, rule := range filteredRules { for _, rule := range filteredRules {
// a blank role indicates the rule applies to everyone, even nil accounts // a blank scope indicates the rule applies to everyone, even nil accounts
if rule.Role == "" && rule.Access == auth.AccessDenied { if rule.Scope == "" && rule.Access == auth.AccessDenied {
return auth.ErrForbidden return auth.ErrForbidden
} else if rule.Role == "" && rule.Access == auth.AccessGranted { } else if rule.Scope == "" && rule.Access == auth.AccessGranted {
return nil return nil
} }
// all further checks require an account within the current scope // all further checks require an account
if acc == nil || !acc.HasScope("namespace", namespace) { if acc == nil {
continue continue
} }
// this rule applies to any account // this rule applies to any account
if rule.Role == "*" && rule.Access == auth.AccessDenied { if rule.Scope == "*" && rule.Access == auth.AccessDenied {
return auth.ErrForbidden return auth.ErrForbidden
} else if rule.Role == "" && rule.Access == auth.AccessGranted { } else if rule.Scope == "" && rule.Access == auth.AccessGranted {
return nil return nil
} }
// if the account has the necessary role // if the account has the necessary scope
if include(acc.Roles, rule.Role) && rule.Access == auth.AccessDenied { if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessDenied {
return auth.ErrForbidden return auth.ErrForbidden
} else if rule.Role == "" && rule.Access == auth.AccessGranted { } else if rule.Scope == "" && rule.Access == auth.AccessGranted {
return nil return nil
} }
} }

View File

@ -188,7 +188,6 @@ func (m *Token) GetExpiry() int64 {
type Account struct { type Account struct {
Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
Type string `protobuf:"bytes,2,opt,name=type,proto3" json:"type,omitempty"` Type string `protobuf:"bytes,2,opt,name=type,proto3" json:"type,omitempty"`
Roles []string `protobuf:"bytes,3,rep,name=roles,proto3" json:"roles,omitempty"`
Metadata map[string]string `protobuf:"bytes,4,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` Metadata map[string]string `protobuf:"bytes,4,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
Scopes []string `protobuf:"bytes,5,rep,name=scopes,proto3" json:"scopes,omitempty"` Scopes []string `protobuf:"bytes,5,rep,name=scopes,proto3" json:"scopes,omitempty"`
Provider string `protobuf:"bytes,6,opt,name=provider,proto3" json:"provider,omitempty"` Provider string `protobuf:"bytes,6,opt,name=provider,proto3" json:"provider,omitempty"`
@ -237,13 +236,6 @@ func (m *Account) GetType() string {
return "" return ""
} }
func (m *Account) GetRoles() []string {
if m != nil {
return m.Roles
}
return nil
}
func (m *Account) GetMetadata() map[string]string { func (m *Account) GetMetadata() map[string]string {
if m != nil { if m != nil {
return m.Metadata return m.Metadata
@ -329,7 +321,6 @@ func (m *Resource) GetEndpoint() string {
type GenerateRequest struct { type GenerateRequest struct {
Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
Roles []string `protobuf:"bytes,2,rep,name=roles,proto3" json:"roles,omitempty"`
Metadata map[string]string `protobuf:"bytes,3,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` Metadata map[string]string `protobuf:"bytes,3,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
Scopes []string `protobuf:"bytes,4,rep,name=scopes,proto3" json:"scopes,omitempty"` Scopes []string `protobuf:"bytes,4,rep,name=scopes,proto3" json:"scopes,omitempty"`
Secret string `protobuf:"bytes,5,opt,name=secret,proto3" json:"secret,omitempty"` Secret string `protobuf:"bytes,5,opt,name=secret,proto3" json:"secret,omitempty"`
@ -372,13 +363,6 @@ func (m *GenerateRequest) GetId() string {
return "" return ""
} }
func (m *GenerateRequest) GetRoles() []string {
if m != nil {
return m.Roles
}
return nil
}
func (m *GenerateRequest) GetMetadata() map[string]string { func (m *GenerateRequest) GetMetadata() map[string]string {
if m != nil { if m != nil {
return m.Metadata return m.Metadata
@ -454,7 +438,7 @@ func (m *GenerateResponse) GetAccount() *Account {
} }
type GrantRequest struct { type GrantRequest struct {
Role string `protobuf:"bytes,1,opt,name=role,proto3" json:"role,omitempty"` Scope string `protobuf:"bytes,1,opt,name=scope,proto3" json:"scope,omitempty"`
Resource *Resource `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"` Resource *Resource `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"` XXX_unrecognized []byte `json:"-"`
@ -486,9 +470,9 @@ func (m *GrantRequest) XXX_DiscardUnknown() {
var xxx_messageInfo_GrantRequest proto.InternalMessageInfo var xxx_messageInfo_GrantRequest proto.InternalMessageInfo
func (m *GrantRequest) GetRole() string { func (m *GrantRequest) GetScope() string {
if m != nil { if m != nil {
return m.Role return m.Scope
} }
return "" return ""
} }
@ -532,7 +516,7 @@ func (m *GrantResponse) XXX_DiscardUnknown() {
var xxx_messageInfo_GrantResponse proto.InternalMessageInfo var xxx_messageInfo_GrantResponse proto.InternalMessageInfo
type RevokeRequest struct { type RevokeRequest struct {
Role string `protobuf:"bytes,1,opt,name=role,proto3" json:"role,omitempty"` Scope string `protobuf:"bytes,1,opt,name=scope,proto3" json:"scope,omitempty"`
Resource *Resource `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"` Resource *Resource `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"` XXX_unrecognized []byte `json:"-"`
@ -564,9 +548,9 @@ func (m *RevokeRequest) XXX_DiscardUnknown() {
var xxx_messageInfo_RevokeRequest proto.InternalMessageInfo var xxx_messageInfo_RevokeRequest proto.InternalMessageInfo
func (m *RevokeRequest) GetRole() string { func (m *RevokeRequest) GetScope() string {
if m != nil { if m != nil {
return m.Role return m.Scope
} }
return "" return ""
} }
@ -791,7 +775,7 @@ func (m *TokenResponse) GetToken() *Token {
type Rule struct { type Rule struct {
Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
Role string `protobuf:"bytes,2,opt,name=role,proto3" json:"role,omitempty"` Scope string `protobuf:"bytes,2,opt,name=scope,proto3" json:"scope,omitempty"`
Resource *Resource `protobuf:"bytes,3,opt,name=resource,proto3" json:"resource,omitempty"` Resource *Resource `protobuf:"bytes,3,opt,name=resource,proto3" json:"resource,omitempty"`
Access Access `protobuf:"varint,4,opt,name=access,proto3,enum=go.micro.auth.Access" json:"access,omitempty"` Access Access `protobuf:"varint,4,opt,name=access,proto3,enum=go.micro.auth.Access" json:"access,omitempty"`
Priority int32 `protobuf:"varint,5,opt,name=priority,proto3" json:"priority,omitempty"` Priority int32 `protobuf:"varint,5,opt,name=priority,proto3" json:"priority,omitempty"`
@ -832,9 +816,9 @@ func (m *Rule) GetId() string {
return "" return ""
} }
func (m *Rule) GetRole() string { func (m *Rule) GetScope() string {
if m != nil { if m != nil {
return m.Role return m.Scope
} }
return "" return ""
} }
@ -1101,63 +1085,62 @@ func init() {
func init() { proto.RegisterFile("auth/service/proto/auth.proto", fileDescriptor_21300bfacc51fc2a) } func init() { proto.RegisterFile("auth/service/proto/auth.proto", fileDescriptor_21300bfacc51fc2a) }
var fileDescriptor_21300bfacc51fc2a = []byte{ var fileDescriptor_21300bfacc51fc2a = []byte{
// 890 bytes of a gzipped FileDescriptorProto // 871 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x56, 0xdd, 0x8e, 0xdb, 0x44, 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x56, 0x5f, 0x8f, 0xdb, 0x44,
0x14, 0x5e, 0xff, 0xc4, 0xc9, 0x9e, 0xc4, 0xbb, 0xd1, 0x74, 0x5b, 0xac, 0x94, 0x6d, 0xb7, 0x2e, 0x10, 0x3f, 0xe7, 0x8f, 0x93, 0x9b, 0xc4, 0x77, 0xd1, 0xf6, 0x5a, 0xac, 0x94, 0x6b, 0xaf, 0x2e,
0x82, 0xa5, 0x82, 0x2c, 0x4a, 0x6f, 0x0a, 0xbd, 0x61, 0xd5, 0x44, 0xa1, 0x85, 0x06, 0x61, 0x15, 0x82, 0xa3, 0x82, 0x1c, 0x4a, 0x5f, 0x0a, 0x7d, 0xe1, 0xd4, 0x44, 0xa1, 0x85, 0x06, 0x61, 0x15,
0x95, 0x1b, 0x54, 0x19, 0xe7, 0xc0, 0x5a, 0x9b, 0xb5, 0xc3, 0xcc, 0x38, 0x22, 0x37, 0x48, 0xbc, 0x21, 0x90, 0x50, 0x65, 0x9c, 0x81, 0xb3, 0x2e, 0x67, 0x9b, 0xdd, 0x75, 0x44, 0x5e, 0x90, 0x78,
0x00, 0x8f, 0xc0, 0x03, 0xf0, 0x4c, 0xdc, 0xf3, 0x1a, 0x68, 0xfe, 0xbc, 0xb1, 0xe3, 0x54, 0x2b, 0xe3, 0xc3, 0xf0, 0x91, 0x78, 0xe7, 0x2b, 0xf0, 0x88, 0xbc, 0x3b, 0xeb, 0x8b, 0x1d, 0xa7, 0x3a,
0xe0, 0x6e, 0xce, 0xcc, 0x77, 0xce, 0x9c, 0xef, 0x3b, 0x67, 0x8e, 0x0d, 0xc7, 0x71, 0xc1, 0x2f, 0x81, 0x78, 0xf3, 0xec, 0xfe, 0x76, 0x66, 0x7e, 0xbf, 0x9d, 0x99, 0x35, 0x1c, 0x07, 0x99, 0xbc,
0xce, 0x18, 0xd2, 0x55, 0x9a, 0xe0, 0xd9, 0x92, 0xe6, 0x3c, 0x3f, 0x13, 0x5b, 0x43, 0xb9, 0x24, 0x38, 0x13, 0xc8, 0x57, 0x51, 0x88, 0x67, 0x29, 0x4f, 0x64, 0x72, 0x96, 0x2f, 0x8d, 0xd4, 0x27,
0xfe, 0x4f, 0xf9, 0xf0, 0x2a, 0x4d, 0x68, 0x3e, 0x14, 0x9b, 0xe1, 0x6d, 0xb8, 0xf5, 0x55, 0xca, 0x73, 0x7e, 0x4a, 0x46, 0x57, 0x51, 0xc8, 0x93, 0x51, 0xbe, 0xe8, 0xdd, 0x86, 0x5b, 0x5f, 0x44,
0xf8, 0x79, 0x92, 0xe4, 0x45, 0xc6, 0x59, 0x84, 0x3f, 0x17, 0xc8, 0x78, 0xf8, 0x02, 0x8e, 0xaa, 0x42, 0x9e, 0x87, 0x61, 0x92, 0xc5, 0x52, 0xf8, 0xf8, 0x73, 0x86, 0x42, 0x7a, 0x2f, 0xe0, 0xa8,
0xdb, 0x6c, 0x99, 0x67, 0x0c, 0xc9, 0x08, 0x3a, 0xb1, 0xde, 0x0b, 0xac, 0x13, 0xe7, 0xb4, 0x3b, 0xbc, 0x2c, 0xd2, 0x24, 0x16, 0xc8, 0xc6, 0xd0, 0x0d, 0x68, 0xcd, 0xb5, 0x4e, 0x9a, 0xa7, 0xbd,
0xba, 0x33, 0xac, 0x04, 0x1c, 0x6a, 0x97, 0xa8, 0xc4, 0x85, 0xbf, 0x59, 0xd0, 0x7a, 0x95, 0x5f, 0xf1, 0x9d, 0x51, 0xc9, 0xe1, 0x88, 0x8e, 0xf8, 0x05, 0xce, 0xfb, 0xcd, 0x82, 0xf6, 0xab, 0xe4,
0x62, 0x46, 0x1e, 0x40, 0x2f, 0x4e, 0x12, 0x64, 0xec, 0x0d, 0x17, 0x76, 0x60, 0x9d, 0x58, 0xa7, 0x12, 0x63, 0xf6, 0x00, 0xfa, 0x41, 0x18, 0xa2, 0x10, 0xaf, 0x65, 0x6e, 0xbb, 0xd6, 0x89, 0x75,
0xfb, 0x51, 0x57, 0xed, 0x29, 0xc8, 0x43, 0xf0, 0x29, 0xfe, 0x48, 0x91, 0x5d, 0x68, 0x8c, 0x2d, 0xba, 0xef, 0xf7, 0xf4, 0x9a, 0x86, 0x3c, 0x04, 0x87, 0xe3, 0x8f, 0x1c, 0xc5, 0x05, 0x61, 0x1a,
0x31, 0x3d, 0xbd, 0xa9, 0x40, 0x01, 0xb4, 0x13, 0x8a, 0x31, 0xc7, 0x79, 0xe0, 0x9c, 0x58, 0xa7, 0x0a, 0xd3, 0xa7, 0x45, 0x0d, 0x72, 0xa1, 0x13, 0x72, 0x0c, 0x24, 0x2e, 0xdc, 0xe6, 0x89, 0x75,
0x4e, 0x64, 0x4c, 0x72, 0x07, 0x3c, 0xfc, 0x65, 0x99, 0xd2, 0x75, 0xe0, 0xca, 0x03, 0x6d, 0x85, 0xda, 0xf4, 0x8d, 0xc9, 0xee, 0x80, 0x8d, 0xbf, 0xa4, 0x11, 0x5f, 0xbb, 0x2d, 0xb5, 0x41, 0x96,
0xbf, 0xdb, 0xd0, 0xd6, 0x99, 0x91, 0x03, 0xb0, 0xd3, 0xb9, 0xbe, 0xdb, 0x4e, 0xe7, 0x84, 0x80, 0xf7, 0xb7, 0x05, 0x1d, 0xca, 0x8c, 0x1d, 0x40, 0x23, 0x5a, 0x50, 0xec, 0x46, 0xb4, 0x60, 0x0c,
0xcb, 0xd7, 0x4b, 0xd4, 0x37, 0xc9, 0x35, 0x39, 0x82, 0x16, 0xcd, 0x17, 0xc8, 0x02, 0xe7, 0xc4, 0x5a, 0x72, 0x9d, 0x22, 0x45, 0x52, 0xdf, 0xec, 0x53, 0xe8, 0x5e, 0xa1, 0x0c, 0x16, 0x81, 0x0c,
0x39, 0xdd, 0x8f, 0x94, 0x41, 0x3e, 0x87, 0xce, 0x15, 0xf2, 0x78, 0x1e, 0xf3, 0x38, 0x70, 0x25, 0xdc, 0x96, 0xe2, 0xf9, 0x4e, 0x3d, 0xcf, 0xd1, 0x4b, 0x82, 0x4d, 0x63, 0xc9, 0xd7, 0x7e, 0x71,
0xfb, 0xf7, 0x9a, 0xd9, 0x0f, 0x5f, 0x6a, 0xd8, 0x24, 0xe3, 0x74, 0x1d, 0x95, 0x5e, 0x22, 0x3f, 0x2a, 0xcf, 0x44, 0x84, 0x49, 0x8a, 0xc2, 0x6d, 0x9f, 0x34, 0x4f, 0xf7, 0x7d, 0xb2, 0xd8, 0x10,
0x96, 0xe4, 0x4b, 0x64, 0x41, 0x4b, 0x06, 0xd6, 0x16, 0x19, 0x40, 0x67, 0x49, 0xf3, 0x55, 0x3a, 0xba, 0x29, 0x4f, 0x56, 0xd1, 0x02, 0xb9, 0x6b, 0xab, 0x88, 0x85, 0xad, 0xce, 0x60, 0xc8, 0x51,
0x47, 0x1a, 0x78, 0x32, 0x8f, 0xd2, 0x96, 0x3e, 0x98, 0x50, 0xe4, 0x41, 0x5b, 0x9e, 0x68, 0x6b, 0xba, 0x1d, 0xb5, 0x43, 0xd6, 0xf0, 0x29, 0x38, 0xa5, 0x30, 0x6c, 0x00, 0xcd, 0x4b, 0x5c, 0x13,
0xf0, 0x14, 0xfc, 0xca, 0x35, 0xa4, 0x0f, 0xce, 0x25, 0xae, 0x35, 0x33, 0xb1, 0x14, 0x34, 0x56, 0x87, 0xfc, 0x93, 0x1d, 0x41, 0x7b, 0x15, 0x2c, 0x33, 0xc3, 0x42, 0x1b, 0x9f, 0x34, 0x9e, 0x58,
0xf1, 0xa2, 0x30, 0xdc, 0x94, 0xf1, 0x99, 0xfd, 0xc4, 0x0a, 0x67, 0xd0, 0x89, 0x90, 0xe5, 0x05, 0xde, 0x1c, 0xba, 0x3e, 0x8a, 0x24, 0xe3, 0x21, 0xe6, 0x54, 0xe3, 0xe0, 0x0a, 0xe9, 0xa0, 0xfa,
0x4d, 0x50, 0x08, 0x90, 0xc5, 0x57, 0xa8, 0x1d, 0xe5, 0xba, 0x51, 0x94, 0x01, 0x74, 0x30, 0x9b, 0xae, 0xa5, 0x3f, 0x84, 0x2e, 0xc6, 0x8b, 0x34, 0x89, 0x62, 0xa9, 0x14, 0xde, 0xf7, 0x0b, 0xdb,
0x2f, 0xf3, 0x34, 0xe3, 0x52, 0xf7, 0xfd, 0xa8, 0xb4, 0xc3, 0x3f, 0x6c, 0x38, 0x9c, 0x62, 0x86, 0xfb, 0xbd, 0x01, 0x87, 0x33, 0x8c, 0x91, 0x07, 0x12, 0xa9, 0x5c, 0xb6, 0x24, 0xfd, 0x6c, 0x43,
0x34, 0xe6, 0xa8, 0x9b, 0x68, 0x4b, 0xe8, 0x52, 0x54, 0x7b, 0x53, 0xd4, 0x2f, 0x36, 0x44, 0x75, 0xbe, 0xa6, 0x92, 0xef, 0x83, 0x8a, 0x7c, 0x15, 0x0f, 0x37, 0x90, 0xb1, 0x55, 0x92, 0xf1, 0x5a,
0xa4, 0xa8, 0x1f, 0xd5, 0x44, 0xad, 0xc5, 0xbd, 0x81, 0xb8, 0x6e, 0x45, 0xdc, 0x6b, 0x01, 0x5b, 0xaa, 0xf6, 0xa6, 0x54, 0x05, 0x1b, 0xbb, 0xcc, 0xa6, 0x90, 0xbc, 0x53, 0x96, 0xfc, 0xbf, 0x49,
0x9b, 0x02, 0x96, 0x1c, 0xbd, 0x2a, 0xc7, 0xb2, 0x10, 0xed, 0x6a, 0x21, 0xfe, 0x9b, 0xe0, 0x63, 0x3b, 0x81, 0xc1, 0x35, 0x0f, 0xea, 0x90, 0x8f, 0xa0, 0x43, 0x95, 0xaf, 0x7c, 0xec, 0x6e, 0x10,
0xe8, 0x5f, 0xf3, 0xd0, 0xaf, 0xe9, 0x13, 0x68, 0xeb, 0x57, 0x22, 0x63, 0xec, 0x7e, 0x4c, 0x06, 0x03, 0xf3, 0xbe, 0x85, 0xfe, 0x8c, 0x07, 0xb1, 0x34, 0x62, 0x1e, 0x41, 0x5b, 0x91, 0xa4, 0x1c,
0x16, 0xbe, 0x86, 0xde, 0x94, 0xc6, 0x19, 0x37, 0x12, 0x13, 0x70, 0x85, 0x8a, 0xa6, 0x74, 0x62, 0xb4, 0xc1, 0x1e, 0x43, 0x97, 0xd3, 0x35, 0xaa, 0x44, 0x7a, 0xe3, 0xb7, 0x2a, 0x8e, 0xcd, 0x2d,
0x4d, 0x1e, 0x43, 0x87, 0xea, 0xd2, 0xca, 0x34, 0xba, 0xa3, 0x77, 0x6a, 0x61, 0x4d, 0xe5, 0xa3, 0xfb, 0x05, 0xd0, 0x3b, 0x04, 0x87, 0x5c, 0xeb, 0xec, 0xbc, 0xef, 0xc0, 0xf1, 0x71, 0x95, 0x5c,
0x12, 0x18, 0x1e, 0x82, 0xaf, 0x03, 0xab, 0xdc, 0xc2, 0xef, 0xc0, 0x8f, 0x70, 0x95, 0x5f, 0xe2, 0xe2, 0xff, 0x10, 0x6c, 0x00, 0x07, 0xc6, 0x37, 0x45, 0x7b, 0x17, 0x0e, 0x9e, 0xc7, 0x22, 0xc5,
0xff, 0x7e, 0x55, 0x1f, 0x0e, 0x4c, 0x64, 0x7d, 0xd7, 0xfb, 0x70, 0xf0, 0x3c, 0x63, 0x4b, 0x4c, 0x70, 0x93, 0xdb, 0x66, 0xeb, 0x6b, 0xc3, 0x7b, 0x06, 0x87, 0x05, 0xee, 0x5f, 0xcb, 0xf8, 0x2b,
0x4a, 0x5e, 0x47, 0xd0, 0xda, 0x1c, 0x11, 0xca, 0x08, 0x9f, 0xc1, 0x61, 0x89, 0xfb, 0xd7, 0x12, 0xf4, 0xd5, 0x74, 0xd8, 0x55, 0x93, 0xd7, 0x15, 0xd3, 0x28, 0x55, 0xcc, 0xd6, 0xc4, 0x69, 0xd6,
0xfe, 0x0a, 0x3d, 0x39, 0x45, 0x76, 0x75, 0xe9, 0x75, 0xb7, 0xd8, 0x95, 0x6e, 0xd9, 0x9a, 0x4c, 0x4c, 0x9c, 0x07, 0xd0, 0x57, 0x9b, 0xaf, 0x4b, 0xd3, 0xa5, 0xa7, 0xd6, 0xa6, 0x7a, 0xc4, 0x3c,
0x4e, 0xc3, 0x64, 0x7a, 0x00, 0x3d, 0x79, 0xf8, 0xa6, 0x32, 0x85, 0xba, 0x72, 0x6f, 0xa2, 0x46, 0x05, 0x87, 0xe2, 0x13, 0x85, 0x47, 0x9b, 0x5c, 0x7b, 0xe3, 0xa3, 0x0a, 0x01, 0x0d, 0x26, 0x05,
0xd1, 0x53, 0xf0, 0xf5, 0xfd, 0x9a, 0xc2, 0xa3, 0x4d, 0xae, 0xdd, 0xd1, 0x51, 0x8d, 0x80, 0x02, 0xfe, 0xb0, 0xa0, 0xe5, 0x67, 0x4b, 0xdc, 0xca, 0xba, 0xb8, 0x9f, 0xc6, 0xae, 0xfb, 0x69, 0xde,
0x6b, 0x05, 0xfe, 0xb4, 0xc0, 0x8d, 0x8a, 0x05, 0x36, 0x0d, 0x31, 0x59, 0x1d, 0x7b, 0x47, 0x75, 0xf0, 0x7e, 0xd8, 0x87, 0x60, 0xeb, 0x49, 0xab, 0xb2, 0x3f, 0x18, 0xdf, 0xde, 0x56, 0x14, 0x85,
0x9c, 0x1b, 0x56, 0x87, 0x7c, 0x0c, 0x9e, 0x9a, 0xc7, 0x32, 0xf7, 0x83, 0xd1, 0xed, 0x6d, 0x3d, 0xf0, 0x09, 0xa4, 0xbb, 0x26, 0x4a, 0x78, 0x24, 0xd7, 0xaa, 0xc7, 0xda, 0x7e, 0x61, 0x7b, 0x4f,
0x91, 0xb1, 0x48, 0x83, 0xd4, 0x7b, 0x49, 0x73, 0x9a, 0xf2, 0xb5, 0x7c, 0x5d, 0xad, 0xa8, 0xb4, 0xc0, 0x79, 0xa6, 0x26, 0xae, 0x11, 0xfb, 0x3d, 0x68, 0xf1, 0x6c, 0x89, 0x44, 0xf5, 0x56, 0x35,
0xc3, 0x27, 0xe0, 0x3f, 0x93, 0x73, 0xd9, 0x48, 0xfd, 0x01, 0xb8, 0xb4, 0xd0, 0x2d, 0xd4, 0x1d, 0x99, 0x6c, 0x89, 0xbe, 0x02, 0xe4, 0x45, 0x62, 0x4e, 0x52, 0x91, 0xdc, 0x07, 0x67, 0x82, 0x4b,
0xdd, 0xaa, 0x27, 0x53, 0x2c, 0x30, 0x92, 0x00, 0xd1, 0x22, 0xc6, 0x53, 0xb7, 0xc8, 0x7d, 0xf0, 0xdc, 0x39, 0x4c, 0xf2, 0x23, 0x06, 0x40, 0x47, 0x1c, 0xe8, 0xe5, 0xaf, 0x93, 0x79, 0xac, 0x3e,
0xc7, 0xb8, 0xc0, 0x9d, 0xc3, 0x45, 0xb8, 0x18, 0x80, 0x76, 0xf1, 0xa1, 0x2b, 0xbe, 0x61, 0xe6, 0x86, 0xbe, 0x36, 0x49, 0xf8, 0xf7, 0xa1, 0x9d, 0xc7, 0x32, 0x2f, 0x54, 0x6d, 0x36, 0x1a, 0xf1,
0x93, 0xf6, 0x29, 0xf4, 0x94, 0xa9, 0x65, 0xff, 0x10, 0x5a, 0xe2, 0x2e, 0xf3, 0x1d, 0x6b, 0xcc, 0x68, 0x04, 0xb6, 0xa6, 0xcd, 0x7a, 0xd0, 0xf9, 0x7a, 0xfe, 0xf9, 0xfc, 0xcb, 0x6f, 0xe6, 0x83,
0x46, 0x21, 0x1e, 0x0d, 0xc1, 0x53, 0xb4, 0x49, 0x17, 0xda, 0xdf, 0xce, 0xbe, 0x9c, 0x7d, 0xfd, 0xbd, 0xdc, 0x98, 0xf9, 0xe7, 0xf3, 0x57, 0xd3, 0xc9, 0xc0, 0x62, 0x00, 0xf6, 0x64, 0x3a, 0x7f,
0x7a, 0xd6, 0xdf, 0x13, 0xc6, 0x34, 0x3a, 0x9f, 0xbd, 0x9a, 0x8c, 0xfb, 0x16, 0x01, 0xf0, 0xc6, 0x3e, 0x9d, 0x0c, 0x1a, 0xe3, 0xbf, 0x2c, 0x68, 0x9d, 0x67, 0xf2, 0x82, 0xbd, 0x84, 0xae, 0x69,
0x93, 0xd9, 0xf3, 0xc9, 0xb8, 0x6f, 0x8f, 0xfe, 0xb6, 0xc0, 0x3d, 0x2f, 0xf8, 0x05, 0x79, 0x09, 0x7d, 0x76, 0xef, 0xcd, 0xb3, 0x6d, 0x78, 0x7f, 0xe7, 0x3e, 0xf1, 0xd9, 0x63, 0x2f, 0xa0, 0x43,
0x1d, 0xf3, 0xe8, 0xc9, 0xbd, 0xb7, 0x4f, 0xb5, 0xc1, 0xfd, 0x9d, 0xe7, 0x9a, 0xcf, 0x1e, 0x79, 0x1d, 0xc0, 0x8e, 0x2b, 0xe8, 0x72, 0x07, 0x0d, 0xef, 0xed, 0xda, 0x2e, 0x7c, 0x4d, 0xcc, 0x73,
0x01, 0x6d, 0xdd, 0xff, 0xe4, 0xb8, 0x86, 0xae, 0xbe, 0x9f, 0xc1, 0xbd, 0x5d, 0xc7, 0x65, 0xac, 0x7b, 0xb7, 0xb6, 0xe2, 0xc8, 0xcf, 0xdb, 0xf5, 0x9b, 0xc6, 0xcb, 0xf8, 0x7b, 0xe8, 0x9a, 0xd7,
0xb1, 0xf9, 0x28, 0xdf, 0x6d, 0xec, 0x37, 0x1d, 0xe7, 0xdd, 0xe6, 0x43, 0x13, 0x65, 0xf4, 0x3d, 0x9f, 0x7d, 0x05, 0xad, 0x5c, 0x60, 0xe6, 0x55, 0xce, 0xd4, 0xfc, 0x39, 0x0c, 0x1f, 0xbe, 0x11,
0x74, 0xcc, 0x3f, 0x02, 0xf9, 0x06, 0x5c, 0x21, 0x30, 0x09, 0x6b, 0x3e, 0x0d, 0xff, 0x17, 0x83, 0x53, 0xb8, 0xff, 0xd3, 0x82, 0x76, 0x7e, 0x11, 0x82, 0xcd, 0xc0, 0xd6, 0x15, 0xc1, 0xaa, 0x29,
0x87, 0x6f, 0xc5, 0x94, 0xe1, 0xff, 0xb2, 0xa0, 0x25, 0x0a, 0xc1, 0xc8, 0x14, 0x3c, 0xd5, 0x11, 0x95, 0x4a, 0x6c, 0x78, 0xbc, 0x63, 0xb7, 0xe0, 0x3d, 0x03, 0x5b, 0xd7, 0xc9, 0x96, 0xa3, 0x52,
0xa4, 0x9e, 0x52, 0xa5, 0xc5, 0x06, 0xc7, 0x3b, 0x4e, 0x4b, 0xde, 0x53, 0xf0, 0x54, 0x9f, 0x6c, 0x7d, 0x6d, 0x39, 0xaa, 0x14, 0xd7, 0x1e, 0x3b, 0x27, 0xba, 0xc3, 0x1a, 0x2a, 0xc6, 0xc9, 0xdd,
0x05, 0xaa, 0xf4, 0xd7, 0x56, 0xa0, 0x5a, 0x73, 0xed, 0x91, 0x73, 0x4d, 0x77, 0xd0, 0x40, 0xc5, 0xda, 0x3d, 0xe3, 0xe2, 0x07, 0x5b, 0xfd, 0x6c, 0x3d, 0xfe, 0x27, 0x00, 0x00, 0xff, 0xff, 0xda,
0x04, 0xb9, 0xdb, 0x78, 0x66, 0x42, 0xfc, 0xe0, 0xc9, 0x5f, 0xb2, 0xc7, 0xff, 0x04, 0x00, 0x00, 0xef, 0x0e, 0x5f, 0x8d, 0x09, 0x00, 0x00,
0xff, 0xff, 0x27, 0x7b, 0xf3, 0x60, 0xb3, 0x09, 0x00, 0x00,
} }
// Reference imports to suppress errors if they are not otherwise used. // Reference imports to suppress errors if they are not otherwise used.

View File

@ -35,7 +35,6 @@ message Token {
message Account { message Account {
string id = 1; string id = 1;
string type = 2; string type = 2;
repeated string roles = 3;
map<string, string> metadata = 4; map<string, string> metadata = 4;
repeated string scopes = 5; repeated string scopes = 5;
string provider = 6; string provider = 6;
@ -50,7 +49,6 @@ message Resource{
message GenerateRequest { message GenerateRequest {
string id = 1; string id = 1;
repeated string roles = 2;
map<string, string> metadata = 3; map<string, string> metadata = 3;
repeated string scopes = 4; repeated string scopes = 4;
string secret = 5; string secret = 5;
@ -63,14 +61,14 @@ message GenerateResponse {
} }
message GrantRequest { message GrantRequest {
string role = 1; string scope = 1;
Resource resource = 2; Resource resource = 2;
} }
message GrantResponse {} message GrantResponse {}
message RevokeRequest { message RevokeRequest {
string role = 1; string scope = 1;
Resource resource = 2; Resource resource = 2;
} }
@ -103,7 +101,7 @@ enum Access {
message Rule { message Rule {
string id = 1; string id = 1;
string role = 2; string scope = 2;
Resource resource = 3; Resource resource = 3;
Access access = 4; Access access = 4;
int32 priority = 5; int32 priority = 5;

View File

@ -65,7 +65,6 @@ func (s *svc) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
Id: id, Id: id,
Type: options.Type, Type: options.Type,
Secret: options.Secret, Secret: options.Secret,
Roles: options.Roles,
Scopes: options.Scopes, Scopes: options.Scopes,
Metadata: options.Metadata, Metadata: options.Metadata,
Provider: options.Provider, Provider: options.Provider,
@ -82,7 +81,7 @@ func (s *svc) Grant(rule *auth.Rule) error {
_, err := s.rule.Create(context.TODO(), &pb.CreateRequest{ _, err := s.rule.Create(context.TODO(), &pb.CreateRequest{
Rule: &pb.Rule{ Rule: &pb.Rule{
Id: rule.ID, Id: rule.ID,
Role: rule.Role, Scope: rule.Scope,
Priority: rule.Priority, Priority: rule.Priority,
Access: pb.Access_GRANTED, Access: pb.Access_GRANTED,
Resource: &pb.Resource{ Resource: &pb.Resource{
@ -156,35 +155,6 @@ func (s *svc) Token(opts ...auth.TokenOption) (*auth.Token, error) {
return serializeToken(rsp.Token), nil return serializeToken(rsp.Token), nil
} }
var ruleJoinKey = ":"
// accessForRule returns a rule status, indicating if a rule permits access to a
// resource for a given account
func accessForRule(rule *pb.Rule, acc *auth.Account, res *auth.Resource) pb.Access {
// a blank role permits access to the public
if rule.Role == "" {
return rule.Access
}
// a * role permits access to any user
if rule.Role == "*" && acc != nil {
return rule.Access
}
for _, role := range acc.Roles {
if rule.Role == role {
return rule.Access
}
// allow user.anything if role is user.*
if strings.HasSuffix(rule.Role, ".*") && strings.HasPrefix(rule.Role, role+".") {
return rule.Access
}
}
return pb.Access_UNKNOWN
}
// loadRules retrieves the rules from the auth service. Since this implementation is used by micro // loadRules retrieves the rules from the auth service. Since this implementation is used by micro
// clients, which support muti-tenancy we may have to persist rules in multiple namespaces. // clients, which support muti-tenancy we may have to persist rules in multiple namespaces.
func (s *svc) loadRules(namespace string) { func (s *svc) loadRules(namespace string) {
@ -206,7 +176,7 @@ func (s *svc) loadRules(namespace string) {
rules = append(rules, &auth.Rule{ rules = append(rules, &auth.Rule{
ID: r.Id, ID: r.Id,
Role: r.Role, Scope: r.Scope,
Access: access, Access: access,
Priority: r.Priority, Priority: r.Priority,
Resource: &auth.Resource{ Resource: &auth.Resource{
@ -244,7 +214,6 @@ func serializeToken(t *pb.Token) *auth.Token {
func serializeAccount(a *pb.Account) *auth.Account { func serializeAccount(a *pb.Account) *auth.Account {
return &auth.Account{ return &auth.Account{
ID: a.Id, ID: a.Id,
Roles: a.Roles,
Secret: a.Secret, Secret: a.Secret,
Metadata: a.Metadata, Metadata: a.Metadata,
Provider: a.Provider, Provider: a.Provider,

View File

@ -32,10 +32,10 @@ func TestInspect(t *testing.T) {
t.Run("Valid token", func(t *testing.T) { t.Run("Valid token", func(t *testing.T) {
md := map[string]string{"foo": "bar"} md := map[string]string{"foo": "bar"}
roles := []string{"admin"} scopes := []string{"admin"}
subject := "test" subject := "test"
tok, err := b.Generate(&auth.Account{ID: subject, Roles: roles, Metadata: md}) tok, err := b.Generate(&auth.Account{ID: subject, Scopes: scopes, Metadata: md})
if err != nil { if err != nil {
t.Fatalf("Generate returned %v error, expected nil", err) t.Fatalf("Generate returned %v error, expected nil", err)
} }
@ -47,8 +47,8 @@ func TestInspect(t *testing.T) {
if tok2.ID != subject { if tok2.ID != subject {
t.Errorf("Inspect returned %v as the token subject, expected %v", tok2.ID, subject) t.Errorf("Inspect returned %v as the token subject, expected %v", tok2.ID, subject)
} }
if len(tok2.Roles) != len(roles) { if len(tok2.Scopes) != len(scopes) {
t.Errorf("Inspect returned %v roles, expected %v", len(tok2.Roles), len(roles)) t.Errorf("Inspect returned %v scopes, expected %v", len(tok2.Scopes), len(scopes))
} }
if len(tok2.Metadata) != len(md) { if len(tok2.Metadata) != len(md) {
t.Errorf("Inspect returned %v as the token metadata, expected %v", tok2.Metadata, md) t.Errorf("Inspect returned %v as the token metadata, expected %v", tok2.Metadata, md)

View File

@ -12,7 +12,6 @@ import (
// authClaims to be encoded in the JWT // authClaims to be encoded in the JWT
type authClaims struct { type authClaims struct {
Type string `json:"type"` Type string `json:"type"`
Roles []string `json:"roles"`
Scopes []string `json:"scopes"` Scopes []string `json:"scopes"`
Provider string `json:"provider"` Provider string `json:"provider"`
Metadata map[string]string `json:"metadata"` Metadata map[string]string `json:"metadata"`
@ -52,7 +51,7 @@ func (j *JWT) Generate(acc *auth.Account, opts ...token.GenerateOption) (*token.
// generate the JWT // generate the JWT
expiry := time.Now().Add(options.Expiry) expiry := time.Now().Add(options.Expiry)
t := jwt.NewWithClaims(jwt.SigningMethodRS256, authClaims{ t := jwt.NewWithClaims(jwt.SigningMethodRS256, authClaims{
acc.Type, acc.Roles, acc.Scopes, acc.Provider, acc.Metadata, jwt.StandardClaims{ acc.Type, acc.Scopes, acc.Provider, acc.Metadata, jwt.StandardClaims{
Subject: acc.ID, Subject: acc.ID,
ExpiresAt: expiry.Unix(), ExpiresAt: expiry.Unix(),
}, },
@ -99,7 +98,6 @@ func (j *JWT) Inspect(t string) (*auth.Account, error) {
return &auth.Account{ return &auth.Account{
ID: claims.Subject, ID: claims.Subject,
Type: claims.Type, Type: claims.Type,
Roles: claims.Roles,
Scopes: claims.Scopes, Scopes: claims.Scopes,
Provider: claims.Provider, Provider: claims.Provider,
Metadata: claims.Metadata, Metadata: claims.Metadata,

View File

@ -42,10 +42,10 @@ func TestInspect(t *testing.T) {
t.Run("Valid token", func(t *testing.T) { t.Run("Valid token", func(t *testing.T) {
md := map[string]string{"foo": "bar"} md := map[string]string{"foo": "bar"}
roles := []string{"admin"} scopes := []string{"admin"}
subject := "test" subject := "test"
acc := &auth.Account{ID: subject, Roles: roles, Metadata: md} acc := &auth.Account{ID: subject, Scopes: scopes, Metadata: md}
tok, err := j.Generate(acc) tok, err := j.Generate(acc)
if err != nil { if err != nil {
t.Fatalf("Generate returned %v error, expected nil", err) t.Fatalf("Generate returned %v error, expected nil", err)
@ -58,8 +58,8 @@ func TestInspect(t *testing.T) {
if acc.ID != subject { if acc.ID != subject {
t.Errorf("Inspect returned %v as the token subject, expected %v", acc.ID, subject) t.Errorf("Inspect returned %v as the token subject, expected %v", acc.ID, subject)
} }
if len(tok2.Roles) != len(roles) { if len(tok2.Scopes) != len(scopes) {
t.Errorf("Inspect returned %v roles, expected %v", len(tok2.Roles), len(roles)) t.Errorf("Inspect returned %v scopes, expected %v", len(tok2.Scopes), len(scopes))
} }
if len(tok2.Metadata) != len(md) { if len(tok2.Metadata) != len(md) {
t.Errorf("Inspect returned %v as the token metadata, expected %v", tok2.Metadata, md) t.Errorf("Inspect returned %v as the token metadata, expected %v", tok2.Metadata, md)

View File

@ -18,12 +18,10 @@ func Generate(id string, name string, a auth.Auth) error {
// if no credentials were provided, generate an account // if no credentials were provided, generate an account
if len(accID) == 0 || len(accSecret) == 0 { if len(accID) == 0 || len(accSecret) == 0 {
name := fmt.Sprintf("%v-%v", name, id) name := fmt.Sprintf("%v-%v", name, id)
scope := "namespace." + a.Options().Namespace
opts := []auth.GenerateOption{ opts := []auth.GenerateOption{
auth.WithType("service"), auth.WithType("service"),
auth.WithRoles("service"), auth.WithScopes("service"),
auth.WithScopes(scope),
} }
acc, err := a.Generate(name, opts...) acc, err := a.Generate(name, opts...)