Add auth scope constants

2020-05-22 11:37:12 +01:00 · 2020-05-22 11:37:12 +01:00 · 9c072a372c
commit 9c072a372c
parent fbb91c6cb7
2 changed files with 12 additions and 6 deletions
--- a/auth/auth.go
+++ b/auth/auth.go
@ -7,8 +7,14 @@ import (
 	"time"
 )

-// BearerScheme used for Authorization header
-const BearerScheme = "Bearer "
+const (
+	// BearerScheme used for Authorization header
+	BearerScheme = "Bearer "
+	// ScopePublic is the scope applied to a rule to allow access to the public
+	ScopePublic = ""
+	// ScopeAccount is the scope applied to a rule to limit to users with any valid account
+	ScopeAccount = "*"
+)

 var (
 	// ErrInvalidToken is when the token provided is not valid
--- a/auth/rules/rules.go
+++ b/auth/rules/rules.go
@ -51,9 +51,9 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
 	// loop through the rules and check for a rule which applies to this account
 	for _, rule := range filteredRules {
 		// a blank scope indicates the rule applies to everyone, even nil accounts
-		if rule.Scope == "" && rule.Access == auth.AccessDenied {
+		if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessDenied {
 			return auth.ErrForbidden
-		} else if rule.Scope == "" && rule.Access == auth.AccessGranted {
+		} else if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessGranted {
 			return nil
 		}

@ -63,9 +63,9 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
 		}

 		// this rule applies to any account
-		if rule.Scope == "*" && rule.Access == auth.AccessDenied {
+		if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessDenied {
 			return auth.ErrForbidden
-		} else if rule.Scope == "*" && rule.Access == auth.AccessGranted {
+		} else if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessGranted {
 			return nil
 		}