Add auth scope constants

Ben Toogood 2020-05-22 11:37:12 +01:00
parent fbb91c6cb7
commit 9c072a372c
2 changed files with 12 additions and 6 deletions


@ -7,8 +7,14 @@ import (
"time" "time"
) )
const (
// BearerScheme used for Authorization header // BearerScheme used for Authorization header
const BearerScheme = "Bearer " BearerScheme = "Bearer "
// ScopePublic is the scope applied to a rule to allow access to the public
ScopePublic = ""
// ScopeAccount is the scope applied to a rule to limit to users with any valid account
ScopeAccount = "*"
)
var ( var (
// ErrInvalidToken is when the token provided is not valid // ErrInvalidToken is when the token provided is not valid
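Review bot: `ScopePublic = ""` makes the public scope the zero value of a string, so a rule built without setting Scope is treated as applying to everyone, and the new doc comment does not say so. The comment also reads "to allow access to the public", yet Verify in the second file pairs this scope with auth.AccessDenied as well as auth.AccessGranted, and its own comment notes the rule reaches nil accounts. I would state both on the constant: `// ScopePublic is the scope of a rule that applies to every caller, including requests with no account. It is the zero value of string, so a rule with no Scope set is public.` If rules are populated from stored or externally supplied data (the Rule type is not visible here), a distinct non-empty sentinel would make an omitted scope fail closed, though that is a wider change than this commit.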


@ -51,9 +51,9 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
// loop through the rules and check for a rule which applies to this account // loop through the rules and check for a rule which applies to this account
for _, rule := range filteredRules { for _, rule := range filteredRules {
// a blank scope indicates the rule applies to everyone, even nil accounts // a blank scope indicates the rule applies to everyone, even nil accounts
if rule.Scope == "" && rule.Access == auth.AccessDenied { if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessDenied {
return auth.ErrForbidden return auth.ErrForbidden
} else if rule.Scope == "" && rule.Access == auth.AccessGranted { } else if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessGranted {
return nil return nil
} }
@ -63,9 +63,9 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
} }
// this rule applies to any account // this rule applies to any account
if rule.Scope == "*" && rule.Access == auth.AccessDenied { if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessDenied {
return auth.ErrForbidden return auth.ErrForbidden
} else if rule.Scope == "*" && rule.Access == auth.AccessGranted { } else if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessGranted {
return nil return nil
} }