Auth Wildcard Endpoints (#1394)

* Auth Wildcard Endpoints

* Fix joinkey bug, improve tests

* Change joinKey

Co-authored-by: Ben Toogood <ben@micro.mu>

auth/store/rules.go

@@ -14,10 +14,12 @@ type Rule struct {
 	Resource *auth.Resource `json:"resource"`
 }
 
+var joinKey = ":"
+
 // Key to be used when written to the store
 func (r *Rule) Key() string {
 	comps := []string{r.Resource.Type, r.Resource.Name, r.Resource.Endpoint, r.Role}
-	return strings.Join(comps, "/")
+	return strings.Join(comps, joinKey)
 }
 
 // Bytes returns json encoded bytes
@@ -51,7 +53,7 @@ func isValidRule(rule Rule, acc *auth.Account, res *auth.Resource) bool {
 // prefix matching the filters
 func (s *Store) listRules(filters ...string) ([]Rule, error) {
 	// get the records from the store
-	prefix := strings.Join(filters, "/")
+	prefix := strings.Join(filters, joinKey)
 	recs, err := s.opts.Store.Read(prefix, store.ReadPrefix())
 	if err != nil {
 		return nil, err

auth/store/store.go

@@ -1,6 +1,9 @@
 package store
 
 import (
+	"fmt"
+	"strings"
+
 	"github.com/micro/go-micro/v2/auth"
 	"github.com/micro/go-micro/v2/auth/token"
 	"github.com/micro/go-micro/v2/auth/token/basic"
@@ -108,6 +111,15 @@ func (s *Store) Verify(acc *auth.Account, res *auth.Resource) error {
 		{res.Type, res.Name, res.Endpoint},      // check for specific role, e.g. service.foo.ListFoo:admin
 	}
 
+	// endpoint is a url which can have wildcard excludes, e.g.
+	// "/foo/*" will allow "/foo/bar"
+	if comps := strings.Split(res.Endpoint, "/"); len(comps) > 1 {
+		for i := 1; i < len(comps); i++ {
+			wildcard := fmt.Sprintf("%v/*", strings.Join(comps[0:i], "/"))
+			queries = append(queries, []string{res.Type, res.Name, wildcard})
+		}
+	}
+
 	for _, q := range queries {
 		rules, err := s.listRules(q...)
 		if err != nil {

auth/store/store_test.go

@@ -191,6 +191,14 @@ func TestVerify(t *testing.T) {
 			Role:     "*",
 			Resource: &auth.Resource{Type: "service", Name: "go.micro.apps", Endpoint: "Apps.PublicList"},
 		},
+		{
+			Role:     "*",
+			Resource: &auth.Resource{Type: "service", Name: "go.micro.web", Endpoint: "/foo"},
+		},
+		{
+			Role:     "*",
+			Resource: &auth.Resource{Type: "service", Name: "go.micro.web", Endpoint: "/bar/*"},
+		},
 		{
 			Role:     "user.*",
 			Resource: &auth.Resource{Type: "service", Name: "go.micro.apps", Endpoint: "Apps.List"},
@@ -274,6 +282,19 @@ func TestVerify(t *testing.T) {
 			Resource: &auth.Resource{Type: "infra", Name: "go.micro.foo", Endpoint: "Foo.Bar"},
 			Error:    auth.ErrForbidden,
 		},
+		{
+			Name:     "Accessing a public web path",
+			Resource: &auth.Resource{Type: "service", Name: "go.micro.web", Endpoint: "/foo"},
+		},
+		{
+			Name:     "Accessing a public web path with an invalid wildcard endpoint",
+			Resource: &auth.Resource{Type: "service", Name: "go.micro.web", Endpoint: "/foo/foo"},
+			Error:    auth.ErrForbidden,
+		},
+		{
+			Name:     "Accessing a public web path with wildcard endpoint",
+			Resource: &auth.Resource{Type: "service", Name: "go.micro.web", Endpoint: "/bar/foo"},
+		},
 	}
 
 	for _, tc := range testTable {