unistack-org/micro
4
0
Fork 2
Code Issues 18 Pull Requests Actions Packages Projects Releases 331 Wiki Activity

Add context options to the runtime

Browse Source
This commit is contained in:
Ben Toogood
2020-04-14 12:32:59 +01:00
parent 0c75a0306b
commit e17825474f
10 changed files with 112 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
auth/service/service.go
View File

@@ -53,8 +53,9 @@ func (s *svc) Init(opts ...auth.Option) {
}
// load rules periodically from the auth service
ruleTimer := time.NewTicker(time.Second * 30)
go func() {
ruleTimer := time.NewTicker(time.Second * 30)
// load rules immediately on startup
s.loadRules()
@@ -72,10 +73,11 @@ func (s *svc) Init(opts ...auth.Option) {
// we have client credentials and must load a new token
// periodically
if len(s.options.ID) > 0 || len(s.options.Secret) > 0 {
tokenTimer := time.NewTicker(time.Minute)
// get a token immediately
s.refreshToken()
go func() {
s.refreshToken()
tokenTimer := time.NewTicker(time.Minute)
for {
<-tokenTimer.C
@@ -178,11 +180,15 @@ func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
}
}
// set a default account id to log
// set a default account id / namespace to log
logID := acc.ID
if len(logID) == 0 {
logID = "[no account]"
}
logNamespace := acc.Namespace
if len(logNamespace) == 0 {
logNamespace = "[no namespace]"
}
for _, q := range queries {
for _, rule := range s.listRules(q...) {
@@ -190,17 +196,17 @@ func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
case pb.Access_UNKNOWN:
continue // rule did not specify access, check the next rule
case pb.Access_GRANTED:
log.Infof("%v:%v granted access to %v:%v:%v:%v by rule %v", acc.Namespace, logID, res.Namespace, res.Type, res.Name, res.Endpoint, rule.Id)
log.Tracef("%v:%v granted access to %v:%v:%v:%v by rule %v", logNamespace, logID, res.Namespace, res.Type, res.Name, res.Endpoint, rule.Id)
return nil // rule grants the account access to the resource
case pb.Access_DENIED:
log.Infof("%v:%v denied access to %v:%v:%v:%v by rule %v", acc.Namespace, logID, res.Namespace, res.Type, res.Name, res.Endpoint, rule.Id)
log.Tracef("%v:%v denied access to %v:%v:%v:%v by rule %v", logNamespace, logID, res.Namespace, res.Type, res.Name, res.Endpoint, rule.Id)
return auth.ErrForbidden // rule denies access to the resource
}
}
}
// no rules were found for the resource, default to denying access
log.Infof("%v:%v denied access to %v:%v:%v:%v by lack of rule (%v rules found for namespace)", acc.Namespace, logID, res.Namespace, res.Type, res.Name, res.Endpoint, len(s.listRules(res.Namespace)))
log.Tracef("%v:%v denied access to %v:%v:%v:%v by lack of rule (%v rules found for namespace)", logNamespace, logID, res.Namespace, res.Type, res.Name, res.Endpoint, len(s.listRules(res.Namespace)))
return auth.ErrForbidden
}