Add Rule to Auth interface

2020-05-20 11:59:01 +01:00 · 2020-05-20 11:59:01 +01:00 · f6d9416a9e
commit f6d9416a9e
parent dc10f88c12
8 changed files with 296 additions and 311 deletions
--- a/auth/auth.go
+++ b/auth/auth.go
@ -7,16 +7,13 @@ import (
 	"time"
 )

+// BearerScheme used for Authorization header
+const BearerScheme = "Bearer "
+
 var (
-	// ErrNotFound is returned when a resouce cannot be found
-	ErrNotFound = errors.New("not found")
-	// ErrEncodingToken is returned when the service encounters an error during encoding
-	ErrEncodingToken = errors.New("error encoding the token")
-	// ErrInvalidToken is returned when the token provided is not valid
+	// ErrInvalidToken is when the token provided is not valid
 	ErrInvalidToken = errors.New("invalid token provided")
-	// ErrInvalidRole is returned when the role provided was invalid
-	ErrInvalidRole = errors.New("invalid role")
-	// ErrForbidden is returned when a user does not have the necessary roles to access a resource
+	// ErrForbidden is when a user does not have the necessary roles or scoeps to access a resource
 	ErrForbidden = errors.New("resource forbidden")
 )

@ -28,30 +25,22 @@ type Auth interface {
 	Options() Options
 	// Generate a new account
 	Generate(id string, opts ...GenerateOption) (*Account, error)
-	// Grant access to a resource
-	Grant(role string, res *Resource) error
-	// Revoke access to a resource
-	Revoke(role string, res *Resource) error
-	// Verify an account has access to a resource
+	// Verify an account has access to a resource using the rules
 	Verify(acc *Account, res *Resource) error
 	// Inspect a token
 	Inspect(token string) (*Account, error)
-	// Token generated using refresh token
+	// Token generated using refresh token or credentials
 	Token(opts ...TokenOption) (*Token, error)
+	// Grant access to a resource
+	Grant(rule *Rule) error
+	// Revoke access to a resource
+	Revoke(rule *Rule) error
+	// Rules returns all the rules used to verify requests
+	Rules() ([]*Rule, error)
 	// String returns the name of the implementation
 	String() string
 }

-// Resource is an entity such as a user or
-type Resource struct {
-	// Name of the resource
-	Name string `json:"name"`
-	// Type of resource, e.g.
-	Type string `json:"type"`
-	// Endpoint resource e.g NotesService.Create
-	Endpoint string `json:"endpoint"`
-}
-
 // Account provided by an auth provider
 type Account struct {
 	// ID of the account e.g. email
@ -112,13 +101,47 @@ type Token struct {
 	Expiry time.Time `json:"expiry"`
 }

+// Expired returns a boolean indicating if the token needs to be refreshed
+func (t *Token) Expired() bool {
+	return t.Expiry.Unix() < time.Now().Unix()
+}
+
+// Resource is an entity such as a user or
+type Resource struct {
+	// Name of the resource, e.g. go.micro.service.notes
+	Name string `json:"name"`
+	// Type of resource, e.g. service
+	Type string `json:"type"`
+	// Endpoint resource e.g NotesService.Create
+	Endpoint string `json:"endpoint"`
+}
+
+// Access defines the type of access a rule grants
+type Access int
+
 const (
-	// TokenCookieName is the name of the cookie which stores the auth token
-	TokenCookieName = "micro-token"
-	// BearerScheme used for Authorization header
-	BearerScheme = "Bearer "
+	// AccessGranted to a resource
+	AccessGranted Access = iota
+	// AccessDenied to a resource
+	AccessDenied
 )

+// Rule is used to verify access to a resource
+type Rule struct {
+	// ID of the rule, e.g. "public"
+	ID string
+	// Role the rule requires, a blank role indicates open to the public and * indicates the rule
+	// applies to any valid account
+	Role string
+	// Resource the rule applies to
+	Resource *Resource
+	// Access determines if the rule grants or denies access to the resource
+	Access Access
+	// Priority the rule should take when verifying a request, the higher the value the sooner the
+	// rule will be applied
+	Priority int32
+}
+
 type accountKey struct{}

 // AccountFromContext gets the account from the context, which
--- a/auth/default.go
+++ b/auth/default.go
@ -58,15 +58,20 @@ func (n *noop) Generate(id string, opts ...GenerateOption) (*Account, error) {
 }

 // Grant access to a resource
-func (n *noop) Grant(role string, res *Resource) error {
+func (n *noop) Grant(rule *Rule) error {
 	return nil
 }

 // Revoke access to a resource
-func (n *noop) Revoke(role string, res *Resource) error {
+func (n *noop) Revoke(rule *Rule) error {
 	return nil
 }

+// Rules used to verify requests
+func (n *noop) Rules() ([]*Rule, error) {
+	return []*Rule{}, nil
+}
+
 // Verify an account has access to a resource
 func (n *noop) Verify(acc *Account, res *Resource) error {
 	return nil
--- a/auth/jwt/jwt.go
+++ b/auth/jwt/jwt.go
@ -1,11 +1,11 @@
 package jwt

 import (
-	"fmt"
 	"sync"
 	"time"

 	"github.com/micro/go-micro/v2/auth"
+	"github.com/micro/go-micro/v2/auth/rules"
 	"github.com/micro/go-micro/v2/auth/token"
 	jwtToken "github.com/micro/go-micro/v2/auth/token/jwt"
 )
@ -25,7 +25,7 @@ type rule struct {
 type jwt struct {
 	options auth.Options
 	jwt     token.Provider
-	rules   []*rule
+	rules   []*auth.Rule

 	sync.Mutex
 }
@ -77,84 +77,38 @@ func (j *jwt) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
 	return account, nil
 }

-func (j *jwt) Grant(role string, res *auth.Resource) error {
+func (j *jwt) Grant(rule *auth.Rule) error {
 	j.Lock()
 	defer j.Unlock()
-	j.rules = append(j.rules, &rule{role, res})
+	j.rules = append(j.rules, rule)
 	return nil
 }

-func (j *jwt) Revoke(role string, res *auth.Resource) error {
+func (j *jwt) Revoke(rule *auth.Rule) error {
 	j.Lock()
 	defer j.Unlock()

-	rules := make([]*rule, 0, len(j.rules))
-
-	var ruleFound bool
+	rules := []*auth.Rule{}
 	for _, r := range rules {
-		if r.role == role && r.resource == res {
-			ruleFound = true
-		} else {
+		if r.ID != rule.ID {
 			rules = append(rules, r)
 		}
 	}

-	if !ruleFound {
-		return auth.ErrNotFound
-	}
-
 	j.rules = rules
 	return nil
 }

 func (j *jwt) Verify(acc *auth.Account, res *auth.Resource) error {
-	// check the scope
-	scope := "namespace." + j.options.Namespace
-	if acc != nil && !acc.HasScope(scope) {
-		return fmt.Errorf("Missing required scope: %v", scope)
-	}
-
 	j.Lock()
-	rules := j.rules
-	j.Unlock()
+	defer j.Unlock()
+	return rules.Verify(j.options.Namespace, j.rules, acc, res)
+}

-	for _, rule := range rules {
-		// validate the rule applies to the requested resource
-		if rule.resource.Type != "*" && rule.resource.Type != res.Type {
-			continue
-		}
-		if rule.resource.Name != "*" && rule.resource.Name != res.Name {
-			continue
-		}
-		if rule.resource.Endpoint != "*" && rule.resource.Endpoint != res.Endpoint {
-			continue
-		}
-
-		// a blank role indicates anyone can access the resource, even without an account
-		if rule.role == "" {
-			return nil
-		}
-
-		// all furter checks require an account
-		if acc == nil {
-			continue
-		}
-
-		// this rule allows any account access, allow the request
-		if rule.role == "*" {
-			return nil
-		}
-
-		// if the account has the necessary role, allow the request
-		for _, r := range acc.Roles {
-			if r == rule.role {
-				return nil
-			}
-		}
-	}
-
-	// no rules matched, forbid the request
-	return auth.ErrForbidden
+func (j *jwt) Rules() ([]*auth.Rule, error) {
+	j.Lock()
+	defer j.Unlock()
+	return j.rules, nil
 }

 func (j *jwt) Inspect(token string) (*auth.Account, error) {
--- a/auth/rules/rules.go
+++ b/auth/rules/rules.go
@ -0,0 +1,99 @@
+package rules
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/micro/go-micro/v2/auth"
+)
+
+// Verify an account has access to a resource using the rules provided. If the account does not have
+// access an error will be returned. If there are no rules provided which match the resource, an error
+// will be returned
+func Verify(namespace string, rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
+	// ensure the account has the necessary scope. Some rules allow for public access so we don't
+	// error if the account is nil.
+	if acc != nil && !acc.HasScope("namespace."+namespace) {
+		return fmt.Errorf("Missing required scope: %v", "namespace."+namespace)
+	}
+
+	// the rule is only to be applied if the type matches the resource or is catch-all (*)
+	validTypes := []string{"*", res.Type}
+
+	// the rule is only to be applied if the name matches the resource or is catch-all (*)
+	validNames := []string{"*", res.Name}
+
+	// rules can have wildcard excludes on endpoints since this can also be a path for web services,
+	// e.g. /foo/* would include /foo/bar. We also want to check for wildcards and the exact endpoint
+	validEndpoints := []string{"*", res.Endpoint}
+	if comps := strings.Split(res.Endpoint, "/"); len(comps) > 1 {
+		for i := 1; i < len(comps); i++ {
+			wildcard := fmt.Sprintf("%v/*", strings.Join(comps[0:i], "/"))
+			validEndpoints = append(validEndpoints, wildcard)
+		}
+	}
+
+	// filter the rules to the ones which match the criteria above
+	filteredRules := make([]*auth.Rule, 0)
+	for _, rule := range rules {
+		if !include(validTypes, rule.Resource.Type) {
+			continue
+		}
+		if !include(validNames, rule.Resource.Name) {
+			continue
+		}
+		if !include(validEndpoints, rule.Resource.Endpoint) {
+			continue
+		}
+		filteredRules = append(filteredRules, rule)
+	}
+
+	// sort the filtered rules by priority, highest to lowest
+	sort.SliceStable(filteredRules, func(i, j int) bool {
+		return filteredRules[i].Priority > filteredRules[j].Priority
+	})
+
+	// loop through the rules and check for a rule which applies to this account
+	for _, rule := range filteredRules {
+		// a blank role indicates the rule applies to everyone, even nil accounts
+		if rule.Role == "" && rule.Access == auth.AccessDenied {
+			return auth.ErrForbidden
+		} else if rule.Role == "" && rule.Access == auth.AccessGranted {
+			return nil
+		}
+
+		// all furter checks require an account
+		if acc == nil {
+			continue
+		}
+
+		// this rule applies to any account
+		if rule.Role == "*" && rule.Access == auth.AccessDenied {
+			return auth.ErrForbidden
+		} else if rule.Role == "" && rule.Access == auth.AccessGranted {
+			return nil
+		}
+
+		// if the account has the necessary role
+		if include(acc.Roles, rule.Role) && rule.Access == auth.AccessDenied {
+			return auth.ErrForbidden
+		} else if rule.Role == "" && rule.Access == auth.AccessGranted {
+			return nil
+		}
+	}
+
+	// if no rules matched then return forbidden
+	return auth.ErrForbidden
+}
+
+// include is a helper function which checks to see if the slice contains the value. includes is
+// not case sensitive.
+func include(slice []string, val string) bool {
+	for _, s := range slice {
+		if strings.ToLower(s) == strings.ToLower(val) {
+			return true
+		}
+	}
+	return false
+}
--- a/auth/service/proto/auth.pb.go
+++ b/auth/service/proto/auth.pb.go
@ -861,13 +861,10 @@ func (m *Rule) GetPriority() int32 {
 }

 type CreateRequest struct {
-	Role                 string    `protobuf:"bytes,1,opt,name=role,proto3" json:"role,omitempty"`
-	Resource             *Resource `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"`
-	Access               Access    `protobuf:"varint,3,opt,name=access,proto3,enum=go.micro.auth.Access" json:"access,omitempty"`
-	Priority             int32     `protobuf:"varint,4,opt,name=priority,proto3" json:"priority,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}  `json:"-"`
-	XXX_unrecognized     []byte    `json:"-"`
-	XXX_sizecache        int32     `json:"-"`
+	Rule                 *Rule    `protobuf:"bytes,1,opt,name=rule,proto3" json:"rule,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
 }

 func (m *CreateRequest) Reset()         { *m = CreateRequest{} }
@ -895,34 +892,13 @@ func (m *CreateRequest) XXX_DiscardUnknown() {

 var xxx_messageInfo_CreateRequest proto.InternalMessageInfo

-func (m *CreateRequest) GetRole() string {
+func (m *CreateRequest) GetRule() *Rule {
 	if m != nil {
-		return m.Role
-	}
-	return ""
-}
-
-func (m *CreateRequest) GetResource() *Resource {
-	if m != nil {
-		return m.Resource
+		return m.Rule
 	}
 	return nil
 }

-func (m *CreateRequest) GetAccess() Access {
-	if m != nil {
-		return m.Access
-	}
-	return Access_UNKNOWN
-}
-
-func (m *CreateRequest) GetPriority() int32 {
-	if m != nil {
-		return m.Priority
-	}
-	return 0
-}
-
 type CreateResponse struct {
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
@ -955,13 +931,10 @@ func (m *CreateResponse) XXX_DiscardUnknown() {
 var xxx_messageInfo_CreateResponse proto.InternalMessageInfo

 type DeleteRequest struct {
-	Role                 string    `protobuf:"bytes,1,opt,name=role,proto3" json:"role,omitempty"`
-	Resource             *Resource `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"`
-	Access               Access    `protobuf:"varint,3,opt,name=access,proto3,enum=go.micro.auth.Access" json:"access,omitempty"`
-	Priority             int32     `protobuf:"varint,4,opt,name=priority,proto3" json:"priority,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}  `json:"-"`
-	XXX_unrecognized     []byte    `json:"-"`
-	XXX_sizecache        int32     `json:"-"`
+	Rule                 *Rule    `protobuf:"bytes,1,opt,name=rule,proto3" json:"rule,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
 }

 func (m *DeleteRequest) Reset()         { *m = DeleteRequest{} }
@ -989,34 +962,13 @@ func (m *DeleteRequest) XXX_DiscardUnknown() {

 var xxx_messageInfo_DeleteRequest proto.InternalMessageInfo

-func (m *DeleteRequest) GetRole() string {
+func (m *DeleteRequest) GetRule() *Rule {
 	if m != nil {
-		return m.Role
-	}
-	return ""
-}
-
-func (m *DeleteRequest) GetResource() *Resource {
-	if m != nil {
-		return m.Resource
+		return m.Rule
 	}
 	return nil
 }

-func (m *DeleteRequest) GetAccess() Access {
-	if m != nil {
-		return m.Access
-	}
-	return Access_UNKNOWN
-}
-
-func (m *DeleteRequest) GetPriority() int32 {
-	if m != nil {
-		return m.Priority
-	}
-	return 0
-}
-
 type DeleteResponse struct {
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
@ -1149,63 +1101,63 @@ func init() {
 func init() { proto.RegisterFile("auth/service/proto/auth.proto", fileDescriptor_21300bfacc51fc2a) }

 var fileDescriptor_21300bfacc51fc2a = []byte{
-	// 892 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x56, 0xdd, 0x8e, 0xdb, 0x44,
-	0x14, 0x5e, 0xff, 0xc4, 0xc9, 0x9e, 0xc4, 0xd9, 0x68, 0xba, 0x2d, 0x96, 0xcb, 0x96, 0xad, 0x8b,
-	0xd0, 0x52, 0x41, 0x16, 0xa5, 0x37, 0x40, 0x6f, 0x58, 0x35, 0x51, 0x68, 0xa1, 0x41, 0x58, 0x45,
-	0xe5, 0x06, 0x55, 0xc6, 0x39, 0xb0, 0xd6, 0x66, 0x6d, 0x33, 0x33, 0x5e, 0x91, 0x1b, 0x24, 0x5e,
-	0x80, 0x47, 0xe0, 0x86, 0x3b, 0x9e, 0x89, 0x7b, 0x5e, 0x03, 0x79, 0x7e, 0xbc, 0xb1, 0xe3, 0x54,
-	0x05, 0x7a, 0xd1, 0xbb, 0x39, 0x33, 0x67, 0xce, 0x7c, 0xdf, 0x77, 0x7e, 0x6c, 0x38, 0x8a, 0x0a,
-	0x7e, 0x7e, 0xca, 0x90, 0x5e, 0x25, 0x31, 0x9e, 0xe6, 0x34, 0xe3, 0xd9, 0x69, 0xb9, 0x35, 0x16,
-	0x4b, 0xe2, 0xfe, 0x98, 0x8d, 0x2f, 0x93, 0x98, 0x66, 0xe3, 0x72, 0x33, 0xb8, 0x09, 0x37, 0xbe,
-	0x4c, 0x18, 0x3f, 0x8b, 0xe3, 0xac, 0x48, 0x39, 0x0b, 0xf1, 0xa7, 0x02, 0x19, 0x0f, 0x9e, 0xc0,
-	0x61, 0x7d, 0x9b, 0xe5, 0x59, 0xca, 0x90, 0x4c, 0xa0, 0x17, 0xa9, 0x3d, 0xcf, 0x38, 0xb6, 0x4e,
-	0xfa, 0x93, 0x5b, 0xe3, 0x5a, 0xc0, 0xb1, 0xba, 0x12, 0x56, 0x7e, 0xc1, 0xaf, 0x06, 0x74, 0x9e,
-	0x65, 0x17, 0x98, 0x92, 0xbb, 0x30, 0x88, 0xe2, 0x18, 0x19, 0x7b, 0xc1, 0x4b, 0xdb, 0x33, 0x8e,
-	0x8d, 0x93, 0xfd, 0xb0, 0x2f, 0xf7, 0xa4, 0xcb, 0x3d, 0x70, 0x29, 0xfe, 0x40, 0x91, 0x9d, 0x2b,
-	0x1f, 0x53, 0xf8, 0x0c, 0xd4, 0xa6, 0x74, 0xf2, 0xa0, 0x1b, 0x53, 0x8c, 0x38, 0x2e, 0x3d, 0xeb,
-	0xd8, 0x38, 0xb1, 0x42, 0x6d, 0x92, 0x5b, 0xe0, 0xe0, 0xcf, 0x79, 0x42, 0xd7, 0x9e, 0x2d, 0x0e,
-	0x94, 0x15, 0xfc, 0x66, 0x42, 0x57, 0x21, 0x23, 0x43, 0x30, 0x93, 0xa5, 0x7a, 0xdb, 0x4c, 0x96,
-	0x84, 0x80, 0xcd, 0xd7, 0x39, 0xaa, 0x97, 0xc4, 0x9a, 0x1c, 0x42, 0x87, 0x66, 0x2b, 0x64, 0x9e,
-	0x75, 0x6c, 0x9d, 0xec, 0x87, 0xd2, 0x20, 0x9f, 0x41, 0xef, 0x12, 0x79, 0xb4, 0x8c, 0x78, 0xe4,
-	0xd9, 0x82, 0xfd, 0xbb, 0xed, 0xec, 0xc7, 0x4f, 0x95, 0xdb, 0x2c, 0xe5, 0x74, 0x1d, 0x56, 0xb7,
-	0x4a, 0x7c, 0x2c, 0xce, 0x72, 0x64, 0x5e, 0x47, 0x04, 0x56, 0x16, 0xf1, 0xa1, 0x97, 0xd3, 0xec,
-	0x2a, 0x59, 0x22, 0xf5, 0x1c, 0x81, 0xa3, 0xb2, 0xc5, 0x1d, 0x8c, 0x29, 0x72, 0xaf, 0x2b, 0x4e,
-	0x94, 0xe5, 0x3f, 0x04, 0xb7, 0xf6, 0x0c, 0x19, 0x81, 0x75, 0x81, 0x6b, 0xc5, 0xac, 0x5c, 0x96,
-	0x34, 0xae, 0xa2, 0x55, 0xa1, 0xb9, 0x49, 0xe3, 0x53, 0xf3, 0x63, 0x23, 0x58, 0x40, 0x2f, 0x44,
-	0x96, 0x15, 0x34, 0xc6, 0x52, 0x80, 0x34, 0xba, 0x44, 0x75, 0x51, 0xac, 0x5b, 0x45, 0xf1, 0xa1,
-	0x87, 0xe9, 0x32, 0xcf, 0x92, 0x94, 0x0b, 0xdd, 0xf7, 0xc3, 0xca, 0x0e, 0x7e, 0x37, 0xe1, 0x60,
-	0x8e, 0x29, 0xd2, 0x88, 0xa3, 0x2a, 0xa2, 0x2d, 0xa1, 0x2b, 0x51, 0xcd, 0x4d, 0x51, 0x3f, 0xdf,
-	0x10, 0xd5, 0x12, 0xa2, 0x7e, 0xd0, 0x10, 0xb5, 0x11, 0xf7, 0x15, 0xc4, 0xb5, 0x6b, 0xe2, 0x5e,
-	0x0b, 0xd8, 0xd9, 0x14, 0xb0, 0xe2, 0xe8, 0xd4, 0x39, 0x56, 0x89, 0xe8, 0xd6, 0x13, 0xf1, 0xff,
-	0x04, 0x9f, 0xc2, 0xe8, 0x9a, 0x87, 0xea, 0xa6, 0x8f, 0xa0, 0xab, 0xba, 0x44, 0xc4, 0xd8, 0xdd,
-	0x4c, 0xda, 0x2d, 0x78, 0x0e, 0x83, 0x39, 0x8d, 0x52, 0xae, 0x25, 0x26, 0x60, 0x97, 0x2a, 0xea,
-	0xd4, 0x95, 0x6b, 0xf2, 0x00, 0x7a, 0x54, 0xa5, 0x56, 0xc0, 0xe8, 0x4f, 0xde, 0x6a, 0x84, 0xd5,
-	0x99, 0x0f, 0x2b, 0xc7, 0xe0, 0x00, 0x5c, 0x15, 0x58, 0x62, 0x0b, 0xbe, 0x05, 0x37, 0xc4, 0xab,
-	0xec, 0x02, 0x5f, 0xfb, 0x53, 0x23, 0x18, 0xea, 0xc8, 0xea, 0xad, 0xf7, 0x60, 0xf8, 0x38, 0x65,
-	0x39, 0xc6, 0x15, 0xaf, 0x43, 0xe8, 0x6c, 0x8e, 0x08, 0x69, 0x04, 0x8f, 0xe0, 0xa0, 0xf2, 0xfb,
-	0xcf, 0x12, 0xfe, 0x02, 0x03, 0x31, 0x45, 0x76, 0x55, 0xe9, 0x75, 0xb5, 0x98, 0xb5, 0x6a, 0xd9,
-	0x9a, 0x4c, 0x56, 0xcb, 0x64, 0xba, 0x0b, 0x03, 0x71, 0xf8, 0xa2, 0x36, 0x85, 0xfa, 0x62, 0x6f,
-	0x26, 0x47, 0xd1, 0x43, 0x70, 0xd5, 0xfb, 0x8a, 0xc2, 0xfd, 0x4d, 0xae, 0xfd, 0xc9, 0x61, 0x83,
-	0x80, 0x74, 0x56, 0x0a, 0xfc, 0x69, 0x80, 0x1d, 0x16, 0x2b, 0x6c, 0x1b, 0x62, 0x22, 0x3b, 0xe6,
-	0x8e, 0xec, 0x58, 0xaf, 0x98, 0x1d, 0xf2, 0x21, 0x38, 0x72, 0x1e, 0x0b, 0xec, 0xc3, 0xc9, 0xcd,
-	0x6d, 0x3d, 0x91, 0xb1, 0x50, 0x39, 0xc9, 0x7e, 0x49, 0x32, 0x9a, 0xf0, 0xb5, 0xe8, 0xae, 0x4e,
-	0x58, 0xd9, 0xc1, 0x1f, 0x06, 0xb8, 0x8f, 0xc4, 0x60, 0x7e, 0xdd, 0x35, 0xb4, 0x81, 0xd2, 0xfa,
-	0xb7, 0x28, 0xed, 0x06, 0xca, 0x11, 0x0c, 0x35, 0x48, 0x55, 0x8e, 0x25, 0xee, 0x29, 0xae, 0xf0,
-	0x8d, 0xc7, 0xad, 0x41, 0x2a, 0xdc, 0x2e, 0xf4, 0xcb, 0x8f, 0xb6, 0xfe, 0x86, 0x7f, 0x02, 0x03,
-	0x69, 0xaa, 0x3a, 0x7b, 0x1f, 0x3a, 0xb4, 0x28, 0xc7, 0xaf, 0xfc, 0x70, 0xdf, 0x68, 0xa2, 0x2d,
-	0x56, 0x18, 0x4a, 0x8f, 0xfb, 0x63, 0x70, 0x24, 0x12, 0xd2, 0x87, 0xee, 0x37, 0x8b, 0x2f, 0x16,
-	0x5f, 0x3d, 0x5f, 0x8c, 0xf6, 0x4a, 0x63, 0x1e, 0x9e, 0x2d, 0x9e, 0xcd, 0xa6, 0x23, 0x83, 0x00,
-	0x38, 0xd3, 0xd9, 0xe2, 0xf1, 0x6c, 0x3a, 0x32, 0x27, 0x7f, 0x1b, 0x60, 0x9f, 0x15, 0xfc, 0x9c,
-	0x3c, 0x85, 0x9e, 0x9e, 0x72, 0xe4, 0xce, 0xcb, 0xc7, 0xb8, 0xff, 0xce, 0xce, 0x73, 0xc5, 0x67,
-	0x8f, 0x3c, 0x81, 0xae, 0x6a, 0x78, 0x72, 0xd4, 0xf0, 0xae, 0x0f, 0x0c, 0xff, 0xce, 0xae, 0xe3,
-	0x2a, 0xd6, 0x54, 0xff, 0x85, 0xdc, 0x6e, 0x6d, 0x30, 0x15, 0xe7, 0xed, 0xf6, 0x43, 0x1d, 0x65,
-	0xf2, 0x1d, 0xf4, 0xf4, 0x4f, 0x11, 0xf9, 0x1a, 0xec, 0x52, 0x60, 0x12, 0x34, 0xee, 0xb4, 0xfc,
-	0x50, 0xf9, 0xf7, 0x5e, 0xea, 0x53, 0x85, 0xff, 0xcb, 0x80, 0x4e, 0x99, 0x08, 0x46, 0xe6, 0xe0,
-	0xc8, 0xb2, 0x24, 0x4d, 0x48, 0xb5, 0x96, 0xf2, 0x8f, 0x76, 0x9c, 0x56, 0xbc, 0xe7, 0xe0, 0xc8,
-	0x3a, 0xd9, 0x0a, 0x54, 0xab, 0xf1, 0xad, 0x40, 0x8d, 0xe2, 0xda, 0x23, 0x67, 0x8a, 0xae, 0xdf,
-	0x42, 0x45, 0x07, 0xb9, 0xdd, 0x7a, 0xa6, 0x43, 0x7c, 0xef, 0x88, 0x7f, 0xd0, 0x07, 0xff, 0x04,
-	0x00, 0x00, 0xff, 0xff, 0x60, 0xd4, 0x97, 0x04, 0xa4, 0x0a, 0x00, 0x00,
+	// 888 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x56, 0xdd, 0x8e, 0xdb, 0x44,
+	0x14, 0x5e, 0xff, 0xc4, 0xc9, 0x9e, 0xc4, 0xbb, 0xd1, 0x74, 0x5b, 0xac, 0x94, 0x2d, 0x5b, 0x17,
+	0xc1, 0x52, 0x41, 0x16, 0xb9, 0x37, 0x0b, 0xbd, 0x61, 0xd5, 0x44, 0xa1, 0x85, 0x06, 0x61, 0x15,
+	0x95, 0x1b, 0x54, 0x19, 0xe7, 0xc0, 0x5a, 0x9b, 0xb5, 0xcd, 0xcc, 0x38, 0x22, 0x37, 0x48, 0xbc,
+	0x00, 0x8f, 0xc0, 0x03, 0xf0, 0x4c, 0xdc, 0xf3, 0x1a, 0xc8, 0xf3, 0xe3, 0x8d, 0x1d, 0xa7, 0xaa,
+	0x0a, 0x77, 0x73, 0x66, 0xce, 0xf9, 0xe6, 0x7c, 0xdf, 0x39, 0x73, 0x6c, 0x38, 0x8e, 0x0a, 0x7e,
+	0x79, 0xc6, 0x90, 0xae, 0x92, 0x18, 0xcf, 0x72, 0x9a, 0xf1, 0xec, 0xac, 0xdc, 0x1a, 0x8b, 0x25,
+	0x71, 0x7f, 0xce, 0xc6, 0xd7, 0x49, 0x4c, 0xb3, 0x71, 0xb9, 0xe9, 0xdf, 0x86, 0x5b, 0x5f, 0x27,
+	0x8c, 0x5f, 0xc4, 0x71, 0x56, 0xa4, 0x9c, 0x85, 0xf8, 0x4b, 0x81, 0x8c, 0xfb, 0xcf, 0xe0, 0xa8,
+	0xbe, 0xcd, 0xf2, 0x2c, 0x65, 0x48, 0x02, 0xe8, 0x45, 0x6a, 0xcf, 0x33, 0x4e, 0xac, 0xd3, 0x7e,
+	0x70, 0x67, 0x5c, 0x03, 0x1c, 0xab, 0x90, 0xb0, 0xf2, 0xf3, 0x7f, 0x37, 0xa0, 0xf3, 0x22, 0xbb,
+	0xc2, 0x94, 0xdc, 0x87, 0x41, 0x14, 0xc7, 0xc8, 0xd8, 0x2b, 0x5e, 0xda, 0x9e, 0x71, 0x62, 0x9c,
+	0xee, 0x87, 0x7d, 0xb9, 0x27, 0x5d, 0x1e, 0x80, 0x4b, 0xf1, 0x27, 0x8a, 0xec, 0x52, 0xf9, 0x98,
+	0xc2, 0x67, 0xa0, 0x36, 0xa5, 0x93, 0x07, 0xdd, 0x98, 0x62, 0xc4, 0x71, 0xe1, 0x59, 0x27, 0xc6,
+	0xa9, 0x15, 0x6a, 0x93, 0xdc, 0x01, 0x07, 0x7f, 0xcd, 0x13, 0xba, 0xf6, 0x6c, 0x71, 0xa0, 0x2c,
+	0xff, 0x0f, 0x13, 0xba, 0x2a, 0x33, 0x72, 0x00, 0x66, 0xb2, 0x50, 0x77, 0x9b, 0xc9, 0x82, 0x10,
+	0xb0, 0xf9, 0x3a, 0x47, 0x75, 0x93, 0x58, 0x93, 0x23, 0xe8, 0xd0, 0x6c, 0x89, 0xcc, 0xb3, 0x4e,
+	0xac, 0xd3, 0xfd, 0x50, 0x1a, 0xe4, 0x0b, 0xe8, 0x5d, 0x23, 0x8f, 0x16, 0x11, 0x8f, 0x3c, 0x5b,
+	0xb0, 0x7f, 0xbf, 0x9d, 0xfd, 0xf8, 0xb9, 0x72, 0x9b, 0xa6, 0x9c, 0xae, 0xc3, 0x2a, 0xaa, 0xcc,
+	0x8f, 0xc5, 0x59, 0x8e, 0xcc, 0xeb, 0x08, 0x60, 0x65, 0x91, 0x11, 0xf4, 0x72, 0x9a, 0xad, 0x92,
+	0x05, 0x52, 0xcf, 0x11, 0x79, 0x54, 0xb6, 0x88, 0xc1, 0x98, 0x22, 0xf7, 0xba, 0xe2, 0x44, 0x59,
+	0xa3, 0xc7, 0xe0, 0xd6, 0xae, 0x21, 0x43, 0xb0, 0xae, 0x70, 0xad, 0x98, 0x95, 0xcb, 0x92, 0xc6,
+	0x2a, 0x5a, 0x16, 0x9a, 0x9b, 0x34, 0x3e, 0x37, 0xcf, 0x0d, 0x7f, 0x0e, 0xbd, 0x10, 0x59, 0x56,
+	0xd0, 0x18, 0x4b, 0x01, 0xd2, 0xe8, 0x1a, 0x55, 0xa0, 0x58, 0xb7, 0x8a, 0x32, 0x82, 0x1e, 0xa6,
+	0x8b, 0x3c, 0x4b, 0x52, 0x2e, 0x74, 0xdf, 0x0f, 0x2b, 0xdb, 0xff, 0xd3, 0x84, 0xc3, 0x19, 0xa6,
+	0x48, 0x23, 0x8e, 0xaa, 0x89, 0xb6, 0x84, 0xae, 0x44, 0x35, 0x37, 0x45, 0xfd, 0x72, 0x43, 0x54,
+	0x4b, 0x88, 0xfa, 0x71, 0x43, 0xd4, 0x06, 0xee, 0x1b, 0x88, 0x6b, 0xd7, 0xc4, 0xbd, 0x11, 0xb0,
+	0xb3, 0x29, 0x60, 0xc5, 0xd1, 0xa9, 0x73, 0xac, 0x0a, 0xd1, 0xad, 0x17, 0xe2, 0xbf, 0x09, 0x3e,
+	0x81, 0xe1, 0x0d, 0x0f, 0xf5, 0x9a, 0x3e, 0x85, 0xae, 0x7a, 0x25, 0x02, 0x63, 0xf7, 0x63, 0xd2,
+	0x6e, 0xfe, 0x4b, 0x18, 0xcc, 0x68, 0x94, 0x72, 0x2d, 0x31, 0x01, 0xbb, 0x54, 0x51, 0x97, 0xae,
+	0x5c, 0x93, 0x47, 0xd0, 0xa3, 0xaa, 0xb4, 0x22, 0x8d, 0x7e, 0xf0, 0x4e, 0x03, 0x56, 0x57, 0x3e,
+	0xac, 0x1c, 0xfd, 0x43, 0x70, 0x15, 0xb0, 0xcc, 0xcd, 0xff, 0x1e, 0xdc, 0x10, 0x57, 0xd9, 0x15,
+	0xfe, 0xef, 0x57, 0x0d, 0xe1, 0x40, 0x23, 0xab, 0xbb, 0x3e, 0x80, 0x83, 0xa7, 0x29, 0xcb, 0x31,
+	0xae, 0x78, 0x1d, 0x41, 0x67, 0x73, 0x44, 0x48, 0xc3, 0x7f, 0x02, 0x87, 0x95, 0xdf, 0x5b, 0x4b,
+	0xf8, 0x1b, 0x0c, 0xc4, 0x14, 0xd9, 0xd5, 0xa5, 0x37, 0xdd, 0x62, 0xd6, 0xba, 0x65, 0x6b, 0x32,
+	0x59, 0x2d, 0x93, 0xe9, 0x3e, 0x0c, 0xc4, 0xe1, 0xab, 0xda, 0x14, 0xea, 0x8b, 0xbd, 0xa9, 0x1c,
+	0x45, 0x8f, 0xc1, 0x55, 0xf7, 0x2b, 0x0a, 0x0f, 0x37, 0xb9, 0xf6, 0x83, 0xa3, 0x06, 0x01, 0xe9,
+	0xac, 0x14, 0xf8, 0xcb, 0x00, 0x3b, 0x2c, 0x96, 0xd8, 0x36, 0xc4, 0x44, 0x75, 0xcc, 0x1d, 0xd5,
+	0xb1, 0xde, 0xb0, 0x3a, 0xe4, 0x13, 0x70, 0xe4, 0x3c, 0x16, 0xb9, 0x1f, 0x04, 0xb7, 0xb7, 0xf5,
+	0x44, 0xc6, 0x42, 0xe5, 0x24, 0xdf, 0x4b, 0x92, 0xd1, 0x84, 0xaf, 0xc5, 0xeb, 0xea, 0x84, 0x95,
+	0xed, 0x9f, 0x83, 0xfb, 0x44, 0xcc, 0x65, 0x2d, 0xf5, 0x87, 0x60, 0xd3, 0x42, 0xb5, 0x50, 0x3f,
+	0xb8, 0xd5, 0x4c, 0xa6, 0x58, 0x62, 0x28, 0x1c, 0xca, 0x16, 0xd1, 0x91, 0xaa, 0x45, 0xce, 0xc1,
+	0x9d, 0xe0, 0x12, 0xdf, 0x0e, 0x4b, 0x47, 0x2a, 0x2c, 0x17, 0xfa, 0xe5, 0xc7, 0x4d, 0x7f, 0xeb,
+	0x3e, 0x83, 0x81, 0x34, 0x55, 0x3d, 0x3e, 0x82, 0x4e, 0x19, 0xa8, 0x3f, 0x70, 0xad, 0xd0, 0xd2,
+	0xe3, 0xe1, 0x18, 0x1c, 0xa9, 0x07, 0xe9, 0x43, 0xf7, 0xbb, 0xf9, 0x57, 0xf3, 0x6f, 0x5e, 0xce,
+	0x87, 0x7b, 0xa5, 0x31, 0x0b, 0x2f, 0xe6, 0x2f, 0xa6, 0x93, 0xa1, 0x41, 0x00, 0x9c, 0xc9, 0x74,
+	0xfe, 0x74, 0x3a, 0x19, 0x9a, 0xc1, 0x3f, 0x06, 0xd8, 0x17, 0x05, 0xbf, 0x24, 0xcf, 0xa1, 0xa7,
+	0xa7, 0x01, 0xb9, 0xf7, 0xfa, 0x71, 0x37, 0x7a, 0x6f, 0xe7, 0xb9, 0xe2, 0xb3, 0x47, 0x9e, 0x41,
+	0x57, 0x3d, 0x0c, 0x72, 0xdc, 0xf0, 0xae, 0x3f, 0xac, 0xd1, 0xbd, 0x5d, 0xc7, 0x15, 0xd6, 0x44,
+	0x7f, 0xad, 0xef, 0xb6, 0x36, 0xa2, 0xc2, 0x79, 0xb7, 0xfd, 0x50, 0xa3, 0x04, 0x3f, 0x40, 0x4f,
+	0xff, 0x3c, 0x90, 0x6f, 0xc1, 0x2e, 0x05, 0x26, 0x7e, 0x23, 0xa6, 0xe5, 0xc7, 0x63, 0xf4, 0xe0,
+	0xb5, 0x3e, 0x15, 0xfc, 0xdf, 0x06, 0x74, 0xca, 0x42, 0x30, 0x32, 0x03, 0x47, 0xb6, 0x0a, 0x69,
+	0xa6, 0x54, 0xeb, 0xbd, 0xd1, 0xf1, 0x8e, 0xd3, 0x8a, 0xf7, 0x0c, 0x1c, 0xd9, 0x27, 0x5b, 0x40,
+	0xb5, 0xc6, 0xdb, 0x02, 0x6a, 0x34, 0xd7, 0x1e, 0xb9, 0x50, 0x74, 0x47, 0x2d, 0x54, 0x34, 0xc8,
+	0xdd, 0xd6, 0x33, 0x0d, 0xf1, 0xa3, 0x23, 0xfe, 0xd5, 0x1e, 0xfd, 0x1b, 0x00, 0x00, 0xff, 0xff,
+	0x7f, 0x20, 0xd5, 0xb8, 0xcc, 0x09, 0x00, 0x00,
 }

 // Reference imports to suppress errors if they are not otherwise used.
--- a/auth/service/proto/auth.proto
+++ b/auth/service/proto/auth.proto
@ -110,19 +110,13 @@ message Rule {
 }

 message CreateRequest {
-	string role = 1;
-	Resource resource = 2;
-	Access access = 3;
-	int32 priority = 4;
+	Rule rule = 1;
 }

 message CreateResponse {}

 message DeleteRequest {
-	string role = 1;
-	Resource resource = 2;
-	Access access = 3;
-	int32 priority = 4;
+	Rule rule = 1;
 }

 message DeleteResponse {}
--- a/auth/service/service.go
+++ b/auth/service/service.go
@ -2,13 +2,12 @@ package service

 import (
 	"context"
-	"fmt"
-	"sort"
 	"strings"
 	"sync"
 	"time"

 	"github.com/micro/go-micro/v2/auth"
+	"github.com/micro/go-micro/v2/auth/rules"
 	pb "github.com/micro/go-micro/v2/auth/service/proto"
 	"github.com/micro/go-micro/v2/auth/token"
 	"github.com/micro/go-micro/v2/auth/token/jwt"
@ -23,8 +22,7 @@ type svc struct {
 	auth    pb.AuthService
 	rule    pb.RulesService
 	jwt     token.Provider
-
-	rules []*pb.Rule
+	rules   []*auth.Rule
 	sync.Mutex
 }

@ -79,84 +77,53 @@ func (s *svc) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
 }

 // Grant access to a resource
-func (s *svc) Grant(role string, res *auth.Resource) error {
+func (s *svc) Grant(rule *auth.Rule) error {
 	_, err := s.rule.Create(context.TODO(), &pb.CreateRequest{
-		Role:   role,
-		Access: pb.Access_GRANTED,
-		Resource: &pb.Resource{
-			Type:     res.Type,
-			Name:     res.Name,
-			Endpoint: res.Endpoint,
+		Rule: &pb.Rule{
+			Id:       rule.ID,
+			Role:     rule.Role,
+			Priority: rule.Priority,
+			Access:   pb.Access_GRANTED,
+			Resource: &pb.Resource{
+				Type:     rule.Resource.Type,
+				Name:     rule.Resource.Name,
+				Endpoint: rule.Resource.Endpoint,
+			},
 		},
 	})
+	go s.loadRules()
 	return err
 }

 // Revoke access to a resource
-func (s *svc) Revoke(role string, res *auth.Resource) error {
+func (s *svc) Revoke(rule *auth.Rule) error {
 	_, err := s.rule.Delete(context.TODO(), &pb.DeleteRequest{
-		Role:   role,
-		Access: pb.Access_GRANTED,
-		Resource: &pb.Resource{
-			Type:     res.Type,
-			Name:     res.Name,
-			Endpoint: res.Endpoint,
+		Rule: &pb.Rule{
+			Id:       rule.ID,
+			Role:     rule.Role,
+			Priority: rule.Priority,
+			Access:   pb.Access_GRANTED,
+			Resource: &pb.Resource{
+				Type:     rule.Resource.Type,
+				Name:     rule.Resource.Name,
+				Endpoint: rule.Resource.Endpoint,
+			},
 		},
 	})
+	go s.loadRules()
 	return err
 }

+func (s *svc) Rules() ([]*auth.Rule, error) {
+	return s.rules, nil
+}
+
 // Verify an account has access to a resource
 func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
-	// check the scope
-	scope := "namespace." + s.options.Namespace
-	if acc != nil && !acc.HasScope(scope) {
-		return fmt.Errorf("Missing required scope: %v", scope)
-	}
-
 	// load the rules if none are loaded
 	s.loadRulesIfEmpty()
-
-	queries := [][]string{
-		{res.Type, res.Name, res.Endpoint}, // check for specific role, e.g. service.foo.ListFoo:admin (role is checked in accessForRule)
-		{res.Type, res.Name, "*"},          // check for wildcard endpoint, e.g. service.foo*
-		{res.Type, "*"},                    // check for wildcard name, e.g. service.*
-		{"*"},                              // check for wildcard type, e.g. *
-	}
-
-	// endpoint is a url which can have wildcard excludes, e.g.
-	// "/foo/*" will allow "/foo/bar"
-	if comps := strings.Split(res.Endpoint, "/"); len(comps) > 1 {
-		for i := 1; i < len(comps); i++ {
-			wildcard := fmt.Sprintf("%v/*", strings.Join(comps[0:i], "/"))
-			queries = append(queries, []string{res.Type, res.Name, wildcard})
-		}
-	}
-
-	// set a default account id / namespace to log
-	logID := acc.ID
-	if len(logID) == 0 {
-		logID = "[no account]"
-	}
-
-	for _, q := range queries {
-		for _, rule := range s.listRules(q...) {
-			switch accessForRule(rule, acc, res) {
-			case pb.Access_UNKNOWN:
-				continue // rule did not specify access, check the next rule
-			case pb.Access_GRANTED:
-				log.Tracef("%v granted access to %v:%v:%v by rule %v", logID, res.Type, res.Name, res.Endpoint, rule.Id)
-				return nil // rule grants the account access to the resource
-			case pb.Access_DENIED:
-				log.Tracef("%v denied access to %v:%v:%v by rule %v", logID, res.Type, res.Name, res.Endpoint, rule.Id)
-				return auth.ErrForbidden // rule denies access to the resource
-			}
-		}
-	}
-
-	// no rules were found for the resource, default to denying access
-	log.Tracef("%v denied access to %v:%v:%v by lack of rule", logID, res.Type, res.Name, res.Endpoint)
-	return auth.ErrForbidden
+	// verify the request using the rules
+	return rules.Verify(s.options.Namespace, s.rules, acc, res)
 }

 // Inspect a token
@ -221,35 +188,6 @@ func accessForRule(rule *pb.Rule, acc *auth.Account, res *auth.Resource) pb.Acce
 	return pb.Access_UNKNOWN
 }

-// listRules gets all the rules from the store which match the filters.
-// filters are namespace, type, name and then endpoint.
-func (s *svc) listRules(filters ...string) []*pb.Rule {
-	s.Lock()
-	defer s.Unlock()
-
-	var rules []*pb.Rule
-	for _, r := range s.rules {
-		if len(filters) > 1 && r.Resource.Type != filters[0] {
-			continue
-		}
-		if len(filters) > 2 && r.Resource.Name != filters[1] {
-			continue
-		}
-		if len(filters) > 3 && r.Resource.Endpoint != filters[2] {
-			continue
-		}
-
-		rules = append(rules, r)
-	}
-
-	// sort rules by priority
-	sort.Slice(rules, func(i, j int) bool {
-		return rules[i].Priority < rules[j].Priority
-	})
-
-	return rules
-}
-
 // loadRules retrieves the rules from the auth service
 func (s *svc) loadRules() {
 	rsp, err := s.rule.List(context.TODO(), &pb.ListRequest{})
@ -261,7 +199,27 @@ func (s *svc) loadRules() {
 		return
 	}

-	s.rules = rsp.Rules
+	s.rules = make([]*auth.Rule, 0, len(rsp.Rules))
+	for _, r := range rsp.Rules {
+		var access auth.Access
+		if r.Access == pb.Access_GRANTED {
+			access = auth.AccessGranted
+		} else {
+			access = auth.AccessDenied
+		}
+
+		s.rules = append(s.rules, &auth.Rule{
+			ID:       r.Id,
+			Role:     r.Role,
+			Access:   access,
+			Priority: r.Priority,
+			Resource: &auth.Resource{
+				Type:     r.Resource.Type,
+				Name:     r.Resource.Name,
+				Endpoint: r.Resource.Endpoint,
+			},
+		})
+	}
 }

 func (s *svc) loadRulesIfEmpty() {
--- a/util/auth/auth.go
+++ b/util/auth/auth.go
@ -66,7 +66,7 @@ func Generate(id string, name string, a auth.Auth) error {

 			// generate the first token
 			tok, err := a.Token(
-				auth.WithCredentials(accID, accSecret),
+				auth.WithToken(tok.RefreshToken),
 				auth.WithExpiry(time.Minute*10),
 			)
 			if err != nil {