diff --git a/auth/auth.go b/auth/auth.go index f3bcefb0..0a03eda5 100644 --- a/auth/auth.go +++ b/auth/auth.go @@ -7,16 +7,13 @@ import ( "time" ) +// BearerScheme used for Authorization header +const BearerScheme = "Bearer " + var ( - // ErrNotFound is returned when a resouce cannot be found - ErrNotFound = errors.New("not found") - // ErrEncodingToken is returned when the service encounters an error during encoding - ErrEncodingToken = errors.New("error encoding the token") - // ErrInvalidToken is returned when the token provided is not valid + // ErrInvalidToken is when the token provided is not valid ErrInvalidToken = errors.New("invalid token provided") - // ErrInvalidRole is returned when the role provided was invalid - ErrInvalidRole = errors.New("invalid role") - // ErrForbidden is returned when a user does not have the necessary roles to access a resource + // ErrForbidden is when a user does not have the necessary roles or scoeps to access a resource ErrForbidden = errors.New("resource forbidden") ) @@ -28,30 +25,22 @@ type Auth interface { Options() Options // Generate a new account Generate(id string, opts ...GenerateOption) (*Account, error) - // Grant access to a resource - Grant(role string, res *Resource) error - // Revoke access to a resource - Revoke(role string, res *Resource) error - // Verify an account has access to a resource + // Verify an account has access to a resource using the rules Verify(acc *Account, res *Resource) error // Inspect a token Inspect(token string) (*Account, error) - // Token generated using refresh token + // Token generated using refresh token or credentials Token(opts ...TokenOption) (*Token, error) + // Grant access to a resource + Grant(rule *Rule) error + // Revoke access to a resource + Revoke(rule *Rule) error + // Rules returns all the rules used to verify requests + Rules() ([]*Rule, error) // String returns the name of the implementation String() string } -// Resource is an entity such as a user or -type Resource struct { - // Name of the resource - Name string `json:"name"` - // Type of resource, e.g. - Type string `json:"type"` - // Endpoint resource e.g NotesService.Create - Endpoint string `json:"endpoint"` -} - // Account provided by an auth provider type Account struct { // ID of the account e.g. email @@ -112,13 +101,47 @@ type Token struct { Expiry time.Time `json:"expiry"` } +// Expired returns a boolean indicating if the token needs to be refreshed +func (t *Token) Expired() bool { + return t.Expiry.Unix() < time.Now().Unix() +} + +// Resource is an entity such as a user or +type Resource struct { + // Name of the resource, e.g. go.micro.service.notes + Name string `json:"name"` + // Type of resource, e.g. service + Type string `json:"type"` + // Endpoint resource e.g NotesService.Create + Endpoint string `json:"endpoint"` +} + +// Access defines the type of access a rule grants +type Access int + const ( - // TokenCookieName is the name of the cookie which stores the auth token - TokenCookieName = "micro-token" - // BearerScheme used for Authorization header - BearerScheme = "Bearer " + // AccessGranted to a resource + AccessGranted Access = iota + // AccessDenied to a resource + AccessDenied ) +// Rule is used to verify access to a resource +type Rule struct { + // ID of the rule, e.g. "public" + ID string + // Role the rule requires, a blank role indicates open to the public and * indicates the rule + // applies to any valid account + Role string + // Resource the rule applies to + Resource *Resource + // Access determines if the rule grants or denies access to the resource + Access Access + // Priority the rule should take when verifying a request, the higher the value the sooner the + // rule will be applied + Priority int32 +} + type accountKey struct{} // AccountFromContext gets the account from the context, which diff --git a/auth/default.go b/auth/default.go index 9fd42f2d..11f9e6ae 100644 --- a/auth/default.go +++ b/auth/default.go @@ -58,15 +58,20 @@ func (n *noop) Generate(id string, opts ...GenerateOption) (*Account, error) { } // Grant access to a resource -func (n *noop) Grant(role string, res *Resource) error { +func (n *noop) Grant(rule *Rule) error { return nil } // Revoke access to a resource -func (n *noop) Revoke(role string, res *Resource) error { +func (n *noop) Revoke(rule *Rule) error { return nil } +// Rules used to verify requests +func (n *noop) Rules() ([]*Rule, error) { + return []*Rule{}, nil +} + // Verify an account has access to a resource func (n *noop) Verify(acc *Account, res *Resource) error { return nil diff --git a/auth/jwt/jwt.go b/auth/jwt/jwt.go index 310c110b..2397586f 100644 --- a/auth/jwt/jwt.go +++ b/auth/jwt/jwt.go @@ -1,11 +1,11 @@ package jwt import ( - "fmt" "sync" "time" "github.com/micro/go-micro/v2/auth" + "github.com/micro/go-micro/v2/auth/rules" "github.com/micro/go-micro/v2/auth/token" jwtToken "github.com/micro/go-micro/v2/auth/token/jwt" ) @@ -25,7 +25,7 @@ type rule struct { type jwt struct { options auth.Options jwt token.Provider - rules []*rule + rules []*auth.Rule sync.Mutex } @@ -77,84 +77,38 @@ func (j *jwt) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e return account, nil } -func (j *jwt) Grant(role string, res *auth.Resource) error { +func (j *jwt) Grant(rule *auth.Rule) error { j.Lock() defer j.Unlock() - j.rules = append(j.rules, &rule{role, res}) + j.rules = append(j.rules, rule) return nil } -func (j *jwt) Revoke(role string, res *auth.Resource) error { +func (j *jwt) Revoke(rule *auth.Rule) error { j.Lock() defer j.Unlock() - rules := make([]*rule, 0, len(j.rules)) - - var ruleFound bool + rules := []*auth.Rule{} for _, r := range rules { - if r.role == role && r.resource == res { - ruleFound = true - } else { + if r.ID != rule.ID { rules = append(rules, r) } } - if !ruleFound { - return auth.ErrNotFound - } - j.rules = rules return nil } func (j *jwt) Verify(acc *auth.Account, res *auth.Resource) error { - // check the scope - scope := "namespace." + j.options.Namespace - if acc != nil && !acc.HasScope(scope) { - return fmt.Errorf("Missing required scope: %v", scope) - } - j.Lock() - rules := j.rules - j.Unlock() + defer j.Unlock() + return rules.Verify(j.options.Namespace, j.rules, acc, res) +} - for _, rule := range rules { - // validate the rule applies to the requested resource - if rule.resource.Type != "*" && rule.resource.Type != res.Type { - continue - } - if rule.resource.Name != "*" && rule.resource.Name != res.Name { - continue - } - if rule.resource.Endpoint != "*" && rule.resource.Endpoint != res.Endpoint { - continue - } - - // a blank role indicates anyone can access the resource, even without an account - if rule.role == "" { - return nil - } - - // all furter checks require an account - if acc == nil { - continue - } - - // this rule allows any account access, allow the request - if rule.role == "*" { - return nil - } - - // if the account has the necessary role, allow the request - for _, r := range acc.Roles { - if r == rule.role { - return nil - } - } - } - - // no rules matched, forbid the request - return auth.ErrForbidden +func (j *jwt) Rules() ([]*auth.Rule, error) { + j.Lock() + defer j.Unlock() + return j.rules, nil } func (j *jwt) Inspect(token string) (*auth.Account, error) { diff --git a/auth/rules/rules.go b/auth/rules/rules.go new file mode 100644 index 00000000..35736a8b --- /dev/null +++ b/auth/rules/rules.go @@ -0,0 +1,99 @@ +package rules + +import ( + "fmt" + "sort" + "strings" + + "github.com/micro/go-micro/v2/auth" +) + +// Verify an account has access to a resource using the rules provided. If the account does not have +// access an error will be returned. If there are no rules provided which match the resource, an error +// will be returned +func Verify(namespace string, rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error { + // ensure the account has the necessary scope. Some rules allow for public access so we don't + // error if the account is nil. + if acc != nil && !acc.HasScope("namespace."+namespace) { + return fmt.Errorf("Missing required scope: %v", "namespace."+namespace) + } + + // the rule is only to be applied if the type matches the resource or is catch-all (*) + validTypes := []string{"*", res.Type} + + // the rule is only to be applied if the name matches the resource or is catch-all (*) + validNames := []string{"*", res.Name} + + // rules can have wildcard excludes on endpoints since this can also be a path for web services, + // e.g. /foo/* would include /foo/bar. We also want to check for wildcards and the exact endpoint + validEndpoints := []string{"*", res.Endpoint} + if comps := strings.Split(res.Endpoint, "/"); len(comps) > 1 { + for i := 1; i < len(comps); i++ { + wildcard := fmt.Sprintf("%v/*", strings.Join(comps[0:i], "/")) + validEndpoints = append(validEndpoints, wildcard) + } + } + + // filter the rules to the ones which match the criteria above + filteredRules := make([]*auth.Rule, 0) + for _, rule := range rules { + if !include(validTypes, rule.Resource.Type) { + continue + } + if !include(validNames, rule.Resource.Name) { + continue + } + if !include(validEndpoints, rule.Resource.Endpoint) { + continue + } + filteredRules = append(filteredRules, rule) + } + + // sort the filtered rules by priority, highest to lowest + sort.SliceStable(filteredRules, func(i, j int) bool { + return filteredRules[i].Priority > filteredRules[j].Priority + }) + + // loop through the rules and check for a rule which applies to this account + for _, rule := range filteredRules { + // a blank role indicates the rule applies to everyone, even nil accounts + if rule.Role == "" && rule.Access == auth.AccessDenied { + return auth.ErrForbidden + } else if rule.Role == "" && rule.Access == auth.AccessGranted { + return nil + } + + // all furter checks require an account + if acc == nil { + continue + } + + // this rule applies to any account + if rule.Role == "*" && rule.Access == auth.AccessDenied { + return auth.ErrForbidden + } else if rule.Role == "" && rule.Access == auth.AccessGranted { + return nil + } + + // if the account has the necessary role + if include(acc.Roles, rule.Role) && rule.Access == auth.AccessDenied { + return auth.ErrForbidden + } else if rule.Role == "" && rule.Access == auth.AccessGranted { + return nil + } + } + + // if no rules matched then return forbidden + return auth.ErrForbidden +} + +// include is a helper function which checks to see if the slice contains the value. includes is +// not case sensitive. +func include(slice []string, val string) bool { + for _, s := range slice { + if strings.ToLower(s) == strings.ToLower(val) { + return true + } + } + return false +} diff --git a/auth/service/proto/auth.pb.go b/auth/service/proto/auth.pb.go index 43bb6ee1..26ea23bb 100644 --- a/auth/service/proto/auth.pb.go +++ b/auth/service/proto/auth.pb.go @@ -861,13 +861,10 @@ func (m *Rule) GetPriority() int32 { } type CreateRequest struct { - Role string `protobuf:"bytes,1,opt,name=role,proto3" json:"role,omitempty"` - Resource *Resource `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"` - Access Access `protobuf:"varint,3,opt,name=access,proto3,enum=go.micro.auth.Access" json:"access,omitempty"` - Priority int32 `protobuf:"varint,4,opt,name=priority,proto3" json:"priority,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` + Rule *Rule `protobuf:"bytes,1,opt,name=rule,proto3" json:"rule,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` } func (m *CreateRequest) Reset() { *m = CreateRequest{} } @@ -895,34 +892,13 @@ func (m *CreateRequest) XXX_DiscardUnknown() { var xxx_messageInfo_CreateRequest proto.InternalMessageInfo -func (m *CreateRequest) GetRole() string { +func (m *CreateRequest) GetRule() *Rule { if m != nil { - return m.Role - } - return "" -} - -func (m *CreateRequest) GetResource() *Resource { - if m != nil { - return m.Resource + return m.Rule } return nil } -func (m *CreateRequest) GetAccess() Access { - if m != nil { - return m.Access - } - return Access_UNKNOWN -} - -func (m *CreateRequest) GetPriority() int32 { - if m != nil { - return m.Priority - } - return 0 -} - type CreateResponse struct { XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` @@ -955,13 +931,10 @@ func (m *CreateResponse) XXX_DiscardUnknown() { var xxx_messageInfo_CreateResponse proto.InternalMessageInfo type DeleteRequest struct { - Role string `protobuf:"bytes,1,opt,name=role,proto3" json:"role,omitempty"` - Resource *Resource `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"` - Access Access `protobuf:"varint,3,opt,name=access,proto3,enum=go.micro.auth.Access" json:"access,omitempty"` - Priority int32 `protobuf:"varint,4,opt,name=priority,proto3" json:"priority,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` + Rule *Rule `protobuf:"bytes,1,opt,name=rule,proto3" json:"rule,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` } func (m *DeleteRequest) Reset() { *m = DeleteRequest{} } @@ -989,34 +962,13 @@ func (m *DeleteRequest) XXX_DiscardUnknown() { var xxx_messageInfo_DeleteRequest proto.InternalMessageInfo -func (m *DeleteRequest) GetRole() string { +func (m *DeleteRequest) GetRule() *Rule { if m != nil { - return m.Role - } - return "" -} - -func (m *DeleteRequest) GetResource() *Resource { - if m != nil { - return m.Resource + return m.Rule } return nil } -func (m *DeleteRequest) GetAccess() Access { - if m != nil { - return m.Access - } - return Access_UNKNOWN -} - -func (m *DeleteRequest) GetPriority() int32 { - if m != nil { - return m.Priority - } - return 0 -} - type DeleteResponse struct { XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` @@ -1149,63 +1101,63 @@ func init() { func init() { proto.RegisterFile("auth/service/proto/auth.proto", fileDescriptor_21300bfacc51fc2a) } var fileDescriptor_21300bfacc51fc2a = []byte{ - // 892 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x56, 0xdd, 0x8e, 0xdb, 0x44, - 0x14, 0x5e, 0xff, 0xc4, 0xc9, 0x9e, 0xc4, 0xd9, 0x68, 0xba, 0x2d, 0x96, 0xcb, 0x96, 0xad, 0x8b, - 0xd0, 0x52, 0x41, 0x16, 0xa5, 0x37, 0x40, 0x6f, 0x58, 0x35, 0x51, 0x68, 0xa1, 0x41, 0x58, 0x45, - 0xe5, 0x06, 0x55, 0xc6, 0x39, 0xb0, 0xd6, 0x66, 0x6d, 0x33, 0x33, 0x5e, 0x91, 0x1b, 0x24, 0x5e, - 0x80, 0x47, 0xe0, 0x86, 0x3b, 0x9e, 0x89, 0x7b, 0x5e, 0x03, 0x79, 0x7e, 0xbc, 0xb1, 0xe3, 0x54, - 0x05, 0x7a, 0xd1, 0xbb, 0x39, 0x33, 0x67, 0xce, 0x7c, 0xdf, 0x77, 0x7e, 0x6c, 0x38, 0x8a, 0x0a, - 0x7e, 0x7e, 0xca, 0x90, 0x5e, 0x25, 0x31, 0x9e, 0xe6, 0x34, 0xe3, 0xd9, 0x69, 0xb9, 0x35, 0x16, - 0x4b, 0xe2, 0xfe, 0x98, 0x8d, 0x2f, 0x93, 0x98, 0x66, 0xe3, 0x72, 0x33, 0xb8, 0x09, 0x37, 0xbe, - 0x4c, 0x18, 0x3f, 0x8b, 0xe3, 0xac, 0x48, 0x39, 0x0b, 0xf1, 0xa7, 0x02, 0x19, 0x0f, 0x9e, 0xc0, - 0x61, 0x7d, 0x9b, 0xe5, 0x59, 0xca, 0x90, 0x4c, 0xa0, 0x17, 0xa9, 0x3d, 0xcf, 0x38, 0xb6, 0x4e, - 0xfa, 0x93, 0x5b, 0xe3, 0x5a, 0xc0, 0xb1, 0xba, 0x12, 0x56, 0x7e, 0xc1, 0xaf, 0x06, 0x74, 0x9e, - 0x65, 0x17, 0x98, 0x92, 0xbb, 0x30, 0x88, 0xe2, 0x18, 0x19, 0x7b, 0xc1, 0x4b, 0xdb, 0x33, 0x8e, - 0x8d, 0x93, 0xfd, 0xb0, 0x2f, 0xf7, 0xa4, 0xcb, 0x3d, 0x70, 0x29, 0xfe, 0x40, 0x91, 0x9d, 0x2b, - 0x1f, 0x53, 0xf8, 0x0c, 0xd4, 0xa6, 0x74, 0xf2, 0xa0, 0x1b, 0x53, 0x8c, 0x38, 0x2e, 0x3d, 0xeb, - 0xd8, 0x38, 0xb1, 0x42, 0x6d, 0x92, 0x5b, 0xe0, 0xe0, 0xcf, 0x79, 0x42, 0xd7, 0x9e, 0x2d, 0x0e, - 0x94, 0x15, 0xfc, 0x66, 0x42, 0x57, 0x21, 0x23, 0x43, 0x30, 0x93, 0xa5, 0x7a, 0xdb, 0x4c, 0x96, - 0x84, 0x80, 0xcd, 0xd7, 0x39, 0xaa, 0x97, 0xc4, 0x9a, 0x1c, 0x42, 0x87, 0x66, 0x2b, 0x64, 0x9e, - 0x75, 0x6c, 0x9d, 0xec, 0x87, 0xd2, 0x20, 0x9f, 0x41, 0xef, 0x12, 0x79, 0xb4, 0x8c, 0x78, 0xe4, - 0xd9, 0x82, 0xfd, 0xbb, 0xed, 0xec, 0xc7, 0x4f, 0x95, 0xdb, 0x2c, 0xe5, 0x74, 0x1d, 0x56, 0xb7, - 0x4a, 0x7c, 0x2c, 0xce, 0x72, 0x64, 0x5e, 0x47, 0x04, 0x56, 0x16, 0xf1, 0xa1, 0x97, 0xd3, 0xec, - 0x2a, 0x59, 0x22, 0xf5, 0x1c, 0x81, 0xa3, 0xb2, 0xc5, 0x1d, 0x8c, 0x29, 0x72, 0xaf, 0x2b, 0x4e, - 0x94, 0xe5, 0x3f, 0x04, 0xb7, 0xf6, 0x0c, 0x19, 0x81, 0x75, 0x81, 0x6b, 0xc5, 0xac, 0x5c, 0x96, - 0x34, 0xae, 0xa2, 0x55, 0xa1, 0xb9, 0x49, 0xe3, 0x53, 0xf3, 0x63, 0x23, 0x58, 0x40, 0x2f, 0x44, - 0x96, 0x15, 0x34, 0xc6, 0x52, 0x80, 0x34, 0xba, 0x44, 0x75, 0x51, 0xac, 0x5b, 0x45, 0xf1, 0xa1, - 0x87, 0xe9, 0x32, 0xcf, 0x92, 0x94, 0x0b, 0xdd, 0xf7, 0xc3, 0xca, 0x0e, 0x7e, 0x37, 0xe1, 0x60, - 0x8e, 0x29, 0xd2, 0x88, 0xa3, 0x2a, 0xa2, 0x2d, 0xa1, 0x2b, 0x51, 0xcd, 0x4d, 0x51, 0x3f, 0xdf, - 0x10, 0xd5, 0x12, 0xa2, 0x7e, 0xd0, 0x10, 0xb5, 0x11, 0xf7, 0x15, 0xc4, 0xb5, 0x6b, 0xe2, 0x5e, - 0x0b, 0xd8, 0xd9, 0x14, 0xb0, 0xe2, 0xe8, 0xd4, 0x39, 0x56, 0x89, 0xe8, 0xd6, 0x13, 0xf1, 0xff, - 0x04, 0x9f, 0xc2, 0xe8, 0x9a, 0x87, 0xea, 0xa6, 0x8f, 0xa0, 0xab, 0xba, 0x44, 0xc4, 0xd8, 0xdd, - 0x4c, 0xda, 0x2d, 0x78, 0x0e, 0x83, 0x39, 0x8d, 0x52, 0xae, 0x25, 0x26, 0x60, 0x97, 0x2a, 0xea, - 0xd4, 0x95, 0x6b, 0xf2, 0x00, 0x7a, 0x54, 0xa5, 0x56, 0xc0, 0xe8, 0x4f, 0xde, 0x6a, 0x84, 0xd5, - 0x99, 0x0f, 0x2b, 0xc7, 0xe0, 0x00, 0x5c, 0x15, 0x58, 0x62, 0x0b, 0xbe, 0x05, 0x37, 0xc4, 0xab, - 0xec, 0x02, 0x5f, 0xfb, 0x53, 0x23, 0x18, 0xea, 0xc8, 0xea, 0xad, 0xf7, 0x60, 0xf8, 0x38, 0x65, - 0x39, 0xc6, 0x15, 0xaf, 0x43, 0xe8, 0x6c, 0x8e, 0x08, 0x69, 0x04, 0x8f, 0xe0, 0xa0, 0xf2, 0xfb, - 0xcf, 0x12, 0xfe, 0x02, 0x03, 0x31, 0x45, 0x76, 0x55, 0xe9, 0x75, 0xb5, 0x98, 0xb5, 0x6a, 0xd9, - 0x9a, 0x4c, 0x56, 0xcb, 0x64, 0xba, 0x0b, 0x03, 0x71, 0xf8, 0xa2, 0x36, 0x85, 0xfa, 0x62, 0x6f, - 0x26, 0x47, 0xd1, 0x43, 0x70, 0xd5, 0xfb, 0x8a, 0xc2, 0xfd, 0x4d, 0xae, 0xfd, 0xc9, 0x61, 0x83, - 0x80, 0x74, 0x56, 0x0a, 0xfc, 0x69, 0x80, 0x1d, 0x16, 0x2b, 0x6c, 0x1b, 0x62, 0x22, 0x3b, 0xe6, - 0x8e, 0xec, 0x58, 0xaf, 0x98, 0x1d, 0xf2, 0x21, 0x38, 0x72, 0x1e, 0x0b, 0xec, 0xc3, 0xc9, 0xcd, - 0x6d, 0x3d, 0x91, 0xb1, 0x50, 0x39, 0xc9, 0x7e, 0x49, 0x32, 0x9a, 0xf0, 0xb5, 0xe8, 0xae, 0x4e, - 0x58, 0xd9, 0xc1, 0x1f, 0x06, 0xb8, 0x8f, 0xc4, 0x60, 0x7e, 0xdd, 0x35, 0xb4, 0x81, 0xd2, 0xfa, - 0xb7, 0x28, 0xed, 0x06, 0xca, 0x11, 0x0c, 0x35, 0x48, 0x55, 0x8e, 0x25, 0xee, 0x29, 0xae, 0xf0, - 0x8d, 0xc7, 0xad, 0x41, 0x2a, 0xdc, 0x2e, 0xf4, 0xcb, 0x8f, 0xb6, 0xfe, 0x86, 0x7f, 0x02, 0x03, - 0x69, 0xaa, 0x3a, 0x7b, 0x1f, 0x3a, 0xb4, 0x28, 0xc7, 0xaf, 0xfc, 0x70, 0xdf, 0x68, 0xa2, 0x2d, - 0x56, 0x18, 0x4a, 0x8f, 0xfb, 0x63, 0x70, 0x24, 0x12, 0xd2, 0x87, 0xee, 0x37, 0x8b, 0x2f, 0x16, - 0x5f, 0x3d, 0x5f, 0x8c, 0xf6, 0x4a, 0x63, 0x1e, 0x9e, 0x2d, 0x9e, 0xcd, 0xa6, 0x23, 0x83, 0x00, - 0x38, 0xd3, 0xd9, 0xe2, 0xf1, 0x6c, 0x3a, 0x32, 0x27, 0x7f, 0x1b, 0x60, 0x9f, 0x15, 0xfc, 0x9c, - 0x3c, 0x85, 0x9e, 0x9e, 0x72, 0xe4, 0xce, 0xcb, 0xc7, 0xb8, 0xff, 0xce, 0xce, 0x73, 0xc5, 0x67, - 0x8f, 0x3c, 0x81, 0xae, 0x6a, 0x78, 0x72, 0xd4, 0xf0, 0xae, 0x0f, 0x0c, 0xff, 0xce, 0xae, 0xe3, - 0x2a, 0xd6, 0x54, 0xff, 0x85, 0xdc, 0x6e, 0x6d, 0x30, 0x15, 0xe7, 0xed, 0xf6, 0x43, 0x1d, 0x65, - 0xf2, 0x1d, 0xf4, 0xf4, 0x4f, 0x11, 0xf9, 0x1a, 0xec, 0x52, 0x60, 0x12, 0x34, 0xee, 0xb4, 0xfc, - 0x50, 0xf9, 0xf7, 0x5e, 0xea, 0x53, 0x85, 0xff, 0xcb, 0x80, 0x4e, 0x99, 0x08, 0x46, 0xe6, 0xe0, - 0xc8, 0xb2, 0x24, 0x4d, 0x48, 0xb5, 0x96, 0xf2, 0x8f, 0x76, 0x9c, 0x56, 0xbc, 0xe7, 0xe0, 0xc8, - 0x3a, 0xd9, 0x0a, 0x54, 0xab, 0xf1, 0xad, 0x40, 0x8d, 0xe2, 0xda, 0x23, 0x67, 0x8a, 0xae, 0xdf, - 0x42, 0x45, 0x07, 0xb9, 0xdd, 0x7a, 0xa6, 0x43, 0x7c, 0xef, 0x88, 0x7f, 0xd0, 0x07, 0xff, 0x04, - 0x00, 0x00, 0xff, 0xff, 0x60, 0xd4, 0x97, 0x04, 0xa4, 0x0a, 0x00, 0x00, + // 888 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x56, 0xdd, 0x8e, 0xdb, 0x44, + 0x14, 0x5e, 0xff, 0xc4, 0xc9, 0x9e, 0xc4, 0xbb, 0xd1, 0x74, 0x5b, 0xac, 0x94, 0x2d, 0x5b, 0x17, + 0xc1, 0x52, 0x41, 0x16, 0xb9, 0x37, 0x0b, 0xbd, 0x61, 0xd5, 0x44, 0xa1, 0x85, 0x06, 0x61, 0x15, + 0x95, 0x1b, 0x54, 0x19, 0xe7, 0xc0, 0x5a, 0x9b, 0xb5, 0xcd, 0xcc, 0x38, 0x22, 0x37, 0x48, 0xbc, + 0x00, 0x8f, 0xc0, 0x03, 0xf0, 0x4c, 0xdc, 0xf3, 0x1a, 0xc8, 0xf3, 0xe3, 0x8d, 0x1d, 0xa7, 0xaa, + 0x0a, 0x77, 0x73, 0x66, 0xce, 0xf9, 0xe6, 0x7c, 0xdf, 0x39, 0x73, 0x6c, 0x38, 0x8e, 0x0a, 0x7e, + 0x79, 0xc6, 0x90, 0xae, 0x92, 0x18, 0xcf, 0x72, 0x9a, 0xf1, 0xec, 0xac, 0xdc, 0x1a, 0x8b, 0x25, + 0x71, 0x7f, 0xce, 0xc6, 0xd7, 0x49, 0x4c, 0xb3, 0x71, 0xb9, 0xe9, 0xdf, 0x86, 0x5b, 0x5f, 0x27, + 0x8c, 0x5f, 0xc4, 0x71, 0x56, 0xa4, 0x9c, 0x85, 0xf8, 0x4b, 0x81, 0x8c, 0xfb, 0xcf, 0xe0, 0xa8, + 0xbe, 0xcd, 0xf2, 0x2c, 0x65, 0x48, 0x02, 0xe8, 0x45, 0x6a, 0xcf, 0x33, 0x4e, 0xac, 0xd3, 0x7e, + 0x70, 0x67, 0x5c, 0x03, 0x1c, 0xab, 0x90, 0xb0, 0xf2, 0xf3, 0x7f, 0x37, 0xa0, 0xf3, 0x22, 0xbb, + 0xc2, 0x94, 0xdc, 0x87, 0x41, 0x14, 0xc7, 0xc8, 0xd8, 0x2b, 0x5e, 0xda, 0x9e, 0x71, 0x62, 0x9c, + 0xee, 0x87, 0x7d, 0xb9, 0x27, 0x5d, 0x1e, 0x80, 0x4b, 0xf1, 0x27, 0x8a, 0xec, 0x52, 0xf9, 0x98, + 0xc2, 0x67, 0xa0, 0x36, 0xa5, 0x93, 0x07, 0xdd, 0x98, 0x62, 0xc4, 0x71, 0xe1, 0x59, 0x27, 0xc6, + 0xa9, 0x15, 0x6a, 0x93, 0xdc, 0x01, 0x07, 0x7f, 0xcd, 0x13, 0xba, 0xf6, 0x6c, 0x71, 0xa0, 0x2c, + 0xff, 0x0f, 0x13, 0xba, 0x2a, 0x33, 0x72, 0x00, 0x66, 0xb2, 0x50, 0x77, 0x9b, 0xc9, 0x82, 0x10, + 0xb0, 0xf9, 0x3a, 0x47, 0x75, 0x93, 0x58, 0x93, 0x23, 0xe8, 0xd0, 0x6c, 0x89, 0xcc, 0xb3, 0x4e, + 0xac, 0xd3, 0xfd, 0x50, 0x1a, 0xe4, 0x0b, 0xe8, 0x5d, 0x23, 0x8f, 0x16, 0x11, 0x8f, 0x3c, 0x5b, + 0xb0, 0x7f, 0xbf, 0x9d, 0xfd, 0xf8, 0xb9, 0x72, 0x9b, 0xa6, 0x9c, 0xae, 0xc3, 0x2a, 0xaa, 0xcc, + 0x8f, 0xc5, 0x59, 0x8e, 0xcc, 0xeb, 0x08, 0x60, 0x65, 0x91, 0x11, 0xf4, 0x72, 0x9a, 0xad, 0x92, + 0x05, 0x52, 0xcf, 0x11, 0x79, 0x54, 0xb6, 0x88, 0xc1, 0x98, 0x22, 0xf7, 0xba, 0xe2, 0x44, 0x59, + 0xa3, 0xc7, 0xe0, 0xd6, 0xae, 0x21, 0x43, 0xb0, 0xae, 0x70, 0xad, 0x98, 0x95, 0xcb, 0x92, 0xc6, + 0x2a, 0x5a, 0x16, 0x9a, 0x9b, 0x34, 0x3e, 0x37, 0xcf, 0x0d, 0x7f, 0x0e, 0xbd, 0x10, 0x59, 0x56, + 0xd0, 0x18, 0x4b, 0x01, 0xd2, 0xe8, 0x1a, 0x55, 0xa0, 0x58, 0xb7, 0x8a, 0x32, 0x82, 0x1e, 0xa6, + 0x8b, 0x3c, 0x4b, 0x52, 0x2e, 0x74, 0xdf, 0x0f, 0x2b, 0xdb, 0xff, 0xd3, 0x84, 0xc3, 0x19, 0xa6, + 0x48, 0x23, 0x8e, 0xaa, 0x89, 0xb6, 0x84, 0xae, 0x44, 0x35, 0x37, 0x45, 0xfd, 0x72, 0x43, 0x54, + 0x4b, 0x88, 0xfa, 0x71, 0x43, 0xd4, 0x06, 0xee, 0x1b, 0x88, 0x6b, 0xd7, 0xc4, 0xbd, 0x11, 0xb0, + 0xb3, 0x29, 0x60, 0xc5, 0xd1, 0xa9, 0x73, 0xac, 0x0a, 0xd1, 0xad, 0x17, 0xe2, 0xbf, 0x09, 0x3e, + 0x81, 0xe1, 0x0d, 0x0f, 0xf5, 0x9a, 0x3e, 0x85, 0xae, 0x7a, 0x25, 0x02, 0x63, 0xf7, 0x63, 0xd2, + 0x6e, 0xfe, 0x4b, 0x18, 0xcc, 0x68, 0x94, 0x72, 0x2d, 0x31, 0x01, 0xbb, 0x54, 0x51, 0x97, 0xae, + 0x5c, 0x93, 0x47, 0xd0, 0xa3, 0xaa, 0xb4, 0x22, 0x8d, 0x7e, 0xf0, 0x4e, 0x03, 0x56, 0x57, 0x3e, + 0xac, 0x1c, 0xfd, 0x43, 0x70, 0x15, 0xb0, 0xcc, 0xcd, 0xff, 0x1e, 0xdc, 0x10, 0x57, 0xd9, 0x15, + 0xfe, 0xef, 0x57, 0x0d, 0xe1, 0x40, 0x23, 0xab, 0xbb, 0x3e, 0x80, 0x83, 0xa7, 0x29, 0xcb, 0x31, + 0xae, 0x78, 0x1d, 0x41, 0x67, 0x73, 0x44, 0x48, 0xc3, 0x7f, 0x02, 0x87, 0x95, 0xdf, 0x5b, 0x4b, + 0xf8, 0x1b, 0x0c, 0xc4, 0x14, 0xd9, 0xd5, 0xa5, 0x37, 0xdd, 0x62, 0xd6, 0xba, 0x65, 0x6b, 0x32, + 0x59, 0x2d, 0x93, 0xe9, 0x3e, 0x0c, 0xc4, 0xe1, 0xab, 0xda, 0x14, 0xea, 0x8b, 0xbd, 0xa9, 0x1c, + 0x45, 0x8f, 0xc1, 0x55, 0xf7, 0x2b, 0x0a, 0x0f, 0x37, 0xb9, 0xf6, 0x83, 0xa3, 0x06, 0x01, 0xe9, + 0xac, 0x14, 0xf8, 0xcb, 0x00, 0x3b, 0x2c, 0x96, 0xd8, 0x36, 0xc4, 0x44, 0x75, 0xcc, 0x1d, 0xd5, + 0xb1, 0xde, 0xb0, 0x3a, 0xe4, 0x13, 0x70, 0xe4, 0x3c, 0x16, 0xb9, 0x1f, 0x04, 0xb7, 0xb7, 0xf5, + 0x44, 0xc6, 0x42, 0xe5, 0x24, 0xdf, 0x4b, 0x92, 0xd1, 0x84, 0xaf, 0xc5, 0xeb, 0xea, 0x84, 0x95, + 0xed, 0x9f, 0x83, 0xfb, 0x44, 0xcc, 0x65, 0x2d, 0xf5, 0x87, 0x60, 0xd3, 0x42, 0xb5, 0x50, 0x3f, + 0xb8, 0xd5, 0x4c, 0xa6, 0x58, 0x62, 0x28, 0x1c, 0xca, 0x16, 0xd1, 0x91, 0xaa, 0x45, 0xce, 0xc1, + 0x9d, 0xe0, 0x12, 0xdf, 0x0e, 0x4b, 0x47, 0x2a, 0x2c, 0x17, 0xfa, 0xe5, 0xc7, 0x4d, 0x7f, 0xeb, + 0x3e, 0x83, 0x81, 0x34, 0x55, 0x3d, 0x3e, 0x82, 0x4e, 0x19, 0xa8, 0x3f, 0x70, 0xad, 0xd0, 0xd2, + 0xe3, 0xe1, 0x18, 0x1c, 0xa9, 0x07, 0xe9, 0x43, 0xf7, 0xbb, 0xf9, 0x57, 0xf3, 0x6f, 0x5e, 0xce, + 0x87, 0x7b, 0xa5, 0x31, 0x0b, 0x2f, 0xe6, 0x2f, 0xa6, 0x93, 0xa1, 0x41, 0x00, 0x9c, 0xc9, 0x74, + 0xfe, 0x74, 0x3a, 0x19, 0x9a, 0xc1, 0x3f, 0x06, 0xd8, 0x17, 0x05, 0xbf, 0x24, 0xcf, 0xa1, 0xa7, + 0xa7, 0x01, 0xb9, 0xf7, 0xfa, 0x71, 0x37, 0x7a, 0x6f, 0xe7, 0xb9, 0xe2, 0xb3, 0x47, 0x9e, 0x41, + 0x57, 0x3d, 0x0c, 0x72, 0xdc, 0xf0, 0xae, 0x3f, 0xac, 0xd1, 0xbd, 0x5d, 0xc7, 0x15, 0xd6, 0x44, + 0x7f, 0xad, 0xef, 0xb6, 0x36, 0xa2, 0xc2, 0x79, 0xb7, 0xfd, 0x50, 0xa3, 0x04, 0x3f, 0x40, 0x4f, + 0xff, 0x3c, 0x90, 0x6f, 0xc1, 0x2e, 0x05, 0x26, 0x7e, 0x23, 0xa6, 0xe5, 0xc7, 0x63, 0xf4, 0xe0, + 0xb5, 0x3e, 0x15, 0xfc, 0xdf, 0x06, 0x74, 0xca, 0x42, 0x30, 0x32, 0x03, 0x47, 0xb6, 0x0a, 0x69, + 0xa6, 0x54, 0xeb, 0xbd, 0xd1, 0xf1, 0x8e, 0xd3, 0x8a, 0xf7, 0x0c, 0x1c, 0xd9, 0x27, 0x5b, 0x40, + 0xb5, 0xc6, 0xdb, 0x02, 0x6a, 0x34, 0xd7, 0x1e, 0xb9, 0x50, 0x74, 0x47, 0x2d, 0x54, 0x34, 0xc8, + 0xdd, 0xd6, 0x33, 0x0d, 0xf1, 0xa3, 0x23, 0xfe, 0xd5, 0x1e, 0xfd, 0x1b, 0x00, 0x00, 0xff, 0xff, + 0x7f, 0x20, 0xd5, 0xb8, 0xcc, 0x09, 0x00, 0x00, } // Reference imports to suppress errors if they are not otherwise used. diff --git a/auth/service/proto/auth.proto b/auth/service/proto/auth.proto index 65763bd0..0080b67e 100644 --- a/auth/service/proto/auth.proto +++ b/auth/service/proto/auth.proto @@ -110,19 +110,13 @@ message Rule { } message CreateRequest { - string role = 1; - Resource resource = 2; - Access access = 3; - int32 priority = 4; + Rule rule = 1; } message CreateResponse {} message DeleteRequest { - string role = 1; - Resource resource = 2; - Access access = 3; - int32 priority = 4; + Rule rule = 1; } message DeleteResponse {} diff --git a/auth/service/service.go b/auth/service/service.go index 27995ef7..7f31b5a4 100644 --- a/auth/service/service.go +++ b/auth/service/service.go @@ -2,13 +2,12 @@ package service import ( "context" - "fmt" - "sort" "strings" "sync" "time" "github.com/micro/go-micro/v2/auth" + "github.com/micro/go-micro/v2/auth/rules" pb "github.com/micro/go-micro/v2/auth/service/proto" "github.com/micro/go-micro/v2/auth/token" "github.com/micro/go-micro/v2/auth/token/jwt" @@ -23,8 +22,7 @@ type svc struct { auth pb.AuthService rule pb.RulesService jwt token.Provider - - rules []*pb.Rule + rules []*auth.Rule sync.Mutex } @@ -79,84 +77,53 @@ func (s *svc) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e } // Grant access to a resource -func (s *svc) Grant(role string, res *auth.Resource) error { +func (s *svc) Grant(rule *auth.Rule) error { _, err := s.rule.Create(context.TODO(), &pb.CreateRequest{ - Role: role, - Access: pb.Access_GRANTED, - Resource: &pb.Resource{ - Type: res.Type, - Name: res.Name, - Endpoint: res.Endpoint, + Rule: &pb.Rule{ + Id: rule.ID, + Role: rule.Role, + Priority: rule.Priority, + Access: pb.Access_GRANTED, + Resource: &pb.Resource{ + Type: rule.Resource.Type, + Name: rule.Resource.Name, + Endpoint: rule.Resource.Endpoint, + }, }, }) + go s.loadRules() return err } // Revoke access to a resource -func (s *svc) Revoke(role string, res *auth.Resource) error { +func (s *svc) Revoke(rule *auth.Rule) error { _, err := s.rule.Delete(context.TODO(), &pb.DeleteRequest{ - Role: role, - Access: pb.Access_GRANTED, - Resource: &pb.Resource{ - Type: res.Type, - Name: res.Name, - Endpoint: res.Endpoint, + Rule: &pb.Rule{ + Id: rule.ID, + Role: rule.Role, + Priority: rule.Priority, + Access: pb.Access_GRANTED, + Resource: &pb.Resource{ + Type: rule.Resource.Type, + Name: rule.Resource.Name, + Endpoint: rule.Resource.Endpoint, + }, }, }) + go s.loadRules() return err } +func (s *svc) Rules() ([]*auth.Rule, error) { + return s.rules, nil +} + // Verify an account has access to a resource func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error { - // check the scope - scope := "namespace." + s.options.Namespace - if acc != nil && !acc.HasScope(scope) { - return fmt.Errorf("Missing required scope: %v", scope) - } - // load the rules if none are loaded s.loadRulesIfEmpty() - - queries := [][]string{ - {res.Type, res.Name, res.Endpoint}, // check for specific role, e.g. service.foo.ListFoo:admin (role is checked in accessForRule) - {res.Type, res.Name, "*"}, // check for wildcard endpoint, e.g. service.foo* - {res.Type, "*"}, // check for wildcard name, e.g. service.* - {"*"}, // check for wildcard type, e.g. * - } - - // endpoint is a url which can have wildcard excludes, e.g. - // "/foo/*" will allow "/foo/bar" - if comps := strings.Split(res.Endpoint, "/"); len(comps) > 1 { - for i := 1; i < len(comps); i++ { - wildcard := fmt.Sprintf("%v/*", strings.Join(comps[0:i], "/")) - queries = append(queries, []string{res.Type, res.Name, wildcard}) - } - } - - // set a default account id / namespace to log - logID := acc.ID - if len(logID) == 0 { - logID = "[no account]" - } - - for _, q := range queries { - for _, rule := range s.listRules(q...) { - switch accessForRule(rule, acc, res) { - case pb.Access_UNKNOWN: - continue // rule did not specify access, check the next rule - case pb.Access_GRANTED: - log.Tracef("%v granted access to %v:%v:%v by rule %v", logID, res.Type, res.Name, res.Endpoint, rule.Id) - return nil // rule grants the account access to the resource - case pb.Access_DENIED: - log.Tracef("%v denied access to %v:%v:%v by rule %v", logID, res.Type, res.Name, res.Endpoint, rule.Id) - return auth.ErrForbidden // rule denies access to the resource - } - } - } - - // no rules were found for the resource, default to denying access - log.Tracef("%v denied access to %v:%v:%v by lack of rule", logID, res.Type, res.Name, res.Endpoint) - return auth.ErrForbidden + // verify the request using the rules + return rules.Verify(s.options.Namespace, s.rules, acc, res) } // Inspect a token @@ -221,35 +188,6 @@ func accessForRule(rule *pb.Rule, acc *auth.Account, res *auth.Resource) pb.Acce return pb.Access_UNKNOWN } -// listRules gets all the rules from the store which match the filters. -// filters are namespace, type, name and then endpoint. -func (s *svc) listRules(filters ...string) []*pb.Rule { - s.Lock() - defer s.Unlock() - - var rules []*pb.Rule - for _, r := range s.rules { - if len(filters) > 1 && r.Resource.Type != filters[0] { - continue - } - if len(filters) > 2 && r.Resource.Name != filters[1] { - continue - } - if len(filters) > 3 && r.Resource.Endpoint != filters[2] { - continue - } - - rules = append(rules, r) - } - - // sort rules by priority - sort.Slice(rules, func(i, j int) bool { - return rules[i].Priority < rules[j].Priority - }) - - return rules -} - // loadRules retrieves the rules from the auth service func (s *svc) loadRules() { rsp, err := s.rule.List(context.TODO(), &pb.ListRequest{}) @@ -261,7 +199,27 @@ func (s *svc) loadRules() { return } - s.rules = rsp.Rules + s.rules = make([]*auth.Rule, 0, len(rsp.Rules)) + for _, r := range rsp.Rules { + var access auth.Access + if r.Access == pb.Access_GRANTED { + access = auth.AccessGranted + } else { + access = auth.AccessDenied + } + + s.rules = append(s.rules, &auth.Rule{ + ID: r.Id, + Role: r.Role, + Access: access, + Priority: r.Priority, + Resource: &auth.Resource{ + Type: r.Resource.Type, + Name: r.Resource.Name, + Endpoint: r.Resource.Endpoint, + }, + }) + } } func (s *svc) loadRulesIfEmpty() { diff --git a/util/auth/auth.go b/util/auth/auth.go index b0fdeb5b..ef69f45c 100644 --- a/util/auth/auth.go +++ b/util/auth/auth.go @@ -66,7 +66,7 @@ func Generate(id string, name string, a auth.Auth) error { // generate the first token tok, err := a.Token( - auth.WithCredentials(accID, accSecret), + auth.WithToken(tok.RefreshToken), auth.WithExpiry(time.Minute*10), ) if err != nil {