Add Rule to Auth interface

2020-05-20 11:59:01 +01:00 · 2020-05-20 11:59:01 +01:00 · f6d9416a9e
commit f6d9416a9e
parent dc10f88c12
8 changed files with 296 additions and 311 deletions
--- a/auth/auth.go
+++ b/auth/auth.go
@ -7,16 +7,13 @@ import (
 	"time"
 )
 // BearerScheme used for Authorization header
 const BearerScheme = "Bearer "
 var (
-	// ErrNotFound is returned when a resouce cannot be found
+	// ErrInvalidToken is when the token provided is not valid
 	ErrNotFound = errors.New("not found")
 	// ErrEncodingToken is returned when the service encounters an error during encoding
 	ErrEncodingToken = errors.New("error encoding the token")
 	// ErrInvalidToken is returned when the token provided is not valid
 	ErrInvalidToken = errors.New("invalid token provided")
-	// ErrInvalidRole is returned when the role provided was invalid
+	// ErrForbidden is when a user does not have the necessary roles or scoeps to access a resource
 	ErrInvalidRole = errors.New("invalid role")
 	// ErrForbidden is returned when a user does not have the necessary roles to access a resource
 	ErrForbidden = errors.New("resource forbidden")
 )
@ -28,30 +25,22 @@ type Auth interface {
 	Options() Options
 	// Generate a new account
 	Generate(id string, opts ...GenerateOption) (*Account, error)
-	// Grant access to a resource
+	// Verify an account has access to a resource using the rules
 	Grant(role string, res *Resource) error
 	// Revoke access to a resource
 	Revoke(role string, res *Resource) error
 	// Verify an account has access to a resource
 	Verify(acc *Account, res *Resource) error
 	// Inspect a token
 	Inspect(token string) (*Account, error)
-	// Token generated using refresh token
+	// Token generated using refresh token or credentials
 	Token(opts ...TokenOption) (*Token, error)
 	// Grant access to a resource
 	Grant(rule *Rule) error
 	// Revoke access to a resource
 	Revoke(rule *Rule) error
 	// Rules returns all the rules used to verify requests
 	Rules() ([]*Rule, error)
 	// String returns the name of the implementation
 	String() string
 }
 // Resource is an entity such as a user or
 type Resource struct {
 	// Name of the resource
 	Name string `json:"name"`
 	// Type of resource, e.g.
 	Type string `json:"type"`
 	// Endpoint resource e.g NotesService.Create
 	Endpoint string `json:"endpoint"`
 }
 // Account provided by an auth provider
 type Account struct {
 	// ID of the account e.g. email
@ -112,13 +101,47 @@ type Token struct {
 	Expiry time.Time `json:"expiry"`
 }
 // Expired returns a boolean indicating if the token needs to be refreshed
 func (t *Token) Expired() bool {
 	return t.Expiry.Unix() < time.Now().Unix()
 }
 // Resource is an entity such as a user or
 type Resource struct {
 	// Name of the resource, e.g. go.micro.service.notes
 	Name string `json:"name"`
 	// Type of resource, e.g. service
 	Type string `json:"type"`
 	// Endpoint resource e.g NotesService.Create
 	Endpoint string `json:"endpoint"`
 }
 // Access defines the type of access a rule grants
 type Access int
 const (
-	// TokenCookieName is the name of the cookie which stores the auth token
+	// AccessGranted to a resource
-	TokenCookieName = "micro-token"
+	AccessGranted Access = iota
-	// BearerScheme used for Authorization header
+	// AccessDenied to a resource
-	BearerScheme = "Bearer "
+	AccessDenied
 )
 // Rule is used to verify access to a resource
 type Rule struct {
 	// ID of the rule, e.g. "public"
 	ID string
 	// Role the rule requires, a blank role indicates open to the public and * indicates the rule
 	// applies to any valid account
 	Role string
 	// Resource the rule applies to
 	Resource *Resource
 	// Access determines if the rule grants or denies access to the resource
 	Access Access
 	// Priority the rule should take when verifying a request, the higher the value the sooner the
 	// rule will be applied
 	Priority int32
 }
 type accountKey struct{}
 // AccountFromContext gets the account from the context, which
--- a/auth/default.go
+++ b/auth/default.go
@ -58,15 +58,20 @@ func (n *noop) Generate(id string, opts ...GenerateOption) (*Account, error) {
 }
 // Grant access to a resource
-func (n *noop) Grant(role string, res *Resource) error {
+func (n *noop) Grant(rule *Rule) error {
 	return nil
 }
 // Revoke access to a resource
-func (n *noop) Revoke(role string, res *Resource) error {
+func (n *noop) Revoke(rule *Rule) error {
 	return nil
 }
 // Rules used to verify requests
 func (n *noop) Rules() ([]*Rule, error) {
 	return []*Rule{}, nil
 }
 // Verify an account has access to a resource
 func (n *noop) Verify(acc *Account, res *Resource) error {
 	return nil
--- a/auth/jwt/jwt.go
+++ b/auth/jwt/jwt.go
@ -1,11 +1,11 @@
 package jwt
 import (
 	"fmt"
 	"sync"
 	"time"
 	"github.com/micro/go-micro/v2/auth"
 	"github.com/micro/go-micro/v2/auth/rules"
 	"github.com/micro/go-micro/v2/auth/token"
 	jwtToken "github.com/micro/go-micro/v2/auth/token/jwt"
 )
@ -25,7 +25,7 @@ type rule struct {
 type jwt struct {
 	options auth.Options
 	jwt     token.Provider
-	rules   []*rule
+	rules   []*auth.Rule
 	sync.Mutex
 }
@ -77,84 +77,38 @@ func (j *jwt) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
 	return account, nil
 }
-func (j *jwt) Grant(role string, res *auth.Resource) error {
+func (j *jwt) Grant(rule *auth.Rule) error {
 	j.Lock()
 	defer j.Unlock()
-	j.rules = append(j.rules, &rule{role, res})
+	j.rules = append(j.rules, rule)
 	return nil
 }
-func (j *jwt) Revoke(role string, res *auth.Resource) error {
+func (j *jwt) Revoke(rule *auth.Rule) error {
 	j.Lock()
 	defer j.Unlock()
-	rules := make([]*rule, 0, len(j.rules))
+	rules := []*auth.Rule{}
 	var ruleFound bool
 	for _, r := range rules {
-		if r.role == role && r.resource == res {
+		if r.ID != rule.ID {
 			ruleFound = true
 		} else {
 			rules = append(rules, r)
 		}
 	}
 	if !ruleFound {
 		return auth.ErrNotFound
 	}
 	j.rules = rules
 	return nil
 }
 func (j *jwt) Verify(acc *auth.Account, res *auth.Resource) error {
 	// check the scope
 	scope := "namespace." + j.options.Namespace
 	if acc != nil && !acc.HasScope(scope) {
 		return fmt.Errorf("Missing required scope: %v", scope)
 	}
 	j.Lock()
-	rules := j.rules
+	defer j.Unlock()
-	j.Unlock()
+	return rules.Verify(j.options.Namespace, j.rules, acc, res)
 }
-	for _, rule := range rules {
+func (j *jwt) Rules() ([]*auth.Rule, error) {
-		// validate the rule applies to the requested resource
+	j.Lock()
-		if rule.resource.Type != "*" && rule.resource.Type != res.Type {
+	defer j.Unlock()
-			continue
+	return j.rules, nil
 		}
 		if rule.resource.Name != "*" && rule.resource.Name != res.Name {
 			continue
 		}
 		if rule.resource.Endpoint != "*" && rule.resource.Endpoint != res.Endpoint {
 			continue
 		}
 		// a blank role indicates anyone can access the resource, even without an account
 		if rule.role == "" {
 			return nil
 		}
 		// all furter checks require an account
 		if acc == nil {
 			continue
 		}
 		// this rule allows any account access, allow the request
 		if rule.role == "*" {
 			return nil
 		}
 		// if the account has the necessary role, allow the request
 		for _, r := range acc.Roles {
 			if r == rule.role {
 				return nil
 			}
 		}
 	}
 	// no rules matched, forbid the request
 	return auth.ErrForbidden
 }
 func (j *jwt) Inspect(token string) (*auth.Account, error) {
--- a/auth/rules/rules.go
+++ b/auth/rules/rules.go
@ -0,0 +1,99 @@
 package rules
 import (
 	"fmt"
 	"sort"
 	"strings"
 	"github.com/micro/go-micro/v2/auth"
 )
 // Verify an account has access to a resource using the rules provided. If the account does not have
 // access an error will be returned. If there are no rules provided which match the resource, an error
 // will be returned
 func Verify(namespace string, rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
 	// ensure the account has the necessary scope. Some rules allow for public access so we don't
 	// error if the account is nil.
 	if acc != nil && !acc.HasScope("namespace."+namespace) {
 		return fmt.Errorf("Missing required scope: %v", "namespace."+namespace)
 	}
 	// the rule is only to be applied if the type matches the resource or is catch-all (*)
 	validTypes := []string{"*", res.Type}
 	// the rule is only to be applied if the name matches the resource or is catch-all (*)
 	validNames := []string{"*", res.Name}
 	// rules can have wildcard excludes on endpoints since this can also be a path for web services,
 	// e.g. /foo/* would include /foo/bar. We also want to check for wildcards and the exact endpoint
 	validEndpoints := []string{"*", res.Endpoint}
 	if comps := strings.Split(res.Endpoint, "/"); len(comps) > 1 {
 		for i := 1; i < len(comps); i++ {
 			wildcard := fmt.Sprintf("%v/*", strings.Join(comps[0:i], "/"))
 			validEndpoints = append(validEndpoints, wildcard)
 		}
 	}
 	// filter the rules to the ones which match the criteria above
 	filteredRules := make([]*auth.Rule, 0)
 	for _, rule := range rules {
 		if !include(validTypes, rule.Resource.Type) {
 			continue
 		}
 		if !include(validNames, rule.Resource.Name) {
 			continue
 		}
 		if !include(validEndpoints, rule.Resource.Endpoint) {
 			continue
 		}
 		filteredRules = append(filteredRules, rule)
 	}
 	// sort the filtered rules by priority, highest to lowest
 	sort.SliceStable(filteredRules, func(i, j int) bool {
 		return filteredRules[i].Priority > filteredRules[j].Priority
 	})
 	// loop through the rules and check for a rule which applies to this account
 	for _, rule := range filteredRules {
 		// a blank role indicates the rule applies to everyone, even nil accounts
 		if rule.Role == "" && rule.Access == auth.AccessDenied {
 			return auth.ErrForbidden
 		} else if rule.Role == "" && rule.Access == auth.AccessGranted {
 			return nil
 		}
 		// all furter checks require an account
 		if acc == nil {
 			continue
 		}
 		// this rule applies to any account
 		if rule.Role == "*" && rule.Access == auth.AccessDenied {
 			return auth.ErrForbidden
 		} else if rule.Role == "" && rule.Access == auth.AccessGranted {
 			return nil
 		}
 		// if the account has the necessary role
 		if include(acc.Roles, rule.Role) && rule.Access == auth.AccessDenied {
 			return auth.ErrForbidden
 		} else if rule.Role == "" && rule.Access == auth.AccessGranted {
 			return nil
 		}
 	}
 	// if no rules matched then return forbidden
 	return auth.ErrForbidden
 }
 // include is a helper function which checks to see if the slice contains the value. includes is
 // not case sensitive.
 func include(slice []string, val string) bool {
 	for _, s := range slice {
 		if strings.ToLower(s) == strings.ToLower(val) {
 			return true
 		}
 	}
 	return false
 }
--- a/auth/service/proto/auth.pb.go
+++ b/auth/service/proto/auth.pb.go
@ -861,13 +861,10 @@ func (m *Rule) GetPriority() int32 {
 }
 type CreateRequest struct {
-	Role                 string    `protobuf:"bytes,1,opt,name=role,proto3" json:"role,omitempty"`
+	Rule                 *Rule    `protobuf:"bytes,1,opt,name=rule,proto3" json:"rule,omitempty"`
-	Resource             *Resource `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	Access               Access    `protobuf:"varint,3,opt,name=access,proto3,enum=go.micro.auth.Access" json:"access,omitempty"`
+	XXX_unrecognized     []byte   `json:"-"`
-	Priority             int32     `protobuf:"varint,4,opt,name=priority,proto3" json:"priority,omitempty"`
+	XXX_sizecache        int32    `json:"-"`
 	XXX_NoUnkeyedLiteral struct{}  `json:"-"`
 	XXX_unrecognized     []byte    `json:"-"`
 	XXX_sizecache        int32     `json:"-"`
 }
 func (m *CreateRequest) Reset()         { *m = CreateRequest{} }
@ -895,34 +892,13 @@ func (m *CreateRequest) XXX_DiscardUnknown() {
 var xxx_messageInfo_CreateRequest proto.InternalMessageInfo
-func (m *CreateRequest) GetRole() string {
+func (m *CreateRequest) GetRule() *Rule {
 	if m != nil {
-		return m.Role
+		return m.Rule
 	}
 	return ""
 }
 func (m *CreateRequest) GetResource() *Resource {
 	if m != nil {
 		return m.Resource
 	}
 	return nil
 }
 func (m *CreateRequest) GetAccess() Access {
 	if m != nil {
 		return m.Access
 	}
 	return Access_UNKNOWN
 }
 func (m *CreateRequest) GetPriority() int32 {
 	if m != nil {
 		return m.Priority
 	}
 	return 0
 }
 type CreateResponse struct {
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
@ -955,13 +931,10 @@ func (m *CreateResponse) XXX_DiscardUnknown() {
 var xxx_messageInfo_CreateResponse proto.InternalMessageInfo
 type DeleteRequest struct {
-	Role                 string    `protobuf:"bytes,1,opt,name=role,proto3" json:"role,omitempty"`
+	Rule                 *Rule    `protobuf:"bytes,1,opt,name=rule,proto3" json:"rule,omitempty"`
-	Resource             *Resource `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	Access               Access    `protobuf:"varint,3,opt,name=access,proto3,enum=go.micro.auth.Access" json:"access,omitempty"`
+	XXX_unrecognized     []byte   `json:"-"`
-	Priority             int32     `protobuf:"varint,4,opt,name=priority,proto3" json:"priority,omitempty"`
+	XXX_sizecache        int32    `json:"-"`
 	XXX_NoUnkeyedLiteral struct{}  `json:"-"`
 	XXX_unrecognized     []byte    `json:"-"`
 	XXX_sizecache        int32     `json:"-"`
 }
 func (m *DeleteRequest) Reset()         { *m = DeleteRequest{} }
@ -989,34 +962,13 @@ func (m *DeleteRequest) XXX_DiscardUnknown() {
 var xxx_messageInfo_DeleteRequest proto.InternalMessageInfo
-func (m *DeleteRequest) GetRole() string {
+func (m *DeleteRequest) GetRule() *Rule {
 	if m != nil {
-		return m.Role
+		return m.Rule
 	}
 	return ""
 }
 func (m *DeleteRequest) GetResource() *Resource {
 	if m != nil {
 		return m.Resource
 	}
 	return nil
 }
 func (m *DeleteRequest) GetAccess() Access {
 	if m != nil {
 		return m.Access
 	}
 	return Access_UNKNOWN
 }
 func (m *DeleteRequest) GetPriority() int32 {
 	if m != nil {
 		return m.Priority
 	}
 	return 0
 }
 type DeleteResponse struct {
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
@ -1149,63 +1101,63 @@ func init() {
 func init() { proto.RegisterFile("auth/service/proto/auth.proto", fileDescriptor_21300bfacc51fc2a) }
 var fileDescriptor_21300bfacc51fc2a = []byte{
-	// 892 bytes of a gzipped FileDescriptorProto
+	// 888 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x56, 0xdd, 0x8e, 0xdb, 0x44,
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x56, 0xdd, 0x8e, 0xdb, 0x44,
-	0x14, 0x5e, 0xff, 0xc4, 0xc9, 0x9e, 0xc4, 0xd9, 0x68, 0xba, 0x2d, 0x96, 0xcb, 0x96, 0xad, 0x8b,
+	0x14, 0x5e, 0xff, 0xc4, 0xc9, 0x9e, 0xc4, 0xbb, 0xd1, 0x74, 0x5b, 0xac, 0x94, 0x2d, 0x5b, 0x17,
-	0xd0, 0x52, 0x41, 0x16, 0xa5, 0x37, 0x40, 0x6f, 0x58, 0x35, 0x51, 0x68, 0xa1, 0x41, 0x58, 0x45,
+	0xc1, 0x52, 0x41, 0x16, 0xb9, 0x37, 0x0b, 0xbd, 0x61, 0xd5, 0x44, 0xa1, 0x85, 0x06, 0x61, 0x15,
-	0xe5, 0x06, 0x55, 0xc6, 0x39, 0xb0, 0xd6, 0x66, 0x6d, 0x33, 0x33, 0x5e, 0x91, 0x1b, 0x24, 0x5e,
+	0x95, 0x1b, 0x54, 0x19, 0xe7, 0xc0, 0x5a, 0x9b, 0xb5, 0xcd, 0xcc, 0x38, 0x22, 0x37, 0x48, 0xbc,
-	0x80, 0x47, 0xe0, 0x86, 0x3b, 0x9e, 0x89, 0x7b, 0x5e, 0x03, 0x79, 0x7e, 0xbc, 0xb1, 0xe3, 0x54,
+	0x00, 0x8f, 0xc0, 0x03, 0xf0, 0x4c, 0xdc, 0xf3, 0x1a, 0xc8, 0xf3, 0xe3, 0x8d, 0x1d, 0xa7, 0xaa,
-	0x05, 0x7a, 0xd1, 0xbb, 0x39, 0x33, 0x67, 0xce, 0x7c, 0xdf, 0x77, 0x7e, 0x6c, 0x38, 0x8a, 0x0a,
+	0x0a, 0x77, 0x73, 0x66, 0xce, 0xf9, 0xe6, 0x7c, 0xdf, 0x39, 0x73, 0x6c, 0x38, 0x8e, 0x0a, 0x7e,
-	0x7e, 0x7e, 0xca, 0x90, 0x5e, 0x25, 0x31, 0x9e, 0xe6, 0x34, 0xe3, 0xd9, 0x69, 0xb9, 0x35, 0x16,
+	0x79, 0xc6, 0x90, 0xae, 0x92, 0x18, 0xcf, 0x72, 0x9a, 0xf1, 0xec, 0xac, 0xdc, 0x1a, 0x8b, 0x25,
-	0x4b, 0xe2, 0xfe, 0x98, 0x8d, 0x2f, 0x93, 0x98, 0x66, 0xe3, 0x72, 0x33, 0xb8, 0x09, 0x37, 0xbe,
+	0x71, 0x7f, 0xce, 0xc6, 0xd7, 0x49, 0x4c, 0xb3, 0x71, 0xb9, 0xe9, 0xdf, 0x86, 0x5b, 0x5f, 0x27,
-	0x4c, 0x18, 0x3f, 0x8b, 0xe3, 0xac, 0x48, 0x39, 0x0b, 0xf1, 0xa7, 0x02, 0x19, 0x0f, 0x9e, 0xc0,
+	0x8c, 0x5f, 0xc4, 0x71, 0x56, 0xa4, 0x9c, 0x85, 0xf8, 0x4b, 0x81, 0x8c, 0xfb, 0xcf, 0xe0, 0xa8,
-	0x61, 0x7d, 0x9b, 0xe5, 0x59, 0xca, 0x90, 0x4c, 0xa0, 0x17, 0xa9, 0x3d, 0xcf, 0x38, 0xb6, 0x4e,
+	0xbe, 0xcd, 0xf2, 0x2c, 0x65, 0x48, 0x02, 0xe8, 0x45, 0x6a, 0xcf, 0x33, 0x4e, 0xac, 0xd3, 0x7e,
-	0xfa, 0x93, 0x5b, 0xe3, 0x5a, 0xc0, 0xb1, 0xba, 0x12, 0x56, 0x7e, 0xc1, 0xaf, 0x06, 0x74, 0x9e,
+	0x70, 0x67, 0x5c, 0x03, 0x1c, 0xab, 0x90, 0xb0, 0xf2, 0xf3, 0x7f, 0x37, 0xa0, 0xf3, 0x22, 0xbb,
-	0x65, 0x17, 0x98, 0x92, 0xbb, 0x30, 0x88, 0xe2, 0x18, 0x19, 0x7b, 0xc1, 0x4b, 0xdb, 0x33, 0x8e,
+	0xc2, 0x94, 0xdc, 0x87, 0x41, 0x14, 0xc7, 0xc8, 0xd8, 0x2b, 0x5e, 0xda, 0x9e, 0x71, 0x62, 0x9c,
-	0x8d, 0x93, 0xfd, 0xb0, 0x2f, 0xf7, 0xa4, 0xcb, 0x3d, 0x70, 0x29, 0xfe, 0x40, 0x91, 0x9d, 0x2b,
+	0xee, 0x87, 0x7d, 0xb9, 0x27, 0x5d, 0x1e, 0x80, 0x4b, 0xf1, 0x27, 0x8a, 0xec, 0x52, 0xf9, 0x98,
-	0x1f, 0x53, 0xf8, 0x0c, 0xd4, 0xa6, 0x74, 0xf2, 0xa0, 0x1b, 0x53, 0x8c, 0x38, 0x2e, 0x3d, 0xeb,
+	0xc2, 0x67, 0xa0, 0x36, 0xa5, 0x93, 0x07, 0xdd, 0x98, 0x62, 0xc4, 0x71, 0xe1, 0x59, 0x27, 0xc6,
-	0xd8, 0x38, 0xb1, 0x42, 0x6d, 0x92, 0x5b, 0xe0, 0xe0, 0xcf, 0x79, 0x42, 0xd7, 0x9e, 0x2d, 0x0e,
+	0xa9, 0x15, 0x6a, 0x93, 0xdc, 0x01, 0x07, 0x7f, 0xcd, 0x13, 0xba, 0xf6, 0x6c, 0x71, 0xa0, 0x2c,
-	0x94, 0x15, 0xfc, 0x66, 0x42, 0x57, 0x21, 0x23, 0x43, 0x30, 0x93, 0xa5, 0x7a, 0xdb, 0x4c, 0x96,
+	0xff, 0x0f, 0x13, 0xba, 0x2a, 0x33, 0x72, 0x00, 0x66, 0xb2, 0x50, 0x77, 0x9b, 0xc9, 0x82, 0x10,
-	0x84, 0x80, 0xcd, 0xd7, 0x39, 0xaa, 0x97, 0xc4, 0x9a, 0x1c, 0x42, 0x87, 0x66, 0x2b, 0x64, 0x9e,
+	0xb0, 0xf9, 0x3a, 0x47, 0x75, 0x93, 0x58, 0x93, 0x23, 0xe8, 0xd0, 0x6c, 0x89, 0xcc, 0xb3, 0x4e,
-	0x75, 0x6c, 0x9d, 0xec, 0x87, 0xd2, 0x20, 0x9f, 0x41, 0xef, 0x12, 0x79, 0xb4, 0x8c, 0x78, 0xe4,
+	0xac, 0xd3, 0xfd, 0x50, 0x1a, 0xe4, 0x0b, 0xe8, 0x5d, 0x23, 0x8f, 0x16, 0x11, 0x8f, 0x3c, 0x5b,
-	0xd9, 0x82, 0xfd, 0xbb, 0xed, 0xec, 0xc7, 0x4f, 0x95, 0xdb, 0x2c, 0xe5, 0x74, 0x1d, 0x56, 0xb7,
+	0xb0, 0x7f, 0xbf, 0x9d, 0xfd, 0xf8, 0xb9, 0x72, 0x9b, 0xa6, 0x9c, 0xae, 0xc3, 0x2a, 0xaa, 0xcc,
-	0x4a, 0x7c, 0x2c, 0xce, 0x72, 0x64, 0x5e, 0x47, 0x04, 0x56, 0x16, 0xf1, 0xa1, 0x97, 0xd3, 0xec,
+	0x8f, 0xc5, 0x59, 0x8e, 0xcc, 0xeb, 0x08, 0x60, 0x65, 0x91, 0x11, 0xf4, 0x72, 0x9a, 0xad, 0x92,
-	0x2a, 0x59, 0x22, 0xf5, 0x1c, 0x81, 0xa3, 0xb2, 0xc5, 0x1d, 0x8c, 0x29, 0x72, 0xaf, 0x2b, 0x4e,
+	0x05, 0x52, 0xcf, 0x11, 0x79, 0x54, 0xb6, 0x88, 0xc1, 0x98, 0x22, 0xf7, 0xba, 0xe2, 0x44, 0x59,
-	0x94, 0xe5, 0x3f, 0x04, 0xb7, 0xf6, 0x0c, 0x19, 0x81, 0x75, 0x81, 0x6b, 0xc5, 0xac, 0x5c, 0x96,
+	0xa3, 0xc7, 0xe0, 0xd6, 0xae, 0x21, 0x43, 0xb0, 0xae, 0x70, 0xad, 0x98, 0x95, 0xcb, 0x92, 0xc6,
-	0x34, 0xae, 0xa2, 0x55, 0xa1, 0xb9, 0x49, 0xe3, 0x53, 0xf3, 0x63, 0x23, 0x58, 0x40, 0x2f, 0x44,
+	0x2a, 0x5a, 0x16, 0x9a, 0x9b, 0x34, 0x3e, 0x37, 0xcf, 0x0d, 0x7f, 0x0e, 0xbd, 0x10, 0x59, 0x56,
-	0x96, 0x15, 0x34, 0xc6, 0x52, 0x80, 0x34, 0xba, 0x44, 0x75, 0x51, 0xac, 0x5b, 0x45, 0xf1, 0xa1,
+	0xd0, 0x18, 0x4b, 0x01, 0xd2, 0xe8, 0x1a, 0x55, 0xa0, 0x58, 0xb7, 0x8a, 0x32, 0x82, 0x1e, 0xa6,
-	0x87, 0xe9, 0x32, 0xcf, 0x92, 0x94, 0x0b, 0xdd, 0xf7, 0xc3, 0xca, 0x0e, 0x7e, 0x37, 0xe1, 0x60,
+	0x8b, 0x3c, 0x4b, 0x52, 0x2e, 0x74, 0xdf, 0x0f, 0x2b, 0xdb, 0xff, 0xd3, 0x84, 0xc3, 0x19, 0xa6,
-	0x8e, 0x29, 0xd2, 0x88, 0xa3, 0x2a, 0xa2, 0x2d, 0xa1, 0x2b, 0x51, 0xcd, 0x4d, 0x51, 0x3f, 0xdf,
+	0x48, 0x23, 0x8e, 0xaa, 0x89, 0xb6, 0x84, 0xae, 0x44, 0x35, 0x37, 0x45, 0xfd, 0x72, 0x43, 0x54,
-	0x10, 0xd5, 0x12, 0xa2, 0x7e, 0xd0, 0x10, 0xb5, 0x11, 0xf7, 0x15, 0xc4, 0xb5, 0x6b, 0xe2, 0x5e,
+	0x4b, 0x88, 0xfa, 0x71, 0x43, 0xd4, 0x06, 0xee, 0x1b, 0x88, 0x6b, 0xd7, 0xc4, 0xbd, 0x11, 0xb0,
-	0x0b, 0xd8, 0xd9, 0x14, 0xb0, 0xe2, 0xe8, 0xd4, 0x39, 0x56, 0x89, 0xe8, 0xd6, 0x13, 0xf1, 0xff,
+	0xb3, 0x29, 0x60, 0xc5, 0xd1, 0xa9, 0x73, 0xac, 0x0a, 0xd1, 0xad, 0x17, 0xe2, 0xbf, 0x09, 0x3e,
-	0x04, 0x9f, 0xc2, 0xe8, 0x9a, 0x87, 0xea, 0xa6, 0x8f, 0xa0, 0xab, 0xba, 0x44, 0xc4, 0xd8, 0xdd,
+	0x81, 0xe1, 0x0d, 0x0f, 0xf5, 0x9a, 0x3e, 0x85, 0xae, 0x7a, 0x25, 0x02, 0x63, 0xf7, 0x63, 0xd2,
-	0x4c, 0xda, 0x2d, 0x78, 0x0e, 0x83, 0x39, 0x8d, 0x52, 0xae, 0x25, 0x26, 0x60, 0x97, 0x2a, 0xea,
+	0x6e, 0xfe, 0x4b, 0x18, 0xcc, 0x68, 0x94, 0x72, 0x2d, 0x31, 0x01, 0xbb, 0x54, 0x51, 0x97, 0xae,
-	0xd4, 0x95, 0x6b, 0xf2, 0x00, 0x7a, 0x54, 0xa5, 0x56, 0xc0, 0xe8, 0x4f, 0xde, 0x6a, 0x84, 0xd5,
+	0x5c, 0x93, 0x47, 0xd0, 0xa3, 0xaa, 0xb4, 0x22, 0x8d, 0x7e, 0xf0, 0x4e, 0x03, 0x56, 0x57, 0x3e,
-	0x99, 0x0f, 0x2b, 0xc7, 0xe0, 0x00, 0x5c, 0x15, 0x58, 0x62, 0x0b, 0xbe, 0x05, 0x37, 0xc4, 0xab,
+	0xac, 0x1c, 0xfd, 0x43, 0x70, 0x15, 0xb0, 0xcc, 0xcd, 0xff, 0x1e, 0xdc, 0x10, 0x57, 0xd9, 0x15,
-	0xec, 0x02, 0x5f, 0xfb, 0x53, 0x23, 0x18, 0xea, 0xc8, 0xea, 0xad, 0xf7, 0x60, 0xf8, 0x38, 0x65,
+	0xfe, 0xef, 0x57, 0x0d, 0xe1, 0x40, 0x23, 0xab, 0xbb, 0x3e, 0x80, 0x83, 0xa7, 0x29, 0xcb, 0x31,
-	0x39, 0xc6, 0x15, 0xaf, 0x43, 0xe8, 0x6c, 0x8e, 0x08, 0x69, 0x04, 0x8f, 0xe0, 0xa0, 0xf2, 0xfb,
+	0xae, 0x78, 0x1d, 0x41, 0x67, 0x73, 0x44, 0x48, 0xc3, 0x7f, 0x02, 0x87, 0x95, 0xdf, 0x5b, 0x4b,
-	0xcf, 0x12, 0xfe, 0x02, 0x03, 0x31, 0x45, 0x76, 0x55, 0xe9, 0x75, 0xb5, 0x98, 0xb5, 0x6a, 0xd9,
+	0xf8, 0x1b, 0x0c, 0xc4, 0x14, 0xd9, 0xd5, 0xa5, 0x37, 0xdd, 0x62, 0xd6, 0xba, 0x65, 0x6b, 0x32,
-	0x9a, 0x4c, 0x56, 0xcb, 0x64, 0xba, 0x0b, 0x03, 0x71, 0xf8, 0xa2, 0x36, 0x85, 0xfa, 0x62, 0x6f,
+	0x59, 0x2d, 0x93, 0xe9, 0x3e, 0x0c, 0xc4, 0xe1, 0xab, 0xda, 0x14, 0xea, 0x8b, 0xbd, 0xa9, 0x1c,
-	0x26, 0x47, 0xd1, 0x43, 0x70, 0xd5, 0xfb, 0x8a, 0xc2, 0xfd, 0x4d, 0xae, 0xfd, 0xc9, 0x61, 0x83,
+	0x45, 0x8f, 0xc1, 0x55, 0xf7, 0x2b, 0x0a, 0x0f, 0x37, 0xb9, 0xf6, 0x83, 0xa3, 0x06, 0x01, 0xe9,
-	0x80, 0x74, 0x56, 0x0a, 0xfc, 0x69, 0x80, 0x1d, 0x16, 0x2b, 0x6c, 0x1b, 0x62, 0x22, 0x3b, 0xe6,
+	0xac, 0x14, 0xf8, 0xcb, 0x00, 0x3b, 0x2c, 0x96, 0xd8, 0x36, 0xc4, 0x44, 0x75, 0xcc, 0x1d, 0xd5,
-	0x8e, 0xec, 0x58, 0xaf, 0x98, 0x1d, 0xf2, 0x21, 0x38, 0x72, 0x1e, 0x0b, 0xec, 0xc3, 0xc9, 0xcd,
+	0xb1, 0xde, 0xb0, 0x3a, 0xe4, 0x13, 0x70, 0xe4, 0x3c, 0x16, 0xb9, 0x1f, 0x04, 0xb7, 0xb7, 0xf5,
-	0x6d, 0x3d, 0x91, 0xb1, 0x50, 0x39, 0xc9, 0x7e, 0x49, 0x32, 0x9a, 0xf0, 0xb5, 0xe8, 0xae, 0x4e,
+	0x44, 0xc6, 0x42, 0xe5, 0x24, 0xdf, 0x4b, 0x92, 0xd1, 0x84, 0xaf, 0xc5, 0xeb, 0xea, 0x84, 0x95,
-	0x58, 0xd9, 0xc1, 0x1f, 0x06, 0xb8, 0x8f, 0xc4, 0x60, 0x7e, 0xdd, 0x35, 0xb4, 0x81, 0xd2, 0xfa,
+	0xed, 0x9f, 0x83, 0xfb, 0x44, 0xcc, 0x65, 0x2d, 0xf5, 0x87, 0x60, 0xd3, 0x42, 0xb5, 0x50, 0x3f,
-	0xb7, 0x28, 0xed, 0x06, 0xca, 0x11, 0x0c, 0x35, 0x48, 0x55, 0x8e, 0x25, 0xee, 0x29, 0xae, 0xf0,
+	0xb8, 0xd5, 0x4c, 0xa6, 0x58, 0x62, 0x28, 0x1c, 0xca, 0x16, 0xd1, 0x91, 0xaa, 0x45, 0xce, 0xc1,
-	0x8d, 0xc7, 0xad, 0x41, 0x2a, 0xdc, 0x2e, 0xf4, 0xcb, 0x8f, 0xb6, 0xfe, 0x86, 0x7f, 0x02, 0x03,
+	0x9d, 0xe0, 0x12, 0xdf, 0x0e, 0x4b, 0x47, 0x2a, 0x2c, 0x17, 0xfa, 0xe5, 0xc7, 0x4d, 0x7f, 0xeb,
-	0x69, 0xaa, 0x3a, 0x7b, 0x1f, 0x3a, 0xb4, 0x28, 0xc7, 0xaf, 0xfc, 0x70, 0xdf, 0x68, 0xa2, 0x2d,
+	0x3e, 0x83, 0x81, 0x34, 0x55, 0x3d, 0x3e, 0x82, 0x4e, 0x19, 0xa8, 0x3f, 0x70, 0xad, 0xd0, 0xd2,
-	0x56, 0x18, 0x4a, 0x8f, 0xfb, 0x63, 0x70, 0x24, 0x12, 0xd2, 0x87, 0xee, 0x37, 0x8b, 0x2f, 0x16,
+	0xe3, 0xe1, 0x18, 0x1c, 0xa9, 0x07, 0xe9, 0x43, 0xf7, 0xbb, 0xf9, 0x57, 0xf3, 0x6f, 0x5e, 0xce,
-	0x5f, 0x3d, 0x5f, 0x8c, 0xf6, 0x4a, 0x63, 0x1e, 0x9e, 0x2d, 0x9e, 0xcd, 0xa6, 0x23, 0x83, 0x00,
+	0x87, 0x7b, 0xa5, 0x31, 0x0b, 0x2f, 0xe6, 0x2f, 0xa6, 0x93, 0xa1, 0x41, 0x00, 0x9c, 0xc9, 0x74,
-	0x38, 0xd3, 0xd9, 0xe2, 0xf1, 0x6c, 0x3a, 0x32, 0x27, 0x7f, 0x1b, 0x60, 0x9f, 0x15, 0xfc, 0x9c,
+	0xfe, 0x74, 0x3a, 0x19, 0x9a, 0xc1, 0x3f, 0x06, 0xd8, 0x17, 0x05, 0xbf, 0x24, 0xcf, 0xa1, 0xa7,
-	0x3c, 0x85, 0x9e, 0x9e, 0x72, 0xe4, 0xce, 0xcb, 0xc7, 0xb8, 0xff, 0xce, 0xce, 0x73, 0xc5, 0x67,
+	0xa7, 0x01, 0xb9, 0xf7, 0xfa, 0x71, 0x37, 0x7a, 0x6f, 0xe7, 0xb9, 0xe2, 0xb3, 0x47, 0x9e, 0x41,
-	0x8f, 0x3c, 0x81, 0xae, 0x6a, 0x78, 0x72, 0xd4, 0xf0, 0xae, 0x0f, 0x0c, 0xff, 0xce, 0xae, 0xe3,
+	0x57, 0x3d, 0x0c, 0x72, 0xdc, 0xf0, 0xae, 0x3f, 0xac, 0xd1, 0xbd, 0x5d, 0xc7, 0x15, 0xd6, 0x44,
-	0x2a, 0xd6, 0x54, 0xff, 0x85, 0xdc, 0x6e, 0x6d, 0x30, 0x15, 0xe7, 0xed, 0xf6, 0x43, 0x1d, 0x65,
+	0x7f, 0xad, 0xef, 0xb6, 0x36, 0xa2, 0xc2, 0x79, 0xb7, 0xfd, 0x50, 0xa3, 0x04, 0x3f, 0x40, 0x4f,
-	0xf2, 0x1d, 0xf4, 0xf4, 0x4f, 0x11, 0xf9, 0x1a, 0xec, 0x52, 0x60, 0x12, 0x34, 0xee, 0xb4, 0xfc,
+	0xff, 0x3c, 0x90, 0x6f, 0xc1, 0x2e, 0x05, 0x26, 0x7e, 0x23, 0xa6, 0xe5, 0xc7, 0x63, 0xf4, 0xe0,
-	0x50, 0xf9, 0xf7, 0x5e, 0xea, 0x53, 0x85, 0xff, 0xcb, 0x80, 0x4e, 0x99, 0x08, 0x46, 0xe6, 0xe0,
+	0xb5, 0x3e, 0x15, 0xfc, 0xdf, 0x06, 0x74, 0xca, 0x42, 0x30, 0x32, 0x03, 0x47, 0xb6, 0x0a, 0x69,
-	0xc8, 0xb2, 0x24, 0x4d, 0x48, 0xb5, 0x96, 0xf2, 0x8f, 0x76, 0x9c, 0x56, 0xbc, 0xe7, 0xe0, 0xc8,
+	0xa6, 0x54, 0xeb, 0xbd, 0xd1, 0xf1, 0x8e, 0xd3, 0x8a, 0xf7, 0x0c, 0x1c, 0xd9, 0x27, 0x5b, 0x40,
-	0x3a, 0xd9, 0x0a, 0x54, 0xab, 0xf1, 0xad, 0x40, 0x8d, 0xe2, 0xda, 0x23, 0x67, 0x8a, 0xae, 0xdf,
+	0xb5, 0xc6, 0xdb, 0x02, 0x6a, 0x34, 0xd7, 0x1e, 0xb9, 0x50, 0x74, 0x47, 0x2d, 0x54, 0x34, 0xc8,
-	0x42, 0x45, 0x07, 0xb9, 0xdd, 0x7a, 0xa6, 0x43, 0x7c, 0xef, 0x88, 0x7f, 0xd0, 0x07, 0xff, 0x04,
+	0xdd, 0xd6, 0x33, 0x0d, 0xf1, 0xa3, 0x23, 0xfe, 0xd5, 0x1e, 0xfd, 0x1b, 0x00, 0x00, 0xff, 0xff,
-	0x00, 0x00, 0xff, 0xff, 0x60, 0xd4, 0x97, 0x04, 0xa4, 0x0a, 0x00, 0x00,
+	0x7f, 0x20, 0xd5, 0xb8, 0xcc, 0x09, 0x00, 0x00,
 }
 // Reference imports to suppress errors if they are not otherwise used.
--- a/auth/service/proto/auth.proto
+++ b/auth/service/proto/auth.proto
@ -110,19 +110,13 @@ message Rule {
 }
 message CreateRequest {
-	string role = 1;
+	Rule rule = 1;
 	Resource resource = 2;
 	Access access = 3;
 	int32 priority = 4;
 }
 message CreateResponse {}
 message DeleteRequest {
-	string role = 1;
+	Rule rule = 1;
 	Resource resource = 2;
 	Access access = 3;
 	int32 priority = 4;
 }
 message DeleteResponse {}
--- a/auth/service/service.go
+++ b/auth/service/service.go
@ -2,13 +2,12 @@ package service
 import (
 	"context"
 	"fmt"
 	"sort"
 	"strings"
 	"sync"
 	"time"
 	"github.com/micro/go-micro/v2/auth"
 	"github.com/micro/go-micro/v2/auth/rules"
 	pb "github.com/micro/go-micro/v2/auth/service/proto"
 	"github.com/micro/go-micro/v2/auth/token"
 	"github.com/micro/go-micro/v2/auth/token/jwt"
@ -23,8 +22,7 @@ type svc struct {
 	auth    pb.AuthService
 	rule    pb.RulesService
 	jwt     token.Provider
-
+	rules   []*auth.Rule
 	rules []*pb.Rule
 	sync.Mutex
 }
@ -79,84 +77,53 @@ func (s *svc) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
 }
 // Grant access to a resource
-func (s *svc) Grant(role string, res *auth.Resource) error {
+func (s *svc) Grant(rule *auth.Rule) error {
 	_, err := s.rule.Create(context.TODO(), &pb.CreateRequest{
-		Role:   role,
+		Rule: &pb.Rule{
-		Access: pb.Access_GRANTED,
+			Id:       rule.ID,
-		Resource: &pb.Resource{
+			Role:     rule.Role,
-			Type:     res.Type,
+			Priority: rule.Priority,
-			Name:     res.Name,
+			Access:   pb.Access_GRANTED,
-			Endpoint: res.Endpoint,
+			Resource: &pb.Resource{
 				Type:     rule.Resource.Type,
 				Name:     rule.Resource.Name,
 				Endpoint: rule.Resource.Endpoint,
 			},
 		},
 	})
 	go s.loadRules()
 	return err
 }
 // Revoke access to a resource
-func (s *svc) Revoke(role string, res *auth.Resource) error {
+func (s *svc) Revoke(rule *auth.Rule) error {
 	_, err := s.rule.Delete(context.TODO(), &pb.DeleteRequest{
-		Role:   role,
+		Rule: &pb.Rule{
-		Access: pb.Access_GRANTED,
+			Id:       rule.ID,
-		Resource: &pb.Resource{
+			Role:     rule.Role,
-			Type:     res.Type,
+			Priority: rule.Priority,
-			Name:     res.Name,
+			Access:   pb.Access_GRANTED,
-			Endpoint: res.Endpoint,
+			Resource: &pb.Resource{
 				Type:     rule.Resource.Type,
 				Name:     rule.Resource.Name,
 				Endpoint: rule.Resource.Endpoint,
 			},
 		},
 	})
 	go s.loadRules()
 	return err
 }
 func (s *svc) Rules() ([]*auth.Rule, error) {
 	return s.rules, nil
 }
 // Verify an account has access to a resource
 func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
 	// check the scope
 	scope := "namespace." + s.options.Namespace
 	if acc != nil && !acc.HasScope(scope) {
 		return fmt.Errorf("Missing required scope: %v", scope)
 	}
 	// load the rules if none are loaded
 	s.loadRulesIfEmpty()
-
+	// verify the request using the rules
-	queries := [][]string{
+	return rules.Verify(s.options.Namespace, s.rules, acc, res)
 		{res.Type, res.Name, res.Endpoint}, // check for specific role, e.g. service.foo.ListFoo:admin (role is checked in accessForRule)
 		{res.Type, res.Name, "*"},          // check for wildcard endpoint, e.g. service.foo*
 		{res.Type, "*"},                    // check for wildcard name, e.g. service.*
 		{"*"},                              // check for wildcard type, e.g. *
 	}
 	// endpoint is a url which can have wildcard excludes, e.g.
 	// "/foo/*" will allow "/foo/bar"
 	if comps := strings.Split(res.Endpoint, "/"); len(comps) > 1 {
 		for i := 1; i < len(comps); i++ {
 			wildcard := fmt.Sprintf("%v/*", strings.Join(comps[0:i], "/"))
 			queries = append(queries, []string{res.Type, res.Name, wildcard})
 		}
 	}
 	// set a default account id / namespace to log
 	logID := acc.ID
 	if len(logID) == 0 {
 		logID = "[no account]"
 	}
 	for _, q := range queries {
 		for _, rule := range s.listRules(q...) {
 			switch accessForRule(rule, acc, res) {
 			case pb.Access_UNKNOWN:
 				continue // rule did not specify access, check the next rule
 			case pb.Access_GRANTED:
 				log.Tracef("%v granted access to %v:%v:%v by rule %v", logID, res.Type, res.Name, res.Endpoint, rule.Id)
 				return nil // rule grants the account access to the resource
 			case pb.Access_DENIED:
 				log.Tracef("%v denied access to %v:%v:%v by rule %v", logID, res.Type, res.Name, res.Endpoint, rule.Id)
 				return auth.ErrForbidden // rule denies access to the resource
 			}
 		}
 	}
 	// no rules were found for the resource, default to denying access
 	log.Tracef("%v denied access to %v:%v:%v by lack of rule", logID, res.Type, res.Name, res.Endpoint)
 	return auth.ErrForbidden
 }
 // Inspect a token
@ -221,35 +188,6 @@ func accessForRule(rule *pb.Rule, acc *auth.Account, res *auth.Resource) pb.Acce
 	return pb.Access_UNKNOWN
 }
 // listRules gets all the rules from the store which match the filters.
 // filters are namespace, type, name and then endpoint.
 func (s *svc) listRules(filters ...string) []*pb.Rule {
 	s.Lock()
 	defer s.Unlock()
 	var rules []*pb.Rule
 	for _, r := range s.rules {
 		if len(filters) > 1 && r.Resource.Type != filters[0] {
 			continue
 		}
 		if len(filters) > 2 && r.Resource.Name != filters[1] {
 			continue
 		}
 		if len(filters) > 3 && r.Resource.Endpoint != filters[2] {
 			continue
 		}
 		rules = append(rules, r)
 	}
 	// sort rules by priority
 	sort.Slice(rules, func(i, j int) bool {
 		return rules[i].Priority < rules[j].Priority
 	})
 	return rules
 }
 // loadRules retrieves the rules from the auth service
 func (s *svc) loadRules() {
 	rsp, err := s.rule.List(context.TODO(), &pb.ListRequest{})
@ -261,7 +199,27 @@ func (s *svc) loadRules() {
 		return
 	}
-	s.rules = rsp.Rules
+	s.rules = make([]*auth.Rule, 0, len(rsp.Rules))
 	for _, r := range rsp.Rules {
 		var access auth.Access
 		if r.Access == pb.Access_GRANTED {
 			access = auth.AccessGranted
 		} else {
 			access = auth.AccessDenied
 		}
 		s.rules = append(s.rules, &auth.Rule{
 			ID:       r.Id,
 			Role:     r.Role,
 			Access:   access,
 			Priority: r.Priority,
 			Resource: &auth.Resource{
 				Type:     r.Resource.Type,
 				Name:     r.Resource.Name,
 				Endpoint: r.Resource.Endpoint,
 			},
 		})
 	}
 }
 func (s *svc) loadRulesIfEmpty() {
--- a/util/auth/auth.go
+++ b/util/auth/auth.go
@ -66,7 +66,7 @@ func Generate(id string, name string, a auth.Auth) error {
 			// generate the first token
 			tok, err := a.Token(
-				auth.WithCredentials(accID, accSecret),
+				auth.WithToken(tok.RefreshToken),
 				auth.WithExpiry(time.Minute*10),
 			)
 			if err != nil {