Auth load rules (#1397)

* WithRoles variadic args

* Load Rules

* Timer => Ticker

Co-authored-by: Ben Toogood <ben@micro.mu>

auth/service/proto/auth.pb.go

@@ -20,6 +20,61 @@ var _ = math.Inf
 // proto package needs to be updated.
 const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package
 
+type Rule struct {
+	Id                   string    `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+	Role                 string    `protobuf:"bytes,2,opt,name=role,proto3" json:"role,omitempty"`
+	Resource             *Resource `protobuf:"bytes,3,opt,name=resource,proto3" json:"resource,omitempty"`
+	XXX_NoUnkeyedLiteral struct{}  `json:"-"`
+	XXX_unrecognized     []byte    `json:"-"`
+	XXX_sizecache        int32     `json:"-"`
+}
+
+func (m *Rule) Reset()         { *m = Rule{} }
+func (m *Rule) String() string { return proto.CompactTextString(m) }
+func (*Rule) ProtoMessage()    {}
+func (*Rule) Descriptor() ([]byte, []int) {
+	return fileDescriptor_21300bfacc51fc2a, []int{0}
+}
+
+func (m *Rule) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_Rule.Unmarshal(m, b)
+}
+func (m *Rule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_Rule.Marshal(b, m, deterministic)
+}
+func (m *Rule) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_Rule.Merge(m, src)
+}
+func (m *Rule) XXX_Size() int {
+	return xxx_messageInfo_Rule.Size(m)
+}
+func (m *Rule) XXX_DiscardUnknown() {
+	xxx_messageInfo_Rule.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_Rule proto.InternalMessageInfo
+
+func (m *Rule) GetId() string {
+	if m != nil {
+		return m.Id
+	}
+	return ""
+}
+
+func (m *Rule) GetRole() string {
+	if m != nil {
+		return m.Role
+	}
+	return ""
+}
+
+func (m *Rule) GetResource() *Resource {
+	if m != nil {
+		return m.Resource
+	}
+	return nil
+}
+
 type Token struct {
 	Token                string            `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
 	Type                 string            `protobuf:"bytes,2,opt,name=type,proto3" json:"type,omitempty"`
@@ -37,7 +92,7 @@ func (m *Token) Reset()         { *m = Token{} }
 func (m *Token) String() string { return proto.CompactTextString(m) }
 func (*Token) ProtoMessage()    {}
 func (*Token) Descriptor() ([]byte, []int) {
-	return fileDescriptor_21300bfacc51fc2a, []int{0}
+	return fileDescriptor_21300bfacc51fc2a, []int{1}
 }
 
 func (m *Token) XXX_Unmarshal(b []byte) error {
@@ -121,7 +176,7 @@ func (m *Account) Reset()         { *m = Account{} }
 func (m *Account) String() string { return proto.CompactTextString(m) }
 func (*Account) ProtoMessage()    {}
 func (*Account) Descriptor() ([]byte, []int) {
-	return fileDescriptor_21300bfacc51fc2a, []int{1}
+	return fileDescriptor_21300bfacc51fc2a, []int{2}
 }
 
 func (m *Account) XXX_Unmarshal(b []byte) error {
@@ -183,7 +238,7 @@ func (m *Resource) Reset()         { *m = Resource{} }
 func (m *Resource) String() string { return proto.CompactTextString(m) }
 func (*Resource) ProtoMessage()    {}
 func (*Resource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_21300bfacc51fc2a, []int{2}
+	return fileDescriptor_21300bfacc51fc2a, []int{3}
 }
 
 func (m *Resource) XXX_Unmarshal(b []byte) error {
@@ -239,7 +294,7 @@ func (m *GenerateRequest) Reset()         { *m = GenerateRequest{} }
 func (m *GenerateRequest) String() string { return proto.CompactTextString(m) }
 func (*GenerateRequest) ProtoMessage()    {}
 func (*GenerateRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_21300bfacc51fc2a, []int{3}
+	return fileDescriptor_21300bfacc51fc2a, []int{4}
 }
 
 func (m *GenerateRequest) XXX_Unmarshal(b []byte) error {
@@ -299,7 +354,7 @@ func (m *GenerateResponse) Reset()         { *m = GenerateResponse{} }
 func (m *GenerateResponse) String() string { return proto.CompactTextString(m) }
 func (*GenerateResponse) ProtoMessage()    {}
 func (*GenerateResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_21300bfacc51fc2a, []int{4}
+	return fileDescriptor_21300bfacc51fc2a, []int{5}
 }
 
 func (m *GenerateResponse) XXX_Unmarshal(b []byte) error {
@@ -339,7 +394,7 @@ func (m *GrantRequest) Reset()         { *m = GrantRequest{} }
 func (m *GrantRequest) String() string { return proto.CompactTextString(m) }
 func (*GrantRequest) ProtoMessage()    {}
 func (*GrantRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_21300bfacc51fc2a, []int{5}
+	return fileDescriptor_21300bfacc51fc2a, []int{6}
 }
 
 func (m *GrantRequest) XXX_Unmarshal(b []byte) error {
@@ -384,7 +439,7 @@ func (m *GrantResponse) Reset()         { *m = GrantResponse{} }
 func (m *GrantResponse) String() string { return proto.CompactTextString(m) }
 func (*GrantResponse) ProtoMessage()    {}
 func (*GrantResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_21300bfacc51fc2a, []int{6}
+	return fileDescriptor_21300bfacc51fc2a, []int{7}
 }
 
 func (m *GrantResponse) XXX_Unmarshal(b []byte) error {
@@ -405,84 +460,6 @@ func (m *GrantResponse) XXX_DiscardUnknown() {
 
 var xxx_messageInfo_GrantResponse proto.InternalMessageInfo
 
-type VerifyRequest struct {
-	Account              *Account  `protobuf:"bytes,1,opt,name=account,proto3" json:"account,omitempty"`
-	Resource             *Resource `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}  `json:"-"`
-	XXX_unrecognized     []byte    `json:"-"`
-	XXX_sizecache        int32     `json:"-"`
-}
-
-func (m *VerifyRequest) Reset()         { *m = VerifyRequest{} }
-func (m *VerifyRequest) String() string { return proto.CompactTextString(m) }
-func (*VerifyRequest) ProtoMessage()    {}
-func (*VerifyRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_21300bfacc51fc2a, []int{7}
-}
-
-func (m *VerifyRequest) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_VerifyRequest.Unmarshal(m, b)
-}
-func (m *VerifyRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_VerifyRequest.Marshal(b, m, deterministic)
-}
-func (m *VerifyRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VerifyRequest.Merge(m, src)
-}
-func (m *VerifyRequest) XXX_Size() int {
-	return xxx_messageInfo_VerifyRequest.Size(m)
-}
-func (m *VerifyRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_VerifyRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VerifyRequest proto.InternalMessageInfo
-
-func (m *VerifyRequest) GetAccount() *Account {
-	if m != nil {
-		return m.Account
-	}
-	return nil
-}
-
-func (m *VerifyRequest) GetResource() *Resource {
-	if m != nil {
-		return m.Resource
-	}
-	return nil
-}
-
-type VerifyResponse struct {
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *VerifyResponse) Reset()         { *m = VerifyResponse{} }
-func (m *VerifyResponse) String() string { return proto.CompactTextString(m) }
-func (*VerifyResponse) ProtoMessage()    {}
-func (*VerifyResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_21300bfacc51fc2a, []int{8}
-}
-
-func (m *VerifyResponse) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_VerifyResponse.Unmarshal(m, b)
-}
-func (m *VerifyResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_VerifyResponse.Marshal(b, m, deterministic)
-}
-func (m *VerifyResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VerifyResponse.Merge(m, src)
-}
-func (m *VerifyResponse) XXX_Size() int {
-	return xxx_messageInfo_VerifyResponse.Size(m)
-}
-func (m *VerifyResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_VerifyResponse.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VerifyResponse proto.InternalMessageInfo
-
 type RevokeRequest struct {
 	Role                 string    `protobuf:"bytes,1,opt,name=role,proto3" json:"role,omitempty"`
 	Resource             *Resource `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"`
@@ -495,7 +472,7 @@ func (m *RevokeRequest) Reset()         { *m = RevokeRequest{} }
 func (m *RevokeRequest) String() string { return proto.CompactTextString(m) }
 func (*RevokeRequest) ProtoMessage()    {}
 func (*RevokeRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_21300bfacc51fc2a, []int{9}
+	return fileDescriptor_21300bfacc51fc2a, []int{8}
 }
 
 func (m *RevokeRequest) XXX_Unmarshal(b []byte) error {
@@ -540,7 +517,7 @@ func (m *RevokeResponse) Reset()         { *m = RevokeResponse{} }
 func (m *RevokeResponse) String() string { return proto.CompactTextString(m) }
 func (*RevokeResponse) ProtoMessage()    {}
 func (*RevokeResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_21300bfacc51fc2a, []int{10}
+	return fileDescriptor_21300bfacc51fc2a, []int{9}
 }
 
 func (m *RevokeResponse) XXX_Unmarshal(b []byte) error {
@@ -572,7 +549,7 @@ func (m *InspectRequest) Reset()         { *m = InspectRequest{} }
 func (m *InspectRequest) String() string { return proto.CompactTextString(m) }
 func (*InspectRequest) ProtoMessage()    {}
 func (*InspectRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_21300bfacc51fc2a, []int{11}
+	return fileDescriptor_21300bfacc51fc2a, []int{10}
 }
 
 func (m *InspectRequest) XXX_Unmarshal(b []byte) error {
@@ -611,7 +588,7 @@ func (m *InspectResponse) Reset()         { *m = InspectResponse{} }
 func (m *InspectResponse) String() string { return proto.CompactTextString(m) }
 func (*InspectResponse) ProtoMessage()    {}
 func (*InspectResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_21300bfacc51fc2a, []int{12}
+	return fileDescriptor_21300bfacc51fc2a, []int{11}
 }
 
 func (m *InspectResponse) XXX_Unmarshal(b []byte) error {
@@ -651,7 +628,7 @@ func (m *RefreshRequest) Reset()         { *m = RefreshRequest{} }
 func (m *RefreshRequest) String() string { return proto.CompactTextString(m) }
 func (*RefreshRequest) ProtoMessage()    {}
 func (*RefreshRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_21300bfacc51fc2a, []int{13}
+	return fileDescriptor_21300bfacc51fc2a, []int{12}
 }
 
 func (m *RefreshRequest) XXX_Unmarshal(b []byte) error {
@@ -697,7 +674,7 @@ func (m *RefreshResponse) Reset()         { *m = RefreshResponse{} }
 func (m *RefreshResponse) String() string { return proto.CompactTextString(m) }
 func (*RefreshResponse) ProtoMessage()    {}
 func (*RefreshResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_21300bfacc51fc2a, []int{14}
+	return fileDescriptor_21300bfacc51fc2a, []int{13}
 }
 
 func (m *RefreshResponse) XXX_Unmarshal(b []byte) error {
@@ -725,7 +702,78 @@ func (m *RefreshResponse) GetToken() *Token {
 	return nil
 }
 
+type ListRulesRequest struct {
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ListRulesRequest) Reset()         { *m = ListRulesRequest{} }
+func (m *ListRulesRequest) String() string { return proto.CompactTextString(m) }
+func (*ListRulesRequest) ProtoMessage()    {}
+func (*ListRulesRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_21300bfacc51fc2a, []int{14}
+}
+
+func (m *ListRulesRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ListRulesRequest.Unmarshal(m, b)
+}
+func (m *ListRulesRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ListRulesRequest.Marshal(b, m, deterministic)
+}
+func (m *ListRulesRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ListRulesRequest.Merge(m, src)
+}
+func (m *ListRulesRequest) XXX_Size() int {
+	return xxx_messageInfo_ListRulesRequest.Size(m)
+}
+func (m *ListRulesRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_ListRulesRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ListRulesRequest proto.InternalMessageInfo
+
+type ListRulesResponse struct {
+	Rules                []*Rule  `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ListRulesResponse) Reset()         { *m = ListRulesResponse{} }
+func (m *ListRulesResponse) String() string { return proto.CompactTextString(m) }
+func (*ListRulesResponse) ProtoMessage()    {}
+func (*ListRulesResponse) Descriptor() ([]byte, []int) {
+	return fileDescriptor_21300bfacc51fc2a, []int{15}
+}
+
+func (m *ListRulesResponse) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ListRulesResponse.Unmarshal(m, b)
+}
+func (m *ListRulesResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ListRulesResponse.Marshal(b, m, deterministic)
+}
+func (m *ListRulesResponse) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ListRulesResponse.Merge(m, src)
+}
+func (m *ListRulesResponse) XXX_Size() int {
+	return xxx_messageInfo_ListRulesResponse.Size(m)
+}
+func (m *ListRulesResponse) XXX_DiscardUnknown() {
+	xxx_messageInfo_ListRulesResponse.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ListRulesResponse proto.InternalMessageInfo
+
+func (m *ListRulesResponse) GetRules() []*Rule {
+	if m != nil {
+		return m.Rules
+	}
+	return nil
+}
+
 func init() {
+	proto.RegisterType((*Rule)(nil), "go.micro.auth.Rule")
 	proto.RegisterType((*Token)(nil), "go.micro.auth.Token")
 	proto.RegisterMapType((map[string]string)(nil), "go.micro.auth.Token.MetadataEntry")
 	proto.RegisterType((*Account)(nil), "go.micro.auth.Account")
@@ -736,60 +784,62 @@ func init() {
 	proto.RegisterType((*GenerateResponse)(nil), "go.micro.auth.GenerateResponse")
 	proto.RegisterType((*GrantRequest)(nil), "go.micro.auth.GrantRequest")
 	proto.RegisterType((*GrantResponse)(nil), "go.micro.auth.GrantResponse")
-	proto.RegisterType((*VerifyRequest)(nil), "go.micro.auth.VerifyRequest")
-	proto.RegisterType((*VerifyResponse)(nil), "go.micro.auth.VerifyResponse")
 	proto.RegisterType((*RevokeRequest)(nil), "go.micro.auth.RevokeRequest")
 	proto.RegisterType((*RevokeResponse)(nil), "go.micro.auth.RevokeResponse")
 	proto.RegisterType((*InspectRequest)(nil), "go.micro.auth.InspectRequest")
 	proto.RegisterType((*InspectResponse)(nil), "go.micro.auth.InspectResponse")
 	proto.RegisterType((*RefreshRequest)(nil), "go.micro.auth.RefreshRequest")
 	proto.RegisterType((*RefreshResponse)(nil), "go.micro.auth.RefreshResponse")
+	proto.RegisterType((*ListRulesRequest)(nil), "go.micro.auth.ListRulesRequest")
+	proto.RegisterType((*ListRulesResponse)(nil), "go.micro.auth.ListRulesResponse")
 }
 
 func init() { proto.RegisterFile("auth/service/proto/auth.proto", fileDescriptor_21300bfacc51fc2a) }
 
 var fileDescriptor_21300bfacc51fc2a = []byte{
-	// 663 bytes of a gzipped FileDescriptorProto
+	// 696 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0xdd, 0x6e, 0xd3, 0x4c,
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0xdb, 0x6e, 0xd3, 0x40,
-	0x10, 0xad, 0xed, 0xfc, 0x75, 0x52, 0x27, 0xd1, 0xaa, 0xea, 0x67, 0xf9, 0xa3, 0x25, 0x18, 0x84,
+	0x10, 0xad, 0xed, 0xdc, 0x3a, 0x69, 0x9a, 0xb0, 0x54, 0xc5, 0x32, 0x6d, 0x09, 0x06, 0xa1, 0x82,
-	0x2a, 0x54, 0xb9, 0x28, 0xbd, 0x41, 0x20, 0x10, 0x15, 0xad, 0xca, 0x8f, 0xca, 0x85, 0x85, 0x80,
+	0xaa, 0x14, 0xa5, 0x2f, 0x08, 0x44, 0x45, 0x45, 0xab, 0x72, 0x2b, 0x42, 0x16, 0x12, 0xbc, 0x55,
-	0x3b, 0xe4, 0x3a, 0x53, 0x6a, 0xd2, 0xd8, 0x66, 0xbd, 0x8e, 0xc8, 0x5b, 0xf0, 0x52, 0xbc, 0x05,
+	0xae, 0x33, 0x50, 0xd3, 0xd4, 0x36, 0xeb, 0x75, 0x45, 0xfe, 0x82, 0x2f, 0xe3, 0x0b, 0x78, 0xe3,
-	0x77, 0xbc, 0x08, 0xda, 0xf5, 0xae, 0x6b, 0x3b, 0x09, 0x12, 0x05, 0xee, 0x76, 0x76, 0x66, 0xcf,
+	0x47, 0xd0, 0xae, 0x77, 0xb7, 0x8e, 0x13, 0x23, 0xc4, 0xe5, 0x6d, 0x77, 0x76, 0x7c, 0xce, 0xcc,
-	0x99, 0x39, 0x73, 0xe2, 0xc0, 0xb6, 0x9f, 0xb1, 0x8b, 0xfd, 0x14, 0xe9, 0x2c, 0x0c, 0x70, 0x3f,
+	0x99, 0x33, 0x09, 0xac, 0xfb, 0x19, 0x3b, 0xdd, 0x4e, 0x91, 0x5e, 0x84, 0x01, 0x6e, 0x27, 0x34,
-	0xa1, 0x31, 0x8b, 0xf7, 0xf9, 0x95, 0x2b, 0x8e, 0xc4, 0xfc, 0x18, 0xbb, 0xd3, 0x30, 0xa0, 0xb1,
+	0x66, 0xf1, 0x36, 0x0f, 0x0d, 0xc4, 0x91, 0x74, 0x3e, 0xc6, 0x83, 0xf3, 0x30, 0xa0, 0xf1, 0x80,
-	0xcb, 0x2f, 0x9d, 0xaf, 0x3a, 0x34, 0xdf, 0xc4, 0x13, 0x8c, 0xc8, 0x26, 0x34, 0x19, 0x3f, 0x58,
+	0x07, 0xdd, 0x63, 0xa8, 0x79, 0xd9, 0x18, 0xc9, 0x32, 0x98, 0xe1, 0xc8, 0x36, 0xfa, 0xc6, 0xe6,
-	0xda, 0x50, 0xdb, 0x5d, 0xf7, 0xf2, 0x80, 0x10, 0x68, 0xb0, 0x79, 0x82, 0x96, 0x2e, 0x2e, 0xc5,
+	0xa2, 0x67, 0x86, 0x23, 0x42, 0xa0, 0x46, 0xe3, 0x31, 0xda, 0xa6, 0x88, 0x88, 0x33, 0xd9, 0x81,
-	0x99, 0x58, 0xd0, 0x0e, 0x28, 0xfa, 0x0c, 0xc7, 0x96, 0x31, 0xd4, 0x76, 0x0d, 0x4f, 0x85, 0x64,
+	0x16, 0xc5, 0x34, 0xce, 0x68, 0x80, 0xb6, 0xd5, 0x37, 0x36, 0xdb, 0xc3, 0x6b, 0x83, 0x29, 0xb4,
-	0x0b, 0x5a, 0xf8, 0x25, 0x09, 0xe9, 0xdc, 0x6a, 0x88, 0x84, 0x8c, 0xf8, 0x8b, 0x34, 0x3b, 0xfb,
+	0x81, 0x27, 0x9f, 0x3d, 0x9d, 0xe8, 0x7e, 0x35, 0xa1, 0xfe, 0x36, 0x3e, 0xc3, 0x88, 0xac, 0x40,
-	0x84, 0x01, 0xb3, 0x9a, 0x02, 0x48, 0x85, 0x9c, 0x95, 0xc6, 0x97, 0x98, 0x5a, 0xad, 0xa1, 0xc1,
+	0x9d, 0xf1, 0x83, 0x64, 0xc9, 0x2f, 0x9c, 0x88, 0x4d, 0x12, 0x4d, 0xc4, 0xcf, 0xc4, 0x86, 0x66,
-	0x59, 0x45, 0x40, 0x9e, 0x40, 0x67, 0x8a, 0xcc, 0x1f, 0xfb, 0xcc, 0xb7, 0xda, 0x43, 0x63, 0xb7,
+	0x40, 0xd1, 0x67, 0x38, 0x12, 0x3c, 0x96, 0xa7, 0xae, 0x64, 0x15, 0x1a, 0xf8, 0x25, 0x09, 0xe9,
-	0x3b, 0x72, 0xdc, 0x4a, 0xdf, 0xae, 0xe8, 0xd9, 0x3d, 0x95, 0x45, 0xc7, 0x11, 0xa3, 0x73, 0xaf,
+	0xc4, 0xae, 0x89, 0x07, 0x79, 0xe3, 0x5f, 0xa4, 0xd9, 0xc9, 0x27, 0x0c, 0x98, 0x5d, 0x17, 0x40,
-	0x78, 0x63, 0x3f, 0x02, 0xb3, 0x92, 0x22, 0x03, 0x30, 0x26, 0x38, 0x97, 0xa3, 0xf1, 0x23, 0x27,
+	0xea, 0xca, 0x59, 0x79, 0xf1, 0xa9, 0xdd, 0xe8, 0x5b, 0x9c, 0x55, 0x5c, 0xc8, 0x2e, 0xb4, 0xce,
-	0x9e, 0xf9, 0x97, 0x99, 0x9a, 0x2c, 0x0f, 0x1e, 0xea, 0x0f, 0x34, 0xe7, 0xbb, 0x06, 0xed, 0xc3,
+	0x91, 0xf9, 0x23, 0x9f, 0xf9, 0x76, 0xb3, 0x6f, 0x6d, 0xb6, 0x87, 0x6e, 0xa9, 0x15, 0x51, 0xf3,
-	0x20, 0x88, 0xb3, 0x88, 0x91, 0x1e, 0xe8, 0xe1, 0x58, 0x3e, 0xd3, 0xc3, 0x31, 0xd9, 0x83, 0x56,
+	0xe0, 0x48, 0x26, 0x1d, 0x44, 0x8c, 0x4e, 0x3c, 0xfd, 0x8d, 0xf3, 0x08, 0x3a, 0x53, 0x4f, 0xa4,
-	0x8a, 0x01, 0x45, 0x26, 0x9e, 0x75, 0x47, 0x9b, 0xcb, 0xda, 0xf2, 0x64, 0xcd, 0xd5, 0x70, 0x46,
+	0x07, 0xd6, 0x19, 0x4e, 0x64, 0x6b, 0xfc, 0xc8, 0x89, 0x2f, 0xfc, 0x71, 0xa6, 0x3a, 0xcb, 0x2f,
-	0x79, 0xb8, 0xa7, 0xa5, 0xe1, 0x1a, 0x62, 0xb8, 0x3b, 0x35, 0x14, 0xc9, 0xfe, 0x6f, 0xc6, 0x7b,
+	0x0f, 0xcd, 0x07, 0x86, 0xfb, 0xdd, 0x80, 0xe6, 0x5e, 0x10, 0xc4, 0x59, 0xc4, 0x66, 0x74, 0xdf,
-	0x0d, 0x1d, 0x0f, 0xd3, 0x38, 0xa3, 0x01, 0xf2, 0xed, 0x46, 0xfe, 0x14, 0xe5, 0x43, 0x71, 0x5e,
+	0x82, 0x46, 0x8a, 0x01, 0x45, 0x26, 0x3e, 0x6b, 0x0f, 0x57, 0xe6, 0x95, 0xe5, 0xc9, 0x9c, 0xcb,
-	0xba, 0x71, 0x1b, 0x3a, 0x18, 0x8d, 0x93, 0x38, 0x8c, 0x98, 0x58, 0xf9, 0xba, 0x57, 0xc4, 0xce,
+	0xe6, 0xac, 0x62, 0x73, 0x4f, 0x0a, 0xcd, 0xd5, 0x44, 0x73, 0xb7, 0x4b, 0x28, 0x92, 0xfd, 0xff,
-	0x0f, 0x0d, 0xfa, 0x27, 0x18, 0x21, 0xf5, 0x19, 0x7a, 0xf8, 0x39, 0xc3, 0x74, 0x51, 0xb6, 0x42,
+	0xb4, 0xf7, 0x1a, 0x5a, 0xca, 0x07, 0x7c, 0xba, 0x91, 0x7f, 0x8e, 0xf2, 0x43, 0x71, 0x9e, 0x3b,
-	0x08, 0xbd, 0x2c, 0xc4, 0xf3, 0x92, 0x10, 0x86, 0x10, 0x62, 0xaf, 0x26, 0x44, 0x0d, 0x77, 0x95,
+	0x71, 0x07, 0x5a, 0x18, 0x8d, 0x92, 0x38, 0x8c, 0x98, 0x18, 0xf9, 0xa2, 0xa7, 0xef, 0xee, 0x0f,
-	0x20, 0xe4, 0x36, 0x98, 0xb9, 0xe4, 0x1f, 0x2a, 0xf6, 0xdb, 0xc8, 0x2f, 0x8f, 0xc5, 0xdd, 0x9f,
+	0x03, 0xba, 0x87, 0x18, 0x21, 0xf5, 0x19, 0x7a, 0xf8, 0x39, 0xc3, 0x74, 0x56, 0x36, 0x2d, 0x84,
-	0xa9, 0x76, 0x04, 0x83, 0xab, 0x66, 0xd2, 0x24, 0x8e, 0x52, 0x24, 0xf7, 0xa1, 0xed, 0xe7, 0x9b,
+	0x59, 0x14, 0xe2, 0x59, 0x41, 0x08, 0x4b, 0x08, 0xb1, 0x55, 0x12, 0xa2, 0x84, 0x5b, 0x25, 0x08,
-	0x12, 0x18, 0xdd, 0xd1, 0xd6, 0xf2, 0x3d, 0x7a, 0xaa, 0xcc, 0x79, 0x07, 0x1b, 0x27, 0xd4, 0x8f,
+	0xb9, 0x05, 0x9d, 0x5c, 0xf2, 0xe3, 0x29, 0xfb, 0x2d, 0xe5, 0xc1, 0x03, 0x11, 0xfb, 0x3b, 0xd5,
-	0x98, 0xd2, 0x89, 0x40, 0x83, 0x4b, 0xa1, 0xf4, 0xe7, 0x67, 0x72, 0x00, 0x1d, 0x2a, 0xf7, 0x23,
+	0xf6, 0xa1, 0x77, 0x59, 0x4c, 0x9a, 0xc4, 0x51, 0x8a, 0xe4, 0x3e, 0x34, 0xfd, 0x7c, 0x52, 0x02,
-	0x4d, 0xf6, 0x5f, 0x0d, 0x56, 0xad, 0xcf, 0x2b, 0x0a, 0x9d, 0x3e, 0x98, 0x12, 0x38, 0xef, 0xcd,
+	0xa3, 0x3d, 0x5c, 0x9d, 0x3f, 0x47, 0x4f, 0xa5, 0xb9, 0xef, 0x60, 0xe9, 0x90, 0xfa, 0x11, 0x53,
-	0x99, 0x81, 0xf9, 0x16, 0x69, 0x78, 0x3e, 0x57, 0x54, 0xbf, 0xdd, 0xec, 0xf5, 0x1a, 0x19, 0x40,
+	0x3a, 0xa9, 0x35, 0x36, 0x2a, 0xd6, 0xd8, 0xfc, 0xdd, 0x35, 0xee, 0x42, 0x47, 0x02, 0xe7, 0xb5,
-	0x4f, 0xf1, 0xca, 0x4e, 0xde, 0x83, 0xe9, 0xe1, 0x2c, 0x9e, 0xe0, 0x5f, 0x1f, 0x7a, 0x00, 0x3d,
+	0xb9, 0xef, 0xa1, 0xe3, 0xe1, 0x45, 0x7c, 0x86, 0xff, 0x9c, 0xaa, 0x07, 0xcb, 0x0a, 0x59, 0x72,
-	0x85, 0x2c, 0xb9, 0xee, 0x42, 0xef, 0x45, 0x94, 0x26, 0x18, 0x14, 0x0a, 0x2f, 0xfd, 0xaa, 0x39,
+	0xdd, 0x81, 0xe5, 0xe7, 0x51, 0x9a, 0x60, 0xa0, 0xfb, 0x9a, 0xfb, 0x5b, 0xe2, 0x3e, 0x85, 0xae,
-	0xcf, 0xa0, 0x5f, 0xd4, 0x5d, 0x7b, 0x99, 0xaf, 0x38, 0xfd, 0x39, 0xc5, 0xf4, 0x42, 0x91, 0x6d,
+	0xce, 0xfb, 0x63, 0x09, 0x5f, 0x72, 0xfa, 0x0f, 0x14, 0xd3, 0x53, 0x45, 0xb6, 0xaa, 0x77, 0x32,
-	0x15, 0x5f, 0x87, 0x9c, 0x4d, 0x7d, 0x07, 0x6e, 0xc1, 0x86, 0xe0, 0x55, 0xee, 0xd4, 0x85, 0x3b,
+	0x67, 0x53, 0xdb, 0x77, 0x13, 0x96, 0x04, 0xaf, 0xf2, 0x84, 0x29, 0x3c, 0xd1, 0x16, 0xb1, 0xdc,
-	0xbb, 0xe2, 0x2e, 0x37, 0xa7, 0xf3, 0x18, 0xfa, 0x05, 0x98, 0xec, 0xe8, 0x5e, 0xb9, 0xf5, 0x55,
+	0x12, 0xee, 0x63, 0xe8, 0x6a, 0x30, 0x59, 0xd1, 0xbd, 0x62, 0xe9, 0x55, 0x0b, 0x2e, 0x1b, 0x22,
-	0x9f, 0x9a, 0xbc, 0x64, 0xf4, 0xcd, 0x80, 0xc6, 0x61, 0xc6, 0x2e, 0xc8, 0x29, 0x74, 0x94, 0x4f,
+	0xd0, 0x7b, 0x15, 0xa6, 0x8c, 0xff, 0x42, 0xa7, 0xb2, 0x1a, 0x77, 0x17, 0xae, 0x14, 0x62, 0x12,
-	0xc9, 0xce, 0xaf, 0x7f, 0x4d, 0xf6, 0xcd, 0x95, 0x79, 0x29, 0xe7, 0x1a, 0x39, 0x82, 0xa6, 0xf0,
+	0xf4, 0x2e, 0xd4, 0x29, 0x0f, 0xd8, 0x86, 0xb0, 0xf9, 0xd5, 0xb2, 0xca, 0xd9, 0x18, 0xbd, 0x3c,
-	0x15, 0xf9, 0xbf, 0x5e, 0x5b, 0xb2, 0xb1, 0x7d, 0x63, 0x79, 0xb2, 0x40, 0x39, 0x81, 0x56, 0x6e,
+	0x63, 0xf8, 0xcd, 0x82, 0xda, 0x5e, 0xc6, 0x4e, 0xc9, 0x11, 0xb4, 0x94, 0xe3, 0xc8, 0xc6, 0xaf,
-	0x0a, 0x52, 0xaf, 0xac, 0x78, 0xd4, 0xde, 0x5e, 0x91, 0x2d, 0x03, 0xe5, 0x1b, 0x5f, 0x00, 0xaa,
+	0xf7, 0xc2, 0xb9, 0x51, 0xf9, 0x2e, 0x47, 0xb4, 0x40, 0xf6, 0xa1, 0x2e, 0x1c, 0x42, 0xae, 0x97,
-	0x58, 0x6c, 0x01, 0xa8, 0x66, 0x93, 0x35, 0xf2, 0x12, 0xda, 0xd2, 0x00, 0xa4, 0x5e, 0x5b, 0x35,
+	0x73, 0x0b, 0x86, 0x74, 0xd6, 0xe6, 0x3f, 0x6a, 0x94, 0x43, 0x68, 0xe4, 0xc3, 0x27, 0x6b, 0x33,
-	0x90, 0xbd, 0xb3, 0x2a, 0x5d, 0xc6, 0x92, 0xab, 0x23, 0x8b, 0xbc, 0x65, 0x7f, 0x2c, 0x60, 0xd5,
+	0x4e, 0x29, 0xb8, 0xcd, 0x59, 0xaf, 0x78, 0xd5, 0x40, 0x2f, 0xa0, 0x29, 0xbd, 0x40, 0xca, 0xb9,
-	0x36, 0xee, 0xac, 0x9d, 0xb5, 0xc4, 0x9f, 0xf4, 0xc1, 0xcf, 0x00, 0x00, 0x00, 0xff, 0xff, 0xb7,
+	0xd3, 0x5e, 0x72, 0x36, 0xaa, 0x9e, 0x8b, 0x58, 0x72, 0x8a, 0x64, 0x96, 0xb7, 0x68, 0x95, 0x19,
-	0xf8, 0x55, 0xb6, 0xc5, 0x07, 0x00, 0x00,
+	0xac, 0xd2, 0xf0, 0xdd, 0x05, 0xf2, 0x06, 0x16, 0xf5, 0xf8, 0x48, 0x59, 0xd6, 0xf2, 0xb0, 0x9d,
+	0x7e, 0x75, 0x82, 0x42, 0x3c, 0x69, 0x88, 0x3f, 0xf6, 0x9d, 0x9f, 0x01, 0x00, 0x00, 0xff, 0xff,
+	0x91, 0x77, 0xf2, 0xa6, 0xf9, 0x07, 0x00, 0x00,
 }

auth/service/proto/auth.pb.micro.go

@@ -36,10 +36,10 @@ var _ server.Option
 type AuthService interface {
 	Generate(ctx context.Context, in *GenerateRequest, opts ...client.CallOption) (*GenerateResponse, error)
 	Grant(ctx context.Context, in *GrantRequest, opts ...client.CallOption) (*GrantResponse, error)
-	Verify(ctx context.Context, in *VerifyRequest, opts ...client.CallOption) (*VerifyResponse, error)
 	Revoke(ctx context.Context, in *RevokeRequest, opts ...client.CallOption) (*RevokeResponse, error)
 	Inspect(ctx context.Context, in *InspectRequest, opts ...client.CallOption) (*InspectResponse, error)
 	Refresh(ctx context.Context, in *RefreshRequest, opts ...client.CallOption) (*RefreshResponse, error)
+	ListRules(ctx context.Context, in *ListRulesRequest, opts ...client.CallOption) (*ListRulesResponse, error)
 }
 
 type authService struct {
@@ -74,16 +74,6 @@ func (c *authService) Grant(ctx context.Context, in *GrantRequest, opts ...clien
 	return out, nil
 }
 
-func (c *authService) Verify(ctx context.Context, in *VerifyRequest, opts ...client.CallOption) (*VerifyResponse, error) {
-	req := c.c.NewRequest(c.name, "Auth.Verify", in)
-	out := new(VerifyResponse)
-	err := c.c.Call(ctx, req, out, opts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *authService) Revoke(ctx context.Context, in *RevokeRequest, opts ...client.CallOption) (*RevokeResponse, error) {
 	req := c.c.NewRequest(c.name, "Auth.Revoke", in)
 	out := new(RevokeResponse)
@@ -114,25 +104,35 @@ func (c *authService) Refresh(ctx context.Context, in *RefreshRequest, opts ...c
 	return out, nil
 }
 
+func (c *authService) ListRules(ctx context.Context, in *ListRulesRequest, opts ...client.CallOption) (*ListRulesResponse, error) {
+	req := c.c.NewRequest(c.name, "Auth.ListRules", in)
+	out := new(ListRulesResponse)
+	err := c.c.Call(ctx, req, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // Server API for Auth service
 
 type AuthHandler interface {
 	Generate(context.Context, *GenerateRequest, *GenerateResponse) error
 	Grant(context.Context, *GrantRequest, *GrantResponse) error
-	Verify(context.Context, *VerifyRequest, *VerifyResponse) error
 	Revoke(context.Context, *RevokeRequest, *RevokeResponse) error
 	Inspect(context.Context, *InspectRequest, *InspectResponse) error
 	Refresh(context.Context, *RefreshRequest, *RefreshResponse) error
+	ListRules(context.Context, *ListRulesRequest, *ListRulesResponse) error
 }
 
 func RegisterAuthHandler(s server.Server, hdlr AuthHandler, opts ...server.HandlerOption) error {
 	type auth interface {
 		Generate(ctx context.Context, in *GenerateRequest, out *GenerateResponse) error
 		Grant(ctx context.Context, in *GrantRequest, out *GrantResponse) error
-		Verify(ctx context.Context, in *VerifyRequest, out *VerifyResponse) error
 		Revoke(ctx context.Context, in *RevokeRequest, out *RevokeResponse) error
 		Inspect(ctx context.Context, in *InspectRequest, out *InspectResponse) error
 		Refresh(ctx context.Context, in *RefreshRequest, out *RefreshResponse) error
+		ListRules(ctx context.Context, in *ListRulesRequest, out *ListRulesResponse) error
 	}
 	type Auth struct {
 		auth
@@ -153,10 +153,6 @@ func (h *authHandler) Grant(ctx context.Context, in *GrantRequest, out *GrantRes
 	return h.AuthHandler.Grant(ctx, in, out)
 }
 
-func (h *authHandler) Verify(ctx context.Context, in *VerifyRequest, out *VerifyResponse) error {
-	return h.AuthHandler.Verify(ctx, in, out)
-}
-
 func (h *authHandler) Revoke(ctx context.Context, in *RevokeRequest, out *RevokeResponse) error {
 	return h.AuthHandler.Revoke(ctx, in, out)
 }
@@ -168,3 +164,7 @@ func (h *authHandler) Inspect(ctx context.Context, in *InspectRequest, out *Insp
 func (h *authHandler) Refresh(ctx context.Context, in *RefreshRequest, out *RefreshResponse) error {
 	return h.AuthHandler.Refresh(ctx, in, out)
 }
+
+func (h *authHandler) ListRules(ctx context.Context, in *ListRulesRequest, out *ListRulesResponse) error {
+	return h.AuthHandler.ListRules(ctx, in, out)
+}

auth/service/proto/auth.proto

@@ -5,10 +5,16 @@ package go.micro.auth;
 service Auth {
 	rpc Generate(GenerateRequest) returns (GenerateResponse) {};
 	rpc Grant(GrantRequest) returns (GrantResponse) {};
-	rpc Verify(VerifyRequest) returns (VerifyResponse) {};
 	rpc Revoke(RevokeRequest)  returns (RevokeResponse) {};
 	rpc Inspect(InspectRequest)  returns (InspectResponse) {};		
 	rpc Refresh(RefreshRequest)  returns (RefreshResponse) {};
+	rpc ListRules(ListRulesRequest) returns (ListRulesResponse) {};
+}
+
+message Rule {
+	string id = 1;
+	string role = 2;
+	Resource resource = 3;
 }
 
 message Token {
@@ -52,13 +58,6 @@ message GrantRequest {
 
 message GrantResponse {}
 
-message VerifyRequest {
-	Account account = 1;
-	Resource resource = 2;
-}
-
-message VerifyResponse {}
-
 message RevokeRequest {
 	string role = 1;
 	Resource resource = 2;
@@ -81,4 +80,11 @@ message RefreshRequest {
 
 message RefreshResponse {
 	Token token = 1;
-}
+}
+
+message ListRulesRequest {
+}
+
+message ListRulesResponse {
+	repeated Rule rules = 1;
+}

auth/service/service.go

@@ -2,7 +2,9 @@ package service
 
 import (
 	"context"
+	"fmt"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/micro/go-micro/v2/auth"
@@ -10,6 +12,7 @@ import (
 	"github.com/micro/go-micro/v2/auth/token"
 	"github.com/micro/go-micro/v2/auth/token/jwt"
 	"github.com/micro/go-micro/v2/client"
+	log "github.com/micro/go-micro/v2/logger"
 )
 
 // NewAuth returns a new instance of the Auth service
@@ -24,6 +27,9 @@ type svc struct {
 	options auth.Options
 	auth    pb.AuthService
 	jwt     token.Provider
+	rules   []*pb.Rule
+
+	sync.Mutex
 }
 
 func (s *svc) String() string {
@@ -44,6 +50,13 @@ func (s *svc) Init(opts ...auth.Option) {
 	if key := s.options.PublicKey; len(key) > 0 {
 		s.jwt = jwt.NewTokenProvider(token.WithPublicKey(key))
 	}
+
+	// load rules periodically from the auth service
+	timer := time.NewTicker(time.Second * 30)
+	go func() {
+		s.loadRules()
+		<-timer.C
+	}()
 }
 
 func (s *svc) Options() auth.Options {
@@ -95,18 +108,31 @@ func (s *svc) Revoke(role string, res *auth.Resource) error {
 
 // Verify an account has access to a resource
 func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
-	_, err := s.auth.Verify(context.TODO(), &pb.VerifyRequest{
+	queries := [][]string{
-		Account: &pb.Account{
+		{res.Type, "*"},                         // check for wildcard resource type, e.g. service.*
-			Id:    acc.ID,
+		{res.Type, res.Name, "*"},               // check for wildcard name, e.g. service.foo*
-			Roles: acc.Roles,
+		{res.Type, res.Name, res.Endpoint, "*"}, // check for wildcard endpoints, e.g. service.foo.ListFoo:*
-		},
+		{res.Type, res.Name, res.Endpoint},      // check for specific role, e.g. service.foo.ListFoo:admin
-		Resource: &pb.Resource{
+	}
-			Type:     res.Type,
+
-			Name:     res.Name,
+	// endpoint is a url which can have wildcard excludes, e.g.
-			Endpoint: res.Endpoint,
+	// "/foo/*" will allow "/foo/bar"
-		},
+	if comps := strings.Split(res.Endpoint, "/"); len(comps) > 1 {
-	})
+		for i := 1; i < len(comps); i++ {
-	return err
+			wildcard := fmt.Sprintf("%v/*", strings.Join(comps[0:i], "/"))
+			queries = append(queries, []string{res.Type, res.Name, wildcard})
+		}
+	}
+
+	for _, q := range queries {
+		for _, rule := range s.listRules(q...) {
+			if isValidRule(rule, acc, res) {
+				return nil
+			}
+		}
+	}
+
+	return auth.ErrForbidden
 }
 
 // Inspect a token
@@ -150,6 +176,62 @@ func (s *svc) Refresh(secret string, opts ...auth.RefreshOption) (*auth.Token, e
 	return serializeToken(rsp.Token), nil
 }
 
+var ruleJoinKey = ":"
+
+// isValidRule returns a bool, indicating if a rule permits access to a
+// resource for a given account
+func isValidRule(rule *pb.Rule, acc *auth.Account, res *auth.Resource) bool {
+	if rule.Role == "*" {
+		return true
+	}
+
+	for _, role := range acc.Roles {
+		if rule.Role == role {
+			return true
+		}
+
+		// allow user.anything if role is user.*
+		if strings.HasSuffix(rule.Role, ".*") && strings.HasPrefix(rule.Role, role+".") {
+			return true
+		}
+	}
+
+	return false
+}
+
+// listRules gets all the rules from the store which have an id
+// prefix matching the filters
+func (s *svc) listRules(filters ...string) []*pb.Rule {
+	s.Lock()
+	defer s.Unlock()
+
+	prefix := strings.Join(filters, ruleJoinKey)
+
+	var rules []*pb.Rule
+	for _, r := range s.rules {
+		if strings.HasPrefix(r.Id, prefix) {
+			rules = append(rules, r)
+		}
+	}
+
+	return rules
+}
+
+// loadRules retrieves the rules from the auth service
+func (s *svc) loadRules() {
+	rsp, err := s.auth.ListRules(context.TODO(), &pb.ListRulesRequest{}, client.WithRetries(3))
+	s.Lock()
+	defer s.Unlock()
+
+	if err != nil {
+		log.Errorf("Error listing rules: %v", err)
+		s.rules = []*pb.Rule{}
+		return
+	}
+
+	s.rules = rsp.Rules
+}
+
 func serializeToken(t *pb.Token) *auth.Token {
 	return &auth.Token{
 		Token:    t.Token,

auth/store/rules.go

@@ -1,74 +0,0 @@
-package store
-
-import (
-	"encoding/json"
-	"strings"
-
-	"github.com/micro/go-micro/v2/auth"
-	"github.com/micro/go-micro/v2/store"
-)
-
-// Rule is an access control rule
-type Rule struct {
-	Role     string         `json:"rule"`
-	Resource *auth.Resource `json:"resource"`
-}
-
-var joinKey = ":"
-
-// Key to be used when written to the store
-func (r *Rule) Key() string {
-	comps := []string{r.Resource.Type, r.Resource.Name, r.Resource.Endpoint, r.Role}
-	return strings.Join(comps, joinKey)
-}
-
-// Bytes returns json encoded bytes
-func (r *Rule) Bytes() []byte {
-	bytes, _ := json.Marshal(r)
-	return bytes
-}
-
-// isValidRule returns a bool, indicating if a rule permits access to a
-// resource for a given account
-func isValidRule(rule Rule, acc *auth.Account, res *auth.Resource) bool {
-	if rule.Role == "*" {
-		return true
-	}
-
-	for _, role := range acc.Roles {
-		if rule.Role == role {
-			return true
-		}
-
-		// allow user.anything if role is user.*
-		if strings.HasSuffix(rule.Role, ".*") && strings.HasPrefix(rule.Role, role+".") {
-			return true
-		}
-	}
-
-	return false
-}
-
-// listRules gets all the rules from the store which have a key
-// prefix matching the filters
-func (s *Store) listRules(filters ...string) ([]Rule, error) {
-	// get the records from the store
-	prefix := strings.Join(filters, joinKey)
-	recs, err := s.opts.Store.Read(prefix, store.ReadPrefix())
-	if err != nil {
-		return nil, err
-	}
-
-	// unmarshal the records
-	rules := make([]Rule, 0, len(recs))
-	for _, rec := range recs {
-		var r Rule
-		if err := json.Unmarshal(rec.Value, &r); err != nil {
-			return nil, err
-		}
-		rules = append(rules, r)
-	}
-
-	// return the rules
-	return rules, nil
-}

auth/store/store.go

@@ -1,171 +0,0 @@
-package store
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/micro/go-micro/v2/auth"
-	"github.com/micro/go-micro/v2/auth/token"
-	"github.com/micro/go-micro/v2/auth/token/basic"
-	"github.com/micro/go-micro/v2/store"
-	memStore "github.com/micro/go-micro/v2/store/memory"
-)
-
-// NewAuth returns a new default registry which is store
-func NewAuth(opts ...auth.Option) auth.Auth {
-	var s Store
-	s.Init(opts...)
-	return &s
-}
-
-// Store implementation of auth
-type Store struct {
-	secretProvider token.Provider
-	tokenProvider  token.Provider
-	opts           auth.Options
-}
-
-// String returns store
-func (s *Store) String() string {
-	return "store"
-}
-
-// Init the auth
-func (s *Store) Init(opts ...auth.Option) {
-	for _, o := range opts {
-		o(&s.opts)
-	}
-
-	// use the default store as a fallback
-	if s.opts.Store == nil {
-		s.opts.Store = store.DefaultStore
-	}
-
-	// noop will not work for auth
-	if s.opts.Store.String() == "noop" {
-		s.opts.Store = memStore.NewStore()
-	}
-
-	if s.tokenProvider == nil {
-		s.tokenProvider = basic.NewTokenProvider(token.WithStore(s.opts.Store))
-	}
-	if s.secretProvider == nil {
-		s.secretProvider = basic.NewTokenProvider(token.WithStore(s.opts.Store))
-	}
-}
-
-// Options returns the options
-func (s *Store) Options() auth.Options {
-	return s.opts
-}
-
-// Generate a new account
-func (s *Store) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, error) {
-	// parse the options
-	options := auth.NewGenerateOptions(opts...)
-
-	// Generate a long-lived secret
-	secretOpts := []token.GenerateOption{
-		token.WithExpiry(options.SecretExpiry),
-		token.WithMetadata(options.Metadata),
-		token.WithRoles(options.Roles...),
-	}
-	secret, err := s.secretProvider.Generate(id, secretOpts...)
-	if err != nil {
-		return nil, err
-	}
-
-	// return the account
-	return &auth.Account{
-		ID:       id,
-		Roles:    options.Roles,
-		Metadata: options.Metadata,
-		Secret:   secret,
-	}, nil
-}
-
-// Grant access to a resource
-func (s *Store) Grant(role string, res *auth.Resource) error {
-	r := Rule{role, res}
-	return s.opts.Store.Write(&store.Record{Key: r.Key(), Value: r.Bytes()})
-}
-
-// Revoke access to a resource
-func (s *Store) Revoke(role string, res *auth.Resource) error {
-	r := Rule{role, res}
-
-	err := s.opts.Store.Delete(r.Key())
-	if err == store.ErrNotFound {
-		return auth.ErrNotFound
-	}
-
-	return err
-}
-
-// Verify an account has access to a resource
-func (s *Store) Verify(acc *auth.Account, res *auth.Resource) error {
-	queries := [][]string{
-		{res.Type, "*"},                         // check for wildcard resource type, e.g. service.*
-		{res.Type, res.Name, "*"},               // check for wildcard name, e.g. service.foo*
-		{res.Type, res.Name, res.Endpoint, "*"}, // check for wildcard endpoints, e.g. service.foo.ListFoo:*
-		{res.Type, res.Name, res.Endpoint},      // check for specific role, e.g. service.foo.ListFoo:admin
-	}
-
-	// endpoint is a url which can have wildcard excludes, e.g.
-	// "/foo/*" will allow "/foo/bar"
-	if comps := strings.Split(res.Endpoint, "/"); len(comps) > 1 {
-		for i := 1; i < len(comps); i++ {
-			wildcard := fmt.Sprintf("%v/*", strings.Join(comps[0:i], "/"))
-			queries = append(queries, []string{res.Type, res.Name, wildcard})
-		}
-	}
-
-	for _, q := range queries {
-		rules, err := s.listRules(q...)
-		if err != nil {
-			return err
-		}
-
-		for _, rule := range rules {
-			if isValidRule(rule, acc, res) {
-				return nil
-			}
-		}
-	}
-
-	return auth.ErrForbidden
-}
-
-// Inspect a token
-func (s *Store) Inspect(t string) (*auth.Account, error) {
-	tok, err := s.tokenProvider.Inspect(t)
-	if err == token.ErrInvalidToken || err == token.ErrNotFound {
-		return nil, auth.ErrInvalidToken
-	} else if err != nil {
-		return nil, err
-	}
-
-	return &auth.Account{
-		ID:       tok.Subject,
-		Roles:    tok.Roles,
-		Metadata: tok.Metadata,
-	}, nil
-}
-
-// Refresh an account using a secret
-func (s *Store) Refresh(secret string, opts ...auth.RefreshOption) (*auth.Token, error) {
-	sec, err := s.secretProvider.Inspect(secret)
-	if err == token.ErrInvalidToken || err == token.ErrNotFound {
-		return nil, auth.ErrInvalidToken
-	} else if err != nil {
-		return nil, err
-	}
-
-	options := auth.NewRefreshOptions(opts...)
-
-	return s.tokenProvider.Generate(sec.Subject,
-		token.WithExpiry(options.TokenExpiry),
-		token.WithMetadata(sec.Metadata),
-		token.WithRoles(sec.Roles...),
-	)
-}

auth/store/store_test.go

@@ -1,308 +0,0 @@
-package store
-
-import (
-	"log"
-	"testing"
-
-	"github.com/micro/go-micro/v2/auth"
-	memStore "github.com/micro/go-micro/v2/store/memory"
-)
-
-func TestGenerate(t *testing.T) {
-	s := memStore.NewStore()
-	a := NewAuth(auth.Store(s))
-
-	id := "test"
-	roles := []string{"admin"}
-	metadata := map[string]string{"foo": "bar"}
-
-	opts := []auth.GenerateOption{
-		auth.WithRoles(roles...),
-		auth.WithMetadata(metadata),
-	}
-
-	// generate the account
-	acc, err := a.Generate(id, opts...)
-	if err != nil {
-		t.Fatalf("Generate returned an error: %v, expected nil", err)
-	}
-	// validate the account attributes were set correctly
-	if acc.ID != id {
-		t.Errorf("Generate returned %v as the ID, expected %v", acc.ID, id)
-	}
-	if len(acc.Roles) != len(roles) {
-		t.Errorf("Generate returned %v as the roles, expected %v", acc.Roles, roles)
-	}
-	if len(acc.Metadata) != len(metadata) {
-		t.Errorf("Generate returned %v as the metadata, expected %v", acc.Metadata, metadata)
-	}
-
-	// validate the secret is valid
-	if _, err := a.Refresh(acc.Secret.Token); err != nil {
-		t.Errorf("Generate returned an invalid secret, error: %v", err)
-	}
-}
-
-func TestGrant(t *testing.T) {
-	s := memStore.NewStore()
-	a := NewAuth(auth.Store(s))
-
-	res := &auth.Resource{Type: "service", Name: "Test", Endpoint: "Foo.Bar"}
-	if err := a.Grant("users.*", res); err != nil {
-		t.Fatalf("Grant returned an error: %v, expected nil", err)
-	}
-
-	recs, err := s.List()
-	if err != nil {
-		t.Fatalf("Could not read from the store: %v", err)
-	}
-	if len(recs) != 1 {
-		t.Errorf("Expected Grant to write 1 record, actually wrote %v", len(recs))
-	}
-}
-
-func TestRevoke(t *testing.T) {
-	s := memStore.NewStore()
-	a := NewAuth(auth.Store(s))
-
-	res := &auth.Resource{Type: "service", Name: "Test", Endpoint: "Foo.Bar"}
-	if err := a.Grant("users.*", res); err != nil {
-		t.Fatalf("Grant returned an error: %v, expected nil", err)
-	}
-
-	recs, err := s.List()
-	if err != nil {
-		t.Fatalf("Could not read from the store: %v", err)
-	}
-	if len(recs) != 1 {
-		t.Fatalf("Expected Grant to write 1 record, actually wrote %v", len(recs))
-	}
-
-	if err := a.Revoke("users.*", res); err != nil {
-		t.Fatalf("Revoke returned an error: %v, expected nil", err)
-	}
-
-	recs, err = s.List()
-	if err != nil {
-		t.Fatalf("Could not read from the store: %v", err)
-	}
-	if len(recs) != 0 {
-		t.Fatalf("Expected Revoke to delete 1 record, actually deleted %v", 1-len(recs))
-	}
-}
-
-func TestInspect(t *testing.T) {
-	a := NewAuth()
-
-	t.Run("Valid Token", func(t *testing.T) {
-		id := "test"
-		roles := []string{"admin"}
-		metadata := map[string]string{"foo": "bar"}
-
-		opts := []auth.GenerateOption{
-			auth.WithRoles(roles...),
-			auth.WithMetadata(metadata),
-		}
-
-		// generate and inspect the token
-		acc, err := a.Generate("test", opts...)
-		if err != nil {
-			log.Fatalf("Generate returned an error: %v, expected nil", err)
-		}
-		tok, err := a.Refresh(acc.Secret.Token)
-		if err != nil {
-			log.Fatalf("Refresh returned an error: %v, expected nil", err)
-		}
-		acc2, err := a.Inspect(tok.Token)
-		if err != nil {
-			log.Fatalf("Inspect returned an error: %v, expected nil", err)
-		}
-
-		// validate the account attributes were retrieved correctly
-		if acc2.ID != id {
-			t.Errorf("Generate returned %v as the ID, expected %v", acc.ID, id)
-		}
-		if len(acc2.Roles) != len(roles) {
-			t.Errorf("Generate returned %v as the roles, expected %v", acc.Roles, roles)
-		}
-		if len(acc2.Metadata) != len(metadata) {
-			t.Errorf("Generate returned %v as the metadata, expected %v", acc.Metadata, metadata)
-		}
-	})
-
-	t.Run("Invalid Token", func(t *testing.T) {
-		_, err := a.Inspect("invalid token")
-		if err != auth.ErrInvalidToken {
-			t.Errorf("Inspect returned %v error, expected %v", err, auth.ErrInvalidToken)
-		}
-	})
-}
-
-func TestRefresh(t *testing.T) {
-	a := NewAuth()
-
-	t.Run("Valid Secret", func(t *testing.T) {
-		roles := []string{"admin"}
-		metadata := map[string]string{"foo": "bar"}
-
-		opts := []auth.GenerateOption{
-			auth.WithRoles(roles...),
-			auth.WithMetadata(metadata),
-		}
-
-		// generate the account
-		acc, err := a.Generate("test", opts...)
-		if err != nil {
-			log.Fatalf("Generate returned an error: %v, expected nil", err)
-		}
-
-		// refresh the token
-		tok, err := a.Refresh(acc.Secret.Token)
-		if err != nil {
-			log.Fatalf("Refresh returned an error: %v, expected nil", err)
-		}
-
-		// validate the account attributes were set correctly
-		if acc.ID != tok.Subject {
-			t.Errorf("Refresh returned %v as the ID, expected %v", acc.ID, tok.Subject)
-		}
-		if len(acc.Roles) != len(tok.Roles) {
-			t.Errorf("Refresh returned %v as the roles, expected %v", acc.Roles, tok.Subject)
-		}
-		if len(acc.Metadata) != len(tok.Metadata) {
-			t.Errorf("Refresh returned %v as the metadata, expected %v", acc.Metadata, tok.Metadata)
-		}
-	})
-
-	t.Run("Invalid Secret", func(t *testing.T) {
-		_, err := a.Refresh("invalid secret")
-		if err != auth.ErrInvalidToken {
-			t.Errorf("Inspect returned %v error, expected %v", err, auth.ErrInvalidToken)
-		}
-	})
-}
-
-func TestVerify(t *testing.T) {
-	testRules := []struct {
-		Role     string
-		Resource *auth.Resource
-	}{
-		{
-			Role:     "*",
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.apps", Endpoint: "Apps.PublicList"},
-		},
-		{
-			Role:     "*",
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.web", Endpoint: "/foo"},
-		},
-		{
-			Role:     "*",
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.web", Endpoint: "/bar/*"},
-		},
-		{
-			Role:     "user.*",
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.apps", Endpoint: "Apps.List"},
-		},
-		{
-			Role:     "user.developer",
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.apps", Endpoint: "Apps.Update"},
-		},
-		{
-			Role:     "admin",
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.apps", Endpoint: "Apps.Delete"},
-		},
-		{
-			Role:     "admin",
-			Resource: &auth.Resource{Type: "service", Name: "*", Endpoint: "*"},
-		},
-	}
-
-	a := NewAuth()
-	for _, r := range testRules {
-		if err := a.Grant(r.Role, r.Resource); err != nil {
-			t.Fatalf("Grant returned an error: %v, expected nil", err)
-		}
-	}
-
-	testTable := []struct {
-		Name     string
-		Roles    []string
-		Resource *auth.Resource
-		Error    error
-	}{
-		{
-			Name:     "An account with no roles accessing a public endpoint",
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.apps", Endpoint: "Apps.PublicList"},
-		},
-		{
-			Name:     "An account with no roles accessing a private endpoint",
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.apps", Endpoint: "Apps.Update"},
-			Error:    auth.ErrForbidden,
-		},
-		{
-			Name:     "An account with the user role accessing a user* endpoint",
-			Roles:    []string{"user"},
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.apps", Endpoint: "Apps.List"},
-		},
-		{
-			Name:     "An account with the user role accessing a user.admin endpoint",
-			Roles:    []string{"user"},
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.apps", Endpoint: "Apps.Delete"},
-			Error:    auth.ErrForbidden,
-		},
-		{
-			Name:     "An account with the developer role accessing a user.developer endpoint",
-			Roles:    []string{"user.developer"},
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.apps", Endpoint: "Apps.Update"},
-		},
-		{
-			Name:     "An account with the developer role accessing an admin endpoint",
-			Roles:    []string{"user.developer"},
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.apps", Endpoint: "Apps.Delete"},
-			Error:    auth.ErrForbidden,
-		},
-		{
-			Name:     "An admin account accessing an admin endpoint",
-			Roles:    []string{"admin"},
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.apps", Endpoint: "Apps.Delete"},
-		},
-		{
-			Name:     "An admin account accessing a generic service endpoint",
-			Roles:    []string{"admin"},
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.foo", Endpoint: "Foo.Bar"},
-		},
-		{
-			Name:     "An admin account accessing an unauthorised endpoint",
-			Roles:    []string{"admin"},
-			Resource: &auth.Resource{Type: "infra", Name: "go.micro.foo", Endpoint: "Foo.Bar"},
-			Error:    auth.ErrForbidden,
-		},
-		{
-			Name:     "A account with no roles accessing an unauthorised endpoint",
-			Resource: &auth.Resource{Type: "infra", Name: "go.micro.foo", Endpoint: "Foo.Bar"},
-			Error:    auth.ErrForbidden,
-		},
-		{
-			Name:     "Accessing a public web path",
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.web", Endpoint: "/foo"},
-		},
-		{
-			Name:     "Accessing a public web path with an invalid wildcard endpoint",
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.web", Endpoint: "/foo/foo"},
-			Error:    auth.ErrForbidden,
-		},
-		{
-			Name:     "Accessing a public web path with wildcard endpoint",
-			Resource: &auth.Resource{Type: "service", Name: "go.micro.web", Endpoint: "/bar/foo"},
-		},
-	}
-
-	for _, tc := range testTable {
-		t.Run(tc.Name, func(t *testing.T) {
-			acc := &auth.Account{Roles: tc.Roles}
-			if err := a.Verify(acc, tc.Resource); err != tc.Error {
-				t.Errorf("Verify returned %v error, expected %v", err, tc.Error)
-			}
-		})
-	}
-}

config/cmd/cmd.go

@@ -71,7 +71,6 @@ import (
 
 	// auth
 	svcAuth "github.com/micro/go-micro/v2/auth/service"
-	storeAuth "github.com/micro/go-micro/v2/auth/store"
 
 	// auth providers
 	"github.com/micro/go-micro/v2/auth/provider/basic"
@@ -360,7 +359,6 @@ var (
 
 	DefaultAuths = map[string]func(...auth.Option) auth.Auth{
 		"service": svcAuth.NewAuth,
-		"store":   storeAuth.NewAuth,
 	}
 
 	DefaultAuthProviders = map[string]func(...provider.Option) provider.Provider{