package store import ( "fmt" "strings" "github.com/micro/go-micro/v2/auth" "github.com/micro/go-micro/v2/auth/token" "github.com/micro/go-micro/v2/auth/token/basic" "github.com/micro/go-micro/v2/store" memStore "github.com/micro/go-micro/v2/store/memory" ) // NewAuth returns a new default registry which is store func NewAuth(opts ...auth.Option) auth.Auth { var s Store s.Init(opts...) return &s } // Store implementation of auth type Store struct { secretProvider token.Provider tokenProvider token.Provider opts auth.Options } // String returns store func (s *Store) String() string { return "store" } // Init the auth func (s *Store) Init(opts ...auth.Option) { for _, o := range opts { o(&s.opts) } // use the default store as a fallback if s.opts.Store == nil { s.opts.Store = store.DefaultStore } // noop will not work for auth if s.opts.Store.String() == "noop" { s.opts.Store = memStore.NewStore() } if s.tokenProvider == nil { s.tokenProvider = basic.NewTokenProvider(token.WithStore(s.opts.Store)) } if s.secretProvider == nil { s.secretProvider = basic.NewTokenProvider(token.WithStore(s.opts.Store)) } } // Options returns the options func (s *Store) Options() auth.Options { return s.opts } // Generate a new account func (s *Store) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, error) { // parse the options options := auth.NewGenerateOptions(opts...) // Generate a long-lived secret secretOpts := []token.GenerateOption{ token.WithExpiry(options.SecretExpiry), token.WithMetadata(options.Metadata), token.WithRoles(options.Roles), } secret, err := s.secretProvider.Generate(id, secretOpts...) if err != nil { return nil, err } // return the account return &auth.Account{ ID: id, Roles: options.Roles, Metadata: options.Metadata, Secret: secret, }, nil } // Grant access to a resource func (s *Store) Grant(role string, res *auth.Resource) error { r := Rule{role, res} return s.opts.Store.Write(&store.Record{Key: r.Key(), Value: r.Bytes()}) } // Revoke access to a resource func (s *Store) Revoke(role string, res *auth.Resource) error { r := Rule{role, res} err := s.opts.Store.Delete(r.Key()) if err == store.ErrNotFound { return auth.ErrNotFound } return err } // Verify an account has access to a resource func (s *Store) Verify(acc *auth.Account, res *auth.Resource) error { queries := [][]string{ {res.Type, "*"}, // check for wildcard resource type, e.g. service.* {res.Type, res.Name, "*"}, // check for wildcard name, e.g. service.foo* {res.Type, res.Name, res.Endpoint, "*"}, // check for wildcard endpoints, e.g. service.foo.ListFoo:* {res.Type, res.Name, res.Endpoint}, // check for specific role, e.g. service.foo.ListFoo:admin } // endpoint is a url which can have wildcard excludes, e.g. // "/foo/*" will allow "/foo/bar" if comps := strings.Split(res.Endpoint, "/"); len(comps) > 1 { for i := 1; i < len(comps); i++ { wildcard := fmt.Sprintf("%v/*", strings.Join(comps[0:i], "/")) queries = append(queries, []string{res.Type, res.Name, wildcard}) } } for _, q := range queries { rules, err := s.listRules(q...) if err != nil { return err } for _, rule := range rules { if isValidRule(rule, acc, res) { return nil } } } return auth.ErrForbidden } // Inspect a token func (s *Store) Inspect(t string) (*auth.Account, error) { tok, err := s.tokenProvider.Inspect(t) if err == token.ErrInvalidToken || err == token.ErrNotFound { return nil, auth.ErrInvalidToken } else if err != nil { return nil, err } return &auth.Account{ ID: tok.Subject, Roles: tok.Roles, Metadata: tok.Metadata, }, nil } // Refresh an account using a secret func (s *Store) Refresh(secret string, opts ...auth.RefreshOption) (*auth.Token, error) { sec, err := s.secretProvider.Inspect(secret) if err == token.ErrInvalidToken || err == token.ErrNotFound { return nil, auth.ErrInvalidToken } else if err != nil { return nil, err } options := auth.NewRefreshOptions(opts...) return s.tokenProvider.Generate(sec.Subject, token.WithExpiry(options.TokenExpiry), token.WithMetadata(sec.Metadata), token.WithRoles(sec.Roles), ) }