137 lines
3.8 KiB
Go
137 lines
3.8 KiB
Go
// Package auth provides authentication and authorization capability
|
|
package auth
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"time"
|
|
)
|
|
|
|
var (
|
|
// ErrNotFound is returned when a resouce cannot be found
|
|
ErrNotFound = errors.New("not found")
|
|
// ErrEncodingToken is returned when the service encounters an error during encoding
|
|
ErrEncodingToken = errors.New("error encoding the token")
|
|
// ErrInvalidToken is returned when the token provided is not valid
|
|
ErrInvalidToken = errors.New("invalid token provided")
|
|
// ErrInvalidRole is returned when the role provided was invalid
|
|
ErrInvalidRole = errors.New("invalid role")
|
|
// ErrForbidden is returned when a user does not have the necessary roles to access a resource
|
|
ErrForbidden = errors.New("resource forbidden")
|
|
)
|
|
|
|
// Auth providers authentication and authorization
|
|
type Auth interface {
|
|
// Init the auth
|
|
Init(opts ...Option)
|
|
// Options set for auth
|
|
Options() Options
|
|
// Generate a new account
|
|
Generate(id string, opts ...GenerateOption) (*Account, error)
|
|
// Grant access to a resource
|
|
Grant(role string, res *Resource) error
|
|
// Revoke access to a resource
|
|
Revoke(role string, res *Resource) error
|
|
// Verify an account has access to a resource
|
|
Verify(acc *Account, res *Resource) error
|
|
// Inspect a token
|
|
Inspect(token string) (*Account, error)
|
|
// Token generated using refresh token
|
|
Token(opts ...TokenOption) (*Token, error)
|
|
// String returns the name of the implementation
|
|
String() string
|
|
}
|
|
|
|
// Resource is an entity such as a user or
|
|
type Resource struct {
|
|
// Name of the resource
|
|
Name string `json:"name"`
|
|
// Type of resource, e.g.
|
|
Type string `json:"type"`
|
|
// Endpoint resource e.g NotesService.Create
|
|
Endpoint string `json:"endpoint"`
|
|
}
|
|
|
|
// Account provided by an auth provider
|
|
type Account struct {
|
|
// ID of the account e.g. email
|
|
ID string `json:"id"`
|
|
// Type of the account, e.g. service
|
|
Type string `json:"type"`
|
|
// Provider who issued the account
|
|
Provider string `json:"provider"`
|
|
// Roles associated with the Account
|
|
Roles []string `json:"roles"`
|
|
// Any other associated metadata
|
|
Metadata map[string]string `json:"metadata"`
|
|
// Scopes the account has access to
|
|
Scopes []string `json:"scopes"`
|
|
// Secret for the account, e.g. the password
|
|
Secret string `json:"secret"`
|
|
}
|
|
|
|
// HasScope returns a boolean indicating if the account has the given scope
|
|
func (a *Account) HasScope(scope string) bool {
|
|
if a.Scopes == nil {
|
|
return false
|
|
}
|
|
|
|
for _, s := range a.Scopes {
|
|
if s == scope {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// HasRole returns a boolean indicating if the account has the given role
|
|
func (a *Account) HasRole(role string) bool {
|
|
if a.Roles == nil {
|
|
return false
|
|
}
|
|
|
|
for _, r := range a.Roles {
|
|
if r == role {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// Token can be short or long lived
|
|
type Token struct {
|
|
// The token to be used for accessing resources
|
|
AccessToken string `json:"access_token"`
|
|
// RefreshToken to be used to generate a new token
|
|
RefreshToken string `json:"refresh_token"`
|
|
// Time of token creation
|
|
Created time.Time `json:"created"`
|
|
// Time of token expiry
|
|
Expiry time.Time `json:"expiry"`
|
|
}
|
|
|
|
const (
|
|
// TokenCookieName is the name of the cookie which stores the auth token
|
|
TokenCookieName = "micro-token"
|
|
// BearerScheme used for Authorization header
|
|
BearerScheme = "Bearer "
|
|
)
|
|
|
|
type accountKey struct{}
|
|
|
|
// AccountFromContext gets the account from the context, which
|
|
// is set by the auth wrapper at the start of a call. If the account
|
|
// is not set, a nil account will be returned. The error is only returned
|
|
// when there was a problem retrieving an account
|
|
func AccountFromContext(ctx context.Context) (*Account, bool) {
|
|
acc, ok := ctx.Value(accountKey{}).(*Account)
|
|
return acc, ok
|
|
}
|
|
|
|
// ContextWithAccount sets the account in the context
|
|
func ContextWithAccount(ctx context.Context, account *Account) context.Context {
|
|
return context.WithValue(ctx, accountKey{}, account)
|
|
}
|