1
0
mirror of https://github.com/go-micro/go-micro.git synced 2024-12-18 08:26:38 +02:00
go-micro/auth/auth.go

138 lines
4.1 KiB
Go
Raw Normal View History

2019-11-25 11:30:26 +02:00
// Package auth provides authentication and authorization capability
package auth
2019-11-25 11:33:30 +02:00
import (
2020-03-04 11:54:52 +02:00
"context"
"errors"
2019-11-25 11:33:30 +02:00
"time"
)
2020-05-22 12:37:12 +02:00
const (
2022-09-30 16:27:07 +02:00
// BearerScheme used for Authorization header.
2020-05-22 12:37:12 +02:00
BearerScheme = "Bearer "
2022-09-30 16:27:07 +02:00
// ScopePublic is the scope applied to a rule to allow access to the public.
2020-05-22 12:37:12 +02:00
ScopePublic = ""
2022-09-30 16:27:07 +02:00
// ScopeAccount is the scope applied to a rule to limit to users with any valid account.
2020-05-22 12:37:12 +02:00
ScopeAccount = "*"
)
2020-05-20 12:59:01 +02:00
var (
2022-09-30 16:27:07 +02:00
// ErrInvalidToken is when the token provided is not valid.
ErrInvalidToken = errors.New("invalid token provided")
2022-09-30 16:27:07 +02:00
// ErrForbidden is when a user does not have the necessary scope to access a resource.
ErrForbidden = errors.New("resource forbidden")
)
2022-09-30 16:27:07 +02:00
// Auth provides authentication and authorization.
2019-11-25 11:30:26 +02:00
type Auth interface {
// Init the auth
Init(opts ...Option)
// Options set for auth
Options() Options
// Generate a new account
2020-04-01 18:20:02 +02:00
Generate(id string, opts ...GenerateOption) (*Account, error)
// Inspect a token
Inspect(token string) (*Account, error)
2020-05-20 12:59:01 +02:00
// Token generated using refresh token or credentials
2020-04-01 15:25:00 +02:00
Token(opts ...TokenOption) (*Token, error)
2020-12-12 22:08:39 +02:00
// String returns the name of the implementation
String() string
}
2022-09-30 16:27:07 +02:00
// Rules manages access to resources.
2020-12-12 22:08:39 +02:00
type Rules interface {
// Verify an account has access to a resource using the rules
Verify(acc *Account, res *Resource, opts ...VerifyOption) error
2020-05-20 12:59:01 +02:00
// Grant access to a resource
Grant(rule *Rule) error
// Revoke access to a resource
Revoke(rule *Rule) error
2020-12-12 22:08:39 +02:00
// List returns all the rules used to verify requests
List(...ListOption) ([]*Rule, error)
2019-12-17 23:27:05 +02:00
}
2022-09-30 16:27:07 +02:00
// Account provided by an auth provider.
type Account struct {
2023-04-26 02:16:34 +02:00
// Any other associated metadata
Metadata map[string]string `json:"metadata"`
2020-03-31 18:01:51 +02:00
// ID of the account e.g. email
ID string `json:"id"`
// Type of the account, e.g. service
Type string `json:"type"`
2020-05-21 17:41:55 +02:00
// Issuer of the account
Issuer string `json:"issuer"`
2020-03-31 19:17:01 +02:00
// Secret for the account, e.g. the password
Secret string `json:"secret"`
2023-04-26 02:16:34 +02:00
// Scopes the account has access to
Scopes []string `json:"scopes"`
}
2022-09-30 16:27:07 +02:00
// Token can be short or long lived.
type Token struct {
// Time of token creation
2019-11-25 11:30:26 +02:00
Created time.Time `json:"created"`
// Time of token expiry
2019-11-25 11:30:26 +02:00
Expiry time.Time `json:"expiry"`
2023-04-26 02:16:34 +02:00
// The token to be used for accessing resources
AccessToken string `json:"access_token"`
// RefreshToken to be used to generate a new token
RefreshToken string `json:"refresh_token"`
2019-11-25 11:30:26 +02:00
}
2020-03-04 11:54:52 +02:00
2022-09-30 16:27:07 +02:00
// Expired returns a boolean indicating if the token needs to be refreshed.
2020-05-20 12:59:01 +02:00
func (t *Token) Expired() bool {
return t.Expiry.Unix() < time.Now().Unix()
}
2022-09-30 16:27:07 +02:00
// Resource is an entity such as a user or.
2020-05-20 12:59:01 +02:00
type Resource struct {
// Name of the resource, e.g. go.micro.service.notes
Name string `json:"name"`
// Type of resource, e.g. service
Type string `json:"type"`
// Endpoint resource e.g NotesService.Create
Endpoint string `json:"endpoint"`
}
2022-09-30 16:27:07 +02:00
// Access defines the type of access a rule grants.
2020-05-20 12:59:01 +02:00
type Access int
2020-03-04 11:54:52 +02:00
const (
2022-09-30 16:27:07 +02:00
// AccessGranted to a resource.
2020-05-20 12:59:01 +02:00
AccessGranted Access = iota
2022-09-30 16:27:07 +02:00
// AccessDenied to a resource.
2020-05-20 12:59:01 +02:00
AccessDenied
2020-03-04 11:54:52 +02:00
)
2022-09-30 16:27:07 +02:00
// Rule is used to verify access to a resource.
2020-05-20 12:59:01 +02:00
type Rule struct {
2023-04-26 02:16:34 +02:00
// Resource the rule applies to
Resource *Resource
2020-05-20 12:59:01 +02:00
// ID of the rule, e.g. "public"
ID string
2020-05-21 15:56:17 +02:00
// Scope the rule requires, a blank scope indicates open to the public and * indicates the rule
2020-05-20 12:59:01 +02:00
// applies to any valid account
2020-05-21 15:56:17 +02:00
Scope string
2020-05-20 12:59:01 +02:00
// Access determines if the rule grants or denies access to the resource
Access Access
// Priority the rule should take when verifying a request, the higher the value the sooner the
// rule will be applied
Priority int32
}
type accountKey struct{}
2020-03-04 11:54:52 +02:00
// AccountFromContext gets the account from the context, which
// is set by the auth wrapper at the start of a call. If the account
// is not set, a nil account will be returned. The error is only returned
2022-09-30 16:27:07 +02:00
// when there was a problem retrieving an account.
func AccountFromContext(ctx context.Context) (*Account, bool) {
acc, ok := ctx.Value(accountKey{}).(*Account)
return acc, ok
2020-03-04 11:54:52 +02:00
}
2022-09-30 16:27:07 +02:00
// ContextWithAccount sets the account in the context.
func ContextWithAccount(ctx context.Context, account *Account) context.Context {
return context.WithValue(ctx, accountKey{}, account)
2020-03-04 11:54:52 +02:00
}