go/go-micro
1
0
Fork 0
mirror of https://github.com/go-micro/go-micro.git synced 2025-04-17 11:06:19 +02:00
Code Issues Releases Activity

move rules

Browse Source
This commit is contained in:
Asim Aslam 2020-12-12 19:08:36 +00:00
parent d07de3751e
commit 19ac4fbcaf
3 changed files with 94 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
auth/jwt/jwt.go
View File

@ -5,7 +5,6 @@ import (
"time"
"github.com/micro/go-micro/v2/auth"
"github.com/micro/go-micro/v2/auth/rules"
"github.com/micro/go-micro/v2/auth/token"
jwtToken "github.com/micro/go-micro/v2/auth/token/jwt"
)
@ -102,7 +101,7 @@ func (j *jwt) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyO
o(&options)
}
return rules.Verify(j.rules, acc, res)
return auth.Verify(j.rules, acc, res)
}
func (j *jwt) Rules(opts ...auth.RulesOption) ([]*auth.Rule, error) {

28
auth/rules/rules.go → auth/rules.go
View File

@ -1,17 +1,15 @@
package rules
package auth
import (
"fmt"
"sort"
"strings"
"github.com/micro/go-micro/v2/auth"
)
// Verify an account has access to a resource using the rules provided. If the account does not have
// access an error will be returned. If there are no rules provided which match the resource, an error
// will be returned
func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
func Verify(rules []*Rule, acc *Account, res *Resource) error {
// the rule is only to be applied if the type matches the resource or is catch-all (*)
validTypes := []string{"*", res.Type}
@ -29,7 +27,7 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
}
// filter the rules to the ones which match the criteria above
filteredRules := make([]*auth.Rule, 0)
filteredRules := make([]*Rule, 0)
for _, rule := range rules {
if !include(validTypes, rule.Resource.Type) {
continue
@ -51,9 +49,9 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
// loop through the rules and check for a rule which applies to this account
for _, rule := range filteredRules {
// a blank scope indicates the rule applies to everyone, even nil accounts
if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessDenied {
return auth.ErrForbidden
} else if rule.Scope == auth.ScopePublic && rule.Access == auth.AccessGranted {
if rule.Scope == ScopePublic && rule.Access == AccessDenied {
return ErrForbidden
} else if rule.Scope == ScopePublic && rule.Access == AccessGranted {
return nil
}
@ -63,22 +61,22 @@ func Verify(rules []*auth.Rule, acc *auth.Account, res *auth.Resource) error {
}
// this rule applies to any account
if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessDenied {
return auth.ErrForbidden
} else if rule.Scope == auth.ScopeAccount && rule.Access == auth.AccessGranted {
if rule.Scope == ScopeAccount && rule.Access == AccessDenied {
return ErrForbidden
} else if rule.Scope == ScopeAccount && rule.Access == AccessGranted {
return nil
}
// if the account has the necessary scope
if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessDenied {
return auth.ErrForbidden
} else if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessGranted {
if include(acc.Scopes, rule.Scope) && rule.Access == AccessDenied {
return ErrForbidden
} else if include(acc.Scopes, rule.Scope) && rule.Access == AccessGranted {
return nil
}
}
// if no rules matched then return forbidden
return auth.ErrForbidden
return ErrForbidden
}
// include is a helper function which checks to see if the slice contains the value. includes is

162
auth/rules/rules_test.go → auth/rules_test.go
View File

@ -1,25 +1,23 @@
package rules
package auth
import (
"testing"
"github.com/micro/go-micro/v2/auth"
)
func TestVerify(t *testing.T) {
srvResource := &auth.Resource{
srvResource := &Resource{
Type: "service",
Name: "go.micro.service.foo",
Endpoint: "Foo.Bar",
}
webResource := &auth.Resource{
webResource := &Resource{
Type: "service",
Name: "go.micro.web.foo",
Endpoint: "/foo/bar",
}
catchallResource := &auth.Resource{
catchallResource := &Resource{
Type: "*",
Name: "*",
Endpoint: "*",
@ -27,24 +25,24 @@ func TestVerify(t *testing.T) {
tt := []struct {
Name string
Rules []*auth.Rule
Account *auth.Account
Resource *auth.Resource
Rules []*Rule
Account *Account
Resource *Resource
Error error
}{
{
Name: "NoRules",
Rules: []*auth.Rule{},
Rules: []*Rule{},
Account: nil,
Resource: srvResource,
Error: auth.ErrForbidden,
Error: ErrForbidden,
},
{
Name: "CatchallPublicAccount",
Account: &auth.Account{},
Account: &Account{},
Resource: srvResource,
Rules: []*auth.Rule{
&auth.Rule{
Rules: []*Rule{
&Rule{
Scope: "",
Resource: catchallResource,
},
@ -53,8 +51,8 @@ func TestVerify(t *testing.T) {
{
Name: "CatchallPublicNoAccount",
Resource: srvResource,
Rules: []*auth.Rule{
&auth.Rule{
Rules: []*Rule{
&Rule{
Scope: "",
Resource: catchallResource,
},
@ -62,10 +60,10 @@ func TestVerify(t *testing.T) {
},
{
Name: "CatchallPrivateAccount",
Account: &auth.Account{},
Account: &Account{},
Resource: srvResource,
Rules: []*auth.Rule{
&auth.Rule{
Rules: []*Rule{
&Rule{
Scope: "*",
Resource: catchallResource,
},
@ -74,22 +72,22 @@ func TestVerify(t *testing.T) {
{
Name: "CatchallPrivateNoAccount",
Resource: srvResource,
Rules: []*auth.Rule{
&auth.Rule{
Rules: []*Rule{
&Rule{
Scope: "*",
Resource: catchallResource,
},
},
Error: auth.ErrForbidden,
Error: ErrForbidden,
},
{
Name: "CatchallServiceRuleMatch",
Resource: srvResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Account: &Account{},
Rules: []*Rule{
&Rule{
Scope: "*",
Resource: &auth.Resource{
Resource: &Resource{
Type: srvResource.Type,
Name: srvResource.Name,
Endpoint: "*",
@ -100,27 +98,27 @@ func TestVerify(t *testing.T) {
{
Name: "CatchallServiceRuleNoMatch",
Resource: srvResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Account: &Account{},
Rules: []*Rule{
&Rule{
Scope: "*",
Resource: &auth.Resource{
Resource: &Resource{
Type: srvResource.Type,
Name: "wrongname",
Endpoint: "*",
},
},
},
Error: auth.ErrForbidden,
Error: ErrForbidden,
},
{
Name: "ExactRuleValidScope",
Resource: srvResource,
Account: &auth.Account{
Account: &Account{
Scopes: []string{"neededscope"},
},
Rules: []*auth.Rule{
&auth.Rule{
Rules: []*Rule{
&Rule{
Scope: "neededscope",
Resource: srvResource,
},
@ -129,58 +127,58 @@ func TestVerify(t *testing.T) {
{
Name: "ExactRuleInvalidScope",
Resource: srvResource,
Account: &auth.Account{
Account: &Account{
Scopes: []string{"neededscope"},
},
Rules: []*auth.Rule{
&auth.Rule{
Rules: []*Rule{
&Rule{
Scope: "invalidscope",
Resource: srvResource,
},
},
Error: auth.ErrForbidden,
Error: ErrForbidden,
},
{
Name: "CatchallDenyWithAccount",
Resource: srvResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Account: &Account{},
Rules: []*Rule{
&Rule{
Scope: "*",
Resource: catchallResource,
Access: auth.AccessDenied,
Access: AccessDenied,
},
},
Error: auth.ErrForbidden,
Error: ErrForbidden,
},
{
Name: "CatchallDenyWithNoAccount",
Resource: srvResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Account: &Account{},
Rules: []*Rule{
&Rule{
Scope: "*",
Resource: catchallResource,
Access: auth.AccessDenied,
Access: AccessDenied,
},
},
Error: auth.ErrForbidden,
Error: ErrForbidden,
},
{
Name: "RulePriorityGrantFirst",
Resource: srvResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Account: &Account{},
Rules: []*Rule{
&Rule{
Scope: "*",
Resource: catchallResource,
Access: auth.AccessGranted,
Access: AccessGranted,
Priority: 1,
},
&auth.Rule{
&Rule{
Scope: "*",
Resource: catchallResource,
Access: auth.AccessDenied,
Access: AccessDenied,
Priority: 0,
},
},
@ -188,29 +186,29 @@ func TestVerify(t *testing.T) {
{
Name: "RulePriorityDenyFirst",
Resource: srvResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Account: &Account{},
Rules: []*Rule{
&Rule{
Scope: "*",
Resource: catchallResource,
Access: auth.AccessGranted,
Access: AccessGranted,
Priority: 0,
},
&auth.Rule{
&Rule{
Scope: "*",
Resource: catchallResource,
Access: auth.AccessDenied,
Access: AccessDenied,
Priority: 1,
},
},
Error: auth.ErrForbidden,
Error: ErrForbidden,
},
{
Name: "WebExactEndpointValid",
Resource: webResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Account: &Account{},
Rules: []*Rule{
&Rule{
Scope: "*",
Resource: webResource,
},
@ -219,27 +217,27 @@ func TestVerify(t *testing.T) {
{
Name: "WebExactEndpointInalid",
Resource: webResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Account: &Account{},
Rules: []*Rule{
&Rule{
Scope: "*",
Resource: &auth.Resource{
Resource: &Resource{
Type: webResource.Type,
Name: webResource.Name,
Endpoint: "invalidendpoint",
},
},
},
Error: auth.ErrForbidden,
Error: ErrForbidden,
},
{
Name: "WebWildcardEndpoint",
Resource: webResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Account: &Account{},
Rules: []*Rule{
&Rule{
Scope: "*",
Resource: &auth.Resource{
Resource: &Resource{
Type: webResource.Type,
Name: webResource.Name,
Endpoint: "*",
@ -250,11 +248,11 @@ func TestVerify(t *testing.T) {
{
Name: "WebWildcardPathEndpointValid",
Resource: webResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Account: &Account{},
Rules: []*Rule{
&Rule{
Scope: "*",
Resource: &auth.Resource{
Resource: &Resource{
Type: webResource.Type,
Name: webResource.Name,
Endpoint: "/foo/*",
@ -265,18 +263,18 @@ func TestVerify(t *testing.T) {
{
Name: "WebWildcardPathEndpointInvalid",
Resource: webResource,
Account: &auth.Account{},
Rules: []*auth.Rule{
&auth.Rule{
Account: &Account{},
Rules: []*Rule{
&Rule{
Scope: "*",
Resource: &auth.Resource{
Resource: &Resource{
Type: webResource.Type,
Name: webResource.Name,
Endpoint: "/bar/*",
},
},
},
Error: auth.ErrForbidden,
Error: ErrForbidden,
},
}