You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
70 lines
2.3 KiB
Go
70 lines
2.3 KiB
Go
package endpointroles
|
|
|
|
import (
|
|
"context"
|
|
|
|
"go-micro.dev/v4/errors"
|
|
"go-micro.dev/v4/server"
|
|
"jochum.dev/jo-micro/auth2"
|
|
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
type EndpointRolesVerifier struct {
|
|
rules map[string]Rule
|
|
endpointnames []string
|
|
options Options
|
|
}
|
|
|
|
func NewVerifier(opts ...Option) *EndpointRolesVerifier {
|
|
options := NewOptions(opts...)
|
|
|
|
return &EndpointRolesVerifier{
|
|
rules: make(map[string]Rule, 0),
|
|
endpointnames: []string{},
|
|
options: options,
|
|
}
|
|
}
|
|
|
|
func (v *EndpointRolesVerifier) AddRules(rules ...Rule) {
|
|
for _, rule := range rules {
|
|
v.endpointnames = append(v.endpointnames, rule.Endpoint)
|
|
v.rules[rule.Endpoint] = rule
|
|
}
|
|
}
|
|
|
|
func (v *EndpointRolesVerifier) logrus() *logrus.Logger {
|
|
if v.options.Logrus == nil {
|
|
return logrus.StandardLogger()
|
|
}
|
|
|
|
return v.options.Logrus
|
|
}
|
|
|
|
func (v *EndpointRolesVerifier) Verify(ctx context.Context, u *auth2.User, req server.Request) (error, bool) {
|
|
if ep, ok := v.rules[req.Endpoint()]; ok {
|
|
if auth2.IntersectsRoles(u, ep.RolesDeny...) {
|
|
v.logrus().WithField("endpoint", req.Endpoint()).WithField("rolesDeny", ep.RolesDeny).WithField("userRoles", u.Roles).Debug("Unauthorized")
|
|
return errors.Unauthorized("auth2/plugins/verifier/endpointroles/EndpointRolesVerifier.Verify|Denied by rule", "Unauthorized"), false
|
|
}
|
|
if auth2.IntersectsRoles(u, ep.RolesAllow...) {
|
|
v.logrus().WithField("endpoint", req.Endpoint()).WithField("rolesAllow", ep.RolesAllow).WithField("userRoles", u.Roles).Trace("Authorized")
|
|
// Allowed by role
|
|
return nil, false
|
|
}
|
|
|
|
if v.options.DefaultDeny {
|
|
v.logrus().WithField("endpoint", req.Endpoint()).WithField("user_roles", u.Roles).WithField("roles_allow", ep.RolesAllow).Debug("DefaultDeny: No matching role")
|
|
return errors.Unauthorized("auth2/plugins/verifier/endpointroles/EndpointRolesVerifier.Verify|No matching role", "Unauthorized"), true
|
|
}
|
|
}
|
|
|
|
if !v.options.DefaultDeny {
|
|
v.logrus().WithField("endpoint", req.Endpoint()).WithField("endpoints", v.endpointnames).Trace("DefaultAllow: No rule")
|
|
return nil, true
|
|
}
|
|
|
|
v.logrus().WithField("endpoint", req.Endpoint()).WithField("endpoints", v.endpointnames).Debug("DefaultDeny: no rule")
|
|
return errors.Unauthorized("auth2/plugins/verifier/endpointroles/EndpointRolesVerifier.Verify|No rule", "Unauthorized"), false
|
|
}
|