securityService.go
package application
import (
"context"
"fmt"
"flamingo.me/flamingo/v3/core/security/application/voter"
"flamingo.me/flamingo/v3/core/security/domain"
"flamingo.me/flamingo/v3/framework/web"
)
// Voter strategies accepted for the security.roles.voters.strategy setting.
// SecurityServiceImpl.decide compares the configured value against these
// constants and panics on any other value.
const (
	// VoterStrategyAffirmative grants access as soon as at least one voter
	// grants, regardless of how many voters deny.
	VoterStrategyAffirmative = "affirmative"
	// VoterStrategyConsensus grants access when more voters grant than deny
	// and denies when more voters deny than grant.
	VoterStrategyConsensus = "consensus"
	// VoterStrategyUnanimous denies access as soon as one voter denies and
	// grants only when nobody denies and at least one voter grants.
	VoterStrategyUnanimous = "unanimous"
)
// SecurityService answers authentication and authorization questions for a
// web session.
type SecurityService interface {
	// IsLoggedIn reports whether the session is granted the user role permission.
	IsLoggedIn(context.Context, *web.Session) bool
	// IsLoggedOut reports the negation of IsLoggedIn for the session.
	IsLoggedOut(context.Context, *web.Session) bool
	// IsGranted reports whether the session is granted the named permission,
	// optionally in relation to the given object.
	IsGranted(context.Context, *web.Session, string, interface{}) bool
}

// SecurityServiceImpl is the voter-based SecurityService: every registered
// voter casts a vote and the configured strategy turns the votes into a
// single grant/deny decision.
type SecurityServiceImpl struct {
	// voters are consulted, in slice order, on every IsGranted call.
	voters []voter.SecurityVoter
	// voterStrategy must equal one of the VoterStrategy* constants;
	// decide panics on any other value.
	voterStrategy string
	// allowIfAllAbstain is the fallback decision when the strategy cannot
	// decide from the vote counts. Setting it to true makes the service
	// fail open in those cases.
	allowIfAllAbstain bool
}
// Compile-time check that *SecurityServiceImpl satisfies SecurityService.
var _ SecurityService = (*SecurityServiceImpl)(nil)
// Inject stores the registered voters and the voting configuration.
//
// The strategy string is stored as given and is not validated here; an
// unrecognized value is only detected in decide, which panics when the
// first access decision is made.
func (s *SecurityServiceImpl) Inject(v []voter.SecurityVoter, cfg *struct {
	VoterStrategy     string `inject:"config:security.roles.voters.strategy"`
	AllowIfAllAbstain bool   `inject:"config:security.roles.voters.allowIfAllAbstain"`
}) {
	s.voters = v
	// Copy the two configuration values onto the service.
	s.voterStrategy = cfg.VoterStrategy
	s.allowIfAllAbstain = cfg.AllowIfAllAbstain
}
// IsLoggedIn reports whether the session is granted the permission of
// domain.RoleUser. It is an ordinary IsGranted decision, so the configured
// voter strategy and the allowIfAllAbstain fallback apply to it as well.
func (s *SecurityServiceImpl) IsLoggedIn(ctx context.Context, session *web.Session) bool {
	userPermission := domain.RoleUser.Permission()
	return s.IsGranted(ctx, session, userPermission, nil)
}
// IsLoggedOut reports whether the session is NOT granted the permission of
// domain.RoleUser; it is the exact negation of the IsLoggedIn decision.
func (s *SecurityServiceImpl) IsLoggedOut(ctx context.Context, session *web.Session) bool {
	userPermission := domain.RoleUser.Permission()
	isUser := s.IsGranted(ctx, session, userPermission, nil)
	return !isUser
}
// IsGranted asks every registered voter for a vote on permission (optionally
// in relation to object) and returns the decision of the configured strategy.
//
// All voters are always consulted; there is no short-circuit on the first
// grant or deny. When no voters are registered the vote list is empty and
// the result is the allowIfAllAbstain setting, so that setting decides
// whether an empty voter list fails open or closed.
func (s *SecurityServiceImpl) IsGranted(ctx context.Context, session *web.Session, permission string, object interface{}) bool {
	votes := make([]int, len(s.voters))
	for i := range s.voters {
		votes[i] = s.voters[i].Vote(ctx, session, permission, object)
	}

	return s.decide(votes)
}
// decide tallies the collected votes and applies the configured strategy.
//
// Only voter.AccessGranted and voter.AccessDenied are counted; every other
// value is ignored here (presumably an abstention; confirm against the voter
// package). The function panics when s.voterStrategy matches none of the
// VoterStrategy* constants. That check runs on every decision, because
// Inject does not validate the configured value.
func (s *SecurityServiceImpl) decide(results []int) bool {
	var granted, denied int
	for _, vote := range results {
		if vote == voter.AccessGranted {
			granted++
		} else if vote == voter.AccessDenied {
			denied++
		}
	}

	switch s.voterStrategy {
	case VoterStrategyAffirmative:
		return s.decideAffirmative(granted, denied)
	case VoterStrategyConsensus:
		return s.decideConsensus(granted, denied)
	case VoterStrategyUnanimous:
		return s.decideUnanimous(granted, denied)
	default:
		// No decision is returned for an unknown strategy.
		panic(fmt.Sprintf("unrecognized voter strategy: %s", s.voterStrategy))
	}
}
// decideAffirmative grants access when at least one voter granted, even if
// other voters denied. With no grants it denies when at least one voter
// denied, and falls back to allowIfAllAbstain when nobody granted or denied.
func (s *SecurityServiceImpl) decideAffirmative(granted int, denied int) bool {
	switch {
	case granted > 0:
		return true
	case denied > 0:
		return false
	default:
		return s.allowIfAllAbstain
	}
}
// decideConsensus follows the majority of grant and deny votes.
//
// When both counts are equal the result is allowIfAllAbstain. This covers
// not only the case where every voter abstained but also a non-zero tie
// (for example one grant against one deny), so enabling allowIfAllAbstain
// also resolves ties in favour of access.
func (s *SecurityServiceImpl) decideConsensus(granted int, denied int) bool {
	switch {
	case granted > denied:
		return true
	case denied > granted:
		return false
	default:
		return s.allowIfAllAbstain
	}
}
// decideUnanimous denies access as soon as one voter denied. Without any
// denial it grants when at least one voter granted, and falls back to
// allowIfAllAbstain when nobody granted or denied.
func (s *SecurityServiceImpl) decideUnanimous(granted int, denied int) bool {
	switch {
	case denied > 0:
		return false
	case granted > 0:
		return true
	default:
		return s.allowIfAllAbstain
	}
}