package application
import (
"context"
"flamingo.me/flamingo/v3/core/security/application/role"
"fmt"
"flamingo.me/flamingo/v3/core/security/application/voter"
"flamingo.me/flamingo/v3/core/security/domain"
"flamingo.me/flamingo/v3/framework/web"
)
// Voter strategies accepted by SecurityServiceImpl (configured through
// security.roles.voters.strategy). Each names how the per-voter decisions
// collected by IsGranted are folded into one allow/deny answer; when no voter
// grants or denies, every strategy falls back to allowIfAllAbstain.
const (
	// VoterStrategyAffirmative grants access when at least one voter grants it,
	// regardless of denials.
	VoterStrategyAffirmative = "affirmative"

	// VoterStrategyConsensus grants access when grants outnumber denials; a tie
	// resolves to allowIfAllAbstain.
	VoterStrategyConsensus = "consensus"

	// VoterStrategyUnanimous denies access when at least one voter denies it.
	VoterStrategyUnanimous = "unanimous"
)
// SecurityService answers authorization questions about the user behind a
// session: whether they are logged in, logged out, or hold a given permission.
type SecurityService interface {
	// IsLoggedIn reports whether the session's user holds domain.PermissionAuthorized.
	IsLoggedIn(ctx context.Context, session *web.Session) bool
	// IsLoggedOut is the negation of IsLoggedIn.
	IsLoggedOut(ctx context.Context, session *web.Session) bool
	// IsGranted reports whether the session's user holds permission on object;
	// object is nil for checks that are not scoped to a particular object.
	IsGranted(ctx context.Context, session *web.Session, permission string, object interface{}) bool
}

// SecurityServiceImpl is the default SecurityService: it asks every
// configured voter for a decision and combines the decisions according to
// voterStrategy (one of the VoterStrategy* constants).
type SecurityServiceImpl struct {
	voters            []voter.SecurityVoter // consulted in order by IsGranted
	roleService       role.Service          // supplies the session's permission set
	voterStrategy     string                // one of the VoterStrategy* constants
	allowIfAllAbstain bool                  // result when no voter grants or denies
}
// Compile-time check that *SecurityServiceImpl satisfies SecurityService.
var _ SecurityService = (*SecurityServiceImpl)(nil)
// Inject receives the service's dependencies from the DI container: the
// voters to consult, the role service that supplies a session's permissions,
// and the voter configuration read from security.roles.voters.*.
//
// The strategy string is stored as-is and not validated here; a value that is
// not one of the VoterStrategy* constants only surfaces as a panic in decide
// on the first permission check.
func (s *SecurityServiceImpl) Inject(v []voter.SecurityVoter, r role.Service, cfg *struct {
	VoterStrategy     string `inject:"config:security.roles.voters.strategy"`
	AllowIfAllAbstain bool   `inject:"config:security.roles.voters.allowIfAllAbstain"`
}) {
	// The struct has exactly these four fields, so a whole-value assignment
	// is equivalent to setting each one.
	*s = SecurityServiceImpl{
		voters:            v,
		roleService:       r,
		voterStrategy:     cfg.VoterStrategy,
		allowIfAllAbstain: cfg.AllowIfAllAbstain,
	}
}
// IsLoggedIn reports whether the session's user is granted
// domain.PermissionAuthorized. The check goes through the configured voters
// like any other permission; no object is attached to it.
func (s *SecurityServiceImpl) IsLoggedIn(ctx context.Context, session *web.Session) bool {
	loggedIn := s.IsGranted(ctx, session, domain.PermissionAuthorized, nil)
	return loggedIn
}
// IsLoggedOut is the complement of IsLoggedIn: it is true exactly when
// domain.PermissionAuthorized is not granted for the session.
func (s *SecurityServiceImpl) IsLoggedOut(ctx context.Context, session *web.Session) bool {
	if s.IsGranted(ctx, session, domain.PermissionAuthorized, nil) {
		return false
	}
	return true
}
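// IsGranted reports whether the session's user holds desiredPermission on
// object. It loads the session's permission set from the role service once,
// asks every configured voter for its decision, and folds those decisions
// with the configured voter strategy (see decide).
//
// With no voters configured there are no votes at all, so the answer is
// exactly allowIfAllAbstain; a deployment that wants checks to fail closed
// has to keep that setting false.
func (s *SecurityServiceImpl) IsGranted(ctx context.Context, session *web.Session, desiredPermission string, object interface{}) bool {
	allPermissions := s.roleService.AllPermissions(ctx, session)

	// One decision per voter; pre-sized so the loop never regrows the slice.
	results := make([]voter.AccessDecision, 0, len(s.voters))
	for _, v := range s.voters {
		results = append(results, v.Vote(allPermissions, desiredPermission, object))
	}
	return s.decide(results)
}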
// decide folds the voters' decisions into one answer using s.voterStrategy.
// Only explicit grants and denials are counted; any other decision value is
// treated as an abstention and ignored. An unknown strategy is a
// misconfiguration and panics instead of quietly allowing or denying.
func (s *SecurityServiceImpl) decide(results []voter.AccessDecision) bool {
	var granted, denied int
	for _, r := range results {
		if r == voter.AccessGranted {
			granted++
		} else if r == voter.AccessDenied {
			denied++
		}
	}

	switch s.voterStrategy {
	case VoterStrategyAffirmative:
		return s.decideAffirmative(granted, denied)
	case VoterStrategyConsensus:
		return s.decideConsensus(granted, denied)
	case VoterStrategyUnanimous:
		return s.decideUnanimous(granted, denied)
	default:
		panic(fmt.Sprintf("unrecognized voter strategy: %s", s.voterStrategy))
	}
}
// decideAffirmative implements VoterStrategyAffirmative: a single grant wins
// even when other voters denied; otherwise a single denial loses; with
// neither, the allowIfAllAbstain fallback applies.
func (s *SecurityServiceImpl) decideAffirmative(granted int, denied int) bool {
	switch {
	case granted > 0:
		return true
	case denied > 0:
		return false
	default:
		return s.allowIfAllAbstain
	}
}
// decideConsensus implements VoterStrategyConsensus: the majority of explicit
// votes wins. A tie, including the all-abstain case, resolves to
// allowIfAllAbstain, so that setting also governs evenly split decisions.
func (s *SecurityServiceImpl) decideConsensus(granted int, denied int) bool {
	switch {
	case granted > denied:
		return true
	case denied > granted:
		return false
	default:
		return s.allowIfAllAbstain
	}
}
// decideUnanimous implements VoterStrategyUnanimous: any denial vetoes, a
// grant with no denial allows, and with no explicit votes the
// allowIfAllAbstain fallback applies.
func (s *SecurityServiceImpl) decideUnanimous(granted int, denied int) bool {
	switch {
	case denied > 0:
		return false
	case granted > 0:
		return true
	}
	return s.allowIfAllAbstain
}