-
Notifications
You must be signed in to change notification settings - Fork 1k
/
auth.go
66 lines (57 loc) · 2.27 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
package server
import (
"context"
"strings"
"github.com/micro/micro/v3/service/auth"
"github.com/micro/micro/v3/service/context/metadata"
"github.com/micro/micro/v3/service/errors"
"github.com/micro/micro/v3/service/server"
inauth "github.com/micro/micro/v3/util/auth"
"github.com/micro/micro/v3/util/auth/namespace"
)
// authHandler wraps a server handler to perform auth
func authHandler() server.HandlerWrapper {
return func(h server.HandlerFunc) server.HandlerFunc {
return func(ctx context.Context, req server.Request, rsp interface{}) error {
// Extract the token if the header is present. We will inspect the token regardless of if it's
// present or not since noop auth will return a blank account upon Inspecting a blank token.
var token string
if header, ok := metadata.Get(ctx, "Authorization"); ok {
// Ensure the correct scheme is being used
if !strings.HasPrefix(header, inauth.BearerScheme) {
return errors.Unauthorized(req.Service(), "invalid authorization header. expected Bearer schema")
}
// Strip the bearer scheme prefix
token = strings.TrimPrefix(header, inauth.BearerScheme)
}
// Inspect the token and decode an account
account, _ := auth.Inspect(token)
// Extract the namespace header
ns, ok := metadata.Get(ctx, "Micro-Namespace")
if !ok && account != nil {
ns = account.Issuer
ctx = metadata.Set(ctx, "Micro-Namespace", ns)
} else if !ok {
ns = namespace.DefaultNamespace
ctx = metadata.Set(ctx, "Micro-Namespace", ns)
}
// construct the resource
res := &auth.Resource{
Type: "service",
Name: req.Service(),
Endpoint: req.Endpoint(),
}
// Verify the caller has access to the resource.
err := auth.Verify(account, res, auth.VerifyNamespace(ns))
if err == auth.ErrForbidden && account != nil {
return errors.Forbidden(req.Service(), "Forbidden call made to %v:%v by %v", req.Service(), req.Endpoint(), account.ID)
} else if err == auth.ErrForbidden {
return errors.Unauthorized(req.Service(), "Unauthorized call made to %v:%v", req.Service(), req.Endpoint())
} else if err != nil {
return errors.InternalServerError("proxy", "Error authorizing request: %v", err)
}
// The user is authorised, allow the call
return h(ctx, req, rsp)
}
}
}