package middleware
import (
	"context"
	"crypto/subtle"
	"fmt"
	"net/http"

	"github.com/casbin/casbin/v2"
	"github.com/go-chi/jwtauth/v5"
	"github.com/go-chi/render"
	"github.com/golang-jwt/jwt"
	"go.uber.org/zap"

	"github.com/unanet/go/pkg/auth"
	"github.com/unanet/go/pkg/errors"
	"github.com/unanet/go/pkg/identity"
)
// extractRoles returns the list stored at claims["realm_access"]["roles"], or
// an empty (non-nil) slice when the token carries no such list.
//
// Only that exact nesting is recognised: a missing "realm_access" object, a
// missing "roles" key, or a value of any other type all yield the empty slice
// rather than an error. The elements are returned untyped, exactly as the JSON
// decoder produced them.
//
// NOTE: the complete claim set is written to the debug log on every call, so
// enabling debug logging exposes whatever personal data the token carries.
func extractRoles(ctx context.Context, claims jwt.MapClaims) []interface{} {
	logger := Log(ctx)
	logger.Debug("extract role from incoming claims", zap.Any("claims", claims))

	realmAccess, isObject := claims["realm_access"].(map[string]interface{})
	if !isObject {
		logger.Debug("unknown role extracted")
		return []interface{}{}
	}

	roles, isList := realmAccess["roles"].([]interface{})
	if !isList {
		logger.Debug("unknown role extracted")
		return []interface{}{}
	}

	logger.Debug("incoming claim roles slice found", zap.Any("role", roles))
	return roles
}
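// isAdminToken reports whether the bearer value presented on a request equals
// the configured admin token.
//
// An empty configured token never matches: without this guard an unset
// adminToken would equal the empty header value that jwtauth.TokenFromHeader
// returns for a request with no Authorization header, turning every
// unauthenticated request into an admin request. The comparison itself is
// constant-time so the token cannot be recovered through response timing
// (only the length is still observable, which ConstantTimeCompare does not
// hide).
func isAdminToken(presented, configured string) bool {
	if configured == "" || presented == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(presented), []byte(configured)) == 1
}

// AuthenticationMiddleware authenticates each request and authorizes it
// against the casbin enforcer before passing it to the next handler.
//
// A request whose bearer token equals adminToken skips both JWT validation and
// policy enforcement and continues with a synthetic claim set of {"sub":
// "admin"} in its context. Every other request must carry a token that idv
// accepts; the roles found under realm_access.roles in its claims are then
// tried one by one against (r.URL.Path, r.Method) until the enforcer grants
// access, and the validated claims are attached to the request context.
//
// Responses on failure: whatever error idv.Validate returned is rendered
// as-is; 403 Forbidden when no role is granted; 500 Internal Server Error when
// the enforcer itself fails.
func AuthenticationMiddleware(adminToken string, idv *identity.Validator, enforcer *casbin.Enforcer) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		hfn := func(w http.ResponseWriter, r *http.Request) {
			ctx := r.Context()

			// Admin token, you shall PASS!!!
			if isAdminToken(jwtauth.TokenFromHeader(r), adminToken) {
				ctx = auth.CtxWithClaims(ctx, map[string]interface{}{
					"sub": "admin",
				})
				next.ServeHTTP(w, r.WithContext(ctx))
				return
			}

			claims, err := idv.Validate(r)
			if err != nil {
				Log(ctx).Debug("failed token verification", zap.Error(err))
				render.Respond(w, r, err)
				return
			}
			// NOTE: the full claim set is logged here; debug logging therefore
			// exposes any personal data the token carries.
			Log(ctx).Debug("incoming auth claims", zap.Any("claims", claims))

			var grantedAccess bool
			Log(ctx).Debug(fmt.Sprintf("checking auth for URL = %s, Method = %s", r.URL.Path, r.Method))

			// Range over the roles to see if we have access to the resource
			for _, role := range extractRoles(ctx, claims) {
				grantedAccess, err = enforcer.Enforce(role, r.URL.Path, r.Method)
				if err != nil {
					Log(ctx).Error("casbin enforced resulted in an error", zap.Error(err))
					// render.Status only records a code in the request context;
					// without a Respond call nothing is written and the client
					// would receive an empty 200 OK. Render a real 500 instead,
					// mirroring the 403 path below.
					render.Respond(w, r, errors.NewRestError(http.StatusInternalServerError, "Internal Server Error"))
					return
				}
				if grantedAccess {
					Log(ctx).Debug(fmt.Sprintf("access granted. Role = %s, URL = %s, Method = %s", role, r.URL.Path, r.Method))
					break
				}
			}

			// No role matched (or the token carried no roles at all): deny.
			if !grantedAccess {
				Log(ctx).Debug(fmt.Sprintf("not authorized. URL = %s, Method = %s", r.URL.Path, r.Method))
				render.Respond(w, r, errors.NewRestError(403, "Forbidden"))
				return
			}

			next.ServeHTTP(w, r.WithContext(auth.CtxWithClaims(ctx, claims)))
		}
		return http.HandlerFunc(hfn)
	}
}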