package main
import (
	"context"
	"fmt"
	"log"
	"net/http"
	"os"
	"time"

	"github.com/julienschmidt/httprouter"
	"github.com/ory/hydra/firewall"
	"github.com/ory/hydra/sdk"
)
// h is the process-wide Hydra SDK client. It is assigned exactly once in
// main (before the HTTP server starts) and only read afterwards by the
// request handlers.
var (
	h *sdk.Client
)
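// main connects the package-level Hydra client, registers the single
// protected route and serves it on HOST:PORT taken from the environment.
// Any failure to connect or to listen is fatal.
func main() {
	var err error
	// NOTE(review): the client credentials and cluster URL below are
	// placeholder literals for this example. A real service must load them
	// from configuration or the environment; never commit a client secret
	// to source.
	if h, err = sdk.Connect(
		sdk.ClientID("client-id"),
		sdk.ClientSecret("client-secret"),
		sdk.ClusterURL("https://localhost:4444"),
	); err != nil {
		log.Fatalf("Could not connect to host: %s", err)
	}

	r := httprouter.New()
	r.GET("/protected", handleProtectedEndpoint)

	listen := fmt.Sprintf("%s:%s", os.Getenv("HOST"), os.Getenv("PORT"))
	// An explicit http.Server so slow or idle clients cannot hold
	// connections open indefinitely; http.ListenAndServe on the package
	// default has no timeouts at all.
	srv := &http.Server{
		Addr:              listen,
		Handler:           r,
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
	if err := srv.ListenAndServe(); err != nil {
		log.Fatalf("Could not listen on %s because %s", listen, err)
	}
}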
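// handleProtectedEndpoint demonstrates the three Warden checks exposed by
// the SDK client, in order: token introspection only, token plus access
// control policies, and policies only. The first check that fails answers
// 403 with a fixed body; on success nothing is written (empty 200).
//
// NOTE(review): the sample relies on IntrospectToken/TokenAllowed returning
// a non-nil error for an inactive or out-of-scope token. Confirm that
// against the SDK version in use; if they only report it through the
// returned status value, that value must be checked explicitly here.
func handleProtectedEndpoint(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
	// Derive from the request context so the Hydra round-trips are
	// cancelled when the client disconnects, and bound them so a slow
	// upstream cannot pin the handler goroutine indefinitely.
	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
	defer cancel()

	token := h.Warden.TokenFromRequest(r)

	// Access control using only access token.
	status, err := h.Introspection.IntrospectToken(ctx, token, "some-scope")
	if err != nil {
		deny(w, "token introspection", err)
		return
	}
	log.Printf("Token is allowed to perform action, state lookup gave: %v", status)

	// Access control using access token and access control policies.
	tokenStatus, err := h.Warden.TokenAllowed(ctx, token, &firewall.TokenAccessRequest{
		Resource: "some:resource-name",
		Action:   "some-action",
	}, "some-scope")
	if err != nil {
		deny(w, "token policy check", err)
		return
	}
	log.Printf("Token is allowed to perform action, state lookup gave: %v", tokenStatus)

	// Access control using access control policies only.
	// NOTE(review): the subject is a fixed literal here. In real code it has
	// to come from the authenticated caller (e.g. the subject of the
	// introspected token); with a hard-coded subject this check says
	// nothing about who is actually calling.
	if err := h.Warden.IsAllowed(ctx, &firewall.AccessRequest{
		Resource: "some:resource-name",
		Action:   "some-action",
		Subject:  "some-user",
	}); err != nil {
		deny(w, "policy check", err)
		return
	}
}

// deny rejects the request with 403 Forbidden and a fixed body.
//
// The underlying error is logged server-side only. Echoing err.Error() to
// the caller, as this handler originally did, hands unauthenticated clients
// the SDK's introspection and connectivity error text, which is an
// information leak with no benefit to a legitimate caller.
func deny(w http.ResponseWriter, stage string, err error) {
	log.Printf("%s failed: %v", stage, err)
	http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
}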