github.com/astaxie/beego@v1.12.3/plugins/authz/authz.go (about) 1 // Copyright 2014 beego Author. All Rights Reserved. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // Package authz provides handlers to enable ACL, RBAC, ABAC authorization support. 16 // Simple Usage: 17 // import( 18 // "github.com/astaxie/beego" 19 // "github.com/astaxie/beego/plugins/authz" 20 // "github.com/casbin/casbin" 21 // ) 22 // 23 // func main(){ 24 // // mediate the access for every request 25 // beego.InsertFilter("*", beego.BeforeRouter, authz.NewAuthorizer(casbin.NewEnforcer("authz_model.conf", "authz_policy.csv"))) 26 // beego.Run() 27 // } 28 // 29 // 30 // Advanced Usage: 31 // 32 // func main(){ 33 // e := casbin.NewEnforcer("authz_model.conf", "") 34 // e.AddRoleForUser("alice", "admin") 35 // e.AddPolicy(...) 36 // 37 // beego.InsertFilter("*", beego.BeforeRouter, authz.NewAuthorizer(e)) 38 // beego.Run() 39 // } 40 package authz 41 42 import ( 43 "net/http" 44 45 "github.com/astaxie/beego" 46 "github.com/astaxie/beego/context" 47 "github.com/casbin/casbin" 48 ) 49 50 // NewAuthorizer returns the authorizer. 
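// Use a casbin enforcer as input. The returned filter asks the enforcer
// about every request it is attached to and answers 403 Forbidden when the
// enforcer denies the request. e is dereferenced on every request and is
// expected to be non-nil.
//
// Security note: this filter performs authorization only. The user name is
// taken from the HTTP Basic Authorization header without checking the
// password (see GetUserName), so an authentication filter must run before
// it and reject requests whose credentials do not verify.
//
// NOTE(review): denying a request only writes the 403 response; this code
// does not itself stop the handler chain. It presumably relies on beego
// ending request processing once a filter has started the response.
// Confirm that for the beego version and InsertFilter options in use.
func NewAuthorizer(e *casbin.Enforcer) beego.FilterFunc {
	// The authorizer holds nothing but the enforcer pointer and is never
	// mutated, so one instance serves all requests instead of allocating a
	// new one per call.
	a := &BasicAuthorizer{enforcer: e}

	return func(ctx *context.Context) {
		if a.CheckPermission(ctx.Request) {
			return
		}
		a.RequirePermission(ctx.ResponseWriter)
	}
}

// BasicAuthorizer stores the casbin handler.
type BasicAuthorizer struct {
	// enforcer evaluates the (user, path, method) triple against the
	// loaded casbin model and policy.
	enforcer *casbin.Enforcer
}

// GetUserName gets the user name from the request.
// Currently, only HTTP basic authentication is supported.
//
// Only the user name part of the Authorization header is returned; the
// password and the "ok" flag from r.BasicAuth are discarded. The value is
// therefore whatever the client sent and is not verified here. When the
// header is absent or malformed the result is the empty string.
func (a *BasicAuthorizer) GetUserName(r *http.Request) string {
	username, _, _ := r.BasicAuth()
	return username
}

// CheckPermission checks the user/method/path combination from the request.
// Returns true (permission granted) or false (permission forbidden).
//
// The path is r.URL.Path exactly as received and the method is r.Method.
// NOTE(review): if the router matches paths more loosely than the policy
// does (letter case, trailing slash), the policy patterns have to cover
// those variants. Verify against the application's router settings.
func (a *BasicAuthorizer) CheckPermission(r *http.Request) bool {
	return a.enforcer.Enforce(a.GetUserName(r), r.URL.Path, r.Method)
}

// RequirePermission returns the 403 Forbidden to the client.
func (a *BasicAuthorizer) RequirePermission(w http.ResponseWriter) {
	w.WriteHeader(http.StatusForbidden)
	// The status has already been sent, so a failed body write cannot be
	// reported to the client; the error is dropped deliberately.
	_, _ = w.Write([]byte("403 Forbidden\n"))
}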