github.com/astaxie/beego@v1.12.3/plugins/authz/authz.go (about)

     1  // Copyright 2014 beego Author. All Rights Reserved.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Package authz provides handlers to enable ACL, RBAC, ABAC authorization support.
    16  // Simple Usage:
    17  //	import(
    18  //		"github.com/astaxie/beego"
    19  //		"github.com/astaxie/beego/plugins/authz"
    20  //		"github.com/casbin/casbin"
    21  //	)
    22  //
    23  //	func main(){
    24  //		// mediate the access for every request
    25  //		beego.InsertFilter("*", beego.BeforeRouter, authz.NewAuthorizer(casbin.NewEnforcer("authz_model.conf", "authz_policy.csv")))
    26  //		beego.Run()
    27  //	}
    28  //
    29  //
    30  // Advanced Usage:
    31  //
    32  //	func main(){
    33  //		e := casbin.NewEnforcer("authz_model.conf", "")
    34  //		e.AddRoleForUser("alice", "admin")
    35  //		e.AddPolicy(...)
    36  //
    37  //		beego.InsertFilter("*", beego.BeforeRouter, authz.NewAuthorizer(e))
    38  //		beego.Run()
    39  //	}
    40  package authz
    41  
    42  import (
    43  	"net/http"
    44  
    45  	"github.com/astaxie/beego"
    46  	"github.com/astaxie/beego/context"
    47  	"github.com/casbin/casbin"
    48  )
    49  
// NewAuthorizer builds a beego filter that asks the given casbin enforcer
// whether each incoming request is allowed.
//
// For every request the filter wraps e in a BasicAuthorizer, evaluates
// CheckPermission on ctx.Request and, when the decision is a denial, writes
// the 403 response through RequirePermission. Allowed requests are left
// untouched so the rest of the chain can handle them.
//
// The filter only authorizes: the subject is the user name taken from the
// HTTP Basic header and its password is not checked anywhere in this package.
// Register an authentication filter ahead of this one so the name has been
// verified by the time the policy is evaluated.
//
// NOTE(review): e is not checked for nil here; a nil enforcer would presumably
// fail on the first request rather than at registration time. Confirm callers
// always pass a constructed enforcer.
// NOTE(review): stopping a denied request relies on the framework treating an
// already-written response as final. Confirm against the beego filter chain.
func NewAuthorizer(e *casbin.Enforcer) beego.FilterFunc {
	return func(ctx *context.Context) {
		authorizer := &BasicAuthorizer{enforcer: e}

		// Guard clause: nothing to do when the policy allows the request.
		if authorizer.CheckPermission(ctx.Request) {
			return
		}
		authorizer.RequirePermission(ctx.ResponseWriter)
	}
}
    61  
// BasicAuthorizer wraps the casbin enforcer that makes the authorization
// decisions for this plugin.
type BasicAuthorizer struct {
	// enforcer is the policy engine consulted by CheckPermission. The field is
	// unexported, so values are built inside this package (see NewAuthorizer).
	enforcer *casbin.Enforcer
}
    66  
// GetUserName returns the user name carried in the request's HTTP Basic
// Authorization header, or "" when the header is missing or cannot be parsed.
// Currently, only HTTP basic authentication is supported.
//
// The password from the header is discarded and never verified here, so the
// returned name is a client-supplied claim rather than an authenticated
// identity. Credentials must be validated by an earlier filter before this
// value is used as the policy subject.
func (a *BasicAuthorizer) GetUserName(r *http.Request) string {
	name, _, ok := r.BasicAuth()
	if !ok {
		// No usable Basic credentials: report an empty subject.
		return ""
	}
	return name
}
    73  
// CheckPermission asks the enforcer whether the request's user may perform
// the request's method on the request's path.
// It returns true when permission is granted and false when it is forbidden.
//
// The enforcer receives the values in the order (user, path, method), which
// is the order the policy model has to expect. The user is whatever
// GetUserName reports, so a request without Basic credentials is evaluated
// with an empty subject; the policy should not match "" unless anonymous
// access is intended.
//
// NOTE(review): r.URL.Path is passed as received, with no normalization in
// this function. Confirm that the policy matchers and the router treat
// trailing slashes, case and dot segments the same way, so that a path the
// router serves is the path the policy evaluated.
func (a *BasicAuthorizer) CheckPermission(r *http.Request) bool {
	return a.enforcer.Enforce(a.GetUserName(r), r.URL.Path, r.Method)
}
    82  
// RequirePermission rejects the request by writing a 403 Forbidden status
// and a short plain-text body to the client.
//
// No WWW-Authenticate challenge is sent: the response states that access is
// denied and does not prompt the client for credentials.
func (a *BasicAuthorizer) RequirePermission(w http.ResponseWriter) {
	w.WriteHeader(http.StatusForbidden)
	// The write result is deliberately ignored; the denial status is already
	// committed and there is no further recovery if the client has gone away.
	_, _ = w.Write([]byte("403 Forbidden\n"))
}