github.com/micro/go-micro/v2@v2.9.1/auth/auth.go

github.com/micro/go-micro/v2@v2.9.1/auth/auth.go (about)

     1  // Package auth provides authentication and authorization capability
     2  package auth
     3  
     4  import (
     5  	"context"
     6  	"errors"
     7  	"time"
     8  )
     9  
    10  const (
    11  	// BearerScheme used for Authorization header
    12  	BearerScheme = "Bearer "
    13  	// ScopePublic is the scope applied to a rule to allow access to the public
    14  	ScopePublic = ""
    15  	// ScopeAccount is the scope applied to a rule to limit to users with any valid account
    16  	ScopeAccount = "*"
    17  )
    18  
    19  var (
    20  	// ErrInvalidToken is when the token provided is not valid
    21  	ErrInvalidToken = errors.New("invalid token provided")
    22  	// ErrForbidden is when a user does not have the necessary scope to access a resource
    23  	ErrForbidden = errors.New("resource forbidden")
    24  )
    25  
    26  // Auth provides authentication and authorization
    27  type Auth interface {
    28  	// Init the auth
    29  	Init(opts ...Option)
    30  	// Options set for auth
    31  	Options() Options
    32  	// Generate a new account
    33  	Generate(id string, opts ...GenerateOption) (*Account, error)
    34  	// Verify an account has access to a resource using the rules
    35  	Verify(acc *Account, res *Resource, opts ...VerifyOption) error
    36  	// Inspect a token
    37  	Inspect(token string) (*Account, error)
    38  	// Token generated using refresh token or credentials
    39  	Token(opts ...TokenOption) (*Token, error)
    40  	// Grant access to a resource
    41  	Grant(rule *Rule) error
    42  	// Revoke access to a resource
    43  	Revoke(rule *Rule) error
    44  	// Rules returns all the rules used to verify requests
    45  	Rules(...RulesOption) ([]*Rule, error)
    46  	// String returns the name of the implementation
    47  	String() string
    48  }
    49  
    50  // Account provided by an auth provider
    51  type Account struct {
    52  	// ID of the account e.g. email
    53  	ID string `json:"id"`
    54  	// Type of the account, e.g. service
    55  	Type string `json:"type"`
    56  	// Issuer of the account
    57  	Issuer string `json:"issuer"`
    58  	// Any other associated metadata
    59  	Metadata map[string]string `json:"metadata"`
    60  	// Scopes the account has access to
    61  	Scopes []string `json:"scopes"`
    62  	// Secret for the account, e.g. the password
    63  	Secret string `json:"secret"`
    64  }
    65  
    66  // Token can be short or long lived
    67  type Token struct {
    68  	// The token to be used for accessing resources
    69  	AccessToken string `json:"access_token"`
    70  	// RefreshToken to be used to generate a new token
    71  	RefreshToken string `json:"refresh_token"`
    72  	// Time of token creation
    73  	Created time.Time `json:"created"`
    74  	// Time of token expiry
    75  	Expiry time.Time `json:"expiry"`
    76  }
    77  
    78  // Expired returns a boolean indicating if the token needs to be refreshed
    79  func (t *Token) Expired() bool {
    80  	return t.Expiry.Unix() < time.Now().Unix()
    81  }
    82  
    83  // Resource is an entity such as a user or
    84  type Resource struct {
    85  	// Name of the resource, e.g. go.micro.service.notes
    86  	Name string `json:"name"`
    87  	// Type of resource, e.g. service
    88  	Type string `json:"type"`
    89  	// Endpoint resource e.g NotesService.Create
    90  	Endpoint string `json:"endpoint"`
    91  }
    92  
    93  // Access defines the type of access a rule grants
    94  type Access int
    95  
    96  const (
    97  	// AccessGranted to a resource
    98  	AccessGranted Access = iota
    99  	// AccessDenied to a resource
   100  	AccessDenied
   101  )
   102  
   103  // Rule is used to verify access to a resource
   104  type Rule struct {
   105  	// ID of the rule, e.g. "public"
   106  	ID string
   107  	// Scope the rule requires, a blank scope indicates open to the public and * indicates the rule
   108  	// applies to any valid account
   109  	Scope string
   110  	// Resource the rule applies to
   111  	Resource *Resource
   112  	// Access determines if the rule grants or denies access to the resource
   113  	Access Access
   114  	// Priority the rule should take when verifying a request, the higher the value the sooner the
   115  	// rule will be applied
   116  	Priority int32
   117  }
   118  
   119  type accountKey struct{}
   120  
   121  // AccountFromContext gets the account from the context, which
   122  // is set by the auth wrapper at the start of a call. If the account
   123  // is not set, a nil account will be returned. The error is only returned
   124  // when there was a problem retrieving an account
   125  func AccountFromContext(ctx context.Context) (*Account, bool) {
   126  	acc, ok := ctx.Value(accountKey{}).(*Account)
   127  	return acc, ok
   128  }
   129  
   130  // ContextWithAccount sets the account in the context
   131  func ContextWithAccount(ctx context.Context, account *Account) context.Context {
   132  	return context.WithValue(ctx, accountKey{}, account)
   133  }