migrate common part from https://github.com/apache/servicecomb-service-center/tree/master/pkg/rbacframe

Author: tianxiaoliang

.github/workflows/static_check.yml

@@ -0,0 +1,16 @@
+name: Merge check
+on: [push, pull_request]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Set up Go 1.16
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.16
+      id: go
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+    - name: UT
+      run: |
+        go test ./...

.gitignore

@@ -13,3 +13,4 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
+.idea

go.mod

@@ -3,6 +3,7 @@ module github.com/go-chassis/cari
 go 1.13
 
 require (
+	github.com/deckarep/golang-set v1.7.1
 	github.com/gogo/protobuf v1.3.1
 	github.com/stretchr/testify v1.6.1
 )

go.sum

@@ -0,0 +1,18 @@
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/deckarep/golang-set v1.7.1 h1:SCQV0S6gTtp6itiFrTqI+pfmJ4LN85S1YzhDf9rTHJQ=
+github.com/deckarep/golang-set v1.7.1/go.mod h1:93vsz/8Wt4joVM7c2AVqh+YRMiUSc14yDtF28KmMOgQ=
+github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
+github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

rbac/api.go

@@ -0,0 +1,90 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// Package rbac extract common functions to help component to implement a auth system
+package rbac
+
+import (
+	"context"
+	mapset "github.com/deckarep/golang-set"
+)
+
+const (
+	ClaimsUser  = "account"
+	ClaimsRoles = "roles"
+)
+
+var whiteAPIList = mapset.NewSet()
+
+func AccountFromContext(ctx context.Context) (*Account, error) {
+	m, err := FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+	accountNameI := m[ClaimsUser]
+	a, ok := accountNameI.(string)
+	if !ok {
+		return nil, ErrConvert
+	}
+	roles := m[ClaimsRoles]
+	roleList, err := GetRolesList(roles)
+	if err != nil {
+		return nil, ErrConvert
+	}
+	account := &Account{Name: a, Roles: roleList}
+	return account, nil
+}
+
+// RoleFromContext only return role name
+func RoleFromContext(ctx context.Context) (string, error) {
+	m, err := FromContext(ctx)
+	if err != nil {
+		return "", err
+	}
+	roleI := m[ClaimsRoles]
+	role, ok := roleI.(string)
+	if !ok {
+		return "", ErrConvert
+	}
+	return role, nil
+}
+
+// GetRolesList return role list string
+func GetRolesList(v interface{}) ([]string, error) {
+	s, ok := v.([]interface{})
+	if !ok {
+		return nil, ErrConvert
+	}
+	rolesList := make([]string, 0)
+	for _, v := range s {
+		role, ok := v.(string)
+		if !ok {
+			return nil, ErrConvert
+		}
+		rolesList = append(rolesList, role)
+	}
+	return rolesList, nil
+}
+
+func Add2WhiteAPIList(path ...string) {
+	for _, p := range path {
+		whiteAPIList.Add(p)
+	}
+}
+func MustAuth(pattern string) bool {
+	return !whiteAPIList.Contains(pattern)
+}

rbac/api_test.go

@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package rbac_test
+
+import (
+	"context"
+	"github.com/go-chassis/cari/rbac"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestFromContext(t *testing.T) {
+	ctx := rbac.NewContext(context.TODO(), map[string]interface{}{
+		rbac.ClaimsUser:  "root",
+		rbac.ClaimsRoles: []interface{}{},
+	})
+
+	claims, _ := rbac.FromContext(ctx)
+	u := claims[rbac.ClaimsUser]
+	r := claims[rbac.ClaimsRoles]
+	assert.Equal(t, "root", u)
+	assert.Equal(t, []interface{}{}, r)
+
+	a, err := rbac.AccountFromContext(ctx)
+	assert.NoError(t, err)
+	assert.Equal(t, "root", a.Name)
+	assert.Equal(t, []string{}, a.Roles)
+}
+
+func TestMustAuth(t *testing.T) {
+	rbac.Add2WhiteAPIList("/test")
+	rbac.Add2WhiteAPIList("/test1")
+	assert.False(t, rbac.MustAuth("/test"))
+	assert.False(t, rbac.MustAuth("/test1"))
+	assert.True(t, rbac.MustAuth("/auth"))
+	assert.True(t, rbac.MustAuth("/version"))
+	assert.True(t, rbac.MustAuth("/v4/a/registry/version"))
+	assert.True(t, rbac.MustAuth("/health"))
+	assert.True(t, rbac.MustAuth("/v4/a/registry/health"))
+}

rbac/context.go

@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package rbac
+
+import (
+	"context"
+)
+
+// key is an unexported type for keys defined in this package.
+// This prevents collisions with keys defined in other packages.
+type key string
+
+// accountKey is the key for claim values in Contexts. It is
+// unexported; clients use NewContext and FromContext
+// instead of using this key directly.
+var accountKey key
+
+// NewContext returns a new Context that carries value claims.
+// claims include roles and account name
+func NewContext(ctx context.Context, claims map[string]interface{}) context.Context {
+	return context.WithValue(ctx, accountKey, claims)
+}
+
+// FromContext returns the account claims stored in ctx.
+func FromContext(ctx context.Context) (map[string]interface{}, error) {
+	claims := ctx.Value(accountKey)
+	m, ok := claims.(map[string]interface{})
+	if !ok {
+		return nil, ErrInvalidCtx
+	}
+	return m, nil
+}

rbac/error.go

@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package rbac
+
+import (
+	"errors"
+)
+
+var (
+	ErrInvalidHeader = errors.New("invalid auth header")
+	ErrNoHeader      = errors.New("should provide Authorization header")
+	ErrInvalidCtx    = errors.New("invalid context")
+	ErrConvert       = errors.New("type convert error")
+)

rbac/resource_map.go

@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package rbac
+
+//as a user, he only understand resource of this system,
+//but to decouple authorization code from business code,
+//a middleware should handle all the authorization logic, and this middleware only understand rest API,
+//a resource mapping helps to maintain relations between api and resource.
+var resourceMap = map[string]string{}
+
+func GetResource(api string) string {
+	r, ok := resourceMap[api]
+	if !ok {
+		return resourceMap["*"]
+	}
+	return r
+}
+
+// MapResource save the mapping from api to resource
+func MapResource(api, resource string) {
+	resourceMap[api] = resource
+}

rbac/resource_map_test.go

@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package rbac_test
+
+import (
+	"github.com/go-chassis/cari/rbac"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestGetResource(t *testing.T) {
+	t.Run("given empty mapping,return empty resource", func(t *testing.T) {
+		res := rbac.GetResource("/test")
+		assert.Empty(t, res)
+	})
+	t.Run("add api and resource mapping,return resource", func(t *testing.T) {
+		rbac.MapResource("/v1/order/1", "order")
+		res := rbac.GetResource("/v1/order/1")
+		assert.NotEmpty(t, res)
+	})
+	t.Run("add api and resource mapping,return empty resource", func(t *testing.T) {
+		rbac.MapResource("/v1/item/1", "order")
+		res := rbac.GetResource("/v1/a/1")
+		assert.Empty(t, res)
+	})
+}