Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Not working #4

Closed
theobouwman opened this issue Sep 20, 2018 · 6 comments
Closed

Not working #4

theobouwman opened this issue Sep 20, 2018 · 6 comments
Assignees
@hsluoyz
Labels
question

Comments

@theobouwman
Copy link
Contributor

When I added the middleware:

r.Use(authz.NewAuthorizer(enforcer))

I get do get a 403 response but the request is not ended:

[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 200[GIN] 2018/09/20 - 23:56:55 | 200 |    7.113914ms |             ::1 | POST     /auth/
@hsluoyz
Copy link
Collaborator

hsluoyz commented Sep 21, 2018

Can you try to run this test: https://github.com/gin-contrib/authz/blob/master/authz_test.go ? The test actually uses the authz middleware and can get correct result (200 or 403).

@hsluoyz hsluoyz self-assigned this Sep 21, 2018
@theobouwman
Copy link
Contributor Author

theobouwman commented Sep 21, 2018
edited
Loading 

theos-mbp:github.com theobouwman$ cd gin-contrib/authz/
theos-mbp:authz theobouwman$ go test
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:	export GIN_MODE=release
 - using code:	gin.SetMode(gin.ReleaseMode)

2018/09/21 17:33:19 Model:
2018/09/21 17:33:19 r.r: sub, obj, act
2018/09/21 17:33:19 p.p: sub, obj, act
2018/09/21 17:33:19 e.e: some(where (p_eft == allow))
2018/09/21 17:33:19 m.m: g(r_sub, p_sub) && keyMatch(r_obj, p_obj) && (r_act == p_act || p_act == "*")
2018/09/21 17:33:19 g.g: _, _
2018/09/21 17:33:19 Policy:
2018/09/21 17:33:19 p: sub, obj, act: [[alice /dataset1/* GET] [alice /dataset1/resource1 POST] [bob /dataset2/resource1 *] [bob /dataset2/resource2 GET] [bob /dataset2/folder1/* POST] [dataset1_admin /dataset1/* *]]
2018/09/21 17:33:19 g: _, _: [[cathy dataset1_admin]]
2018/09/21 17:33:19 Role links for: g
2018/09/21 17:33:19 cathy < dataset1_admin
[GIN-debug] GET    /*anypath                 --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
[GIN-debug] POST   /*anypath                 --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
[GIN-debug] PUT    /*anypath                 --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
[GIN-debug] PATCH  /*anypath                 --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
[GIN-debug] HEAD   /*anypath                 --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
[GIN-debug] OPTIONS /*anypath                 --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
[GIN-debug] DELETE /*anypath                 --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
[GIN-debug] CONNECT /*anypath                 --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
[GIN-debug] TRACE  /*anypath                 --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
2018/09/21 17:33:19 Request: alice, /dataset1/resource1, GET ---> true
2018/09/21 17:33:19 Request: alice, /dataset1/resource1, POST ---> true
2018/09/21 17:33:19 Request: alice, /dataset1/resource2, GET ---> true
2018/09/21 17:33:19 Request: alice, /dataset1/resource2, POST ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 200[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:	export GIN_MODE=release
 - using code:	gin.SetMode(gin.ReleaseMode)

2018/09/21 17:33:19 Model:
2018/09/21 17:33:19 p.p: sub, obj, act
2018/09/21 17:33:19 e.e: some(where (p_eft == allow))
2018/09/21 17:33:19 m.m: g(r_sub, p_sub) && keyMatch(r_obj, p_obj) && (r_act == p_act || p_act == "*")
2018/09/21 17:33:19 g.g: _, _
2018/09/21 17:33:19 r.r: sub, obj, act
2018/09/21 17:33:19 Policy:
2018/09/21 17:33:19 p: sub, obj, act: [[alice /dataset1/* GET] [alice /dataset1/resource1 POST] [bob /dataset2/resource1 *] [bob /dataset2/resource2 GET] [bob /dataset2/folder1/* POST] [dataset1_admin /dataset1/* *]]
2018/09/21 17:33:19 g: _, _: [[cathy dataset1_admin]]
2018/09/21 17:33:19 Role links for: g
2018/09/21 17:33:19 cathy < dataset1_admin
[GIN-debug] GET    /*anypath                 --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
[GIN-debug] POST   /*anypath                 --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
[GIN-debug] PUT    /*anypath                 --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
[GIN-debug] PATCH  /*anypath                 --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
[GIN-debug] HEAD   /*anypath                 --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
[GIN-debug] OPTIONS /*anypath                 --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
[GIN-debug] DELETE /*anypath                 --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
[GIN-debug] CONNECT /*anypath                 --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
[GIN-debug] TRACE  /*anypath                 --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
2018/09/21 17:33:19 Request: bob, /dataset2/resource1, GET ---> true
2018/09/21 17:33:19 Request: bob, /dataset2/resource1, POST ---> true
2018/09/21 17:33:19 Request: bob, /dataset2/resource1, DELETE ---> true
2018/09/21 17:33:19 Request: bob, /dataset2/resource2, GET ---> true
2018/09/21 17:33:19 Request: bob, /dataset2/resource2, POST ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: bob, /dataset2/resource2, DELETE ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: bob, /dataset2/folder1/item1, GET ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: bob, /dataset2/folder1/item1, POST ---> true
2018/09/21 17:33:19 Request: bob, /dataset2/folder1/item1, DELETE ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: bob, /dataset2/folder1/item2, GET ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: bob, /dataset2/folder1/item2, POST ---> true
2018/09/21 17:33:19 Request: bob, /dataset2/folder1/item2, DELETE ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 200[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:	export GIN_MODE=release
 - using code:	gin.SetMode(gin.ReleaseMode)

2018/09/21 17:33:19 Model:
2018/09/21 17:33:19 m.m: g(r_sub, p_sub) && keyMatch(r_obj, p_obj) && (r_act == p_act || p_act == "*")
2018/09/21 17:33:19 g.g: _, _
2018/09/21 17:33:19 r.r: sub, obj, act
2018/09/21 17:33:19 p.p: sub, obj, act
2018/09/21 17:33:19 e.e: some(where (p_eft == allow))
2018/09/21 17:33:19 Policy:
2018/09/21 17:33:19 p: sub, obj, act: [[alice /dataset1/* GET] [alice /dataset1/resource1 POST] [bob /dataset2/resource1 *] [bob /dataset2/resource2 GET] [bob /dataset2/folder1/* POST] [dataset1_admin /dataset1/* *]]
2018/09/21 17:33:19 g: _, _: [[cathy dataset1_admin]]
2018/09/21 17:33:19 Role links for: g
2018/09/21 17:33:19 cathy < dataset1_admin
[GIN-debug] GET    /*anypath                 --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
[GIN-debug] POST   /*anypath                 --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
[GIN-debug] PUT    /*anypath                 --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
[GIN-debug] PATCH  /*anypath                 --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
[GIN-debug] HEAD   /*anypath                 --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
[GIN-debug] OPTIONS /*anypath                 --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
[GIN-debug] DELETE /*anypath                 --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
[GIN-debug] CONNECT /*anypath                 --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
[GIN-debug] TRACE  /*anypath                 --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
2018/09/21 17:33:19 Request: cathy, /dataset1/item, GET ---> true
2018/09/21 17:33:19 Request: cathy, /dataset1/item, POST ---> true
2018/09/21 17:33:19 Request: cathy, /dataset1/item, DELETE ---> true
2018/09/21 17:33:19 Request: cathy, /dataset2/item, GET ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: cathy, /dataset2/item, POST ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: cathy, /dataset2/item, DELETE ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Role links for: g
2018/09/21 17:33:19 
2018/09/21 17:33:19 Request: cathy, /dataset1/item, GET ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: cathy, /dataset1/item, POST ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: cathy, /dataset1/item, DELETE ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: cathy, /dataset2/item, GET ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: cathy, /dataset2/item, POST ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: cathy, /dataset2/item, DELETE ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 200PASS
ok  	github.com/gin-contrib/authz	0.022s
theos-mbp:authz theobouwman$

They are being overwritten every time

@theobouwman theobouwman mentioned this issue Sep 21, 2018
Merged
@hsluoyz
Copy link
Collaborator

hsluoyz commented Sep 21, 2018

Thanks for the PR!

@hsluoyz hsluoyz closed this as completed Sep 21, 2018
@theobouwman
Copy link
Contributor Author

One question, how can I allow all requests to a particular route?

@hsluoyz
Copy link
Collaborator

hsluoyz commented Sep 21, 2018

The following example allows any user to perform any action (GET, POST, etc.) on /login. This is just one way to do it. You can also make * as a special role that every user has, or hack a new role manager to allow the use of *. Or you can hard-code /login, /logoff, /signup into the matcher or in a custom function.

Model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = (g(r.sub, p.sub) || p.sub == "*") && keyMatch(r.obj, p.obj) && (r.act == p.act || p.act == "*")

Policy:

p, *, /login, *

@theobouwman
Copy link
Contributor Author

@hsluoyz thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hsluoyz hsluoyz

Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hsluoyz @theobouwman