service/internal/auth/authn.go

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -70,7 +70,14 @@ var (
  
    	}

    )

    const refreshInterval = 15 * time.Minute

    const (

    	refreshInterval = 15 * time.Minute

    	ActionRead      = "read"

    	ActionWrite     = "write"

    	ActionDelete    = "delete"

    	ActionUnsafe    = "unsafe"

    	ActionOther     = "other"

    )

    // Authentication holds a jwks cache and information about the openid configuration

    type Authentication struct {

    @@ -230,13 +237,13 @@ func (a Authentication) MuxHandler(handler http.Handler) http.Handler {
  
    		var action string

    		switch r.Method {

    		case http.MethodGet:

    			action = "read"

    			action = ActionRead

    		case http.MethodPost, http.MethodPut, http.MethodPatch:

    			action = "write"

    			action = ActionWrite

    		case http.MethodDelete:

    			action = "delete"

    			action = ActionDelete

    		default:

    			action = "unsafe"

    			action = ActionUnsafe

    		}

    		if allow, err := a.enforcer.Enforce(accessTok, r.URL.Path, action); err != nil {

    			if err.Error() == "permission denied" {

    @@ -280,19 +287,7 @@ func (a Authentication) UnaryServerInterceptor(ctx context.Context, req any, inf
  
    	// parse the rpc method

    	p := strings.Split(info.FullMethod, "/")

    	resource := p[1] + "/" + p[2]

    	var action string

    	switch {

    	case strings.HasPrefix(p[2], "List") || strings.HasPrefix(p[2], "Get"):

    		action = "read"

    	case strings.HasPrefix(p[2], "Create") || strings.HasPrefix(p[2], "Update"):

    		action = "write"

    	case strings.HasPrefix(p[2], "Delete"):

    		action = "delete"

    	case strings.HasPrefix(p[2], "Unsafe"):

    		action = "unsafe"

    	default:

    		action = "other"

    	}

    	action := getAction(p[2])

    	token, newCtx, err := a.checkToken(

    		ctx,

    @@ -322,6 +317,21 @@ func (a Authentication) UnaryServerInterceptor(ctx context.Context, req any, inf
  
    	return handler(newCtx, req)

    }

    // getAction returns the action based on the rpc name

    func getAction(method string) string {

    	switch {

    	case strings.HasPrefix(method, "List") || strings.HasPrefix(method, "Get"):

    		return ActionRead

    	case strings.HasPrefix(method, "Create") || strings.HasPrefix(method, "Update") || strings.HasPrefix(method, "Assign"):

    		return ActionWrite

    	case strings.HasPrefix(method, "Delete") || strings.HasPrefix(method, "Remove") || strings.HasPrefix(method, "Deactivate"):

    		return ActionDelete

    	case strings.HasPrefix(method, "Unsafe"):

    		return ActionUnsafe

    	}

    	return ActionOther

    }

    // checkToken is a helper function to verify the token.

    func (a Authentication) checkToken(ctx context.Context, authHeader []string, dpopInfo receiverInfo, dpopHeader []string) (jwt.Token, context.Context, error) {

    	var tokenRaw string

service/internal/auth/authn_test.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -658,3 +658,27 @@ func (s *AuthSuite) Test_PublicPath_Matches() { @@
     	s.Require().False(slices.ContainsFunc(s.auth.publicRoutes, s.auth.isPublicRoute("/private")))
     	s.Require().False(slices.ContainsFunc(s.auth.publicRoutes, s.auth.isPublicRoute("/public2/test/fail")))
     }
+    func (s *AuthSuite) Test_GetAction() {
+    	cases := []struct {
+    		method   string
+    		expected string
+    	}{
+    		{"GetSomething", ActionRead},
+    		{"CreateSomething", ActionWrite},
+    		{"UpdateSomething", ActionWrite},
+    		{"AssignSomething", ActionWrite},
+    		{"DeleteSomething", ActionDelete},
+    		{"RemoveSomething", ActionDelete},
+    		{"DeactivateSomething", ActionDelete},
+    		{"ListSomething", ActionRead},
+    		{"UnsafeDelete", ActionUnsafe},
+    		{"UnsafeUpdate", ActionUnsafe},
+    		{"UnsafeActivate", ActionUnsafe},
+    		{"UnsafeReactivate", ActionUnsafe},
+    		{"DoSomething", ActionOther},
+    	}
+    	for _, c := range cases {
+    		s.Equal(c.expected, getAction(c.method))
+    	}
+    }

fix(core): casbin policy should support assign/remove/deactivate rpc naming #1298

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

jakedoublev merged 5 commits into main from fix/kas-grants

Aug 12, 2024

-Original file line number
+Diff line change
@@ Expand Up / @@ -658,3 +658,27 @@ func (s *AuthSuite) Test_PublicPath_Matches() { @@
     	s.Require().False(slices.ContainsFunc(s.auth.publicRoutes, s.auth.isPublicRoute("/private")))
     	s.Require().False(slices.ContainsFunc(s.auth.publicRoutes, s.auth.isPublicRoute("/public2/test/fail")))
     }
+    func (s *AuthSuite) Test_GetAction() {
+    	cases := []struct {
+    		method   string
+    		expected string
+    	}{
+    		{"GetSomething", ActionRead},
+    		{"CreateSomething", ActionWrite},
+    		{"UpdateSomething", ActionWrite},
+    		{"AssignSomething", ActionWrite},
+    		{"DeleteSomething", ActionDelete},
+    		{"RemoveSomething", ActionDelete},
+    		{"DeactivateSomething", ActionDelete},
+    		{"ListSomething", ActionRead},
+    		{"UnsafeDelete", ActionUnsafe},
+    		{"UnsafeUpdate", ActionUnsafe},
+    		{"UnsafeActivate", ActionUnsafe},
+    		{"UnsafeReactivate", ActionUnsafe},
+    		{"DoSomething", ActionOther},
+    	}
+    	for _, c := range cases {
+    		s.Equal(c.expected, getAction(c.method))
+    	}
+    }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(core): casbin policy should support assign/remove/deactivate rpc naming #1298

Uh oh!

Diff view

Diff view

There are no files selected for viewing