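// IsAuthorized returns a middleware constructor that lets a request reach the
// wrapped handler only when the subject and policies carried in the request
// context are granted permission on resource.
//
// resource and permission name what is being checked; environment supplies
// the evaluation context passed to guard.IsGranted and, when nil, is derived
// from the incoming request via middleware.NewEnv. Every failure — missing
// policies, missing subject, a guard error, or a negative decision — is logged
// and answered with 403 Forbidden without calling the next handler.
func (m *Middleware) IsAuthorized(resource, permission string, environment *middleware.Env) func(chd.ContextHandler) chd.ContextHandler {
	return func(next chd.ContextHandler) chd.ContextHandler {
		return chd.ContextHandlerFunc(func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
			// Resolve the environment into a request-local variable. Assigning
			// the captured parameter (as the original did) both races across
			// concurrent requests and pins every later request to the
			// environment built from the first one that arrived.
			env := environment
			if env == nil {
				env = middleware.NewEnv(req)
			}

			policies, err := authcon.PoliciesFromContext(ctx)
			if err != nil {
				log.WithFields(log.Fields{
					"authorization": "forbidden",
					"error":         err,
				}).Warnf(`Policy extraction failed.`)
				pkg.HttpError(rw, errors.New("Forbidden"), http.StatusForbidden)
				return
			}

			subject, err := authcon.SubjectFromContext(ctx)
			if err != nil {
				log.WithFields(log.Fields{
					"authorization": "forbidden",
					"error":         err,
				}).Warnf(`Subject extraction failed.`)
				pkg.HttpError(rw, errors.New("Forbidden"), http.StatusForbidden)
				return
			}

			// A guard error is treated exactly like a denial: fail closed.
			ok, err := guard.IsGranted(resource, permission, subject, policies, env.Ctx())
			if err != nil || !ok {
				log.WithFields(log.Fields{
					"authorization": "forbidden",
					"error":         err,
					"valid":         ok,
					"subject":       subject,
					"permission":    permission,
					"resource":      resource,
				}).Warnf(`Subject is not allowed perform this action on this resource.`)
				pkg.HttpError(rw, errors.New("Forbidden"), http.StatusForbidden)
				return
			}

			log.WithFields(log.Fields{
				"authorization": "success",
				"subject":       subject,
				"permission":    permission,
				"resource":      resource,
			}).Infof(`Access granted.`)
			next.ServeHTTPContext(ctx, rw, req)
		})
	}
}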
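// IsAuthorized returns a middleware constructor that lets a request reach the
// wrapped handler only when m.Client reports the caller's bearer token as
// allowed permission on resource.
//
// resource and permission name what is being checked; environment supplies
// the evaluation context sent in the AuthorizeRequest and, when nil, is
// derived from the incoming request via middleware.NewEnv. A request without
// a bearer token, a client error, or a negative decision is logged and
// answered with 403 Forbidden without calling the next handler.
func (m *Middleware) IsAuthorized(resource, permission string, environment *middleware.Env) func(chd.ContextHandler) chd.ContextHandler {
	return func(next chd.ContextHandler) chd.ContextHandler {
		return chd.ContextHandlerFunc(func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
			// Resolve the environment into a request-local variable. Assigning
			// the captured parameter (as the original did) both races across
			// concurrent requests and pins every later request to the
			// environment built from the first one that arrived.
			env := environment
			if env == nil {
				env = middleware.NewEnv(req)
			}

			// osin.CheckBearerAuth returns nil when the request carries no
			// bearer token; dereferencing bearer.Code in that case panics the
			// handler, so reject unauthenticated requests explicitly.
			bearer := osin.CheckBearerAuth(req)
			if bearer == nil {
				log.WithFields(log.Fields{
					"authorization": "forbidden",
					"permission":    permission,
					"resource":      resource,
				}).Warnf(`Request carries no bearer token.`)
				rw.WriteHeader(http.StatusForbidden)
				return
			}

			allowed, err := m.Client.IsAllowed(&AuthorizeRequest{
				Resource:   resource,
				Permission: permission,
				Context:    env.Ctx(),
				Token:      bearer.Code,
			})
			// A client error is treated exactly like a denial: fail closed.
			// The "error" field is nil on a plain denial, matching the two
			// separate branches this replaces.
			if err != nil || !allowed {
				log.WithFields(log.Fields{
					"authorization": "forbidden",
					"error":         err,
					"valid":         allowed,
					"permission":    permission,
					"resource":      resource,
				}).Warnf(`Subject is not allowed perform this action on this resource.`)
				rw.WriteHeader(http.StatusForbidden)
				return
			}

			log.WithFields(log.Fields{"authorization": "success"}).Info(`Allowed!`)
			next.ServeHTTPContext(ctx, rw, req)
		})
	}
}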