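// IsAuthorized returns a middleware that passes the request on to next only
// when the policies and subject stored in the request context grant permission
// on resource; every other outcome (missing policies, missing subject, guard
// error, or a negative decision) is answered with 403 Forbidden and logged.
//
// environment may be nil, in which case an Env is derived from each incoming
// request. A non-nil environment is used as-is for every request.
func (m *Middleware) IsAuthorized(resource, permission string, environment *middleware.Env) func(chd.ContextHandler) chd.ContextHandler {
	return func(next chd.ContextHandler) chd.ContextHandler {
		return chd.ContextHandlerFunc(func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
			// Resolve the environment into a per-request local. Assigning the
			// captured parameter instead would pin the Env built from the
			// first request for every later one (and race between concurrent
			// requests), so later callers would be authorized against the
			// wrong request context.
			env := environment
			if env == nil {
				env = middleware.NewEnv(req)
			}

			policies, err := authcon.PoliciesFromContext(ctx)
			if err != nil {
				log.WithFields(log.Fields{
					"authorization": "forbidden",
					"error":         err,
				}).Warn(`Policy extraction failed.`)
				pkg.HttpError(rw, errors.New("Forbidden"), http.StatusForbidden)
				return
			}

			subject, err := authcon.SubjectFromContext(ctx)
			if err != nil {
				log.WithFields(log.Fields{
					"authorization": "forbidden",
					"error":         err,
				}).Warn(`Subject extraction failed.`)
				pkg.HttpError(rw, errors.New("Forbidden"), http.StatusForbidden)
				return
			}

			// A guard error is treated exactly like a denial: fail closed.
			ok, err := guard.IsGranted(resource, permission, subject, policies, env.Ctx())
			if err != nil || !ok {
				log.WithFields(log.Fields{
					"authorization": "forbidden",
					"error":         err,
					"valid":         ok,
					"subject":       subject,
					"permission":    permission,
					"resource":      resource,
				}).Warn(`Subject is not allowed perform this action on this resource.`)
				pkg.HttpError(rw, errors.New("Forbidden"), http.StatusForbidden)
				return
			}

			log.WithFields(log.Fields{
				"authorization": "success",
				"subject":       subject,
				"permission":    permission,
				"resource":      resource,
			}).Info(`Access granted.`)
			next.ServeHTTPContext(ctx, rw, req)
		})
	}
}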
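// IsAuthorized returns a middleware that asks m.Client whether the bearer
// token presented in the request grants permission on resource. The request
// reaches next only on an affirmative answer; a missing token, a client
// error, or a negative decision is answered with 403 Forbidden and logged.
//
// environment may be nil, in which case an Env is derived from each incoming
// request. A non-nil environment is used as-is for every request.
func (m *Middleware) IsAuthorized(resource, permission string, environment *middleware.Env) func(chd.ContextHandler) chd.ContextHandler {
	return func(next chd.ContextHandler) chd.ContextHandler {
		return chd.ContextHandlerFunc(func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
			// Resolve the environment into a per-request local. Assigning the
			// captured parameter instead would pin the Env built from the
			// first request for every later one (and race between concurrent
			// requests).
			env := environment
			if env == nil {
				env = middleware.NewEnv(req)
			}

			// osin.CheckBearerAuth returns nil when the request carries no
			// usable bearer token; dereferencing bearer.Code in that case
			// would panic. No token means nothing to authorize, so refuse
			// with the same status the other refusals use.
			bearer := osin.CheckBearerAuth(req)
			if bearer == nil {
				log.WithFields(log.Fields{
					"authorization": "forbidden",
					"error":         "no bearer token in request",
					"permission":    permission,
					"resource":      resource,
				}).Warn(`Subject is not allowed perform this action on this resource.`)
				rw.WriteHeader(http.StatusForbidden)
				return
			}

			// A client error is treated exactly like a denial: fail closed.
			allowed, err := m.Client.IsAllowed(&AuthorizeRequest{
				Resource:   resource,
				Permission: permission,
				Context:    env.Ctx(),
				Token:      bearer.Code,
			})
			if err != nil || !allowed {
				log.WithFields(log.Fields{
					"authorization": "forbidden",
					"error":         err,
					"valid":         allowed,
					"permission":    permission,
					"resource":      resource,
				}).Warn(`Subject is not allowed perform this action on this resource.`)
				rw.WriteHeader(http.StatusForbidden)
				return
			}

			log.WithFields(log.Fields{"authorization": "success"}).Info(`Allowed!`)
			next.ServeHTTPContext(ctx, rw, req)
		})
	}
}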