Commit d29773cc4616afb3fe833cf21bb191451be2d101

Authored by Marko Tikvić
1 parent 052f8a3a63

ProcessRBAC

Showing 1 changed file with 32 additions and 1 deletions   Show diff stats
... ... @@ -140,7 +140,7 @@ func RefreshAuthToken(req *http.Request) (TokenClaims, error) {
140 140 return CreateAuthToken(claims.Username, Role{claims.Role, claims.RoleID})
141 141 }
142 142  
143   -// RbacCheck returns true if role that made HTTP request is authorized to
  143 +// RbacCheck returns true if user that made HTTP request is authorized to
144 144 // access the resource it is targeting.
145 145 // It exctracts user's role from the JWT token located in Authorization header of
146 146 // http.Request and then compares it with the list of supplied roles and returns
... ... @@ -172,6 +172,37 @@ func RbacCheck(req *http.Request, authRoles []string) bool {
172 172 return false
173 173 }
174 174  
  175 +// ProcessRBAC returns token claims and boolean value based on user's rights to access resource specified in req.
  176 +// It exctracts user's role from the JWT token located in Authorization header of
  177 +// http.Request and then compares it with the list of supplied roles and returns
  178 +// true if there's a match, if "*" is provided or if the authRoles is nil.
  179 +// Otherwise it returns false.
  180 +func ProcessRBAC(req *http.Request, authRoles []string) (*TokenClaims, bool) {
  181 + if authRoles == nil {
  182 + return nil, true
  183 + }
  184 +
  185 + // validate token and check expiration date
  186 + claims, err := GetTokenClaims(req)
  187 + if err != nil {
  188 + return claims, false
  189 + }
  190 + // check if token has expired
  191 + if claims.ExpiresAt < (time.Now()).Unix() {
  192 + return claims, false
  193 + }
  194 +
  195 + // check if role extracted from token matches
  196 + // any of the provided (allowed) ones
  197 + for _, r := range authRoles {
  198 + if claims.Role == r || r == "*" {
  199 + return claims, true
  200 + }
  201 + }
  202 +
  203 + return claims, false
  204 +}
  205 +
175 206 // GetTokenClaims extracts JWT claims from Authorization header of the request.
176 207 // Returns token claims or an error.
177 208 func GetTokenClaims(req *http.Request) (*TokenClaims, error) {
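Review bot: On the error path `if err != nil { return claims, false }` the function hands back whatever pointer GetTokenClaims produced for a token that failed validation; unless GetTokenClaims is known to return nil on error (its body is outside this hunk), that line should be `return nil, false` so callers never act on unverified claims. Relatedly, the `authRoles == nil` branch returns `nil, true`, so a caller that treats the bool as permission and then reads `claims.Username` will panic; the doc comment should state this, e.g. `// The returned claims are nil when authRoles is nil (no token is inspected) and must not be used when the bool is false.` The comment `// validate token and check expiration date` above the GetTokenClaims call is contradicted by the explicit `claims.ExpiresAt` check that follows it, so one of the two statements about who checks expiry should go. Note also that the expiry comparison uses `<`, so a token whose ExpiresAt equals the current second is still accepted, and "exctracts" in the new doc comment is misspelled. RbacCheck (its body ends just above this hunk) appears to implement the same checks and could become `_, ok := ProcessRBAC(req, authRoles); return ok` so the policy exists in one place.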
... ...