package gcloudcx
import (
"github.com/gildas/go-logger"
"github.com/google/uuid"
)
// AuthorizationSubject describes the roles and permissions of a Subject
type AuthorizationSubject struct {
	ID      uuid.UUID            `json:"id"`      // identifier; returned by GetID and used by GetURI when non-Nil
	SelfUri string               `json:"selfUri"`
	Name    string               `json:"name"`    // preferred by String() when non-empty
	Grants  []AuthorizationGrant `json:"grants"`  // consulted in order by CheckScopes; the first matching grant wins
	Version int                  `json:"version"`
	logger  *logger.Logger       `json:"-"`       // set by Initialize; never serialized
}
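// Initialize initializes the object
//
// accepted parameters: uuid.UUID (sets ID), *logger.Logger (parent of the
// subject's logger); parameters of any other type are ignored.
//
// The parameters may be given in any order: the child logger is created only
// after all parameters have been consumed, so its "id" field carries the
// final ID even when the uuid.UUID follows the *logger.Logger.
//
// When no logger is supplied and none is set yet, a logger writing to a
// logger.NilStream is installed so that later logging calls are safe.
//
// implements Initializable
func (subject *AuthorizationSubject) Initialize(parameters ...interface{}) {
	var parent *logger.Logger
	for _, raw := range parameters {
		switch parameter := raw.(type) {
		case uuid.UUID:
			subject.ID = parameter
		case *logger.Logger:
			// remembered, not applied: the child must see the final ID
			parent = parameter
		}
	}
	if parent != nil {
		subject.logger = parent.Child("authorization_subject", "authorization_subject", "id", subject.ID)
	}
	if subject.logger == nil {
		subject.logger = logger.Create("gcloudcx", &logger.NilStream{})
	}
}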
// GetID gets the identifier
//
// It simply exposes the ID field.
//
// implements core.Identifiable
func (subject AuthorizationSubject) GetID() uuid.UUID {
	id := subject.ID
	return id
}
// GetURI gets the URI of this
//
// An explicit identifier passed in ids takes precedence over the subject's
// own ID; when neither is available the collection URI is returned.
//
// implements Addressable
func (subject AuthorizationSubject) GetURI(ids ...uuid.UUID) URI {
	switch {
	case len(ids) > 0:
		// only the first identifier is used; the rest are ignored
		return NewURI("/api/v2/authorization/subjects/%s", ids[0])
	case subject.ID != uuid.Nil:
		return NewURI("/api/v2/authorization/subjects/%s", subject.ID)
	default:
		return URI("/api/v2/authorization/subjects/")
	}
}
// CheckScopes checks if the subject allows or denies the given scopes
//
// Each scope is tested against the subject's Grants in order; the first Grant
// whose CheckScope reports it as granted wins and the remaining Grants are not
// consulted. A scope that no Grant permits ends up in denied (deny by default),
// so every input scope appears in exactly one of the two results.
//
// Assumes Initialize has been called so that subject.logger is set.
//
// See https://developer.genesys.cloud/authorization/platform-auth/scopes#scope-descriptions
func (subject AuthorizationSubject) CheckScopes(scopes ...string) (permitted []string, denied []string) {
	log := subject.logger.Child(nil, "check_scopes")

	// firstGrant returns the first Grant permitting authScope, with its policy.
	firstGrant := func(authScope AuthorizationScope) (AuthorizationGrant, AuthorizationGrantPolicy, bool) {
		for _, grant := range subject.Grants {
			log.Tracef("Checking against grant %s", grant)
			if policy, ok := grant.CheckScope(authScope); ok {
				return grant, policy, true
			}
		}
		var noGrant AuthorizationGrant
		var noPolicy AuthorizationGrantPolicy
		return noGrant, noPolicy, false
	}

	for _, scope := range scopes {
		authScope := AuthorizationScope{}.With(scope)
		grant, policy, ok := firstGrant(authScope)
		if !ok {
			log.Warnf("Scope %s is denied by all Grants", authScope)
			denied = append(denied, scope)
			continue
		}
		log.Debugf("Scope %s permitted by Grant %s (policy: %s)", authScope, grant, policy)
		permitted = append(permitted, scope)
	}
	return permitted, denied
}
// String returns a string representation of the AuthorizationSubject
//
// The Name is used when set; otherwise the textual form of the ID.
//
// implements fmt.Stringer
func (subject AuthorizationSubject) String() string {
	if subject.Name == "" {
		return subject.ID.String()
	}
	return subject.Name
}