Comments (6)
The following example allows any user to perform any action (GET, POST, etc.) on /login. This is just one way to do it. You can also make * a special role that every user has, or hack a new role manager to allow the use of *. Or you can hard-code /login, /logoff, /signup into the matcher or in a custom function.
Model:
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = (g(r.sub, p.sub) || p.sub == "*") && keyMatch(r.obj, p.obj) && (r.act == p.act || p.act == "*")
Policy:
p, *, /login, *
from authz.
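As an added, stand-alone illustration (not code from gin-contrib/authz or Casbin, and not part of this thread), the following Go program re-implements the matcher from the model above in plain Go and evaluates it over the policy lines used by authz_test.go plus the suggested "p, *, /login, *" rule. It answers the later question in this thread about allowing all requests to one route, and it also shows the two checks a reviewer would want before shipping such a rule: the open route only matches the exact path, and the wildcard subject does not widen any other rule. KeyMatch follows Casbin's keyMatch semantics (trailing * is a prefix match, otherwise exact equality); the in-memory Roles map and the empty-string subject standing for an unauthenticated caller are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one line of the posted policy: p = sub, obj, act.
type Rule struct{ Sub, Obj, Act string }

// Enforcer evaluates the posted matcher over a policy and the g role links.
type Enforcer struct {
	Policy []Rule
	Roles  map[string][]string // g links: subject -> roles it holds (hypothetical in-memory store)
}

// KeyMatch mirrors Casbin's keyMatch: a trailing "*" in key2 makes it a prefix
// match, otherwise the two keys must be equal.
func KeyMatch(key1, key2 string) bool {
	i := strings.Index(key2, "*")
	if i == -1 {
		return key1 == key2
	}
	if len(key1) > i {
		return key1[:i] == key2[:i]
	}
	return key1 == key2[:i]
}

// HasRole implements g(sub, role): true when sub is role itself or is linked
// to it, directly or through intermediate roles.
func (e *Enforcer) HasRole(sub, role string) bool {
	if sub == role {
		return true
	}
	seen := map[string]bool{}
	var walk func(string) bool
	walk = func(s string) bool {
		if seen[s] {
			return false
		}
		seen[s] = true
		for _, r := range e.Roles[s] {
			if r == role || walk(r) {
				return true
			}
		}
		return false
	}
	return walk(sub)
}

// Enforce evaluates
//   m = (g(r.sub, p.sub) || p.sub == "*") && keyMatch(r.obj, p.obj) && (r.act == p.act || p.act == "*")
// with effect some(where (p.eft == allow)): any matching rule allows, and a
// request that matches no rule is denied.
func (e *Enforcer) Enforce(sub, obj, act string) bool {
	for _, p := range e.Policy {
		if (e.HasRole(sub, p.Sub) || p.Sub == "*") && KeyMatch(obj, p.Obj) && (act == p.Act || p.Act == "*") {
			return true
		}
	}
	return false
}

// NewExampleEnforcer loads the policy lines from authz_test.go plus the
// suggested "p, *, /login, *" rule and the single g link "cathy, dataset1_admin".
func NewExampleEnforcer() *Enforcer {
	return &Enforcer{
		Policy: []Rule{
			{"alice", "/dataset1/*", "GET"},
			{"alice", "/dataset1/resource1", "POST"},
			{"bob", "/dataset2/resource1", "*"},
			{"bob", "/dataset2/resource2", "GET"},
			{"bob", "/dataset2/folder1/*", "POST"},
			{"dataset1_admin", "/dataset1/*", "*"},
			{"*", "/login", "*"}, // the open route: any subject, any method
		},
		Roles: map[string][]string{"cathy": {"dataset1_admin"}},
	}
}

func main() {
	e := NewExampleEnforcer()
	// Constructed requests; "" stands for an unauthenticated caller.
	for _, r := range []Rule{
		{"", "/login", "GET"},
		{"", "/login", "POST"},
		{"", "/loginadmin", "GET"},         // exact match only: still denied
		{"", "/dataset1/resource1", "GET"}, // wildcard subject does not leak into other rules
		{"alice", "/dataset1/resource2", "POST"},
		{"cathy", "/dataset1/item", "DELETE"},
	} {
		fmt.Printf("Request: %q, %s, %s ---> %v\n", r.Sub, r.Obj, r.Act, e.Enforce(r.Sub, r.Obj, r.Act))
	}
}
```

The rule deliberately uses the exact object "/login" rather than "/login*": with a trailing * keyMatch becomes a prefix match, so "/login*" would also open "/loginadmin" or any other path that happens to start with "/login" (KeyMatch("/loginadmin", "/login*") is true). The "*" subject is only honoured because the matcher carries the explicit p.sub == "*" branch; the g() role link alone would not match it, which is the point of the comment above about making * a special role instead.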
Can you try to run this test: https://github.com/gin-contrib/authz/blob/master/authz_test.go ? The test actually uses the authz middleware and can get the correct result (200 or 403).
from authz.
theos-mbp:github.com theobouwman$ cd gin-contrib/authz/
theos-mbp:authz theobouwman$ go test
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
- using env: export GIN_MODE=release
- using code: gin.SetMode(gin.ReleaseMode)
2018/09/21 17:33:19 Model:
2018/09/21 17:33:19 r.r: sub, obj, act
2018/09/21 17:33:19 p.p: sub, obj, act
2018/09/21 17:33:19 e.e: some(where (p_eft == allow))
2018/09/21 17:33:19 m.m: g(r_sub, p_sub) && keyMatch(r_obj, p_obj) && (r_act == p_act || p_act == "*")
2018/09/21 17:33:19 g.g: _, _
2018/09/21 17:33:19 Policy:
2018/09/21 17:33:19 p: sub, obj, act: [[alice /dataset1/* GET] [alice /dataset1/resource1 POST] [bob /dataset2/resource1 *] [bob /dataset2/resource2 GET] [bob /dataset2/folder1/* POST] [dataset1_admin /dataset1/* *]]
2018/09/21 17:33:19 g: _, _: [[cathy dataset1_admin]]
2018/09/21 17:33:19 Role links for: g
2018/09/21 17:33:19 cathy < dataset1_admin
[GIN-debug] GET /*anypath --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
[GIN-debug] POST /*anypath --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
[GIN-debug] PUT /*anypath --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
[GIN-debug] PATCH /*anypath --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
[GIN-debug] HEAD /*anypath --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
[GIN-debug] OPTIONS /*anypath --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
[GIN-debug] DELETE /*anypath --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
[GIN-debug] CONNECT /*anypath --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
[GIN-debug] TRACE /*anypath --> github.com/gin-contrib/authz.TestBasic.func1 (2 handlers)
2018/09/21 17:33:19 Request: alice, /dataset1/resource1, GET ---> true
2018/09/21 17:33:19 Request: alice, /dataset1/resource1, POST ---> true
2018/09/21 17:33:19 Request: alice, /dataset1/resource2, GET ---> true
2018/09/21 17:33:19 Request: alice, /dataset1/resource2, POST ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 200[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
- using env: export GIN_MODE=release
- using code: gin.SetMode(gin.ReleaseMode)
2018/09/21 17:33:19 Model:
2018/09/21 17:33:19 p.p: sub, obj, act
2018/09/21 17:33:19 e.e: some(where (p_eft == allow))
2018/09/21 17:33:19 m.m: g(r_sub, p_sub) && keyMatch(r_obj, p_obj) && (r_act == p_act || p_act == "*")
2018/09/21 17:33:19 g.g: _, _
2018/09/21 17:33:19 r.r: sub, obj, act
2018/09/21 17:33:19 Policy:
2018/09/21 17:33:19 p: sub, obj, act: [[alice /dataset1/* GET] [alice /dataset1/resource1 POST] [bob /dataset2/resource1 *] [bob /dataset2/resource2 GET] [bob /dataset2/folder1/* POST] [dataset1_admin /dataset1/* *]]
2018/09/21 17:33:19 g: _, _: [[cathy dataset1_admin]]
2018/09/21 17:33:19 Role links for: g
2018/09/21 17:33:19 cathy < dataset1_admin
[GIN-debug] GET /*anypath --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
[GIN-debug] POST /*anypath --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
[GIN-debug] PUT /*anypath --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
[GIN-debug] PATCH /*anypath --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
[GIN-debug] HEAD /*anypath --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
[GIN-debug] OPTIONS /*anypath --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
[GIN-debug] DELETE /*anypath --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
[GIN-debug] CONNECT /*anypath --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
[GIN-debug] TRACE /*anypath --> github.com/gin-contrib/authz.TestPathWildcard.func1 (2 handlers)
2018/09/21 17:33:19 Request: bob, /dataset2/resource1, GET ---> true
2018/09/21 17:33:19 Request: bob, /dataset2/resource1, POST ---> true
2018/09/21 17:33:19 Request: bob, /dataset2/resource1, DELETE ---> true
2018/09/21 17:33:19 Request: bob, /dataset2/resource2, GET ---> true
2018/09/21 17:33:19 Request: bob, /dataset2/resource2, POST ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: bob, /dataset2/resource2, DELETE ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: bob, /dataset2/folder1/item1, GET ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: bob, /dataset2/folder1/item1, POST ---> true
2018/09/21 17:33:19 Request: bob, /dataset2/folder1/item1, DELETE ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: bob, /dataset2/folder1/item2, GET ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: bob, /dataset2/folder1/item2, POST ---> true
2018/09/21 17:33:19 Request: bob, /dataset2/folder1/item2, DELETE ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 200[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
- using env: export GIN_MODE=release
- using code: gin.SetMode(gin.ReleaseMode)
2018/09/21 17:33:19 Model:
2018/09/21 17:33:19 m.m: g(r_sub, p_sub) && keyMatch(r_obj, p_obj) && (r_act == p_act || p_act == "*")
2018/09/21 17:33:19 g.g: _, _
2018/09/21 17:33:19 r.r: sub, obj, act
2018/09/21 17:33:19 p.p: sub, obj, act
2018/09/21 17:33:19 e.e: some(where (p_eft == allow))
2018/09/21 17:33:19 Policy:
2018/09/21 17:33:19 p: sub, obj, act: [[alice /dataset1/* GET] [alice /dataset1/resource1 POST] [bob /dataset2/resource1 *] [bob /dataset2/resource2 GET] [bob /dataset2/folder1/* POST] [dataset1_admin /dataset1/* *]]
2018/09/21 17:33:19 g: _, _: [[cathy dataset1_admin]]
2018/09/21 17:33:19 Role links for: g
2018/09/21 17:33:19 cathy < dataset1_admin
[GIN-debug] GET /*anypath --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
[GIN-debug] POST /*anypath --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
[GIN-debug] PUT /*anypath --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
[GIN-debug] PATCH /*anypath --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
[GIN-debug] HEAD /*anypath --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
[GIN-debug] OPTIONS /*anypath --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
[GIN-debug] DELETE /*anypath --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
[GIN-debug] CONNECT /*anypath --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
[GIN-debug] TRACE /*anypath --> github.com/gin-contrib/authz.TestRBAC.func1 (2 handlers)
2018/09/21 17:33:19 Request: cathy, /dataset1/item, GET ---> true
2018/09/21 17:33:19 Request: cathy, /dataset1/item, POST ---> true
2018/09/21 17:33:19 Request: cathy, /dataset1/item, DELETE ---> true
2018/09/21 17:33:19 Request: cathy, /dataset2/item, GET ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: cathy, /dataset2/item, POST ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: cathy, /dataset2/item, DELETE ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Role links for: g
2018/09/21 17:33:19
2018/09/21 17:33:19 Request: cathy, /dataset1/item, GET ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: cathy, /dataset1/item, POST ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: cathy, /dataset1/item, DELETE ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: cathy, /dataset2/item, GET ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: cathy, /dataset2/item, POST ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 2002018/09/21 17:33:19 Request: cathy, /dataset2/item, DELETE ---> false
[GIN-debug] [WARNING] Headers were already written. Wanted to override status code 403 with 200PASS
ok github.com/gin-contrib/authz 0.022s
theos-mbp:authz theobouwman$
They are being overwritten every time
from authz.
Thanks for the PR!
from authz.
One question, how can I allow all requests to a particular route?
from authz.
@hsluoyz thanks
from authz.