Remove roles (replaced with scope)

jakexks · May 21, 2020 · 856c73b · 856c73b
1 parent 4de1980
commit 856c73b
Show file tree

Hide file tree

Showing 13 changed files with 93 additions and 226 deletions.
diff --git a/auth/auth.go b/auth/auth.go
@@ -4,7 +4,6 @@ package auth
 import (
 	"context"
 	"errors"
-	"strings"
 	"time"
 )
 
@@ -14,7 +13,7 @@ const BearerScheme = "Bearer "
 var (
 	// ErrInvalidToken is when the token provided is not valid
 	ErrInvalidToken = errors.New("invalid token provided")
-	// ErrForbidden is when a user does not have the necessary roles or scoeps to access a resource
+	// ErrForbidden is when a user does not have the necessary scope to access a resource
 	ErrForbidden = errors.New("resource forbidden")
 )
 
@@ -50,8 +49,6 @@ type Account struct {
 	Type string `json:"type"`
 	// Provider who issued the account
 	Provider string `json:"provider"`
-	// Roles associated with the Account
-	Roles []string `json:"roles"`
 	// Any other associated metadata
 	Metadata map[string]string `json:"metadata"`
 	// Scopes the account has access to
@@ -60,36 +57,6 @@ type Account struct {
 	Secret string `json:"secret"`
 }
 
-// HasScope returns a boolean indicating if the account has the given scope
-func (a *Account) HasScope(scopes ...string) bool {
-	if a.Scopes == nil {
-		return false
-	}
-
-	for _, s := range a.Scopes {
-		if s == strings.Join(scopes, ".") {
-			return true
-		}
-	}
-
-	return false
-}
-
-// HasRole returns a boolean indicating if the account has the given role
-func (a *Account) HasRole(role string) bool {
-	if a.Roles == nil {
-		return false
-	}
-
-	for _, r := range a.Roles {
-		if r == role {
-			return true
-		}
-	}
-
-	return false
-}
-
 // Token can be short or long lived
 type Token struct {
 	// The token to be used for accessing resources
@@ -131,9 +98,9 @@ const (
 type Rule struct {
 	// ID of the rule, e.g. "public"
 	ID string
-	// Role the rule requires, a blank role indicates open to the public and * indicates the rule
+	// Scope the rule requires, a blank scope indicates open to the public and * indicates the rule
 	// applies to any valid account
-	Role string
+	Scope string
 	// Resource the rule applies to
 	Resource *Resource
 	// Access determines if the rule grants or denies access to the resource

diff --git a/auth/auth_test.go b/auth/auth_test.go
diff --git a/auth/default.go b/auth/default.go
@@ -50,7 +50,6 @@ func (n *noop) Generate(id string, opts ...GenerateOption) (*Account, error) {
 
 	return &Account{
 		ID:       id,
-		Roles:    options.Roles,
 		Secret:   options.Secret,
 		Metadata: options.Metadata,
 		Scopes:   options.Scopes,

diff --git a/auth/jwt/jwt.go b/auth/jwt/jwt.go
@@ -17,11 +17,6 @@ func NewAuth(opts ...auth.Option) auth.Auth {
 	return j
 }
 
-type rule struct {
-	role     string
-	resource *auth.Resource
-}
-
 type jwt struct {
 	options auth.Options
 	jwt     token.Provider
@@ -59,7 +54,6 @@ func (j *jwt) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
 	account := &auth.Account{
 		ID:       id,
 		Type:     options.Type,
-		Roles:    options.Roles,
 		Scopes:   options.Scopes,
 		Provider: options.Provider,
 		Metadata: options.Metadata,

diff --git a/auth/options.go b/auth/options.go
@@ -121,8 +121,6 @@ func WithClient(c client.Client) Option {
 type GenerateOptions struct {
 	// Metadata associated with the account
 	Metadata map[string]string
-	// Roles/scopes associated with the account
-	Roles []string
 	// Scopes the account has access too
 	Scopes []string
 	// Provider of the account, e.g. oauth
@@ -156,13 +154,6 @@ func WithMetadata(md map[string]string) GenerateOption {
 	}
 }
 
-// WithRoles for the generated account
-func WithRoles(rs ...string) GenerateOption {
-	return func(o *GenerateOptions) {
-		o.Roles = rs
-	}
-}
-
 // WithScopes for the generated account
 func WithScopes(s ...string) GenerateOption {
 	return func(o *GenerateOptions) {

diff --git a/auth/rules/rules.go b/auth/rules/rules.go
@@ -50,29 +50,29 @@ func Verify(namespace string, rules []*auth.Rule, acc *auth.Account, res *auth.R
 
 	// loop through the rules and check for a rule which applies to this account
 	for _, rule := range filteredRules {
-		// a blank role indicates the rule applies to everyone, even nil accounts
-		if rule.Role == "" && rule.Access == auth.AccessDenied {
+		// a blank scope indicates the rule applies to everyone, even nil accounts
+		if rule.Scope == "" && rule.Access == auth.AccessDenied {
 			return auth.ErrForbidden
-		} else if rule.Role == "" && rule.Access == auth.AccessGranted {
+		} else if rule.Scope == "" && rule.Access == auth.AccessGranted {
 			return nil
 		}
 
-		// all further checks require an account within the current scope
-		if acc == nil || !acc.HasScope("namespace", namespace) {
+		// all further checks require an account
+		if acc == nil {
 			continue
 		}
 
 		// this rule applies to any account
-		if rule.Role == "*" && rule.Access == auth.AccessDenied {
+		if rule.Scope == "*" && rule.Access == auth.AccessDenied {
 			return auth.ErrForbidden
-		} else if rule.Role == "" && rule.Access == auth.AccessGranted {
+		} else if rule.Scope == "" && rule.Access == auth.AccessGranted {
 			return nil
 		}
 
-		// if the account has the necessary role
-		if include(acc.Roles, rule.Role) && rule.Access == auth.AccessDenied {
+		// if the account has the necessary scope
+		if include(acc.Scopes, rule.Scope) && rule.Access == auth.AccessDenied {
 			return auth.ErrForbidden
-		} else if rule.Role == "" && rule.Access == auth.AccessGranted {
+		} else if rule.Scope == "" && rule.Access == auth.AccessGranted {
 			return nil
 		}
 	}