package casbinauthz
import (
"net/http"
"github.com/casbin/casbin"
"github.com/revel/revel"
)
// CasbinModule bundles a Casbin enforcer so that its AuthzFilter method can
// be added to a Revel filter chain.
type CasbinModule struct {
	// enforcer decides each (user, path, method) request handed to it by
	// CheckPermission.
	enforcer *casbin.Enforcer
}
// NewCasbinModule returns a CasbinModule that authorizes requests with the
// given enforcer. The enforcer is stored as passed in; it is not checked for
// nil here.
func NewCasbinModule(enforcer *casbin.Enforcer) *CasbinModule {
	return &CasbinModule{enforcer: enforcer}
}
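// AuthzFilter enables the authorization based on Casbin.
//
// Usage:
//  1. Init the Casbin enforcer and wrap it with NewCasbinModule.
//  2. Add the module's AuthzFilter method to the app's filters. It must come
//     after the filter that authenticates the request: the user name is read
//     from the request by GetUserName, which does not verify credentials.
//
// A request that the enforcer does not permit gets a Forbidden result and the
// rest of the filter chain is not run.
func (cm *CasbinModule) AuthzFilter(c *revel.Controller, fc []revel.Filter) {
	// Deny first: nothing after this filter may run for a rejected request.
	if !CheckPermission(cm.enforcer, c.Request) {
		c.Result = c.Forbidden("Access denied by the Authz plugin.")
		return
	}

	// Nothing left to run when this filter is the last one in the chain;
	// indexing fc[0] on an empty chain would panic.
	if len(fc) == 0 {
		return
	}
	fc[0](c, fc[1:])
}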
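// GetUserName gets the user name from the request.
// Currently, only HTTP basic authentication is supported.
//
// The name is decoded from the Authorization header without checking the
// password, so it is only trustworthy when an earlier filter has already
// authenticated the request. An empty string is returned when the header is
// missing or malformed, or when the underlying raw request is not a
// *http.Request.
func GetUserName(r *revel.Request) string {
	// A checked assertion avoids a panic when the raw request has another
	// type; the caller then sees the same empty user as for a request without
	// credentials.
	req, ok := r.In.GetRaw().(*http.Request)
	if !ok || req == nil {
		return ""
	}

	// BasicAuth reports a missing or malformed header through its third
	// result; username is already empty in that case.
	username, _, _ := req.BasicAuth()
	return username
}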
// CheckPermission asks the enforcer whether the request's user may use the
// request's method on the request's path.
// It returns true when permission is granted and false when it is forbidden.
//
// The values are handed to Enforce in the order (user, path, method), so the
// model's request definition has to use the same order. The user comes from
// GetUserName and the path is r.URL.Path as received.
// NOTE(review): confirm that the policy matchers and the router treat unusual
// paths (duplicate slashes, dot segments) the same way.
func CheckPermission(e *casbin.Enforcer, r *revel.Request) bool {
	return e.Enforce(GetUserName(r), r.URL.Path, r.Method)
}