Skip to content

Add Casbin AuthZ middleware example #22

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add Casbin AuthZ middleware example #22

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions authz-casbin/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
# Casbin Authz

Demonstrate how to setup an [Casbin](https://github.com/casbin/casbin) authorization (AuthZ) middleware based on AuthBasicMiddleware.

curl demo:
```
curl -i -u alice:123 http://127.0.0.1:8080/dataset1/1
curl -i -u alice:123 http://127.0.0.1:8080/dataset2/1
```

## How to control the access

The authorization determines a request based on ``{subject, object, action}``, which means what ``subject`` can perform what ``action`` on what ``object``. In this plugin, the meanings are:

1. ``subject``: the logged-on user name
2. ``object``: the URL path for the web resource like "dataset1/item1"
3. ``action``: HTTP method like GET, POST, PUT, DELETE, or the high-level actions you defined like "read-file", "write-blog"


For how to write authorization policy and other details, please refer to [the Casbin's documentation](https://github.com/casbin/casbin).
14 changes: 14 additions & 0 deletions authz-casbin/authz_model.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && (r.act == p.act || p.act == "*")
8 changes: 8 additions & 0 deletions authz-casbin/authz_policy.csv
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
p, alice, /dataset1/*, GET
p, alice, /dataset1/resource1, POST
p, bob, /dataset2/resource1, *
p, bob, /dataset2/resource2, GET
p, bob, /dataset2/folder1/*, POST
p, dataset1_admin, /dataset1/*, *
p, alice, /v2/*, GET
g, cathy, dataset1_admin
39 changes: 39 additions & 0 deletions authz-casbin/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
package main

import (
"github.com/ant0ine/go-json-rest/rest"
"github.com/casbin/casbin"

"log"
"net/http"
)

func main() {
e := casbin.NewEnforcer("authz-casbin/authz_model.conf", "authz-casbin/authz_policy.csv")

api := rest.NewApi()
api.Use(rest.DefaultDevStack...)
api.Use(&rest.AuthBasicMiddleware{
Realm: "test zone",
Authenticator: func(userId string, password string) bool {
if userId == "alice" && password == "123" {
return true
} else if userId == "bob" && password == "123" {
return true
} else if userId == "cathy" && password == "123" {
return true
}
return false
},
Authorizator: func(userId string, request *rest.Request) bool {
method := request.Method
path := request.URL.Path

return e.Enforce(userId, path, method)
},
})
api.SetApp(rest.AppSimple(func(w rest.ResponseWriter, r *rest.Request) {
w.WriteJson(map[string]string{"Body": "Hello World!"})
}))
log.Fatal(http.ListenAndServe(":8080", api.MakeHandler()))
}