initial commit
commit b56a8fabba
9 changed files with 635 additions and 0 deletions
11
.gitignore
vendored
Normal file
@ -0,0 +1,11 @@
/target
/classes
/checkouts
pom.xml
pom.xml.asc
*.jar
*.class
/.lein-*
/.nrepl-port
.hgignore
.hg/
24
CHANGELOG.md
Normal file
@ -0,0 +1,24 @@
# Change Log
All notable changes to this project will be documented in this file. This change log follows the conventions of [keepachangelog.com](http://keepachangelog.com/).

## [Unreleased]
### Changed
- Add a new arity to `make-widget-async` to provide a different widget shape.

## [0.1.1] - 2017-11-03
### Changed
- Documentation on how to make the widgets.

### Removed
- `make-widget-sync` - we're all async, all the time.

### Fixed
- Fixed widget maker to keep working when daylight savings switches over.

## 0.1.0 - 2017-11-03
### Added
- Files from the new template.
- Widget maker public API - `make-widget-sync`.

[Unreleased]: https://github.com/your-name/ring-homogeneous-auth-middleware/compare/0.1.1...HEAD
[0.1.1]: https://github.com/your-name/ring-homogeneous-auth-middleware/compare/0.1.0...0.1.1
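Review bot: this file is still the untouched Leiningen template placeholder: every entry describes `make-widget-async` / `make-widget-sync`, the compare links at the bottom point at `github.com/your-name/...` rather than the `threatgrid` URL given in project.clj, and the listed versions 0.1.1 and 0.1.0 do not match the `"0.0.1"` declared in project.clj. Either replace it with a single entry for this initial release or leave the file out until there is something to record; a changelog that lists features the library does not have is worse than none.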
214
LICENSE
Normal file
@ -0,0 +1,214 @@
THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE PUBLIC
LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM
CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.

1. DEFINITIONS

"Contribution" means:

a) in the case of the initial Contributor, the initial code and
documentation distributed under this Agreement, and

b) in the case of each subsequent Contributor:

i) changes to the Program, and

ii) additions to the Program;

where such changes and/or additions to the Program originate from and are
distributed by that particular Contributor. A Contribution 'originates' from
a Contributor if it was added to the Program by such Contributor itself or
anyone acting on such Contributor's behalf. Contributions do not include
additions to the Program which: (i) are separate modules of software
distributed in conjunction with the Program under their own license
agreement, and (ii) are not derivative works of the Program.

"Contributor" means any person or entity that distributes the Program.

"Licensed Patents" mean patent claims licensable by a Contributor which are
necessarily infringed by the use or sale of its Contribution alone or when
combined with the Program.

"Program" means the Contributions distributed in accordance with this
Agreement.

"Recipient" means anyone who receives the Program under this Agreement,
including all Contributors.

2. GRANT OF RIGHTS

a) Subject to the terms of this Agreement, each Contributor hereby grants
Recipient a non-exclusive, worldwide, royalty-free copyright license to
reproduce, prepare derivative works of, publicly display, publicly perform,
distribute and sublicense the Contribution of such Contributor, if any, and
such derivative works, in source code and object code form.

b) Subject to the terms of this Agreement, each Contributor hereby grants
Recipient a non-exclusive, worldwide, royalty-free patent license under
Licensed Patents to make, use, sell, offer to sell, import and otherwise
transfer the Contribution of such Contributor, if any, in source code and
object code form. This patent license shall apply to the combination of the
Contribution and the Program if, at the time the Contribution is added by the
Contributor, such addition of the Contribution causes such combination to be
covered by the Licensed Patents. The patent license shall not apply to any
other combinations which include the Contribution. No hardware per se is
licensed hereunder.

c) Recipient understands that although each Contributor grants the licenses
to its Contributions set forth herein, no assurances are provided by any
Contributor that the Program does not infringe the patent or other
intellectual property rights of any other entity. Each Contributor disclaims
any liability to Recipient for claims brought by any other entity based on
infringement of intellectual property rights or otherwise. As a condition to
exercising the rights and licenses granted hereunder, each Recipient hereby
assumes sole responsibility to secure any other intellectual property rights
needed, if any. For example, if a third party patent license is required to
allow Recipient to distribute the Program, it is Recipient's responsibility
to acquire that license before distributing the Program.

d) Each Contributor represents that to its knowledge it has sufficient
copyright rights in its Contribution, if any, to grant the copyright license
set forth in this Agreement.

3. REQUIREMENTS

A Contributor may choose to distribute the Program in object code form under
its own license agreement, provided that:

a) it complies with the terms and conditions of this Agreement; and

b) its license agreement:

i) effectively disclaims on behalf of all Contributors all warranties and
conditions, express and implied, including warranties or conditions of title
and non-infringement, and implied warranties or conditions of merchantability
and fitness for a particular purpose;

ii) effectively excludes on behalf of all Contributors all liability for
damages, including direct, indirect, special, incidental and consequential
damages, such as lost profits;

iii) states that any provisions which differ from this Agreement are offered
by that Contributor alone and not by any other party; and

iv) states that source code for the Program is available from such
Contributor, and informs licensees how to obtain it in a reasonable manner on
or through a medium customarily used for software exchange.

When the Program is made available in source code form:

a) it must be made available under this Agreement; and

b) a copy of this Agreement must be included with each copy of the Program.

Contributors may not remove or alter any copyright notices contained within
the Program.

Each Contributor must identify itself as the originator of its Contribution,
if any, in a manner that reasonably allows subsequent Recipients to identify
the originator of the Contribution.

4. COMMERCIAL DISTRIBUTION

Commercial distributors of software may accept certain responsibilities with
respect to end users, business partners and the like. While this license is
intended to facilitate the commercial use of the Program, the Contributor who
includes the Program in a commercial product offering should do so in a
manner which does not create potential liability for other Contributors.
Therefore, if a Contributor includes the Program in a commercial product
offering, such Contributor ("Commercial Contributor") hereby agrees to defend
and indemnify every other Contributor ("Indemnified Contributor") against any
losses, damages and costs (collectively "Losses") arising from claims,
lawsuits and other legal actions brought by a third party against the
Indemnified Contributor to the extent caused by the acts or omissions of such
Commercial Contributor in connection with its distribution of the Program in
a commercial product offering. The obligations in this section do not apply
to any claims or Losses relating to any actual or alleged intellectual
property infringement. In order to qualify, an Indemnified Contributor must:
a) promptly notify the Commercial Contributor in writing of such claim, and
b) allow the Commercial Contributor to control, and cooperate with the
Commercial Contributor in, the defense and any related settlement
negotiations. The Indemnified Contributor may participate in any such claim
at its own expense.

For example, a Contributor might include the Program in a commercial product
offering, Product X. That Contributor is then a Commercial Contributor. If
that Commercial Contributor then makes performance claims, or offers
warranties related to Product X, those performance claims and warranties are
such Commercial Contributor's responsibility alone. Under this section, the
Commercial Contributor would have to defend claims against the other
Contributors related to those performance claims and warranties, and if a
court requires any other Contributor to pay any damages as a result, the
Commercial Contributor must pay those damages.

5. NO WARRANTY

EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED ON
AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE. Each Recipient is solely responsible for determining the
appropriateness of using and distributing the Program and assumes all risks
associated with its exercise of rights under this Agreement , including but
not limited to the risks and costs of program errors, compliance with
applicable laws, damage to or loss of data, programs or equipment, and
unavailability or interruption of operations.

6. DISCLAIMER OF LIABILITY

EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR ANY
CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION
LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE
EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES.

7. GENERAL

If any provision of this Agreement is invalid or unenforceable under
applicable law, it shall not affect the validity or enforceability of the
remainder of the terms of this Agreement, and without further action by the
parties hereto, such provision shall be reformed to the minimum extent
necessary to make such provision valid and enforceable.

If Recipient institutes patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Program itself
(excluding combinations of the Program with other software or hardware)
infringes such Recipient's patent(s), then such Recipient's rights granted
under Section 2(b) shall terminate as of the date such litigation is filed.

All Recipient's rights under this Agreement shall terminate if it fails to
comply with any of the material terms or conditions of this Agreement and
does not cure such failure in a reasonable period of time after becoming
aware of such noncompliance. If all Recipient's rights under this Agreement
terminate, Recipient agrees to cease use and distribution of the Program as
soon as reasonably practicable. However, Recipient's obligations under this
Agreement and any licenses granted by Recipient relating to the Program shall
continue and survive.

Everyone is permitted to copy and distribute copies of this Agreement, but in
order to avoid inconsistency the Agreement is copyrighted and may only be
modified in the following manner. The Agreement Steward reserves the right to
publish new versions (including revisions) of this Agreement from time to
time. No one other than the Agreement Steward has the right to modify this
Agreement. The Eclipse Foundation is the initial Agreement Steward. The
Eclipse Foundation may assign the responsibility to serve as the Agreement
Steward to a suitable separate entity. Each new version of the Agreement will
be given a distinguishing version number. The Program (including
Contributions) may always be distributed subject to the version of the
Agreement under which it was received. In addition, after a new version of
the Agreement is published, Contributor may elect to distribute the Program
(including its Contributions) under the new version. Except as expressly
stated in Sections 2(a) and 2(b) above, Recipient receives no rights or
licenses to the intellectual property of any Contributor under this
Agreement, whether expressly, by implication, estoppel or otherwise. All
rights in the Program not expressly granted under this Agreement are
reserved.

This Agreement is governed by the laws of the State of New York and the
intellectual property laws of the United States of America. No party to this
Agreement will bring a legal action under this Agreement more than one year
after the cause of action arose. Each party waives its rights to a jury trial
in any resulting litigation.
155
README.md
Normal file
@ -0,0 +1,155 @@
# ring-homogeneous-auth-middleware

A Clojure library designed to homogenise many different auth middleware.

## Usage

Generally each auth middleware add the auth informations to the ring-request
hash-map.

So for example a ring-jwt-auth middleware will add a `:jwt` field
containing some informations about the identity and auth details.

Another middleware could also be used, for example one might want
to accept JWT and long term API keys. The other middleware could then
add a `:api-key-infos` field to the hash-map whose value could be
some other kind of information.

This middleware is a simple way to merge all those different informations
in a centralized and normalized way.
The middelware takes multiple _extractors_ as parameters.
An extractor is a function that given a ring-request extract an `IdentityInfo` or nil.

An `IdentityInfo` is defined as:

```clojure
(s/defschema User
"An User should be understood as a unique entity able to be identified.
An user must have an unique id and also a name.

An user could also contain many meta fields that could be provided as meta
data by some authentication layer. Typically, an email, a phone number, etc...
"
(st/merge
{:id s/Str
:name s/Str}
;; could contain other meta datas (email, address, phone number, etc...)
{s/Keyword s/Any}))

(s/defschema Group
"A Group can be understood as a Community of People, an Organization, a
Business, etc...

Mainly this should provide a way to filter document for an organization.

A group must have an unique identifier and a name.

A group could also have some meta informations. For example, a physical
address, an Identity Provider URL, etc.."
(st/merge
{:id s/Str
:name s/Str}
;; could contain other meta datas (Identity Provider URL, etc...)
{s/Keyword s/Any}))

(def Role
"What are the roles of the user.

Mainly this should provide a way to filter route access.

Typical values are: :admin :user :read-only etc... "
s/Keyword)

(s/defschema IdentityInfo
"An IdentityInfo provide the information to identify and determine the
permissions relative to some request.

It provide an user, a set of groups and a set of roles.

It is important to note that roles aren't associated to an user but to an
IdentityInfo. This enable the same user to provide different roles via
different API-Key for example.

An IdentityInfo while having some mandatory informations could also contains
some other informations generally for dealing with technical details and ease
the debugging."
(st/merge
{:user User
:groups #{Group}
:roles #{Role}}
{s/Keyword s/Any}))
```

Then the middleware will passe the ring request through all extractors and the
first return successful extractor will add an `:identity-info` field to the ring
request.

It is used that way:

```clojure
(def extractors [jwt-extractor api-key-extractor])

(let [app ((wrap-fn extractors) handler)]
...)
```

Where here are some example of extractors:

```clojure
;; Extractor code example for some JWT

(s/defn extract-identity-infos :- IdentityInfo
[jwt-info]
{:id {:id (:sub jwt-info)
:name (:sub jwt-info)}
:groups #{{:id (:org_guid jwt-info)
:name (:org_name jwt-info)}}
:roles (if (= "true"
;; this test handle the case when :user_admin is a string
;; and when its a boolean
(str (:user_admin jwt-info)))
#{:admin :user}
#{:user})
:auth-type :jwt})

(s/defn jwt-extractor :- (s/maybe IdentityInfo)
[req]
(some-> req
:jwt
extract-identity-infos))

;; Extractor code example for API Key considering thay :api-key-info field
;; already contains an IdentityInfo

(s/defn api-key-extractor :- (s/maybe IdentityInfo)
[req]
(some-> req
:api-key-infos
(assoc :auth-type :api-key)))
```

Furthermore this middleware also provides the ability to destructure information
if you use compojure-api.
Typically you could:

~~~clojure
(GET "/foo" []
:identity-info [id-info]
(... do something with id-info ...))
~~~

and also

~~~clojure
;; only user with the role :admin could access this route
(GET "/foo" []
:roles-filter #{:admin}
...)
~~~

## License

Copyright © 2017 Cisco

Distributed under the Eclipse Public License either version 1.0 or (at
your option) any later version.
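Review bot: the JWT extractor sample under "Where here are some example of extractors" builds `{:id {:id ... :name ...} ...}`, but the `IdentityInfo` schema shown just above requires a `:user` key, so this example fails validation against the very schema it is annotated with (`:- IdentityInfo`); the copy in core_test.clj uses `:user` and is the form that works. Two more places where the README and the code disagree: the usage snippet calls `((wrap-fn extractors) handler)` while core.clj exports `wrap-auths-fn`, and the comment before `api-key-extractor` names a `:api-key-info` field while the code reads `:api-key-infos`. Under the `:roles-filter` example it would also help to state what happens to a request that carries no `:identity-info` at all (it is rejected, since there are no roles to match), because that is the guarantee someone wiring this in front of a route wants to read before trusting it.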
3
doc/intro.md
Normal file
@ -0,0 +1,3 @@
# Introduction to ring-homogeneous-auth-middleware

TODO: write [great documentation](http://jacobian.org/writing/what-to-write/)
11
project.clj
Normal file
@ -0,0 +1,11 @@
(defproject threatgrid/ring-homogeneous-auth-middleware "0.0.1"
:description "A simple middleware to deal with multiple auth middlewares"
:url "http://github.com/threatgrid/ring-homogeneous-auth-middleware"
:license {:name "Eclipse Public License - v 1.0"
:url "http://www.eclipse.org/legal/epl-v10.html"
:distribution :repo}
:dependencies [[org.clojure/clojure "1.8.0"]
[metosin/ring-http-response "0.8.2"]
[metosin/compojure-api "1.1.9"]
[metosin/schema-tools "0.9.1"]
[prismatic/schema "1.1.3"]])
77
src/ring_homogeneous_auth_middleware/core.clj
Normal file
@ -0,0 +1,77 @@
(ns ring-homogeneous-auth-middleware.core
"This ns provide a middleware that could be used to merge potentially multiple
auth middleware effects.

Given a list of functions taking a ring request and returning a (s/maybe IdentityInfo)
The `wrap-auths-fn` returns a middleware the add the first non nil response
from those functions in the :identity-info key of the ring-request.

Some helpers are also provided for compojure-api usage.
"
(:require [ring-homogeneous-auth-middleware.schemas :refer [IdentityInfo]]
[clojure.set :as set]
[compojure.api.meta :as meta]
[schema.core :as s]))

(s/defn get-identity-info :- (s/maybe IdentityInfo)
"Given a ring request and and a couple auth-key auth-info->identity-info.
We return the identity-info if possible"
[request
[auth-key auth-infos->identity-info]]
(when-let [auth-infos (get request auth-key)]
(auth-infos->identity-info auth-infos)))

(s/defn wrap-auths-fn
"You should provide a list of [[AuthExtractor]]s your ring request should have
a :auth key in them."
[auth-extractors]
(fn [handler]
(fn [request]
(let [identity-info
(->> auth-extractors
(map #(% request))
(remove nil?)
first)
new-request (if identity-info
(assoc request :identity-info identity-info)
request)]
(handler new-request)))))

;; COMPOJURE-API Restructuring

;; Add the :identity-info in the route description
(defmethod meta/restructure-param
:identity-info [_ id-infos acc]
(let [schema (meta/fnk-schema id-infos)
new-letks [id-infos (meta/src-coerce! schema :identity-info :string)]]
(update-in acc [:letks] into new-letks)))

;; Add the :roles-filter
;; to compojure api params
;; it should contains a set of hash-maps
;; example:
;;
;; ~~~
;; (POST "/foo" [] :roles-filter #{:admin})
;; ~~~
;;
;; Will be accepted only for requests having a role in the authorized set.

(defn check-roles-filter!
[authorized-roles request-roles]
(when-not (set? authorized-roles)
(throw (ex-info ":roles-filter argument in compojure-api must be a set!" {})))
(when-not (and (set? request-roles)
(set/intersection authorized-roles request-roles))
(ring.util.http-response/unauthorized!
{:msg "You don't have the required credentials to access this route"})))

(defmethod compojure.api.meta/restructure-param
:roles-filter [_ authorized acc]
(update-in
acc
[:lets]
into
['_ `(check-roles-filter!
~authorized
(:identity-info ~'+compojure-api-request+))]))
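Review bot: the role check in `check-roles-filter!` does not enforce anything as written, for two independent reasons. First, `(set/intersection authorized-roles request-roles)` returns `#{}` when the sets share nothing, and an empty set is truthy in Clojure, so `(and (set? request-roles) (set/intersection ...))` is truthy for any set of request roles and the `unauthorized!` branch is never reached; wrap the intersection in `seq`, or use `(some authorized-roles request-roles)`. Second, the `:roles-filter` restructuring hands `(:identity-info ~'+compojure-api-request+)`, i.e. the whole `IdentityInfo` map, to the `request-roles` parameter, so `(set? request-roles)` is always false and every caller, admin or not, is rejected; it should pass `(:roles (:identity-info ...))`. Today the second bug masks the first (the route fails closed); fixing only the second would flip it to fail-open, so the fix should land together with a test for both the allowed and the denied case, and the nil case (no `:identity-info` on the request) should keep rejecting. Smaller points in the same hunk: `ring.util.http-response/unauthorized!` is called fully qualified without `ring.util.http-response` in the `:require` list, so compilation depends on another namespace having loaded it first, and for a caller whose identity is already established a role mismatch is a 403 (`forbidden!`) rather than a 401; `get-identity-info` is not called anywhere and takes a `[auth-key f]` pair that nothing in this commit constructs; the `wrap-auths-fn` docstring refers to `[[AuthExtractor]]` and an `:auth` key that do not exist in the code; and the comment above `check-roles-filter!` says "a set of hash-maps" while the code and the README example use a set of keywords.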
60
src/ring_homogeneous_auth_middleware/schemas.clj
Normal file
@ -0,0 +1,60 @@
(ns ring-homogeneous-auth-middleware.schemas
(:require [schema.core :as s]
[schema-tools.core :as st]))


(s/defschema User
"An User should be understood as a unique entity able to be identified.
An user must have an unique id and also a name.

An user could also contain many meta fields that could be provided as meta
data by some authentication layer. Typically, an email, a phone number, etc...
"
(st/merge
{:id s/Str
:name s/Str}
;; could contain other meta datas (email, address, phone number, etc...)
{s/Keyword s/Any}))

(s/defschema Group
"A Group can be understood as a Community of People, an Organization, a
Business, etc...

Mainly this should provide a way to filter document for an organization.

A group must have an unique identifier and a name.

A group could also have some meta informations. For example, a physical
address, an Identity Provider URL, etc.."
(st/merge
{:id s/Str
:name s/Str}
;; could contain other meta datas (Identity Provider URL, etc...)
{s/Keyword s/Any}))

(def Role
"What are the roles of the user.

Mainly this should provide a way to filter route access.

Typical values are: :admin :user :read-only etc... "
s/Keyword)

(s/defschema IdentityInfo
"An IdentityInfo provide the information to identify and determine the
permissions relative to some request.

It provide an user, a set of groups and a set of roles.

It is important to note that roles aren't associated to an user but to an
IdentityInfo. This enable the same user to provide different roles via
different API-Key for example.

An IdentityInfo while having some mandatory informations could also contains
some other informations generally for dealing with technical details and ease
the debugging."
(st/merge
{:user User
:groups #{Group}
:roles #{Role}}
{s/Keyword s/Any}))
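Review bot: `Role` is defined as bare `s/Keyword`, so a misspelled role in either an extractor or a `:roles-filter` (say `#{:admins}`) passes schema validation and silently matches nothing; since the docstring already enumerates the expected values, `(s/enum :admin :user :read-only)` (or a project-level set the extractors are checked against) would turn that typo into a validation error at the point where the identity is built instead of a route that quietly denies or grants the wrong callers.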
80
test/ring_homogeneous_auth_middleware/core_test.clj
Normal file
@ -0,0 +1,80 @@
(ns ring-homogeneous-auth-middleware.core-test
(:require [ring-homogeneous-auth-middleware.core :as sut]
[ring-homogeneous-auth-middleware.schemas :refer [IdentityInfo]]
[clojure.test :as t :refer [is use-fixtures]]
[schema.test :refer [deftest]]
[schema.core :as s]))

(use-fixtures :once schema.test/validate-schemas)

;; Extractor code example for some JWT

(s/defn extract-identity-info :- IdentityInfo
[jwt-info]
{:user {:id (:sub jwt-info)
:name (:sub jwt-info)}
:groups #{{:id (:org_guid jwt-info)
:name (:org_name jwt-info)}}
:roles (if (= "true"
;; this test handle the case when :admin is a string
;; and when its a boolean
(str (:admin jwt-info)))
#{:admin :user}
#{:user})
:auth-type :jwt
:jwt jwt-info})

(s/defn jwt-extractor :- (s/maybe IdentityInfo)
[req]
(some-> req
:jwt
extract-identity-info))

;; Extractor code example for API Key

(s/defn api-key-extractor :- (s/maybe IdentityInfo)
[req]
(some-> req
:api-key-infos
(assoc :auth-type :api-key)))

;; Tests

(deftest wrap-auths-test
(let [base-request {:server-port 8080
:server-name "localhost"
:remote-addr "127.0.0.1"
:uri "/"
:scheme :http
:request-method :get
:protocol "HTTP/1.1"
:headers {}}

jwt {:admin true
:sub "testuser@cisco.com"
:org_name "IROH Testing"
:org_guid "00000000-0000-0000-00000000000000000"
:nbf 1487167750
:jti "aaaaaaaa-aaaa-aaaa-aaaaaaaaaaaaaaaaa"
:iat 1487168050
:exp 1487772850}

id-info {:user {:id "testuser@cisco.com"
:name "testuser@cisco.com"}
:groups #{{:id "00000000-0000-0000-00000000000000000"
:name "IROH Testing"}}
:roles #{:admin :user}
:auth-type :jwt
:jwt jwt}

request-jwt (assoc base-request :jwt jwt)
request-api-key (assoc base-request :api-key-infos id-info)
app ((sut/wrap-auths-fn [jwt-extractor api-key-extractor]) identity)]
(is (nil? (:identity-info (app base-request)))
"without any :jwt nor :api-key there shouldnt be any identity-info")
(is (= (:identity-info (app request-jwt))
id-info)
"Should provide identity-info from a jwt field")
(is (= (:identity-info (app request-api-key))
(assoc id-info :auth-type :api-key))
"Should provide identity-info from a api-key field")))
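Review bot: nothing in this test exercises `check-roles-filter!` or the `:roles-filter` restructuring, which is the only authorization decision the library makes; a pair of assertions such as `(is (thrown? clojure.lang.ExceptionInfo (sut/check-roles-filter! #{:admin} #{:user})))` and `(is (nil? (sut/check-roles-filter! #{:admin} #{:admin :user})))` would fail against the current core.clj (the empty intersection is truthy, so the first never throws) and so would have caught the problem before merge. Also worth a comment in the fixture: the sample JWT carries `:nbf`, `:iat` and `:exp` claims that `extract-identity-info` never reads, so the extractor trusts whatever `:jwt` the upstream middleware attached, including an expired token; that is acceptable only if the upstream JWT middleware is the component validating signature and expiry, and the test (or README) should state that assumption rather than leave it implicit. Minor: the `deftest` coming from `schema.test` together with the `validate-schemas` fixture is redundant (either enables validation), and `t` and `IdentityInfo` are required but unused.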