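--- a/faas/internal/services/auth_service.go
+++ b/faas/internal/services/auth_service.go
@@ -0,0 +1,75 @@
+package services
+
+import (
+	"context"
+	"fmt"
+
+	"go.uber.org/zap"
+
+	"github.com/RyanCopley/skybridge/faas/internal/domain"
+)
+
+type authService struct {
+	logger *zap.Logger
+}
+
+func NewAuthService(logger *zap.Logger) AuthService {
+	return &authService{
+		logger: logger,
+	}
+}
+
+// Mock implementation for now - this should integrate with the KMS auth system
+func (s *authService) GetAuthContext(ctx context.Context) (*domain.AuthContext, error) {
+	// For now, return a mock auth context
+	// In a real implementation, this would extract auth info from the request context
+	// that was set by middleware that validates tokens with the KMS service
+
+	return &domain.AuthContext{
+		UserID:      "admin@example.com",
+		AppID:       "faas-service",
+		Permissions: []string{"faas.read", "faas.write", "faas.execute", "faas.deploy", "faas.delete"},
+		Claims: map[string]string{
+			"user_type": "admin",
+		},
+	}, nil
+}
+
+func (s *authService) HasPermission(ctx context.Context, permission string) bool {
+	authCtx, err := s.GetAuthContext(ctx)
+	if err != nil {
+		s.logger.Warn("Failed to get auth context for permission check", zap.Error(err))
+		return false
+	}
+
+	// Check for exact permission match
+	for _, perm := range authCtx.Permissions {
+		if perm == permission {
+			return true
+		}
+
+		// Check for wildcard permissions (e.g., "faas.*" grants all faas permissions)
+		if len(perm) > 2 && perm[len(perm)-1] == '*' {
+			prefix := perm[:len(perm)-1]
+			if len(permission) >= len(prefix) && permission[:len(prefix)] == prefix {
+				return true
+			}
+		}
+	}
+
+	s.logger.Debug("Permission denied",
+		zap.String("user_id", authCtx.UserID),
+		zap.String("permission", permission),
+		zap.Strings("user_permissions", authCtx.Permissions))
+
+	return false
+}
+
+func (s *authService) ValidatePermissions(ctx context.Context, permissions []string) error {
+	for _, permission := range permissions {
+		if !s.HasPermission(ctx, permission) {
+			return fmt.Errorf("insufficient permission: %s", permission)
+		}
+	}
+	return nil
+}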
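Review bot: The mock GetAuthContext fails open — it ignores ctx entirely and returns a fixed admin identity carrying all five faas permissions, so HasPermission and ValidatePermissions grant every caller everything, and nothing in this file stops that path from being wired into a running service. Until the middleware integration exists, the stub should fail closed, e.g. `return nil, fmt.Errorf("auth context not available: KMS integration not implemented")`, or the permissive identity should be reachable only behind an explicit dev-only configuration that the constructor takes and logs. The wildcard branch in HasPermission also matches on raw byte prefix, so a grant like `fa*` would cover `faasadmin.delete`; requiring the wildcard to end in `.*` keeps the match on a namespace boundary, e.g. `if strings.HasSuffix(perm, ".*") && strings.HasPrefix(permission, strings.TrimSuffix(perm, "*"))` (this needs `"strings"` in the import block). The doc comment on GetAuthContext should state plainly that the returned identity is a placeholder and must not be trusted for authorization decisions.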