Merge pull request #15 from AccelByte/AB-718-separate-aud-scope-valid…

…ation AB-718 separate audience and scope validation
AccelByte · Jul 25, 2019 · 5be26e7 · 5be26e7
2 parents 6018671 + bccb83e
commit 5be26e7
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 14 deletions.
diff --git a/go.mod b/go.mod
@@ -4,7 +4,7 @@ go 1.12
 
 require (
 	github.com/AccelByte/go-jose v2.1.4+incompatible
-	github.com/AccelByte/iam-go-sdk v1.0.4
+	github.com/AccelByte/iam-go-sdk v1.0.6
 	github.com/emicklei/go-restful v2.9.3+incompatible
 	github.com/fatih/structs v1.1.0
 	github.com/json-iterator/go v1.1.6 // indirect

diff --git a/go.sum b/go.sum
@@ -12,6 +12,8 @@ github.com/AccelByte/iam-go-sdk v1.0.4-0.20190720063329-3e8a066cb0d6 h1:uBCe+8AP
 github.com/AccelByte/iam-go-sdk v1.0.4-0.20190720063329-3e8a066cb0d6/go.mod h1:oW6iG/HJuNSaTI5La/FL40s3N6pafeP8B8sLu/KrvEg=
 github.com/AccelByte/iam-go-sdk v1.0.4 h1:j5XSRJJ/iYA5hELDGP1m4fV9OWRjD5YvrWZEXI+TDhk=
 github.com/AccelByte/iam-go-sdk v1.0.4/go.mod h1:oW6iG/HJuNSaTI5La/FL40s3N6pafeP8B8sLu/KrvEg=
+github.com/AccelByte/iam-go-sdk v1.0.6 h1:CRUfLZ6l2C4EmeKDHhJndvTf7B4oUbjPXmAxAL0RxCg=
+github.com/AccelByte/iam-go-sdk v1.0.6/go.mod h1:d+GVzVA+ZrXHyux6zVEv9GOWAKDglMmED//QMC0CfBc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -56,12 +58,15 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 h1:HuIa8hRrWRSrqYzx1qI49NNxhdi2PrY7gxVSq1JjLDc=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33 h1:I6FyU15t786LL7oL/hn43zqTuEGr4PN7F4XJ1p4E3Y8=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a h1:1BGLXjeY4akVXGgbC9HugT3Jv3hCI0z56oJR5vAMgBU=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/tools v0.0.0-20190723021737-8bb11ff117ca/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
 gopkg.in/DataDog/dd-trace-go.v1 v1.12.1 h1:zkyLw+Uq6BvGwy5hFeLVI1ePgOkqJswFPL1uOx6SSA4=
 gopkg.in/DataDog/dd-trace-go.v1 v1.12.1/go.mod h1:DVp8HmDh8PuTu2Z0fVVlBsyWaC++fzwVCaGWylTe3tg=
diff --git a/pkg/auth/iam/event.go b/pkg/auth/iam/event.go
@@ -5,13 +5,14 @@
 package iam
 
 const (
-	EIDWithValidUserNonUserAccessToken              = 1154001
-	EIDWithPermissionUnableValidatePermission       = 1155001
-	EIDWithPermissionInsufficientPermission         = 1154002
-	EIDWithRoleUnableValidateRole                   = 1155002
-	EIDWithRoleInsufficientPermission               = 1154003
-	EIDWithVerifiedEmailUnableValidateEmailStatus   = 1155003
-	EIDWithVerifiedEmailInsufficientPermission      = 1154004
-	EIDWithValidAudienceScopeInvalidAudienceOrScope = 1154005
-	UnableToMarshalErrorResponse                    = 1155004
+	EIDWithValidUserNonUserAccessToken            = 1154001
+	EIDWithPermissionUnableValidatePermission     = 1155001
+	EIDWithPermissionInsufficientPermission       = 1154002
+	EIDWithRoleUnableValidateRole                 = 1155002
+	EIDWithRoleInsufficientPermission             = 1154003
+	EIDWithVerifiedEmailUnableValidateEmailStatus = 1155003
+	EIDWithVerifiedEmailInsufficientPermission    = 1154004
+	EIDWithValidAudienceInvalidAudience           = 1154005
+	EIDWithValidScopeInvalidScope                 = 1154006
+	UnableToMarshalErrorResponse                  = 1155004
 )
diff --git a/pkg/auth/iam/iam.go b/pkg/auth/iam/iam.go
@@ -164,12 +164,24 @@ func WithVerifiedEmail() FilterOption {
 	}
 }
 
-// WithValidAudienceScope filters request from a user with verified audience and scope only
-func WithValidAudienceScope(scope string) FilterOption {
+// WithValidAudience filters request from a user with verified audience
+func WithValidAudience(scope string) FilterOption {
 	return func(req *restful.Request, iamClient iam.Client, claims *iam.JWTClaims) error {
-		err := iamClient.ValidateAudienceScope(claims, scope)
+		err := iamClient.ValidateAudience(claims)
 		if err != nil {
-			return respondError(http.StatusUnauthorized, EIDWithValidAudienceScopeInvalidAudienceOrScope,
+			return respondError(http.StatusUnauthorized, EIDWithValidAudienceInvalidAudience,
+				fmt.Sprintf("access forbidden : %s", err.Error()))
+		}
+		return nil
+	}
+}
+
+// WithValidScope filters request from a user with verified scope
+func WithValidScope(scope string) FilterOption {
+	return func(req *restful.Request, iamClient iam.Client, claims *iam.JWTClaims) error {
+		err := iamClient.ValidateScope(claims, scope)
+		if err != nil {
+			return respondError(http.StatusUnauthorized, EIDWithValidScopeInvalidScope,
 				fmt.Sprintf("access forbidden : %s", err.Error()))
 		}
 		return nil