123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123 |
- package auth_jwt
- import (
- "context"
- "github.com/gogf/gf/frame/g"
- "github.com/gogf/gf/os/glog"
- "google.golang.org/grpc"
- "google.golang.org/grpc/codes"
- "google.golang.org/grpc/metadata"
- "google.golang.org/grpc/status"
- "sort"
- )
- // AuthInterceptor is a server interceptor for authentication and authorization
- type AuthInterceptor struct {
- jwtManager *JWTManager
- accessibleRoles map[string][]string
- }
- // NewAuthInterceptor returns a new auth interceptor
- func NewAuthInterceptor(jwtManager *JWTManager, accessibleRoles map[string][]string) *AuthInterceptor {
- return &AuthInterceptor{jwtManager, accessibleRoles}
- }
- // Unary returns a server interceptor function to authenticate and authorize unary RPC
- func (interceptor *AuthInterceptor) Unary() grpc.UnaryServerInterceptor {
- return func(
- ctx context.Context,
- req interface{},
- info *grpc.UnaryServerInfo,
- handler grpc.UnaryHandler,
- ) (interface{}, error) {
- enableJWT := g.Config().GetBool("system.enableJWT")
- if !enableJWT {
- return handler(ctx, req)
- }
- //glog.Info("--> unary interceptor: ", info.FullMethod)
- noAuthenticationList := g.Config().GetStrings("system.noAuthenticationList")
- if IsContains(info.FullMethod, noAuthenticationList) {
- return handler(ctx, req)
- }
- err := interceptor.authorize(ctx, info.FullMethod)
- if err != nil {
- glog.Error(err)
- return nil, err
- }
- return handler(ctx, req)
- }
- }
- // Stream returns a server interceptor function to authenticate and authorize stream RPC
- func (interceptor *AuthInterceptor) Stream() grpc.StreamServerInterceptor {
- return func(
- srv interface{},
- stream grpc.ServerStream,
- info *grpc.StreamServerInfo,
- handler grpc.StreamHandler,
- ) error {
- glog.Info("--> stream interceptor: ", info.FullMethod)
- enableJWT := g.Config().GetBool("system.enableJWT")
- if !enableJWT {
- return handler(srv, stream)
- }
- err := interceptor.authorize(stream.Context(), info.FullMethod)
- if err != nil {
- glog.Error(err)
- return err
- }
- return handler(srv, stream)
- }
- }
- func (interceptor *AuthInterceptor) authorize(ctx context.Context, method string) error {
- accessibleRoles, ok := interceptor.accessibleRoles[method]
- md, ok := metadata.FromIncomingContext(ctx)
- if !ok {
- return status.Errorf(codes.Unauthenticated, "没有提供metadata")
- }
- values := md["authorization"]
- if len(values) == 0 {
- return status.Errorf(codes.Unauthenticated, "不是授权的token")
- }
- accessToken := values[0]
- claims, err := interceptor.jwtManager.Verify(accessToken)
- if err != nil {
- return status.Errorf(codes.Unauthenticated, err.Error())
- }
- //TODO:角色处理
- glog.Info("claims====", claims)
- glog.Info("accessibleRoles====", accessibleRoles)
- //for _, roles := range accessibleRoles {
- // glog.Info(roles)
- // //if roles == claims.Roles {
- // return nil
- // //}
- //}
- return nil
- //return status.Error(codes.PermissionDenied, "没有访问的权限")
- }
- // IsContains 查找值val是否在数组array中存在
- func IsContains(target string, str_array []string) bool {
- sort.Strings(str_array)
- index := sort.SearchStrings(str_array, target)
- if index < len(str_array) && str_array[index] == target {
- return true
- }
- return false
- }
|