@stefanwuthrich
Created November 21, 2017 06:01
Casbin Authorization for qiangxue/golang-restful-starter-kit
package util

import (
	"net/http"

	"github.com/casbin/casbin"
	routing "github.com/go-ozzo/ozzo-routing"
	"github.com/qiangxue/golang-restful-starter-kit/app"
)

// Authorizer is a middleware that controls access to the HTTP service. It is based
// on Casbin, which supports access control models like ACL, RBAC, ABAC.
// The plugin determines whether to allow a request based on (user, path, method).
// user: the authenticated user name.
// path: the URL for the requested resource.
// method: one of the HTTP methods like GET, POST, PUT, DELETE.
//
// This middleware should be inserted fairly early in the middleware stack to
// protect subsequent layers. Denied requests do not go any further.
//
// Note that this middleware must run after authentication (e.g.,
// HTTP basic authentication, OAuth), so that it can get the logged-in user name
// to perform the authorization.
func Authorizer(e *casbin.Enforcer) routing.Handler {
	return func(c *routing.Context) error {
		// The user ID is set on the request scope by the authentication middleware.
		userID := app.GetRequestScope(c).UserID()
		method := c.Request.Method
		path := c.Request.URL.Path

		// Enforce evaluates the (sub, obj, act) request against the loaded model and policy.
		if e.Enforce(userID, path, method) {
			return nil
		}
		// The caller is already authenticated at this point, so a denial is
		// 403 Forbidden rather than 401 Unauthorized.
		return routing.NewHTTPError(http.StatusForbidden, "NOT AUTHORIZED")
	}
}
@stefanwuthrich
Author

casbin conf used:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && (r.act == p.act || p.act == "*")
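
The matcher in the conf above, worked through as an added example (not the gist author's code and not Casbin's implementation): a plain-Go stand-in for `g`, `keyMatch` and the action wildcard, run over constructed policy and role lines. The names `Allowed` and `hasRole`, the users and the `/v1/...` paths are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// rule is one "p, sub, obj, act" policy line.
type rule struct{ sub, obj, act string }

// Constructed sample policy, not taken from the gist.
var policy = []rule{{"admin", "/v1/*", "*"}, {"reader", "/v1/users/*", "GET"}}

// Constructed "g, member, role" lines; carol reaches reader through auditor.
var roles = map[string]string{"alice": "admin", "bob": "reader", "carol": "auditor", "auditor": "reader"}

// hasRole stands in for g(r.sub, p.sub); the walk is bounded so a cyclic table cannot loop.
func hasRole(sub, want string) bool {
	for n := 0; sub != "" && n < 10; n, sub = n+1, roles[sub] {
		if sub == want {
			return true
		}
	}
	return false
}

// keyMatch treats everything before the first '*' in the pattern as a required prefix.
func keyMatch(path, pattern string) bool {
	i := strings.Index(pattern, "*")
	if i == -1 {
		return path == pattern
	}
	return strings.HasPrefix(path, pattern[:i])
}

// Allowed applies the matcher under the "some(where (p.eft == allow))" effect:
// one matching rule allows the request, no matching rule denies it.
func Allowed(user, path, method string) bool {
	for _, p := range policy {
		if hasRole(user, p.sub) && keyMatch(path, p.obj) && (method == p.act || p.act == "*") {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(Allowed("bob", "/v1/users/42", "GET"), Allowed("bob", "/v1/users", "GET"))
}
```

Under this prefix rule a policy object of `/v1/users/*` does not cover `/v1/users` itself, so the collection endpoint needs its own policy line.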
