Merge pull request #11 from Comcast/default-authorize

Default authorize
xmidt-org · Apr 11, 2019 · f2c8d76 · f2c8d76
2 parents 3fd9069 + 9705427
commit f2c8d76
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 8 deletions.
diff --git a/bascule/basculehttp/enforcer.go b/bascule/basculehttp/enforcer.go
@@ -6,8 +6,19 @@ import (
 	"github.com/Comcast/comcast-bascule/bascule"
 )
 
+//go:generate stringer -type=NotFoundBehavior
+
+type NotFoundBehavior int
+
+// Behavior on not found
+const (
+	Forbid NotFoundBehavior = iota
+	Allow
+)
+
 type enforcer struct {
-	rules map[bascule.Authorization]bascule.Validators
+	notFoundBehavior NotFoundBehavior
+	rules            map[bascule.Authorization]bascule.Validators
 }
 
 func (e *enforcer) decorate(next http.Handler) http.Handler {
@@ -20,20 +31,35 @@ func (e *enforcer) decorate(next http.Handler) http.Handler {
 		}
 		rules, ok := e.rules[auth.Authorization]
 		if !ok {
-			response.WriteHeader(http.StatusForbidden)
-			return
-		}
-		err := rules.Check(ctx, auth.Token)
-		if err != nil {
-			WriteResponse(response, http.StatusUnauthorized, err)
-			return
+			switch e.notFoundBehavior {
+			case Forbid:
+				response.WriteHeader(http.StatusForbidden)
+				return
+			case Allow:
+				// continue
+			default:
+				response.WriteHeader(http.StatusForbidden)
+				return
+			}
+		} else {
+			err := rules.Check(ctx, auth.Token)
+			if err != nil {
+				WriteResponse(response, http.StatusUnauthorized, err)
+				return
+			}
 		}
 		next.ServeHTTP(response, request)
 	})
 }
 
 type EOption func(*enforcer)
 
+func WithNotFoundBehavior(behavior NotFoundBehavior) EOption {
+	return func(e *enforcer) {
+		e.notFoundBehavior = behavior
+	}
+}
+
 func WithRules(key bascule.Authorization, v bascule.Validators) EOption {
 	return func(e *enforcer) {
 		e.rules[key] = v

diff --git a/bascule/basculehttp/notfoundbehavior_string.go b/bascule/basculehttp/notfoundbehavior_string.go
diff --git a/bascule/checks.go b/bascule/checks.go
@@ -12,6 +12,12 @@ const (
 	capabilitiesKey = "capabilities"
 )
 
+func CreateAllowAllCheck() ValidatorFunc {
+	return func(_ context.Context, _ Token) error {
+		return nil
+	}
+}
+
 func CreateValidTypeCheck(validTypes []string) ValidatorFunc {
 	return func(_ context.Context, token Token) error {
 		tt := token.Type()
@@ -65,3 +71,19 @@ func CreateListAttributeCheck(key string, checks ...func(context.Context, []inte
 		return errs
 	}
 }
+
+func NonEmptyStringListCheck(ctx context.Context, vals []interface{}) error {
+	if len(vals) == 0 {
+		return errors.New("expected at least one value")
+	}
+	for _, val := range vals {
+		str, ok := val.(string)
+		if !ok {
+			return errors.New("expected value to be a string")
+		}
+		if len(str) == 0 {
+			return errors.New("expected string to be nonempty")
+		}
+	}
+	return nil
+}