package api // Auth can be used by http middleware to // 1) consult required roles in @Auth.Required // 2) update active roles in @Auth.Active type Auth struct { // required roles for this request // - the first dimension of the array reads as a OR // - the second dimension reads as a AND // // Example: // [ [A, B], [C, D] ] reads: roles (A and B) or (C and D) are required // // Warning: must not be mutated Required [][]string // active roles to be updated by authentication // procedures (e.g. jwt) Active []string } // Granted returns whether the authorization is granted // i.e. Auth.Active fulfills Auth.Required func (a *Auth) Granted() bool { var nothingRequired = true // first dimension: OR ; at least one is valid for _, required := range a.Required { // empty list if len(required) < 1 { continue } nothingRequired = false // second dimension: AND ; all required must be fulfilled if a.fulfills(required) { return true } } return nothingRequired } // returns whether Auth.Active fulfills (contains) all @required roles func (a *Auth) fulfills(required []string) bool { for _, requiredRole := range required { var found = false for _, activeRole := range a.Active { if activeRole == requiredRole { found = true break } } // missing role -> fail if !found { return false } } // all @required are fulfilled return true }