in syncer/rpc/auth.go [19:63]
// auth decides whether the caller described by ctx may proceed.
//
// It returns nil without reading any credential when
// config.GetConfig().Sync.RbacEnabled is false. Otherwise it takes the
// restful.HeaderAuth value from the incoming metadata, requires exactly two
// space-separated fields, and hands the second field to authr.Authenticate.
// The call is accepted only when the resulting account is named
// RbacAllowedAccountName and also holds the role RbacAllowedRoleName.
// Every other outcome returns a non-nil error.
func auth(ctx context.Context) error {
	// With RBAC switched off the check is skipped entirely: every caller is
	// accepted, so this setting is the one gate in front of this function.
	if rbacOn := config.GetConfig().Sync.RbacEnabled; !rbacOn {
		return nil
	}

	incoming, hasMD := metadata.FromIncomingContext(ctx)
	if !hasMD {
		return rbac.NewError(rbac.ErrNoAuthHeader, "")
	}

	values := incoming.Get(restful.HeaderAuth)
	if len(values) == 0 {
		detail := fmt.Sprintf("header %s not found nor content empty", restful.HeaderAuth)
		return rbac.NewError(rbac.ErrNoAuthHeader, detail)
	}

	// Only the first header value is looked at, and it must split into exactly
	// two fields on a single space; anything else is rejected as malformed.
	// NOTE(review): the first field (the scheme word) is not compared against
	// an expected value here — confirm whether authr.Authenticate or a caller
	// is meant to enforce it.
	fields := strings.Split(values[0], " ")
	if len(fields) != 2 {
		return rbac.ErrInvalidHeader
	}

	// The token itself is never passed to the logger below; only fixed
	// messages and error values are logged.
	claims, err := authr.Authenticate(ctx, fields[1])
	if err != nil {
		return err
	}

	claimMap, isMap := claims.(map[string]interface{})
	if !isMap {
		log.Error("claims convert failed", rbac.ErrConvert)
		return rbac.ErrConvert
	}

	account, err := rbac.GetAccount(claimMap)
	if err != nil {
		log.Error("get account from token failed", err)
		return err
	}

	// Authorization needs both conditions: the allowed account name and the
	// allowed role. A valid token for any other account or role is refused.
	// NOTE(review): this refusal is returned without a log entry — confirm
	// that denied calls are recorded somewhere for detection purposes.
	if account.Name == RbacAllowedAccountName {
		for _, held := range account.Roles {
			if held == RbacAllowedRoleName {
				return nil
			}
		}
	}
	return errWrongAccountNorRole
}