Casbin 认证

Casbin 是面向 Go 的强大、高效开源访问控制库。它支持在多种模型上执行授权：

ACL（Access Control List）
带超级用户的 ACL
无用户的 ACL，适合没有认证或用户登录的系统
无资源的 ACL，面向一类资源（例如 write-article、read-log），而不是单个资源
RBAC（Role-Based Access Control）
带资源角色的 RBAC，用户和资源都可以有角色
带域/租户的 RBAC，用户可以在每个域/租户拥有不同角色集
ABAC（Attribute-Based Access Control）
RESTful
Deny-override，同时支持允许和拒绝规则，拒绝会覆盖允许

详情请参见 API overview 和 Casbin documentation。

依赖

go get github.com/casbin/casbin/v3

import (
  "github.com/casbin/casbin/v3"
)

实现

Echo 不自带 Casbin 中间件；该集成是对 Casbin enforcer 的一层小包装：

// NewCasbinMiddleware returns middleware for Casbin (https://casbin.org/).
func NewCasbinMiddleware(enforcer *casbin.Enforcer, userGetter func(*echo.Context) (string, error)) echo.MiddlewareFunc {
  return func(next echo.HandlerFunc) echo.HandlerFunc {
    return func(c *echo.Context) error {
      username, err := userGetter(c)
      if err != nil {
        return echo.ErrUnauthorized.Wrap(err)
      }
      if pass, err := enforcer.Enforce(username, c.Request().URL.Path, c.Request().Method); err != nil {
        return echo.ErrInternalServerError.Wrap(err)
      } else if !pass {
        return echo.NewHTTPError(http.StatusForbidden, "access denied")
      }
      return next(c)
    }
  }
}

示例

创建 Casbin 模型文件 auth_model.conf：

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && (r.act == p.act || p.act == "*")

创建 Casbin 策略文件 auth_policy.csv：

p, 1234567890, /dataset1/*, GET
p, alice, /dataset1/*, GET
p, alice, /dataset1/resource1, POST
p, bob, /dataset2/resource1, *
p, bob, /dataset2/resource2, GET
p, bob, /dataset2/folder1/*, POST
p, dataset1_admin, /dataset1/*, *
g, cathy, dataset1_admin

认证和授权是不同的关注点。使用另一个中间件（如 JWT 或 Basic Auth）认证用户，然后提供 userGetter，使 Casbin 可以为请求授权。

搭配 JWT

e.Use(echojwt.JWT([]byte("secret")))               // JWT middleware does authentication
jwtUser := func(c *echo.Context) (string, error) { // JWT user getter for Casbin authorization
  token, err := echo.ContextGet[*jwt.Token](c, "user")
  if err != nil {
    return "", err
  }
  return token.Claims.GetSubject()
}
e.Use(NewCasbinMiddleware(ce, jwtUser)) // Casbin does authorization

用下面命令尝试：

curl -v "http://localhost:8080/dataset1/any" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"

搭配 Basic Auth

// BasicAuth middleware does authentication
e.Use(middleware.BasicAuth(func(c *echo.Context, user, password string) (bool, error) {
  return subtle.ConstantTimeCompare([]byte(user), []byte("alice")) == 1 &&
    subtle.ConstantTimeCompare([]byte(password), []byte("password")) == 1, nil
}))
basicAuthUser := func(c *echo.Context) (string, error) { // Basic auth user getter for Casbin authorization
  username, _, _ := c.Request().BasicAuth() // password is verified by the BasicAuth middleware above
  return username, nil
}
e.Use(NewCasbinMiddleware(ce, basicAuthUser)) // Casbin does authorization

用下面命令尝试：

# should pass
curl -v -u "alice:password" http://localhost:8080/dataset1/any
# should fail
curl -v -u "alice:password" http://localhost:8080/dataset2/resource2

完整 Casbin + JWT 示例

package main

import (
  "log/slog"
  "net/http"

  "github.com/casbin/casbin/v3"
  "github.com/golang-jwt/jwt/v5"
  echojwt "github.com/labstack/echo-jwt/v5"
  "github.com/labstack/echo/v5"
)

// NewCasbinMiddleware returns middleware for Casbin (https://casbin.org/).
func NewCasbinMiddleware(enforcer *casbin.Enforcer, userGetter func(*echo.Context) (string, error)) echo.MiddlewareFunc {
  return func(next echo.HandlerFunc) echo.HandlerFunc {
    return func(c *echo.Context) error {
      username, err := userGetter(c)
      if err != nil {
        return echo.ErrUnauthorized.Wrap(err)
      }
      if pass, err := enforcer.Enforce(username, c.Request().URL.Path, c.Request().Method); err != nil {
        return echo.ErrInternalServerError.Wrap(err)
      } else if !pass {
        return echo.NewHTTPError(http.StatusForbidden, "access denied")
      }
      return next(c)
    }
  }
}

func main() {
  e := echo.New()

  ce, err := casbin.NewEnforcer("auth_model.conf", "auth_policy.csv")
  if err != nil {
    slog.Error("failed to initialize Casbin enforcer", "error", err)
  }

  e.Use(echojwt.JWT([]byte("secret")))               // JWT middleware does authentication
  jwtUser := func(c *echo.Context) (string, error) { // JWT user getter for Casbin authorization
    token, err := echo.ContextGet[*jwt.Token](c, "user")
    if err != nil {
      return "", err
    }
    return token.Claims.GetSubject()
  }
  e.Use(NewCasbinMiddleware(ce, jwtUser)) // Casbin does authorization

  e.GET("/*", func(c *echo.Context) error {
    return c.String(http.StatusOK, "Hello, World!")
  })

  if err := e.Start(":8080"); err != nil {
    e.Logger.Error("failed to start server", "error", err)
  }
}