Documentation

Index
- func AuthorizedResourceControlCreation(resourceControl *dockm.ResourceControl, context *RestrictedRequestContext) bool
- func AuthorizedResourceControlDeletion(resourceControl *dockm.ResourceControl, context *RestrictedRequestContext) bool
- func AuthorizedResourceControlUpdate(resourceControl *dockm.ResourceControl, context *RestrictedRequestContext) bool
- func AuthorizedTeamManagement(teamID dockm.TeamID, context *RestrictedRequestContext) bool
- func AuthorizedUserManagement(userID dockm.UserID, context *RestrictedRequestContext) bool
- func FilterEndpoints(endpoints []dockm.Endpoint, context *RestrictedRequestContext) ([]dockm.Endpoint, error)
- func FilterLeaderTeams(teams []dockm.Team, context *RestrictedRequestContext) []dockm.Team
- func FilterRegistries(registries []dockm.Registry, context *RestrictedRequestContext) ([]dockm.Registry, error)
- func FilterUserTeams(teams []dockm.Team, context *RestrictedRequestContext) []dockm.Team
- func FilterUsers(users []dockm.User, context *RestrictedRequestContext) []dockm.User
- func RetrieveTokenData(request *http.Request) (*dockm.TokenData, error)
- type RequestBouncer
- func (bouncer *RequestBouncer) AdministratorAccess(h http.Handler) http.Handler
- func (bouncer *RequestBouncer) AuthenticatedAccess(h http.Handler) http.Handler
- func (bouncer *RequestBouncer) PublicAccess(h http.Handler) http.Handler
- func (bouncer *RequestBouncer) RestrictedAccess(h http.Handler) http.Handler
- type RestrictedRequestContext
Constants
This section is empty.
Variables
This section is empty.
Functions
func AuthorizedResourceControlCreation
func AuthorizedResourceControlCreation(resourceControl *dockm.ResourceControl, context *RestrictedRequestContext) bool
AuthorizedResourceControlCreation ensures that the user can create a resource control object. A non-administrator user cannot create a resource control where:
- the AdministratorsOnly flag is set
- he wants to add more than one user in the user accesses
- he wants to add a team he is not a member of
func AuthorizedResourceControlDeletion
func AuthorizedResourceControlDeletion(resourceControl *dockm.ResourceControl, context *RestrictedRequestContext) bool
AuthorizedResourceControlDeletion ensures that the user can delete a resource control object. A non-administrator user cannot delete a resource control where:
- the AdministratorsOnly flag is set
- he is not one of the users in the user accesses
- he is not a member of any team within the team accesses
func AuthorizedResourceControlUpdate
func AuthorizedResourceControlUpdate(resourceControl *dockm.ResourceControl, context *RestrictedRequestContext) bool
AuthorizedResourceControlUpdate ensures that the user can update a resource control object. It reuses the creation restrictions and adds extra checks. A non-administrator user cannot update a resource control where:
- he wants to put one or more users in the user accesses
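Worked example of the three rule sets above, added here and not taken from the dockm package itself. The dockm types are not shown on this page, so the example defines its own minimal ResourceControl, UserResourceAccess, TeamResourceAccess and TeamMembership stand-ins (an assumption). It also reads the deletion rule as: a non-administrator may delete only a control that is not administrators-only and that grants access either directly by user or through one of the caller's teams (an assumption as well, since the page lists the two conditions without saying how they combine).

```go
package main

import "fmt"

// Hypothetical stand-ins for the dockm types this package operates on; the real
// definitions are not on the documentation page.
type UserID int
type TeamID int

type UserResourceAccess struct{ UserID UserID }
type TeamResourceAccess struct{ TeamID TeamID }

type ResourceControl struct {
	AdministratorsOnly bool
	UserAccesses       []UserResourceAccess
	TeamAccesses       []TeamResourceAccess
}

type TeamMembership struct {
	UserID UserID
	TeamID TeamID
}

// Same field set as the RestrictedRequestContext documented on the page.
type RestrictedRequestContext struct {
	IsAdmin         bool
	IsTeamLeader    bool
	UserID          UserID
	UserMemberships []TeamMembership
}

func (ctx *RestrictedRequestContext) isMemberOf(teamID TeamID) bool {
	for _, m := range ctx.UserMemberships {
		if m.TeamID == teamID {
			return true
		}
	}
	return false
}

// AuthorizedResourceControlCreation: administrators may do anything; a plain user
// is refused when the control is administrators-only, names more than one user,
// or names a team the caller does not belong to.
func AuthorizedResourceControlCreation(rc *ResourceControl, ctx *RestrictedRequestContext) bool {
	if ctx.IsAdmin {
		return true
	}
	if rc.AdministratorsOnly || len(rc.UserAccesses) > 1 {
		return false
	}
	for _, access := range rc.TeamAccesses {
		if !ctx.isMemberOf(access.TeamID) {
			return false
		}
	}
	return true
}

// AuthorizedResourceControlUpdate: the creation rules, plus a plain user may not
// put any user at all into the user accesses. The explicit admin check is needed
// because the extra length check would otherwise also apply to administrators.
func AuthorizedResourceControlUpdate(rc *ResourceControl, ctx *RestrictedRequestContext) bool {
	if ctx.IsAdmin {
		return true
	}
	return AuthorizedResourceControlCreation(rc, ctx) && len(rc.UserAccesses) == 0
}

// AuthorizedResourceControlDeletion: a plain user may delete only a control that
// is not administrators-only and that grants them access, either directly as a
// user or through a team they belong to (assumption: either path is enough).
func AuthorizedResourceControlDeletion(rc *ResourceControl, ctx *RestrictedRequestContext) bool {
	if ctx.IsAdmin {
		return true
	}
	if rc.AdministratorsOnly {
		return false
	}
	for _, access := range rc.UserAccesses {
		if access.UserID == ctx.UserID {
			return true
		}
	}
	for _, access := range rc.TeamAccesses {
		if ctx.isMemberOf(access.TeamID) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: alice (user 2) is a plain user who belongs to team 1 only.
	alice := &RestrictedRequestContext{UserID: 2, UserMemberships: []TeamMembership{{UserID: 2, TeamID: 1}}}
	ownTeam := &ResourceControl{TeamAccesses: []TeamResourceAccess{{TeamID: 1}}}
	otherTeam := &ResourceControl{TeamAccesses: []TeamResourceAccess{{TeamID: 9}}}
	fmt.Println("alice creates control for team 1:", AuthorizedResourceControlCreation(ownTeam, alice))
	fmt.Println("alice creates control for team 9:", AuthorizedResourceControlCreation(otherTeam, alice))
	fmt.Println("alice deletes control for team 9:", AuthorizedResourceControlDeletion(otherTeam, alice))
}
```

The ordering inside each function matters: the administrator short-circuit comes first, so every later rule only ever narrows what a non-administrator may do, and a new rule added at the bottom cannot accidentally widen access.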
func AuthorizedTeamManagement
func AuthorizedTeamManagement(teamID dockm.TeamID, context *RestrictedRequestContext) bool
AuthorizedTeamManagement ensures that access to the management of the specified team is granted. It checks whether the user is either an administrator or a leader of that team.
func AuthorizedUserManagement
func AuthorizedUserManagement(userID dockm.UserID, context *RestrictedRequestContext) bool
AuthorizedUserManagement ensures that access to the management of the specified user is granted. It checks whether the user is either an administrator or the owner of the user account.
func FilterEndpoints
func FilterEndpoints(endpoints []dockm.Endpoint, context *RestrictedRequestContext) ([]dockm.Endpoint, error)
FilterEndpoints filters endpoints based on user role and team memberships. Non-administrator users only have access to authorized endpoints.
func FilterLeaderTeams
func FilterLeaderTeams(teams []dockm.Team, context *RestrictedRequestContext) []dockm.Team
FilterLeaderTeams filters teams based on user role. Team leaders only have access to the teams they lead.
func FilterRegistries
func FilterRegistries(registries []dockm.Registry, context *RestrictedRequestContext) ([]dockm.Registry, error)
FilterRegistries filters registries based on user role and team memberships. Non-administrator users only have access to authorized registries.
func FilterUserTeams
func FilterUserTeams(teams []dockm.Team, context *RestrictedRequestContext) []dockm.Team
FilterUserTeams filters teams based on user role. Non-administrator users only have access to the teams they are members of.
func FilterUsers
func FilterUsers(users []dockm.User, context *RestrictedRequestContext) []dockm.User
FilterUsers filters users based on user role. Non-administrator users only have access to non-administrator users.
func RetrieveTokenData
func RetrieveTokenData(request *http.Request) (*dockm.TokenData, error)
RetrieveTokenData returns the TokenData object stored in the request context.
Types
type RequestBouncer
type RequestBouncer struct {
// contains filtered or unexported fields
}
RequestBouncer represents an entity that manages API request accesses.
func NewRequestBouncer
func NewRequestBouncer(jwtService dockm.JWTService, teamMembershipService dockm.TeamMembershipService, authDisabled bool) *RequestBouncer
NewRequestBouncer initializes a new RequestBouncer.
func (*RequestBouncer) AdministratorAccess
func (bouncer *RequestBouncer) AdministratorAccess(h http.Handler) http.Handler
AdministratorAccess defines a chain of middleware for restricted endpoints. Both authentication and the administrator role are required to access these endpoints.
func (*RequestBouncer) AuthenticatedAccess
func (bouncer *RequestBouncer) AuthenticatedAccess(h http.Handler) http.Handler
AuthenticatedAccess defines a security check for private endpoints. Authentication is required to access these endpoints.
func (*RequestBouncer) PublicAccess
func (bouncer *RequestBouncer) PublicAccess(h http.Handler) http.Handler
PublicAccess defines a security check for public endpoints. No authentication is required to access these endpoints.
func (*RequestBouncer) RestrictedAccess
func (bouncer *RequestBouncer) RestrictedAccess(h http.Handler) http.Handler
RestrictedAccess defines a security check for restricted endpoints. Authentication is required to access these endpoints. The request context is enhanced with a RestrictedRequestContext object that downstream handlers can use to authorize or filter access to resources.
type RestrictedRequestContext
type RestrictedRequestContext struct {
IsAdmin bool
IsTeamLeader bool
UserID dockm.UserID
UserMemberships []dockm.TeamMembership
}
RestrictedRequestContext is a data structure containing the information used in RestrictedAccess.
func RetrieveRestrictedRequestContext
func RetrieveRestrictedRequestContext(request *http.Request) (*RestrictedRequestContext, error)
RetrieveRestrictedRequestContext returns the RestrictedRequestContext object stored in the request context.
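To show how RestrictedAccess, RetrieveRestrictedRequestContext and one of the filter functions fit together in a handler chain, here is an added example that is not the dockm package's own code. It replaces the JWTService with a constructed bearer-token table (an assumption), defines minimal Team and TeamMembership stand-ins because the dockm types are not on this page, and stores the RestrictedRequestContext under an unexported context key so that only this package can read or set it.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"log"
	"net/http"
	"strings"
)

// Hypothetical stand-ins for the dockm types; their real definitions are not on the page.
type UserID int
type TeamID int
type Team struct{ ID TeamID; Name string }
type TeamMembership struct{ UserID UserID; TeamID TeamID }

// Same field set as the RestrictedRequestContext documented on the page.
type RestrictedRequestContext struct {
	IsAdmin         bool
	IsTeamLeader    bool
	UserID          UserID
	UserMemberships []TeamMembership
}

// identity is what the bouncer learns about a caller; it stands in for the claims the
// real JWTService would verify. The demo bouncer keeps a constructed token table instead.
type identity struct{ userID UserID; isAdmin bool; memberships []TeamMembership }
type RequestBouncer struct{ tokens map[string]identity }

// Unexported key type, so no other package can read or overwrite this context value.
type contextKey int

const restrictedContextKey contextKey = iota

// RestrictedAccess rejects unauthenticated requests and, for the rest, stores a
// RestrictedRequestContext in the request context for downstream handlers.
func (bouncer *RequestBouncer) RestrictedAccess(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, ok := bouncer.tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		rctx := &RestrictedRequestContext{IsAdmin: id.isAdmin, UserID: id.userID, UserMemberships: id.memberships}
		h.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), restrictedContextKey, rctx)))
	})
}

// RetrieveRestrictedRequestContext reads back what RestrictedAccess stored; a handler
// mounted outside that middleware gets an error instead of a nil pointer.
func RetrieveRestrictedRequestContext(r *http.Request) (*RestrictedRequestContext, error) {
	rctx, ok := r.Context().Value(restrictedContextKey).(*RestrictedRequestContext)
	if !ok || rctx == nil {
		return nil, errors.New("unable to find restricted request context in request")
	}
	return rctx, nil
}

// FilterUserTeams: administrators see every team, other users only the teams they belong to.
func FilterUserTeams(teams []Team, rctx *RestrictedRequestContext) []Team {
	if rctx.IsAdmin {
		return teams
	}
	member := map[TeamID]bool{}
	for _, m := range rctx.UserMemberships {
		member[m.TeamID] = true
	}
	var visible []Team
	for _, t := range teams {
		if member[t.ID] {
			visible = append(visible, t)
		}
	}
	return visible
}

// TeamsHandler writes the names of the teams the caller may see, comma separated.
func TeamsHandler(teams []Team) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rctx, err := RetrieveRestrictedRequestContext(r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		var names []string
		for _, t := range FilterUserTeams(teams, rctx) {
			names = append(names, t.Name)
		}
		fmt.Fprint(w, strings.Join(names, ","))
	})
}

// NewDemoBouncer holds constructed tokens: "admin-token" is an administrator and
// "alice-token" a plain user who belongs to team 1 only.
func NewDemoBouncer() *RequestBouncer {
	return &RequestBouncer{tokens: map[string]identity{
		"admin-token": {userID: 1, isAdmin: true},
		"alice-token": {userID: 2, memberships: []TeamMembership{{UserID: 2, TeamID: 1}}},
	}}
}

var demoTeams = []Team{{ID: 1, Name: "dev"}, {ID: 2, Name: "ops"}}

func main() {
	http.Handle("/teams", NewDemoBouncer().RestrictedAccess(TeamsHandler(demoTeams)))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Run it and request /teams on 127.0.0.1:8080 with the header Authorization: Bearer alice-token to get "dev", with admin-token to get "dev,ops", and with no token to get a 401. The point of the design is that the handler never inspects the token itself: it only trusts what RestrictedAccess placed in the context, and if someone mounts TeamsHandler without the middleware the retrieval fails closed with an error rather than serving an unfiltered list.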