security

package
Published: Jan 19, 2026 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

const (
	// Resolver selectors. Default (the empty string) selects no user/group
	// resolution at all; see GetUserGroupCache for the four supported resolvers.
	Default = ""
	Ldap    = "ldap"
	Test    = "test"
	Os      = "os"
)
const (
	// Fixed user names, presumably the identities known to the test resolver
	// (see GetUserGroupCacheTest). They exist for testing only and must not be
	// relied on in a production configuration.
	Testuser  = "testuser"
	Testuser1 = "testuser1"
	Testuser2 = "testuser2"
	Testuser3 = "testuser3"
	Testuser4 = "testuser4"
	Testuser5 = "testuser5"
)

Variables

This section is empty.

Functions

func ValidateSecretValue added in v1.8.0

func ValidateSecretValue(key, value string) (interface{}, error)

ValidateSecretValue validates a single secret value based on its key. It returns a non-nil error when the value is not acceptable for that key; which keys are recognised and what the returned interface{} holds on success is not documented here — check the implementation before relying on the returned value.

Types

type ACL

type ACL struct {
	// contains filtered or unexported fields
}

func NewACL

func NewACL(aclStr string, silence bool) (ACL, error)

NewACL parses aclStr into a new ACL. A non-nil error is returned when the string cannot be parsed. What the silence flag suppresses (presumably log output about parse problems) is not documented here — confirm against the implementation.

func (ACL) CheckAccess

func (a ACL) CheckAccess(userObj UserGroup) bool

CheckAccess reports whether the user described by userObj is granted access by this ACL.

type ConfigReader added in v1.8.0

type ConfigReader interface {
	// ReadLdapConfig loads the LDAP resolver configuration, including the bind
	// credentials, from wherever the implementation sources it. The returned
	// config should be checked with LdapValidator.ValidateConfig before use.
	ReadLdapConfig() (*LdapConfig, error)
}

func GetConfigReader added in v1.8.0

func GetConfigReader() ConfigReader

type LdapAccess added in v1.8.0

type LdapAccess interface {
	// DialURL establishes a connection to the LDAP server.
	// NOTE(review): transport security (TLS, certificate verification) is
	// governed by the options passed here — confirm which DialOpt values the
	// resolver supplies, especially when LdapConfig.Insecure is set.
	DialURL(url string, options ...ldap.DialOpt) (*ldap.Conn, error)

	// Bind authenticates with the LDAP server.
	// password is a secret; implementations must not log or echo it.
	Bind(conn *ldap.Conn, username, password string) error

	// Search performs an LDAP search operation
	Search(conn *ldap.Conn, searchRequest *ldap.SearchRequest) (*ldap.SearchResult, error)

	// Close closes the LDAP connection
	Close(conn *ldap.Conn)
}

LdapAccess defines the interface for LDAP operations

func GetLdapAccess added in v1.8.0

func GetLdapAccess() LdapAccess

type LdapConfig added in v1.8.0

type LdapConfig struct {
	Host         string   // LDAP server host
	Port         int      // LDAP server port
	BaseDN       string   // presumably the search base DN
	Filter       string   // presumably the search filter; NOTE(review): if user names are interpolated into it they must be LDAP-escaped
	GroupAttr    string   // presumably the attribute carrying group membership
	ReturnAttr   []string // presumably the attributes requested from the search
	BindUser     string   // identity used to bind
	BindPassword string   // bind credential: a secret, keep it out of logs and diagnostics
	Insecure     bool     // presumably relaxes transport security (e.g. TLS verification); unsafe outside test environments
	// contains filtered or unexported fields
}

LdapConfig holds the configuration for the LDAP resolver. BindUser and BindPassword are the credentials used to bind to the directory; BindPassword is a secret and must not be logged or echoed in diagnostics. Insecure is presumably the switch that relaxes transport security (for example certificate verification) — treat a configuration with Insecure set as unsafe outside test environments.

type LdapLookup added in v1.8.0

type LdapLookup struct {
	// contains filtered or unexported fields
}

func (LdapLookup) LDAPLookupGroupIds added in v1.8.0

func (lu LdapLookup) LDAPLookupGroupIds(osUser *user.User) ([]string, error)

func (LdapLookup) LdapLookupGroupID added in v1.8.0

func (LdapLookup) LdapLookupGroupID(gid string) (*user.Group, error)

func (LdapLookup) LdapLookupUser added in v1.8.0

func (LdapLookup) LdapLookupUser(userName string) (*user.User, error)

LdapLookupUser resolves a user by name. Default Linux behaviour is assumed: the user is a member of the primary group that carries the same name as the user.

type LdapValidator added in v1.8.0

type LdapValidator struct {
	// contains filtered or unexported fields
}

LdapValidator provides validation for LDAP configuration

func NewLdapValidator added in v1.8.0

func NewLdapValidator() *LdapValidator

NewLdapValidator creates a new validator instance

func (*LdapValidator) ValidateConfig added in v1.8.0

func (v *LdapValidator) ValidateConfig(config *LdapConfig) bool

ValidateConfig validates the entire LDAP configuration and reports whether it is usable. The boolean result alone does not say which checks failed; the ValidationIssue and ValidationLevel types in this package suggest that the collected issues are available separately — see the implementation.

type UserGroup

type UserGroup struct {
	User   string   // user name this entry was resolved for
	Groups []string // groups resolved for User
	// NOTE(review): GetUserGroup returns a UserGroup even on error, with the
	// (unexported) Failed flag set; check the error before trusting Groups.
	// contains filtered or unexported fields
}

UserGroup is the structure of a single entry in the user/group cache: the user name and the groups resolved for it.

type UserGroupCache

type UserGroupCache struct {
	// contains filtered or unexported fields
}

UserGroupCache is the cache of resolved user entries.

func GetUserGroupCache

func GetUserGroupCache(ugr configs.UserGroupResolver, ldapConfigReader ConfigReader, ldapAccess LdapAccess) *UserGroupCache

Get the resolver for the user and group info. The current setup allows four resolvers:
* NO resolver: default, no user or group resolution, the info is returned as passed in (k8s use case)
* OS resolver: uses the OS libraries to resolve user and group memberships
* Test resolver: fake resolution for testing
* Ldap resolver: uses the LDAP protocol to resolve user and group memberships
With the NO resolver the user and groups are whatever the caller supplied, so any authorization built on them is only as strong as the caller's upstream authentication.

func GetUserGroupCacheLdap added in v1.8.0

func GetUserGroupCacheLdap(reader ConfigReader, access LdapAccess) *UserGroupCache

func GetUserGroupCacheOS

func GetUserGroupCacheOS() *UserGroupCache

Get the cache with the OS resolver and use that to resolve all user requests.

func GetUserGroupCacheTest

func GetUserGroupCacheTest() *UserGroupCache

Get the cache with a test resolver; its cache cleaner runs every second.

func GetUserGroupNoResolve

func GetUserGroupNoResolve() *UserGroupCache

Get the cache without a resolver. In k8shim we currently have users internal to K8s that might not resolve against anything, so the object is simply echoed back in the correct format based on the user passed in. Because nothing is resolved, the returned user and group information is exactly what the caller supplied and must already have been authenticated upstream.

func (*UserGroupCache) ConvertUGI

func (c *UserGroupCache) ConvertUGI(ugi *si.UserGroupInformation, force bool) (UserGroup, error)

func (*UserGroupCache) GetUserGroup

func (c *UserGroupCache) GetUserGroup(userName string) (UserGroup, error)

Get the user group information. An error still returns a UserGroup: the Failed flag in the object is set to true for any failure. The information is cached both negatively and positively, so a failed lookup keeps being served from the cache for as long as the negative entry lives. Callers must check the returned error (or the Failed flag) before using the returned Groups for an access decision.

func (*UserGroupCache) Stop added in v1.5.0

func (c *UserGroupCache) Stop()

type ValidationIssue added in v1.8.0

type ValidationIssue struct {
	Field   string          // configuration field the issue refers to
	Message string          // human-readable description of the problem
	Level   ValidationLevel // severity: ValidationWarning or ValidationError
}

ValidationIssue represents a single validation problem

type ValidationLevel added in v1.8.0

type ValidationLevel int

ValidationLevel defines the severity of validation issues

const (
	// ValidationWarning indicates a non-critical issue that allows operation but might cause problems
	ValidationWarning ValidationLevel = iota
	// ValidationError indicates a critical issue that prevents proper operation
	ValidationError
	// Severity increases with the value: ValidationWarning (0) < ValidationError (1).
)
