auth

package

v1.16.103 Latest Latest Go to latest Published: Aug 14, 2023 License: MPL-2.0 Imports: 15 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/hernad/consul

Links

Open Source Insights

Documentation ¶

Index ¶

Variables
func BuildTokenDescription(prefix string, meta map[string]string) (string, error)
func IsValidBindName(bindType, bindName string, availableVariables []string) (bool, error)
type ACLCache
type Binder
- func NewBinder(store BinderStateStore, datacenter string) *Binder
- func (b *Binder) Bind(authMethod *structs.ACLAuthMethod, verifiedIdentity *authmethod.Identity) (*Bindings, error)
type BinderStateStore
type Bindings
- func (b *Bindings) None() bool
type Login
- func NewLogin(binder *Binder, writer *TokenWriter) *Login
- func (l *Login) TokenForVerifiedIdentity(identity *authmethod.Identity, authMethod *structs.ACLAuthMethod, ...) (*structs.ACLToken, error)
type MockACLCache
- func NewMockACLCache(t mockConstructorTestingTNewMockACLCache) *MockACLCache
- func (_m *MockACLCache) RemoveIdentityWithSecretToken(secretToken string)
type RaftApplyFn
type TokenWriter
- func NewTokenWriter(cfg TokenWriterConfig) *TokenWriter
- func (w *TokenWriter) Create(token *structs.ACLToken, fromLogin bool) (*structs.ACLToken, error)
- func (w *TokenWriter) Delete(secretID string, fromLogout bool) error
- func (w *TokenWriter) Update(token *structs.ACLToken) (*structs.ACLToken, error)
type TokenWriterConfig
type TokenWriterStore

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrCannotWriteGlobalToken = errors.New("Cannot upsert global tokens within this datacenter")

ErrCannotWriteGlobalToken indicates that writing a token failed because the token is global and this is a non-primary datacenter.

Functions ¶

func BuildTokenDescription ¶

func BuildTokenDescription(prefix string, meta map[string]string) (string, error)

BuildTokenDescription builds a description for an ACLToken by encoding the given meta as JSON and applying the prefix.

func IsValidBindName ¶

func IsValidBindName(bindType, bindName string, availableVariables []string) (bool, error)

IsValidBindName returns whether the given BindName template produces valid results when interpolating the auth method's available variables.

Types ¶

type ACLCache ¶

type ACLCache interface {
	RemoveIdentityWithSecretToken(secretToken string)
}

type Binder ¶

type Binder struct {
	// contains filtered or unexported fields
}

Binder is responsible for collecting the ACL roles, service identities, node identities, and enterprise metadata to be assigned to a token generated as a result of "logging in" via an auth method.

It does so by applying the auth method's configured binding rules and in the case of enterprise, namespace rules.

func NewBinder ¶

func NewBinder(store BinderStateStore, datacenter string) *Binder

NewBinder creates a Binder with the given state store and datacenter.

func (*Binder) Bind ¶

func (b *Binder) Bind(authMethod *structs.ACLAuthMethod, verifiedIdentity *authmethod.Identity) (*Bindings, error)

Bind collects the ACL roles, service identities, etc. to be assigned to the created token.

type BinderStateStore ¶

type BinderStateStore interface {
	ACLBindingRuleList(ws memdb.WatchSet, methodName string, entMeta *acl.EnterpriseMeta) (uint64, structs.ACLBindingRules, error)
	ACLRoleGetByName(ws memdb.WatchSet, roleName string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLRole, error)
}

BinderStateStore is the subset of state store methods used by the binder.

type Bindings ¶

type Bindings struct {
	Roles             []structs.ACLTokenRoleLink
	ServiceIdentities []*structs.ACLServiceIdentity
	NodeIdentities    []*structs.ACLNodeIdentity
	EnterpriseMeta    acl.EnterpriseMeta
}

Bindings contains the ACL roles, service identities, node identities and enterprise meta to be assigned to the created token.

func (*Bindings) None ¶

func (b *Bindings) None() bool

None indicates that the resulting bindings would not give the created token access to any resources.

type Login struct {
	// contains filtered or unexported fields
}

Login wraps the process of creating an ACLToken from the identity verified by an auth method.

func NewLogin ¶

func NewLogin(binder *Binder, writer *TokenWriter) *Login

NewLogin returns a new Login with the given binder and writer.

func (l *Login) TokenForVerifiedIdentity(identity *authmethod.Identity, authMethod *structs.ACLAuthMethod, description string) (*structs.ACLToken, error)

TokenForVerifiedIdentity creates an ACLToken for the given identity verified by an auth method.

type MockACLCache ¶

type MockACLCache struct {
	mock.Mock
}

MockACLCache is an autogenerated mock type for the ACLCache type

func NewMockACLCache ¶

func NewMockACLCache(t mockConstructorTestingTNewMockACLCache) *MockACLCache

NewMockACLCache creates a new instance of MockACLCache. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.

func (*MockACLCache) RemoveIdentityWithSecretToken ¶

func (_m *MockACLCache) RemoveIdentityWithSecretToken(secretToken string)

RemoveIdentityWithSecretToken provides a mock function with given fields: secretToken

type RaftApplyFn ¶

type RaftApplyFn func(structs.MessageType, interface{}) (interface{}, error)

type TokenWriter ¶

type TokenWriter struct {
	TokenWriterConfig
}

TokenWriter encapsulates the logic of writing ACL tokens to the state store including validation, cache purging, etc.

func NewTokenWriter ¶

func NewTokenWriter(cfg TokenWriterConfig) *TokenWriter

NewTokenWriter creates a new token writer.

func (*TokenWriter) Create ¶

func (w *TokenWriter) Create(token *structs.ACLToken, fromLogin bool) (*structs.ACLToken, error)

Create a new token. Setting fromLogin to true changes behavior slightly for tokens created by login (as opposed to set manually via the API).

func (*TokenWriter) Delete ¶

func (w *TokenWriter) Delete(secretID string, fromLogout bool) error

Delete the ACL token with the given SecretID from the state store.

func (*TokenWriter) Update ¶

func (w *TokenWriter) Update(token *structs.ACLToken) (*structs.ACLToken, error)

Update an existing token.

type TokenWriterConfig ¶

type TokenWriterConfig struct {
	RaftApply RaftApplyFn
	ACLCache  ACLCache
	Store     TokenWriterStore
	CheckUUID lib.UUIDCheckFunc

	MaxExpirationTTL time.Duration
	MinExpirationTTL time.Duration

	PrimaryDatacenter   string
	InPrimaryDatacenter bool
	LocalTokensEnabled  bool
}

type TokenWriterStore ¶

type TokenWriterStore interface {
	ACLTokenGetByAccessor(ws memdb.WatchSet, accessorID string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLToken, error)
	ACLTokenGetBySecret(ws memdb.WatchSet, secretID string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLToken, error)
	ACLRoleGetByID(ws memdb.WatchSet, id string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLRole, error)
	ACLRoleGetByName(ws memdb.WatchSet, name string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLRole, error)
	ACLPolicyGetByID(ws memdb.WatchSet, id string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLPolicy, error)
	ACLPolicyGetByName(ws memdb.WatchSet, name string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLPolicy, error)
	ACLTokenUpsertValidateEnterprise(token *structs.ACLToken, existing *structs.ACLToken) error
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL