Documentation
¶
Index ¶
- Variables
- func ApplyImpersonationCtx(ctx context.Context) (context.Context, error)
- func ApplyImpersonationFromMessage(ctx context.Context, userId, userName, role string) (context.Context, error)
- func AuthMiddleware(c Config) func(next http.Handler) http.Handler
- func ContextWithAuthInfo(ctx context.Context, info *AuthInfo) context.Context
- func ContextWithFullAccess(ctx context.Context) context.Context
- func ContextWithImpersonatedBy(ctx context.Context, original *AuthInfo) context.Context
- func DetectImpersonation(ctx context.Context) context.Context
- func GenerateToken(privateKey []byte, claims jwt.MapClaims) (string, error)
- func IsFullAccess(ctx context.Context) bool
- func IsImpersonated(ctx context.Context) bool
- func ParsePrivateKey(key []byte) (interface{}, error)
- type AnonymousConfig
- type AnonymousProvider
- type ApiKeyConfig
- type ApiKeyProvider
- type AuthInfo
- type AuthProvider
- type Config
- type CookieExtractor
- type DBApiKey
- type JwtConfig
- type JwtProvider
- type ProviderInfo
- type UserAuthInfoConfig
Constants ¶
This section is empty.
Variables ¶
// ErrForbidden is the sentinel error with the message "forbidden".
var ErrForbidden = errors.New("forbidden")
// ErrNeedAuth is the sentinel error with the message "authentication required".
var ErrNeedAuth = errors.New("authentication required")
// ErrSkipAuth is the sentinel error with the message "skip authentication".
// NOTE(review): presumably returned by a provider that does not apply to the
// request so that another provider can be tried — confirm, and confirm that
// it can never leave a request treated as authenticated.
var ErrSkipAuth = errors.New("skip authentication")
// ErrTokenExpired is the sentinel error with the message "token expired".
var ErrTokenExpired = errors.New("token expired")
Functions ¶
func ApplyImpersonationCtx ¶ added in v0.3.21
ApplyImpersonationCtx checks whether the context contains an AsUser identity override. If it does, the function verifies that the current auth is admin (secret key), overrides AuthInfo, and sets ImpersonatedBy. It returns the context unchanged if no AsUser is present.
func ApplyImpersonationFromMessage ¶ added in v0.3.21
func ApplyImpersonationFromMessage(ctx context.Context, userId, userName, role string) (context.Context, error)
ApplyImpersonationFromMessage applies an identity override from IPC message fields. This is allowed only when the connection was authenticated via secret key.
func AuthMiddleware ¶
AuthMiddleware provides middleware for authentication. It checks whether the API key is allowed or the token is valid, and gets the user and role from the headers or the token. If the request is anonymous, it checks whether that is allowed and adds the role.
func ContextWithAuthInfo ¶
func ContextWithImpersonatedBy ¶ added in v0.3.21
ContextWithImpersonatedBy stores the original admin identity when impersonation is active.
func DetectImpersonation ¶ added in v0.3.21
DetectImpersonation checks whether the current auth context represents an impersonation via override headers on a secret-key authenticated request. If it does, the function sets the ImpersonatedBy context for audit purposes.
func GenerateToken ¶ added in v0.1.9
func IsFullAccess ¶
func IsImpersonated ¶ added in v0.3.21
IsImpersonated returns true if the current request is running under impersonation.
func ParsePrivateKey ¶ added in v0.1.9
Types ¶
type AnonymousConfig ¶
type AnonymousProvider ¶
// AnonymousProvider is the provider type returned by NewAnonymous. It has
// Authenticate, Name and Type methods.
type AnonymousProvider struct {
// Config is the provider's AnonymousConfig.
Config AnonymousConfig
}
func NewAnonymous ¶
func NewAnonymous(config AnonymousConfig) *AnonymousProvider
func (*AnonymousProvider) Authenticate ¶
func (p *AnonymousProvider) Authenticate(r *http.Request) (*AuthInfo, error)
func (*AnonymousProvider) Name ¶ added in v0.1.9
func (p *AnonymousProvider) Name() string
func (*AnonymousProvider) Type ¶ added in v0.1.9
func (p *AnonymousProvider) Type() string
type ApiKeyConfig ¶
// ApiKeyConfig is the configuration accepted by NewApiKey. Every field is
// loadable from JSON or YAML under the tag names shown.
type ApiKeyConfig struct {
// NOTE(review): Key is presumably the expected API key value, i.e. a
// secret stored in the configuration — confirm, and keep it out of logs
// and version-controlled config if so.
Key string `json:"key" yaml:"key"`
// NOTE(review): Header is presumably the request header that carries the
// key — confirm.
Header string `json:"header" yaml:"header"`
// NOTE(review): DefaultRole is presumably the role applied when the
// request does not name one — confirm.
DefaultRole string `json:"default_role" yaml:"default-role"`
// NOTE(review): Headers presumably names the request headers that supply
// user identity and role; values from such headers are client-controlled,
// so verify they are honoured only after the key has been checked.
Headers UserAuthInfoConfig `json:"headers" yaml:"headers"`
}
type ApiKeyProvider ¶
type ApiKeyProvider struct {
// contains filtered or unexported fields
}
func NewApiKey ¶
func NewApiKey(name string, config ApiKeyConfig) *ApiKeyProvider
func (*ApiKeyProvider) Authenticate ¶
func (p *ApiKeyProvider) Authenticate(r *http.Request) (*AuthInfo, error)
func (*ApiKeyProvider) Name ¶
func (p *ApiKeyProvider) Name() string
func (*ApiKeyProvider) Type ¶ added in v0.1.9
func (p *ApiKeyProvider) Type() string
type AuthInfo ¶
// AuthInfo is the identity record returned by the providers' Authenticate
// methods and stored in a context by ContextWithAuthInfo.
type AuthInfo struct {
Role string
UserId string
UserName string
// NOTE(review): AuthType and AuthProvider presumably correspond to the
// providers' Type() and Name() values — confirm.
AuthType string
AuthProvider string
// NOTE(review): Token presumably holds the credential presented with the
// request — confirm, and avoid logging or serialising AuthInfo wholesale
// if so.
Token string
}
func AuthInfoFromContext ¶
func ImpersonatedByFromContext ¶ added in v0.3.21
ImpersonatedByFromContext returns the original admin identity if impersonation is active.
type AuthProvider ¶
type Config ¶
// Config is the configuration passed to AuthMiddleware. Its Info method
// returns a []ProviderInfo.
type Config struct {
// Providers lists the configured AuthProvider values.
// NOTE(review): the order in which they are consulted is not shown on
// this page — confirm.
Providers []AuthProvider
// NOTE(review): RedirectLoginPaths, LoginUrl and RedirectUrl presumably
// control redirecting unauthenticated requests to a login page — confirm,
// including that redirect targets cannot be influenced by the request.
RedirectLoginPaths []string
LoginUrl string
RedirectUrl string
// NOTE(review): DBApiKeysEnabled presumably enables the DBApiKey
// provider — confirm.
DBApiKeysEnabled bool
}
func (*Config) Info ¶ added in v0.1.9
func (c *Config) Info() []ProviderInfo
type CookieExtractor ¶ added in v0.1.9
type CookieExtractor string
func (CookieExtractor) ExtractToken ¶ added in v0.1.9
func (c CookieExtractor) ExtractToken(r *http.Request) (string, error)
type DBApiKey ¶ added in v0.1.9
type DBApiKey struct {
// contains filtered or unexported fields
}
func NewDBApiKey ¶ added in v0.1.9
func (*DBApiKey) Authenticate ¶ added in v0.1.9
type JwtConfig ¶
// JwtConfig is the configuration accepted by NewJwt. Every field is loadable
// from JSON or YAML under the tag names shown.
type JwtConfig struct {
Issuer string `json:"issuer" yaml:"issuer"`
// NOTE(review): PublicKey is presumably the key used to verify token
// signatures — confirm the expected encoding.
PublicKey []byte `json:"public_key" yaml:"public-key"`
// NOTE(review): CookieName is presumably the cookie a token may be read
// from — confirm.
CookieName string `json:"cookie_name" yaml:"cookie-name"`
ScopeRolePrefix string `json:"scope_role_prefix" yaml:"scope-role-prefix"`
// RoleHeader is the header to check for the role if the role is not in
// the claims; then check that the scope contains prefix+role. The original
// remark about the case of many roles is cut off on this page.
// NOTE(review): the header value is client-controlled; presumably it is
// accepted only when the token scope contains ScopeRolePrefix+role —
// confirm against the JwtProvider implementation.
RoleHeader string `json:"role_header" yaml:"role-header"`
Claims UserAuthInfoConfig `json:"claims" yaml:"claims"`
}
type JwtProvider ¶
type JwtProvider struct {
Issuer string
// contains filtered or unexported fields
}
func NewJwt ¶
func NewJwt(config *JwtConfig) (*JwtProvider, error)
func (*JwtProvider) Authenticate ¶
func (p *JwtProvider) Authenticate(r *http.Request) (*AuthInfo, error)
func (*JwtProvider) Name ¶ added in v0.1.9
func (p *JwtProvider) Name() string
func (*JwtProvider) Type ¶ added in v0.1.9
func (p *JwtProvider) Type() string