package access

v0.9.13
Published: Oct 12, 2020 License: GPL-3.0 Imports: 16 Imported by: 0

Constants

const (
	// EffectAllow describes a rule that adds permissions
	EffectAllow = Effect("allow")
	// EffectDeny describes a rule that removes permissions
	EffectDeny = Effect("deny")
)

Variables

var (
	// ErrAccessDenied is returned by Policy.Enforce when the request is not permitted
	ErrAccessDenied = fmt.Errorf("access denied")

	// DefaultAccessControlPolicyFilename is the file name for the policy;
	// the file is expected to be in YAML format
	DefaultAccessControlPolicyFilename = "access_control_policy.yaml"
)
var (
	// Timestamp is a replaceable function for getting the current time,
	// can be overridden for tests
	Timestamp = func() time.Time { return time.Now() }
	// ErrTokenNotFound is returned by stores that cannot find an access token
	// for a given key
	ErrTokenNotFound = errors.New("access token not found")
	// ErrInvalidToken indicates an access token is invalid
	ErrInvalidToken = errors.New("invalid access token")
	// DefaultTokenTTL is the default token time-to-live (14 days)
	DefaultTokenTTL = time.Hour * 24 * 14
)

Functions

func CtxWithToken added in v0.9.13

func CtxWithToken(ctx context.Context, t Token) context.Context

CtxWithToken adds a token value to a context

func ResourceStrFromRef

func ResourceStrFromRef(ref dsref.Ref) string

ResourceStrFromRef takes a dsref.Ref and returns a string that can be parsed as a resource

Types

type Action

type Action []string

Action is a description of the action the Subject is attempting to take on the Resource

func MustParseAction

func MustParseAction(str string) Action

MustParseAction parses a string into an Action. It panics if the string cannot be parsed correctly

func ParseAction

func ParseAction(str string) (Action, error)

ParseAction parses a string into an Action

func (Action) Contains

func (a Action) Contains(b Action) bool

Contains determines whether the given action is described by the rule's Action. It returns true if the action matches, with `*` treated as a glob pattern

func (Action) MarshalJSON

func (a Action) MarshalJSON() ([]byte, error)

MarshalJSON marshals the Action into a string separated by ":"

func (*Action) UnmarshalJSON

func (a *Action) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals the given slice of bytes into an Action

type Actions

type Actions []Action

Actions is a slice of Action

func (Actions) Contains

func (as Actions) Contains(b Action) bool

Contains determines if the given action is contained by the Actions

type CtxKey added in v0.9.13

type CtxKey string

CtxKey defines a distinct type for context keys used by the access package

const TokenCtxKey CtxKey = "Token"

TokenCtxKey is the key for adding an access token to a context.Context

type Effect

type Effect string

Effect is the set of outcomes a rule can have

type Policy

type Policy []Rule

Policy is a set of rules

Example
const examplePolicy = `
[
	{
		"title": "pull any dataset",
		"effect": "allow",
		"subject": "*",
		"resources": [
			"dataset:*"
		],
		"actions": [
			"remote:pull"
		]
	},
	{
		"title": "push and delete user-owned datasets",
		"effect": "allow",
		"subject": "*",
		"resources": [
			"dataset:_subject:*"
		],
		"actions": [
			"remote:push",
			"remote:remove"
		]
	}
]
`

p := &Policy{}
if err := json.Unmarshal([]byte(examplePolicy), p); err != nil {
	panic(err)
}

bob := &profile.Profile{
	ID:       profile.IDB58DecodeOrEmpty("QmZePf5LeXow3RW5U1AgEiNbW46YnRGhZ7HPvm1UmPFPwt"),
	Peername: "bob",
}

if err := p.Enforce(bob, "dataset:someone_else:world_bank_population", "remote:pull"); err == nil {
	fmt.Println("bob can pull someone_else/world_bank_population")
}
if err := p.Enforce(bob, "dataset:bob:bobs_dataset", "remote:remove"); err == nil {
	fmt.Println("bob can remote-delete his own dataset")
}
if err := p.Enforce(bob, "dataset:someone_else:dataset", "remote:remove"); err == ErrAccessDenied {
	fmt.Println("bob can't remote-delete someone else's dataset")
}
Output:
bob can pull someone_else/world_bank_population
bob can remote-delete his own dataset
bob can't remote-delete someone else's dataset

func (Policy) Enforce

func (pol Policy) Enforce(subject *profile.Profile, resource, action string) error

Enforce evaluates a request against the policy, returning either nil or ErrAccessDenied

type RawToken added in v0.9.13

type RawToken struct {
	Key string
	Raw string
}

RawToken is a struct that binds a key to a raw token string

type RawTokens added in v0.9.13

type RawTokens []RawToken

RawTokens is a list of tokens that implements sort.Interface, ordering by key

func (RawTokens) Len added in v0.9.13

func (rts RawTokens) Len() int

func (RawTokens) Less added in v0.9.13

func (rts RawTokens) Less(a, b int) bool

func (RawTokens) Swap added in v0.9.13

func (rts RawTokens) Swap(i, j int)

type Resource

type Resource []string

Resource is a stateful thing in qri

func MustParseResource

func MustParseResource(str string) Resource

MustParseResource wraps ParseResource, panics on error. Useful for tests

func ParseResource

func ParseResource(str string) (Resource, error)

ParseResource constructs a resource from a string

func (Resource) Contains

func (r Resource) Contains(b Resource, subjectUsername string) bool

Contains determines whether the given resource is covered by the rule's resource. It returns true if the rule's resource contains the `matchAll` symbol, and it returns true if the rule's resource contains the `matchSubject` symbol and subjectUsername appears in that position of the given resource. This allows rules of the form "only allow subjects to do this action if the resource matches the subject's name"

func (Resource) MarshalJSON

func (r Resource) MarshalJSON() ([]byte, error)

MarshalJSON marshals the resource into a string separated by ":"

func (*Resource) UnmarshalJSON

func (r *Resource) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals a slice of bytes into a Resource

type Resources

type Resources []Resource

Resources is a collection of resources

func (Resources) Contains

func (rs Resources) Contains(b Resource, subjectUsername string) bool

Contains iterates over all Resources in the slice and returns true at the first resource that contains the given resource

type Rule

type Rule struct {
	Title     string    // human-legible title for the rule, informative only
	Subject   string    // User this rule is about
	Resources Resources // Thing being accessed. eg: a dataset,
	Actions   Actions   // Thing user can do
	Effect    Effect    // "allow" or "deny"
}

Rule is a permissions statement. It determines who (subject) can/can't (effect) do something (actions) to things (resources)
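The following is an added example, not code from the qri access package, that models the matching semantics the documentation above describes for Action.Contains, Resource.Contains, Rule and Policy.Enforce: ":"-separated paths, the `*` wildcard, the `_subject` placeholder, and allow/deny rules. The helper names (segmentsMatch, matches, ExamplePolicy), the deny-overrides evaluation order, and passing a username string where the real Enforce takes a *profile.Profile are this example's assumptions; the policy it builds restates the two rules from the Example above plus a constructed deny rule.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed model of the matching rules this page describes, not the qri
// access package's own code; the "*" and "_subject" symbols are assumptions.
const (
	matchAll     = "*"
	matchSubject = "_subject"
)

var ErrAccessDenied = errors.New("access denied")

// Action and Resource are ":"-separated paths such as "remote:pull" or "dataset:bob:*".
type Action []string
type Resource []string

func ParseAction(s string) Action     { return strings.Split(s, ":") }
func ParseResource(s string) Resource { return strings.Split(s, ":") }

// segmentsMatch walks a rule pattern against a request path: "*" matches the rest
// of the path, "_subject" matches the caller's username, anything else must match exactly.
func segmentsMatch(pattern, req []string, subject string) bool {
	for i, seg := range pattern {
		if seg == matchAll {
			return true
		}
		if seg == matchSubject {
			seg = subject
		}
		if i >= len(req) || seg != req[i] {
			return false
		}
	}
	return len(pattern) == len(req)
}

func (a Action) Contains(b Action) bool                   { return segmentsMatch(a, b, "") }
func (r Resource) Contains(b Resource, subject string) bool { return segmentsMatch(r, b, subject) }

type Rule struct {
	Subject   string // username, or "*" for anyone
	Resources []Resource
	Actions   []Action
	Effect    string // "allow" or "deny"
}

// matches reports whether the rule names the subject and covers the resource and the action.
func (r Rule) matches(user string, res Resource, act Action) bool {
	resOK, actOK := false, false
	for _, rr := range r.Resources {
		resOK = resOK || rr.Contains(res, user)
	}
	for _, ra := range r.Actions {
		actOK = actOK || ra.Contains(act)
	}
	return (r.Subject == matchAll || r.Subject == user) && resOK && actOK
}

type Policy []Rule
// Enforce returns nil only if a matching rule allows the request and no matching
// rule denies it. Deny-overrides ordering is this example's assumption.
func (pol Policy) Enforce(user, resource, action string) error {
	res, act := ParseResource(resource), ParseAction(action)
	allowed := false
	for _, rule := range pol {
		if rule.matches(user, res, act) {
			if rule.Effect == "deny" {
				return ErrAccessDenied
			}
			allowed = true
		}
	}
	if !allowed {
		return ErrAccessDenied
	}
	return nil
}

// ExamplePolicy restates the page's two rules and adds a constructed deny rule for bob.
func ExamplePolicy() Policy {
	return Policy{
		{Subject: "*", Effect: "allow", Resources: []Resource{ParseResource("dataset:*")},
			Actions: []Action{ParseAction("remote:pull")}},
		{Subject: "*", Effect: "allow", Resources: []Resource{ParseResource("dataset:_subject:*")},
			Actions: []Action{ParseAction("remote:push"), ParseAction("remote:remove")}},
		{Subject: "bob", Effect: "deny", Resources: []Resource{ParseResource("dataset:bob:frozen")},
			Actions: []Action{ParseAction("remote:*")}},
	}
}

func main() {
	p := ExamplePolicy()
	fmt.Println(p.Enforce("bob", "dataset:bob:bobs_dataset", "remote:remove")) // <nil>
	fmt.Println(p.Enforce("bob", "dataset:bob:frozen", "remote:push"))         // access denied
}
```

Two points a reviewer of a policy file should check against this model: a pattern segment only matches the request when lengths agree (so "remote:pull" does not cover "remote:pull:extra", while a trailing `*` covers any depth), and "_subject" binds to the caller's own username, so "dataset:_subject:*" can never grant access to another user's datasets. The deny-overrides ordering is only what this example assumes; the page documents just that Enforce returns nil or ErrAccessDenied, so confirm the real package's precedence before relying on deny rules.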

func (*Rule) UnmarshalJSON

func (r *Rule) UnmarshalJSON(d []byte) error

UnmarshalJSON unmarshals the slice of bytes into a Rule

func (*Rule) Validate

func (r *Rule) Validate() error

Validate returns a descriptive error if the rule is not well-formed

type Token added in v0.9.13

type Token = jwt.Token

Token abstracts a json web token

func ParseToken added in v0.9.13

func ParseToken(tokenString string, tokens TokenSource) (*Token, error)

ParseToken will parse, validate and return a token

func TokenFromCtx added in v0.9.13

func TokenFromCtx(ctx context.Context) *Token

TokenFromCtx extracts the JWT from a given context if one is set, returning nil otherwise

type TokenClaims added in v0.9.13

type TokenClaims struct {
	*jwt.StandardClaims
	Username string `json:"username"`
}

TokenClaims is a JWT Claims object

type TokenSource added in v0.9.13

type TokenSource interface {
	CreateToken(pro *profile.Profile, ttl time.Duration) (string, error)
	CreateTokenWithClaims(claims jwt.MapClaims, ttl time.Duration) (string, error)
	// VerificationKey returns the verification key for a given token
	VerificationKey(t *Token) (interface{}, error)
}

TokenSource creates tokens, and provides a verification key for all tokens it creates

Implementations of TokenSource must conform to the assertion test defined in the spec subpackage

func NewPrivKeyTokenSource added in v0.9.13

func NewPrivKeyTokenSource(privKey crypto.PrivKey) (TokenSource, error)

NewPrivKeyTokenSource creates an authentication interface backed by a single private key. Intended for a node running as remote, or providing a public API

type TokenStore added in v0.9.13

type TokenStore interface {
	PutToken(ctx context.Context, key, rawToken string) error
	RawToken(ctx context.Context, key string) (rawToken string, err error)
	DeleteToken(ctx context.Context, key string) (err error)
	ListTokens(ctx context.Context, offset, limit int) (results []RawToken, err error)
}

TokenStore is a store intended for clients, who need to persist secret JWTs given to them by other remotes for API access. It deals in raw, string-formatted JSON web tokens, which are more useful when working with APIs, but validates that the tokens are well-formed when they are placed in the store

Implementations of TokenStore must conform to the assertion test defined in the spec subpackage

func NewTokenStore added in v0.9.13

func NewTokenStore(filepath string, fs qfs.Filesystem) (TokenStore, error)

NewTokenStore creates a token store with a qfs.Filesystem
