Documentation
Overview
Package gopherpolicy provides integration between goslo.policy and Gophercloud for services that need to validate OpenStack (Keystone v3) tokens and check permissions.
Index
- func DeserializeCompactContextFromJSON(buf []byte) (policy.Context, error)
- func SerializeCompactContextToJSON(c policy.Context) ([]byte, error)
- type Cacher
- func InMemoryCacher() Cacher
- type Enforcer
- type Token
- func (t *Token) ApplicationCredentialID() string
- func (t *Token) AsInitiator(host cadf.Host) cadf.Resource
- func (t *Token) Check(rule string) bool
- func (t *Token) DomainScopeName() string
- func (t *Token) DomainScopeUUID() string
- func (t *Token) IsAdminProject() bool
- func (t *Token) ProjectScopeDomainName() string
- func (t *Token) ProjectScopeDomainUUID() string
- func (t *Token) ProjectScopeName() string
- func (t *Token) ProjectScopeUUID() string
- func (t *Token) Require(w http.ResponseWriter, rule string) bool
- func (t *Token) UserDomainName() string
- func (t *Token) UserDomainUUID() string
- func (t *Token) UserName() string
- func (t *Token) UserUUID() string
- type TokenResult
- type TokenValidator
- func (v *TokenValidator) CheckCredentials(ctx context.Context, cacheKey string, check func() TokenResult) *Token
- func (v *TokenValidator) CheckToken(r *http.Request) *Token
- func (v *TokenValidator) LoadPolicyFile(path string, yamlUnmarshal func(in []byte, out any) error) error
- func (v *TokenValidator) TokenFromGophercloudResult(result TokenResult) *Token
- type Validator
Functions
func DeserializeCompactContextFromJSON
func DeserializeCompactContextFromJSON(buf []byte) (policy.Context, error)
DeserializeCompactContextFromJSON is the inverse of SerializeCompactContextToJSON.
func SerializeCompactContextToJSON
func SerializeCompactContextToJSON(c policy.Context) ([]byte, error)
SerializeCompactContextToJSON takes a policy.Context constructed by this package and compresses its Auth and Roles fields into an extremely compact form. This format is intended for serialization in places where every last byte counts, e.g. in JWT payloads. Compactness is its only purpose: the output carries no integrity protection of its own, so a JWT that embeds it must still be signed, and the signature verified, before the deserialized context is used for authorization decisions.
Its inverse is DeserializeCompactContextFromJSON.
Types
type Cacher
type Cacher interface {
	// StoreTokenPayload attempts to store the token payload corresponding to the
	// given credentials in the cache. Implementations shall treat `credentials`
	// as an opaque string and only use it as a cache key.
	StoreTokenPayload(ctx context.Context, credentials string, payload []byte)
	// LoadTokenPayload attempts to retrieve the payload for the given credentials
	// from the cache. If there is nothing cached for these credentials, or if the
	// retrieval fails, nil shall be returned.
	LoadTokenPayload(ctx context.Context, credentials string) []byte
}
Cacher is the generic interface for a token cache. Two consequences for implementers: the credentials string may be the raw token (or, via CheckCredentials, whatever cacheKey the caller derived from the user's credentials), so a cache backed by shared storage, or anything that can be dumped or logged, should key on a hash of that string rather than on the string itself; and a cache hit is trusted without a fresh round trip to Keystone, so a token that Keystone has since revoked keeps working until its cached payload is evicted.
func InMemoryCacher
func InMemoryCacher() Cacher
InMemoryCacher builds a Cacher that stores token payloads in memory. At most 256 token payloads will be cached, so this will never use more than 4-8 MiB of memory.
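The following is an added example, not code from gopherpolicy or from the go-bits project: a bounded LRU Cacher that satisfies the interface above (the interface is copied into the example so that it compiles without importing the package), keyed by a SHA-256 digest of the credentials string so that a memory dump of the cache never yields a usable token. The names boundedCacher, digestOf and cacheEntry, the entry limit, and the sample payloads in main are this example's own; the package's InMemoryCacher is a separate implementation with its own eviction rules.

```go
package main

import (
	"container/list"
	"context"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sync"
)

// Cacher is copied from the interface documented above so that this example
// compiles on its own.
type Cacher interface {
	StoreTokenPayload(ctx context.Context, credentials string, payload []byte)
	LoadTokenPayload(ctx context.Context, credentials string) []byte
}

// boundedCacher is an example Cacher (not the package's InMemoryCacher): an LRU
// cache with a hard entry limit, keyed by a SHA-256 digest of the opaque
// credentials string. The raw token never appears in the map.
type boundedCacher struct {
	mu      sync.Mutex
	limit   int
	order   *list.List               // front = most recently used
	entries map[string]*list.Element // digest -> element whose Value is *cacheEntry
}

type cacheEntry struct {
	digest  string
	payload []byte
}

func newBoundedCacher(limit int) *boundedCacher {
	return &boundedCacher{limit: limit, order: list.New(), entries: make(map[string]*list.Element)}
}

// digestOf turns the opaque credentials into the only form the cache stores.
func digestOf(credentials string) string {
	sum := sha256.Sum256([]byte(credentials))
	return hex.EncodeToString(sum[:])
}

func (c *boundedCacher) StoreTokenPayload(_ context.Context, credentials string, payload []byte) {
	c.mu.Lock()
	defer c.mu.Unlock()
	d := digestOf(credentials)
	copied := append([]byte(nil), payload...) // defensive copy: callers may reuse the slice
	if el, ok := c.entries[d]; ok {
		el.Value.(*cacheEntry).payload = copied
		c.order.MoveToFront(el)
		return
	}
	c.entries[d] = c.order.PushFront(&cacheEntry{digest: d, payload: copied})
	for c.order.Len() > c.limit { // evict least recently used entries
		oldest := c.order.Back()
		c.order.Remove(oldest)
		delete(c.entries, oldest.Value.(*cacheEntry).digest)
	}
}

// LoadTokenPayload returns nil on a miss, as the interface contract requires.
func (c *boundedCacher) LoadTokenPayload(_ context.Context, credentials string) []byte {
	c.mu.Lock()
	defer c.mu.Unlock()
	el, ok := c.entries[digestOf(credentials)]
	if !ok {
		return nil
	}
	c.order.MoveToFront(el)
	return append([]byte(nil), el.Value.(*cacheEntry).payload...)
}

// Len reports how many payloads are currently cached.
func (c *boundedCacher) Len() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.order.Len()
}

func main() {
	var cache Cacher = newBoundedCacher(2)
	ctx := context.Background()
	// Constructed sample payloads; a real payload is the JSON body Keystone returned.
	cache.StoreTokenPayload(ctx, "gAAAAAB-token-a", []byte(`{"token":{"user":{"name":"a"}}}`))
	cache.StoreTokenPayload(ctx, "gAAAAAB-token-b", []byte(`{"token":{"user":{"name":"b"}}}`))
	_ = cache.LoadTokenPayload(ctx, "gAAAAAB-token-a")                                        // a becomes most recent
	cache.StoreTokenPayload(ctx, "gAAAAAB-token-c", []byte(`{"token":{"user":{"name":"c"}}}`)) // evicts b
	fmt.Printf("a cached: %v, b cached: %v\n",
		cache.LoadTokenPayload(ctx, "gAAAAAB-token-a") != nil,
		cache.LoadTokenPayload(ctx, "gAAAAAB-token-b") != nil)
}
```

Hashing the key is cheap insurance for in-process caches and essential for external ones; what it does not solve is staleness, so a production Cacher should also honour the token's expiry recorded in the payload, or cap entry lifetime, so that a revoked token is not served indefinitely.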
type Enforcer
Enforcer is the interface with the Enforce method that Token uses to check access permissions (AuthZ). It is satisfied by struct Enforcer from goslo.policy, which evaluates the rules of a loaded policy file; any other type with the same method can be substituted, e.g. in tests.
type Token
type Token struct {
	// The enforcer that checks access permissions for this client token. Usually
	// an instance of struct Enforcer from goslo.policy. Usually inherited from
	// struct TokenValidator.
	Enforcer Enforcer
	// When AuthN succeeds, contains information about the client token which can
	// be used to check access permissions.
	Context policy.Context
	// When AuthN succeeds, contains a fully-initialized ProviderClient with which
	// this process can use the OpenStack API on behalf of the authenticated user.
	ProviderClient *gophercloud.ProviderClient
	// When AuthN fails, contains the deferred AuthN error.
	Err error
	// contains filtered or unexported fields
}
Token represents the outcome of validating a Keystone v3 token. It is returned from Validator.CheckToken() (and from TokenValidator.CheckCredentials()). When validation failed, Err is set, Context and ProviderClient are not populated, and Require() rejects every rule; callers must therefore gate every privileged action on Require() or Check(), not on merely having received a Token.
func (*Token) ApplicationCredentialID
ApplicationCredentialID returns the ID of the application credential that was used to create this token, or "" if the token was created through a different authentication method.
func (*Token) AsInitiator
AsInitiator implements the audittools.UserInfo interface.
func (*Token) Check
func (t *Token) Check(rule string) bool
Check is like Require, but writes no error response. It returns true only if the token is valid (Err is nil) and the policy in effect grants the given rule; use it where the decision feeds into further logic rather than directly into an HTTP response.
func (*Token) DomainScopeName
DomainScopeName returns the name of this token's domain scope, or "" if the token is invalid or not scoped to a domain.
func (*Token) DomainScopeUUID
DomainScopeUUID returns the UUID of this token's domain scope, or "" if the token is invalid or not scoped to a domain.
func (*Token) IsAdminProject
IsAdminProject returns whether the token is scoped to the project that is designated for cloud administrators within Keystone (if any). It does not by itself establish that the token is valid; gate the action on Require() or Check() first.
func (*Token) ProjectScopeDomainName
ProjectScopeDomainName returns the name of this token's project scope domain, or "" if the token is invalid or not scoped to a project.
func (*Token) ProjectScopeDomainUUID
ProjectScopeDomainUUID returns the UUID of this token's project scope domain, or "" if the token is invalid or not scoped to a project.
func (*Token) ProjectScopeName
ProjectScopeName returns the name of this token's project scope, or "" if the token is invalid or not scoped to a project.
func (*Token) ProjectScopeUUID
ProjectScopeUUID returns the UUID of this token's project scope, or "" if the token is invalid or not scoped to a project.
func (*Token) Require
func (t *Token) Require(w http.ResponseWriter, rule string) bool
Require checks if the given token has the given permission according to the policy file (policy.json or policy.yaml) that is in effect. If not, an error response is written (HTTP 401 Unauthorized when the token could not be validated, i.e. Err is set; HTTP 403 Forbidden when the policy denies the rule) and false is returned. The handler must return immediately when Require returns false, because the response has already been written.
func (*Token) UserDomainName
UserDomainName returns the name of the domain containing the user for whom this token was issued, or "" if the token was invalid.
func (*Token) UserDomainUUID
UserDomainUUID returns the UUID of the domain containing the user for whom this token was issued, or "" if the token was invalid.
func (*Token) UserName
UserName returns the name of the user for whom this token was issued, or "" if the token was invalid.
func (*Token) UserUUID
UserUUID returns the UUID of the user for whom this token was issued, or "" if the token was invalid.
type TokenResult
type TokenResult interface {
	ExtractInto(value any) error
	Extract() (*tokens.Token, error)
	ExtractServiceCatalog() (*tokens.ServiceCatalog, error)
}
TokenResult is the interface type for the argument of TokenValidator.TokenFromGophercloudResult().
Notable implementors are tokens.CreateResult and tokens.GetResult from package github.com/gophercloud/gophercloud/v2/openstack/identity/v3/tokens.
type TokenValidator
type TokenValidator struct {
	IdentityV3 *gophercloud.ServiceClient
	// Enforcer can also be initialized with the LoadPolicyFile method.
	Enforcer Enforcer
	// Cacher can be used to cache validated tokens.
	Cacher Cacher
}
TokenValidator combines an Identity v3 client to validate tokens (AuthN), and a policy.Enforcer to check access permissions (AuthZ).
func (*TokenValidator) CheckCredentials
func (v *TokenValidator) CheckCredentials(ctx context.Context, cacheKey string, check func() TokenResult) *Token
CheckCredentials is a more generic version of CheckToken that can also be used when the user supplies credentials (e.g. a user name and password, or an application credential) instead of a Keystone token.
The `check` argument contains the logic for actually checking the user's credentials, usually by calling tokens.Create() or tokens.Get() from package github.com/gophercloud/gophercloud/v2/openstack/identity/v3/tokens.
The `cacheKey` argument shall be a string that identifies the given credentials. This key is used for caching the TokenResult in `v.Cacher` if that is non-nil. Because the key is handed to the Cacher verbatim, derive it so that it identifies the credentials without exposing them (for instance a hash over user name, domain and password rather than the password itself), and make sure that two different credential sets can never map to the same key, since a collision would serve one user's cached token to another.
func (*TokenValidator) CheckToken
func (v *TokenValidator) CheckToken(r *http.Request) *Token
CheckToken checks the validity of the request's X-Auth-Token in Keystone, and returns a Token instance for checking authorization. Any errors that occur during this function (missing header, Keystone unreachable, token expired or revoked) are deferred until Require() is called: the returned Token is never nil, but carries the error in its Err field. Handlers must therefore gate every action on Require() or Check(), and must not treat the Token's accessors or ProviderClient as evidence that authentication succeeded.
func (*TokenValidator) LoadPolicyFile
func (v *TokenValidator) LoadPolicyFile(path string, yamlUnmarshal func(in []byte, out any) error) error
LoadPolicyFile creates v.Enforcer from the given policy file.
The second argument must be set to `yaml.Unmarshal` if you want to support policy.yaml files. This explicit dependency injection slot lets you choose between gopkg.in/yaml.v2, gopkg.in/yaml.v3 or any other implementation, without this package pulling in a YAML dependency of its own.
If `yamlUnmarshal` is nil, `json.Unmarshal` from the standard library is used, so only policy.json files will be understood.
func (*TokenValidator) TokenFromGophercloudResult
func (v *TokenValidator) TokenFromGophercloudResult(result TokenResult) *Token
TokenFromGophercloudResult creates a Token instance from a gophercloud Result of the tokens.Create() or tokens.Get() requests from package github.com/gophercloud/gophercloud/v2/openstack/identity/v3/tokens.
type Validator
type Validator interface {
	// CheckToken checks the validity of the request's X-Auth-Token in Keystone, and
	// returns a Token instance for checking authorization. Any errors that occur
	// during this function are deferred until Token.Require() is called.
	CheckToken(r *http.Request) *Token
}
Validator is the interface provided by TokenValidator. Application code should prefer to reference this interface to allow for substitution by a test double (such as type mock.Validator).
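The following is an added example, not code from gopherpolicy: a stand-alone sketch of the deferred-error pattern that Token, Require, Check, CheckToken and Validator describe above, with a test double in place of TokenValidator so that it runs without Keystone. The types Context, Enforcer, Token and Validator are example-local stand-ins for the package's and goslo.policy's (policy.Context is reduced to a role list); roleEnforcer, fakeValidator, newHandler, statusFor, the token strings and the rule name volume:delete are this example's own. The 401-for-AuthN-failure versus 403-for-policy-denial split mirrors what Require is documented to do above.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Context stands in for goslo.policy's policy.Context: only role names matter here.
type Context struct {
	Roles []string
}

// Enforcer is the one-method interface described above.
type Enforcer interface {
	Enforce(rule string, c Context) bool
}

// roleEnforcer is a toy policy: each rule lists the roles that satisfy it.
// Rules that are not listed are denied, mirroring deny-by-default.
type roleEnforcer map[string][]string

func (e roleEnforcer) Enforce(rule string, c Context) bool {
	for _, need := range e[rule] {
		for _, have := range c.Roles {
			if need == have {
				return true
			}
		}
	}
	return false
}

// Token mirrors the documented fields that matter for authorization.
// Err holds the AuthN error that CheckToken deferred.
type Token struct {
	Enforcer Enforcer
	Context  Context
	Err      error
}

// Check reports whether the token is valid and the rule is granted, writing nothing.
func (t *Token) Check(rule string) bool {
	return t.Err == nil && t.Enforcer.Enforce(rule, t.Context)
}

// Require writes the error response for the caller: 401 when AuthN failed,
// 403 when the policy denies the rule.
func (t *Token) Require(w http.ResponseWriter, rule string) bool {
	if t.Err != nil {
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return false
	}
	if !t.Enforcer.Enforce(rule, t.Context) {
		http.Error(w, "Forbidden", http.StatusForbidden)
		return false
	}
	return true
}

// Validator is the interface application code depends on.
type Validator interface {
	CheckToken(r *http.Request) *Token
}

var errUnknownToken = errors.New("token is invalid or expired")

// fakeValidator is the test double: a fixed table of X-Auth-Token values and
// the roles each carries. It never contacts Keystone; a missing or unknown
// token yields a Token with Err set, exactly like a failed validation.
type fakeValidator struct {
	enforcer Enforcer
	roles    map[string][]string
}

func (v fakeValidator) CheckToken(r *http.Request) *Token {
	tok := r.Header.Get("X-Auth-Token")
	roles, ok := v.roles[tok]
	if tok == "" || !ok {
		return &Token{Enforcer: v.enforcer, Err: errUnknownToken}
	}
	return &Token{Enforcer: v.enforcer, Context: Context{Roles: roles}}
}

// newHandler wires a protected endpoint against the Validator interface, so
// the real TokenValidator and the fake above are interchangeable.
func newHandler(v Validator) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := v.CheckToken(r)
		if !token.Require(w, "volume:delete") {
			return // Require already wrote the 401/403 response
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

// statusFor sends a request carrying the given token and returns the status code.
func statusFor(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodDelete, "/v1/volumes/42", nil)
	if token != "" {
		req.Header.Set("X-Auth-Token", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	v := fakeValidator{
		enforcer: roleEnforcer{"volume:delete": {"admin"}},
		roles:    map[string][]string{"tok-admin": {"admin"}, "tok-member": {"member"}},
	}
	h := newHandler(v)
	fmt.Println(statusFor(h, "tok-admin"), statusFor(h, "tok-member"), statusFor(h, "forged"))
}
```

Two points the sketch makes concrete: the handler never inspects the Token's fields before Require has run, and the fake only satisfies the Validator interface, which is why the handler can be unit-tested for the 204/403/401 paths with no identity service in the loop.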