auth

package
v0.61.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 7, 2022 License: Apache-2.0 Imports: 25 Imported by: 3

Documentation

Index

Constants

View Source 
const (
	InstallationIDKeyName = "installation_id"
	SetupTimestampKeyName = "setup_timestamp"
)
View Source 
const (
	AdminsGroup     = "Admins"
	SuperUsersGroup = "SuperUsers"
	DevelopersGroup = "Developers"
	ViewersGroup    = "Viewers"
)
View Source 
const InvalidUserID = -1

Variables

View Source 
var (
	ErrNotFound                = db.ErrNotFound
	ErrAlreadyExists           = db.ErrAlreadyExists
	ErrNonUnique               = errors.New("more than one user found")
	ErrInvalidArn              = errors.New("invalid ARN")
	ErrInsufficientPermissions = errors.New("insufficient permissions")
	ErrNoField                 = errors.New("no field tagged in struct")
	ErrInvalidAccessKeyID      = errors.New("invalid access key ID")
	ErrInvalidSecretAccessKey  = errors.New("invalid secret access key")
)

Functions

func AddAdminUser 

func AddAdminUser(ctx context.Context, authService Service, user *model.SuperuserConfiguration) (*model.Credential, error)

func ArnMatch 

func ArnMatch(src, dst string) bool

func CreateInitialAdminUser 

func CreateInitialAdminUser(ctx context.Context, authService Service, metadataManger MetadataManager, username string) (*model.Credential, error)

func CreateInitialAdminUserWithKeys 

func CreateInitialAdminUserWithKeys(ctx context.Context, authService Service, metadataManger MetadataManager, username string, accessKeyID *string, secretAccessKey *string) (*model.Credential, error)

func IsValidAccessKeyID added in v0.52.0 

func IsValidAccessKeyID(key string) bool

func ListPaged 

func ListPaged(ctx context.Context, db db.Querier, retType reflect.Type, params *model.PaginationParams, tokenColumnName string, queryBuilder sq.SelectBuilder) (*reflect.Value, *model.Paginator, error)

func SetupAdminUser 

func SetupAdminUser(ctx context.Context, authService Service, superuser *model.SuperuserConfiguration) (*model.Credential, error)

func SetupBaseGroups 

func SetupBaseGroups(ctx context.Context, authService Service, ts time.Time) error

Types

type Arn 

type Arn struct {
	Partition  string
	Service    string
	Region     string
	AccountID  string
	ResourceID string
}

func ParseARN 

func ParseARN(arnString string) (*Arn, error)

type Authenticator added in v0.53.0 

type Authenticator interface {
	// AuthenticateUser authenticates a user matching username and
	// password and returns their ID.
	AuthenticateUser(ctx context.Context, username, password string) (int, error)
}

Authenticator authenticates users returning an identifier for the user. (Currently it handles only username+password single-step authentication. This interface will need to change significantly in order to support challenge-response protocols.)

func NewChainAuthenticator added in v0.53.0 

func NewChainAuthenticator(auth ...Authenticator) Authenticator

NewChainAuthenticator returns an Authenticator that authenticates users by trying each auth in order.

type AuthorizationRequest 

type AuthorizationRequest struct {
	Username            string
	RequiredPermissions permissions.Node
}

type AuthorizationResponse 

type AuthorizationResponse struct {
	Allowed bool
	Error   error
}

type BuiltinAuthenticator added in v0.53.0 

type BuiltinAuthenticator struct {
	// contains filtered or unexported fields
}

BuiltinAuthenticator authenticates users by their access key IDs and passwords stored in the auth service.

func NewBuiltinAuthenticator added in v0.53.0 

func NewBuiltinAuthenticator(service Service) *BuiltinAuthenticator

func (*BuiltinAuthenticator) AuthenticateUser added in v0.53.0 

func (ba *BuiltinAuthenticator) AuthenticateUser(ctx context.Context, username, password string) (int, error)

type Cache 

type Cache interface {
	GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)
	GetUser(username string, setFn UserSetFn) (*model.User, error)
	GetUserByID(userID int, setFn UserSetFn) (*model.User, error)
	GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)
}

type ChainAuthenticator added in v0.53.0 

type ChainAuthenticator []Authenticator

ChainAuthenticator authenticates users by trying each Authenticator in order, returning the last error in case all fail.

func (ChainAuthenticator) AuthenticateUser added in v0.53.0 

func (ca ChainAuthenticator) AuthenticateUser(ctx context.Context, username, password string) (int, error)

type CheckResult added in v0.53.1 

type CheckResult int

CheckResult - the final result for the authorization is accepted only if it's CheckAllow 

const (
	// CheckAllow Permission allowed
	CheckAllow CheckResult = iota
	// CheckNeutral Permission neither allowed nor denied
	CheckNeutral
	// CheckDeny Permission denied
	CheckDeny
)

type CredentialSetFn 

type CredentialSetFn func() (*model.Credential, error)

type Credentialler added in v0.53.0 

type Credentialler interface {
	GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
}

Credentialler fetches S3-style credentials for access keys.

type DBAuthService 

type DBAuthService struct {
	// contains filtered or unexported fields
}

func NewDBAuthService 

func NewDBAuthService(db db.Database, secretStore crypt.SecretStore, cacheConf params.ServiceCache) *DBAuthService

func (*DBAuthService) AddCredentials 

func (s *DBAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)

func (*DBAuthService) AddUserToGroup 

func (s *DBAuthService) AddUserToGroup(ctx context.Context, username, groupDisplayName string) error

func (*DBAuthService) AttachPolicyToGroup 

func (s *DBAuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error

func (*DBAuthService) AttachPolicyToUser 

func (s *DBAuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error

func (*DBAuthService) Authorize 

func (s *DBAuthService) Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)

func (*DBAuthService) CreateCredentials 

func (s *DBAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)

func (*DBAuthService) CreateGroup 

func (s *DBAuthService) CreateGroup(ctx context.Context, group *model.Group) error

func (*DBAuthService) CreateUser 

func (s *DBAuthService) CreateUser(ctx context.Context, user *model.User) (int, error)

func (*DBAuthService) DB 

func (s *DBAuthService) DB() db.Database

func (*DBAuthService) DeleteCredentials 

func (s *DBAuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error

func (*DBAuthService) DeleteGroup 

func (s *DBAuthService) DeleteGroup(ctx context.Context, groupDisplayName string) error

func (*DBAuthService) DeletePolicy 

func (s *DBAuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error

func (*DBAuthService) DeleteUser 

func (s *DBAuthService) DeleteUser(ctx context.Context, username string) error

func (*DBAuthService) DetachPolicyFromGroup 

func (s *DBAuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error

func (*DBAuthService) DetachPolicyFromUser 

func (s *DBAuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error

func (*DBAuthService) GetCredentials 

func (s *DBAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)

func (*DBAuthService) GetCredentialsForUser 

func (s *DBAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)

func (*DBAuthService) GetGroup 

func (s *DBAuthService) GetGroup(ctx context.Context, groupDisplayName string) (*model.Group, error)

func (*DBAuthService) GetPolicy 

func (s *DBAuthService) GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)

func (*DBAuthService) GetUser 

func (s *DBAuthService) GetUser(ctx context.Context, username string) (*model.User, error)

func (*DBAuthService) GetUserByID 

func (s *DBAuthService) GetUserByID(ctx context.Context, userID int) (*model.User, error)

func (*DBAuthService) ListEffectivePolicies 

func (s *DBAuthService) ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*DBAuthService) ListGroupPolicies 

func (s *DBAuthService) ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*DBAuthService) ListGroupUsers 

func (s *DBAuthService) ListGroupUsers(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

func (*DBAuthService) ListGroups 

func (s *DBAuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

func (*DBAuthService) ListPolicies 

func (s *DBAuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*DBAuthService) ListUserCredentials 

func (s *DBAuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)

func (*DBAuthService) ListUserGroups 

func (s *DBAuthService) ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

func (*DBAuthService) ListUserPolicies 

func (s *DBAuthService) ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*DBAuthService) ListUsers 

func (s *DBAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

func (*DBAuthService) RemoveUserFromGroup 

func (s *DBAuthService) RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error

func (*DBAuthService) SecretStore 

func (s *DBAuthService) SecretStore() crypt.SecretStore

func (*DBAuthService) WritePolicy 

func (s *DBAuthService) WritePolicy(ctx context.Context, policy *model.Policy) error

type DBMetadataManager 

type DBMetadataManager struct {
	// contains filtered or unexported fields
}

func NewDBMetadataManager 

func NewDBMetadataManager(version string, fixedInstallationID string, database db.Database) *DBMetadataManager

func (*DBMetadataManager) IsInitialized added in v0.43.0 

func (d *DBMetadataManager) IsInitialized(ctx context.Context) (bool, error)

func (*DBMetadataManager) UpdateSetupTimestamp 

func (d *DBMetadataManager) UpdateSetupTimestamp(ctx context.Context, ts time.Time) error

func (*DBMetadataManager) Write 

func (d *DBMetadataManager) Write(ctx context.Context) (map[string]string, error)

type DummyCache 

type DummyCache struct {
}

func (*DummyCache) GetCredential 

func (d *DummyCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)

func (*DummyCache) GetUser 

func (d *DummyCache) GetUser(username string, setFn UserSetFn) (*model.User, error)

func (*DummyCache) GetUserByID 

func (d *DummyCache) GetUserByID(userID int, setFn UserSetFn) (*model.User, error)

func (*DummyCache) GetUserPolicies 

func (d *DummyCache) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)

type LDAPAuthenticator added in v0.53.0 

type LDAPAuthenticator struct {
	AuthService Service

	MakeLDAPConn      func(ctx context.Context) (*ldap.Conn, error)
	BindDN            string
	BindPassword      string
	BaseSearchRequest ldap.SearchRequest
	UsernameAttribute string
	DefaultUserGroup  string
	// contains filtered or unexported fields
}

LDAPAuthenticator authenticates users on an LDAP server. It currently supports only simple authentication.

func (*LDAPAuthenticator) AuthenticateUser added in v0.53.0 

func (la *LDAPAuthenticator) AuthenticateUser(ctx context.Context, username, password string) (int, error)

type LRUCache 

type LRUCache struct {
	// contains filtered or unexported fields
}

func NewLRUCache 

func NewLRUCache(size int, expiry, jitter time.Duration) *LRUCache

func (*LRUCache) GetCredential 

func (c *LRUCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)

func (*LRUCache) GetUser 

func (c *LRUCache) GetUser(username string, setFn UserSetFn) (*model.User, error)

func (*LRUCache) GetUserByID 

func (c *LRUCache) GetUserByID(userID int, setFn UserSetFn) (*model.User, error)

func (*LRUCache) GetUserPolicies 

func (c *LRUCache) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)

type MetadataManager 

type MetadataManager interface {
	IsInitialized(ctx context.Context) (bool, error)
	UpdateSetupTimestamp(context.Context, time.Time) error
	Write(context.Context) (map[string]string, error)
}

type Service 

type Service interface {
	SecretStore() crypt.SecretStore

	// users
	CreateUser(ctx context.Context, user *model.User) (int, error)
	DeleteUser(ctx context.Context, username string) error
	GetUserByID(ctx context.Context, userID int) (*model.User, error)
	GetUser(ctx context.Context, username string) (*model.User, error)
	ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

	// groups
	CreateGroup(ctx context.Context, group *model.Group) error
	DeleteGroup(ctx context.Context, groupDisplayName string) error
	GetGroup(ctx context.Context, groupDisplayName string) (*model.Group, error)
	ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

	// group<->user memberships
	AddUserToGroup(ctx context.Context, username, groupDisplayName string) error
	RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error
	ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
	ListGroupUsers(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

	// policies
	WritePolicy(ctx context.Context, policy *model.Policy) error
	GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)
	DeletePolicy(ctx context.Context, policyDisplayName string) error
	ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	// credentials
	CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
	AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
	DeleteCredentials(ctx context.Context, username, accessKeyID string) error
	GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
	GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
	ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)

	// policy<->user attachments
	AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error
	DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
	ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
	ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	// policy<->group attachments
	AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
	DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
	ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	// authorize user for an action
	Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
}

type UserPoliciesSetFn 

type UserPoliciesSetFn func() ([]*model.Policy, error)

type UserSetFn 

type UserSetFn func() (*model.User, error)

Notes

Bugs

  • This parser does not handle resource types. Handling resource types is 

    subtle: they may be separated from resource IDs by a colon OR by a slash. For an
example of a resource type, see ECS[1] (uses only slash separators). That colons
are an acceptable separator appears in [2], so a workaround to this limitation is
to use a slash.

[1] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources
[2] https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arns-syntax

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.