Affected by GO-2022-0375 and 7 other vulnerabilities

GO-2022-0375: Improper Access Control in github.com/treeverse/lakefs

GO-2022-1019: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

GO-2023-2012: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

GO-2023-2398: lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

GO-2024-3291: Re-creating a deleted user in lakeFS will re-enable previous user credentials that existed prior to its deletion in github.com/treeverse/lakefs

GO-2025-3479: lakeFS allows an authenticated user to cause a crash by exhausting server memory in github.com/treeverse/lakefs

GO-2025-4090: lakeFS affected by unauthenticated access to API usage metrics in github.com/treeverse/lakefs

auth

package

v0.16.0 Latest Latest Go to latest Published: Nov 12, 2020 License: Apache-2.0 Imports: 21 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/treeverse/lakefs

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func AddAdminUser(authService Service, user *model.User) (*model.Credential, error)
func ArnMatch(src, dst string) bool
func Base64StringGenerator(bytes int) string
func HexStringGenerator(bytes int) string
func KeyGenerator(length int) string
func ListPaged(db db.Database, retType reflect.Type, params *model.PaginationParams, ...) (*reflect.Value, *model.Paginator, error)
func SetupAdminUser(authService Service, user *model.User) (*model.Credential, error)
func SetupBaseGroups(authService Service, ts time.Time) error
type Arn
- func ParseARN(arnString string) (*Arn, error)
type AuthorizationRequest
type AuthorizationResponse
type Cache
type CredentialSetFn
type DBAuthService
- func NewDBAuthService(db db.Database, secretStore crypt.SecretStore, cacheConf params.ServiceCache) *DBAuthService
- func (s *DBAuthService) AddUserToGroup(username, groupDisplayName string) error
- func (s *DBAuthService) AttachPolicyToGroup(policyDisplayName, groupDisplayName string) error
- func (s *DBAuthService) AttachPolicyToUser(policyDisplayName, username string) error
- func (s *DBAuthService) Authorize(req *AuthorizationRequest) (*AuthorizationResponse, error)
- func (s *DBAuthService) CreateCredentials(username string) (*model.Credential, error)
- func (s *DBAuthService) CreateGroup(group *model.Group) error
- func (s *DBAuthService) CreateUser(user *model.User) error
- func (s *DBAuthService) DB() db.Database
- func (s *DBAuthService) DeleteCredentials(username, accessKeyID string) error
- func (s *DBAuthService) DeleteGroup(groupDisplayName string) error
- func (s *DBAuthService) DeletePolicy(policyDisplayName string) error
- func (s *DBAuthService) DeleteUser(username string) error
- func (s *DBAuthService) DetachPolicyFromGroup(policyDisplayName, groupDisplayName string) error
- func (s *DBAuthService) DetachPolicyFromUser(policyDisplayName, username string) error
- func (s *DBAuthService) GetCredentials(accessKeyID string) (*model.Credential, error)
- func (s *DBAuthService) GetCredentialsForUser(username, accessKeyID string) (*model.Credential, error)
- func (s *DBAuthService) GetGroup(groupDisplayName string) (*model.Group, error)
- func (s *DBAuthService) GetPolicy(policyDisplayName string) (*model.Policy, error)
- func (s *DBAuthService) GetUser(username string) (*model.User, error)
- func (s *DBAuthService) GetUserByID(userID int) (*model.User, error)
- func (s *DBAuthService) ListEffectivePolicies(username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *DBAuthService) ListGroupPolicies(groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *DBAuthService) ListGroupUsers(groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
- func (s *DBAuthService) ListGroups(params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
- func (s *DBAuthService) ListPolicies(params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *DBAuthService) ListUserCredentials(username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)
- func (s *DBAuthService) ListUserGroups(username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
- func (s *DBAuthService) ListUserPolicies(username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *DBAuthService) ListUsers(params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
- func (s *DBAuthService) RemoveUserFromGroup(username, groupDisplayName string) error
- func (s *DBAuthService) SecretStore() crypt.SecretStore
- func (s *DBAuthService) WritePolicy(policy *model.Policy) error
type DBMetadataManager
- func NewDBMetadataManager(version string, database db.Database) *DBMetadataManager
- func (d *DBMetadataManager) SetupTimestamp() (time.Time, error)
- func (d *DBMetadataManager) UpdateSetupTimestamp(ts time.Time) error
- func (d *DBMetadataManager) Write() (map[string]string, error)
type DummyCache
- func (d *DummyCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)
- func (d *DummyCache) GetUser(username string, setFn UserSetFn) (*model.User, error)
- func (d *DummyCache) GetUserByID(userID int, setFn UserSetFn) (*model.User, error)
- func (d *DummyCache) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)
type LRUCache
- func NewLRUCache(size int, expiry, jitter time.Duration) *LRUCache
- func (c *LRUCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)
- func (c *LRUCache) GetUser(username string, setFn UserSetFn) (*model.User, error)
- func (c *LRUCache) GetUserByID(userID int, setFn UserSetFn) (*model.User, error)
- func (c *LRUCache) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)
type MetadataManager
type Service
type UserPoliciesSetFn
type UserSetFn

Constants ¶

View Source

const (
	InstallationIDKeyName = "installation_id"
	SetupTimestampKeyName = "setup_timestamp"
)

View Source

const AkiaAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" // Amazon AKIA alphabet is weird.

Variables ¶

View Source

var (
	ErrInvalidArn              = errors.New("invalid ARN")
	ErrInsufficientPermissions = errors.New("insufficient permissions")
)

Functions ¶

func AddAdminUser ¶ added in v0.15.0

func AddAdminUser(authService Service, user *model.User) (*model.Credential, error)

func ArnMatch ¶

func ArnMatch(src, dst string) bool

func Base64StringGenerator ¶

func Base64StringGenerator(bytes int) string

func HexStringGenerator ¶

func HexStringGenerator(bytes int) string

func KeyGenerator ¶

func KeyGenerator(length int) string

func ListPaged ¶ added in v0.9.0

func ListPaged(db db.Database, retType reflect.Type, params *model.PaginationParams, tokenColumnName string, queryBuilder sq.SelectBuilder) (*reflect.Value, *model.Paginator, error)

func SetupAdminUser ¶

func SetupAdminUser(authService Service, user *model.User) (*model.Credential, error)

func SetupBaseGroups ¶

func SetupBaseGroups(authService Service, ts time.Time) error

Types ¶

type Arn ¶

type Arn struct {
	Partition  string
	Service    string
	Region     string
	AccountID  string
	ResourceID string
}

func ParseARN ¶

func ParseARN(arnString string) (*Arn, error)

type AuthorizationRequest ¶

type AuthorizationRequest struct {
	Username            string
	RequiredPermissions []permissions.Permission
}

type AuthorizationResponse ¶

type AuthorizationResponse struct {
	Allowed bool
	Error   error
}

type Cache ¶

type Cache interface {
	GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)
	GetUser(username string, setFn UserSetFn) (*model.User, error)
	GetUserByID(userID int, setFn UserSetFn) (*model.User, error)
	GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)
}

type CredentialSetFn ¶

type CredentialSetFn func() (*model.Credential, error)

type DBAuthService ¶

type DBAuthService struct {
	// contains filtered or unexported fields
}

func NewDBAuthService ¶

func NewDBAuthService(db db.Database, secretStore crypt.SecretStore, cacheConf params.ServiceCache) *DBAuthService

func (*DBAuthService) AddUserToGroup ¶

func (s *DBAuthService) AddUserToGroup(username, groupDisplayName string) error

func (*DBAuthService) AttachPolicyToGroup ¶

func (s *DBAuthService) AttachPolicyToGroup(policyDisplayName, groupDisplayName string) error

func (*DBAuthService) AttachPolicyToUser ¶

func (s *DBAuthService) AttachPolicyToUser(policyDisplayName, username string) error

func (*DBAuthService) Authorize ¶

func (s *DBAuthService) Authorize(req *AuthorizationRequest) (*AuthorizationResponse, error)

func (*DBAuthService) CreateCredentials ¶

func (s *DBAuthService) CreateCredentials(username string) (*model.Credential, error)

func (*DBAuthService) CreateGroup ¶

func (s *DBAuthService) CreateGroup(group *model.Group) error

func (*DBAuthService) CreateUser ¶

func (s *DBAuthService) CreateUser(user *model.User) error

func (*DBAuthService) DB ¶

func (s *DBAuthService) DB() db.Database

func (*DBAuthService) DeleteCredentials ¶

func (s *DBAuthService) DeleteCredentials(username, accessKeyID string) error

func (*DBAuthService) DeleteGroup ¶

func (s *DBAuthService) DeleteGroup(groupDisplayName string) error

func (*DBAuthService) DeletePolicy ¶

func (s *DBAuthService) DeletePolicy(policyDisplayName string) error

func (*DBAuthService) DeleteUser ¶

func (s *DBAuthService) DeleteUser(username string) error

func (*DBAuthService) DetachPolicyFromGroup ¶

func (s *DBAuthService) DetachPolicyFromGroup(policyDisplayName, groupDisplayName string) error

func (*DBAuthService) DetachPolicyFromUser ¶

func (s *DBAuthService) DetachPolicyFromUser(policyDisplayName, username string) error

func (*DBAuthService) GetCredentials ¶

func (s *DBAuthService) GetCredentials(accessKeyID string) (*model.Credential, error)

func (*DBAuthService) GetCredentialsForUser ¶

func (s *DBAuthService) GetCredentialsForUser(username, accessKeyID string) (*model.Credential, error)

func (*DBAuthService) GetGroup ¶

func (s *DBAuthService) GetGroup(groupDisplayName string) (*model.Group, error)

func (*DBAuthService) GetPolicy ¶

func (s *DBAuthService) GetPolicy(policyDisplayName string) (*model.Policy, error)

func (*DBAuthService) GetUser ¶

func (s *DBAuthService) GetUser(username string) (*model.User, error)

func (*DBAuthService) GetUserByID ¶

func (s *DBAuthService) GetUserByID(userID int) (*model.User, error)

func (*DBAuthService) ListEffectivePolicies ¶

func (s *DBAuthService) ListEffectivePolicies(username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*DBAuthService) ListGroupPolicies ¶

func (s *DBAuthService) ListGroupPolicies(groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*DBAuthService) ListGroupUsers ¶

func (s *DBAuthService) ListGroupUsers(groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

func (*DBAuthService) ListGroups ¶

func (s *DBAuthService) ListGroups(params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

func (*DBAuthService) ListPolicies ¶

func (s *DBAuthService) ListPolicies(params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*DBAuthService) ListUserCredentials ¶

func (s *DBAuthService) ListUserCredentials(username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)

func (*DBAuthService) ListUserGroups ¶

func (s *DBAuthService) ListUserGroups(username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

func (*DBAuthService) ListUserPolicies ¶

func (s *DBAuthService) ListUserPolicies(username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*DBAuthService) ListUsers ¶

func (s *DBAuthService) ListUsers(params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

func (*DBAuthService) RemoveUserFromGroup ¶

func (s *DBAuthService) RemoveUserFromGroup(username, groupDisplayName string) error

func (*DBAuthService) SecretStore ¶

func (s *DBAuthService) SecretStore() crypt.SecretStore

func (*DBAuthService) WritePolicy ¶

func (s *DBAuthService) WritePolicy(policy *model.Policy) error

type DBMetadataManager ¶

type DBMetadataManager struct {
	// contains filtered or unexported fields
}

func NewDBMetadataManager ¶

func NewDBMetadataManager(version string, database db.Database) *DBMetadataManager

func (*DBMetadataManager) SetupTimestamp ¶ added in v0.9.0

func (d *DBMetadataManager) SetupTimestamp() (time.Time, error)

func (*DBMetadataManager) UpdateSetupTimestamp ¶ added in v0.9.0

func (d *DBMetadataManager) UpdateSetupTimestamp(ts time.Time) error

func (*DBMetadataManager) Write ¶

func (d *DBMetadataManager) Write() (map[string]string, error)

type DummyCache ¶

type DummyCache struct {
}

func (*DummyCache) GetCredential ¶

func (d *DummyCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)

func (*DummyCache) GetUser ¶

func (d *DummyCache) GetUser(username string, setFn UserSetFn) (*model.User, error)

func (*DummyCache) GetUserByID ¶

func (d *DummyCache) GetUserByID(userID int, setFn UserSetFn) (*model.User, error)

func (*DummyCache) GetUserPolicies ¶

func (d *DummyCache) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)

type LRUCache ¶

type LRUCache struct {
	// contains filtered or unexported fields
}

func NewLRUCache ¶

func NewLRUCache(size int, expiry, jitter time.Duration) *LRUCache

func (*LRUCache) GetCredential ¶

func (c *LRUCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)

func (*LRUCache) GetUser ¶

func (c *LRUCache) GetUser(username string, setFn UserSetFn) (*model.User, error)

func (*LRUCache) GetUserByID ¶

func (c *LRUCache) GetUserByID(userID int, setFn UserSetFn) (*model.User, error)

func (*LRUCache) GetUserPolicies ¶

func (c *LRUCache) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)

type MetadataManager ¶

type MetadataManager interface {
	SetupTimestamp() (time.Time, error)
	UpdateSetupTimestamp(time.Time) error
	Write() (map[string]string, error)
}

type Service ¶

type Service interface {
	SecretStore() crypt.SecretStore

	// users
	CreateUser(user *model.User) error
	DeleteUser(username string) error
	GetUserByID(userID int) (*model.User, error)
	GetUser(username string) (*model.User, error)
	ListUsers(params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

	// groups
	CreateGroup(group *model.Group) error
	DeleteGroup(groupDisplayName string) error
	GetGroup(groupDisplayName string) (*model.Group, error)
	ListGroups(params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

	// group<->user memberships
	AddUserToGroup(username, groupDisplayName string) error
	RemoveUserFromGroup(username, groupDisplayName string) error
	ListUserGroups(username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
	ListGroupUsers(groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

	// policies
	WritePolicy(policy *model.Policy) error
	GetPolicy(policyDisplayName string) (*model.Policy, error)
	DeletePolicy(policyDisplayName string) error
	ListPolicies(params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	// credentials
	CreateCredentials(username string) (*model.Credential, error)
	DeleteCredentials(username, accessKeyID string) error
	GetCredentialsForUser(username, accessKeyID string) (*model.Credential, error)
	GetCredentials(accessKeyID string) (*model.Credential, error)
	ListUserCredentials(username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)

	// policy<->user attachments
	AttachPolicyToUser(policyDisplayName, username string) error
	DetachPolicyFromUser(policyDisplayName, username string) error
	ListUserPolicies(username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
	ListEffectivePolicies(username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	// policy<->group attachments
	AttachPolicyToGroup(policyDisplayName, groupDisplayName string) error
	DetachPolicyFromGroup(policyDisplayName, groupDisplayName string) error
	ListGroupPolicies(groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	// authorize user for an action
	Authorize(req *AuthorizationRequest) (*AuthorizationResponse, error)
}

type UserPoliciesSetFn ¶

type UserPoliciesSetFn func() ([]*model.Policy, error)

type UserSetFn ¶

type UserSetFn func() (*model.User, error)

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
crypt
model
params
wildcard

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL