The highest tagged major version is v2.

basculechecks

package

v1.11.1 Latest Latest Go to latest Published: Oct 7, 2020 License: Apache-2.0 Imports: 14 Imported by: 1

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/xmidt-org/webpa-common

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func DeterminePartnerMetric(partners []string) string
func Metrics() []xmetrics.Metric
func PartnerKeys() []string
func ProvideMetrics() fx.Option
type AuthCapabilityCheckMeasures
- func NewAuthCapabilityCheckMeasures(p provider.Provider) *AuthCapabilityCheckMeasures
type CapabilitiesChecker
type CapabilitiesValidator
- func (c CapabilitiesValidator) Check(auth bascule.Authentication) (string, error)
- func (c CapabilitiesValidator) CreateValidator(errorOut bool) bascule.ValidatorFunc
type CapabilityChecker
type ConstCheck
- func (c ConstCheck) Authorized(capability, _, _ string) bool
type EndpointRegexCheck
- func NewEndpointRegexCheck(prefix string, acceptAllMethod string) (EndpointRegexCheck, error)
- func (e EndpointRegexCheck) Authorized(capability string, urlToMatch string, methodToMatch string) bool
type MetricValidator
- func (m MetricValidator) CreateValidator(errorOut bool) bascule.ValidatorFunc

Constants ¶

View Source

const (
	OutcomeLabel   = "outcome"
	ReasonLabel    = "reason"
	ClientIDLabel  = "clientid"
	EndpointLabel  = "endpoint"
	PartnerIDLabel = "partnerid"
)

labels

View Source

const (
	RejectedOutcome = "rejected"
	AcceptedOutcome = "accepted"
	// reasons
	TokenMissing             = "auth_missing"
	UndeterminedPartnerID    = "undetermined_partner_ID"
	UndeterminedCapabilities = "undetermined_capabilities"
	EmptyCapabilitiesList    = "empty_capabilities_list"
	TokenMissingValues       = "auth_is_missing_values"
	NoCapabilitiesMatch      = "no_capabilities_match"
)

outcomes

View Source

const (
	AuthCapabilityCheckOutcome = "auth_capability_check"
)

Names for our metrics

View Source

const (
	CapabilityKey = "capabilities"
)

Variables ¶

View Source

var (
	ErrNoVals                 = errors.New("expected at least one value")
	ErrNoAuth                 = errors.New("couldn't get request info: authorization not found")
	ErrNoToken                = errors.New("no token found in Auth")
	ErrNoValidCapabilityFound = errors.New("no valid capability for endpoint")
	ErrNilAttributes          = errors.New("nil attributes interface")
	ErrNoURL                  = errors.New("invalid URL found in Auth")
)

Functions ¶

func DeterminePartnerMetric ¶ added in v1.11.0

func DeterminePartnerMetric(partners []string) string

DeterminePartnerMetric takes a list of partners and decides what the partner metric label should be.

func Metrics ¶

func Metrics() []xmetrics.Metric

Metrics returns the Metrics relevant to this package

func PartnerKeys ¶ added in v1.11.1

func PartnerKeys() []string

func ProvideMetrics ¶ added in v1.10.2

func ProvideMetrics() fx.Option

Types ¶

type AuthCapabilityCheckMeasures ¶ added in v1.6.2

type AuthCapabilityCheckMeasures struct {
	fx.In

	CapabilityCheckOutcome metrics.Counter `name:"auth_capability_check"`
}

AuthCapabilityCheckMeasures describes the defined metrics that will be used by clients

func NewAuthCapabilityCheckMeasures ¶ added in v1.6.2

func NewAuthCapabilityCheckMeasures(p provider.Provider) *AuthCapabilityCheckMeasures

NewAuthCapabilityCheckMeasures realizes desired metrics

type CapabilitiesChecker ¶ added in v1.11.0

type CapabilitiesChecker interface {
	Check(auth bascule.Authentication) (string, error)
}

CapabilitiesChecker is an object that can determine if a request is authorized given a bascule.Authentication object. If it's not authorized, a reason and error are given for logging and metrics.

type CapabilitiesValidator ¶ added in v1.11.0

type CapabilitiesValidator struct {
	Checker CapabilityChecker
}

CapabilitiesValidator checks the capabilities provided in a bascule.Authentication object to determine if a request is authorized. It can also provide a function to be used in authorization middleware that pulls the Authentication object from a context before checking it.

func (CapabilitiesValidator) Check ¶ added in v1.11.0

func (c CapabilitiesValidator) Check(auth bascule.Authentication) (string, error)

Check takes the needed values out of the given Authentication object in order to determine if a request is authorized. It determines this through iterating through each capability and calling the CapabilityChecker. If no capability authorizes the client for the given endpoint and method, it is unauthorized.

func (CapabilitiesValidator) CreateValidator ¶ added in v1.11.0

func (c CapabilitiesValidator) CreateValidator(errorOut bool) bascule.ValidatorFunc

CreateValidator creates a function that determines whether or not a client is authorized to make a request to an endpoint. It uses the bascule.Authentication from the context to get the information needed by the CapabilityChecker to determine authorization.

type CapabilityChecker ¶ added in v1.11.0

type CapabilityChecker interface {
	Authorized(string, string, string) bool
}

CapabilityChecker is an object that can determine if a capability provides authorization to the endpoint.

type ConstCheck ¶ added in v1.11.0

type ConstCheck string

ConstCheck is a basic capability checker that determines a capability is authorized if it matches the ConstCheck's string.

func (ConstCheck) Authorized ¶ added in v1.11.0

func (c ConstCheck) Authorized(capability, _, _ string) bool

Authorized validates the capability provided against the stored string.

type EndpointRegexCheck ¶ added in v1.11.0

type EndpointRegexCheck struct {
	// contains filtered or unexported fields
}

EndpointRegexCheck uses a regular expression to validate an endpoint and method provided in a capability against the endpoint hit and method used for the request.

func NewEndpointRegexCheck ¶ added in v1.11.0

func NewEndpointRegexCheck(prefix string, acceptAllMethod string) (EndpointRegexCheck, error)

NewEndpointRegexCheck creates an object that implements the CapabilityChecker interface. It takes a prefix that is expected at the beginning of a capability and a string that, if provided in the capability, authorizes all methods for that endpoint. After the prefix, the EndpointRegexCheck expects there to be an endpoint regular expression and an http method - separated by a colon. The expected format of a capability is: <prefix><endpoint regex>:<method>

func (EndpointRegexCheck) Authorized ¶ added in v1.11.0

func (e EndpointRegexCheck) Authorized(capability string, urlToMatch string, methodToMatch string) bool

Authorized checks the capability against the endpoint hit and method used. If the capability has the correct prefix and is meant to be used with the method provided to access the endpoint provided, it is authorized.

type MetricValidator ¶ added in v1.11.0

type MetricValidator struct {
	C         CapabilitiesChecker
	Measures  *AuthCapabilityCheckMeasures
	Endpoints []*regexp.Regexp
}

MetricValidator determines if a request is authorized and then updates a metric to show those results.

func (MetricValidator) CreateValidator ¶ added in v1.11.0

func (m MetricValidator) CreateValidator(errorOut bool) bascule.ValidatorFunc

CreateValidator provides a function for authorization middleware. The function parses the information needed for the CapabilitiesChecker, calls it to determine if the request is authorized, and maintains the results in a metric. The function can actually mark the request as unauthorized or just update the metric and allow the request, depending on configuration. This allows for monitoring before being more strict with authorization.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL