Documentation
¶
Overview ¶
Package auth defines a standard interface for request access controllers.
An access controller has a simple interface with a single `Authorized` method which checks that a given request is authorized to perform one or more actions on one or more resources. This method should return a non-nil error if the requset is not authorized.
An implementation registers its access controller by name with a constructor which accepts an options map for configuring the access controller.
options := map[string]interface{}{"sillySecret": "whysosilly?"}
accessController, _ := auth.GetAccessController("silly", options)
This `accessController` can then be used in a request handler like so:
func updateOrder(w http.ResponseWriter, r *http.Request) {
orderNumber := r.FormValue("orderNumber")
resource := auth.Resource{Type: "customerOrder", Name: orderNumber}
access := auth.Access{Resource: resource, Action: "update"}
if ctx, err := accessController.Authorized(ctx, access); err != nil {
if challenge, ok := err.(auth.Challenge) {
// Let the challenge write the response.
challenge.ServeHTTP(w, r)
} else {
// Some other error.
}
}
}
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Register ¶
Register is used to register an InitFunc for an AccessController backend with the given name.
Types ¶
type Access ¶
Access describes a specific action that is requested or allowed for a given recource.
type AccessController ¶
type AccessController interface {
// Authorized returns a non-nil error if the context is granted access and
// returns a new authorized context. If one or more Access structs are
// provided, the requested access will be compared with what is available
// to the context. The given context will contain a "http.request" key with
// a `*http.Request` value. If the error is non-nil, access should always
// be denied. The error may be of type Challenge, in which case the caller
// may have the Challenge handle the request or choose what action to take
// based on the Challenge header or response status. The returned context
// object should have a "auth.user" value set to a UserInfo struct.
Authorized(ctx context.Context, access ...Access) (context.Context, error)
}
AccessController controls access to registry resources based on a request and required access levels for a request. Implementations can support both complete denial and http authorization challenges.
func GetAccessController ¶
func GetAccessController(name string, options map[string]interface{}) (AccessController, error)
GetAccessController constructs an AccessController with the given options using the named backend.
type Challenge ¶
type Challenge interface {
error
// ServeHTTP prepares the request to conduct the appropriate challenge
// response. For most implementations, simply calling ServeHTTP should be
// sufficient. Because no body is written, users may write a custom body after
// calling ServeHTTP, but any headers must be written before the call and may
// be overwritten.
ServeHTTP(w http.ResponseWriter, r *http.Request)
}
Challenge is a special error type which is used for HTTP 401 Unauthorized responses and is able to write the response with WWW-Authenticate challenge header values based on the error.
type InitFunc ¶
type InitFunc func(options map[string]interface{}) (AccessController, error)
InitFunc is the type of an AccessController factory function and is used to register the constructor for different AccesController backends.
type Resource ¶
Resource describes a resource by type and name.
Source Files
¶
- auth.go
Directories
¶
| Path | Synopsis |
|---|---|
|
Package silly provides a simple authentication scheme that checks for the existence of an Authorization header and issues access if is present and non-empty.
|
Package silly provides a simple authentication scheme that checks for the existence of an Authorization header and issues access if is present and non-empty. |