scopes

package module v0.3.0

This package is not in the latest version of its module.

Published: Jan 2, 2022 License: MIT Imports: 4 Imported by: 2

README

scopes

The scopes package encapsulates the part of the auth system that defines access gates and controls which users can open them.

It stores a unique identifier for the access type, a list of default scopes, and whether a user, a client, or both must be whitelisted to use the scope (and if so, it is in charge of maintaining those whitelists).

Implementation

Scopes consist of an ID, a user policy, a client policy, and whether the scope is a default scope. The ID must uniquely identify the type of access, and should be formatted as a URI. The user policy and client policy are specific strings; for the moment, only DENY_ALL, DEFAULT_DENY, DEFAULT_ALLOW, and ALLOW_ALL are used, but that may be expanded in the future.

DENY_ALL will deny every attempt to use that scope by any client/user. This is useful for deprecated scopes. DEFAULT_DENY will deny any request to use the scope by any client/user not in the scope's list, but will allow those in the list to use the scope. DEFAULT_ALLOW is the inverse: it will deny any request to use the scope by any client/user in the scope's list, but will allow those not in the list to use the scope. ALLOW_ALL will allow every client/user to request the scope.

If the scope is marked as a default scope, it will be returned in the list of scopes provided when no scopes are requested.
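The four policies above, worked as an added Go example: this is hypothetical code written for this page, not the scopes package's own implementation. The Scope struct is trimmed to its client-side fields, and the exception list is treated as a whitelist under DEFAULT_DENY and a blocklist under DEFAULT_ALLOW, exactly as the README describes.

```go
package main

// Policy strings as documented by the scopes package.
const (
	PolicyDenyAll      = "DENY_ALL"
	PolicyDefaultDeny  = "DEFAULT_DENY"
	PolicyDefaultAllow = "DEFAULT_ALLOW"
	PolicyAllowAll     = "ALLOW_ALL"
)

// Scope keeps only the client-side fields of the package's Scope struct.
type Scope struct {
	ID               string
	ClientPolicy     string
	ClientExceptions []string
	IsDefault        bool
}

// policyAllows is a hypothetical local implementation of the four policy
// semantics from the README, not the package's own code. The exception list
// is a whitelist under DEFAULT_DENY and a blocklist under DEFAULT_ALLOW.
func policyAllows(policy string, exceptions []string, principal string) bool {
	listed := false
	for _, e := range exceptions {
		if e == principal {
			listed = true
		}
	}
	switch policy {
	case PolicyAllowAll:
		return true
	case PolicyDefaultAllow:
		return !listed
	case PolicyDefaultDeny:
		return listed
	default:
		return false // DENY_ALL, and any unrecognised policy, fails closed
	}
}

// filterForClient returns the IDs of the scopes clientID may request, in input order.
func filterForClient(scopes []Scope, clientID string) []string {
	var ids []string
	for _, s := range scopes {
		if policyAllows(s.ClientPolicy, s.ClientExceptions, clientID) {
			ids = append(ids, s.ID)
		}
	}
	return ids
}
```

Note that an unknown policy string is treated like DENY_ALL here; the package exposes IsValidPolicy so callers can reject such strings before a scope is ever stored.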

Scope

scopes is solely responsible for managing the list of scopes and the ACL it needs to determine who and what have the appropriate rights to request a certain scope.

The questions scopes is meant to answer for the system include:

  • Are these scopes valid?
  • Which of these scopes can this user grant?
  • Which of these scopes can be granted to this client?
  • What scopes should we grant if none are requested?

The things scopes is explicitly not expected to do include:

  • Actually controlling access to anything.
  • Authenticating users.
  • Authenticating clients.
  • Remembering which users have granted which scopes to which clients.

Documentation

Index

Constants

const (
	// PolicyDenyAll defines a string to use to deny all access.
	PolicyDenyAll = "DENY_ALL"
	// PolicyDefaultDeny defines a string to use to deny access by default, with exceptions.
	PolicyDefaultDeny = "DEFAULT_DENY"
	// PolicyAllowAll defines a string to use to allow all access.
	PolicyAllowAll = "ALLOW_ALL"
	// PolicyDefaultAllow defines a string to use to allow access by default, with exceptions.
	PolicyDefaultAllow = "DEFAULT_ALLOW"
)

Variables

var (
	// ErrScopeAlreadyExists is returned when attempting to create a Scope that already exists.
	ErrScopeAlreadyExists = errors.New("scope already exists")
)

Functions

func ByID

func ByID(scopes []Scope)

ByID sorts the passed Scopes in place lexicographically by their IDs.

func ClientCanUseScope

func ClientCanUseScope(ctx context.Context, scope Scope, client string) bool

ClientCanUseScope returns true if the client specified by `client` can use `scope`.

func IsValidPolicy

func IsValidPolicy(p string) bool

IsValidPolicy returns whether a string is a valid policy or not.

Types

type Change

type Change struct {
	UserPolicy       *string
	UserExceptions   *[]string
	ClientPolicy     *string
	ClientExceptions *[]string
	IsDefault        *bool
}

Change represents a change to a Scope.

func (Change) IsEmpty

func (c Change) IsEmpty() bool

IsEmpty returns true if the Change should be considered empty.

type Dependencies

type Dependencies struct {
	Storer Storer
}

Dependencies holds the common dependencies that will be used throughout the package.

type Scope

type Scope struct {
	ID               string
	UserPolicy       string
	UserExceptions   []string
	ClientPolicy     string
	ClientExceptions []string
	IsDefault        bool
}

Scope defines a scope of access to user data that users can grant.

func Apply

func Apply(change Change, scope Scope) Scope

Apply returns a Scope that is a copy of `scope` with Change applied.

func FilterByClientID

func FilterByClientID(ctx context.Context, scopes []Scope, clientID string) []Scope

FilterByClientID returns which of the Scopes of `scopes` the client specified by `clientID` can use.

type Storer

type Storer interface {
	Create(ctx context.Context, scope Scope) error
	GetMulti(ctx context.Context, ids []string) (map[string]Scope, error)
	ListDefault(ctx context.Context) ([]Scope, error)
	Update(ctx context.Context, id string, change Change) error
	Delete(ctx context.Context, id string) error
}

Storer is an interface for storing and retrieving Scopes and the metadata surrounding them.

Directories

Path: storers (no synopsis)
