Documentation ¶
Overview ¶
Package auth contains an authorization check wrapper for handlers. Example:

	h, err := auth.WithAuth(handler, checker, auth.Require{ClientID: true, ClientSecret: true, Role: auth.Admin})
	if err != nil {
		...
	}
	r.HandleFunc("/path", h)
Index ¶
- Constants
- Variables
- func AccessTokenCacheKey(issuer, token string) string
- func MustWithAuth(handler func(http.ResponseWriter, *http.Request), checker *Checker, ...) func(http.ResponseWriter, *http.Request)
- func WithAuth(handler func(http.ResponseWriter, *http.Request), checker *Checker, ...) (func(http.ResponseWriter, *http.Request), error)
- type Checker
- type Context
- type Require
- type Role
Constants ¶
const (
	// UserAuthorizationHeader is the standard user authorization request header as a bearer token.
	UserAuthorizationHeader = "Authorization"
	// LinkAuthorizationHeader is an additional auth token in the request header for linking accounts.
	LinkAuthorizationHeader = "X-Link-Authorization"
)
Variables ¶
var (
	// RequireNone -> requires nothing for authorization
	RequireNone = Require{Nothing: true}
	// RequireClientID -> only requires the client id
	RequireClientID = Require{ClientID: true, ClientSecret: false, Role: None}
	// RequireClientIDAndSecret -> requires the client id and a matching secret
	RequireClientIDAndSecret = Require{ClientID: true, ClientSecret: true, Role: None}
	// RequireAdminTokenClientCredential -> requires an admin token, plus the client id and secret
	RequireAdminTokenClientCredential = Require{ClientID: true, ClientSecret: true, Role: Admin, AllowIssuerInAudOrAzp: true, AllowAzp: true}
	// RequireUserTokenClientCredential -> requires a user token, plus the client id and secret
	RequireUserTokenClientCredential = Require{ClientID: true, ClientSecret: true, Role: User, AllowIssuerInAudOrAzp: true, AllowAzp: true}
	// RequireAccountAdminUserTokenCredential -> requires a user token, client id & secret, and for non-admins the "account_admin" scope on edit methods
	RequireAccountAdminUserTokenCredential = Require{ClientID: true, ClientSecret: true, Role: User, EditScopes: []string{"account_admin"}, AllowIssuerInAudOrAzp: true, AllowAzp: true}
)

var (
	// HTTPClient is used for external calls.
	HTTPClient *http.Client = nil
)
Functions ¶
func AccessTokenCacheKey ¶ added in v0.9.13
func AccessTokenCacheKey(issuer, token string) string

AccessTokenCacheKey creates the cache key for an access token.
func MustWithAuth ¶
func MustWithAuth(handler func(http.ResponseWriter, *http.Request), checker *Checker, require Require) func(http.ResponseWriter, *http.Request)
MustWithAuth wraps the handler func with an authorization check that covers client credentials, bearer token validation and the role carried in the token. The function calls fatal if it is passed an invalid requirement, which makes it the cleaner choice when wiring handlers in main.
func WithAuth ¶
func WithAuth(handler func(http.ResponseWriter, *http.Request), checker *Checker, require Require) (func(http.ResponseWriter, *http.Request), error)
WithAuth wraps the handler func with an authorization check that covers client credentials, bearer token validation and the role carried in the token. The function returns an error if it is passed an invalid requirement.
Types ¶
type Checker ¶
type Checker struct {
// contains filtered or unexported fields
}
Checker stores information and functions for authorization check.
func NewChecker ¶ added in v0.9.4
func NewChecker(logger *logging.Client, issuer string, permissions *permissions.Permissions, fetchClientSecrets func() (map[string]string, error), transformIdentity func(*ga4gh.Identity) *ga4gh.Identity, useUserinfoVerifyToken bool, cache func() cache.Client) *Checker
NewChecker creates a checker for the authorization check. ctx: used to create the OIDC token verifier; may carry an http client for mocking. logger: audit log logger. issuer: accepted OIDC issuer URL. permissions: provides the method that checks whether a user has admin permission. fetchClientSecrets: fetches client ids and client secrets. transformIdentity: transforms the identity as needed; runs just after the token is converted to an identity.
type Context ¶ added in v0.8.6
type Context struct {
	ID           *ga4gh.Identity
	LinkedID     *ga4gh.Identity
	ClientID     string
	ClientSecret string
	IsAdmin      bool
}
Context (i.e. auth.Context) is authorization information that is stored within the request context.
type Require ¶
type Require struct {
	Nothing      bool
	ClientID     bool
	ClientSecret bool
	// Role currently supports "user" and "admin". The check verifies the role inside the bearer token.
	// A bearer token is not required if "Role" is empty.
	Role       Role
	EditScopes []string
	// client id of self
	SelfClientID string
	// allow using the issuer as aud or azp
	AllowIssuerInAudOrAzp bool
	// allow azp
	AllowAzp bool
}

Require defines the authorization requirement.
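The following is an added, self-contained illustration of the wrapper pattern this package documents (an invalid Require rejected up front so WithAuth can return an error, then client-credential, bearer-token, role and edit-scope checks layered in front of the handler). It is not the package's own code: Claims, Checker's lookup tables, DemoChecker, the client_id/client_secret query parameters, Role being a string type, the admin-satisfies-user rule and the "mutating method" rule are all assumptions made for the example, standing in for the OIDC verification, secret fetching and permission lookup that the real NewChecker dependencies provide.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"net/http"
	"strings"
)

// Role is assumed here to be a string type; the page names the "user" and "admin" roles.
type Role string

const (
	None  Role = ""
	User  Role = "user"
	Admin Role = "admin"
)

const UserAuthorizationHeader = "Authorization" // bearer-token header named on the page

// Require mirrors a subset of the page's Require fields.
type Require struct {
	ClientID, ClientSecret bool
	Role                   Role
	EditScopes             []string
}

// Claims and Checker are hypothetical stand-ins: lookup tables replace the real
// checker's secret fetching and OIDC token verification.
type Claims struct {
	Role   Role
	Scopes []string
}
type Checker struct {
	ClientSecrets map[string]string
	Tokens        map[string]Claims
}

// DemoChecker holds constructed sample credentials and tokens, not real values.
var DemoChecker = &Checker{
	ClientSecrets: map[string]string{"app1": "s3cret"},
	Tokens: map[string]Claims{
		"tok-admin": {Role: Admin},
		"tok-user":  {Role: User, Scopes: []string{"account_admin"}},
		"tok-plain": {Role: User},
	},
}

// validateRequire rejects inconsistent requirements up front; this is what lets
// WithAuth return an error (and MustWithAuth fail fast) while main wires routes.
func validateRequire(req Require) error {
	if req.ClientSecret && !req.ClientID {
		return errors.New("ClientSecret requires ClientID")
	}
	if len(req.EditScopes) > 0 && req.Role == None {
		return errors.New("EditScopes need a Role so that a bearer token is checked")
	}
	return nil
}

func hasAllScopes(have, want []string) bool {
	set := map[string]bool{}
	for _, s := range have {
		set[s] = true
	}
	for _, s := range want {
		if !set[s] {
			return false
		}
	}
	return true
}

// WithAuth wraps handler with the checks selected by req. Assumption: client
// credentials arrive as client_id / client_secret query parameters.
func WithAuth(handler http.HandlerFunc, checker *Checker, req Require) (http.HandlerFunc, error) {
	if err := validateRequire(req); err != nil {
		return nil, err
	}
	return func(w http.ResponseWriter, r *http.Request) {
		if req.ClientID {
			secret, ok := checker.ClientSecrets[r.URL.Query().Get("client_id")]
			got := []byte(r.URL.Query().Get("client_secret"))
			// Constant-time comparison so the check does not leak the secret through timing.
			if !ok || (req.ClientSecret && subtle.ConstantTimeCompare(got, []byte(secret)) != 1) {
				http.Error(w, "client credentials rejected", http.StatusUnauthorized)
				return
			}
		}
		if req.Role != None {
			hdr := r.Header.Get(UserAuthorizationHeader)
			claims, known := checker.Tokens[strings.TrimPrefix(hdr, "Bearer ")]
			if !strings.HasPrefix(hdr, "Bearer ") || !known {
				http.Error(w, "missing or unknown bearer token", http.StatusUnauthorized)
				return
			}
			// Assumption: an admin token satisfies a User requirement, never the reverse.
			if req.Role == Admin && claims.Role != Admin {
				http.Error(w, "admin role required", http.StatusForbidden)
				return
			}
			// Non-admins need every edit scope on mutating (non-GET/HEAD) methods.
			mutating := r.Method != http.MethodGet && r.Method != http.MethodHead
			if claims.Role != Admin && mutating && !hasAllScopes(claims.Scopes, req.EditScopes) {
				http.Error(w, "missing edit scope", http.StatusForbidden)
				return
			}
		}
		handler(w, r)
	}, nil
}
```

The ordering matters for what a caller learns: a request that fails the client-credential check is refused before any token is looked at, and a token that is valid but lacks the role or scope gets 403 rather than 401, so logs distinguish "unauthenticated" from "authenticated but not permitted". Validating the Require struct at wrap time, not per request, is what makes the MustWithAuth variant safe to use in main: a misconfigured route fails at startup instead of silently serving.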