Documentation ¶
Overview ¶
Package rpcauth provides OPA policy authorization for Sansshell RPCs.
Index ¶
- Constants
- Variables
- func AddPeerToContext(ctx context.Context, p *PeerAuthInput) context.Context
- type Authorizer
- func (g *Authorizer) Authorize(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, ...) (interface{}, error)
- func (g *Authorizer) AuthorizeClient(ctx context.Context, method string, req, reply interface{}, ...) error
- func (g *Authorizer) AuthorizeClientStream(ctx context.Context, desc *grpc.StreamDesc, cc *grpc.ClientConn, method string, ...) (grpc.ClientStream, error)
- func (g *Authorizer) AuthorizeStream(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, ...) error
- func (g *Authorizer) Eval(ctx context.Context, input *RPCAuthInput) error
- type CertAuthInput
- type EnvironmentInput
- type HookPredicate
- type HostAuthInput
- type NetAuthInput
- type PeerAuthInput
- type PrincipalAuthInput
- type RPCAuthInput
- type RPCAuthzHook
- type RPCAuthzHookFunc
Constants ¶
const ( // ReqJustKey is the key name that must exist in the incoming // context metadata if client side provided justification is required. ReqJustKey = "sansshell-justification" )
Variables ¶
var ( // ErrJustification is the error returned for missing justification. ErrJustification = status.Error(codes.FailedPrecondition, "missing justification") )
Functions ¶
func AddPeerToContext ¶ added in v1.25.0
func AddPeerToContext(ctx context.Context, p *PeerAuthInput) context.Context
AddPeerToContext adds a PeerAuthInput to the context. This is typically added by the rpcauth grpc interceptors.
Types ¶
type Authorizer ¶
type Authorizer struct {
// contains filtered or unexported fields
}
An Authorizer performs authorization of Sanshsell RPCs based on an OPA/Rego policy.
It can be used as both a unary and stream interceptor, or manually invoked to perform policy checks using `Eval`
func New ¶
func New(policy *opa.AuthzPolicy, authzHooks ...RPCAuthzHook) *Authorizer
New creates a new Authorizer from an opa.AuthzPolicy. Any supplied authorization hooks will be executed, in the order provided, on each policy evauluation. NOTE: The policy is used for both client and server hooks below. If you need
distinct policy for client vs server, create 2 Authorizer's.
func NewWithPolicy ¶
func NewWithPolicy(ctx context.Context, policy string, authzHooks ...RPCAuthzHook) (*Authorizer, error)
NewWithPolicy creates a new Authorizer from a policy string. Any supplied authorization hooks will be executed, in the order provided, on each policy evaluation. NOTE: The policy is used for both client and server hooks below. If you need
distinct policy for client vs server, create 2 Authorizer's.
func (*Authorizer) Authorize ¶
func (g *Authorizer) Authorize(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error)
Authorize implements grpc.UnaryServerInterceptor
func (*Authorizer) AuthorizeClient ¶ added in v1.0.9
func (g *Authorizer) AuthorizeClient(ctx context.Context, method string, req, reply interface{}, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error
AuthorizeClient implements grpc.UnaryClientInterceptor
func (*Authorizer) AuthorizeClientStream ¶ added in v1.0.9
func (g *Authorizer) AuthorizeClientStream(ctx context.Context, desc *grpc.StreamDesc, cc *grpc.ClientConn, method string, streamer grpc.Streamer, opts ...grpc.CallOption) (grpc.ClientStream, error)
AuthorizeClientStream implements grpc.StreamClientInterceptor and applies policy checks on any SendMsg calls.
func (*Authorizer) AuthorizeStream ¶
func (g *Authorizer) AuthorizeStream(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error
AuthorizeStream implements grpc.StreamServerInterceptor and applies policy checks on any RecvMsg calls.
func (*Authorizer) Eval ¶
func (g *Authorizer) Eval(ctx context.Context, input *RPCAuthInput) error
Eval will evalulate the supplied input against the authorization policy, returning nil iff policy evaulation was successful, and the request is permitted, or an appropriate status.Error otherwise. Any input hooks will be executed prior to policy evaluation, and may mutate `input`, regardless of the the success or failure of policy.
type CertAuthInput ¶
type CertAuthInput struct { // The certificate subject Subject pkix.Name `json:"subject"` // The certificate issuer Issuer pkix.Name `json:"issuer"` // DNS names, from SubjectAlternativeName DNSNames []string `json:"dnsnames"` // The raw SPIFFE identifier, if present SPIFFEID string `json:"spiffeid"` }
CertAuthInput contains policy-relevant information derived from a certificate
func CertInputFrom ¶
func CertInputFrom(authInfo credentials.AuthInfo) *CertAuthInput
CertInputFrom populates certificate information from the supplied credentials, if available.
type EnvironmentInput ¶ added in v1.10.0
type EnvironmentInput struct { // True if the policy evaluation is being performed by some entity other than the host // (for example, policy checks performed by an authorizing proxy or other agent) NonHostPolicyCheck bool `json:"non_host_policy_check"` }
EnvironmentInput contains information about the environment in which the policy evaluation is happening.
type HookPredicate ¶
type HookPredicate func(*RPCAuthInput) bool
A HookPredicate returns true if a conditional hook should run
type HostAuthInput ¶
type HostAuthInput struct { // The host address Net *NetAuthInput `json:"net"` // Information about the certificate served by the host, if any Cert *CertAuthInput `json:"cert"` // Information about the principal associated with the host, if any Principal *PrincipalAuthInput `json:"principal"` }
HostAuthInput contains policy-relevant information about the system receiving an RPC
type NetAuthInput ¶
type NetAuthInput struct { // The 'network' as returned by net.Addr.Network() (e.g. "tcp", "udp") Network string `json:"network"` // The address string, as returned by net.Addr.String(), with port (if any) removed Address string `json:"address"` // The port, as parsed from net.Addr.String(), if present Port string `json:"port"` }
NetAuthInput contains policy-relevant information related to a network endpoint
func NetInputFromAddr ¶
func NetInputFromAddr(addr net.Addr) *NetAuthInput
NetInputFromAddr returns NetAuthInput from the supplied net.Addr
type PeerAuthInput ¶
type PeerAuthInput struct { // Network information about the peer Net *NetAuthInput `json:"net"` // Information about the certificate presented by the peer, if any Cert *CertAuthInput `json:"cert"` // Information about the principal associated with the peer, if any Principal *PrincipalAuthInput `json:"principal"` }
PeerAuthInput contains policy-relevant information about an RPC peer.
func PeerInputFromContext ¶
func PeerInputFromContext(ctx context.Context) *PeerAuthInput
PeerInputFromContext populates peer information from the supplied context, if available.
type PrincipalAuthInput ¶
type PrincipalAuthInput struct { // The principal identifier (e.g. a username or service role) ID string `json:"id"` // Auxilliary groups associated with this principal. Groups []string `json:"groups"` }
PrincipalAuthInput contains policy-relevant information about the principal associated with an operation.
type RPCAuthInput ¶
type RPCAuthInput struct { // The GRPC method name, as '/Package.Service/Method' Method string `json:"method"` // The request protocol buffer, serialized as JSON. Message json.RawMessage `json:"message"` // The message type as 'Package.Message' MessageType string `json:"type"` // Raw grpc metdata associated with this call. Metadata metadata.MD `json:"metadata"` // Information about the calling peer, if available. Peer *PeerAuthInput `json:"peer"` // Information about the host serving the RPC. Host *HostAuthInput `json:"host"` // Information about approvers when using multi-party authentication. Approvers []*PrincipalAuthInput `json:"approvers"` // Information about the environment in which the policy evaluation is // happening. Environment *EnvironmentInput `json:"environment"` // Implementation specific extensions. Extensions json.RawMessage `json:"extensions"` // TargetConn is a connection to the target under evaluation. It is only non-nil when // the policy evaluation is being performed by some entity other than the host and // can be used in rpcauth hooks to gather information by making RPC calls to the // host. // TargetConn is not exposed to policy evaluation. TargetConn grpc.ClientConnInterface `json:"-"` }
RPCAuthInput is used as policy input to validate Sansshell RPCs
func NewRPCAuthInput ¶
NewRPCAuthInput creates RpcAuthInput for the supplied method and request, deriving other information (if available) from the context.
type RPCAuthzHook ¶
type RPCAuthzHook interface {
Hook(context.Context, *RPCAuthInput) error
}
A RPCAuthzHook is invoked on populated RpcAuthInput prior to policy evaluation, and may augment / mutate the input, or pre-emptively reject a request.
func HookIf ¶
func HookIf(hook RPCAuthzHook, condition HookPredicate) RPCAuthzHook
HookIf wraps an existing hook, and only executes it when the provided condition returns true
func HostNetHook ¶
func HostNetHook(addr net.Addr) RPCAuthzHook
HostNetHook returns an RPCAuthzHook that sets host networking information.
func JustificationHook ¶ added in v1.0.3
func JustificationHook(justificationFunc func(string) error) RPCAuthzHook
JustificationHook takes the given optional justification function and returns an RPCAuthzHook that validates if justification was included. If it is required and passes the optional validation function it will return nil, otherwise an error.
func PeerPrincipalFromCertHook ¶ added in v1.24.8
func PeerPrincipalFromCertHook() RPCAuthzHook
PeerPrincipalFromCertHook returns an RPCAuthzHook that sets principal information based on the peer's certificate, using the common name as the id and the organizational units as the groups.
type RPCAuthzHookFunc ¶
type RPCAuthzHookFunc func(context.Context, *RPCAuthInput) error
RPCAuthzHookFunc implements RpcAuthzHook for a simple function
func (RPCAuthzHookFunc) Hook ¶
func (r RPCAuthzHookFunc) Hook(ctx context.Context, input *RPCAuthInput) error
Hook runs the hook function on the given input