api

package
v0.1.1

Warning: this package is not in the latest version of its module.

Published: Oct 4, 2022 License: MIT Imports: 23 Imported by: 0

README

The API package contains all of the generated code as well as the business logic for responding to web API requests.

This package is limited to the REST API - the UI is not in scope.

The code in this directory is called from cmd/serve.go. The auto-generated code is created via make generate-api, and can be removed with make clean-api.

  • swagger.yaml -- the API spec from which the server code is generated
  • models/ -- auto-generated except for user.go
  • restapi/ -- mostly auto-generated
  • restapi/configure.go -- originally auto-generated, now static. Used to set up middleware
  • api.go -- API server configuration

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetManuallyAuthorized

func GetManuallyAuthorized(ctx context.Context, client *auth.Client, store store.Store, uid string) (bool, error)

GetManuallyAuthorized returns whether the user is manually authorized (checking both their claim and the store)

func ImpersonatedTokenSource

func ImpersonatedTokenSource(tokenConfig ImpersonatedTokenConfig) (oauth2.TokenSource, error)

ImpersonatedTokenSource returns a TokenSource issued to a user or service account to impersonate another. The source project using ImpersonatedTokenSource must have the IAM Credentials API enabled. Also, the target service account must grant the originating principal the "Service Account Token Creator" IAM role: https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role

rootSource (TokenSource): The root TokenSource
   used to acquire the target identity TokenSource.
   rootSource *must* include scopes that contain
   "https://www.googleapis.com/auth/iam"
   or
   "https://www.googleapis.com/auth/cloud-platform"
targetPrincipal (string): The service account to impersonate.
targetScopes ([]string): Scopes to request during the
   authorization grant.
delegates ([]string): The chained list of delegates required
    to grant the final access_token. If set, each identity in the
    sequence must have the "Service Account Token Creator" role
    granted to the preceding identity. For example, if set to
    [serviceAccountB, serviceAccountC], the source credential
    must have the Token Creator role on serviceAccountB,
    serviceAccountB must have Token Creator on serviceAccountC,
    and finally C must have Token Creator on target_principal.
    If left unset, the source credential must have that role on
    target_principal directly.
lifetime (time.Duration): How long the impersonated credential should
   be valid for (at most one hour, i.e. 3600 seconds).

Note that this is not a standard OAuth flow: it uses the Google Cloud IAM Credentials API to exchange one OAuth token for an access token belonging to the impersonated service account. See: https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken
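The delegation chain and lifetime rules above are easy to get wrong in IAM policy, and the failure only surfaces as a 403 from the IAM Credentials API at runtime. The following is an added example (not code from this package) that makes the preconditions explicit offline: it enumerates the Token Creator bindings a chain source -> delegates -> target needs, checks them against a constructed map standing in for IAM policy, validates scopes and lifetime, and renders the generateAccessToken request body. The config type mirrors ImpersonatedTokenConfig's fields, but the checking logic, the Grant type and the example principals are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Scopes the root credential must carry for the IAM Credentials API to accept
// a generateAccessToken call made with it; the API caps lifetime at one hour.
var iamScopes = map[string]bool{
	"https://www.googleapis.com/auth/iam":            true,
	"https://www.googleapis.com/auth/cloud-platform": true,
}

const maxLifetime = time.Hour

// ImpersonatedTokenConfig mirrors the package's config fields; the logic below
// is this example's own, not the package's implementation.
type ImpersonatedTokenConfig struct {
	TargetPrincipal string
	Lifetime        time.Duration
	Delegates       []string
	TargetScopes    []string
}

// Grant: Grantee needs roles/iam.serviceAccountTokenCreator on service account On.
type Grant struct {
	Grantee string
	On      string
}

// RequiredGrants lists the Token Creator bindings a delegation chain needs:
// source -> delegates[0] -> ... -> delegates[n-1] -> TargetPrincipal.
func RequiredGrants(source string, cfg ImpersonatedTokenConfig) []Grant {
	chain := append([]string{source}, cfg.Delegates...)
	grants := make([]Grant, 0, len(chain))
	for i, principal := range chain {
		next := cfg.TargetPrincipal
		if i+1 < len(chain) {
			next = chain[i+1]
		}
		grants = append(grants, Grant{Grantee: principal, On: next})
	}
	return grants
}

// Preflight checks the documented preconditions before any network call.
// tokenCreator maps a service account to the principals holding Token Creator
// on it; a real caller would read IAM policy, here it is constructed input.
func Preflight(source string, rootScopes []string, cfg ImpersonatedTokenConfig, tokenCreator map[string]map[string]bool) error {
	if cfg.TargetPrincipal == "" {
		return errors.New("target principal is required")
	}
	if cfg.Lifetime <= 0 || cfg.Lifetime > maxLifetime {
		return fmt.Errorf("lifetime %s must be in (0, %s]", cfg.Lifetime, maxLifetime)
	}
	scoped := false
	for _, s := range rootScopes {
		scoped = scoped || iamScopes[s]
	}
	if !scoped {
		return errors.New("root token source lacks the iam or cloud-platform scope")
	}
	for _, g := range RequiredGrants(source, cfg) {
		if !tokenCreator[g.On][g.Grantee] {
			return fmt.Errorf("%s lacks Service Account Token Creator on %s", g.Grantee, g.On)
		}
	}
	return nil
}

// GenerateAccessTokenRequest renders the JSON body that
// POST .../v1/projects/-/serviceAccounts/{TargetPrincipal}:generateAccessToken
// expects: delegates as full resource names, scopes, and lifetime in seconds.
func GenerateAccessTokenRequest(cfg ImpersonatedTokenConfig) (string, error) {
	body := struct {
		Delegates []string `json:"delegates,omitempty"`
		Scope     []string `json:"scope"`
		Lifetime  string   `json:"lifetime"`
	}{Scope: cfg.TargetScopes, Lifetime: fmt.Sprintf("%ds", int(cfg.Lifetime.Seconds()))}
	for _, d := range cfg.Delegates {
		body.Delegates = append(body.Delegates, "projects/-/serviceAccounts/"+d)
	}
	b, err := json.Marshal(body)
	return string(b), err
}

func main() {
	cfg := ImpersonatedTokenConfig{TargetPrincipal: "target@example.iam.gserviceaccount.com",
		Lifetime: 30 * time.Minute, Delegates: []string{"b@example.iam.gserviceaccount.com"}}
	for _, g := range RequiredGrants("src@example.iam.gserviceaccount.com", cfg) {
		fmt.Printf("%s needs Token Creator on %s\n", g.Grantee, g.On)
	}
	body, _ := GenerateAccessTokenRequest(cfg)
	fmt.Println(body)
}
```

Two points worth keeping in mind when wiring this into a server: a failed check on the last hop (the delegate that must hold Token Creator on the target) is the most common misconfiguration, and requesting the full one-hour lifetime for a server that refreshes tokens anyway only widens the window in which a leaked token is useful.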

func InitAuthClient

func InitAuthClient(projectID string, useCreds bool, serviceAccount string) *auth.Client

InitAuthClient creates a Firebase Admin SDK auth client. If useCreds is false, no GCP credentials are required, but the client can only validate ID tokens. If useCreds is true, the environment must have Google application default credentials. If serviceAccount is non-empty, the client tries to impersonate the named account.

func IsSAMLProvider

func IsSAMLProvider(provider string) bool

IsSAMLProvider reports whether the given provider ID corresponds to a SAML provider

func MakeAuthorizer

func MakeAuthorizer(rt *Runtime) runtime.AuthorizerFunc

MakeAuthorizer returns an authorizer that checks that the authenticated user is allowed to make API requests

func MakeDummyKeyAuth

func MakeDummyKeyAuth(rt *Runtime) func(string) (*models.User, error)

MakeDummyKeyAuth returns a function that creates a fixed user, ignoring the provided token

func MakeKeyAuth

func MakeKeyAuth(rt *Runtime) func(string) (*models.User, error)

MakeKeyAuth returns a function that creates a user from the token in the provided Authorization header

func NewAPI

func NewAPI(rt *Runtime) *restapi.Server

NewAPI creates a new configured BeSec API server

func NewCreatePlanHandler

func NewCreatePlanHandler(rt *Runtime) operations.CreatePlanHandler

NewCreatePlanHandler creates a handler

func NewCreatePlanRevisionHandler

func NewCreatePlanRevisionHandler(rt *Runtime) operations.CreatePlanRevisionHandler

NewCreatePlanRevisionHandler creates a handler

func NewCreateProjectHandler

func NewCreateProjectHandler(rt *Runtime) operations.CreateProjectHandler

NewCreateProjectHandler creates a handler

func NewDeletePlanHandler

func NewDeletePlanHandler(rt *Runtime) operations.DeletePlanHandler

NewDeletePlanHandler creates a handler

func NewDeleteProjectHandler

func NewDeleteProjectHandler(rt *Runtime) operations.DeleteProjectHandler

NewDeleteProjectHandler creates a handler

func NewGetAuthConfigHandler

func NewGetAuthConfigHandler(rt *Runtime) operations.GetAuthConfigHandler

NewGetAuthConfigHandler creates a handler

func NewGetPlanHandler

func NewGetPlanHandler(rt *Runtime) operations.GetPlanHandler

NewGetPlanHandler creates a handler

func NewGetPlanRevisionHandler

func NewGetPlanRevisionHandler(rt *Runtime) operations.GetPlanRevisionHandler

NewGetPlanRevisionHandler creates a handler

func NewGetPlanRevisionPracticeResponsesHandler

func NewGetPlanRevisionPracticeResponsesHandler(rt *Runtime) operations.GetPlanRevisionPracticeResponsesHandler

NewGetPlanRevisionPracticeResponsesHandler creates a handler

func NewGetPlanVersionsHandler

func NewGetPlanVersionsHandler(rt *Runtime) operations.GetPlanVersionsHandler

NewGetPlanVersionsHandler creates a handler

func NewGetPracticesHandler

func NewGetPracticesHandler(rt *Runtime) operations.GetPracticesHandler

NewGetPracticesHandler creates a handler

func NewGetProjectHandler

func NewGetProjectHandler(rt *Runtime) operations.GetProjectHandler

NewGetProjectHandler creates a handler

func NewListPracticesVersionsHandler

func NewListPracticesVersionsHandler(rt *Runtime) operations.ListPracticesVersionsHandler

NewListPracticesVersionsHandler creates a handler

func NewListProjectsHandler

func NewListProjectsHandler(rt *Runtime) operations.ListProjectsHandler

NewListProjectsHandler creates a handler

func NewLoggedInHandler

func NewLoggedInHandler(rt *Runtime) operations.LoggedInHandler

NewLoggedInHandler creates a handler

func NewUpdateProjectHandler

func NewUpdateProjectHandler(rt *Runtime) operations.UpdateProjectHandler

NewUpdateProjectHandler creates a handler

func NewUser

func NewUser(token *auth.Token, authConfig ExtendedAuthConfig) (*models.User, error)

NewUser creates a User from the already-validated token

func NewUserAlert

func NewUserAlert(rt *Runtime, user *models.User)

NewUserAlert sends a notification about a user's first login and on success records it in the user's local data

func RequestAccessAlert

func RequestAccessAlert(rt *Runtime, user *models.User)

RequestAccessAlert sends a notification about a new user attempting to log in and on success records it in the user's local data

func SetManuallyAuthorized

func SetManuallyAuthorized(ctx context.Context, client *auth.Client, store store.Store, uid string, value bool) error

SetManuallyAuthorized records whether the user is manually authorized, in the store and as a custom claim for when their token is next created
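Because the manual-authorization flag lives in two places, the token claim and the store, the order in which an authorizer consults them decides how quickly a grant or a revocation takes effect. The following is an added example (not this package's code) of the decision an authorizer over every operation would make, using the same path -> method -> public shape as Runtime.PublicPaths. The AuthzStore interface, the in-memory store, the User type, the claim name "manuallyAuthorized" and the "/auth/config" path are assumptions for illustration, not the package's own names.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// AuthzStore is a hypothetical stand-in for the package's store.Store: it
// answers whether an admin has manually authorized the user id.
type AuthzStore interface {
	ManuallyAuthorized(ctx context.Context, uid string) (bool, error)
}

// memStore is a constructed in-memory store for the example.
type memStore map[string]bool

func (m memStore) ManuallyAuthorized(_ context.Context, uid string) (bool, error) {
	return m[uid], nil
}

// User is the minimal shape this example needs: the verified token's subject
// and its custom claims.
type User struct {
	UID    string
	Claims map[string]interface{}
}

const manualClaim = "manuallyAuthorized" // assumed claim name, not the package's

// PublicPaths has the same shape as Runtime.PublicPaths: path -> method -> public.
type PublicPaths map[string]map[string]bool

var ErrUnauthorized = errors.New("user is not authorized to use the API")

// manuallyAuthorized consults the token claim first and falls back to the
// store. The claim is only refreshed when Firebase mints a new ID token, so a
// grant recorded in the store takes effect immediately even with an old token;
// a revocation, however, is not seen until the claim is gone from a fresh
// token. If that lag is unacceptable, make the store authoritative instead.
func manuallyAuthorized(ctx context.Context, st AuthzStore, u *User) (bool, error) {
	if v, ok := u.Claims[manualClaim].(bool); ok && v {
		return true, nil
	}
	return st.ManuallyAuthorized(ctx, u.UID)
}

// Authorize is the decision an authorizer wrapping every operation would make.
// u is nil when no valid token was presented.
func Authorize(ctx context.Context, st AuthzStore, public PublicPaths, method, path string, u *User) error {
	if public[path][method] {
		return nil // public operation: no token needed
	}
	if u == nil {
		return errors.New("authentication required")
	}
	ok, err := manuallyAuthorized(ctx, st, u)
	if err != nil {
		return fmt.Errorf("authorization lookup for %s: %w", u.UID, err)
	}
	if !ok {
		return ErrUnauthorized
	}
	return nil
}

func main() {
	public := PublicPaths{"/auth/config": {"GET": true}} // assumed path
	st := memStore{"uid-store-only": true}
	fmt.Println(Authorize(context.Background(), st, public, "GET", "/auth/config", nil))
	fmt.Println(Authorize(context.Background(), st, public, "GET", "/projects", &User{UID: "uid-new"}))
	fmt.Println(Authorize(context.Background(), st, public, "GET", "/projects", &User{UID: "uid-store-only"}))
}
```

Note that the public-path check is keyed on method as well as path: marking GET on a path public must not silently make POST or DELETE on the same path public.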

func SlackSender

func SlackSender(c chan SlackMessage, rt *Runtime, webhook string)

SlackSender sends messages received on c to Slack. Any duplicated messages that appear within a short period are not sent. If the message is successfully sent, it's recorded in the user's local record
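The two properties SlackSender documents, suppressing repeats within a short window and recording a message only after a successful send, are the ones that stop a login loop from flooding the admin channel while still guaranteeing a retry after a webhook outage. The following is an added example (not this package's code) of that logic with the dedup state separated from the channel loop so it can be exercised with fixed timestamps; the Dedup type, the one-minute window, the string message keys and the record callback are assumptions for illustration.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Dedup suppresses repeats of a message seen within window. In practice the
// key should include the user id so two users' identical alerts are not merged.
type Dedup struct {
	mu       sync.Mutex
	window   time.Duration
	lastSent map[string]time.Time
}

func NewDedup(window time.Duration) *Dedup {
	return &Dedup{window: window, lastSent: map[string]time.Time{}}
}

// ShouldSend reports whether key may go out at now, recording it if so and
// expiring stale entries so the map cannot grow without bound.
func (d *Dedup) ShouldSend(key string, now time.Time) bool {
	d.mu.Lock()
	defer d.mu.Unlock()
	for k, t := range d.lastSent {
		if now.Sub(t) >= d.window {
			delete(d.lastSent, k)
		}
	}
	if _, recent := d.lastSent[key]; recent {
		return false
	}
	d.lastSent[key] = now
	return true
}

// Run drains ch until it is closed: suppressed messages are dropped, a failed
// send is not recorded (so the next login alerts again), and only a successful
// send is passed to record. It returns how many messages were sent.
func Run(ch <-chan string, d *Dedup, send func(string) error, record func(string)) int {
	sent := 0
	for m := range ch {
		if !d.ShouldSend(m, time.Now()) {
			continue
		}
		if err := send(m); err != nil {
			continue
		}
		record(m)
		sent++
	}
	return sent
}

func main() {
	ch := make(chan string, 4)
	for _, m := range []string{"new user alice", "new user alice", "new user bob"} {
		ch <- m // constructed sample messages
	}
	close(ch)
	n := Run(ch, NewDedup(time.Minute),
		func(m string) error { fmt.Println("slack:", m); return nil },
		func(string) {})
	fmt.Println("sent", n)
}
```

The trade-off in the failure path is deliberate: not recording on error means an outage causes a later duplicate alert rather than a silently lost one, which is the right direction for a security notification.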

Types

type ExtendedAuthConfig

type ExtendedAuthConfig struct {
	models.AuthConfig
}

ExtendedAuthConfig extends models.AuthConfig with convenience methods

func NewExtendedAuthConfig

func NewExtendedAuthConfig(authConfig models.AuthConfig) ExtendedAuthConfig

NewExtendedAuthConfig validates the AuthConfig and returns an extended type

type ImpersonatedTokenConfig

type ImpersonatedTokenConfig struct {
	TargetPrincipal string
	Lifetime        time.Duration
	Delegates       []string
	TargetScopes    []string
}

ImpersonatedTokenConfig holds the parameters used to start a credential impersonation exchange.

type Runtime

type Runtime struct {
	Store               store.Store
	AuthClient          *auth.Client
	AuthConfig          ExtendedAuthConfig
	RequestAccessAlerts bool // Whether to send notifications to admins when a new unauthorized user attempts to login
	NewUserAlerts       bool // Whether to send notifications to admins when an authorized user signs in for the first time
	SlackChan           chan SlackMessage
	PublicPaths         map[string]map[string]bool // map from path to a map from HTTP method to whether it is public
	// contains filtered or unexported fields
}

Runtime captures the shared state & services used by the server

func NewRuntime

func NewRuntime(Store store.Store,
	AuthClient *auth.Client,
	AuthConfig ExtendedAuthConfig,
	RequestAccessAlerts bool,
	NewUserAlerts bool,
	SlackChan chan SlackMessage,
) *Runtime

NewRuntime creates a Runtime with the given parameters

func (*Runtime) GetPractices

func (rt *Runtime) GetPractices(ctx context.Context, version string) ([]lib.Practice, error)

GetPractices is a caching version of Store.GetPractices

type SlackMessage

type SlackMessage struct {
	// contains filtered or unexported fields
}

SlackMessage captures the info needed for SlackSender to send and record a message

Directories

Path: restapi    Synopsis: Package restapi BeSec
