auth

Documentation

Overview

Package auth defines a standard interface for request access controllers.

An access controller has a simple interface with a single `Authorized` method which checks that a given request is authorized to perform one or more actions on one or more resources. This method should return a non-nil error if the requset is not authorized.

An implementation registers its access controller by name with a constructor which accepts an options map for configuring the access controller.

options := map[string]interface{}{"sillySecret": "whysosilly?"}
accessController, _ := auth.GetAccessController("silly", options)

This `accessController` can then be used in a request handler like so:

func updateOrder(w http.ResponseWriter, r *http.Request) {
	orderNumber := r.FormValue("orderNumber")
	resource := auth.Resource{Type: "customerOrder", Name: orderNumber}
	access := auth.Access{Resource: resource, Action: "update"}

	if err := accessController.Authorized(r, access); err != nil {
		if challenge, ok := err.(auth.Challenge) {
			// Let the challenge write the response.
			challenge.ServeHTTP(w, r)
		} else {
			// Some other error.
		}
	}
}

Index

• func Register(name string, initFunc InitFunc) error
• type Access
• type AccessController
  • func GetAccessController(name string, options map[string]interface{}) (AccessController, error)
• type Challenge
• type InitFunc
• type Resource

Functions

func Register

func Register(name string, initFunc InitFunc) error

Register is used to register an InitFunc for an AccessController backend with the given name.

Types

type Access

type Access struct {
	Resource
	Action string
}

Access describes a specific action that is requested or allowed for a given recource.

type AccessController

type AccessController interface {
	// Authorized returns non-nil if the request is granted access. If one or
	// more Access structs are provided, the requested access will be compared
	// with what is available to the request. If the error is non-nil, access
	// should always be denied. The error may be of type Challenge, in which
	// case the caller may have the Challenge handle the request or choose
	// what action to take based on the Challenge header or response status.
	Authorized(req *http.Request, access ...Access) error
}

AccessController controls access to registry resources based on a request and required access levels for a request. Implementations can support both complete denial and http authorization challenges.

func GetAccessController

func GetAccessController(name string, options map[string]interface{}) (AccessController, error)

GetAccessController constructs an AccessController with the given options using the named backend.

type Challenge

type Challenge interface {
	error
	// ServeHTTP prepares the request to conduct the appropriate challenge
	// response. For most implementations, simply calling ServeHTTP should be
	// sufficient. Because no body is written, users may write a custom body after
	// calling ServeHTTP, but any headers must be written before the call and may
	// be overwritten.
	ServeHTTP(w http.ResponseWriter, r *http.Request)
}

Challenge is a special error type which is used for HTTP 401 Unauthorized responses and is able to write the response with WWW-Authenticate challenge header values based on the error.

type InitFunc

type InitFunc func(options map[string]interface{}) (AccessController, error)

InitFunc is the type of an AccessController factory function and is used to register the contsructor for different AccesController backends.

type Resource

type Resource struct {
	Type string
	Name string
}

Resource describes a resource by type and name.