auth

package
v0.11.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 6, 2024 License: Apache-2.0 Imports: 26 Imported by: 0

Documentation

Index

Constants

View Source
const AnonymousAuthServiceName = "Anonymous"
View Source
const BasicAuthServiceName = "Basic"
View Source
const EveryoneGroup = "everyone"

All users are implicitly part of this group.

View Source
const KubernetesAuthServiceName = "KubernetesNative"
View Source
const OidcAuthServiceName = "OIDC"

Variables

This section is empty.

Functions

func CreateGrpcMiddlewareAuthFunction added in v0.9.4

func CreateGrpcMiddlewareAuthFunction(authService AuthService) func(ctx context.Context) (context.Context, error)

CreateGrpcMiddlewareAuthFunction for use with GRPC. That function returns success if any service successfully authenticates the user, and an error if all services fail to authenticate.

If authentication succeeds, the username returned by the authentication service is added to the request context for logging purposes.

func CreateHttpMiddlewareAuthFunction added in v0.9.4

func CreateHttpMiddlewareAuthFunction(authService AuthService) func(w http.ResponseWriter, r *http.Request) (context.Context, error)

CreateHttpMiddlewareAuthFunction for use with GRPC. That function returns success if any service successfully authenticates the user, and an error if all services fail to authenticate.

If authentication succeeds, the username returned by the authentication service is added to the request context for logging purposes.

func WithPrincipal added in v0.4.52

func WithPrincipal(ctx context.Context, principal Principal) context.Context

WithPrincipal returns a new context containing a principal that is a child to the given context.

Types

type ActionAuthorizer added in v0.4.52

type ActionAuthorizer interface {
	AuthorizeAction(ctx *armadacontext.Context, perm permission.Permission) error
	AuthorizeQueueAction(ctx *armadacontext.Context, queue queue.Queue, anyPerm permission.Permission, perm queue.PermissionVerb) error
}

type AnonymousAuthService added in v0.4.52

type AnonymousAuthService struct{}

func (AnonymousAuthService) Authenticate added in v0.4.52

func (AnonymousAuthService) Authenticate(ctx context.Context, authHeader string) (Principal, error)

type AuthService added in v0.4.52

type AuthService interface {
	Authenticate(ctx context.Context, authHeader string) (Principal, error)
}

AuthService represents a method of authentication for the HTTP or gRPC API. Each implementation represents a particular method, e.g., username/password or OpenID. The HTTP/gRPC server may be started with multiple AuthService to give several options for authentication.

func ConfigureAuth

func ConfigureAuth(config configuration.AuthConfig) ([]AuthService, error)

type Authorizer added in v0.4.52

type Authorizer struct {
	// contains filtered or unexported fields
}

func NewAuthorizer added in v0.4.52

func NewAuthorizer(permissionChecker PermissionChecker) *Authorizer

func (*Authorizer) AuthorizeAction added in v0.4.52

func (b *Authorizer) AuthorizeAction(ctx *armadacontext.Context, perm permission.Permission) error

func (*Authorizer) AuthorizeQueueAction added in v0.4.52

func (b *Authorizer) AuthorizeQueueAction(
	ctx *armadacontext.Context,
	queue queue.Queue,
	anyPerm permission.Permission,
	perm queue.PermissionVerb,
) error

type BasicAuthService added in v0.4.52

type BasicAuthService struct {
	// contains filtered or unexported fields
}

func NewBasicAuthService added in v0.4.52

func NewBasicAuthService(users map[string]configuration.UserInfo) *BasicAuthService

func (*BasicAuthService) Authenticate added in v0.4.52

func (authService *BasicAuthService) Authenticate(_ context.Context, authHeader string) (Principal, error)

type CacheData added in v0.4.52

type CacheData struct {
	Name  string `json:"name"`
	Valid bool   `json:"valid"`
}

type KubernetesNativeAuthService added in v0.4.52

type KubernetesNativeAuthService struct {
	KidMappingFileLocation string
	TokenCache             *cache.Cache
	InvalidTokenExpiry     int64
	TokenReviewer          TokenReviewer
	Clock                  clock.Clock
}

func NewKubernetesNativeAuthService added in v0.4.52

func NewKubernetesNativeAuthService(config configuration.KubernetesAuthConfig) KubernetesNativeAuthService

func (*KubernetesNativeAuthService) Authenticate added in v0.4.52

func (authService *KubernetesNativeAuthService) Authenticate(ctx context.Context, authHeader string) (Principal, error)

type KubernetesTokenReviewer added in v0.4.52

type KubernetesTokenReviewer struct{}

func (*KubernetesTokenReviewer) ReviewToken added in v0.4.52

func (reviewer *KubernetesTokenReviewer) ReviewToken(ctx context.Context, clusterUrl string, token string, ca []byte) (*authv1.TokenReview, error)

type MultiAuthService added in v0.9.4

type MultiAuthService struct {
	// contains filtered or unexported fields
}

func NewMultiAuthService added in v0.9.4

func NewMultiAuthService(authServices []AuthService) *MultiAuthService

func (*MultiAuthService) Authenticate added in v0.9.4

func (multi *MultiAuthService) Authenticate(ctx context.Context, authHeader string) (Principal, error)

Authenticate - The services in authServices are tried one at a time in sequence. Successful authentication short-circuits the process.

type OpenIdAuthService added in v0.4.52

type OpenIdAuthService struct {
	// contains filtered or unexported fields
}

func NewOpenIdAuthService added in v0.4.52

func NewOpenIdAuthService(verifier *oidc.IDTokenVerifier, groupsClaim string) *OpenIdAuthService

func NewOpenIdAuthServiceForProvider added in v0.4.52

func NewOpenIdAuthServiceForProvider(ctx context.Context, config *configuration.OpenIdAuthenticationConfig) (*OpenIdAuthService, error)

func (*OpenIdAuthService) Authenticate added in v0.4.52

func (authService *OpenIdAuthService) Authenticate(ctx context.Context, authHeader string) (Principal, error)

type Owned added in v0.4.52

type Owned interface {
	GetUserOwners() []string
	GetGroupOwners() []string
}

type PermissionChecker added in v0.4.52

type PermissionChecker interface {
	UserHasPermission(ctx context.Context, perm permission.Permission) bool
	UserOwns(ctx context.Context, obj Owned) (owned bool, ownershipGroups []string)
}

type PermissionClaimQueries added in v0.4.52

type PermissionClaimQueries map[permission.Permission]string

type Principal added in v0.4.52

type Principal interface {
	GetName() string
	GetAuthMethod() string
	GetGroupNames() []string
	IsInGroup(group string) bool
	HasScope(scope string) bool
	HasClaim(claim string) bool
}

Principal represents an entity that can be authenticated (e.g., a user). Each principal has a name associated with it and may be part of one or more groups. Scopes and claims are as defined in OpenId.

func GetPrincipal added in v0.4.52

func GetPrincipal(ctx context.Context) Principal

GetPrincipal returns the principal (e.g., a user) contained in a context. The principal is assumed to be stored as a ctx.Value. If no principal can be found, a principal representing an anonymous (unauthenticated) user is returned.

type PrincipalPermissionChecker added in v0.4.52

type PrincipalPermissionChecker struct {
	// contains filtered or unexported fields
}

func NewPrincipalPermissionChecker added in v0.4.52

func NewPrincipalPermissionChecker(
	permissionGroupMap map[permission.Permission][]string,
	permissionScopeMap map[permission.Permission][]string,
	permissionClaimMap map[permission.Permission][]string,
) *PrincipalPermissionChecker

func (*PrincipalPermissionChecker) UserHasPermission added in v0.4.52

func (checker *PrincipalPermissionChecker) UserHasPermission(ctx context.Context, perm permission.Permission) bool

UserHasPermission returns true if the principal contained in the context has the given permission, which is determined by checking if any of the groups, scopes, or claims associated with the principal has that permission.

func (*PrincipalPermissionChecker) UserOwns added in v0.4.52

func (checker *PrincipalPermissionChecker) UserOwns(ctx context.Context, obj Owned) (owned bool, ownershipGroups []string)

UserOwns check if obj is owned by the principal contained in the context, or by a group of which the principal is a member. If obj is owned by a group of which the principal is a member, this method also returns the list of groups that own the object and that the principal is a member of. If obj is owned by the principal in the context, no groups are returned.

TODO Should we always return the groups (even if the principal owns obj directly)?

type StaticPrincipal added in v0.4.52

type StaticPrincipal struct {
	// contains filtered or unexported fields
}

Default implementation of the Principal interface. Here, static refers to the fact that the principal doesn't change once it has been created.

func NewStaticPrincipal added in v0.4.52

func NewStaticPrincipal(name string, authMethod string, groups []string) *StaticPrincipal

func NewStaticPrincipalWithScopesAndClaims added in v0.4.52

func NewStaticPrincipalWithScopesAndClaims(name string, authMethod string, groups []string, scopes []string, claims []string) *StaticPrincipal

func (*StaticPrincipal) GetAuthMethod added in v0.9.4

func (p *StaticPrincipal) GetAuthMethod() string

func (*StaticPrincipal) GetGroupNames added in v0.4.52

func (p *StaticPrincipal) GetGroupNames() []string

func (*StaticPrincipal) GetName added in v0.4.52

func (p *StaticPrincipal) GetName() string

func (*StaticPrincipal) HasClaim added in v0.4.52

func (p *StaticPrincipal) HasClaim(claim string) bool

func (*StaticPrincipal) HasScope added in v0.4.52

func (p *StaticPrincipal) HasScope(scope string) bool

func (*StaticPrincipal) IsInGroup added in v0.4.52

func (p *StaticPrincipal) IsInGroup(group string) bool

type TokenReviewer added in v0.4.52

type TokenReviewer interface {
	ReviewToken(ctx context.Context, clusterUrl string, token string, ca []byte) (*authv1.TokenReview, error)
}

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL