authorization

package
v0.3.86 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 27, 2023 License: Apache-2.0 Imports: 33 Imported by: 0

Documentation

Index

Constants

View Source
const EveryoneGroup = "everyone"

All users are implicitly part of this group.

View Source
const (
	SIDAuthenticationAuthorityAssertedIdentity = "S-1-18-1"
)

Partly reimplementing github.com/jcmturner/gokrb5/v8/spnego/http.go for GRPC Copying constants as they are private

Variables

This section is empty.

Functions

func CreateMiddlewareAuthFunction

func CreateMiddlewareAuthFunction(authServices []AuthService) grpc_auth.AuthFunc

CreateMiddlewareAuthFunction returns an authentication function that combines the given authentication services. That function returns success if any service successfully authenticates the user, and an error if all services fail to authenticate. The services in authServices are tried one at a time in sequence. Successful authentication short-circuits the process.

If authentication succeeds, the username returned by the authentication service is added to the request context for logging purposes.

func WithPrincipal

func WithPrincipal(ctx context.Context, principal Principal) context.Context

WithPrincipal returns a new context containing a principal that is a child to the given context.

Types

type AnonymousAuthService

type AnonymousAuthService struct{}

func (AnonymousAuthService) Authenticate

func (AnonymousAuthService) Authenticate(ctx context.Context) (Principal, error)

func (*AnonymousAuthService) Name

func (authService *AnonymousAuthService) Name() string

type AuthService

type AuthService interface {
	Authenticate(ctx context.Context) (Principal, error)
	Name() string
}

AuthService represents a method of authentication for the gRPC API. Each implementation represents a particular method, e.g., username/password or OpenID. The gRPC server may be started with multiple AuthService to give several options for authentication.

type BasicAuthService

type BasicAuthService struct {
	// contains filtered or unexported fields
}

func NewBasicAuthService

func NewBasicAuthService(users map[string]configuration.UserInfo) *BasicAuthService

func (*BasicAuthService) Authenticate

func (authService *BasicAuthService) Authenticate(ctx context.Context) (Principal, error)

func (*BasicAuthService) Name

func (authService *BasicAuthService) Name() string

type CacheData

type CacheData struct {
	Name  string `json:"name"`
	Valid bool   `json:"valid"`
}

type KerberosAuthService

type KerberosAuthService struct {
	// contains filtered or unexported fields
}

func (*KerberosAuthService) Authenticate

func (authService *KerberosAuthService) Authenticate(ctx context.Context) (Principal, error)

func (*KerberosAuthService) Name

func (authService *KerberosAuthService) Name() string

type KubernetesNativeAuthService

type KubernetesNativeAuthService struct {
	KidMappingFileLocation string
	TokenCache             *cache.Cache
	InvalidTokenExpiry     int64
	TokenReviewer          TokenReviewer
	Clock                  clock.Clock
}

func (*KubernetesNativeAuthService) Authenticate

func (authService *KubernetesNativeAuthService) Authenticate(ctx context.Context) (Principal, error)

func (*KubernetesNativeAuthService) Name

func (authService *KubernetesNativeAuthService) Name() string

type KubernetesTokenReviewer

type KubernetesTokenReviewer struct{}

func (*KubernetesTokenReviewer) ReviewToken

func (reviewer *KubernetesTokenReviewer) ReviewToken(ctx context.Context, clusterUrl string, token string, ca []byte) (*authv1.TokenReview, error)

type OpenIdAuthService

type OpenIdAuthService struct {
	// contains filtered or unexported fields
}

func NewOpenIdAuthService

func NewOpenIdAuthService(verifier *oidc.IDTokenVerifier, groupsClaim string) *OpenIdAuthService

func (*OpenIdAuthService) Authenticate

func (authService *OpenIdAuthService) Authenticate(ctx context.Context) (Principal, error)

func (*OpenIdAuthService) Name

func (authService *OpenIdAuthService) Name() string

type Owned

type Owned interface {
	GetUserOwners() []string
	GetGroupOwners() []string
}

type PermissionChecker

type PermissionChecker interface {
	UserHasPermission(ctx context.Context, perm permission.Permission) bool
	UserOwns(ctx context.Context, obj Owned) (owned bool, ownershipGroups []string)
}

type PermissionClaimQueries

type PermissionClaimQueries map[permission.Permission]string

type Principal

type Principal interface {
	GetName() string
	GetGroupNames() []string
	IsInGroup(group string) bool
	HasScope(scope string) bool
	HasClaim(claim string) bool
}

Principal represents an entity that can be authenticated (e.g., a user). Each principal has a name associated with it and may be part of one or more groups. Scopes and claims are as defined in OpenId.

func GetPrincipal

func GetPrincipal(ctx context.Context) Principal

GetPrincipal returns the principal (e.g., a user) contained in a context. The principal is assumed to be stored as a ctx.Value. If no principal can be found, a principal representing an anonymous (unauthenticated) user is returned.

type PrincipalPermissionChecker

type PrincipalPermissionChecker struct {
	// contains filtered or unexported fields
}

func NewPrincipalPermissionChecker

func NewPrincipalPermissionChecker(
	permissionGroupMap map[permission.Permission][]string,
	permissionScopeMap map[permission.Permission][]string,
	permissionClaimMap map[permission.Permission][]string,
) *PrincipalPermissionChecker

func (*PrincipalPermissionChecker) UserHasPermission

func (checker *PrincipalPermissionChecker) UserHasPermission(ctx context.Context, perm permission.Permission) bool

UserHasPermission returns true if the principal contained in the context has the given permission, which is determined by checking if any of the groups, scopes, or claims associated with the principal has that permission.

func (*PrincipalPermissionChecker) UserOwns

func (checker *PrincipalPermissionChecker) UserOwns(ctx context.Context, obj Owned) (owned bool, ownershipGroups []string)

UserOwns check if obj is owned by the principal contained in the context, or by a group of which the principal is a member. If obj is owned by a group of which the principal is a member, this method also returns the list of groups that own the object and that the principal is a member of. If obj is owned by the principal in the context, no groups are returned.

TODO Should we always return the groups (even if the principal owns obj directly)?

type SPNEGOService

type SPNEGOService interface {
	AcceptSecContext(gssapi.ContextToken) (bool, context.Context, gssapi.Status)
}

type StaticPrincipal

type StaticPrincipal struct {
	// contains filtered or unexported fields
}

Default implementation of the Principal interface. Here, static refers to the fact that the principal doesn't change once it has been created.

func NewStaticPrincipal

func NewStaticPrincipal(name string, groups []string) *StaticPrincipal

func NewStaticPrincipalWithScopesAndClaims

func NewStaticPrincipalWithScopesAndClaims(name string, groups []string, scopes []string, claims []string) *StaticPrincipal

func (*StaticPrincipal) GetGroupNames

func (p *StaticPrincipal) GetGroupNames() []string

func (*StaticPrincipal) GetName

func (p *StaticPrincipal) GetName() string

func (*StaticPrincipal) HasClaim

func (p *StaticPrincipal) HasClaim(claim string) bool

func (*StaticPrincipal) HasScope

func (p *StaticPrincipal) HasScope(scope string) bool

func (*StaticPrincipal) IsInGroup

func (p *StaticPrincipal) IsInGroup(group string) bool

type TokenReviewer

type TokenReviewer interface {
	ReviewToken(ctx context.Context, clusterUrl string, token string, ca []byte) (*authv1.TokenReview, error)
}

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL