Documentation ¶
Overview ¶
Package client provides communication with the Aserto services.
There are two groups of services:
1. client/authorizer provides access to the authorizer service and the edge services running alongside it.
2. client/tenant provides access to the Aserto control plane services.
The aserto package provides access to the Aserto authorizer and supporting services.
Authorization requests are performed using an AuthorizerClient. A client can be used on its own to make authorization calls or, more commonly, it can be used to create server middleware.
AuthorizerClient ¶
The AuthorizerClient interface, defined in "github.com/aserto-dev/go-authorizer/aserto/authorizer/v2", describes the operations exposed by the Aserto authorizer service.
Two implementations of AuthorizerClient are available:
1. `authorizer/grpc` provides a client that communicates with the authorizer using gRPC.
2. `authorizer/http` provides a client that communicates with the authorizer over its REST HTTP endpoints.
Middleware ¶
Two middleware implementations are available in subpackages:
1. middleware/grpc provides middleware for gRPC servers.
2. middleware/http provides middleware for HTTP REST servers.
When authorization middleware is configured and attached to a server, it examines incoming requests, extracts authorization parameters such as the caller's identity, calls the Aserto authorizer, and rejects requests whose access is denied.
Other Services ¶
In addition to the authorizer service, go-aserto provides gRPC clients for Aserto's administrative services, allowing users to programmatically manage their Aserto account.
There are two top-level services, each with its own set of sub-services.
1. `client/authorizer` defines a client for services run at the edge and used to serve authorization requests.
2. `client/tenant` defines the control-plane services used to configure authorizers.
Index ¶
- Variables
- func Connect(options *ConnectionOptions) (*grpc.ClientConn, error)
- func NewConnection(opts ...ConnectionOption) (*grpc.ClientConn, error)
- func SetSessionContext(ctx context.Context, sessionID string) context.Context
- func SetTenantContext(ctx context.Context, tenantID string) context.Context
- type Config
- type ConnectionOption
- func WithAPIKeyAuth(key string) ConnectionOption
- func WithAddr(addr string) ConnectionOption
- func WithCACertPath(path string) ConnectionOption
- func WithChainStreamInterceptor(mw ...grpc.StreamClientInterceptor) ConnectionOption
- func WithChainUnaryInterceptor(mw ...grpc.UnaryClientInterceptor) ConnectionOption
- func WithDialOptions(opts ...grpc.DialOption) ConnectionOption
- func WithInsecure(insecure bool) ConnectionOption
- func WithSessionID(sessionID string) ConnectionOption
- func WithTenantID(tenantID string) ConnectionOption
- func WithTokenAuth(token string) ConnectionOption
- func WithURL(svcURL *url.URL) ConnectionOption
- type ConnectionOptionErrors
- type ConnectionOptions
- type DialOptionsProvider
Constants ¶
This section is empty.
Variables ¶
var ErrInvalidOptions = errors.New("invalid connection options")
Functions ¶
func Connect ¶
func Connect(options *ConnectionOptions) (*grpc.ClientConn, error)
func NewConnection ¶
func NewConnection(opts ...ConnectionOption) (*grpc.ClientConn, error)
NewConnection establishes a gRPC connection.
Options ¶
Options can be specified to configure the connection or override default behavior:
1. WithAddr() - sets the server address and port. Default: "authorizer.prod.aserto.com:8443".
2. WithAPIKeyAuth() - sets an API key for authentication.
3. WithTokenAuth() - sets an OAuth2 token to be used for authentication.
4. WithTenantID() - sets the aserto tenant ID.
5. WithInsecure() - when set to true, skips TLS certificate verification. Default: false.
6. WithCACertPath() - adds the specified PEM certificate file to the connection's list of trusted root CAs.
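What options 5 and 6 mean at the TLS layer, as an added standard-library sketch (not go-aserto's code): trusting one extra CA keeps certificate verification on, while the insecure setting accepts any certificate the peer presents. `tlsConfig` and `tryModes` are hypothetical names, and the server is a constructed local test server with a self-signed certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http/httptest"
)

// tlsConfig is hypothetical: caPEM stands for the WithCACertPath file, insecure for WithInsecure.
func tlsConfig(caPEM []byte, insecure bool) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: insecure}
	if caPEM == nil {
		return cfg, nil // verify against the system roots only
	}
	pool, err := x509.SystemCertPool()
	if err != nil {
		pool = x509.NewCertPool()
	}
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no PEM certificates found")
	}
	cfg.RootCAs = pool // system roots plus the extra CA
	return cfg, nil
}

// tryModes handshakes with a constructed self-signed server once per trust setting.
func tryModes() (defaultErr, withCAErr, insecureErr error) {
	srv := httptest.NewTLSServer(nil)
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	dial := func(ca []byte, insecure bool) error {
		cfg, err := tlsConfig(ca, insecure)
		if err != nil {
			return err
		}
		conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), cfg)
		if err == nil {
			conn.Close()
		}
		return err
	}
	return dial(nil, false), dial(caPEM, false), dial(nil, true)
}

func main() {
	fmt.Println(tryModes())
}
```

The first handshake fails with an unknown-authority error and the other two succeed; only the second one actually authenticated the server.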
Timeout ¶
Connection timeout can be set on the specified context using context.WithTimeout. If no timeout is set on the context, the default connection timeout is 5 seconds. For example, to increase the timeout to 10 seconds:
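// context.WithTimeout returns both a context and a cancel function.
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel() // release the timer once the call returns

client, err := authorizer.New(
	ctx,
	aserto.WithAPIKeyAuth("<API Key>"),
	aserto.WithTenantID("<Tenant ID>"),
)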
func SetSessionContext ¶
Types ¶
type Config ¶
type Config struct {
	Address          string            `json:"address"`
	Token            string            `json:"token"`
	TenantID         string            `json:"tenant_id"`
	APIKey           string            `json:"api_key"`
	ClientCertPath   string            `json:"client_cert_path"`
	ClientKeyPath    string            `json:"client_key_path"`
	CACertPath       string            `json:"ca_cert_path"`
	TimeoutInSeconds int               `json:"timeout_in_seconds"`
	Insecure         bool              `json:"insecure"`
	Headers          map[string]string `json:"headers"`
}
gRPC Client Configuration.
func (*Config) ToConnectionOptions ¶
func (cfg *Config) ToConnectionOptions(dop DialOptionsProvider) ([]ConnectionOption, error)
type ConnectionOption ¶
type ConnectionOption func(*ConnectionOptions) error
ConnectionOption functions are used to configure ConnectionOptions instances.
func WithAPIKeyAuth ¶
func WithAPIKeyAuth(key string) ConnectionOption
WithAPIKeyAuth uses an Aserto API key to authenticate with the authorizer service.
func WithAddr ¶
func WithAddr(addr string) ConnectionOption
WithAddr overrides the default authorizer server address.
Note: WithAddr and WithURL are mutually exclusive.
func WithCACertPath ¶
func WithCACertPath(path string) ConnectionOption
WithCACertPath treats the specified certificate file as a trusted root CA.
Include it when calling an authorizer service that uses a self-issued SSL certificate.
func WithChainStreamInterceptor ¶
func WithChainStreamInterceptor(mw ...grpc.StreamClientInterceptor) ConnectionOption
WithChainStreamInterceptor adds a stream interceptor to grpc dial options.
func WithChainUnaryInterceptor ¶
func WithChainUnaryInterceptor(mw ...grpc.UnaryClientInterceptor) ConnectionOption
WithChainUnaryInterceptor adds a unary interceptor to grpc dial options.
func WithDialOptions ¶
func WithDialOptions(opts ...grpc.DialOption) ConnectionOption
WithDialOptions adds custom dial options to the grpc connection.
func WithInsecure ¶
func WithInsecure(insecure bool) ConnectionOption
WithInsecure disables TLS certificate verification when insecure is true.
func WithSessionID ¶
func WithSessionID(sessionID string) ConnectionOption
WithSessionID sets the Aserto session ID.
func WithTenantID ¶
func WithTenantID(tenantID string) ConnectionOption
WithTenantID sets the Aserto tenant ID.
func WithTokenAuth ¶
func WithTokenAuth(token string) ConnectionOption
WithTokenAuth uses an OAuth2.0 token to authenticate with the authorizer service.
func WithURL ¶
func WithURL(svcURL *url.URL) ConnectionOption
WithURL overrides the default authorizer server URL. Unlike WithAddr, WithURL lets gRPC users communicate with a locally running authorizer over Unix sockets. See https://github.com/grpc/grpc/blob/master/doc/naming.md#grpc-name-resolution for more details about gRPC name resolution.
Note: WithURL and WithAddr are mutually exclusive.
type ConnectionOptionErrors ¶
type ConnectionOptionErrors []error
ConnectionOptionErrors is an error that can encapsulate one or more underlying ErrInvalidOptions errors.
func (ConnectionOptionErrors) Error ¶
func (errs ConnectionOptionErrors) Error() string
type ConnectionOptions ¶
type ConnectionOptions struct {
	// The server's host name and port separated by a colon ("hostname:port").
	//
	// Note: Address and URL are mutually exclusive. Only one of them may be set.
	Address string

	// URL is the service URL.
	//
	// Unlike ConnectionOptions.Address, URL gives gRPC clients the ability to use Unix sockets in addition
	// to DNS names (see https://github.com/grpc/grpc/blob/master/doc/naming.md#name-syntax)
	//
	// Note: Address and URL are mutually exclusive. Only one of them may be set.
	URL *url.URL

	// Path to a CA certificate file to treat as a root CA for TLS verification.
	CACertPath string

	// The tenant ID of your aserto account.
	TenantID string

	// Session ID.
	SessionID string

	// Credentials used to authenticate with the authorizer service. Either API Key or OAuth Token.
	Creds credentials.PerRPCCredentials

	// If true, skip TLS certificate verification.
	Insecure bool

	// UnaryClientInterceptors passed to the grpc client.
	UnaryClientInterceptors []grpc.UnaryClientInterceptor

	// StreamClientInterceptors passed to the grpc client.
	StreamClientInterceptors []grpc.StreamClientInterceptor

	// DialOptions passed to the grpc client.
	DialOptions []grpc.DialOption
}
ConnectionOptions holds settings used to establish a connection to the authorizer service.
func NewConnectionOptions ¶
func NewConnectionOptions(opts ...ConnectionOption) (*ConnectionOptions, error)
NewConnectionOptions creates a ConnectionOptions object from a collection of ConnectionOption functions.
func (*ConnectionOptions) ServerAddress ¶
func (o *ConnectionOptions) ServerAddress() string
type DialOptionsProvider ¶
type DialOptionsProvider func(*Config) ([]grpc.DialOption, error)
func NewDialOptionsProvider ¶
func NewDialOptionsProvider(dialopts ...grpc.DialOption) DialOptionsProvider