Documentation ¶
Overview ¶
Package client provides communication with the Aserto services.
There are two groups of services:
1. client/authorizer provides access to the authorizer service and the edge services running alongside it.
2. client/tenant provides access to the Aserto control plane services.
The aserto package provides access to the Aserto authorizer and supporting services.
Authorization requests are performed using an AuthorizerClient. A client can be used on its own to make authorization calls or, more commonly, it can be used to create server middleware.
AuthorizerClient ¶
The AuthorizerClient interface, defined in "github.com/aserto-dev/go-authorizer/aserto/authorizer/v2", describes the operations exposed by the Aserto authorizer service.
Two implementations of AuthorizerClient are available:
1. `authorizer/grpc` provides a client that communicates with the authorizer using gRPC.
2. `authorizer/http` provides a client that communicates with the authorizer over its REST HTTP endpoints.
Middleware ¶
Two middleware implementations are available in subpackages:
1. middleware/grpc provides middleware for gRPC servers.
2. middleware/http provides middleware for HTTP REST servers.
When authorization middleware is configured and attached to a server, it examines incoming requests, extracts authorization parameters such as the caller's identity, calls the Aserto authorizer, and rejects requests whose access is denied.
Other Services ¶
In addition to the authorizer service, go-aserto provides gRPC clients for Aserto's administrative services, allowing users to programmatically manage their Aserto account.
There are two top-level services, each with its own set of sub-services.
1. `client/authorizer` defines a client for services run at the edge and used to serve authorization requests.
2. `client/tenant` defines the control-plane services used to configure authorizers.
Index ¶
- Variables
- func Connect(options *ConnectionOptions) (*grpc.ClientConn, error)
- func NewConnection(opts ...ConnectionOption) (*grpc.ClientConn, error)
- func SetAccountContext(ctx context.Context, accountID string) context.Context
- func SetTenantContext(ctx context.Context, tenantID string) context.Context
- type Config
- type ConnectionOption
- func WithAPIKeyAuth(key string) ConnectionOption
- func WithAccountID(accountID string) ConnectionOption
- func WithAddr(addr string) ConnectionOption
- func WithCACertPath(path string) ConnectionOption
- func WithChainStreamInterceptor(mw ...grpc.StreamClientInterceptor) ConnectionOption
- func WithChainUnaryInterceptor(mw ...grpc.UnaryClientInterceptor) ConnectionOption
- func WithClientCert(certPath, keyPath string) ConnectionOption
- func WithDialOptions(opts ...grpc.DialOption) ConnectionOption
- func WithHeader(key, value string) ConnectionOption
- func WithInsecure(insecure bool) ConnectionOption
- func WithNoTLS(noTLS bool) ConnectionOption
- func WithTenantID(tenantID string) ConnectionOption
- func WithTokenAuth(token string) ConnectionOption
- func WithURL(svcURL *url.URL) ConnectionOption
- type ConnectionOptions
- type TLSConfig
- func (c *TLSConfig) ClientConfig(skipVerify bool) (*tls.Config, error)
- func (c *TLSConfig) ClientCredentials(skipVerify bool) (credentials.TransportCredentials, error)
- func (c *TLSConfig) HasCA() bool
- func (c *TLSConfig) HasCert() bool
- func (c *TLSConfig) ServerConfig() (*tls.Config, error)
- func (c *TLSConfig) ServerCredentials() (credentials.TransportCredentials, error)
Constants ¶
This section is empty.
Variables ¶
var ErrInvalidConfig = errors.New("invalid configuration")
var ErrInvalidOptions = errors.New("invalid connection options")
Functions ¶
func Connect ¶
func Connect(options *ConnectionOptions) (*grpc.ClientConn, error)
Connect creates a gRPC connection with the given options.
func NewConnection ¶
func NewConnection(opts ...ConnectionOption) (*grpc.ClientConn, error)
NewConnection creates a gRPC connection with the given options.
func SetAccountContext ¶ added in v0.33.0
Types ¶
type Config ¶
type Config struct {
	// Address of the service to connect to.
	//
	// Address is typically in the form "hostname:port" but may also be a Unix socket or DNS URI.
	// See https://github.com/grpc/grpc/blob/master/doc/naming.md#name-syntax for more details.
	Address string `json:"address"`

	// A JWT to be used for authentication with the service.
	//
	// Token and APIKey are mutually exclusive.
	Token string `json:"token"`

	// An API key to be used for authentication with the service.
	APIKey string `json:"api_key"`

	// An Aserto tenant ID.
	TenantID string `json:"tenant_id"`

	// An Aserto account ID.
	AccountID string `json:"account_id"`

	// In mTLS connections, ClientCertPath is the path of the client's
	// certificate file.
	ClientCertPath string `json:"client_cert_path"`

	// In mTLS connections, ClientKeyPath is the path of the client's
	// private key file.
	ClientKeyPath string `json:"client_key_path"`

	// In TLS connections, CACertPath is the path of a CA certificate to
	// validate the server's certificate against.
	CACertPath string `json:"ca_cert_path"`

	// In TLS connections, skip verification of the server certificate.
	Insecure bool `json:"insecure"`

	// Disable TLS and use a plaintext connection.
	NoTLS bool `json:"no_tls"`

	// Additional headers to include in requests to the service.
	Headers map[string]string `json:"headers"`

	// Deprecated: no longer used. Timeouts are controlled on a per-call basis
	// by the provided context.
	TimeoutInSeconds int `json:"timeout_in_seconds"`
}
gRPC Client Configuration.
func (*Config) Connect ¶ added in v0.33.0
func (cfg *Config) Connect(opts ...ConnectionOption) (*grpc.ClientConn, error)
Connects to the service specified in Config, possibly with additional connection options.
func (*Config) ToConnectionOptions ¶
func (cfg *Config) ToConnectionOptions() ([]ConnectionOption, error)
Converts the Config into a ConnectionOption slice that can be passed to NewConnection().
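An added example, not part of the go-aserto package: a standard-library check that reads a JSON configuration using the keys of the Config type above and reports settings that weaken or contradict its transport security. The `clientConfig` struct and `AuditConfig` function are hypothetical names introduced for this example, and the sample input is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// clientConfig mirrors JSON keys of the Config type documented above.
// It is a local stand-in for this example, not the library's own type.
type clientConfig struct {
	Token          string `json:"token"`
	APIKey         string `json:"api_key"`
	ClientCertPath string `json:"client_cert_path"`
	ClientKeyPath  string `json:"client_key_path"`
	CACertPath     string `json:"ca_cert_path"`
	Insecure       bool   `json:"insecure"`
	NoTLS          bool   `json:"no_tls"`
}

// AuditConfig (hypothetical helper) returns one finding per risky or
// contradictory setting in a JSON-encoded client configuration.
func AuditConfig(raw []byte) ([]string, error) {
	var c clientConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	var findings []string
	add := func(cond bool, msg string) {
		if cond {
			findings = append(findings, msg)
		}
	}
	hasCreds := c.Token != "" || c.APIKey != ""
	add(c.Token != "" && c.APIKey != "", "token and api_key are mutually exclusive")
	add(c.NoTLS, "no_tls disables transport security")
	add(c.NoTLS && hasCreds, "credentials are configured on a plaintext connection")
	add(c.Insecure, "insecure skips server certificate verification")
	add(c.Insecure && c.CACertPath != "", "ca_cert_path is set but insecure skips verification")
	add((c.ClientCertPath == "") != (c.ClientKeyPath == ""), "mTLS needs both client_cert_path and client_key_path")
	return findings, nil
}

func main() {
	// Constructed sample input, not taken from a real deployment.
	sample := []byte(`{"api_key":"PLACEHOLDER","ca_cert_path":"ca.pem","insecure":true}`)
	findings, err := AuditConfig(sample)
	fmt.Println(findings, err)
}
```

Running a check like this in CI or at service start-up catches a development-time `insecure` or `no_tls` flag before it reaches a production configuration.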
type ConnectionOption ¶
type ConnectionOption func(*ConnectionOptions) error
ConnectionOption functions are used to configure ConnectionOptions instances.
func WithAPIKeyAuth ¶
func WithAPIKeyAuth(key string) ConnectionOption
WithAPIKeyAuth uses an Aserto API key to authenticate with the authorizer service.
func WithAccountID ¶ added in v0.33.0
func WithAccountID(accountID string) ConnectionOption
WithAccountID sets the Aserto account ID.
func WithAddr ¶
func WithAddr(addr string) ConnectionOption
WithAddr overrides the default authorizer server address.
Note: WithAddr and WithURL are mutually exclusive.
func WithCACertPath ¶
func WithCACertPath(path string) ConnectionOption
WithCACertPath treats the specified certificate file as a trusted root CA.
Include it when calling a service that uses a self-issued SSL certificate.
func WithChainStreamInterceptor ¶
func WithChainStreamInterceptor(mw ...grpc.StreamClientInterceptor) ConnectionOption
WithChainStreamInterceptor adds a stream interceptor to grpc dial options.
func WithChainUnaryInterceptor ¶
func WithChainUnaryInterceptor(mw ...grpc.UnaryClientInterceptor) ConnectionOption
WithChainUnaryInterceptor adds a unary interceptor to grpc dial options.
func WithClientCert ¶ added in v0.33.0
func WithClientCert(certPath, keyPath string) ConnectionOption
WithClientCert configures the client certificate for mTLS connections.
func WithDialOptions ¶
func WithDialOptions(opts ...grpc.DialOption) ConnectionOption
WithDialOptions adds custom dial options to the grpc connection.
func WithHeader ¶ added in v0.33.0
func WithHeader(key, value string) ConnectionOption
WithHeader adds a header to the client config instance.
func WithInsecure ¶
func WithInsecure(insecure bool) ConnectionOption
WithInsecure disables TLS verification of the server certificate.
func WithNoTLS ¶ added in v0.33.0
func WithNoTLS(noTLS bool) ConnectionOption
WithNoTLS disables transport security. The connection is established in plaintext.
func WithTenantID ¶
func WithTenantID(tenantID string) ConnectionOption
WithTenantID sets the Aserto tenant ID.
func WithTokenAuth ¶
func WithTokenAuth(token string) ConnectionOption
WithTokenAuth uses an OAuth2.0 token to authenticate with the authorizer service.
func WithURL ¶
func WithURL(svcURL *url.URL) ConnectionOption
WithURL overrides the default authorizer server URL. Unlike WithAddr, WithURL lets gRPC users communicate with a locally running authorizer over Unix sockets. See https://github.com/grpc/grpc/blob/master/doc/naming.md#grpc-name-resolution for more details about gRPC name resolution.
Note: WithURL and WithAddr are mutually exclusive.
type ConnectionOptions ¶
type ConnectionOptions struct {
	Config

	// Credentials used to authenticate with the authorizer service. Either API Key or OAuth Token.
	Creds credentials.PerRPCCredentials

	// UnaryClientInterceptors passed to the grpc client.
	UnaryClientInterceptors []grpc.UnaryClientInterceptor

	// StreamClientInterceptors passed to the grpc client.
	StreamClientInterceptors []grpc.StreamClientInterceptor

	// DialOptions passed to the grpc client.
	DialOptions []grpc.DialOption
}
ConnectionOptions holds settings used to establish a connection to the authorizer service.
func NewConnectionOptions ¶
func NewConnectionOptions(opts ...ConnectionOption) (*ConnectionOptions, error)
NewConnectionOptions creates a ConnectionOptions object from a collection of ConnectionOption functions.
func (*ConnectionOptions) Apply ¶ added in v0.33.0
func (o *ConnectionOptions) Apply(opts ...ConnectionOption) error
Apply additional options.
func (*ConnectionOptions) ToDialOptions ¶ added in v0.33.0
func (o *ConnectionOptions) ToDialOptions() ([]grpc.DialOption, error)
type TLSConfig ¶ added in v0.33.1
type TLSConfig struct {
	Cert string `json:"tls_cert_path"`
	Key  string `json:"tls_key_path"`
	CA   string `json:"tls_ca_cert_path"`
}
TLSConfig contains paths to an X509 certificate's key-pair and CA files. It can be used to create client or server tls.Config or grpc TransportCredentials.
func (*TLSConfig) ClientConfig ¶ added in v0.33.1
ClientConfig returns TLS configuration for a client.
func (*TLSConfig) ClientCredentials ¶ added in v0.33.1
func (c *TLSConfig) ClientCredentials(skipVerify bool) (credentials.TransportCredentials, error)
ClientCredentials returns transport credentials for a GRPC client.
func (*TLSConfig) ServerConfig ¶ added in v0.33.1
ServerConfig returns TLS configuration for a server.
func (*TLSConfig) ServerCredentials ¶ added in v0.33.1
func (c *TLSConfig) ServerCredentials() (credentials.TransportCredentials, error)
ServerCredentials returns transport credentials for a GRPC server.