authorization

package
v4.36.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 5, 2022 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// IdentitySubexpNames is a list of valid regex subexp names.
	IdentitySubexpNames = []string{subexpNameUser, subexpNameGroup}
)

Functions

func IsAuthLevelSufficient

func IsAuthLevelSufficient(authenticationLevel authentication.Level, authorizationLevel Level) bool

IsAuthLevelSufficient returns true if the current authenticationLevel is above the authorizationLevel.

func LevelToPolicy added in v4.34.0

func LevelToPolicy(level Level) (policy string)

LevelToPolicy converts a int authorization level to string policy.

Types

type AccessControlDomain

type AccessControlDomain struct {
	Matcher StringSubjectMatcher
}

AccessControlDomain represents an ACL domain.

func NewAccessControlDomain added in v4.35.0

func NewAccessControlDomain(domain string) AccessControlDomain

NewAccessControlDomain creates a new SubjectObjectMatcher that matches the domain as a basic string.

func NewAccessControlDomainRegex added in v4.35.0

func NewAccessControlDomainRegex(pattern regexp.Regexp) AccessControlDomain

NewAccessControlDomainRegex creates a new SubjectObjectMatcher that matches the domain either in a basic way or dynamic User/Group subexpression group way.

func (AccessControlDomain) IsMatch

func (acl AccessControlDomain) IsMatch(subject Subject, object Object) (match bool)

IsMatch returns true if the ACL domain matches the object domain.

type AccessControlDomainMatcher added in v4.36.0

type AccessControlDomainMatcher struct {
	Name          string
	Wildcard      bool
	UserWildcard  bool
	GroupWildcard bool
}

AccessControlDomainMatcher is the basic domain matcher.

func (AccessControlDomainMatcher) IsMatch added in v4.36.0

func (m AccessControlDomainMatcher) IsMatch(domain string, subject Subject) (match bool)

IsMatch returns true if this rule matches.

type AccessControlGroup

type AccessControlGroup struct {
	Name string
}

AccessControlGroup represents an ACL subject of type `group:`.

func (AccessControlGroup) IsMatch

func (acg AccessControlGroup) IsMatch(subject Subject) (match bool)

IsMatch returns true if the AccessControlGroup name matches one of the groups of the Subject.

type AccessControlResource

type AccessControlResource struct {
	Matcher StringSubjectMatcher
}

AccessControlResource represents an ACL resource that matches without named groups.

func NewAccessControlResource added in v4.36.0

func NewAccessControlResource(pattern regexp.Regexp) AccessControlResource

NewAccessControlResource creates a AccessControlResource or AccessControlResourceGroup.

func (AccessControlResource) IsMatch

func (acl AccessControlResource) IsMatch(subject Subject, object Object) (match bool)

IsMatch returns true if the ACL resource match the object path.

type AccessControlRule

type AccessControlRule struct {
	Position  int
	Domains   []AccessControlDomain
	Resources []AccessControlResource
	Methods   []string
	Networks  []*net.IPNet
	Subjects  []AccessControlSubjects
	Policy    Level
}

AccessControlRule controls and represents an ACL internally.

func NewAccessControlRule

func NewAccessControlRule(pos int, rule schema.ACLRule, networksMap map[string][]*net.IPNet, networksCacheMap map[string]*net.IPNet) *AccessControlRule

NewAccessControlRule parses a schema ACL and generates an internal ACL.

func NewAccessControlRules

func NewAccessControlRules(config schema.AccessControlConfiguration) (rules []*AccessControlRule)

NewAccessControlRules converts a schema.AccessControlConfiguration into an AccessControlRule slice.

func (*AccessControlRule) IsMatch

func (acr *AccessControlRule) IsMatch(subject Subject, object Object) (match bool)

IsMatch returns true if all elements of an AccessControlRule match the object and subject.

type AccessControlSubjects

type AccessControlSubjects struct {
	Subjects []SubjectMatcher
}

AccessControlSubjects represents an ACL subject.

func (*AccessControlSubjects) AddSubject

func (acs *AccessControlSubjects) AddSubject(subjectRule string)

AddSubject appends to the AccessControlSubjects based on a subject rule string.

func (AccessControlSubjects) IsMatch

func (acs AccessControlSubjects) IsMatch(subject Subject) (match bool)

IsMatch returns true if the ACL subjects match the subject properties.

type AccessControlUser

type AccessControlUser struct {
	Name string
}

AccessControlUser represents an ACL subject of type `user:`.

func (AccessControlUser) IsMatch

func (acu AccessControlUser) IsMatch(subject Subject) (match bool)

IsMatch returns true if the AccessControlUser name matches the Subject username.

type Authorizer

type Authorizer struct {
	// contains filtered or unexported fields
}

Authorizer the component in charge of checking whether a user can access a given resource.

func NewAuthorizer

func NewAuthorizer(configuration *schema.Configuration) *Authorizer

NewAuthorizer create an instance of authorizer with a given access control configuration.

func (Authorizer) GetRequiredLevel

func (p Authorizer) GetRequiredLevel(subject Subject, object Object) Level

GetRequiredLevel retrieve the required level of authorization to access the object.

func (Authorizer) GetRuleMatchResults added in v4.34.0

func (p Authorizer) GetRuleMatchResults(subject Subject, object Object) (results []RuleMatchResult)

GetRuleMatchResults iterates through the rules and produces a list of RuleMatchResult provided a subject and object.

func (Authorizer) IsSecondFactorEnabled

func (p Authorizer) IsSecondFactorEnabled() bool

IsSecondFactorEnabled return true if at least one policy is set to second factor.

type Level

type Level int

Level is the type representing an authorization level.

const (
	// Bypass bypass level.
	Bypass Level = iota
	// OneFactor one factor level.
	OneFactor Level = iota
	// TwoFactor two factor level.
	TwoFactor Level = iota
	// Denied denied level.
	Denied Level = iota
)

func PolicyToLevel

func PolicyToLevel(policy string) Level

PolicyToLevel converts a string policy to int authorization level.

type Object

type Object struct {
	URL url.URL

	Domain string
	Path   string
	Method string
}

Object represents a protected object for the purposes of ACL matching.

func NewObject

func NewObject(targetURL *url.URL, method string) (object Object)

NewObject creates a new Object type from a URL and a method header.

func NewObjectRaw

func NewObjectRaw(targetURL *url.URL, method []byte) (object Object)

NewObjectRaw creates a new Object type from a URL and a method header.

func (Object) String

func (o Object) String() string

String is a string representation of the Object.

type RegexpGroupStringSubjectMatcher added in v4.36.0

type RegexpGroupStringSubjectMatcher struct {
	Pattern         regexp.Regexp
	SubexpNameUser  int
	SubexpNameGroup int
}

RegexpGroupStringSubjectMatcher matches the input string against the pattern taking into account Subexp groups.

func (RegexpGroupStringSubjectMatcher) IsMatch added in v4.36.0

func (r RegexpGroupStringSubjectMatcher) IsMatch(input string, subject Subject) (match bool)

IsMatch returns true if the underlying pattern matches the input given the subject.

func (RegexpGroupStringSubjectMatcher) String added in v4.36.0

String returns the pattern string.

type RegexpStringSubjectMatcher added in v4.36.0

type RegexpStringSubjectMatcher struct {
	Pattern regexp.Regexp
}

RegexpStringSubjectMatcher just matches the input string against the pattern.

func (RegexpStringSubjectMatcher) IsMatch added in v4.36.0

func (r RegexpStringSubjectMatcher) IsMatch(input string, _ Subject) (match bool)

IsMatch returns true if the underlying pattern matches the input.

func (RegexpStringSubjectMatcher) String added in v4.36.0

String returns the pattern string.

type RuleMatchResult added in v4.34.0

type RuleMatchResult struct {
	Rule *AccessControlRule

	Skipped bool

	MatchDomain        bool
	MatchResources     bool
	MatchMethods       bool
	MatchNetworks      bool
	MatchSubjects      bool
	MatchSubjectsExact bool
}

RuleMatchResult describes how well a rule matched a subject/object combo.

func (RuleMatchResult) IsMatch added in v4.34.0

func (r RuleMatchResult) IsMatch() (match bool)

IsMatch returns true if all the criteria matched.

func (RuleMatchResult) IsPotentialMatch added in v4.34.0

func (r RuleMatchResult) IsPotentialMatch() (match bool)

IsPotentialMatch returns true if the rule is potentially a match.

type StringSubjectMatcher added in v4.36.0

type StringSubjectMatcher interface {
	IsMatch(input string, subject Subject) (match bool)
}

StringSubjectMatcher is a matcher that takes an input string and subject.

type Subject

type Subject struct {
	Username string
	Groups   []string
	IP       net.IP
}

Subject represents the identity of a user for the purposes of ACL matching.

func (Subject) IsAnonymous

func (s Subject) IsAnonymous() bool

IsAnonymous returns true if the Subject username and groups are empty.

func (Subject) String

func (s Subject) String() string

String returns a string representation of the Subject.

type SubjectMatcher added in v4.35.0

type SubjectMatcher interface {
	IsMatch(subject Subject) (match bool)
}

SubjectMatcher is a matcher that takes a subject.

type SubjectObjectMatcher added in v4.35.0

type SubjectObjectMatcher interface {
	IsMatch(subject Subject, object Object) (match bool)
}

SubjectObjectMatcher is a matcher that takes both a subject and an object.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL