Documentation
Index
- func AuthorizeSingleInstanceName(ctx context.Context, authorizer Authorizer, instanceName digest.InstanceName) error
- func NewContextWithAuthenticationMetadata(ctx context.Context, authenticationMetadata *AuthenticationMetadata) context.Context
- type AuthenticationMetadata
- func AuthenticationMetadataFromContext(ctx context.Context) *AuthenticationMetadata
- func MustNewAuthenticationMetadataFromProto(message *auth_pb.AuthenticationMetadata) *AuthenticationMetadata
- func NewAuthenticationMetadataFromProto(message *auth_pb.AuthenticationMetadata) (*AuthenticationMetadata, error)
- func NewAuthenticationMetadataFromRaw(metadataRaw any) (*AuthenticationMetadata, error)
- func (am *AuthenticationMetadata) GetFullProto() *auth_pb.AuthenticationMetadata
- func (am *AuthenticationMetadata) GetPublicProto() (*auth_pb.AuthenticationMetadata, bool)
- func (am *AuthenticationMetadata) GetRaw() map[string]any
- func (am *AuthenticationMetadata) GetTracingAttributes() []attribute.KeyValue
- type Authorizer
- func NewAnyAuthorizer(authorizers []Authorizer) Authorizer
- func NewJMESPathExpressionAuthorizer(expression *jmespath.JMESPath) Authorizer
- func NewRemoteAuthorizer(client grpc.ClientConnInterface, scope *structpb.Value, clock clock.Clock, ...) Authorizer
- func NewStaticAuthorizer(matcher digest.InstanceNameMatcher) Authorizer
- type RemoteAuthorizerCacheKey
- type RemoteRequestHeadersAuthenticatorCacheKey
- type RequestHeadersAuthenticator
- func NewRemoteRequestHeadersAuthenticator(client grpc.ClientConnInterface, scope *structpb.Value, clock clock.Clock, ...) RequestHeadersAuthenticator
Constants
This section is empty.
Variables
This section is empty.
Functions
func AuthorizeSingleInstanceName
func AuthorizeSingleInstanceName(ctx context.Context, authorizer Authorizer, instanceName digest.InstanceName) error
AuthorizeSingleInstanceName is a convenience function to authorize a single instance name with an Authorizer.
func NewContextWithAuthenticationMetadata
func NewContextWithAuthenticationMetadata(ctx context.Context, authenticationMetadata *AuthenticationMetadata) context.Context
NewContextWithAuthenticationMetadata creates a new Context object that has AuthenticationMetadata attached to it.
Types
type AuthenticationMetadata
type AuthenticationMetadata struct {
// contains filtered or unexported fields
}
AuthenticationMetadata contains information on the authentication user that is performing the current operation.
func AuthenticationMetadataFromContext
func AuthenticationMetadataFromContext(ctx context.Context) *AuthenticationMetadata
AuthenticationMetadataFromContext returns the AuthenticationMetadata that was previously attached to the Context object.
If the Context object contains no metadata, a default instance corresponding to empty metadata is returned rather than nil.
func MustNewAuthenticationMetadataFromProto
func MustNewAuthenticationMetadataFromProto(message *auth_pb.AuthenticationMetadata) *AuthenticationMetadata
MustNewAuthenticationMetadataFromProto is identical to NewAuthenticationMetadataFromProto(), except that it panics upon failure. This method is provided for testing.
func NewAuthenticationMetadataFromProto
func NewAuthenticationMetadataFromProto(message *auth_pb.AuthenticationMetadata) (*AuthenticationMetadata, error)
NewAuthenticationMetadataFromProto creates a new AuthenticationMetadata object that contains the data obtained by the gRPC Authenticator.
func NewAuthenticationMetadataFromRaw
func NewAuthenticationMetadataFromRaw(metadataRaw any) (*AuthenticationMetadata, error)
NewAuthenticationMetadataFromRaw is identical to NewAuthenticationMetadataFromProto, except that it takes the metadata as a JSON-like value (i.e., a map[string]any).
func (*AuthenticationMetadata) GetFullProto
func (am *AuthenticationMetadata) GetFullProto() *auth_pb.AuthenticationMetadata
GetFullProto returns the AuthenticationMetadata in Protobuf form.
func (*AuthenticationMetadata) GetPublicProto
func (am *AuthenticationMetadata) GetPublicProto() (*auth_pb.AuthenticationMetadata, bool)
GetPublicProto returns the AuthenticationMetadata in Protobuf form, only containing the values that are safe to display as part of logs.
This method also returns a boolean value that indicates whether the resulting message contains any data to display. When false, it may be desirable to suppress displaying it.
func (*AuthenticationMetadata) GetRaw
func (am *AuthenticationMetadata) GetRaw() map[string]any
GetRaw returns the original JSON-like value that was used to construct the AuthenticationMetadata.
func (*AuthenticationMetadata) GetTracingAttributes
func (am *AuthenticationMetadata) GetTracingAttributes() []attribute.KeyValue
GetTracingAttributes returns OpenTelemetry tracing attributes that can be added to spans.
type Authorizer
type Authorizer interface {
	// Authorize returns a slice of errors, in the same order as the
	// passed instance names.
	//
	// For each error, a nil value indicates that an instance name was
	// authorized.
	// A non-nil value indicates that the instance name was not authorized,
	// or that an error occurred when authorizing.
	//
	// Note that this function may block, and should not be called while
	// locks are held which may be contended.
	Authorize(ctx context.Context, instanceNames []digest.InstanceName) []error
}
Authorizer authorizes the requesting user to perform scoped actions against particular instance names.
func NewAnyAuthorizer
func NewAnyAuthorizer(authorizers []Authorizer) Authorizer
NewAnyAuthorizer creates an Authorizer that forwards calls to a series of backends, permitting access to a given instance name if one or more backends do so as well.
func NewJMESPathExpressionAuthorizer
func NewJMESPathExpressionAuthorizer(expression *jmespath.JMESPath) Authorizer
NewJMESPathExpressionAuthorizer creates an Authorizer that evaluates a JMESPath expression to make an authorization decision. The JMESPath expression is evaluated against a JSON object that includes both the REv2 instance name and the authentication metadata.
func NewRemoteAuthorizer
func NewRemoteAuthorizer(
	client grpc.ClientConnInterface,
	scope *structpb.Value,
	clock clock.Clock,
	evictionSet eviction.Set[RemoteAuthorizerCacheKey],
	maximumCacheSize int,
) Authorizer
NewRemoteAuthorizer creates a new Authorizer which asks a remote gRPC service for an authorization decision. The result from the remote service is cached.
func NewStaticAuthorizer
func NewStaticAuthorizer(matcher digest.InstanceNameMatcher) Authorizer
NewStaticAuthorizer creates a new Authorizer which allows all requests to matching instance names, ignoring context.
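The following is an added illustration, not code from bb-storage's auth package: a self-contained reimplementation of the contracts documented above, so the behaviour of AuthorizeSingleInstanceName, NewContextWithAuthenticationMetadata/AuthenticationMetadataFromContext, the Authorizer interface, NewAnyAuthorizer and NewStaticAuthorizer can be run and inspected without the real dependencies. Assumptions made here: InstanceName is a plain string standing in for digest.InstanceName; AuthenticationMetadata carries only a User field; allowedUsersAuthorizer stands in for an authorizer that evaluates an expression over the authentication metadata; NewExampleAuthorizer and the sample names are constructed for the demonstration; an "any" authorizer with zero backends denies everything, which is this example's choice rather than something the page states.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// InstanceName is a string stand-in for digest.InstanceName (assumption).
type InstanceName string

// AuthenticationMetadata stands in for the package's type; only a user name is modelled (assumption).
type AuthenticationMetadata struct{ User string }

type metadataKey struct{}

// NewContextWithAuthenticationMetadata attaches metadata to a Context.
func NewContextWithAuthenticationMetadata(ctx context.Context, am *AuthenticationMetadata) context.Context {
	return context.WithValue(ctx, metadataKey{}, am)
}

// AuthenticationMetadataFromContext returns the attached metadata, or an empty default when nothing was attached.
func AuthenticationMetadataFromContext(ctx context.Context) *AuthenticationMetadata {
	if am, ok := ctx.Value(metadataKey{}).(*AuthenticationMetadata); ok && am != nil {
		return am
	}
	return &AuthenticationMetadata{}
}

var ErrUnauthorized = errors.New("unauthorized")

// Authorizer follows the documented contract: one error per instance name, in the same order; nil means authorized.
type Authorizer interface {
	Authorize(ctx context.Context, instanceNames []InstanceName) []error
}

// staticAuthorizer permits names accepted by matcher and ignores the Context.
type staticAuthorizer struct{ matcher func(InstanceName) bool }

func (a staticAuthorizer) Authorize(_ context.Context, names []InstanceName) []error {
	errs := make([]error, len(names))
	for i, n := range names {
		if !a.matcher(n) {
			errs[i] = fmt.Errorf("instance name %q: %w", n, ErrUnauthorized)
		}
	}
	return errs
}

// allowedUsersAuthorizer permits every name when the Context's metadata names an allowed user (stand-in for a metadata expression).
type allowedUsersAuthorizer struct{ users map[string]bool }

func (a allowedUsersAuthorizer) Authorize(ctx context.Context, names []InstanceName) []error {
	errs := make([]error, len(names))
	if a.users[AuthenticationMetadataFromContext(ctx).User] {
		return errs // all nil: every name authorized
	}
	for i, n := range names {
		errs[i] = fmt.Errorf("instance name %q: user not allowed: %w", n, ErrUnauthorized)
	}
	return errs
}

// anyAuthorizer permits a name if at least one backend permits it; with no backends every name stays denied (fail closed, this example's choice).
type anyAuthorizer struct{ backends []Authorizer }

func NewAnyAuthorizer(backends []Authorizer) Authorizer { return anyAuthorizer{backends} }

func (a anyAuthorizer) Authorize(ctx context.Context, names []InstanceName) []error {
	errs := make([]error, len(names))
	for i, n := range names {
		errs[i] = fmt.Errorf("instance name %q: no backend permitted access: %w", n, ErrUnauthorized)
	}
	for _, b := range a.backends {
		for i, err := range b.Authorize(ctx, names) {
			if err == nil {
				errs[i] = nil
			}
		}
	}
	return errs
}

// AuthorizeSingleInstanceName is the single-name convenience wrapper.
func AuthorizeSingleInstanceName(ctx context.Context, authorizer Authorizer, name InstanceName) error {
	return authorizer.Authorize(ctx, []InstanceName{name})[0]
}

// NewExampleAuthorizer: public/ names for everyone, everything for "alice" (constructed sample policy).
func NewExampleAuthorizer() Authorizer {
	return NewAnyAuthorizer([]Authorizer{
		staticAuthorizer{func(n InstanceName) bool { return strings.HasPrefix(string(n), "public/") }},
		allowedUsersAuthorizer{map[string]bool{"alice": true}},
	})
}

func main() {
	names := []InstanceName{"public/cache", "private/ci"} // constructed sample names
	fmt.Println(NewExampleAuthorizer().Authorize(context.Background(), names))
}
```

Two points worth noticing when wiring real backends the same way: because the metadata lookup returns an empty default instead of failing, any backend that keys on metadata must treat the empty identity as anonymous and deny by default, as allowedUsersAuthorizer does; and because the "any" combinator only ever widens access, each backend it wraps should be as narrow as its own policy allows.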
type RemoteAuthorizerCacheKey
RemoteAuthorizerCacheKey is the key type for the cache inside remoteAuthorizer.
type RemoteRequestHeadersAuthenticatorCacheKey
RemoteRequestHeadersAuthenticatorCacheKey is the key type for the cache inside remoteRequestHeadersAuthenticator.
type RequestHeadersAuthenticator
type RequestHeadersAuthenticator interface {
	Authenticate(ctx context.Context, headers map[string][]string) (*AuthenticationMetadata, error)
}
RequestHeadersAuthenticator can be used to grant or deny access to a server based on request headers, typically from an HTTP or gRPC request.
func NewRemoteRequestHeadersAuthenticator
func NewRemoteRequestHeadersAuthenticator(
	client grpc.ClientConnInterface,
	scope *structpb.Value,
	clock clock.Clock,
	evictionSet eviction.Set[RemoteRequestHeadersAuthenticatorCacheKey],
	maximumCacheSize int,
) RequestHeadersAuthenticator
NewRemoteRequestHeadersAuthenticator creates a new RequestHeadersAuthenticator for incoming requests that forwards headers to a remote service for authentication. The result from the remote service is cached.