candidclient

package
v1.12.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 23, 2024 License: AGPL-3.0 Imports: 15 Imported by: 4

Documentation

Index

Constants

View Source 
const (
	// Production holds the URL of the production jujucharms candid
	// server.
	Production = "https://api.jujucharms.com/identity"

	// Staging holds the URL of the staging jujucharms candid server.
	Staging = "https://api.staging.jujucharms.com/identity"
)

Variables

This section is empty.

Functions

func IdentityCaveats 

func IdentityCaveats(url string) []checkers.Caveat

IdentityCaveats returns a slice containing a third party "is-authenticated-user" caveat addressed to the identity server at the given URL that will authenticate the user with discharged. The user can be determined by calling Client.DeclaredIdentity on the declarations made by the discharge macaroon,

func IdentityUserIDCaveats 

func IdentityUserIDCaveats(url string) []checkers.Caveat

IdentityUserIDCaveats returns a slice containing a third party "is-authenticated-userid" caveat addressed to the identity server at the given URL that will authenticate the user with discharged. The user can be determined by calling Client.DeclaredIdentity on the declarations made by the discharge macaroon,

func LoginMethods 

func LoginMethods(client *http.Client, u *url.URL) (*params.LoginMethods, error)

LoginMethods returns information about the available login methods for the given URL, which is expected to be a URL as passed to a VisitWebPage function during the macaroon bakery discharge process.

func StripDomain 

func StripDomain(candidClient *Client, domain string) identchecker.IdentityClient

StripDomain returns an implementation of identchecker.IdentityClient that strips the given domain name off any user and group names returned from it. It also adds it as an @ suffix when querying for ACL membership for names that don't already contain a domain.

This is useful when an existing user of the identity manager needs to obtain backwardly compatible usernames when an identity manager is changed to add a domain suffix.

func UserDeclaration 

func UserDeclaration(username string) checkers.Caveat

UserDeclaration returns a first party caveat that can be used by an identity manager to declare an identity on a discharge macaroon.

func UserIDDeclaration 

func UserIDDeclaration(id string) checkers.Caveat

UserIDDeclaration returns a first party caveat that can be used by an identity manager to declare an identity on a discharge macaroon.

Types

type Client 

type Client struct {
	// contains filtered or unexported fields
}

Client represents the client of an identity server. It implements the identchecker.IdentityClient interface, so can be used directly to provide authentication for macaroon-based services.

func New 

func New(p NewParams) (*Client, error)

New returns a new client.

func (*Client) CacheEvict 

func (c *Client) CacheEvict(username string)

CacheEvict evicts username from the user info cache.

func (*Client) CacheEvictAll 

func (c *Client) CacheEvictAll()

CacheEvictAll evicts everything from the user info cache.

func (*Client) ClearUserMFACredentials added in v1.11.0 

func (c *Client) ClearUserMFACredentials(ctx context.Context, p *params.ClearUserMFACredentialsRequest) error

ClearUserMFACredentials removes all MFA credentials for a user.

func (*Client) CreateAgent 

func (c *Client) CreateAgent(ctx context.Context, p *params.CreateAgentRequest) (*params.CreateAgentResponse, error)

CreateAgent creates a new agent and returns the newly chosen username for the agent.

func (*Client) DeclaredIdentity 

func (c *Client) DeclaredIdentity(ctx context.Context, declared map[string]string) (identchecker.Identity, error)

DeclaredIdentity implements IdentityClient.DeclaredIdentity. On success, it returns a value that implements Identity as well as identchecker.Identity.

func (*Client) DeleteSSHKeys 

func (c *Client) DeleteSSHKeys(ctx context.Context, p *params.DeleteSSHKeysRequest) error

DeleteSSHKeys removes all of the ssh keys specified from the keys stored for the given user. It is not an error to attempt to remove a key that is not associated with the user.

func (*Client) DischargeTokenForUser 

func (c *Client) DischargeTokenForUser(ctx context.Context, p *params.DischargeTokenForUserRequest) (params.DischargeTokenForUserResponse, error)

DischargeTokenForUser allows an administrator to create a discharge token for the specified user.

func (*Client) GetSSHKeys 

func (c *Client) GetSSHKeys(ctx context.Context, p *params.SSHKeysRequest) (params.SSHKeysResponse, error)

GetSSHKeys returns any SSH keys stored for the given user.

func (*Client) GetUserGroupsWithID 

func (c *Client) GetUserGroupsWithID(ctx context.Context, p *params.GetUserGroupsWithIDRequest) (*params.GroupsResponse, error)

GetUserGroupsWithID returns the groups for a user with the given ID.

func (*Client) GetUserWithID 

func (c *Client) GetUserWithID(ctx context.Context, p *params.GetUserWithIDRequest) (*params.User, error)

GetUserWithID returns the user information for the request user.

func (*Client) IdentityFromContext 

func (c *Client) IdentityFromContext(ctx context.Context) (identchecker.Identity, []checkers.Caveat, error)

IdentityFromContext implements identchecker.IdentityClient.IdentityFromContext by returning caveats created by IdentityCaveats.

func (*Client) ModifyUserGroups 

func (c *Client) ModifyUserGroups(ctx context.Context, p *params.ModifyUserGroupsRequest) error

ModifyUserGroups updates the groups stored for the given user. Groups can be either added or removed in a single query. It is an error to try and both add and remove groups at the same time.

func (*Client) PutSSHKeys 

func (c *Client) PutSSHKeys(ctx context.Context, p *params.PutSSHKeysRequest) error

PutSSHKeys updates the set of SSH keys stored for the given user. If the add parameter is set to true then keys that are already stored will be added to, otherwise they will be replaced.

func (*Client) QueryUsers 

func (c *Client) QueryUsers(ctx context.Context, p *params.QueryUsersRequest) ([]string, error)

QueryUsers filters the user database for users that match the given request. If no filters are requested all usernames will be returned.

func (*Client) SetUserDeprecated 

func (c *Client) SetUserDeprecated(ctx context.Context, p *params.SetUserRequest) error

SetUserDeprecated creates or updates the user with the given username. If the user already exists then any IDPGroups or SSHKeys specified in the request will be ignored. See SetUserGroups, ModifyUserGroups, SetSSHKeys and DeleteSSHKeys if you wish to manipulate these for a user. TODO change this into a create-agent function.

func (*Client) SetUserExtraInfo 

func (c *Client) SetUserExtraInfo(ctx context.Context, p *params.SetUserExtraInfoRequest) error

SetUserExtraInfo updates extra-info for the given user. For each specified extra-info field the stored values will be updated to be the specified value. All other values will remain unchanged.

func (*Client) SetUserExtraInfoItem 

func (c *Client) SetUserExtraInfoItem(ctx context.Context, p *params.SetUserExtraInfoItemRequest) error

SetUserExtraInfoItem updates the stored extra-info item with the given key for the given user.

func (*Client) SetUserGroups 

func (c *Client) SetUserGroups(ctx context.Context, p *params.SetUserGroupsRequest) error

SetUserGroups updates the groups stored for the given user to the given value.

func (*Client) User 

func (c *Client) User(ctx context.Context, p *params.UserRequest) (*params.User, error)

User returns the user information for the request user.

func (*Client) UserExtraInfo 

func (c *Client) UserExtraInfo(ctx context.Context, p *params.UserExtraInfoRequest) (map[string]interface{}, error)

UserExtraInfo returns any stored extra-info for the given user.

func (*Client) UserExtraInfoItem 

func (c *Client) UserExtraInfoItem(ctx context.Context, p *params.UserExtraInfoItemRequest) (interface{}, error)

UserExtraInfoItem returns any stored extra-info item with the given key for the given user.

func (*Client) UserGroups 

func (c *Client) UserGroups(ctx context.Context, p *params.UserGroupsRequest) ([]string, error)

UserGroups returns the list of groups associated with the requested user.

func (*Client) UserIDPGroups 

func (c *Client) UserIDPGroups(ctx context.Context, p *params.UserIDPGroupsRequest) ([]string, error)

UserIDPGroups returns the list of groups associated with the requested user. This is deprected and UserGroups should be used in preference.

func (*Client) UserToken 

func (c *Client) UserToken(ctx context.Context, p *params.UserTokenRequest) (*bakery.Macaroon, error)

UserToken returns a token, in the form of a macaroon, identifying the user. This token can only be generated by an administrator.

func (*Client) VerifyToken 

func (c *Client) VerifyToken(ctx context.Context, p *params.VerifyTokenRequest) (map[string]string, error)

VerifyToken verifies that the given token is a macaroon generated by this service and returns any declared values.

func (*Client) WhoAmI 

func (c *Client) WhoAmI(ctx context.Context, p *params.WhoAmIRequest) (params.WhoAmIResponse, error)

WhoAmI returns details of the authenticated user.

type GroupCache 

type GroupCache struct {
	// contains filtered or unexported fields
}

GroupCache holds a cache of group membership information.

func NewGroupCache 

func NewGroupCache(c *Client, cacheTime time.Duration) *GroupCache

NewGroupCache returns a GroupCache that will cache group membership information.

It will cache results for at most cacheTime.

Note that use of this type should be avoided when possible - in the future it may not be possible to enumerate group membership for a user.

func (*GroupCache) CacheEvict 

func (c *GroupCache) CacheEvict(username string)

CacheEvict evicts username from the cache.

func (*GroupCache) CacheEvictAll 

func (c *GroupCache) CacheEvictAll()

CacheEvictAll evicts everything from the cache.

func (*GroupCache) Groups 

func (gc *GroupCache) Groups(username string) ([]string, error)

Groups returns the set of groups that the user is a member of.

type Identity 

type Identity interface {
	identchecker.ACLIdentity

	// Username returns the user name of the user.
	Username() (string, error)

	// Groups returns all the groups that the user is a member of.
	//
	// Note: use of this method should be avoided if possible, as a user may
	// potentially be in huge numbers of groups.
	Groups() ([]string, error)
}

Identity represents a Candid identity. It includes bakery.ACLIdentity but also includes methods for determining the username and enquiring about groups.

Note that currently the Id method just returns the user name, but client code should not rely on it doing that - eventually it will return an opaque user identifier rather than the user name.

type NewParams 

type NewParams struct {
	// BaseURL holds the URL of the identity manager.
	BaseURL string

	// Client holds the client to use to make requests
	// to the identity manager.
	Client *httpbakery.Client

	// AgentUsername holds the username for group-fetching authorization.
	// If this is empty, no group information will be provided.
	// The agent key is expected to be held inside the Client.
	AgentUsername string

	// CacheTime holds the maximum duration for which
	// group membership information will be cached.
	// If this is zero, group membership information will not be cached.
	CacheTime time.Duration

	// If UseUserID is true then the macaroons will use unique user
	// ID to transfer identity information rather than usernames.
	UseUserID bool
}

NewParams holds the parameters for creating a new client.

type PermChecker 

type PermChecker struct {
	// contains filtered or unexported fields
}

PermChecker provides a way to query ACLs using the identity client.

func NewPermChecker 

func NewPermChecker(c *Client, cacheTime time.Duration) *PermChecker

NewPermChecker returns a permission checker that uses the given identity client to check permissions.

It will cache results for at most cacheTime.

func NewPermCheckerWithCache 

func NewPermCheckerWithCache(cache *GroupCache) *PermChecker

NewPermCheckerWithCache returns a new PermChecker using the given cache for its group queries.

func (*PermChecker) Allow 

func (c *PermChecker) Allow(username string, acl []string) (bool, error)

Allow reports whether the given ACL admits the user with the given name. If the user does not exist and the ACL does not allow username or everyone, it will return (false, nil).

func (*PermChecker) CacheEvict 

func (c *PermChecker) CacheEvict(username string)

CacheEvict evicts username from the cache.

func (*PermChecker) CacheEvictAll 

func (c *PermChecker) CacheEvictAll()

CacheEvictAll evicts everything from the cache.

Source Files

View all Source files

Directories

Path Synopsis
Package redirect implements redirection based login.
 Package redirect implements redirection based login.
Package ussomacaroon provides a client that can authenticate with an identity server by discharging macaroons on an Ubuntu SSO server.
 Package ussomacaroon provides a client that can authenticate with an identity server by discharging macaroons on an Ubuntu SSO server.
Package ussologin defines functionality used for allowing clients to authenticate with the Candid server using USSO OAuth.
 Package ussologin defines functionality used for allowing clients to authenticate with the Candid server using USSO OAuth.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.