Documentation
Index
- Constants
- Variables
- func CheckUserDomain(ctx context.Context, username string) error
- func ContextWithDischargeID(ctx context.Context, dischargeID string) context.Context
- func ContextWithRequiredDomain(ctx context.Context, domain string) context.Context
- func ContextWithUserCredentials(ctx context.Context, username, password string) context.Context
- func ContextWithUsername(ctx context.Context, username string) context.Context
- func DischargeIDCaveat(dischargeID string) checkers.Caveat
- func DomainDischargeOp(domain string) bakery.Op
- func GlobalOp(action string) bakery.Op
- func GroupsDischargeOp(groups []string) bakery.Op
- func NewChecker(a *Authorizer) *checkers.Checker
- func UserHasPublicKeyCaveat(user params.Username, pk *bakery.PublicKey) checkers.Caveat
- func UserOp(u params.Username, action string) bakery.Op
- type Authorizer
- type Identity
- type Params
Constants

    const (
        AdminUsername     = "admin@candid"
        SSHKeyGetterGroup = "sshkeygetter@candid"
        GroupListGroup    = "grouplist@candid"
    )

    const (
        ActionRead               = "read"
        ActionVerify             = "verify"
        ActionDischargeFor       = "dischargeFor"
        ActionDischarge          = "discharge"
        ActionCreateAgent        = "createAgent"
        ActionReadAdmin          = "readAdmin"
        ActionWriteAdmin         = "writeAdmin"
        ActionReadGroups         = "readGroups"
        ActionWriteGroups        = "writeGroups"
        ActionReadSSHKeys        = "readSSHKeys"
        ActionWriteSSHKeys       = "writeSSHKeys"
        ActionLogin              = "login"
        ActionReadDischargeToken = "read-discharge-token"
    )

The following constants define possible operation actions.
Variables

    var AdminACL = []string{AdminUsername}

TODO(mhilton) make the admin ACL configurable

    var AdminProviderID = store.MakeProviderIdentity("idm", "admin")

    var Namespace = checkers.NewNamespace(map[string]string{
        checkers.StdNamespace:        "",
        httpbakery.CheckersNamespace: "http",
        checkersNamespace:            "",
    })

Namespace contains the checkers.Namespace supported by the identity service.
Functions

func CheckUserDomain

    func CheckUserDomain(ctx context.Context, username string) error

CheckUserDomain checks that the given user name has a valid domain name with respect to the given context (see also ContextWithRequiredDomain).
func ContextWithDischargeID

    func ContextWithDischargeID(ctx context.Context, dischargeID string) context.Context

ContextWithDischargeID returns a context with the given discharge ID stored.
func ContextWithRequiredDomain

    func ContextWithRequiredDomain(ctx context.Context, domain string) context.Context

ContextWithRequiredDomain returns a context associated with the given domain, such that declared identities will only be allowed if they have that domain.
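As an added illustration (not code from the candid package), the following stand-alone Go snippet reproduces the behaviour described for ContextWithRequiredDomain and CheckUserDomain: the required domain travels in the context under an unexported key, and a username is accepted only when it carries exactly that domain. The key type, the handling of a context with no required domain, and the error wording are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// ctxKey is an unexported key type (assumed here) so that no other
// package can collide with, read, or overwrite the stored domain.
type ctxKey int

const requiredDomainKey ctxKey = iota

// ContextWithRequiredDomain records the domain that any identity
// declared under the returned context must belong to.
func ContextWithRequiredDomain(ctx context.Context, domain string) context.Context {
	return context.WithValue(ctx, requiredDomainKey, domain)
}

// CheckUserDomain rejects username unless it ends in "@<required domain>".
// A context that carries no required domain imposes no constraint.
func CheckUserDomain(ctx context.Context, username string) error {
	domain, ok := ctx.Value(requiredDomainKey).(string)
	if !ok || domain == "" {
		return nil
	}
	// Match the full "@domain" suffix, so "bob@notcandid" does not pass
	// a required domain of "candid" and a bare "bob" is rejected too.
	if !strings.HasSuffix(username, "@"+domain) {
		return fmt.Errorf("user %q is not in required domain %q", username, domain)
	}
	return nil
}

func main() {
	// Constructed sample usernames; "admin@candid" is the AdminUsername constant.
	ctx := ContextWithRequiredDomain(context.Background(), "candid")
	for _, u := range []string{"admin@candid", "bob@example.com", "bob@notcandid", "bob"} {
		if err := CheckUserDomain(ctx, u); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("allowed:", u)
		}
	}
}
```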
func ContextWithUserCredentials

    func ContextWithUserCredentials(ctx context.Context, username, password string) context.Context

ContextWithUserCredentials returns a context with the given user credentials attached. These will then be checked when performing authorizations.

func ContextWithUsername

    func ContextWithUsername(ctx context.Context, username string) context.Context

ContextWithUsername returns a context with the given username stored. Any user attached to the context will be considered authenticated by IdentityFromContext.

func DischargeIDCaveat

    func DischargeIDCaveat(dischargeID string) checkers.Caveat

DischargeIDCaveat creates a first-party caveat that ensures that a specific discharge is being performed.
func DomainDischargeOp

    func DomainDischargeOp(domain string) bakery.Op

DomainDischargeOp creates an operation that is discharging the specified domain.

func GroupsDischargeOp

    func GroupsDischargeOp(groups []string) bakery.Op

GroupsDischargeOp creates an operation that is discharging as a user in one of the specified groups.

func NewChecker

    func NewChecker(a *Authorizer) *checkers.Checker

func UserHasPublicKeyCaveat

    func UserHasPublicKeyCaveat(user params.Username, pk *bakery.PublicKey) checkers.Caveat

UserHasPublicKeyCaveat creates a first-party caveat that ensures that the given user is associated with the given public key.
Types

type Authorizer

    type Authorizer struct {
        // contains filtered or unexported fields
    }

An Authorizer is used to authorize operations in the identity server.

func New

    func New(params Params) *Authorizer

New creates a new Authorizer for authorizing identity server operations.
func (*Authorizer) Auth

    func (a *Authorizer) Auth(ctx context.Context, mss []macaroon.Slice, ops ...bakery.Op) (*identchecker.AuthInfo, error)

Auth checks that the client, as identified by the given context and macaroons, is authorized to perform the given operations. It may return a bakery.DischargeRequiredError when further checks are required, or params.ErrUnauthorized if the user is authenticated but does not have the required authorization.
func (*Authorizer) Identity

Identity creates a new identity for the user with the given username; such a user must exist in the store.

func (*Authorizer) SetAdminPublicKey

SetAdminPublicKey configures the public key on the admin user. This is to allow agent login as the admin user.
type Identity

    type Identity struct {
        // contains filtered or unexported fields
    }

An Identity is the implementation of identchecker.Identity used in the identity server.

func (*Identity) Allow

Allow implements identchecker.ACLIdentity.Allow by checking whether the given identity is in any of the required groups or users.
type Params

    type Params struct {
        // AdminPassword is the password of the admin user in the
        // identity server.
        AdminPassword string

        // Location is the URL of the discharger that third-party caveats
        // will be addressed to. This should be the address of this
        // identity server.
        Location string

        // MacaroonVerifier verifies macaroons against the store of
        // macaroon operations and root keys.
        MacaroonVerifier bakery.MacaroonVerifier

        // Store is the identity store.
        Store store.Store

        // IdentityProviders contains the set of identity providers that
        // are configured for the service. The authenticator uses these
        // to get group information for authenticated users.
        IdentityProviders []idp.IdentityProvider
    }

Params specifies the configuration parameters for a new Authorizer.