candidclient

package
v1.12.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 7, 2022 License: AGPL-3.0 Imports: 15 Imported by: 4

Documentation

Index

Constants

View Source
const (
	// Production holds the URL of the production jujucharms candid
	// server.
	Production = "https://api.jujucharms.com/identity"

	// Staging holds the URL of the staging jujucharms candid server.
	Staging = "https://api.staging.jujucharms.com/identity"
)

Variables

This section is empty.

Functions

func IdentityCaveats

func IdentityCaveats(url string) []checkers.Caveat

IdentityCaveats returns a slice containing a third party "is-authenticated-user" caveat addressed to the identity server at the given URL that will authenticate the user with discharged. The user can be determined by calling Client.DeclaredIdentity on the declarations made by the discharge macaroon,

func IdentityUserIDCaveats

func IdentityUserIDCaveats(url string) []checkers.Caveat

IdentityUserIDCaveats returns a slice containing a third party "is-authenticated-userid" caveat addressed to the identity server at the given URL that will authenticate the user with discharged. The user can be determined by calling Client.DeclaredIdentity on the declarations made by the discharge macaroon,

func LoginMethods

func LoginMethods(client *http.Client, u *url.URL) (*params.LoginMethods, error)

LoginMethods returns information about the available login methods for the given URL, which is expected to be a URL as passed to a VisitWebPage function during the macaroon bakery discharge process.

func StripDomain

func StripDomain(candidClient *Client, domain string) identchecker.IdentityClient

StripDomain returns an implementation of identchecker.IdentityClient that strips the given domain name off any user and group names returned from it. It also adds it as an @ suffix when querying for ACL membership for names that don't already contain a domain.

This is useful when an existing user of the identity manager needs to obtain backwardly compatible usernames when an identity manager is changed to add a domain suffix.

func UserDeclaration

func UserDeclaration(username string) checkers.Caveat

UserDeclaration returns a first party caveat that can be used by an identity manager to declare an identity on a discharge macaroon.

func UserIDDeclaration

func UserIDDeclaration(id string) checkers.Caveat

UserIDDeclaration returns a first party caveat that can be used by an identity manager to declare an identity on a discharge macaroon.

Types

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client represents the client of an identity server. It implements the identchecker.IdentityClient interface, so can be used directly to provide authentication for macaroon-based services.

func New

func New(p NewParams) (*Client, error)

New returns a new client.

func (*Client) CacheEvict

func (c *Client) CacheEvict(username string)

CacheEvict evicts username from the user info cache.

func (*Client) CacheEvictAll

func (c *Client) CacheEvictAll()

CacheEvictAll evicts everything from the user info cache.

func (*Client) ClearUserMFACredentials added in v1.11.0

func (c *Client) ClearUserMFACredentials(ctx context.Context, p *params.ClearUserMFACredentialsRequest) error

ClearUserMFACredentials removes all MFA credentials for a user.

func (*Client) CreateAgent

func (c *Client) CreateAgent(ctx context.Context, p *params.CreateAgentRequest) (*params.CreateAgentResponse, error)

CreateAgent creates a new agent and returns the newly chosen username for the agent.

func (*Client) DeclaredIdentity

func (c *Client) DeclaredIdentity(ctx context.Context, declared map[string]string) (identchecker.Identity, error)

DeclaredIdentity implements IdentityClient.DeclaredIdentity. On success, it returns a value that implements Identity as well as identchecker.Identity.

func (*Client) DeleteSSHKeys

func (c *Client) DeleteSSHKeys(ctx context.Context, p *params.DeleteSSHKeysRequest) error

DeleteSSHKeys removes all of the ssh keys specified from the keys stored for the given user. It is not an error to attempt to remove a key that is not associated with the user.

func (*Client) DischargeTokenForUser

func (c *Client) DischargeTokenForUser(ctx context.Context, p *params.DischargeTokenForUserRequest) (params.DischargeTokenForUserResponse, error)

DischargeTokenForUser allows an administrator to create a discharge token for the specified user.

func (*Client) GetSSHKeys

func (c *Client) GetSSHKeys(ctx context.Context, p *params.SSHKeysRequest) (params.SSHKeysResponse, error)

GetSSHKeys returns any SSH keys stored for the given user.

func (*Client) GetUserGroupsWithID

func (c *Client) GetUserGroupsWithID(ctx context.Context, p *params.GetUserGroupsWithIDRequest) (*params.GroupsResponse, error)

GetUserGroupsWithID returns the groups for a user with the given ID.

func (*Client) GetUserWithID

func (c *Client) GetUserWithID(ctx context.Context, p *params.GetUserWithIDRequest) (*params.User, error)

GetUserWithID returns the user information for the request user.

func (*Client) IdentityFromContext

func (c *Client) IdentityFromContext(ctx context.Context) (identchecker.Identity, []checkers.Caveat, error)

IdentityFromContext implements identchecker.IdentityClient.IdentityFromContext by returning caveats created by IdentityCaveats.

func (*Client) ModifyUserGroups

func (c *Client) ModifyUserGroups(ctx context.Context, p *params.ModifyUserGroupsRequest) error

ModifyUserGroups updates the groups stored for the given user. Groups can be either added or removed in a single query. It is an error to try and both add and remove groups at the same time.

func (*Client) PutSSHKeys

func (c *Client) PutSSHKeys(ctx context.Context, p *params.PutSSHKeysRequest) error

PutSSHKeys updates the set of SSH keys stored for the given user. If the add parameter is set to true then keys that are already stored will be added to, otherwise they will be replaced.

func (*Client) QueryUsers

func (c *Client) QueryUsers(ctx context.Context, p *params.QueryUsersRequest) ([]string, error)

QueryUsers filters the user database for users that match the given request. If no filters are requested all usernames will be returned.

func (*Client) SetUserDeprecated

func (c *Client) SetUserDeprecated(ctx context.Context, p *params.SetUserRequest) error

SetUserDeprecated creates or updates the user with the given username. If the user already exists then any IDPGroups or SSHKeys specified in the request will be ignored. See SetUserGroups, ModifyUserGroups, SetSSHKeys and DeleteSSHKeys if you wish to manipulate these for a user. TODO change this into a create-agent function.

func (*Client) SetUserExtraInfo

func (c *Client) SetUserExtraInfo(ctx context.Context, p *params.SetUserExtraInfoRequest) error

SetUserExtraInfo updates extra-info for the given user. For each specified extra-info field the stored values will be updated to be the specified value. All other values will remain unchanged.

func (*Client) SetUserExtraInfoItem

func (c *Client) SetUserExtraInfoItem(ctx context.Context, p *params.SetUserExtraInfoItemRequest) error

SetUserExtraInfoItem updates the stored extra-info item with the given key for the given user.

func (*Client) SetUserGroups

func (c *Client) SetUserGroups(ctx context.Context, p *params.SetUserGroupsRequest) error

SetUserGroups updates the groups stored for the given user to the given value.

func (*Client) User

func (c *Client) User(ctx context.Context, p *params.UserRequest) (*params.User, error)

User returns the user information for the request user.

func (*Client) UserExtraInfo

func (c *Client) UserExtraInfo(ctx context.Context, p *params.UserExtraInfoRequest) (map[string]interface{}, error)

UserExtraInfo returns any stored extra-info for the given user.

func (*Client) UserExtraInfoItem

func (c *Client) UserExtraInfoItem(ctx context.Context, p *params.UserExtraInfoItemRequest) (interface{}, error)

UserExtraInfoItem returns any stored extra-info item with the given key for the given user.

func (*Client) UserGroups

func (c *Client) UserGroups(ctx context.Context, p *params.UserGroupsRequest) ([]string, error)

UserGroups returns the list of groups associated with the requested user.

func (*Client) UserIDPGroups

func (c *Client) UserIDPGroups(ctx context.Context, p *params.UserIDPGroupsRequest) ([]string, error)

UserIDPGroups returns the list of groups associated with the requested user. This is deprected and UserGroups should be used in preference.

func (*Client) UserToken

func (c *Client) UserToken(ctx context.Context, p *params.UserTokenRequest) (*bakery.Macaroon, error)

UserToken returns a token, in the form of a macaroon, identifying the user. This token can only be generated by an administrator.

func (*Client) VerifyToken

func (c *Client) VerifyToken(ctx context.Context, p *params.VerifyTokenRequest) (map[string]string, error)

VerifyToken verifies that the given token is a macaroon generated by this service and returns any declared values.

func (*Client) WhoAmI

func (c *Client) WhoAmI(ctx context.Context, p *params.WhoAmIRequest) (params.WhoAmIResponse, error)

WhoAmI returns details of the authenticated user.

type GroupCache

type GroupCache struct {
	// contains filtered or unexported fields
}

GroupCache holds a cache of group membership information.

func NewGroupCache

func NewGroupCache(c *Client, cacheTime time.Duration) *GroupCache

NewGroupCache returns a GroupCache that will cache group membership information.

It will cache results for at most cacheTime.

Note that use of this type should be avoided when possible - in the future it may not be possible to enumerate group membership for a user.

func (*GroupCache) CacheEvict

func (c *GroupCache) CacheEvict(username string)

CacheEvict evicts username from the cache.

func (*GroupCache) CacheEvictAll

func (c *GroupCache) CacheEvictAll()

CacheEvictAll evicts everything from the cache.

func (*GroupCache) Groups

func (gc *GroupCache) Groups(username string) ([]string, error)

Groups returns the set of groups that the user is a member of.

type Identity

type Identity interface {
	identchecker.ACLIdentity

	// Username returns the user name of the user.
	Username() (string, error)

	// Groups returns all the groups that the user is a member of.
	//
	// Note: use of this method should be avoided if possible, as a user may
	// potentially be in huge numbers of groups.
	Groups() ([]string, error)
}

Identity represents a Candid identity. It includes bakery.ACLIdentity but also includes methods for determining the username and enquiring about groups.

Note that currently the Id method just returns the user name, but client code should not rely on it doing that - eventually it will return an opaque user identifier rather than the user name.

type NewParams

type NewParams struct {
	// BaseURL holds the URL of the identity manager.
	BaseURL string

	// Client holds the client to use to make requests
	// to the identity manager.
	Client *httpbakery.Client

	// AgentUsername holds the username for group-fetching authorization.
	// If this is empty, no group information will be provided.
	// The agent key is expected to be held inside the Client.
	AgentUsername string

	// CacheTime holds the maximum duration for which
	// group membership information will be cached.
	// If this is zero, group membership information will not be cached.
	CacheTime time.Duration

	// If UseUserID is true then the macaroons will use unique user
	// ID to transfer identity information rather than usernames.
	UseUserID bool
}

NewParams holds the parameters for creating a new client.

type PermChecker

type PermChecker struct {
	// contains filtered or unexported fields
}

PermChecker provides a way to query ACLs using the identity client.

func NewPermChecker

func NewPermChecker(c *Client, cacheTime time.Duration) *PermChecker

NewPermChecker returns a permission checker that uses the given identity client to check permissions.

It will cache results for at most cacheTime.

func NewPermCheckerWithCache

func NewPermCheckerWithCache(cache *GroupCache) *PermChecker

NewPermCheckerWithCache returns a new PermChecker using the given cache for its group queries.

func (*PermChecker) Allow

func (c *PermChecker) Allow(username string, acl []string) (bool, error)

Allow reports whether the given ACL admits the user with the given name. If the user does not exist and the ACL does not allow username or everyone, it will return (false, nil).

func (*PermChecker) CacheEvict

func (c *PermChecker) CacheEvict(username string)

CacheEvict evicts username from the cache.

func (*PermChecker) CacheEvictAll

func (c *PermChecker) CacheEvictAll()

CacheEvictAll evicts everything from the cache.

Directories

Path Synopsis
Package redirect implements redirection based login.
Package redirect implements redirection based login.
Package ussomacaroon provides a client that can authenticate with an identity server by discharging macaroons on an Ubuntu SSO server.
Package ussomacaroon provides a client that can authenticate with an identity server by discharging macaroons on an Ubuntu SSO server.
Package ussologin defines functionality used for allowing clients to authenticate with the Candid server using USSO OAuth.
Package ussologin defines functionality used for allowing clients to authenticate with the Candid server using USSO OAuth.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL