Documentation ¶
Overview ¶
Package cbauthimpl contains internal implementation details of cbauth. Its APIs are subject to change without notice.
Index ¶
- Constants
- Variables
- func GetClientCertAuthType(s *Svc) (tls.ClientAuthType, error)
- func GetClusterUuid(s *Svc) (string, error)
- func GetCreds(s *Svc, host string, port int) (memcachedUser, user, pwd string, err error)
- func GetNodeUuid(s *Svc) (string, error)
- func GetUserBuckets(s *Svc, user, domain string) ([]string, error)
- func GetUserUuid(s *Svc, user, domain string) (string, error)
- func IsAuthTokenPresent(Hdr httpreq.HttpHeader) bool
- func RegisterConfigRefreshCallback(s *Svc, cb ConfigRefreshCallback) error
- func RegisterTLSRefreshCallback(s *Svc, callback TLSRefreshCallback) error
- func ResetSvc(s *Svc, staleErr error)
- func SetExpectedClusterUuid(s *Svc, clusterUUID string) error
- func SetTransport(s *Svc, rt http.RoundTripper)
- type Cache
- type CacheConfig
- type CacheExt
- type CacheParams
- type CacheStats
- type CachesStats
- type ClusterEncryptionConfig
- type ConfigRefreshCallback
- type CredsImpl
- func MaybeGetCredsFromCert(s *Svc, tlsState *tls.ConnectionState) (*CredsImpl, error)
- func VerifyOnBehalf(s *Svc, user, password, onBehalfUser, onBehalfDomain string) (*CredsImpl, error)
- func VerifyOnServer(s *Svc, reqHeaders httpreq.HttpHeader) (*CredsImpl, error)
- func VerifyPassword(s *Svc, user, password string) (*CredsImpl, error)
- type GuardrailStatus
- type Node
- type ReqCache
- type ReqParams
- type Svc
- func (s *Svc) GetStats(Void, outparam *CachesStats) error
- func (s *Svc) Heartbeat(Void, outparam *Void) error
- func (s *Svc) SetConnectInfo(hostport, user, password string, heartbeatInterval, heartbeatWait int)
- func (s *Svc) UpdateDB(c *Cache, outparam *bool) error
- func (s *Svc) UpdateDBExt(c *CacheExt, outparam *bool) error
- type TLSConfig
- type TLSRefreshCallback
- type Void
- Bugs
Constants ¶
const (
	CFG_CHANGE_CERTS_TLSCONFIG uint64 = 1 << iota
	CFG_CHANGE_CLUSTER_ENCRYPTION
	CFG_CHANGE_CLIENT_CERTS_TLSCONFIG
	CFG_CHANGE_GUARDRAIL_STATUSES
)
Variables ¶
var ErrCallbackAlreadyRegistered = errors.New("Certificate refresh callback is already registered")
ErrCallbackAlreadyRegistered is used to signal that a certificate refresh callback is already registered.
var ErrNoAuth = errors.New("Authentication failure")
ErrNoAuth is the error returned when the user credentials are not recognized.
var ErrNoUuid = errors.New("No UUID for user")
ErrNoUuid is the error returned when the UUID for the user is empty.
var ErrUserNotFound = errors.New("Username not found")
ErrUserNotFound is used to signal that the username can't be extracted from the client certificate.
Functions ¶
func GetClientCertAuthType ¶
func GetClientCertAuthType(s *Svc) (tls.ClientAuthType, error)
GetClientCertAuthType returns the TLS client certificate auth type (tls.ClientAuthType).
func GetClusterUuid ¶ added in v0.1.11
func GetClusterUuid(s *Svc) (string, error)
GetClusterUuid returns the UUID of the cluster that cbauth is currently connecting to.
func GetCreds ¶
GetCreds returns the service password for the given host and port, together with the memcached admin name and the HTTP special user. It returns "", "", "", nil if host/port does not represent a known service.
func GetNodeUuid ¶ added in v0.1.11
func GetNodeUuid(s *Svc) (string, error)
GetNodeUuid returns the UUID of the node that cbauth is currently connecting to.
func GetUserBuckets ¶ added in v0.1.2
func GetUserBuckets(s *Svc, user, domain string) ([]string, error)
func IsAuthTokenPresent ¶
func IsAuthTokenPresent(Hdr httpreq.HttpHeader) bool
IsAuthTokenPresent returns true iff ns_server's UI token header ("ns-server-ui") is set to "yes". The UI uses that header to indicate that the request is using so-called token auth.
func RegisterConfigRefreshCallback ¶
func RegisterConfigRefreshCallback(s *Svc, cb ConfigRefreshCallback) error
RegisterConfigRefreshCallback registers a callback that is invoked when the SSL certs or the TLS config are refreshed.
func RegisterTLSRefreshCallback ¶
func RegisterTLSRefreshCallback(s *Svc, callback TLSRefreshCallback) error
RegisterTLSRefreshCallback registers a callback that is invoked when the TLS config is refreshed.
func SetExpectedClusterUuid ¶ added in v0.1.11
func SetExpectedClusterUuid(s *Svc, clusterUUID string) error
SetExpectedClusterUuid sets the expected UUID of the cluster we are connecting to.
func SetTransport ¶
func SetTransport(s *Svc, rt http.RoundTripper)
SetTransport changes the http.RoundTripper used by Svc.
Types ¶
type Cache ¶
type Cache struct {
	Nodes                   []Node
	AuthCheckURL            string `json:"authCheckUrl"`
	PermissionCheckURL      string `json:"permissionCheckUrl"`
	UuidCheckURL            string
	UserBucketsURL          string
	SpecialUser             string   `json:"specialUser"`
	SpecialPasswords        []string `json:"specialPasswords"`
	PermissionsVersion      string
	UserVersion             string
	AuthVersion             string
	CertVersion             int
	ClientCertVersion       int
	ExtractUserFromCertURL  string `json:"extractUserFromCertURL"`
	ClientCertAuthState     string `json:"clientCertAuthState"`
	ClientCertAuthVersion   string `json:"clientCertAuthVersion"`
	ClusterEncryptionConfig ClusterEncryptionConfig `json:"clusterEncryptionConfig"`
	TLSConfig               tlsConfigImport         `json:"tlsConfig"`
	CacheConfig             CacheConfig             `json:"cacheConfig"`
	GuardrailStatuses       []GuardrailStatus       `json:"guardrailStatuses"`
}
Cache is the structure into which the revrpc JSON is unmarshalled.
type CacheConfig ¶ added in v0.1.11
type CacheExt ¶ added in v0.1.11
type CacheExt struct {
	AuthCheckEndpoint           string
	AuthVersion                 string
	PermissionCheckEndpoint     string
	PermissionsVersion          string
	ExtractUserFromCertEndpoint string
	ClientCertAuthVersion       string
	ClientCertAuthState         string
	NodeUUID                    string
	ClusterUUID                 string
}
CacheExt is the structure into which the revrpc JSON is unmarshalled when cbauth is used from an external service.
type CacheParams ¶ added in v0.1.8
type CacheParams struct {
// contains filtered or unexported fields
}
type CacheStats ¶ added in v0.1.11
type CachesStats ¶ added in v0.1.11
type CachesStats struct {
CacheStats []CacheStats `json:"cacheStats"`
}
type ClusterEncryptionConfig ¶
ClusterEncryptionConfig contains info about whether to use SSL ports for communication channels and whether to disable non-SSL ports.
func GetClusterEncryptionConfig ¶
func GetClusterEncryptionConfig(s *Svc) (ClusterEncryptionConfig, error)
GetClusterEncryptionConfig returns whether cross-node communication needs to be encrypted and whether non-SSL ports need to be disabled.
type ConfigRefreshCallback ¶
ConfigRefreshCallback type describes the callback called when any of the following are updated:
1. SSL certificates
2. TLS configuration
3. Cluster encryption configuration
The clients are notified of the configuration changes by OR'ing the appropriate flags defined above and passing them as an argument to the callback function.
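As an added example (not code from the cbauth project), the following Go dispatcher decodes the OR'ed change mask described above and runs one handler per flag that is set, so a refresh carrying several changes at once is never partially applied in silence. The CFG_CHANGE_* constants are a constructed copy of the ones listed under Constants, and the func(uint64) error callback shape is an assumption of this example.

```go
package main

import "fmt"

// Constructed copy of the CFG_CHANGE_* flags from this page, so the example
// runs offline without importing cbauthimpl.
const (
	CFG_CHANGE_CERTS_TLSCONFIG uint64 = 1 << iota
	CFG_CHANGE_CLUSTER_ENCRYPTION
	CFG_CHANGE_CLIENT_CERTS_TLSCONFIG
	CFG_CHANGE_GUARDRAIL_STATUSES
)
// ConfigRefreshCallback mirrors the callback described on this page; the
// func(uint64) error shape is an assumption of this example.
type ConfigRefreshCallback func(changes uint64) error

var flagNames = map[uint64]string{
	CFG_CHANGE_CERTS_TLSCONFIG:        "certs-tls-config",
	CFG_CHANGE_CLUSTER_ENCRYPTION:     "cluster-encryption",
	CFG_CHANGE_CLIENT_CERTS_TLSCONFIG: "client-certs-tls-config",
	CFG_CHANGE_GUARDRAIL_STATUSES:     "guardrail-statuses",
}

// NewDispatcher returns a callback that runs one handler per flag set in the
// mask. All matching handlers run even if one fails; failures and unknown
// flags are reported together so that nothing is silently dropped.
func NewDispatcher(handlers map[uint64]func() error) ConfigRefreshCallback {
	return func(changes uint64) error {
		var failed []string
		for flag := CFG_CHANGE_CERTS_TLSCONFIG; flag <= CFG_CHANGE_GUARDRAIL_STATUSES; flag <<= 1 {
			if changes&flag == 0 {
				continue
			}
			if h := handlers[flag]; h == nil {
				failed = append(failed, flagNames[flag]+": no handler")
			} else if err := h(); err != nil {
				failed = append(failed, flagNames[flag]+": "+err.Error())
			}
		}
		// Bits above the highest known flag mean a newer cbauth: report, don't ignore.
		if unknown := changes &^ (CFG_CHANGE_GUARDRAIL_STATUSES<<1 - 1); unknown != 0 {
			failed = append(failed, fmt.Sprintf("unknown flags %#x", unknown))
		}
		if len(failed) > 0 {
			return fmt.Errorf("config refresh: %v", failed)
		}
		return nil
	}
}

func main() {
	fmt.Println(NewDispatcher(nil)(CFG_CHANGE_CERTS_TLSCONFIG | CFG_CHANGE_CLUSTER_ENCRYPTION))
}
```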
type CredsImpl ¶
type CredsImpl struct {
// contains filtered or unexported fields
}
CredsImpl implements cbauth.Creds interface.
func MaybeGetCredsFromCert ¶
func MaybeGetCredsFromCert(s *Svc, tlsState *tls.ConnectionState) (*CredsImpl, error)
MaybeGetCredsFromCert extracts the user's credentials from the client certificate. The returned credentials can be used for calling the IsAllowed function.
func VerifyOnBehalf ¶
func VerifyOnBehalf(s *Svc, user, password, onBehalfUser, onBehalfDomain string) (*CredsImpl, error)
VerifyOnBehalf authenticates an HTTP request that carries an on-behalf header.
func VerifyOnServer ¶
func VerifyOnServer(s *Svc, reqHeaders httpreq.HttpHeader) (*CredsImpl, error)
VerifyOnServer authenticates an HTTP request by calling the POST /_cbauth REST endpoint.
func VerifyPassword ¶
func VerifyPassword(s *Svc, user, password string) (*CredsImpl, error)
VerifyPassword verifies the given user/password creds against the cbauth password database. It returns nil, nil if the given creds are not recognised at all.
func (*CredsImpl) IsAllowed ¶
IsAllowed method returns true if the permission is granted for these credentials
type GuardrailStatus ¶ added in v0.1.12
GuardrailStatus contains the current status for a resource that we want a service to be aware of. Severity may be one of the following, in ascending order of severity:
- "serious"
- "critical"
- "maximum" (equivalently known as "Critical Enforcement")
func GetGuardrailStatuses ¶ added in v0.1.12
func GetGuardrailStatuses(s *Svc) ([]GuardrailStatus, error)
GetGuardrailStatuses returns guardrail statuses.
type Node ¶
Node struct is used as part of Cache messages to describe the creds and ports of a cluster node.
type ReqParams ¶ added in v0.1.8
type ReqParams struct {
// contains filtered or unexported fields
}
type Svc ¶
type Svc struct {
// contains filtered or unexported fields
}
Svc is a struct that holds state of cbauth service.
func NewSVC ¶
NewSVC constructs a Svc instance. Period is the initial period of time during which attempts to access a stale DB won't cause DBStaleError responses; the service will instead wait for an UpdateDB call.
func NewSVCForTest ¶
func NewSVCForTest(period time.Duration, staleErr error, waitfn func(time.Duration, chan struct{}, func())) *Svc
NewSVCForTest constructs a Svc instance for use in tests.
func (*Svc) GetStats ¶ added in v0.1.11
func (s *Svc) GetStats(Void, outparam *CachesStats) error
func (*Svc) SetConnectInfo ¶ added in v0.1.11
func (s *Svc) SetConnectInfo(hostport, user, password string, heartbeatInterval, heartbeatWait int)
type TLSConfig ¶
type TLSConfig struct {
	MinVersion                 uint16
	CipherSuites               []uint16
	CipherSuiteNames           []string
	CipherSuiteOpenSSLNames    []string
	PreferServerCipherSuites   bool
	ClientAuthType             tls.ClientAuthType
	PrivateKeyPassphrase       []byte
	ClientPrivateKeyPassphrase []byte
	// contains filtered or unexported fields
}
TLSConfig contains the TLS settings to be used by cbauth clients. When something in the TLS config changes, the user is notified via TLSRefreshCallback.
func GetTLSConfig ¶
GetTLSConfig returns the current TLS config, which contains the cipher suites, the minimum TLS version, etc.
type TLSRefreshCallback ¶
type TLSRefreshCallback func() error
TLSRefreshCallback type describes the callback for reinitializing TLSConfig when the SSL certificate or the client cert auth setting changes.
Notes ¶
Bugs ¶
consider some kind of CAS later