cbauthimpl

package cbauthimpl (v0.1.8)

Published: Mar 17, 2023 License: Apache-2.0 Imports: 17 Imported by: 4

Overview

Package cbauthimpl contains internal implementation details of cbauth. Its APIs are subject to change without notice.

Constants

const (
	CFG_CHANGE_CERTS_TLSCONFIG uint64 = 1 << iota
	CFG_CHANGE_CLUSTER_ENCRYPTION
	CFG_CHANGE_USER_LIMITS
	CFG_CHANGE_CLIENT_CERTS_TLSCONFIG
)

Variables

var ErrCallbackAlreadyRegistered = errors.New("Certificate refresh callback is already registered")

ErrCallbackAlreadyRegistered is used to signal that a certificate refresh callback is already registered.

var ErrNoAuth = errors.New("Authentication failure")

ErrNoAuth is the error returned when the user credentials are not recognized.

var ErrNoUuid = errors.New("No UUID for user")

ErrNoUuid is the error returned when the UUID for the user is empty.

var ErrUserNotFound = errors.New("Username not found")

ErrUserNotFound is used to signal that the username can't be extracted from the client certificate.

Functions

func GetClientCertAuthType

func GetClientCertAuthType(s *Svc) (tls.ClientAuthType, error)

GetClientCertAuthType returns the configured TLS client certificate auth type (tls.ClientAuthType).

func GetCreds

func GetCreds(s *Svc, host string, port int) (memcachedUser, user, pwd string, err error)

GetCreds returns the service password for the given host and port, together with the memcached admin name and the HTTP special user, or "", "", "", nil if host/port represents an unknown service.

func GetUserBuckets added in v0.1.2

func GetUserBuckets(s *Svc, user, domain string) ([]string, error)

func GetUserLimits

func GetUserLimits(s *Svc, user, domain, service string) (map[string]int, error)

func GetUserUuid added in v0.1.1

func GetUserUuid(s *Svc, user, domain string) (string, error)

func IsAuthTokenPresent

func IsAuthTokenPresent(req *http.Request) bool

IsAuthTokenPresent returns true iff ns_server's UI token header ("ns-server-ui") is set to "yes". The UI uses that header to indicate that the request is using so-called token auth.

func RegisterConfigRefreshCallback

func RegisterConfigRefreshCallback(s *Svc, cb ConfigRefreshCallback) error

RegisterConfigRefreshCallback registers a callback for refreshing SSL certs or TLS config.

func RegisterTLSRefreshCallback

func RegisterTLSRefreshCallback(s *Svc, callback TLSRefreshCallback) error

RegisterTLSRefreshCallback registers a callback for refreshing TLS config.

func ResetSvc

func ResetSvc(s *Svc, staleErr error)

ResetSvc marks service's db as stale.

func SetTransport

func SetTransport(s *Svc, rt http.RoundTripper)

SetTransport allows changing the RoundTripper used by Svc.

Types

type Cache

type Cache struct {
	Nodes                   []Node
	AuthCheckURL            string `json:"authCheckUrl"`
	PermissionCheckURL      string `json:"permissionCheckUrl"`
	LimitsCheckURL          string
	UuidCheckURL            string
	UserBucketsURL          string
	SpecialUser             string   `json:"specialUser"`
	SpecialPasswords        []string `json:"specialPasswords"`
	PermissionsVersion      string
	LimitsConfig            LimitsConfig
	UserVersion             string
	AuthVersion             string
	CertVersion             int
	ClientCertVersion       int
	ExtractUserFromCertURL  string                  `json:"extractUserFromCertURL"`
	ClientCertAuthState     string                  `json:"clientCertAuthState"`
	ClientCertAuthVersion   string                  `json:"clientCertAuthVersion"`
	ClusterEncryptionConfig ClusterEncryptionConfig `json:"clusterEncryptionConfig"`
	TLSConfig               tlsConfigImport         `json:"tlsConfig"`
}

Cache is the structure into which the revrpc JSON is unmarshalled.

type CacheParams added in v0.1.8

type CacheParams struct {
	// contains filtered or unexported fields
}

type ClusterEncryptionConfig

type ClusterEncryptionConfig struct {
	EncryptData        bool
	DisableNonSSLPorts bool
}

ClusterEncryptionConfig contains info about whether to use SSL ports for communication channels and whether to disable non-SSL ports.

func GetClusterEncryptionConfig

func GetClusterEncryptionConfig(s *Svc) (ClusterEncryptionConfig, error)

GetClusterEncryptionConfig returns whether cross-node communication needs to be encrypted and whether non-SSL ports need to be disabled.

type ConfigRefreshCallback

type ConfigRefreshCallback func(uint64) error

ConfigRefreshCallback type describes the callback called when any of the following are updated:

1. SSL certificates
2. TLS configuration
3. Cluster encryption configuration

The clients are notified of the configuration changes by OR'ing the appropriate CFG_CHANGE_* flags defined above and passing the combined mask as the argument to the callback function.
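The following is an added example, not code from the cbauth project, showing how a client-side ConfigRefreshCallback decodes the OR'd mask it receives. The CFG_CHANGE_* constants are copied from this page; the Reloader type, DecodeChangeMask and knownFlags are this example's own assumptions. Unknown bits are treated as an error rather than ignored, so a newer ns_server that adds a flag cannot leave a subsystem silently stale.

```go
package main

import "fmt"

// Change flags, copied verbatim from the cbauthimpl constants on this page.
const (
	CFG_CHANGE_CERTS_TLSCONFIG uint64 = 1 << iota
	CFG_CHANGE_CLUSTER_ENCRYPTION
	CFG_CHANGE_USER_LIMITS
	CFG_CHANGE_CLIENT_CERTS_TLSCONFIG
)

// ConfigRefreshCallback mirrors the callback type this page describes.
type ConfigRefreshCallback func(uint64) error

// knownFlags is the OR of every flag this example understands (example helper).
const knownFlags = CFG_CHANGE_CERTS_TLSCONFIG | CFG_CHANGE_CLUSTER_ENCRYPTION |
	CFG_CHANGE_USER_LIMITS | CFG_CHANGE_CLIENT_CERTS_TLSCONFIG

// DecodeChangeMask names each subsystem whose flag is set, in flag order.
func DecodeChangeMask(mask uint64) []string {
	names := []struct {
		flag uint64
		name string
	}{
		{CFG_CHANGE_CERTS_TLSCONFIG, "server certs/TLS config"},
		{CFG_CHANGE_CLUSTER_ENCRYPTION, "cluster encryption"},
		{CFG_CHANGE_USER_LIMITS, "user limits"},
		{CFG_CHANGE_CLIENT_CERTS_TLSCONFIG, "client certs/TLS config"},
	}
	var out []string
	for _, n := range names {
		if mask&n.flag != 0 {
			out = append(out, n.name)
		}
	}
	return out
}

// Reloader (hypothetical) groups the per-subsystem reload actions a client wires up.
type Reloader struct {
	ReloadServerTLS  func() error
	ReloadEncryption func() error
	ReloadLimits     func() error
	ReloadClientTLS  func() error
}

// Callback builds a ConfigRefreshCallback that runs one reload action per set flag.
// Unknown bits are rejected rather than ignored, and every action runs even if an
// earlier one fails, so one broken reload cannot block the others.
func (r *Reloader) Callback() ConfigRefreshCallback {
	return func(mask uint64) error {
		if extra := mask &^ knownFlags; extra != 0 {
			return fmt.Errorf("unknown config change flags %#x", extra)
		}
		var failed []string
		run := func(flag uint64, name string, fn func() error) {
			if mask&flag != 0 && fn != nil {
				if err := fn(); err != nil {
					failed = append(failed, name+": "+err.Error())
				}
			}
		}
		run(CFG_CHANGE_CERTS_TLSCONFIG, "server TLS", r.ReloadServerTLS)
		run(CFG_CHANGE_CLUSTER_ENCRYPTION, "encryption", r.ReloadEncryption)
		run(CFG_CHANGE_USER_LIMITS, "limits", r.ReloadLimits)
		run(CFG_CHANGE_CLIENT_CERTS_TLSCONFIG, "client TLS", r.ReloadClientTLS)
		if len(failed) > 0 {
			return fmt.Errorf("config refresh failed: %v", failed)
		}
		return nil
	}
}

func main() {
	// Constructed example: ns_server signals that both certificate-related configs changed.
	mask := CFG_CHANGE_CERTS_TLSCONFIG | CFG_CHANGE_CLIENT_CERTS_TLSCONFIG
	fmt.Println(DecodeChangeMask(mask))
	r := &Reloader{ReloadServerTLS: func() error { fmt.Println("reloading server TLS"); return nil }}
	fmt.Println(r.Callback()(mask))
}
```

The callback returned by Reloader.Callback is what a client would pass to RegisterConfigRefreshCallback; a nil reload action simply means the client has nothing to do for that flag.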

type CredsImpl

type CredsImpl struct {
	// contains filtered or unexported fields
}

CredsImpl implements cbauth.Creds interface.

func MaybeGetCredsFromCert

func MaybeGetCredsFromCert(s *Svc, req *http.Request) (*CredsImpl, error)

MaybeGetCredsFromCert extracts the user's credentials from the request's client certificate. The returned credentials can be used for calling the IsAllowed function.

func VerifyOnBehalf

func VerifyOnBehalf(s *Svc, user, password, onBehalfUser,
	onBehalfDomain string) (*CredsImpl, error)

VerifyOnBehalf authenticates an HTTP request that carries an on-behalf header.

func VerifyOnServer

func VerifyOnServer(s *Svc, reqHeaders http.Header) (*CredsImpl, error)

VerifyOnServer authenticates an HTTP request by calling the POST /_cbauth REST endpoint.

func VerifyPassword

func VerifyPassword(s *Svc, user, password string) (*CredsImpl, error)

VerifyPassword verifies the given user/password creds against the cbauth password database. Returns nil, nil if the given creds are not recognised at all.

func (*CredsImpl) Domain

func (c *CredsImpl) Domain() string

Domain method returns the user domain (for auditing).

func (*CredsImpl) IsAllowed

func (c *CredsImpl) IsAllowed(permission string) (bool, error)

IsAllowed method returns true if the permission is granted for these credentials.

func (*CredsImpl) Name

func (c *CredsImpl) Name() string

Name method returns the user name (e.g. for auditing).

func (*CredsImpl) User

func (c *CredsImpl) User() (name, domain string)

User method returns the user and domain for non-auditing purposes.

func (*CredsImpl) Uuid

func (c *CredsImpl) Uuid() (string, error)

Uuid returns the user UUID used for generating user stats. It need not be present; it is only present for local users.

type LimitsConfig

type LimitsConfig struct {
	EnforceLimits     bool
	UserLimitsVersion string
}

LimitsConfig contains info about whether limits need to be enforced and what the limits version is.

func GetLimitsConfig

func GetLimitsConfig(s *Svc) (LimitsConfig, error)

GetLimitsConfig returns limits settings.

type Node

type Node struct {
	Host     string
	User     string
	Password string
	Ports    []int
	Local    bool
}

Node struct is used as part of Cache messages to describe the creds and ports of a cluster node.

type ReqCache added in v0.1.8

type ReqCache struct {
	// contains filtered or unexported fields
}

type ReqParams added in v0.1.8

type ReqParams struct {
	// contains filtered or unexported fields
}

type Svc

type Svc struct {
	// contains filtered or unexported fields
}

Svc is a struct that holds the state of the cbauth service.

func NewSVC

func NewSVC(period time.Duration, staleErr error) *Svc

NewSVC constructs a Svc instance. period is the initial period of time during which attempts to access a stale DB won't cause DBStaleError responses; the service will instead wait for an UpdateDB call.

func NewSVCForTest

func NewSVCForTest(period time.Duration, staleErr error, waitfn func(time.Duration, chan struct{}, func())) *Svc

NewSVCForTest constructs a Svc instance, with the wait function injectable for tests.

func (*Svc) UpdateDB

func (s *Svc) UpdateDB(c *Cache, outparam *bool) error

UpdateDB is a revrpc method that is used by ns_server to update cbauth state.

type TLSConfig

type TLSConfig struct {
	MinVersion               uint16
	CipherSuites             []uint16
	CipherSuiteNames         []string
	CipherSuiteOpenSSLNames  []string
	PreferServerCipherSuites bool
	ClientAuthType           tls.ClientAuthType

	PrivateKeyPassphrase       []byte
	ClientPrivateKeyPassphrase []byte
	// contains filtered or unexported fields
}

TLSConfig contains the TLS settings to be used by cbauth clients. When something in the TLS config changes, the user is notified via TLSRefreshCallback.

func GetTLSConfig

func GetTLSConfig(s *Svc) (TLSConfig, error)

GetTLSConfig returns the current TLS config, which contains the cipher suites, minimum TLS version, etc.

type TLSRefreshCallback

type TLSRefreshCallback func() error

TLSRefreshCallback type describes the callback for reinitializing TLSConfig when the SSL certificate or client cert auth setting changes.
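As an added example, not code from the cbauth project, here is what a TLSRefreshCallback might do with the settings GetTLSConfig hands back: convert the exported TLSConfig fields shown above into a *tls.Config for a listener. The local TLSConfig type repeats only the page's MinVersion, CipherSuites and ClientAuthType fields; BuildServerTLSConfig, knownSuites and the TLS 1.2 floor are this example's own assumptions. The checks guard against two ways crypto/tls quietly weakens such a config: cipher-suite IDs it does not implement are dropped without error, and a client-cert verification mode with a nil ClientCAs pool falls back to the system roots.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// TLSConfig repeats a subset of the exported fields of cbauthimpl.TLSConfig
// from this page; passphrases and unexported fields are omitted.
type TLSConfig struct {
	MinVersion     uint16
	CipherSuites   []uint16
	ClientAuthType tls.ClientAuthType
}

// knownSuites indexes every cipher suite the Go runtime implements, secure or not.
func knownSuites() map[uint16]*tls.CipherSuite {
	m := map[uint16]*tls.CipherSuite{}
	for _, s := range tls.CipherSuites() {
		m[s.ID] = s
	}
	for _, s := range tls.InsecureCipherSuites() {
		m[s.ID] = s
	}
	return m
}

// BuildServerTLSConfig (hypothetical helper) turns the cbauth settings into a
// *tls.Config for a listener, refusing configurations that would be silently
// weaker than they look.
func BuildServerTLSConfig(c TLSConfig, certs []tls.Certificate, clientCAs *x509.CertPool) (*tls.Config, error) {
	// TLS 1.2 floor is this example's policy, not something cbauth mandates.
	if c.MinVersion != 0 && c.MinVersion < tls.VersionTLS12 {
		return nil, fmt.Errorf("min TLS version 0x%04x is below TLS 1.2", c.MinVersion)
	}
	known := knownSuites()
	var insecure []string
	for _, id := range c.CipherSuites {
		s, ok := known[id]
		if !ok {
			// crypto/tls ignores unknown IDs, so the operator's list would shrink unnoticed.
			return nil, fmt.Errorf("cipher suite 0x%04x is not implemented by crypto/tls", id)
		}
		if s.Insecure {
			insecure = append(insecure, s.Name)
		}
	}
	if len(insecure) > 0 {
		return nil, fmt.Errorf("insecure cipher suites configured: %v", insecure)
	}
	// Verification modes need an explicit pool; with ClientCAs nil, x509
	// verification uses the system roots, which is not what a cluster wants.
	if c.ClientAuthType >= tls.VerifyClientCertIfGiven && clientCAs == nil {
		return nil, fmt.Errorf("client auth mode %v requires an explicit client CA pool", c.ClientAuthType)
	}
	return &tls.Config{
		MinVersion:   c.MinVersion,
		CipherSuites: c.CipherSuites,
		ClientAuth:   c.ClientAuthType,
		ClientCAs:    clientCAs,
		Certificates: certs,
	}, nil
}

func main() {
	// Constructed example settings, standing in for what GetTLSConfig would return.
	cfg, err := BuildServerTLSConfig(TLSConfig{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
	}, nil, nil)
	fmt.Println(cfg != nil, err)
}
```

A real callback would also reload the certificate files before calling this, since the page notes the callback fires on certificate changes as well as TLS setting changes.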

Notes

Bugs

  • consider some kind of CAS later
