Documentation
Overview
Package cbauthimpl contains internal implementation details of cbauth. Its APIs are subject to change without notice.
Index
- Constants
- Variables
- func GetClientCertAuthType(s *Svc) (tls.ClientAuthType, error)
- func GetCreds(s *Svc, host string, port int) (memcachedUser, user, pwd string, err error)
- func GetUserBuckets(s *Svc, user, domain string) ([]string, error)
- func GetUserLimits(s *Svc, user, domain, service string) (map[string]int, error)
- func GetUserUuid(s *Svc, user, domain string) (string, error)
- func IsAuthTokenPresent(req *http.Request) bool
- func RegisterConfigRefreshCallback(s *Svc, cb ConfigRefreshCallback) error
- func RegisterTLSRefreshCallback(s *Svc, callback TLSRefreshCallback) error
- func ResetSvc(s *Svc, staleErr error)
- func SetTransport(s *Svc, rt http.RoundTripper)
- type Cache
- type CacheParams
- type ClusterEncryptionConfig
- type ConfigRefreshCallback
- type CredsImpl
- func MaybeGetCredsFromCert(s *Svc, req *http.Request) (*CredsImpl, error)
- func VerifyOnBehalf(s *Svc, user, password, onBehalfUser, onBehalfDomain string) (*CredsImpl, error)
- func VerifyOnServer(s *Svc, reqHeaders http.Header) (*CredsImpl, error)
- func VerifyPassword(s *Svc, user, password string) (*CredsImpl, error)
- type LimitsConfig
- type Node
- type ReqCache
- type ReqParams
- type Svc
- type TLSConfig
- type TLSRefreshCallback
- Bugs
Constants
const (
	CFG_CHANGE_CERTS_TLSCONFIG uint64 = 1 << iota
	CFG_CHANGE_CLUSTER_ENCRYPTION
	CFG_CHANGE_USER_LIMITS
	CFG_CHANGE_CLIENT_CERTS_TLSCONFIG
)
Variables
var ErrCallbackAlreadyRegistered = errors.New("Certificate refresh callback is already registered")
ErrCallbackAlreadyRegistered is used to signal that the certificate refresh callback is already registered.
var ErrNoAuth = errors.New("Authentication failure")
ErrNoAuth is returned when the user credentials are not recognized.
var ErrNoUuid = errors.New("No UUID for user")
ErrNoUuid is returned when the UUID for the user is empty.
var ErrUserNotFound = errors.New("Username not found")
ErrUserNotFound is used to signal that the username can't be extracted from the client certificate.
Functions
func GetClientCertAuthType
func GetClientCertAuthType(s *Svc) (tls.ClientAuthType, error)
GetClientCertAuthType returns the TLS client certificate auth type.
func GetCreds
func GetCreds(s *Svc, host string, port int) (memcachedUser, user, pwd string, err error)
GetCreds returns the service password for the given host and port, together with the memcached admin name and the HTTP special user. It returns "", "", "", nil if host/port represents an unknown service.
func GetUserBuckets added in v0.1.2
func GetUserBuckets(s *Svc, user, domain string) ([]string, error)
func GetUserLimits
func GetUserLimits(s *Svc, user, domain, service string) (map[string]int, error)
func IsAuthTokenPresent
func IsAuthTokenPresent(req *http.Request) bool
IsAuthTokenPresent returns true iff ns_server's UI token header ("ns-server-ui") is set to "yes". The UI uses that header to indicate that the request is using so-called token auth.
func RegisterConfigRefreshCallback
func RegisterConfigRefreshCallback(s *Svc, cb ConfigRefreshCallback) error
RegisterConfigRefreshCallback registers a callback for refreshing SSL certs or the TLS config.
func RegisterTLSRefreshCallback
func RegisterTLSRefreshCallback(s *Svc, callback TLSRefreshCallback) error
RegisterTLSRefreshCallback registers a callback for refreshing the TLS config.
func SetTransport
func SetTransport(s *Svc, rt http.RoundTripper)
SetTransport allows changing the RoundTripper used by Svc.
Types
type Cache
type Cache struct {
	Nodes                   []Node
	AuthCheckURL            string `json:"authCheckUrl"`
	PermissionCheckURL      string `json:"permissionCheckUrl"`
	LimitsCheckURL          string
	UuidCheckURL            string
	UserBucketsURL          string
	SpecialUser             string   `json:"specialUser"`
	SpecialPasswords        []string `json:"specialPasswords"`
	PermissionsVersion      string
	LimitsConfig            LimitsConfig
	UserVersion             string
	AuthVersion             string
	CertVersion             int
	ClientCertVersion       int
	ExtractUserFromCertURL  string `json:"extractUserFromCertURL"`
	ClientCertAuthState     string `json:"clientCertAuthState"`
	ClientCertAuthVersion   string `json:"clientCertAuthVersion"`
	ClusterEncryptionConfig ClusterEncryptionConfig `json:"clusterEncryptionConfig"`
	TLSConfig               tlsConfigImport         `json:"tlsConfig"`
}
Cache is the structure into which the revrpc JSON is unmarshalled.
type CacheParams added in v0.1.8
type CacheParams struct {
// contains filtered or unexported fields
}
type ClusterEncryptionConfig
ClusterEncryptionConfig contains info about whether to use SSL ports for communication channels and whether to disable non-SSL ports.
func GetClusterEncryptionConfig
func GetClusterEncryptionConfig(s *Svc) (ClusterEncryptionConfig, error)
GetClusterEncryptionConfig returns whether cross-node communication needs to be encrypted and whether non-SSL ports need to be disabled.
type ConfigRefreshCallback
ConfigRefreshCallback type describes the callback called when any of the following are updated:
1. SSL certificates
2. TLS configuration
3. Cluster encryption configuration
The clients are notified of the configuration changes by OR'ing the appropriate flags defined above and passing them as an argument to the callback function.
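A client-side callback that decodes the OR'ed change mask, as an added example that is not cbauthimpl code: the CFG_CHANGE_* constants mirror those documented above, while the callback signature func(uint64) error and the RefreshState bookkeeping are assumptions made for the example. It reloads only the settings whose flags are set and rejects masks carrying bits it does not know, so a newer cbauth cannot silently signal a change the client would ignore.

```go
package main

import "fmt"

// Flags mirrored from the cbauthimpl constants documented above.
const (
	CFG_CHANGE_CERTS_TLSCONFIG uint64 = 1 << iota
	CFG_CHANGE_CLUSTER_ENCRYPTION
	CFG_CHANGE_USER_LIMITS
	CFG_CHANGE_CLIENT_CERTS_TLSCONFIG
)

// allKnown is every flag this client understands; bits outside it come from a
// newer cbauth and are reported rather than silently ignored.
const allKnown = CFG_CHANGE_CERTS_TLSCONFIG | CFG_CHANGE_CLUSTER_ENCRYPTION |
	CFG_CHANGE_USER_LIMITS | CFG_CHANGE_CLIENT_CERTS_TLSCONFIG

// ConfigRefreshCallback is an assumed signature: a func receiving the OR'ed mask.
type ConfigRefreshCallback func(changes uint64) error

// RefreshState is hypothetical client bookkeeping: it counts reloads so the
// callback can be checked to do only the work the flags ask for.
type RefreshState struct{ TLSReloads, EncryptionReloads, LimitsReloads int }

// Apply is the client's ConfigRefreshCallback: it reloads only what changed and
// rejects masks carrying flags it does not understand.
func (r *RefreshState) Apply(changes uint64) error {
	if unknown := changes &^ allKnown; unknown != 0 {
		return fmt.Errorf("unknown config change flags %#x", unknown)
	}
	if changes == 0 {
		return fmt.Errorf("empty config change mask: %#x", changes)
	}
	if changes&(CFG_CHANGE_CERTS_TLSCONFIG|CFG_CHANGE_CLIENT_CERTS_TLSCONFIG) != 0 {
		r.TLSReloads++ // rebuild tls.Config: new server certs or client-cert auth type
	}
	if changes&CFG_CHANGE_CLUSTER_ENCRYPTION != 0 {
		r.EncryptionReloads++ // re-read which ports must be SSL-only
	}
	if changes&CFG_CHANGE_USER_LIMITS != 0 {
		r.LimitsReloads++ // re-read the limits config
	}
	return nil
}

// Compile-time check that Apply has the shape a ConfigRefreshCallback needs.
var _ ConfigRefreshCallback = (&RefreshState{}).Apply
```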
type CredsImpl
type CredsImpl struct {
// contains filtered or unexported fields
}
CredsImpl implements the cbauth.Creds interface.
func MaybeGetCredsFromCert
func MaybeGetCredsFromCert(s *Svc, req *http.Request) (*CredsImpl, error)
MaybeGetCredsFromCert extracts the user's credentials from the certificate. The returned credentials can be used for calling the IsAllowed function.
func VerifyOnBehalf
func VerifyOnBehalf(s *Svc, user, password, onBehalfUser, onBehalfDomain string) (*CredsImpl, error)
VerifyOnBehalf authenticates an HTTP request that carries an on-behalf header.
func VerifyOnServer
func VerifyOnServer(s *Svc, reqHeaders http.Header) (*CredsImpl, error)
VerifyOnServer authenticates an HTTP request by calling the POST /_cbauth REST endpoint.
func VerifyPassword
func VerifyPassword(s *Svc, user, password string) (*CredsImpl, error)
VerifyPassword verifies the given user/password creds against the cbauth password database. It returns nil, nil if the given creds are not recognised at all.
func (*CredsImpl) IsAllowed
IsAllowed returns true if the permission is granted for these credentials.
type LimitsConfig
LimitsConfig contains info about whether limits need to be enforced and what the limits version is.
func GetLimitsConfig
func GetLimitsConfig(s *Svc) (LimitsConfig, error)
GetLimitsConfig returns limits settings.
type Node
Node struct is used as part of Cache messages to describe the creds and ports of a cluster node.
type ReqParams added in v0.1.8
type ReqParams struct {
// contains filtered or unexported fields
}
type Svc
type Svc struct {
// contains filtered or unexported fields
}
Svc is a struct that holds the state of the cbauth service.
func NewSVC
NewSVC constructs an Svc instance. Period is the initial period of time during which attempts to access a stale DB won't cause DBStaleError responses; instead the service will wait for an UpdateDB call.
type TLSConfig
type TLSConfig struct {
	MinVersion                 uint16
	CipherSuites               []uint16
	CipherSuiteNames           []string
	CipherSuiteOpenSSLNames    []string
	PreferServerCipherSuites   bool
	ClientAuthType             tls.ClientAuthType
	PrivateKeyPassphrase       []byte
	ClientPrivateKeyPassphrase []byte
	// contains filtered or unexported fields
}
TLSConfig contains the TLS settings to be used by cbauth clients. When something in the TLS config changes, the user is notified via TLSRefreshCallback.
func GetTLSConfig
GetTLSConfig returns the current TLS config, which contains the cipher suites, the minimum TLS version, etc.
type TLSRefreshCallback
type TLSRefreshCallback func() error
TLSRefreshCallback type describes the callback for reinitializing TLSConfig when the SSL certificate or the client cert auth setting changes.
Notes
Bugs
consider some kind of CAS later