auth

package
v1.0.0-alpha Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 18, 2018 License: AGPL-3.0 Imports: 14 Imported by: 0

Documentation

Index

Constants

View Source
const (
	AdminUsername     = "admin@candid"
	SSHKeyGetterGroup = "sshkeygetter@candid"
	GroupListGroup    = "grouplist@candid"
)
View Source
const (
	ActionRead               = "read"
	ActionVerify             = "verify"
	ActionDischargeFor       = "dischargeFor"
	ActionDischarge          = "discharge"
	ActionCreateAgent        = "createAgent"
	ActionReadAdmin          = "readAdmin"
	ActionWriteAdmin         = "writeAdmin"
	ActionReadGroups         = "readGroups"
	ActionWriteGroups        = "writeGroups"
	ActionReadSSHKeys        = "readSSHKeys"
	ActionWriteSSHKeys       = "writeSSHKeys"
	ActionLogin              = "login"
	ActionReadDischargeToken = "read-discharge-token"
)

The following constants define possible operation actions.

Variables

View Source
var AdminACL = []string{AdminUsername}

TODO(mhilton) make the admin ACL configurable

View Source
var AdminProviderID = store.MakeProviderIdentity("idm", "admin")
View Source
var Namespace = checkers.NewNamespace(map[string]string{
	checkers.StdNamespace:        "",
	httpbakery.CheckersNamespace: "http",
	checkersNamespace:            "",
})

Namespace contains the checkers.Namespace supported by the identity service.

Functions

func CheckUserDomain

func CheckUserDomain(ctx context.Context, username string) error

CheckUserDomain checks that the given user name has a valid domain name with respect to the given context (see also ContextWithRequiredDomain).

func ContextWithDischargeID

func ContextWithDischargeID(ctx context.Context, dischargeID string) context.Context

ContextWithDischargeID returns a context with the given discharge ID stored.

func ContextWithRequiredDomain

func ContextWithRequiredDomain(ctx context.Context, domain string) context.Context

ContextWithRequiredDomain returns a context associated with the given domain, such that declared identities will only be allowed if they have that domain.

func ContextWithUserCredentials

func ContextWithUserCredentials(ctx context.Context, username, password string) context.Context

ContextWithUserCredentials returns a context with the given user credentials attached. These will then be checked when performing authorizations.

func ContextWithUsername

func ContextWithUsername(ctx context.Context, username string) context.Context

ContextWithUsername returns a context with the given username stored. Any user attached to the context will be considered authenticated by IdentityFromContext.

func DischargeIDCaveat

func DischargeIDCaveat(dischargeID string) checkers.Caveat

DischargeIDCaveat creates a first-party caveat that ensures that a specific discharge is being performed.

func DomainDischargeOp

func DomainDischargeOp(domain string) bakery.Op

DomainDischargeOp creates an operation that is discharging the specified domain.

func GlobalOp

func GlobalOp(action string) bakery.Op

func GroupsDischargeOp

func GroupsDischargeOp(groups []string) bakery.Op

GroupsDischargeOp creates an operation that is discharging as a user in one of the specified groups.

func NewChecker

func NewChecker(a *Authorizer) *checkers.Checker

func UserHasPublicKeyCaveat

func UserHasPublicKeyCaveat(user params.Username, pk *bakery.PublicKey) checkers.Caveat

UserHasPublicKeyCaveat creates a first-party caveat that ensures that the given user is associated with the given public key.

func UserOp

func UserOp(u params.Username, action string) bakery.Op

Types

type Authorizer

type Authorizer struct {
	// contains filtered or unexported fields
}

An Authorizer is used to authorize operations in the identity server.

func New

func New(params Params) *Authorizer

New creates a new Authorizer for authorizing identity server operations.

func (*Authorizer) Auth

func (a *Authorizer) Auth(ctx context.Context, mss []macaroon.Slice, ops ...bakery.Op) (*identchecker.AuthInfo, error)

Auth checks that client, as identified by the given context and macaroons, is authorized to perform the given operations. It may return an bakery.DischargeRequiredError when further checks are required, or params.ErrUnauthorized if the user is authenticated but does not have the required authorization.

func (*Authorizer) Identity

func (a *Authorizer) Identity(ctx context.Context, username string) (*Identity, error)

Identity creates a new identity for the user with the given username, such a user must exist in the store.

func (*Authorizer) SetAdminPublicKey

func (a *Authorizer) SetAdminPublicKey(ctx context.Context, pk *bakery.PublicKey) error

SetAdminPublicKey configures the public key on the admin user. This is to allow agent login as the admin user.

type Identity

type Identity struct {
	// contains filtered or unexported fields
}

An Identity is the implementation of identchecker.Identity used in the identity server.

func (*Identity) Allow

func (id *Identity) Allow(ctx context.Context, acl []string) (bool, error)

Allow implements identchecker.ACLIdentity.Allow by checking whether the given identity is in any of the required groups or users.

func (*Identity) Domain

func (id *Identity) Domain() string

Domain implements identchecker.Identity.Domain.

func (*Identity) Groups

func (id *Identity) Groups(ctx context.Context) ([]string, error)

Groups returns all the groups associated with the user. The groups include those stored in the identity server's database along with any retrieved by the relevent identity provider's GetGroups method. Once the set of groups has been determined it is cached in the Identity.

func (*Identity) Id

func (id *Identity) Id() string

Id implements identchecker.Identity.Id.

func (*Identity) StoreIdentity

func (id *Identity) StoreIdentity(ctx context.Context) (*store.Identity, error)

StoreIdentity returns the store identity document. Callers must not mutate the contents of the returned value.

type Params

type Params struct {
	// AdminPassword is the password of the admin user in the
	// identity server.
	AdminPassword string

	// Location is the url of the discharger that third-party caveats
	// will be addressed to. This should be the address of this
	// identity server.
	Location string

	// MacaroonOpStore is the store of macaroon operations and root
	// keys.
	MacaroonVerifier bakery.MacaroonVerifier

	// Store is the identity store.
	Store store.Store

	// IdentityProviders contains the set of identity providers that
	// are configured for the service. The authenticatore uses these
	// to get group information for authenticated users.
	IdentityProviders []idp.IdentityProvider
}

Params specifify the configuration parameters for a new Authroizer.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL