package user

v0.750.3
Warning: This package is not in the latest version of its module.
Published: Aug 19, 2024 License: Apache-2.0 Imports: 31 Imported by: 0

Constants

const (
	// SessionDuration is how long a newly created session is valid.
	SessionDuration = 7 * 24 * time.Hour
	// PersonalGroupPostfix is the system postfix appended to the username of all personal groups.
	PersonalGroupPostfix = "DeterminedPersonalGroup"
)

Variables

AuthZProvider is the authz registry for the `user` package.

var BuiltInUsers = []string{determinedUsername, adminUsername}

BuiltInUsers are created in the DB by the initial migration. They exist on every installation unless the admin has removed them.

var ErrRemoteUserTokenExpired = status.Error(codes.Unauthenticated, "remote user token expired")

ErrRemoteUserTokenExpired notifies that the remote user's token has expired.

Functions

func Add

func Add(
	ctx context.Context,
	user *model.User,
	ug *model.AgentUserGroup,
) (model.UserID, error)

Add creates a new user, adding it to the User & AgentUserGroup tables.

func AddSCIMUser

func AddSCIMUser(ctx context.Context, suser *model.SCIMUser) (*model.SCIMUser, error)

AddSCIMUser adds a user as well as additional SCIM-specific fields. If the user already exists, this function will return an error.

func AddUserTx

func AddUserTx(ctx context.Context, idb bun.IDB, user *model.User) (model.UserID, error)

AddUserTx and addAgentUserGroup are helper methods for Add and Update. AddUserTx upserts the user row, so the user exists in the User table afterwards whether or not it was already present.

func ByID

func ByID(ctx context.Context, userID model.UserID) (*model.FullUser, error)

ByID returns the full user for a given ID.

func BySessionID

func BySessionID(ctx context.Context, sessionID model.SessionID) (*model.User, error)

BySessionID looks up a user by session ID in the database.

func ByToken

func ByToken(ctx context.Context, token string, ext *model.ExternalSessions) (
	*model.User, *model.UserSession, error,
)

ByToken returns a user session given an authentication token. If a session belonging to a remote (SSO) user is found but has expired, ErrRemoteUserTokenExpired will be returned.

func ByUsername

func ByUsername(ctx context.Context, username string) (*model.User, error)

ByUsername looks up a user by name in the database.

func DeleteSessionByID

func DeleteSessionByID(ctx context.Context, sessionID model.SessionID) error

DeleteSessionByID deletes the user session with the given ID.

func DeleteSessionByToken

func DeleteSessionByToken(ctx context.Context, token string) error

DeleteSessionByToken deletes the user session if it is found (externally managed sessions are not stored in the DB and will not be found).

func GetAgentUserGroup

func GetAgentUserGroup(
	ctx context.Context,
	userID model.UserID,
	workspaceID int,
) (*model.AgentUserGroup, error)

GetAgentUserGroup returns the AgentUserGroup for a user and an optional workspace.

func GetUserSetting

func GetUserSetting(ctx context.Context, userID model.UserID) ([]*model.UserWebSetting, error)

GetUserSetting returns the web settings stored for the given user.

func InitService

func InitService(db *db.PgDB, extConfig *model.ExternalSessions)

InitService creates the user service singleton.

func List

func List(ctx context.Context) (values []model.FullUser, err error)

List returns all of the users in the database.

func NewCookieFromToken

func NewCookieFromToken(token string) *http.Cookie

NewCookieFromToken creates a new cookie from the given token.

func ProfileImage

func ProfileImage(ctx context.Context, username string) (photo []byte, err error)

ProfileImage returns the profile picture associated with the user.

func RegisterAPIHandler

func RegisterAPIHandler(echo *echo.Echo, m *Service, middleware ...echo.MiddlewareFunc)

RegisterAPIHandler initializes and registers the API handlers for all command-related features.

func ReplicateClientSideSaltAndHash

func ReplicateClientSideSaltAndHash(password string) string

ReplicateClientSideSaltAndHash replicates the password salting and hashing that is normally done on the client side. It is needed because passwords are hashed on the client side, but when SCIM posts a user with a password for password sync, no client-side hashing takes place; without replicating it here, a later login from the frontend would present an unrecognizable SHA-512 hash that does not match the stored value.

func ResetUserSetting

func ResetUserSetting(ctx context.Context, userID model.UserID) error

ResetUserSetting resets the web settings of the given user.

func RetrofitSCIMUser

func RetrofitSCIMUser(ctx context.Context, suser *model.SCIMUser, userID model.UserID) (*model.SCIMUser, error)

RetrofitSCIMUser "upgrades" an existing user to one tracked in the SCIM table. This is a temporary measure for SaaS clusters to migrate existing users to SCIM users.

func SCIMUserByID

func SCIMUserByID(ctx context.Context, tx bun.IDB, id model.UUID) (*model.SCIMUser, error)

SCIMUserByID returns the SCIM user with the given ID.

func SCIMUserList

func SCIMUserList(ctx context.Context, startIndex, count int, username string) (*model.SCIMUsers, error)

SCIMUserList returns at most count SCIM users starting at startIndex (1-indexed). If username is set, restrict results to users with the matching username.

func ScimUserByAttribute

func ScimUserByAttribute(ctx context.Context, name string, value string) (*model.SCIMUser, error)

ScimUserByAttribute returns the SCIM user with the given value for the given attribute.

func SetActive

func SetActive(
	ctx context.Context,
	updateIDs []model.UserID,
	activate bool,
) error

SetActive changes multiple users' activation status.

func SetSCIMUser

func SetSCIMUser(ctx context.Context, id string, user *model.SCIMUser) (*model.SCIMUser, error)

SetSCIMUser updates fields on an existing SCIM user.

func SetUserPassword

func SetUserPassword(ctx context.Context, username, password string) error

SetUserPassword sets the password of the user with the given username to the plaintext string provided.

func StartSession

func StartSession(ctx context.Context, user *model.User, opts ...UserSessionOption) (string, error)

StartSession creates a row in the user_sessions table.

func Update

func Update(
	ctx context.Context,
	updated *model.User,
	toUpdate []string,
	ug *model.AgentUserGroup,
) error

Update updates an existing user. `toUpdate` names the fields to update.

func UpdateUserAndDeleteSession

func UpdateUserAndDeleteSession(
	ctx context.Context,
	id string,
	user *model.SCIMUser,
	fields []string,
) (*model.SCIMUser, error)

UpdateUserAndDeleteSession updates some fields on an existing SCIM user and deletes the user session if inactive.

func UpdateUserSetting

func UpdateUserSetting(ctx context.Context, settings []*model.UserWebSetting) error

UpdateUserSetting updates the given user web settings.

func UpdateUsername

func UpdateUsername(ctx context.Context, userID *model.UserID, newUsername string) error

UpdateUsername updates an existing user's username.

func UserBySCIMAttribute

func UserBySCIMAttribute(ctx context.Context, name string, value string) (*model.User, error)

UserBySCIMAttribute returns the user with the given value for the given SCIM attribute.

Types

type Service

type Service struct {
	// contains filtered or unexported fields
}

Service describes a user manager.

func GetService

func GetService() *Service

GetService returns a reference to the user service singleton.

func (*Service) ProcessAuthentication

func (s *Service) ProcessAuthentication(next echo.HandlerFunc) echo.HandlerFunc

ProcessAuthentication is a middleware processing function that attempts to authenticate incoming HTTP requests.

func (*Service) UserAndNotebookSessionFromToken

func (s *Service) UserAndNotebookSessionFromToken(
	token string,
) (*model.User, *model.NotebookSession, error)

UserAndNotebookSessionFromToken gets the user and notebook session for a given token.

func (*Service) UserAndSessionFromRequest

func (s *Service) UserAndSessionFromRequest(
	r *http.Request,
) (*model.User, *model.UserSession, error)

UserAndSessionFromRequest gets the user and session corresponding to the given request.

type UserAuthZ

type UserAuthZ interface {

	// GET /api/v1/users/:user_id
	// Denying a user shouldn't return an error. Only a server error that needs to be
	// reported to the user should return an error.
	CanGetUser(ctx context.Context, curUser, targetUser model.User) error

	// GET /users
	// GET /api/v1/users
	// FilterUserList normally shouldn't return an error. It should just remove
	// users that the requesting user shouldn't see. It returns an error directly without
	// indication it occurred during a filtering stage to bubble up a failure to the user.
	FilterUserList(ctx context.Context, curUser model.User, users []model.FullUser) (
		[]model.FullUser, error)

	// POST /user
	// POST /api/v1/users
	CanCreateUser(
		ctx context.Context, curUser, userToAdd model.User, agentUserGroup *model.AgentUserGroup,
	) error

	// PATCH /users/:username
	// POST /api/v1/users/:user_id/password
	CanSetUsersPassword(ctx context.Context, curUser, targetUser model.User) error
	// PATCH /users/:username
	CanSetUsersActive(ctx context.Context, curUser, targetUser model.User, toActiveVal bool) error
	// PATCH /users/:username
	CanSetUsersAdmin(ctx context.Context, curUser, targetUser model.User, toAdminVal bool) error
	// PATCH /users/:username
	CanSetUsersRemote(ctx context.Context, curUser model.User) error
	// PATCH /users/:username
	CanSetUsersAgentUserGroup(
		ctx context.Context, curUser, targetUser model.User, agentUserGroup model.AgentUserGroup,
	) error
	// PATCH /users/:username/username
	CanSetUsersUsername(ctx context.Context, curUser, targetUser model.User) error
	// PATCH /api/v1/users/:user_id
	CanSetUsersDisplayName(ctx context.Context, curUser, targetUser model.User) error

	// GET /users/:username/image
	CanGetUsersImage(ctx context.Context, curUser, targetUsername model.User) error

	// GET /api/v1/users/setting
	CanGetUsersOwnSettings(ctx context.Context, curUser model.User) error
	// POST /api/v1/users/setting
	CanCreateUsersOwnSetting(
		ctx context.Context, curUser model.User, settings []*model.UserWebSetting,
	) error
	// POST /api/v1/users/setting/reset
	CanResetUsersOwnSettings(ctx context.Context, curUser model.User) error
}

UserAuthZ describes authz methods for `user` package.

type UserAuthZBasic

type UserAuthZBasic struct{}

UserAuthZBasic implements the basic OSS access controls.

func (*UserAuthZBasic) CanCreateUser

func (a *UserAuthZBasic) CanCreateUser(
	ctx context.Context, curUser, userToAdd model.User, agentUserGroup *model.AgentUserGroup,
) error

CanCreateUser returns an error if the user is not an admin.

func (*UserAuthZBasic) CanCreateUsersOwnSetting

func (a *UserAuthZBasic) CanCreateUsersOwnSetting(
	ctx context.Context, curUser model.User, settings []*model.UserWebSetting,
) error

CanCreateUsersOwnSetting always returns nil.

func (*UserAuthZBasic) CanGetUser

func (a *UserAuthZBasic) CanGetUser(
	ctx context.Context, curUser, targetUser model.User,
) error

CanGetUser always returns nil.

func (*UserAuthZBasic) CanGetUsersImage

func (a *UserAuthZBasic) CanGetUsersImage(
	ctx context.Context, curUser, targetUser model.User,
) error

CanGetUsersImage always returns nil.

func (*UserAuthZBasic) CanGetUsersOwnSettings

func (a *UserAuthZBasic) CanGetUsersOwnSettings(ctx context.Context, curUser model.User) error

CanGetUsersOwnSettings always returns nil.

func (*UserAuthZBasic) CanResetUsersOwnSettings

func (a *UserAuthZBasic) CanResetUsersOwnSettings(ctx context.Context, curUser model.User) error

CanResetUsersOwnSettings always returns nil.

func (*UserAuthZBasic) CanSetUsersActive

func (a *UserAuthZBasic) CanSetUsersActive(
	ctx context.Context, curUser, targetUser model.User, toActiveVal bool,
) error

CanSetUsersActive returns an error if the user is not an admin.

func (*UserAuthZBasic) CanSetUsersAdmin

func (a *UserAuthZBasic) CanSetUsersAdmin(
	ctx context.Context, curUser, targetUser model.User, toAdminVal bool,
) error

CanSetUsersAdmin returns an error if the user is not an admin.

func (*UserAuthZBasic) CanSetUsersAgentUserGroup

func (a *UserAuthZBasic) CanSetUsersAgentUserGroup(
	ctx context.Context, curUser, targetUser model.User, agentUserGroup model.AgentUserGroup,
) error

CanSetUsersAgentUserGroup returns an error if the user is not an admin.

func (*UserAuthZBasic) CanSetUsersDisplayName

func (a *UserAuthZBasic) CanSetUsersDisplayName(
	ctx context.Context, curUser, targetUser model.User,
) error

CanSetUsersDisplayName returns an error if the user is not an admin when trying to set another user's display name.

func (*UserAuthZBasic) CanSetUsersPassword

func (a *UserAuthZBasic) CanSetUsersPassword(
	ctx context.Context, curUser, targetUser model.User,
) error

CanSetUsersPassword returns an error if the user is not an admin when trying to set another user's password.

func (*UserAuthZBasic) CanSetUsersRemote

func (a *UserAuthZBasic) CanSetUsersRemote(ctx context.Context, curUser model.User) error

CanSetUsersRemote returns an error if the user is not an admin.

func (*UserAuthZBasic) CanSetUsersUsername

func (a *UserAuthZBasic) CanSetUsersUsername(
	ctx context.Context, curUser, targetUser model.User,
) error

CanSetUsersUsername returns an error if the user is not an admin.

func (*UserAuthZBasic) FilterUserList

func (a *UserAuthZBasic) FilterUserList(
	ctx context.Context, curUser model.User, users []model.FullUser,
) ([]model.FullUser, error)

FilterUserList always returns the input user list and does no filtering.

type UserAuthZPermissive

type UserAuthZPermissive struct{}

UserAuthZPermissive is the permissive implementation: each method calls the RBAC authz but enforces the basic authz decision.
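The UserAuthZ contract (a Can* method signals denial by returning an error) and the "calls RBAC authz but enforces basic authz" pattern of UserAuthZPermissive, shown for CanSetUsersPassword as an added Go example that is not part of the determined `user` package. It assumes a minimal `User` struct standing in for model.User, an `errForbidden` sentinel the page does not show, and a constructed `strictAuthZ` stub in place of the real RBAC implementation.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// User is a minimal stand-in for model.User, constructed for this example.
type User struct {
	ID       int
	Username string
	Admin    bool
}

// errForbidden is an assumed sentinel; the page does not show the package's own error values.
var errForbidden = errors.New("forbidden")

// basicAuthZ follows the documented UserAuthZBasic rule: self-service or admin only; denial is a returned error.
type basicAuthZ struct{}

func (basicAuthZ) CanSetUsersPassword(_ context.Context, cur, target User) error {
	if cur.ID == target.ID || cur.Admin {
		return nil
	}
	return errForbidden
}

// strictAuthZ is a constructed stub for the RBAC implementation; it denies every non-admin so the policies can disagree.
type strictAuthZ struct{}

func (strictAuthZ) CanSetUsersPassword(_ context.Context, cur, _ User) error {
	if cur.Admin {
		return nil
	}
	return errForbidden
}

// permissiveAuthZ mirrors the "calls RBAC authz but enforces basic authz" pattern:
// the strict verdict is computed and recorded, the basic verdict is what is enforced.
type permissiveAuthZ struct {
	basic         basicAuthZ
	strict        strictAuthZ
	Disagreements []string // audit trail: requests where the strict policy would decide differently
}

func (p *permissiveAuthZ) CanSetUsersPassword(ctx context.Context, cur, target User) error {
	basicErr := p.basic.CanSetUsersPassword(ctx, cur, target)
	strictErr := p.strict.CanSetUsersPassword(ctx, cur, target)
	if (basicErr == nil) != (strictErr == nil) {
		p.Disagreements = append(p.Disagreements, fmt.Sprintf("%s -> %s: basic=%v strict=%v",
			cur.Username, target.Username, basicErr, strictErr))
	}
	return basicErr
}

func main() {
	p := &permissiveAuthZ{}
	ctx := context.Background()
	alice, bob := User{ID: 1, Username: "alice"}, User{ID: 2, Username: "bob"}
	fmt.Println(p.CanSetUsersPassword(ctx, alice, alice)) // <nil>: basic allows self-service
	fmt.Println(p.CanSetUsersPassword(ctx, alice, bob))   // forbidden: both policies deny
	fmt.Println(p.Disagreements)                          // one entry, from the first call
}
```

The recorded disagreements are what an operator reviews before switching from the permissive to the RBAC implementation, since each one is a request the stricter policy would have rejected.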

func (*UserAuthZPermissive) CanCreateUser

func (p *UserAuthZPermissive) CanCreateUser(
	ctx context.Context, curUser, userToAdd model.User,
	agentUserGroup *model.AgentUserGroup,
) error

CanCreateUser calls RBAC authz but enforces basic authz.

func (*UserAuthZPermissive) CanCreateUsersOwnSetting

func (p *UserAuthZPermissive) CanCreateUsersOwnSetting(
	ctx context.Context, curUser model.User, settings []*model.UserWebSetting,
) error

CanCreateUsersOwnSetting calls RBAC authz but enforces basic authz.

func (*UserAuthZPermissive) CanGetUser

func (p *UserAuthZPermissive) CanGetUser(
	ctx context.Context, curUser, targetUser model.User,
) error

CanGetUser calls RBAC authz but enforces basic authz.

func (*UserAuthZPermissive) CanGetUsersImage

func (p *UserAuthZPermissive) CanGetUsersImage(
	ctx context.Context, curUser, targetUser model.User,
) error

CanGetUsersImage calls RBAC authz but enforces basic authz.

func (*UserAuthZPermissive) CanGetUsersOwnSettings

func (p *UserAuthZPermissive) CanGetUsersOwnSettings(
	ctx context.Context, curUser model.User,
) error

CanGetUsersOwnSettings calls RBAC authz but enforces basic authz.

func (*UserAuthZPermissive) CanResetUsersOwnSettings

func (p *UserAuthZPermissive) CanResetUsersOwnSettings(
	ctx context.Context, curUser model.User,
) error

CanResetUsersOwnSettings calls RBAC authz but enforces basic authz.

func (*UserAuthZPermissive) CanSetUsersActive

func (p *UserAuthZPermissive) CanSetUsersActive(
	ctx context.Context, curUser, targetUser model.User, toActiveVal bool,
) error

CanSetUsersActive calls RBAC authz but enforces basic authz.

func (*UserAuthZPermissive) CanSetUsersAdmin

func (p *UserAuthZPermissive) CanSetUsersAdmin(
	ctx context.Context, curUser, targetUser model.User, toAdminVal bool,
) error

CanSetUsersAdmin calls RBAC authz but enforces basic authz.

func (*UserAuthZPermissive) CanSetUsersAgentUserGroup

func (p *UserAuthZPermissive) CanSetUsersAgentUserGroup(
	ctx context.Context, curUser, targetUser model.User,
	agentUserGroup model.AgentUserGroup,
) error

CanSetUsersAgentUserGroup calls RBAC authz but enforces basic authz.

func (*UserAuthZPermissive) CanSetUsersDisplayName

func (p *UserAuthZPermissive) CanSetUsersDisplayName(
	ctx context.Context, curUser, targetUser model.User,
) error

CanSetUsersDisplayName calls RBAC authz but enforces basic authz.

func (*UserAuthZPermissive) CanSetUsersPassword

func (p *UserAuthZPermissive) CanSetUsersPassword(
	ctx context.Context, curUser, targetUser model.User,
) error

CanSetUsersPassword calls RBAC authz but enforces basic authz.

func (*UserAuthZPermissive) CanSetUsersRemote

func (p *UserAuthZPermissive) CanSetUsersRemote(ctx context.Context, curUser model.User) error

CanSetUsersRemote calls RBAC authz but enforces basic authz.

func (*UserAuthZPermissive) CanSetUsersUsername

func (p *UserAuthZPermissive) CanSetUsersUsername(
	ctx context.Context, curUser, targetUser model.User,
) error

CanSetUsersUsername calls RBAC authz but enforces basic authz.

func (*UserAuthZPermissive) FilterUserList

func (p *UserAuthZPermissive) FilterUserList(
	ctx context.Context, curUser model.User, users []model.FullUser,
) ([]model.FullUser, error)

FilterUserList calls RBAC authz but enforces basic authz.

type UserAuthZRBAC

type UserAuthZRBAC struct{}

UserAuthZRBAC is the RBAC implementation of user authorization.

func (*UserAuthZRBAC) CanCreateUser

func (a *UserAuthZRBAC) CanCreateUser(
	ctx context.Context, curUser, userToAdd model.User, agentUserGroup *model.AgentUserGroup,
) error

CanCreateUser returns an error if the user does not have admin permissions or does not have permission to update groups.

func (*UserAuthZRBAC) CanCreateUsersOwnSetting

func (a *UserAuthZRBAC) CanCreateUsersOwnSetting(
	ctx context.Context, curUser model.User, setting []*model.UserWebSetting,
) error

CanCreateUsersOwnSetting always returns nil.

func (*UserAuthZRBAC) CanGetUser

func (a *UserAuthZRBAC) CanGetUser(
	ctx context.Context, curUser, targetUser model.User,
) error

CanGetUser always returns nil.

func (*UserAuthZRBAC) CanGetUsersImage

func (a *UserAuthZRBAC) CanGetUsersImage(
	ctx context.Context, curUser, targetUser model.User,
) error

CanGetUsersImage always returns nil.

func (*UserAuthZRBAC) CanGetUsersOwnSettings

func (a *UserAuthZRBAC) CanGetUsersOwnSettings(ctx context.Context, curUser model.User) error

CanGetUsersOwnSettings always returns nil.

func (*UserAuthZRBAC) CanResetUsersOwnSettings

func (a *UserAuthZRBAC) CanResetUsersOwnSettings(ctx context.Context, curUser model.User) error

CanResetUsersOwnSettings always returns nil.

func (*UserAuthZRBAC) CanSetUsersActive

func (a *UserAuthZRBAC) CanSetUsersActive(
	ctx context.Context, curUser, targetUser model.User, toActiveVal bool,
) error

CanSetUsersActive returns an error if the user does not have admin permissions.

func (*UserAuthZRBAC) CanSetUsersAdmin

func (a *UserAuthZRBAC) CanSetUsersAdmin(
	ctx context.Context, curUser, targetUser model.User, toAdminVal bool,
) error

CanSetUsersAdmin returns an error if the user does not have admin permissions.

func (*UserAuthZRBAC) CanSetUsersAgentUserGroup

func (a *UserAuthZRBAC) CanSetUsersAgentUserGroup(
	ctx context.Context, curUser, targetUser model.User, agentUserGroup model.AgentUserGroup,
) error

CanSetUsersAgentUserGroup returns an error if the user does not have admin permissions.

func (*UserAuthZRBAC) CanSetUsersDisplayName

func (a *UserAuthZRBAC) CanSetUsersDisplayName(
	ctx context.Context, curUser, targetUser model.User,
) (err error)

CanSetUsersDisplayName returns an error if the user is not an admin and does not have admin permissions when trying to set another user's display name.

func (*UserAuthZRBAC) CanSetUsersPassword

func (a *UserAuthZRBAC) CanSetUsersPassword(
	ctx context.Context, curUser, targetUser model.User,
) (err error)

CanSetUsersPassword returns an error if the user is not the target user and does not have admin permissions when trying to set another user's password.

func (*UserAuthZRBAC) CanSetUsersRemote

func (a *UserAuthZRBAC) CanSetUsersRemote(ctx context.Context, curUser model.User) error

CanSetUsersRemote returns an error if the user does not have admin permissions.

func (*UserAuthZRBAC) CanSetUsersUsername

func (a *UserAuthZRBAC) CanSetUsersUsername(
	ctx context.Context, curUser, targetUser model.User,
) error

CanSetUsersUsername returns an error if the user does not have admin permissions.

func (*UserAuthZRBAC) FilterUserList

func (a *UserAuthZRBAC) FilterUserList(
	ctx context.Context, curUser model.User, users []model.FullUser,
) ([]model.FullUser, error)

FilterUserList always returns the input user list and does no filtering.

type UserProfileImage

type UserProfileImage struct {
	bun.BaseModel `bun:"table:user_profile_images"`
	ID            int          `bun:"id,pk,autoincrement"`
	UserID        model.UserID `bun:"user_id"`
	FileData      []byte       `bun:"file_data"`
}

A UserProfileImage row just contains the profile image data. It is probably split into another table to avoid medium-sized images missing TOAST and slowing scans down, but I'm not sure since I didn't write this code.

type UserSessionOption

type UserSessionOption func(f *model.UserSession)

UserSessionOption is the return type of the WithInheritedClaims helper function.

func WithInheritedClaims

func WithInheritedClaims(claims map[string]string) UserSessionOption

WithInheritedClaims adds the specified inherited claims to the user session.
