Constants ¶
// MaxLevel is the maximum group hierarchy level; tree queries are bounded by it.
const MaxLevel uint64 = 5

// MinLevel is the minimum group hierarchy level (a root group is level 1).
const MinLevel uint64 = 1
// Key types (see Key.Type). The numeric values are part of the stored
// representation, so they are spelled out explicitly here.
const (
	// LoginKey is the temporary key a user receives on successful login.
	LoginKey uint32 = 0
	// RecoveryKey is a key issued for resetting a password.
	RecoveryKey uint32 = 1
	// APIKey enables its holder to act on behalf of the user it was issued to.
	APIKey uint32 = 2
)
Variables ¶
// ErrAssignToGroup indicates failure to assign a member to a group.
var ErrAssignToGroup = errors.New("failed to assign member to a group")

// ErrUnassignFromGroup indicates failure to unassign a member from a group.
var ErrUnassignFromGroup = errors.New("failed to unassign member from a group")

// ErrMissingParent indicates that the parent group can't be found.
var ErrMissingParent = errors.New("failed to retrieve parent")

// ErrGroupNotEmpty indicates that the group is not empty and so can't be deleted.
var ErrGroupNotEmpty = errors.New("group is not empty")

// ErrMemberAlreadyAssigned indicates that the member is already assigned.
var ErrMemberAlreadyAssigned = errors.New("member is already assigned")
// ErrInvalidKeyIssuedAt indicates that the Key is being used before its
// issue time.
var ErrInvalidKeyIssuedAt = errors.New("invalid issue time")

// ErrKeyExpired indicates that the Key is expired.
var ErrKeyExpired = errors.New("use of expired key")

// ErrAPIKeyExpired indicates that the Key is expired and that its type is
// API key; it is a separate sentinel from ErrKeyExpired, so callers that
// want to treat both alike must check for each.
var ErrAPIKeyExpired = errors.New("use of expired API key")
// ErrFailedToRetrieveMembers indicates failure to retrieve group members.
var ErrFailedToRetrieveMembers = errors.New("failed to retrieve group members")

// ErrFailedToRetrieveMembership indicates failure to retrieve memberships.
var ErrFailedToRetrieveMembership = errors.New("failed to retrieve memberships")

// ErrFailedToRetrieveAll indicates failure to retrieve groups.
var ErrFailedToRetrieveAll = errors.New("failed to retrieve all groups")

// ErrFailedToRetrieveParents indicates failure to retrieve parent groups.
// Its message is identical to ErrFailedToRetrieveAll's; distinguish the two
// with errors.Is, not by comparing message text.
var ErrFailedToRetrieveParents = errors.New("failed to retrieve all groups")

// ErrFailedToRetrieveChildren indicates failure to retrieve child groups.
// Its message is identical to ErrFailedToRetrieveAll's; distinguish the two
// with errors.Is, not by comparing message text.
var ErrFailedToRetrieveChildren = errors.New("failed to retrieve all groups")
Functions ¶
This section is empty.
Types ¶
type Authn ¶
// Authn specifies an API that must be fulfilled by the domain service
// implementation, and all of its decorators (e.g. logging & metrics).
// Token is a string value of the actual Key and is used to authenticate
// an Auth service request.
type Authn interface {
	// Issue issues a new Key for the caller authenticated by token,
	// returning the stored Key together with its token value.
	Issue(ctx context.Context, token string, key Key) (Key, string, error)

	// Revoke removes the Key with the provided id that is
	// issued by the user identified by the provided token.
	Revoke(ctx context.Context, token, id string) error

	// RetrieveKey retrieves data for the Key identified by the provided
	// id, that is issued by the user identified by the provided token.
	RetrieveKey(ctx context.Context, token, id string) (Key, error)

	// Identify validates the given token. If the token is valid, its
	// content is returned as an Identity. If the token is invalid, or the
	// invocation failed for some other reason, a non-nil error is returned;
	// callers should not proceed as authenticated on a non-nil error.
	Identify(ctx context.Context, token string) (Identity, error)
}
Authn specifies an API that must be fulfilled by the domain service implementation, and all of its decorators (e.g. logging & metrics). Token is a string value of the actual Key and is used to authenticate an Auth service request.
type Authz ¶
// Authz represents an authorization service. It exposes functionalities
// through `auth` to perform authorization.
type Authz interface {
	// Authorize checks authorization of the given `subject`: it verifies
	// that `subject` is allowed `relation` on `object`. Authorize returns
	// a non-nil error if the subject has no relation on the object (which
	// simply means the operation is denied), so only a nil error grants
	// access.
	Authorize(ctx context.Context, pr PolicyReq) error

	// AddPolicy creates a policy for the given subject, so that, after
	// AddPolicy, `subject` has a `relation` on `object`. Returns a non-nil
	// error in case of failures.
	AddPolicy(ctx context.Context, pr PolicyReq) error

	// AddPolicies adds new policies for the given subjects and relations
	// on object. Only an admin, identified by token, is allowed to use
	// this method.
	AddPolicies(ctx context.Context, token, object string, subjectIDs, relations []string) error

	// DeletePolicy removes a policy.
	DeletePolicy(ctx context.Context, pr PolicyReq) error

	// DeletePolicies removes policies for the given subjects and relations
	// on object. Only an admin, identified by token, is allowed to use
	// this method.
	DeletePolicies(ctx context.Context, token, object string, subjectIDs, relations []string) error

	// ListPolicies lists policies based on the given PolicyReq structure.
	ListPolicies(ctx context.Context, pr PolicyReq) (PolicyPage, error)
}
Authz represents an authorization service. It exposes functionalities through `auth` to perform authorization.
type Group ¶
// Group represents the group information.
type Group struct {
	// ID uniquely identifies the group.
	ID string
	// OwnerID identifies the owner of the group (presumably a user ID — confirm).
	OwnerID string
	// ParentID identifies the parent group in the hierarchy.
	ParentID string
	Name        string
	Description string
	// Metadata is free-form key/value data attached to the group.
	Metadata GroupMetadata
	// Level indicates a level in the tree hierarchy.
	// The root node is level 1.
	// NOTE: Level is an int, while MinLevel/MaxLevel and PageMetadata.Level
	// are uint64, so comparisons need an explicit conversion.
	Level int
	// Path in a tree consisting of group ids
	// parentID1.parentID2.childID1
	// e.g. 01EXPM5Z8HRGFAEWTETR1X1441.01EXPKW2TVK74S5NWQ979VJ4PJ.01EXPKW2TVK74S5NWQ979VJ4PJ
	Path string
	// Children holds the child groups, when populated.
	Children  []*Group
	CreatedAt time.Time
	UpdatedAt time.Time
}
Group represents the group information.
type GroupMetadata ¶
// GroupMetadata defines the Metadata type: arbitrary string keys mapped to
// untyped values, so consumers must type-assert values before use.
type GroupMetadata map[string]interface{}
GroupMetadata defines the Metadata type.
type GroupPage ¶
// GroupPage contains page related metadata as well as the list of groups
// that belong to this page.
type GroupPage struct {
	PageMetadata
	// Groups holds the groups on this page.
	Groups []Group
}
GroupPage contains page related metadata as well as list of groups that belong to this page.
type GroupRepository ¶
// GroupRepository specifies a group persistence API.
type GroupRepository interface {
	// Save persists a new group and returns the stored group.
	Save(ctx context.Context, g Group) (Group, error)

	// Update updates a group and returns the stored group.
	Update(ctx context.Context, g Group) (Group, error)

	// Delete deletes the group identified by id.
	Delete(ctx context.Context, id string) error

	// RetrieveByID retrieves a group by its id.
	RetrieveByID(ctx context.Context, id string) (Group, error)

	// RetrieveAll retrieves all groups, paged by pm.
	RetrieveAll(ctx context.Context, pm PageMetadata) (GroupPage, error)

	// RetrieveAllParents retrieves all groups that are ancestors to the group with the given groupID.
	RetrieveAllParents(ctx context.Context, groupID string, pm PageMetadata) (GroupPage, error)

	// RetrieveAllChildren retrieves all children from the group with the given groupID up to the hierarchy level.
	RetrieveAllChildren(ctx context.Context, groupID string, pm PageMetadata) (GroupPage, error)

	// Memberships retrieves the list of groups that the member identified by memberID belongs to.
	Memberships(ctx context.Context, memberID string, pm PageMetadata) (GroupPage, error)

	// Members retrieves everything that is assigned to the group identified by groupID.
	Members(ctx context.Context, groupID, groupType string, pm PageMetadata) (MemberPage, error)

	// Assign adds members to a group.
	Assign(ctx context.Context, groupID, groupType string, memberIDs ...string) error

	// Unassign removes members from a group. Unlike Assign it takes no
	// groupType, so removal applies regardless of the type used on assignment.
	Unassign(ctx context.Context, groupID string, memberIDs ...string) error
}
GroupRepository specifies a group persistence API.
type GroupService ¶
// GroupService specifies an API that must be fulfilled by the domain service
// implementation, and all of its decorators (e.g. logging & metrics).
// Every method takes the caller's token, which authenticates the request.
type GroupService interface {
	// CreateGroup creates a new group.
	CreateGroup(ctx context.Context, token string, g Group) (Group, error)

	// UpdateGroup updates the group identified by the provided ID.
	UpdateGroup(ctx context.Context, token string, g Group) (Group, error)

	// ViewGroup retrieves data about the group identified by id.
	ViewGroup(ctx context.Context, token, id string) (Group, error)

	// ListGroups retrieves groups, paged by pm.
	ListGroups(ctx context.Context, token string, pm PageMetadata) (GroupPage, error)

	// ListChildren retrieves groups that are children of the group identified by parentID.
	ListChildren(ctx context.Context, token, parentID string, pm PageMetadata) (GroupPage, error)

	// ListParents retrieves groups that are parents of the group identified by childID.
	ListParents(ctx context.Context, token, childID string, pm PageMetadata) (GroupPage, error)

	// ListMembers retrieves everything that is assigned to the group identified by groupID.
	ListMembers(ctx context.Context, token, groupID, groupType string, pm PageMetadata) (MemberPage, error)

	// ListMemberships retrieves all groups that the member identified by memberID belongs to.
	ListMemberships(ctx context.Context, token, memberID string, pm PageMetadata) (GroupPage, error)

	// RemoveGroup removes the group identified by the provided id
	// (see ErrGroupNotEmpty for the non-empty case).
	RemoveGroup(ctx context.Context, token, id string) error

	// Assign adds the members identified by memberIDs into the group identified by groupID.
	Assign(ctx context.Context, token, groupID, groupType string, memberIDs ...string) error

	// Unassign removes the members identified by memberIDs from the group identified by groupID.
	Unassign(ctx context.Context, token, groupID string, memberIDs ...string) error

	// AssignGroupAccessRights adds access rights on a thing group to a user group.
	AssignGroupAccessRights(ctx context.Context, token, thingGroupID, userGroupID string) error
}
GroupService specifies an API that must be fulfilled by the domain service implementation, and all of its decorators (e.g. logging & metrics).
type Key ¶
// Key represents API key.
type Key struct {
	// ID uniquely identifies the key.
	ID string
	// Type is the key kind; see LoginKey, RecoveryKey and APIKey.
	Type uint32
	// IssuerID identifies the user that issued the key.
	IssuerID string
	// Subject is the principal the key was issued for (presumably a user ID — confirm).
	Subject string
	// IssuedAt is the issue time; use of the key before it is reported as
	// ErrInvalidKeyIssuedAt.
	IssuedAt time.Time
	// ExpiresAt is the expiry time; use of the key after it is reported as
	// ErrKeyExpired (ErrAPIKeyExpired for an API key).
	ExpiresAt time.Time
}
Key represents API key.
type KeyRepository ¶
// KeyRepository specifies Key persistence API.
type KeyRepository interface {
	// Save persists the Key and returns a string (presumably the stored
	// key's ID — confirm). A non-nil error is returned to indicate
	// operation failure.
	Save(context.Context, Key) (string, error)

	// Retrieve retrieves a Key by its unique identifier. The two string
	// arguments are unnamed here; by analogy with Authn.RetrieveKey they
	// are presumably the issuer ID and the key ID — confirm against the
	// implementation.
	Retrieve(context.Context, string, string) (Key, error)

	// Remove removes the Key with the provided ID; same argument
	// convention as Retrieve.
	Remove(context.Context, string, string) error
}
KeyRepository specifies Key persistence API.
type MemberPage ¶
// MemberPage contains page related metadata as well as the list of members
// that belong to this page.
type MemberPage struct {
	PageMetadata
	// Members holds the members on this page.
	Members []Member
}
MemberPage contains page related metadata as well as list of members that belong to this page.
type PageMetadata ¶
// PageMetadata contains page metadata that helps navigation.
type PageMetadata struct {
	// Total is the total number of matching items.
	Total uint64
	// Offset is the position of the first item on this page.
	Offset uint64
	// Limit is the requested page size.
	Limit uint64
	// Size is the number of items actually on this page.
	Size uint64
	// Level is a hierarchy level, presumably bounding tree queries such as
	// RetrieveAllChildren (see MinLevel and MaxLevel) — confirm.
	Level uint64
	// Name and Type filter the listed items.
	Name string
	Type string
	// Metadata filters by group metadata.
	Metadata GroupMetadata
}
PageMetadata contains page metadata that helps navigation.
type PolicyAgent ¶
// PolicyAgent facilitates the communication to authorization services and
// implements Authz functionalities for certain authorization services
// (e.g. ORY Keto).
type PolicyAgent interface {
	// CheckPolicy checks if the subject has a relation on the object.
	// It returns a non-nil error if the subject has no relation on
	// the object (which simply means the operation is denied), so only
	// a nil error grants access.
	CheckPolicy(ctx context.Context, pr PolicyReq) error

	// AddPolicy creates a policy for the given subject, so that, after
	// AddPolicy, `subject` has a `relation` on `object`. Returns a non-nil
	// error in case of failures.
	AddPolicy(ctx context.Context, pr PolicyReq) error

	// DeletePolicy removes a policy.
	DeletePolicy(ctx context.Context, pr PolicyReq) error

	// RetrievePolicies returns the relation tuples matching the given
	// PolicyReq.
	RetrievePolicies(ctx context.Context, pr PolicyReq) ([]*acl.RelationTuple, error)
}
PolicyAgent facilitates the communication to authorization services and implements Authz functionalities for certain authorization services (e.g. ORY Keto).
type PolicyPage ¶
// PolicyPage holds the policies returned by Authz.ListPolicies.
type PolicyPage struct {
	// Policies lists the matching policies.
	Policies []string
}
type PolicyReq ¶
PolicyReq represents an argument struct for making a policy related function calls.
type Service ¶
// Service specifies an API that must be fulfilled by the domain service
// implementation, and all of its decorators (e.g. logging & metrics).
// Token is a string value of the actual Key and is used to authenticate
// an Auth service request.
type Service interface {
	// Authn provides key issuing, revocation and token identification.
	Authn
	// Authz provides policy checks and policy management.
	Authz
	// GroupService implements the groups API: creating groups and assigning members.
	GroupService
}
Service specifies an API that must be fulfilled by the domain service implementation, and all of its decorators (e.g. logging & metrics). Token is a string value of the actual Key and is used to authenticate an Auth service request.
func New ¶
// New instantiates the auth service implementation. keys and groups are the
// persistence backends, idp provides identifiers, tokenizer handles token
// encoding, policyAgent backs the Authz methods, and duration is presumably
// the validity period applied to issued keys — confirm against the
// implementation.
func New(keys KeyRepository, groups GroupRepository, idp mainflux.IDProvider, tokenizer Tokenizer, policyAgent PolicyAgent, duration time.Duration) Service
New instantiates the auth service implementation.
Directories ¶
Path | Synopsis |
---|---|
Package api contains implementation of Auth service HTTP API.
|
Package api contains implementation of Auth service HTTP API. |
grpc
Package grpc contains implementation of Auth service gRPC API.
|
Package grpc contains implementation of Auth service gRPC API. |
Package keto contains PolicyAgent implementation using Keto.
|
Package keto contains PolicyAgent implementation using Keto. |
Package postgres contains Key repository implementations using PostgreSQL as the underlying database.
|
Package postgres contains Key repository implementations using PostgreSQL as the underlying database. |
Package tracing contains middlewares that will add spans to existing traces.
|
Package tracing contains middlewares that will add spans to existing traces. |