authz

package
v0.25.559 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 8, 2024 License: MIT Imports: 17 Imported by: 0

Documentation

Overview

Package authz provides an implemention of http authorization where specific URI (or URI's and their children) are allowed access by a set of roles

the caller can supply a way to map from a request to a role name.

the access control points are on entire URI segments only, e.g. Allow("/foo/bar", "bob") gives access to /foo/bar /foo/bar/baz, but not /foo/barry

Access is based on the deepest matching path, not the accumulated paths, so, Allow("/foo", "bob") Allow("/foo/bar", "barry") will allow barry access to /foo/bar but not access to /foo

AllowAny("/foo") will allow any authenticated request access to the /foo resource AllowAnyRole("/bar") will allow any authenticated request with a non-empty role access to the /bar resource

AllowAny, allowAnyRole always overrides any matching Allow regardless of the order of calls multiple calls to Allow for the same resource are cumulative, e.g. Allow("/foo", "bob") Allow("/foo", "barry") is equivilent to Allow("/foo", "bob", "barry")

Once you've built your Provider you can call NewHandler to get a http.Handler that implements those rules.

Index

Constants

This section is empty.

Variables

View Source
var (
	// ErrNoRoleMapperSpecified can't call NewHandler before you've set the RoleMapper function
	ErrNoRoleMapperSpecified = errors.New("you must have a RoleMapper set to be able to create a http.Handler")
	// ErrNoPathsConfigured is returned by NewHandler if you call NewHandler, but haven't configured any paths to be accessible
	ErrNoPathsConfigured = errors.New("you must have at least one path before being able to create a http.Handler")
)

Functions

This section is empty.

Types

type Config

type Config struct {
	// Allow will allow the specified roles access to this path and its children, in format: ${path}:${role},${role}
	Allow []string `json:"allow" yaml:"allow"`

	// AllowAny will allow any authenticated request access to this path and its children
	AllowAny []string `json:"allow_any" yaml:"allow_any"`

	// AllowAnyRole will allow any authenticated request that include a non empty role
	AllowAnyRole []string `json:"allow_any_role" yaml:"allow_any_role"`

	// LogAllowedAny specifies to log allowed access to nodes in AllowAny list
	LogAllowedAny bool `json:"log_allowed_any" yaml:"log_allowed_any"`

	// LogAllowed specifies to log allowed access
	LogAllowed bool `json:"log_allowed" yaml:"log_allowed"`

	// LogDenied specifies to log denied access
	LogDenied bool `json:"log_denied" yaml:"log_denied"`

	// SkipLogPaths if set, specifies a list of paths to not log.
	// this can be used for /v1/status/node or /metrics
	SkipLogPaths []telemetry.LoggerSkipPath `json:"logger_skip_paths,omitempty" yaml:"logger_skip_paths,omitempty"`
}

Config contains configuration for the authorization module

type GRPCAuthz

type GRPCAuthz interface {
	// SetGRPCRoleMapper configures the function that provides
	// the mapping from a gRPC request to a role name
	SetGRPCRoleMapper(m func(ctx context.Context) identity.Identity)
	// NewUnaryInterceptor returns grpc.UnaryServerInterceptor that enforces the current
	// authorization configuration.
	// The returned interceptor will extract the role and verify that the role has access to the
	// URI being request, and either return an error, or pass the request on to the supplied
	// delegate handler
	NewUnaryInterceptor() grpc.UnaryServerInterceptor
}

GRPCAuthz represents an Authorization provider interface, You can call Allow or AllowAny to specify which roles are allowed access to which path segments. once configured you can create a Unary interceptor that enforces that configuration for you by calling NewUnaryInterceptor

type HTTPAuthz

type HTTPAuthz interface {
	// SetRoleMapper configures the function that provides the mapping from an HTTP request to a role name
	SetRoleMapper(func(*http.Request) identity.Identity)
	// NewHandler returns a http.Handler that enforces the current authorization configuration
	// The handler has its own copy of the configuration changes to the Provider after calling
	// NewHandler won't affect previously created Handlers.
	// The returned handler will extract the role and verify that the role has access to the
	// URI being request, and either return an error, or pass the request on to the supplied
	// delegate handler
	NewHandler(delegate http.Handler) (http.Handler, error)
}

HTTPAuthz represents an Authorization provider interface, You can call Allow or AllowAny to specify which roles are allowed access to which path segments. once configured you can create a http.Handler that enforces that configuration for you by calling NewHandler

type Provider

type Provider struct {
	// contains filtered or unexported fields
}

Provider represents an Authorization provider, You can call Allow or AllowAny to specify which roles are allowed access to which path segments. once configured you can create a http.Handler that enforces that configuration for you by calling NewHandler

func New

func New(cfg *Config) (*Provider, error)

New returns new Authz provider

func (*Provider) Allow

func (c *Provider) Allow(path string, roles ...string)

Allow will allow the specified roles access to this path and its children [unless a specific Allow/AllowAny is called for a child path] multiple calls to Allow for the same path are cumulative

func (*Provider) AllowAny

func (c *Provider) AllowAny(path string)

AllowAny will allow any authenticated request access to this path and its children [unless a specific Allow/AllowAny is called for a child path]

func (*Provider) AllowAnyRole

func (c *Provider) AllowAnyRole(path string)

AllowAnyRole will allow any authenticated request that include a non empty role access to this path and its children [unless a specific Allow/AllowAny is called for a child path]

func (*Provider) Clone

func (c *Provider) Clone() *Provider

Clone returns a deep copy of this Provider

func (*Provider) NewHandler

func (c *Provider) NewHandler(delegate http.Handler) (http.Handler, error)

NewHandler returns a http.Handler that enforces the current authorization configuration The handler has its own copy of the configuration changes to the Provider after calling NewHandler won't affect previously created Handlers. The returned handler will extract the role and verify that the role has access to the URI being request, and either return an error, or pass the request on to the supplied delegate handler

func (*Provider) NewUnaryInterceptor

func (c *Provider) NewUnaryInterceptor() grpc.UnaryServerInterceptor

NewUnaryInterceptor returns grpc.UnaryServerInterceptor to check access

func (*Provider) SetGRPCRoleMapper

func (c *Provider) SetGRPCRoleMapper(m func(ctx context.Context) identity.Identity)

SetGRPCRoleMapper configures the function that provides the mapping from a gRPC request to a role name

func (*Provider) SetRoleMapper

func (c *Provider) SetRoleMapper(m func(r *http.Request) identity.Identity)

SetRoleMapper configures the function that provides the mapping from an HTTP request to a role name

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL