auth

package
v0.1.4

This package is not in the latest version of its module.
Published: Jan 5, 2021 License: MPL-2.0 Imports: 23 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DisabledAuthTestContext

func DisabledAuthTestContext(opt ...Option) context.Context

DisabledAuthTestContext is meant for testing only: it returns a context in which auth checking is entirely disabled.

func NewVerifierContext

func NewVerifierContext(ctx context.Context,
	logger hclog.Logger,
	iamRepoFn common.IamRepoFactory,
	authTokenRepoFn common.AuthTokenRepoFactory,
	serversRepoFn common.ServersRepoFactory,
	kms *kms.Kms,
	requestInfo RequestInfo) context.Context

NewVerifierContext creates a context that carries a verifier object from the HTTP handlers to the gRPC service handlers. It should only be created in the HTTP handler and should exist for every request that reaches the service handlers.

Types

type Option

type Option func(*options)

Option is the functional-option type used to pass configuration arguments to this package's functions.

func WithAction

func WithAction(action action.Type) Option

func WithAnonymousUserNotAllowed added in v0.1.3

func WithAnonymousUserNotAllowed(notAllowed bool) Option

func WithId

func WithId(id string) Option

func WithKms

func WithKms(kms *kms.Kms) Option

func WithPin

func WithPin(pin string) Option

func WithRecoveryTokenNotAllowed added in v0.1.3

func WithRecoveryTokenNotAllowed(notAllowed bool) Option

func WithScopeId

func WithScopeId(id string) Option

func WithType

func WithType(rt resource.Type) Option

func WithUserId

func WithUserId(id string) Option

type RequestInfo

type RequestInfo struct {
	Path           string
	Method         string
	PublicId       string
	EncryptedToken string
	Token          string
	TokenFormat    TokenFormat

	DisableAuthzFailures bool
	DisableAuthEntirely  bool
	// contains filtered or unexported fields
}

RequestInfo contains the request parameters necessary for checking authn/authz.

type SubType

type SubType int
const (
	UnknownSubtype SubType = iota
	PasswordSubtype
)

func SubtypeFromId

func SubtypeFromId(id string) SubType

SubtypeFromId takes any public id in the auth subsystem and uses the prefix to determine what subtype the id is for. Returns UnknownSubtype if no SubType with this id's prefix is found.

func SubtypeFromType

func SubtypeFromType(t string) SubType

SubtypeFromType converts a string to a SubType. Returns UnknownSubtype if no SubType with that name is found.

func (SubType) String

func (t SubType) String() string

type TokenFormat

type TokenFormat int
const (
	// We weren't given one or couldn't parse it
	AuthTokenTypeUnknown TokenFormat = iota

	// Came in via the Authentication: Bearer header
	AuthTokenTypeBearer

	// Came in via split cookies
	AuthTokenTypeSplitCookie

	// It's of recovery type
	AuthTokenTypeRecoveryKms
)

func GetTokenFromRequest

func GetTokenFromRequest(logger hclog.Logger, kmsCache *kms.Kms, req *http.Request) (string, string, TokenFormat)

GetTokenFromRequest pulls the token from either the Authorization header or split cookies and parses it. If it cannot be parsed successfully, the issue is logged and blank values are returned, so that processing continues as the anonymous user. The public ID and the _encrypted_ token are returned along with the token format.

type VerifyResults

type VerifyResults struct {
	UserId      string
	AuthTokenId string
	Error       error
	Scope       *scopes.ScopeInfo

	// RoundTripValue can be set to allow the function performing authentication
	// (often accompanied by lookup(s)) to return a result of that lookup to the
	// calling function. It is opaque to this package.
	RoundTripValue interface{}
	// contains filtered or unexported fields
}

func Verify

func Verify(ctx context.Context, opt ...Option) (ret VerifyResults)

Verify takes in a context that carries the expected parameters as values and runs an authn/authz check. It returns a user ID, the scope ID for the request (which may come from the URL or from the token) and whether or not to proceed, i.e. whether the authn/authz check resulted in failure. If an error occurs it is logged to the system log.

func (*VerifyResults) AdditionalVerification

func (r *VerifyResults) AdditionalVerification(ctx context.Context, opt ...Option) (ret VerifyResults)

AdditionalVerification is used to perform checks of additional resources for actions that need to touch more than one.
