Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DisabledAuthTestContext ¶
DisabledAuthTestContext is meant for testing, and uses a context that has auth checking entirely disabled
func NewVerifierContext ¶
func NewVerifierContext(ctx context.Context, logger hclog.Logger, iamRepoFn common.IamRepoFactory, authTokenRepoFn common.AuthTokenRepoFactory, serversRepoFn common.ServersRepoFactory, kms *kms.Kms, requestInfo RequestInfo) context.Context
NewVerifierContext creates a context that carries a verifier object from the HTTP handlers to the gRPC service handlers. It should only be created in the HTTP handler and should exist for every request that reaches the service handlers.
Types ¶
type Option ¶
type Option func(*options)
Option - how Options are passed as arguments
func WithAction ¶
func WithScopeId ¶
func WithUserId ¶
type RequestInfo ¶
type RequestInfo struct {
Path string
Method string
PublicId string
EncryptedToken string
Token string
TokenFormat TokenFormat
DisableAuthzFailures bool
DisableAuthEntirely bool
// contains filtered or unexported fields
}
RequestInfo contains request parameters necessary for checking authn/authz
type SubType ¶
type SubType int
func SubtypeFromId ¶
SubtypeFromId takes any public id in the auth subsystem and uses the prefix to determine what subtype the id is for. Returns UnknownSubtype if no SubType with this id's prefix is found.
func SubtypeFromType ¶
SubtypeFromType converts a string to a SubType. returns UnknownSubtype if no SubType with that name is found.
type TokenFormat ¶
type TokenFormat int
const ( // We weren't given one or couldn't parse it AuthTokenTypeUnknown TokenFormat = iota // Came in via the Authentication: Bearer header AuthTokenTypeBearer // Came in via split cookies AuthTokenTypeSplitCookie // It's of recovery type AuthTokenTypeRecoveryKms )
func GetTokenFromRequest ¶
func GetTokenFromRequest(logger hclog.Logger, kmsCache *kms.Kms, req *http.Request) (string, string, TokenFormat)
GetTokenFromRequest pulls the token from either the Authorization header or split cookies and parses it. If it cannot be parsed successfully, the issue is logged and we return blank, so logic will continue as the anonymous user. The public ID and _encrypted_ token are returned along with the token format.
type VerifyResults ¶
type VerifyResults struct {
UserId string
AuthTokenId string
Error error
Scope *scopes.ScopeInfo
// contains filtered or unexported fields
}
func Verify ¶
func Verify(ctx context.Context, opt ...Option) (ret VerifyResults)
Verify takes in a context that has expected parameters as values and runs an authn/authz check. It returns a user ID, the scope ID for the request (which may come from the URL and may come from the token) and whether or not to proceed, e.g. whether the authn/authz check resulted in failure. If an error occurs it's logged to the system log.
func (*VerifyResults) AdditionalVerification ¶
func (r *VerifyResults) AdditionalVerification(ctx context.Context, opt ...Option) (ret VerifyResults)
AdditionalVerification is used to perform checks of additional resources for actions that need to touch more than one.
Source Files
Directories