Documentation
Index
- func CalculateAuthorizedCollectionActions(ctx context.Context, authResults VerifyResults, ...) (map[string]*structpb.ListValue, error)
- func DisabledAuthTestContext(iamRepoFn common.IamRepoFactory, scopeId string, opt ...Option) context.Context
- func GetTokenFromRequest(ctx context.Context, kmsCache *kms.Kms, req *http.Request) (string, string, uint32)
- func NewVerifierContext(ctx context.Context, iamRepoFn common.IamRepoFactory, ...) context.Context
- func NewVerifierContextWithAccounts(ctx context.Context, iamRepoFn common.IamRepoFactory, ...) context.Context
- type Option
- func WithAction(action action.Type) Option
- func WithAnonymousUserNotAllowed(notAllowed bool) Option
- func WithId(id string) Option
- func WithKms(kms *kms.Kms) Option
- func WithPin(pin string) Option
- func WithRecoveryTokenNotAllowed(notAllowed bool) Option
- func WithResource(resource *perms.Resource) Option
- func WithScopeId(id string) Option
- func WithType(rt resource.Type) Option
- func WithUserId(id string) Option
- type TokenFormat
- type VerifyResults
- func (r *VerifyResults) ACL() perms.ACL
- func (r *VerifyResults) FetchActionSetForId(ctx context.Context, id string, availableActions action.ActionSet, ...) action.ActionSet
- func (r *VerifyResults) FetchActionSetForType(ctx context.Context, typ resource.Type, availableActions action.ActionSet, ...) action.ActionSet
- func (r *VerifyResults) FetchOutputFields(res perms.Resource, act action.Type) *perms.OutputFields
- func (r *VerifyResults) ScopesAuthorizedForList(ctx context.Context, rootScopeId string, resourceType resource.Type) (map[string]*scopes.ScopeInfo, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
func CalculateAuthorizedCollectionActions
func CalculateAuthorizedCollectionActions(ctx context.Context, authResults VerifyResults, mapToRange map[resource.Type]action.ActionSet, scopeId, pin string, ) (map[string]*structpb.ListValue, error)
CalculateAuthorizedCollectionActions returns authorized actions for the given inputs.
NOTE: Eventually we should unit test this, but for now every service handler is validating the results of this (as it was pulled out of the service handlers).
func DisabledAuthTestContext
func DisabledAuthTestContext(iamRepoFn common.IamRepoFactory, scopeId string, opt ...Option) context.Context
DisabledAuthTestContext is meant for testing, and uses a context that has auth checking entirely disabled. Supported options: WithScopeId and WithUserId are used directly; WithKms is passed through into the verifier context.
func GetTokenFromRequest
func GetTokenFromRequest(ctx context.Context, kmsCache *kms.Kms, req *http.Request) (string, string, uint32)
GetTokenFromRequest pulls the token from either the Authorization header or the split cookies and parses it. If it cannot be parsed successfully, the issue is logged and blank values are returned, so processing continues as the anonymous user rather than failing the request. The public ID and the _encrypted_ token are returned along with the token format.
func NewVerifierContext
func NewVerifierContext(ctx context.Context, iamRepoFn common.IamRepoFactory, authTokenRepoFn common.AuthTokenRepoFactory, serversRepoFn common.ServersRepoFactory, kms *kms.Kms, requestInfo *authpb.RequestInfo, ) context.Context
NewVerifierContext creates a context that carries a verifier object from the HTTP handlers to the gRPC service handlers. It should only be created in the HTTP handler and should exist for every request that reaches the service handlers.
func NewVerifierContextWithAccounts added in v0.11.1
func NewVerifierContextWithAccounts(ctx context.Context, iamRepoFn common.IamRepoFactory, authTokenRepoFn common.AuthTokenRepoFactory, serversRepoFn common.ServersRepoFactory, passwordAuthRepoFn common.PasswordAuthRepoFactory, oidcAuthRepoFn common.OidcAuthRepoFactory, kms *kms.Kms, requestInfo *authpb.RequestInfo, ) context.Context
TODO (jefferai 10/2022): NewVerifierContextWithAccounts performs the function of NewVerifierContext (see the docs for that function) but with extra parameters that can be used to look up account information. This is not intended to be a long-lived function; see https://hashicorp.atlassian.net/browse/ICU-6571 and https://hashicorp.atlassian.net/browse/ICU-6572
This is being added for a quick turnaround purpose and to avoid making large numbers of changes to tests when we may do a much bigger refactor; when those items are addressed this can be removed.
Types
type Option
type Option func(*options)
Option - how Options are passed as arguments
func WithAction
func WithAction(action action.Type) Option
func WithResource
func WithResource(resource *perms.Resource) Option
WithResource specifies a resource to use
func WithScopeId
func WithScopeId(id string) Option
func WithUserId
func WithUserId(id string) Option
type TokenFormat
type TokenFormat uint32
const (
	// We weren't given one or couldn't parse it
	AuthTokenTypeUnknown TokenFormat = iota
	// Came in via the Authorization: Bearer header
	AuthTokenTypeBearer
	// Came in via split cookies
	AuthTokenTypeSplitCookie
	// It's of recovery type
	AuthTokenTypeRecoveryKms
)
type VerifyResults
type VerifyResults struct {
	UserData template.Data
	// This is copied out from UserData above but used to avoid nil checks in
	// lots of places that embed this value
	UserId      string
	AuthTokenId string
	Error       error
	Scope       *scopes.ScopeInfo
	// AuthenticationFinished means that the request has passed through the
	// authentication system successfully. This does _not_ indicate whether a
	// token was provided on the request. Requests for `u_anon` will still have
	// this set true! This is because if a request has a token that is invalid,
	// we fall back to `u_anon` because the request may still be allowed for any
	// anonymous user; it simply fails to validate for and look up grants for an
	// actual known user.
	//
	// A good example is when running dev mode twice. The first time you can
	// authenticate and get a token which is saved by the token helper. The
	// second time, you run a command and it reads the token from the helper.
	// That token is no longer valid, but if the action is granted to `u_anon`
	// the action should still succeed. What happens internally is that the
	// token fails to look up a non-anonymous user, so we fall back to the
	// anonymous user, which is the default.
	//
	// If you want to know if the request had a valid token provided, use a
	// switch on UserId. Anything that isn't `u_anon` will have to have had a
	// valid token provided. And a valid token will never fall back to `u_anon`.
	AuthenticationFinished bool
	// RoundTripValue can be set to allow the function performing authentication
	// (often accompanied by lookup(s)) to return a result of that lookup to the
	// calling function. It is opaque to this package.
	RoundTripValue any
	// contains filtered or unexported fields
}
func Verify
func Verify(ctx context.Context, opt ...Option) (ret VerifyResults)
Verify takes in a context that has the expected parameters as values and runs an authn/authz check. The returned VerifyResults carries the user ID, the scope ID for the request (which may come from the URL or from the token) and, via Error, whether or not to proceed, i.e. whether the authn/authz check failed. If an error occurs it is logged to the system log.
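The anonymous fallback described above for GetTokenFromRequest and in the VerifyResults comments is easy to get wrong in a handler: an expired token does not produce an error, it produces `u_anon` with AuthenticationFinished still true. The following stand-alone Go program is an added example, not code from the Boundary package documented here; it models that behaviour with an in-memory token store. The cookie names, the `<prefix>_<id>_<secret>` token layout used to derive the public ID, the constructed token data and every function name are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// TokenFormat mirrors the page's TokenFormat constants; the iota order is
// assumed to match the one shown above.
type TokenFormat uint32

const (
	AuthTokenTypeUnknown TokenFormat = iota
	AuthTokenTypeBearer
	AuthTokenTypeSplitCookie
)

// AnonymousUserId is the user every unauthenticated request resolves to.
const AnonymousUserId = "u_anon"

// Cookie names are placeholders chosen for this example, not Boundary's own.
const (
	jsCookieName   = "token-js"
	httpCookieName = "token-http"
)

// tokenStore stands in for the auth token repository (token -> user id).
// Constructed data: only one token is valid; anything else counts as expired.
var tokenStore = map[string]string{
	"at_1234567890_s3cr3tpart": "u_alice",
}

// VerifyResults carries the subset of fields the example needs.
type VerifyResults struct {
	UserId                 string
	AuthTokenId            string
	Format                 TokenFormat
	AuthenticationFinished bool
}

// tokenFromRequest pulls a raw token from "Authorization: Bearer ..." or, when
// that header is absent, from two split cookies whose values are concatenated.
// Like GetTokenFromRequest it never fails: unusable input yields "" and
// AuthTokenTypeUnknown so the caller proceeds as the anonymous user.
func tokenFromRequest(req *http.Request) (string, TokenFormat) {
	if h := req.Header.Get("Authorization"); h != "" {
		if strings.HasPrefix(h, "Bearer ") && len(h) > len("Bearer ") {
			return strings.TrimPrefix(h, "Bearer "), AuthTokenTypeBearer
		}
		return "", AuthTokenTypeUnknown // header present but not a usable Bearer token
	}
	js, errJS := req.Cookie(jsCookieName)
	hc, errHTTP := req.Cookie(httpCookieName)
	if errJS == nil && errHTTP == nil && js.Value != "" && hc.Value != "" {
		return js.Value + hc.Value, AuthTokenTypeSplitCookie
	}
	return "", AuthTokenTypeUnknown
}

// publicId assumes the token layout "<prefix>_<id>_<secret>": everything
// before the last underscore is the public ID, which is safe to log.
func publicId(tok string) string {
	if i := strings.LastIndex(tok, "_"); i > 0 {
		return tok[:i]
	}
	return tok
}

// verify resolves the request to a user. An invalid or expired token is not an
// error: the request falls back to u_anon with AuthenticationFinished still
// true, which is the behaviour the VerifyResults comments describe.
func verify(req *http.Request) VerifyResults {
	res := VerifyResults{UserId: AnonymousUserId, AuthenticationFinished: true}
	tok, format := tokenFromRequest(req)
	res.Format = format
	if format == AuthTokenTypeUnknown {
		return res
	}
	userId, ok := tokenStore[tok]
	if !ok {
		// The real package logs this; the caller still proceeds as u_anon.
		return res
	}
	res.UserId = userId
	res.AuthTokenId = publicId(tok)
	return res
}

// hasValidToken is the check the page recommends: anything other than u_anon
// must have presented a valid token, and a valid token never falls back to u_anon.
func hasValidToken(res VerifyResults) bool {
	return res.UserId != AnonymousUserId
}

func main() {
	valid, _ := http.NewRequest("GET", "/v1/targets", nil)
	valid.Header.Set("Authorization", "Bearer at_1234567890_s3cr3tpart")
	expired, _ := http.NewRequest("GET", "/v1/targets", nil)
	expired.Header.Set("Authorization", "Bearer at_0000000000_oldsecret")
	cookie, _ := http.NewRequest("GET", "/v1/targets", nil)
	cookie.AddCookie(&http.Cookie{Name: jsCookieName, Value: "at_1234567890_"})
	cookie.AddCookie(&http.Cookie{Name: httpCookieName, Value: "s3cr3tpart"})
	for _, req := range []*http.Request{valid, expired, cookie} {
		res := verify(req)
		fmt.Printf("user=%s token=%q format=%d validToken=%v finished=%v\n",
			res.UserId, res.AuthTokenId, res.Format, hasValidToken(res), res.AuthenticationFinished)
	}
}
```

The expired-token case is the one to notice: AuthenticationFinished is true and no error is raised, so a handler that wants to insist on a known user has to test UserId (here `hasValidToken`), not AuthenticationFinished.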
func (*VerifyResults) ACL added in v0.10.4
func (r *VerifyResults) ACL() perms.ACL
ACL returns the perms.ACL of the verifier.
func (*VerifyResults) FetchActionSetForId
func (r *VerifyResults) FetchActionSetForId(ctx context.Context, id string, availableActions action.ActionSet, opt ...Option) action.ActionSet
FetchActionSetForId returns the allowed actions for a given ID using the current set of ACLs and all other parameters the same (user, etc.)
func (*VerifyResults) FetchActionSetForType
func (r *VerifyResults) FetchActionSetForType(ctx context.Context, typ resource.Type, availableActions action.ActionSet, opt ...Option) action.ActionSet
FetchActionSetForType returns the allowed actions for a given collection type using the current set of ACLs and all other parameters the same (user, etc.)
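FetchActionSetForType and CalculateAuthorizedCollectionActions both reduce to the same operation: intersect the actions a handler is able to offer with the actions the user's ACL grants for a type in a scope. The stand-alone Go program below is an added example, not code from the Boundary package, showing that intersection over a constructed grant set. Its Grant and ACL types, the treatment of `pin` (a grant carrying a pin applies only when the request supplies the same parent resource id, while unpinned grants always apply), the choice to omit types with no permitted action, and all identifiers are assumptions for this example and are not taken from the page.

```go
package main

import (
	"fmt"
	"sort"
)

// Grant is a simplified stand-in for a role grant: the actions a principal may
// perform on a resource type within a scope. Pin is an assumption for this
// example: when non-empty, the grant applies only to requests naming that
// same parent resource id.
type Grant struct {
	ScopeId string
	Pin     string
	Type    string          // resource type such as "target"; "*" matches any type
	Actions map[string]bool // action names; "*" matches any action
}

// ACL is the set of grants resolved for the authenticated user.
type ACL struct {
	grants []Grant
}

func actions(names ...string) map[string]bool {
	m := make(map[string]bool, len(names))
	for _, n := range names {
		m[n] = true
	}
	return m
}

// allowed reports whether some grant permits act on typ in scopeId. Unpinned
// grants always apply; pinned grants apply only when the pins match.
func (a ACL) allowed(scopeId, pin, typ, act string) bool {
	for _, g := range a.grants {
		if g.ScopeId != scopeId {
			continue
		}
		if g.Pin != "" && g.Pin != pin {
			continue
		}
		if g.Type != "*" && g.Type != typ {
			continue
		}
		if g.Actions["*"] || g.Actions[act] {
			return true
		}
	}
	return false
}

// fetchActionSetForType is the FetchActionSetForType analogue: intersect the
// actions the handler can offer with what the ACL grants, sorted for stable output.
func (a ACL) fetchActionSetForType(scopeId, pin, typ string, available []string) []string {
	var out []string
	for _, act := range available {
		if a.allowed(scopeId, pin, typ, act) {
			out = append(out, act)
		}
	}
	sort.Strings(out)
	return out
}

// calculateAuthorizedCollectionActions is the CalculateAuthorizedCollectionActions
// analogue: one entry per collection type the handler asked about. Omitting
// types with no permitted action is this example's choice; the page does not
// say whether the real function does so.
func (a ACL) calculateAuthorizedCollectionActions(scopeId, pin string, mapToRange map[string][]string) map[string][]string {
	out := map[string][]string{}
	for typ, avail := range mapToRange {
		if acts := a.fetchActionSetForType(scopeId, pin, typ, avail); len(acts) > 0 {
			out[typ] = acts
		}
	}
	return out
}

// sampleACL is constructed data: the user may read and list targets in p_1,
// do anything to host catalogs in p_1, and create host sets under hcst_1 only.
func sampleACL() ACL {
	return ACL{grants: []Grant{
		{ScopeId: "p_1", Type: "target", Actions: actions("read", "list")},
		{ScopeId: "p_1", Type: "host-catalog", Actions: actions("*")},
		{ScopeId: "p_1", Pin: "hcst_1", Type: "host-set", Actions: actions("create")},
	}}
}

func main() {
	acl := sampleACL()
	collections := map[string][]string{
		"target":       {"create", "list", "read", "delete"},
		"host-catalog": {"create", "list"},
		"session":      {"list", "read"},
	}
	fmt.Println("scope p_1, no pin:", acl.calculateAuthorizedCollectionActions("p_1", "", collections))
	fmt.Println("host-set under hcst_1:", acl.fetchActionSetForType("p_1", "hcst_1", "host-set", []string{"create", "list"}))
	fmt.Println("host-set under hcst_2:", acl.fetchActionSetForType("p_1", "hcst_2", "host-set", []string{"create", "list"}))
	fmt.Println("scope p_2, no grants:", acl.calculateAuthorizedCollectionActions("p_2", "", collections))
}
```

The point the example makes is that the result is only ever a subset of `availableActions`: a grant for an action the handler did not list (or a grant in a different scope, or pinned to a different parent) contributes nothing, so the handler's own list is the outer bound on what gets advertised.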
func (*VerifyResults) FetchOutputFields
func (r *VerifyResults) FetchOutputFields(res perms.Resource, act action.Type) *perms.OutputFields
func (*VerifyResults) ScopesAuthorizedForList added in v0.10.4
func (r *VerifyResults) ScopesAuthorizedForList(ctx context.Context, rootScopeId string, resourceType resource.Type) (map[string]*scopes.ScopeInfo, error)
ScopesAuthorizedForList retrieves and returns all scopes in which the user is authorized to perform a *list* action on the given resource type. It looks recursively from `rootScopeId`.