auth

package
v0.2.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 18, 2021 License: MPL-2.0 Imports: 28 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	AnonymousUserId = "u_anon"
)

Variables

This section is empty.

Functions

func CalculateAuthorizedCollectionActions added in v0.2.1 

func CalculateAuthorizedCollectionActions(ctx context.Context,
	authResults VerifyResults,
	mapToRange map[resource.Type]action.ActionSet,
	scopeId, pin string) (map[string]*structpb.ListValue, error)

CalculateAuthorizedCollectionActions returns authorized actions for the given inputs.

NOTE: Eventually we should unit test this, but for now every service handler is validating the results of this (as it was pulled out of the service handlers).

func DisabledAuthTestContext 

func DisabledAuthTestContext(iamRepoFn common.IamRepoFactory, scopeId string, opt ...Option) context.Context

DisabledAuthTestContext is meant for testing, and uses a context that has auth checking entirely disabled. Supported options: WithScopeId an WithUserId are used directly; WithKms is passed through into the verifier context.

func NewVerifierContext 

func NewVerifierContext(ctx context.Context,
	logger hclog.Logger,
	iamRepoFn common.IamRepoFactory,
	authTokenRepoFn common.AuthTokenRepoFactory,
	serversRepoFn common.ServersRepoFactory,
	kms *kms.Kms,
	requestInfo RequestInfo) context.Context

NewVerifierContext creates a context that carries a verifier object from the HTTP handlers to the gRPC service handlers. It should only be created in the HTTP handler and should exist for every request that reaches the service handlers.

Types

type Account added in v0.2.0 

type Account interface {
	GetPublicId() string
	GetCreateTime() *timestamp.Timestamp
	GetUpdateTime() *timestamp.Timestamp
	GetName() string
	GetDescription() string
	GetAuthMethodId() string
	GetVersion() uint32
}

type AuthMethod added in v0.2.0 

type AuthMethod interface {
	GetPublicId() string
	GetCreateTime() *timestamp.Timestamp
	GetUpdateTime() *timestamp.Timestamp
	GetName() string
	GetDescription() string
	GetScopeId() string
	GetVersion() uint32
	GetIsPrimaryAuthMethod() bool
}

AuthMethod contains the common methods across all the different types of auth methods.

type Option 

type Option func(*options)

Option - how Options are passed as arguments

func WithAction 

func WithAction(action action.Type) Option

func WithAnonymousUserNotAllowed added in v0.1.3 

func WithAnonymousUserNotAllowed(notAllowed bool) Option

func WithId 

func WithId(id string) Option

func WithKms 

func WithKms(kms *kms.Kms) Option

func WithPin 

func WithPin(pin string) Option

func WithRecoveryTokenNotAllowed added in v0.1.3 

func WithRecoveryTokenNotAllowed(notAllowed bool) Option

func WithResource added in v0.1.5 

func WithResource(resource *perms.Resource) Option

WithResource specifies a resouce to use

func WithScopeId 

func WithScopeId(id string) Option

func WithType 

func WithType(rt resource.Type) Option

func WithUserId 

func WithUserId(id string) Option

type RequestInfo 

type RequestInfo struct {
	Path           string
	Method         string
	PublicId       string
	EncryptedToken string
	Token          string
	TokenFormat    TokenFormat

	DisableAuthzFailures bool
	DisableAuthEntirely  bool
	// contains filtered or unexported fields
}

RequestInfo contains request parameters necessary for checking authn/authz

type Subtype added in v0.2.2 

type Subtype int
const (
	UnknownSubtype Subtype = iota
	PasswordSubtype
	OidcSubtype
)

func SubtypeFromId 

func SubtypeFromId(id string) Subtype

SubtypeFromId takes any public id in the auth subsystem and uses the prefix to determine what subtype the id is for. Returns UnknownSubtype if no Subtype with this id's prefix is found.

func SubtypeFromType 

func SubtypeFromType(t string) Subtype

SubtypeFromType converts a string to a Subtype. returns UnknownSubtype if no Subtype with that name is found.

func (Subtype) String added in v0.2.2 

func (t Subtype) String() string

type TokenFormat 

type TokenFormat int
const (
	// We weren't given one or couldn't parse it
	AuthTokenTypeUnknown TokenFormat = iota

	// Came in via the Authentication: Bearer header
	AuthTokenTypeBearer

	// Came in via split cookies
	AuthTokenTypeSplitCookie

	// It's of recovery type
	AuthTokenTypeRecoveryKms
)

func GetTokenFromRequest 

func GetTokenFromRequest(logger hclog.Logger, kmsCache *kms.Kms, req *http.Request) (string, string, TokenFormat)

GetTokenFromRequest pulls the token from either the Authorization header or split cookies and parses it. If it cannot be parsed successfully, the issue is logged and we return blank, so logic will continue as the anonymous user. The public ID and _encrypted_ token are returned along with the token format.

type VerifyResults 

type VerifyResults struct {
	UserId      string
	AuthTokenId string
	Error       error
	Scope       *scopes.ScopeInfo

	// AuthenticatedFinished means that the request has passed through the
	// authentication system successfully. This does _not_ indicate whether a
	// token was provided on the request. Requests for `u_anon` will still have
	// this set true! This is because if a request has a token that is invalid,
	// we fall back to `u_anon` because the request may still be allowed for any
	// anonymous user; it simply fails to validate for and look up grants for an
	// actual known user.
	//
	// A good example is when running dev mode twice. The first time you can
	// authenticate and get a token which is saved by the token helper. The
	// second time, you run a command and it reads the token from the helper.
	// That token is no longer valid, but if the action is granted to `u_anon`
	// the action should still succeed. What happens internally is that the
	// token fails to look up a non-anonymous user, so we fallback to the
	// anonymous user, which is the default.
	//
	// If you want to know if the request had a valid token provided, use a
	// switch on UserId. Anything that isn't `u_anon` will have to have had a
	// valid token provided. And a valid token will never fall back to `u_anon`.
	AuthenticationFinished bool

	// RoundTripValue can be set to allow the function performing authentication
	// (often accompanied by lookup(s)) to return a result of that lookup to the
	// calling function. It is opaque to this package.
	RoundTripValue interface{}
	// contains filtered or unexported fields
}

func Verify 

func Verify(ctx context.Context, opt ...Option) (ret VerifyResults)

Verify takes in a context that has expected parameters as values and runs an authn/authz check. It returns a user ID, the scope ID for the request (which may come from the URL and may come from the token) and whether or not to proceed, e.g. whether the authn/authz check resulted in failure. If an error occurs it's logged to the system log.

func (*VerifyResults) FetchActionSetForId added in v0.1.5 

func (r *VerifyResults) FetchActionSetForId(ctx context.Context, id string, availableActions action.ActionSet, opt ...Option) action.ActionSet

FetchActionSetForId returns the allowed actions for a given ID using the current set of ACLs and all other parameters the same (user, etc.)

func (*VerifyResults) FetchActionSetForType added in v0.1.5 

func (r *VerifyResults) FetchActionSetForType(ctx context.Context, typ resource.Type, availableActions action.ActionSet, opt ...Option) action.ActionSet

FetchActionSetForType returns the allowed actions for a given collection type using the current set of ACLs and all other parameters the same (user, etc.)

func (*VerifyResults) FetchOutputFields added in v0.2.1 

func (r *VerifyResults) FetchOutputFields(res perms.Resource, act action.Type) perms.OutputFieldsMap

Source Files

View all Source files

Directories

Path Synopsis
request
store
store

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.