auth

package
v1.13.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 19, 2022 License: MPL-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var ErrCannotWriteGlobalToken = errors.New("Cannot upsert global tokens within this datacenter")

ErrCannotWriteGlobalToken indicates that writing a token failed because the token is global and this is a non-primary datacenter.

Functions

func BuildTokenDescription

func BuildTokenDescription(prefix string, meta map[string]string) (string, error)

BuildTokenDescription builds a description for an ACLToken by encoding the given meta as JSON and applying the prefix.

func IsValidBindName

func IsValidBindName(bindType, bindName string, availableVariables []string) (bool, error)

IsValidBindName returns whether the given BindName template produces valid results when interpolating the auth method's available variables.

Types

type ACLCache

type ACLCache interface {
	RemoveIdentityWithSecretToken(secretToken string)
}

type Binder

type Binder struct {
	// contains filtered or unexported fields
}

Binder is responsible for collecting the ACL roles, service identities, node identities, and enterprise metadata to be assigned to a token generated as a result of "logging in" via an auth method.

It does so by applying the auth method's configured binding rules and in the case of enterprise, namespace rules.

func NewBinder

func NewBinder(store BinderStateStore, datacenter string) *Binder

NewBinder creates a Binder with the given state store and datacenter.

func (*Binder) Bind

func (b *Binder) Bind(authMethod *structs.ACLAuthMethod, verifiedIdentity *authmethod.Identity) (*Bindings, error)

Bind collects the ACL roles, service identities, etc. to be assigned to the created token.

type BinderStateStore

type BinderStateStore interface {
	ACLBindingRuleList(ws memdb.WatchSet, methodName string, entMeta *acl.EnterpriseMeta) (uint64, structs.ACLBindingRules, error)
	ACLRoleGetByName(ws memdb.WatchSet, roleName string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLRole, error)
}

BinderStateStore is the subset of state store methods used by the binder.

type Bindings

type Bindings struct {
	Roles             []structs.ACLTokenRoleLink
	ServiceIdentities []*structs.ACLServiceIdentity
	NodeIdentities    []*structs.ACLNodeIdentity
	EnterpriseMeta    acl.EnterpriseMeta
}

Bindings contains the ACL roles, service identities, node identities and enterprise meta to be assigned to the created token.

func (*Bindings) None

func (b *Bindings) None() bool

None indicates that the resulting bindings would not give the created token access to any resources.

type Login

type Login struct {
	// contains filtered or unexported fields
}

Login wraps the process of creating an ACLToken from the identity verified by an auth method.

func NewLogin

func NewLogin(binder *Binder, writer *TokenWriter) *Login

NewLogin returns a new Login with the given binder and writer.

func (*Login) TokenForVerifiedIdentity

func (l *Login) TokenForVerifiedIdentity(identity *authmethod.Identity, authMethod *structs.ACLAuthMethod, description string) (*structs.ACLToken, error)

TokenForVerifiedIdentity creates an ACLToken for the given identity verified by an auth method.

type MockACLCache

type MockACLCache struct {
	mock.Mock
}

MockACLCache is an autogenerated mock type for the ACLCache type

func NewMockACLCache

func NewMockACLCache(t testing.TB) *MockACLCache

NewMockACLCache creates a new instance of MockACLCache. It also registers the testing.TB interface on the mock and a cleanup function to assert the mocks expectations.

func (*MockACLCache) RemoveIdentityWithSecretToken

func (_m *MockACLCache) RemoveIdentityWithSecretToken(secretToken string)

RemoveIdentityWithSecretToken provides a mock function with given fields: secretToken

type RaftApplyFn

type RaftApplyFn func(structs.MessageType, interface{}) (interface{}, error)

type TokenWriter

type TokenWriter struct {
	TokenWriterConfig
}

TokenWriter encapsulates the logic of writing ACL tokens to the state store including validation, cache purging, etc.

func NewTokenWriter

func NewTokenWriter(cfg TokenWriterConfig) *TokenWriter

NewTokenWriter creates a new token writer.

func (*TokenWriter) Create

func (w *TokenWriter) Create(token *structs.ACLToken, fromLogin bool) (*structs.ACLToken, error)

Create a new token. Setting fromLogin to true changes behavior slightly for tokens created by login (as opposed to set manually via the API).

func (*TokenWriter) Delete

func (w *TokenWriter) Delete(secretID string, fromLogout bool) error

Delete the ACL token with the given SecretID from the state store.

func (*TokenWriter) Update

func (w *TokenWriter) Update(token *structs.ACLToken) (*structs.ACLToken, error)

Update an existing token.

type TokenWriterConfig

type TokenWriterConfig struct {
	RaftApply RaftApplyFn
	ACLCache  ACLCache
	Store     TokenWriterStore
	CheckUUID lib.UUIDCheckFunc

	MaxExpirationTTL time.Duration
	MinExpirationTTL time.Duration

	PrimaryDatacenter   string
	InPrimaryDatacenter bool
	LocalTokensEnabled  bool
}

type TokenWriterStore

type TokenWriterStore interface {
	ACLTokenGetByAccessor(ws memdb.WatchSet, accessorID string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLToken, error)
	ACLTokenGetBySecret(ws memdb.WatchSet, secretID string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLToken, error)
	ACLRoleGetByID(ws memdb.WatchSet, id string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLRole, error)
	ACLRoleGetByName(ws memdb.WatchSet, name string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLRole, error)
	ACLPolicyGetByID(ws memdb.WatchSet, id string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLPolicy, error)
	ACLPolicyGetByName(ws memdb.WatchSet, name string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLPolicy, error)
	ACLTokenUpsertValidateEnterprise(token *structs.ACLToken, existing *structs.ACLToken) error
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL