Documentation ¶
Index ¶
- Variables
- func BuildTokenDescription(prefix string, meta map[string]string) (string, error)
- func IsValidBindName(bindType, bindName string, availableVariables []string) (bool, error)
- type ACLCache
- type Binder
- type BinderStateStore
- type Bindings
- type Login
- type MockACLCache
- type RaftApplyFn
- type TokenWriter
- type TokenWriterConfig
- type TokenWriterStore
Constants ¶
This section is empty.
Variables ¶
var ErrCannotWriteGlobalToken = errors.New("Cannot upsert global tokens within this datacenter")
ErrCannotWriteGlobalToken indicates that writing a token failed because the token is global and this is a non-primary datacenter.
Functions ¶
func BuildTokenDescription ¶
BuildTokenDescription builds a description for an ACLToken by encoding the given meta as JSON and applying the prefix.
Types ¶
type Binder ¶
type Binder struct {
// contains filtered or unexported fields
}
Binder is responsible for collecting the ACL roles, service identities, node identities, and enterprise metadata to be assigned to a token generated as a result of "logging in" via an auth method.
It does so by applying the auth method's configured binding rules and in the case of enterprise, namespace rules.
func NewBinder ¶
func NewBinder(store BinderStateStore, datacenter string) *Binder
NewBinder creates a Binder with the given state store and datacenter.
func (*Binder) Bind ¶
func (b *Binder) Bind(authMethod *structs.ACLAuthMethod, verifiedIdentity *authmethod.Identity) (*Bindings, error)
Bind collects the ACL roles, service identities, etc. to be assigned to the created token.
type BinderStateStore ¶
type BinderStateStore interface { ACLBindingRuleList(ws memdb.WatchSet, methodName string, entMeta *acl.EnterpriseMeta) (uint64, structs.ACLBindingRules, error) ACLRoleGetByName(ws memdb.WatchSet, roleName string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLRole, error) }
BinderStateStore is the subset of state store methods used by the binder.
type Bindings ¶
type Bindings struct { Roles []structs.ACLTokenRoleLink ServiceIdentities []*structs.ACLServiceIdentity NodeIdentities []*structs.ACLNodeIdentity EnterpriseMeta acl.EnterpriseMeta }
Bindings contains the ACL roles, service identities, node identities and enterprise meta to be assigned to the created token.
type Login ¶
type Login struct {
// contains filtered or unexported fields
}
Login wraps the process of creating an ACLToken from the identity verified by an auth method.
func NewLogin ¶
func NewLogin(binder *Binder, writer *TokenWriter) *Login
NewLogin returns a new Login with the given binder and writer.
func (*Login) TokenForVerifiedIdentity ¶
func (l *Login) TokenForVerifiedIdentity(identity *authmethod.Identity, authMethod *structs.ACLAuthMethod, description string) (*structs.ACLToken, error)
TokenForVerifiedIdentity creates an ACLToken for the given identity verified by an auth method.
type MockACLCache ¶
MockACLCache is an autogenerated mock type for the ACLCache type
func NewMockACLCache ¶
func NewMockACLCache(t mockConstructorTestingTNewMockACLCache) *MockACLCache
NewMockACLCache creates a new instance of MockACLCache. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
func (*MockACLCache) RemoveIdentityWithSecretToken ¶
func (_m *MockACLCache) RemoveIdentityWithSecretToken(secretToken string)
RemoveIdentityWithSecretToken provides a mock function with given fields: secretToken
type RaftApplyFn ¶
type RaftApplyFn func(structs.MessageType, interface{}) (interface{}, error)
type TokenWriter ¶
type TokenWriter struct {
TokenWriterConfig
}
TokenWriter encapsulates the logic of writing ACL tokens to the state store including validation, cache purging, etc.
func NewTokenWriter ¶
func NewTokenWriter(cfg TokenWriterConfig) *TokenWriter
NewTokenWriter creates a new token writer.
func (*TokenWriter) Create ¶
Create a new token. Setting fromLogin to true changes behavior slightly for tokens created by login (as opposed to set manually via the API).
type TokenWriterConfig ¶
type TokenWriterConfig struct { RaftApply RaftApplyFn ACLCache ACLCache Store TokenWriterStore CheckUUID lib.UUIDCheckFunc MaxExpirationTTL time.Duration MinExpirationTTL time.Duration PrimaryDatacenter string InPrimaryDatacenter bool LocalTokensEnabled bool }
type TokenWriterStore ¶
type TokenWriterStore interface { ACLTokenGetByAccessor(ws memdb.WatchSet, accessorID string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLToken, error) ACLTokenGetBySecret(ws memdb.WatchSet, secretID string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLToken, error) ACLRoleGetByID(ws memdb.WatchSet, id string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLRole, error) ACLRoleGetByName(ws memdb.WatchSet, name string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLRole, error) ACLPolicyGetByID(ws memdb.WatchSet, id string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLPolicy, error) ACLPolicyGetByName(ws memdb.WatchSet, name string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLPolicy, error) ACLTokenUpsertValidateEnterprise(token *structs.ACLToken, existing *structs.ACLToken) error }