security

package v0.0.12
Published: Mar 17, 2019 License: Apache-2.0 Imports: 4 Imported by: 10

Documentation

Index

Constants

const (
	// SuperUserID is the uid of the administrator
	SuperUserID int64 = 1
	// GroupAdminID is the string ID of the group with all permissions
	GroupAdminID = "admin"
	// GroupEveryoneID is the string ID of the group everyone belongs to
	GroupEveryoneID = "everyone"

	// NativeGroup means that this user has been explicitly given membership in this group
	NativeGroup InheritanceInfo = iota
	// InheritedGroup means that this user is a member of this group through inheritance
	InheritedGroup
)
const (
	Read = 1 << Permission(iota)
	Write
	Unlink
	All = Read | Write | Unlink
)

The four Permissions are Read, Write, Unlink and All.

Variables

This section is empty.

Functions

This section is empty.

Types

type AccessControlList

type AccessControlList struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

An AccessControlList defines the permissions for given groups. It is meant to be a property of a field.

func NewAccessControlList

func NewAccessControlList() *AccessControlList

NewAccessControlList returns a pointer to a new empty AccessControlList

func (*AccessControlList) AddPermission

func (acl *AccessControlList) AddPermission(group *Group, perm Permission)

AddPermission adds the given permission to the given group, keeping existing permissions untouched.

func (*AccessControlList) CheckPermission

func (acl *AccessControlList) CheckPermission(group *Group, perm Permission) bool

CheckPermission returns true if the given group has the given permission, either directly granted to it or granted to one of its inherited groups.

func (*AccessControlList) Permissions

func (acl *AccessControlList) Permissions() map[*Group]Permission

Permissions returns all permissions of this ACL, keyed by group.

func (*AccessControlList) RemovePermission

func (acl *AccessControlList) RemovePermission(group *Group, perm Permission)

RemovePermission removes the given permission from the given group, keeping other permissions untouched.

func (*AccessControlList) ReplacePermission

func (acl *AccessControlList) ReplacePermission(group *Group, perm Permission)

ReplacePermission replaces the current permission of the given group with the given perm, overriding any existing permission.

type AuthBackend

type AuthBackend interface {
	// Authenticate the user defined by login and secret. Additional data
	// needed by the authentication backend may be passed into the context.
	//
	// On success, it returns the ID of the authenticated user.
	// On failure, it should return a UserNotFoundError if this user is not
	// known to this backend, or an InvalidCredentialsError if it is known but
	// cannot be authenticated.
	Authenticate(login, secret string, context *types.Context) (int64, error)
}

An AuthBackend is an interface that is capable of authenticating a user and of telling whether a user is a member of a given group.

type AuthBackendRegistry

type AuthBackendRegistry struct {
	// contains filtered or unexported fields
}

An AuthBackendRegistry holds an ordered list of AuthBackend instances that enables authentication against several backends. A pointer to AuthBackendRegistry is itself an AuthBackend that can be used in another AuthBackendRegistry.

var AuthenticationRegistry *AuthBackendRegistry

AuthenticationRegistry is the authentication registry of the application

func (*AuthBackendRegistry) Authenticate

func (ar *AuthBackendRegistry) Authenticate(login, secret string, context *types.Context) (int64, error)

Authenticate tries to authenticate the user with the given uid and secret. Backends are polled in order. The user is authenticated as soon as one backend authenticates his uid with the given secret.

func (*AuthBackendRegistry) RegisterBackend

func (ar *AuthBackendRegistry) RegisterBackend(backend AuthBackend)

RegisterBackend registers the given backend in this registry. The newly added backend is inserted at the top of the list, so that it will override any existing backend that already manages the same uids.
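The polling order, the prepend-on-register rule and the two error types the AuthBackend contract above asks backends to return, as an added stand-alone model in Go. AuthRegistry, staticBackend and the dropped *types.Context parameter are this example's own simplifications, not the package's code, and what happens when one backend rejects the secret is an assumption the docs leave open.

```go
package main

type UserNotFoundError string       // login unknown to the backend
type InvalidCredentialsError string // login known, but the secret was rejected

func (e UserNotFoundError) Error() string       { return "user not found: " + string(e) }
func (e InvalidCredentialsError) Error() string { return "invalid credentials: " + string(e) }

// AuthBackend is the documented interface without the *types.Context parameter (assumption).
type AuthBackend interface{ Authenticate(login, secret string) (int64, error) }

// AuthRegistry models AuthBackendRegistry (not the package's own code). RegisterBackend
// prepends, so the most recently registered backend is polled first.
type AuthRegistry struct{ backends []AuthBackend }

func (r *AuthRegistry) RegisterBackend(b AuthBackend) {
	r.backends = append([]AuthBackend{b}, r.backends...)
}

// Authenticate polls backends in order and returns on the first success. Assumption: a rejected
// secret does not end the search, but its InvalidCredentialsError is reported if nobody succeeds.
func (r *AuthRegistry) Authenticate(login, secret string) (int64, error) {
	var final error = UserNotFoundError(login)
	for _, b := range r.backends {
		uid, err := b.Authenticate(login, secret)
		if err == nil {
			return uid, nil
		}
		if _, known := err.(InvalidCredentialsError); known {
			final = err
		}
	}
	return 0, final
}

// staticBackend is a constructed one-user backend; a real one compares a password hash.
type staticBackend struct {
	login, secret string
	uid           int64
}

func (s staticBackend) Authenticate(login, secret string) (int64, error) {
	if login != s.login {
		return 0, UserNotFoundError(login)
	}
	if secret != s.secret {
		return 0, InvalidCredentialsError(login)
	}
	return s.uid, nil
}
```

Because the two errors differ, a login handler in front of the registry should answer both with the same generic failure message; echoing the error would reveal which logins exist.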

type Group

type Group struct {
	ID       string
	Name     string
	Inherits []*Group
}

A Group defines a role which can be granted or denied permissions.
- Groups can inherit from other groups and get access to these groups' permissions.
- A user can belong to one or several groups, and thus inherits the permissions of those groups.

var (
	// GroupAdmin is the group which has all permissions
	GroupAdmin *Group
	// GroupEveryone is a group that all users automatically belong to.
	GroupEveryone *Group
)
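The permission bits and the inherited-group check described for AccessControlList and Group above, as an added, self-contained model in Go; it is not the package's own code. ACL, NewACL and the iterative lookup are this example's names, and the rule that a multi-bit permission such as All must be fully granted on one group (rather than assembled across the inheritance chain) is an assumption the docs do not settle.

```go
package main

// Permission bits mirror the constants above: Read=1, Write=2, Unlink=4, All=7.
type Permission uint8

const (
	Read Permission = 1 << iota
	Write
	Unlink
	All = Read | Write | Unlink
)

// Group is a role that may inherit other groups (same shape as the documented struct).
type Group struct {
	ID       string
	Inherits []*Group
}

// ACL models the documented AccessControlList semantics; it is not the package's own code.
type ACL struct{ perms map[*Group]Permission }

func NewACL() *ACL { return &ACL{perms: map[*Group]Permission{}} }

// AddPermission ORs bits in, RemovePermission clears only the given bits, and
// ReplacePermission overrides the whole value.
func (a *ACL) AddPermission(g *Group, p Permission)     { a.perms[g] |= p }
func (a *ACL) RemovePermission(g *Group, p Permission)  { a.perms[g] &^= p }
func (a *ACL) ReplacePermission(g *Group, p Permission) { a.perms[g] = p }

// CheckPermission is true when every bit of p is granted to g or to a group it inherits,
// transitively. Assumption: a multi-bit p such as All must be fully present on one group;
// bits are not merged across the chain. The seen set makes inheritance cycles terminate.
func (a *ACL) CheckPermission(g *Group, p Permission) bool {
	seen := map[*Group]bool{}
	for stack := []*Group{g}; len(stack) > 0; {
		cur := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if seen[cur] {
			continue
		}
		seen[cur] = true
		if a.perms[cur]&p == p {
			return true
		}
		stack = append(stack, cur.Inherits...)
	}
	return false
}
```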

func (Group) String

func (g Group) String() string

String implements fmt.Stringer for Group.

type GroupCollection

type GroupCollection struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

A GroupCollection keeps a list of groups

var Registry *GroupCollection

Registry is the collection of all security groups of the application.

func NewGroupCollection

func NewGroupCollection() *GroupCollection

NewGroupCollection returns a pointer to a new empty GroupCollection

func (*GroupCollection) AddMembership

func (gc *GroupCollection) AddMembership(uid int64, group *Group, inherit ...bool)

AddMembership adds the user defined by its uid to the given group and also to all groups that inherit this group. inherit is set to true when this method calls itself recursively on an inheriting group; you should normally leave it unset.

func (*GroupCollection) AllGroups

func (gc *GroupCollection) AllGroups() []*Group

AllGroups returns a slice with all the groups of the collection

func (*GroupCollection) GetGroup

func (gc *GroupCollection) GetGroup(groupID string) *Group

GetGroup returns the group with the given groupID or nil if not found

func (*GroupCollection) HasMembership

func (gc *GroupCollection) HasMembership(uid int64, group *Group) bool

HasMembership returns true if the given uid is a member of the given group.

func (*GroupCollection) NewGroup

func (gc *GroupCollection) NewGroup(ID, name string, inherits ...*Group) *Group

NewGroup creates a new Group with the given id, name and inherited groups and registers it in this GroupCollection. It returns a pointer to the newly created group.

func (*GroupCollection) RegisterGroup

func (gc *GroupCollection) RegisterGroup(group *Group)

RegisterGroup adds the given group to this GroupCollection. If a group with the same ID already exists, this method panics.

func (*GroupCollection) RemoveAllMembershipsForUser

func (gc *GroupCollection) RemoveAllMembershipsForUser(uid int64)

RemoveAllMembershipsForUser removes the given uid from all groups

func (*GroupCollection) RemoveMembership

func (gc *GroupCollection) RemoveMembership(uid int64, group *Group)

RemoveMembership removes the user with the given uid from the given group and all groups that inherit from this group.

func (*GroupCollection) UnregisterGroup

func (gc *GroupCollection) UnregisterGroup(group *Group)

UnregisterGroup removes the group with the given ID from this GroupCollection

func (*GroupCollection) UserGroups

func (gc *GroupCollection) UserGroups(uid int64) map[*Group]InheritanceInfo

UserGroups returns the groups the user with the given uid belongs to, including inherited groups, each mapped to its InheritanceInfo.

type InheritanceInfo

type InheritanceInfo int8

InheritanceInfo enables us to know if a user is part of a group natively or by inheritance.

type InvalidCredentialsError

type InvalidCredentialsError string

An InvalidCredentialsError should be returned by backends when the user is known to this backend but cannot be authenticated.

func (InvalidCredentialsError) Error

func (ice InvalidCredentialsError) Error() string

Error returns the error message

type Permission

type Permission uint8

A Permission defines which of the read, write or unlink rights apply.

type UserNotFoundError

type UserNotFoundError string

A UserNotFoundError should be returned by backends when the user is not known

func (UserNotFoundError) Error

func (unfe UserNotFoundError) Error() string

Error returns the error message
