Documentation ¶
Overview ¶
Package auth defines a standard interface for request access controllers.
An access controller has a simple interface with a single `Authorized` method which checks that a given request is authorized to perform one or more actions on one or more resources. This method should return a non-nil error if the requset is not authorized.
An implementation registers its access controller by name with a constructor which accepts an options map for configuring the access controller.
options := map[string]interface{}{"sillySecret": "whysosilly?"} accessController, _ := auth.GetAccessController("silly", options)
This `accessController` can then be used in a request handler like so:
func updateOrder(w http.ResponseWriter, r *http.Request) { orderNumber := r.FormValue("orderNumber") resource := auth.Resource{Type: "customerOrder", Name: orderNumber} access := auth.Access{Resource: resource, Action: "update"} if ctx, err := accessController.Authorized(ctx, access); err != nil { if challenge, ok := err.(auth.Challenge) { // Let the challenge write the response. challenge.ServeHTTP(w, r) } else { // Some other error. } } }
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ( ErrNoRequestContext = errors.New("no http request in context") ErrNoAuthUserInfo = errors.New("no auth user info in context") )
Common errors used with this package.
Functions ¶
Types ¶
type AccessController ¶
type AccessController interface { // Authorized returns a non-nil error if the context is granted access and // returns a new authorized context. If one or more Access structs are // provided, the requested access will be compared with what is available // to the context. The given context will contain a "http.request" key with // a `*http.Request` value. If the error is non-nil, access should always // be denied. The error may be of type Challenge, in which case the caller // may have the Challenge handle the request or choose what action to take // based on the Challenge header or response status. The returned context // object should have a "auth.user" value set to a UserInfo struct. Authorized(ctx context.Context, access ...Access) (context.Context, error) }
AccessController controls access to registry resources based on a request and required access levels for a request. Implementations can support both complete denial and http authorization challenges.
func GetAccessController ¶
func GetAccessController(name string, options map[string]interface{}) (AccessController, error)
GetAccessController constructs an AccessController with the given options using the named backend.
type Challenge ¶
type Challenge interface { error // ServeHTTP prepares the request to conduct the appropriate challenge // response. For most implementations, simply calling ServeHTTP should be // sufficient. Because no body is written, users may write a custom body after // calling ServeHTTP, but any headers must be written before the call and may // be overwritten. ServeHTTP(w http.ResponseWriter, r *http.Request) }
Challenge is a special error type which is used for HTTP 401 Unauthorized responses and is able to write the response with WWW-Authenticate challenge header values based on the error.
type InitFunc ¶
type InitFunc func(options map[string]interface{}) (AccessController, error)
InitFunc is the type of an AccessController factory function and is used to register the contsructor for different AccesController backends.
Directories ¶
Path | Synopsis |
---|---|
Package silly provides a simple authentication scheme that checks for the existence of an Authorization header and issues access if is present and non-empty.
|
Package silly provides a simple authentication scheme that checks for the existence of an Authorization header and issues access if is present and non-empty. |