embiam

package module
v0.0.19
Warning

This package is not in the latest version of its module.

Published: Sep 5, 2021 License: MIT Imports: 12 Imported by: 0

README

embiam

Embedded identity and access management

-- WHAT IS embiam?

The idea is to embed IAM directly in your API server. IAM needs little CPU power or RAM, so it makes sense to run it in the same process as the primary tasks of your APIs. Use embiam to make your IAM simpler, easier to maintain, and more efficient. Efficiency doesn't only cut the cost of your cloud infrastructure but also makes for greener IT, because less energy is used. Higher efficiency also improves your users' experience: response times shrink and your users get a smoother, more reactive experience with your applications. #CodeGreenIT

-- HOW TO USE IT?

-- Initializing

When your server starts, include the initialization of embiam:

embiam.Initialize(new(embiam.DbFile))

In this case the filesystem is used as the database (check the directory db/ next to your executable). See example 2 for how to apply it.

-- Checking identities

Just embed embiam in your API code and use it to check username (we call it nick) and password. If the validation succeeds, you get an identity token. Send it back to the client application. With this identity token the client application can authenticate further calls, without sending passwords around.

identityToken, err := embiam.CheckIdentity(credentials.Nick, credentials.Password, clientHost)

see example 1

-- Secure APIs with identity tokens

After authentication (with nick and password) the client application gets an identity token. This token is used to validate the calls to your APIs. Before the actual task of the API starts, the identity token is checked. When the check succeeds, the actual task can be done, e.g. the data is fetched from the db or the item is added to the shopping basket. The token is bound to clientHost, so take clientHost from the connection (or from a proxy header you trust), never from the request body, otherwise the client can choose the value its token is matched against.

if !embiam.IsIdentityTokenValid(requestBody.IdentityToken, clientHost) {
	http.Error(w, "", http.StatusForbidden)
	return
}

see example 1
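The two README steps above (check nick and password, then validate the identity token on every later call) as one runnable sketch. This is an added example written for this page, not embiam's own code: it models CheckIdentity and IsIdentityTokenValid with an in-memory store, adds the sign-in attempt limit that MaxSignInAttempts and Entity.WrongPasswordCounter in the index below imply, and binds every token to the validFor value (the client host) it was issued for. The names iam, newIAM, addEntity and checkIdentity, the in-memory maps, and the salted SHA-256 stand-in for embiam's bcrypt Hash are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

// entity is a constructed stand-in for embiam's Entity. embiam's Hash uses
// bcrypt; hashPassword is a salted SHA-256 stand-in so this file runs on the
// standard library alone. Use bcrypt or argon2 for real password storage.
type entity struct {
	salt, passwordHash   []byte
	wrongPasswordCounter int // cf. Entity.WrongPasswordCounter
}

func hashPassword(salt []byte, password string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return sum[:]
}

// tokenEntry: token owner, the client it was issued for (embiam's validFor, e.g. the client IP) and its expiry.
type tokenEntry struct {
	nick, validFor string
	validUntil     time.Time
}

// iam holds entities and live identity tokens; the clock is injectable so expiry can be tested.
type iam struct {
	mu                sync.Mutex
	entities          map[string]*entity
	tokens            map[string]tokenEntry
	maxSignInAttempts int           // cf. ConfigurationStruct.MaxSignInAttempts
	tokenValidity     time.Duration // cf. ConfigurationStruct.IdentityTokenValiditySeconds
	now               func() time.Time
}

// errSignIn is the only error checkIdentity returns: a caller cannot tell an unknown nick from a wrong password or a locked nick.
var errSignIn = errors.New("sign-in failed")

func newIAM(maxSignInAttempts int, tokenValidity time.Duration) *iam {
	return &iam{entities: map[string]*entity{}, tokens: map[string]tokenEntry{},
		maxSignInAttempts: maxSignInAttempts, tokenValidity: tokenValidity, now: time.Now}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: stop rather than issue guessable tokens
	}
	return b
}

func (s *iam) addEntity(nick, password string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	salt := randomBytes(16)
	s.entities[nick] = &entity{salt: salt, passwordHash: hashPassword(salt, password)}
}

// checkIdentity mirrors embiam.CheckIdentity: verify nick and password,
// enforce the attempt limit, and issue an identity token bound to validFor.
func (s *iam) checkIdentity(nick, password, validFor string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.entities[nick]
	if !ok || e.wrongPasswordCounter >= s.maxSignInAttempts {
		return "", errSignIn // unknown or locked: the guess is not checked at all
	}
	if subtle.ConstantTimeCompare(hashPassword(e.salt, password), e.passwordHash) != 1 {
		e.wrongPasswordCounter++
		return "", errSignIn
	}
	e.wrongPasswordCounter = 0
	token := hex.EncodeToString(randomBytes(32)) // 256 random bits: unguessable, so a map lookup is safe
	s.tokens[token] = tokenEntry{nick: nick, validFor: validFor, validUntil: s.now().Add(s.tokenValidity)}
	return token, nil
}

// isIdentityTokenValid mirrors embiam.IsIdentityTokenValid: the token must
// exist, be unexpired, and be presented by the client it was issued for.
func (s *iam) isIdentityTokenValid(token, validFor string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	t, ok := s.tokens[token]
	if !ok {
		return false
	}
	if !s.now().Before(t.validUntil) {
		delete(s.tokens, token) // purge expired tokens when next presented
		return false
	}
	return subtle.ConstantTimeCompare([]byte(t.validFor), []byte(validFor)) == 1
}
```

In an HTTP handler, derive validFor from the connection (net.SplitHostPort(r.RemoteAddr)) or from a proxy header you actually trust, and answer every failed check with the same generic response, as the README snippet does. Once a nick is locked, checkIdentity stops evaluating passwords altogether, so the counter can only be cleared by an administrative step this sketch does not include; a time-based unlock driven by Entity.LastSignInAttempt is the usual alternative.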

-- Creating new nicks

We call it nick instead of user because a nick can also describe a machine, not only a person. Nicks are generated and can't be chosen; the same goes for the password. The procedure to provide a new identity with a new nick is as follows:

1. A nick token is generated. The nick token is valid for a certain time (e.g. 3 days; this is configured in conf.json). Usually the admin generates the token and sends it to the new user.

   newNickToken := embiam.GetNickToken()

2. The new user receives the nick token and uses it to get a new nick, a new password and a secret (to restore passwords). At the same time embiam saves the new nick to the database (for password and secret embiam stores only hashes). The nick token is deleted.

   newNick := embiam.GenerateNewNick(nickToken)

Note that the names used in these README snippets (GetNickToken, GenerateNewNick) do not appear in the v0.0.19 index below; the documented calls are NewEntityToken, which also issues a PIN, and NewEntity(entityToken, pin).
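The two steps above as one runnable sketch of the entity-token lifecycle that NewEntityToken and NewEntity in the index below describe: issue a token with a PIN and an expiry, then consume it exactly once to create a nick with a generated password and secret of which only hashes are kept. This is an added example written for this page, not embiam's own code. The names registrar, newRegistrar, newEntityToken and newEntity, the 8/20/32-character lengths, the digit-only PIN, the decision that a wrong PIN also burns the token, and the salted SHA-256 stand-in for embiam's bcrypt Hash are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"math/big"
	"sync"
	"time"
)

// entityToken mirrors embiam's EntityToken: the token, the PIN (which should
// reach the new user by another channel) and the expiry from configuration.
type entityToken struct {
	Token, Pin string
	ValidUntil time.Time
}

// newEntity is the clear-text part of embiam's NewEntityStruct, handed to the
// new user exactly once; stored keeps only a salt and hashes.
type newEntity struct{ Nick, Password, Secret string }
type stored struct{ salt, passwordHash, secretHash []byte }

var errTokenInvalid = errors.New("entity token unknown, expired or wrong PIN")

// registrar is a constructed stand-in for the part of embiam that issues and
// consumes entity tokens; the clock is injectable so expiry can be tested.
type registrar struct {
	mu            sync.Mutex
	tokens        map[string]entityToken
	entities      map[string]stored
	tokenValidity time.Duration // cf. ConfigurationStruct.EntityTokenValidityHours
	now           func() time.Time
}

func newRegistrar(tokenValidity time.Duration) *registrar {
	return &registrar{tokens: map[string]entityToken{}, entities: map[string]stored{},
		tokenValidity: tokenValidity, now: time.Now}
}

// alphabet omits 0/O and 1/l/I, which are easily confused when read aloud.
const alphabet = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"

// randomString draws every character from crypto/rand without modulo bias.
func randomString(n int, chars string) string {
	out := make([]byte, n)
	for i := range out {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(chars))))
		if err != nil {
			panic(err) // no entropy: stop rather than hand out weak credentials
		}
		out[i] = chars[idx.Int64()]
	}
	return string(out)
}

// hashWithSalt is a salted SHA-256 stand-in for embiam.Hash (bcrypt) so this
// file runs on the standard library alone; use bcrypt or argon2 in practice.
func hashWithSalt(salt []byte, s string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), s...))
	return sum[:]
}

// newEntityToken mirrors embiam.NewEntityToken: an unguessable token plus a
// short PIN, valid until tokenValidity has elapsed.
func (r *registrar) newEntityToken() entityToken {
	r.mu.Lock()
	defer r.mu.Unlock()
	t := entityToken{Token: randomString(32, alphabet), Pin: randomString(6, "0123456789"),
		ValidUntil: r.now().Add(r.tokenValidity)}
	r.tokens[t.Token] = t
	return t
}

// newEntity mirrors embiam.NewEntity. The token is deleted before anything
// else is checked, so it is consumed exactly once; a wrong PIN therefore burns
// it too (a choice of this example): whoever holds only the token gets one guess.
func (r *registrar) newEntity(token, pin string) (newEntity, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	t, ok := r.tokens[token]
	if !ok {
		return newEntity{}, errTokenInvalid
	}
	delete(r.tokens, token)
	if !r.now().Before(t.ValidUntil) || subtle.ConstantTimeCompare([]byte(t.Pin), []byte(pin)) != 1 {
		return newEntity{}, errTokenInvalid
	}
	e := newEntity{Nick: randomString(8, alphabet), Password: randomString(20, alphabet),
		Secret: randomString(32, alphabet)}
	if _, taken := r.entities[e.Nick]; taken {
		return newEntity{}, errors.New("nick collision, ask for a new token") // never overwrite silently
	}
	salt := []byte(randomString(16, alphabet))
	r.entities[e.Nick] = stored{salt, hashWithSalt(salt, e.Password), hashWithSalt(salt, e.Secret)}
	return e, nil
}
```

The token and the PIN should travel by different channels (e.g. the token by e-mail, the PIN by phone): an attacker who intercepts one still cannot create the entity, and because the token is burnt on first use, a legitimate user who finds their token already consumed knows something is wrong.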

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddNicksAuthorizationsToCache added in v0.0.19

func AddNicksAuthorizationsToCache(entity *Entity) error

AddNicksAuthorizationsToCache adds the authorizations of a nick to the authorization cache

func CheckAuthIdentity

func CheckAuthIdentity(authValue string, validFor string) (identityTokenStruct, string, error)

CheckAuthIdentity checks an authValue and provides an identity token (for validFor); it also returns the nick that was checked

func CheckIdentity

func CheckIdentity(nick, password, validFor string) (identityTokenStruct, error)

CheckIdentity checks nick and password and provides an identity token (for validFor)

func Hash

func Hash(original string) string

Hash calculates 'hash' for 'original' using bcrypt

func Initialize

func Initialize(aDb DbInterface)

Initialize prepares embiam

func InitializeDirectory added in v0.0.3

func InitializeDirectory(folderPath string) error

InitializeDirectory checks if 'folderPath' exists and creates it if it does not

func IsAuthIdentityTokenValid

func IsAuthIdentityTokenValid(authValue string, validFor string) bool

IsAuthIdentityTokenValid checks if the identity token is valid, validFor contains information about the client, e.g. the IP address

func IsAuthorized added in v0.0.3

func IsAuthorized(identityToken string, ressourceString string, actionString string) bool

IsAuthorized checks if the entity, identified by the token, is authorized for the action on the resource

func IsIdentityTokenValid

func IsIdentityTokenValid(token string, validFor string) bool

IsIdentityTokenValid checks if the identity token is valid, validFor contains information about the client, e.g. the IP address

func ReadDefaultRoles added in v0.0.19

func ReadDefaultRoles() error

ReadDefaultRoles loads the list of roles for new entities

func ReadRoles added in v0.0.19

func ReadRoles() error

ReadRoles reloads the roles from the Db

func SaveDefaultRoles added in v0.0.19

func SaveDefaultRoles(newDefaultRoles []RoleIdType) error

SaveDefaultRoles saves the list of roles for new entities

func SaveRoles added in v0.0.19

func SaveRoles(newRoles RoleCacheMap) error

SaveRoles saves the roles to the Db

Types

type ActionMap added in v0.0.19

type ActionMap map[ActionType]struct{}

ActionMap is a set of activities

type ActionType added in v0.0.19

type ActionType string

ActionType - an activity that can be performed on a resource and is relevant for authorization checks

const ActionAsteriks ActionType = "*"

type AuthorizationCacheMap added in v0.0.19

type AuthorizationCacheMap map[string][]AuthorizationStruct

AuthorizationCacheMap contains the authorizations for nicks

type AuthorizationStruct added in v0.0.19

type AuthorizationStruct struct {
	Ressource RessourceType `json:"ressource"`
	Action    ActionMap     `json:"action"`
}

AuthorizationStruct describes a resource together with activities

type ConfigurationStruct

type ConfigurationStruct struct {
	ServerId                     string `json:"serverId"`
	Port                         string `json:"port"`
	EntityTokenValidityHours     int    `json:"entityTokenValidityHours"`
	IdentityTokenValiditySeconds int    `json:"identityTokenValiditySeconds"`
	MaxSignInAttempts            int    `json:"maxSignInAttempts"`
}
var Configuration ConfigurationStruct

type DbFile

type DbFile struct {
	EntityFilePath        string
	EntityDeletedFilePath string
	EntityTokenFilePath   string
	RolePath              string
	DBPath                string

	RoleFilename        string
	DefaultRoleFilename string
}

DbFile - use the filesystem and store json files

func (DbFile) DeleteContentsFromDirectory added in v0.0.3

func (m DbFile) DeleteContentsFromDirectory(dir string) error

func (DbFile) DeleteEntity added in v0.0.16

func (m DbFile) DeleteEntity(nick string) error

func (DbFile) EntityExists

func (m DbFile) EntityExists(nick string) bool

func (*DbFile) Initialize

func (m *DbFile) Initialize()

func (DbFile) ReadEntityByNick

func (m DbFile) ReadEntityByNick(nick string) (*Entity, error)

func (DbFile) ReadEntityList added in v0.0.10

func (m DbFile) ReadEntityList() (nicklist []string, e error)

func (DbFile) ReadPublicEntityByNick added in v0.0.17

func (m DbFile) ReadPublicEntityByNick(nick string) (*PublicEntity, error)

func (DbFile) SaveEntity

func (m DbFile) SaveEntity(e *Entity) error

type DbInterface

type DbInterface interface {
	Initialize()
	// Entity
	ReadEntityList() (nicklist []string, e error)
	ReadEntityByNick(nick string) (*Entity, error)
	ReadPublicEntityByNick(nick string) (*PublicEntity, error)
	EntityExists(nick string) bool
	SaveEntity(entity *Entity) error
	DeleteEntity(nick string) error
	// contains filtered or unexported methods
}
var Db DbInterface

*******************************************************************

Interface Db (database, persistent storage). The interface has unexported methods, so only types inside the embiam package (DbFile, DbTransient) can satisfy it; a custom backend cannot be plugged in from outside the package without changing embiam itself.

*******************************************************************

type DbTransient added in v0.0.2

type DbTransient struct {
	// contains filtered or unexported fields
}

DbTransient - non-persistent database for testing and demonstration

func (DbTransient) DeleteEntity added in v0.0.16

func (m DbTransient) DeleteEntity(nick string) error

func (DbTransient) EntityExists added in v0.0.2

func (m DbTransient) EntityExists(nick string) bool

func (*DbTransient) Initialize added in v0.0.2

func (m *DbTransient) Initialize()

func (DbTransient) ReadEntityByNick added in v0.0.2

func (m DbTransient) ReadEntityByNick(nick string) (*Entity, error)

func (DbTransient) ReadEntityList added in v0.0.10

func (m DbTransient) ReadEntityList() (nicklist []string, e error)

ToDo: Required???

func (DbTransient) ReadPublicEntityByNick added in v0.0.17

func (m DbTransient) ReadPublicEntityByNick(nick string) (*PublicEntity, error)

func (DbTransient) SaveEntity added in v0.0.2

func (m DbTransient) SaveEntity(e *Entity) error

type Entity

type Entity struct {
	Nick                 string       `json:"nick"`
	PasswordHash         string       `json:"passwordHash"`
	SecretHash           string       `json:"secretHash"`
	Active               bool         `json:"active"`
	WrongPasswordCounter int          `json:"wrongPasswordCounter"`
	LastSignInAttempt    time.Time    `json:"lastSignInAttempt"`
	LastSignIn           time.Time    `json:"lastSignIn"`
	CreateTimeStamp      time.Time    `json:"createTimeStamp"`
	UpdateTimeStamp      time.Time    `json:"updateTimeStamp"`
	Roles                []RoleIdType `json:"roles"`
}

Entity describes a user or a device

type EntityToken

type EntityToken struct {
	Token      string    `json:"token"`
	Pin        string    `json:"pin"`
	ValidUntil time.Time `json:"validUntil"`
}

*******************************************************************

ENTITY TOKEN

Entity Tokens are used to create new entities. The administrator
creates an entity token and sends it to the new user. The new
user uses the entity token to create a new entity. After the
entity was created, the entity token is deleted.

*******************************************************************

func NewEntityToken

func NewEntityToken() (EntityToken, error)

NewEntityToken creates a new entity token (the token itself and its validity, coming from configuration)

type NewEntityStruct added in v0.0.10

type NewEntityStruct struct {
	Nick                 string       `json:"nick"`
	Password             string       `json:"password"`
	Secret               string       `json:"secret"`
	PasswordHash         string       `json:"passwordHash"`
	SecretHash           string       `json:"secretHash"`
	Active               bool         `json:"active"`
	WrongPasswordCounter int          `json:"wrongPasswordCounter"`
	LastSignInAttempt    time.Time    `json:"lastSignInAttempt"`
	LastSignIn           time.Time    `json:"lastSignIn"`
	CreateTimeStamp      time.Time    `json:"createTimeStamp"`
	UpdateTimeStamp      time.Time    `json:"updateTimeStamp"`
	Roles                []RoleIdType `json:"roles"`
}

NewEntityStruct contains all fields of Entity but also the password and the secret (not only the hashes)

func NewEntity

func NewEntity(entityToken, pin string) (newEntity NewEntityStruct, err error)

NewEntity creates a new entity using an entityToken and PIN

type PublicEntity added in v0.0.17

type PublicEntity struct {
	Nick                 string       `json:"nick"`
	Active               bool         `json:"active"`
	WrongPasswordCounter int          `json:"wrongPasswordCounter"`
	LastSignInAttempt    time.Time    `json:"lastSignInAttempt"`
	LastSignIn           time.Time    `json:"lastSignIn"`
	CreateTimeStamp      time.Time    `json:"createTimeStamp"`
	UpdateTimeStamp      time.Time    `json:"updateTimeStamp"`
	Roles                []RoleIdType `json:"roles"`
}

PublicEntity describes a user or a device (without hashes)

type RessourceType added in v0.0.19

type RessourceType string

RessourceType - a resource is a thing that is relevant for authorization checks

type RoleBodyStruct added in v0.0.19

type RoleBodyStruct struct {
	Authorization []AuthorizationStruct `json:"authorization"`
	ContainedRole []RoleIdType          `json:"containedRoles"`
}

RoleBodyStruct contains authorizations contained in the role and also other roles

type RoleCacheMap added in v0.0.19

type RoleCacheMap map[RoleIdType]RoleBodyStruct

RoleCacheMap combines the Id of the role with the role's body

type RoleIdType added in v0.0.19

type RoleIdType string

RoleIdType - a role is a collection of authorizations with an Id; it can also contain other roles and so forms a hierarchical structure of authorizations
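How a role hierarchy of the shape these types describe (RoleBodyStruct with ContainedRole, ActionMap with ActionAsteriks) can be resolved for a check like IsAuthorized in the function index. This is an added example written for this page, not embiam's own code: the type declarations are copied from the v0.0.19 index above, including the project's spelling Ressource, but effectiveAuthorizations, isAuthorized, loadRoles and the constructed sampleRoles document are the example's own. It also covers the edge case the hierarchy invites, a role that contains itself through another role.

```go
package main

import "encoding/json"

// The type shapes below are copied from the v0.0.19 index (including the project's
// spelling "Ressource"); the functions and the sample role file are this example's own.
type ActionType string

const ActionAsteriks ActionType = "*"

type ActionMap map[ActionType]struct{}

type RessourceType string

type AuthorizationStruct struct {
	Ressource RessourceType `json:"ressource"`
	Action    ActionMap     `json:"action"`
}

type RoleIdType string

type RoleBodyStruct struct {
	Authorization []AuthorizationStruct `json:"authorization"`
	ContainedRole []RoleIdType          `json:"containedRoles"`
}

type RoleCacheMap map[RoleIdType]RoleBodyStruct

// effectiveAuthorizations flattens the role hierarchy for an entity's roles. Every
// role is visited at most once, so a cycle in containedRoles terminates instead of
// recursing forever, and an unknown role id grants nothing.
func effectiveAuthorizations(roles RoleCacheMap, ids []RoleIdType) []AuthorizationStruct {
	seen := map[RoleIdType]bool{}
	var out []AuthorizationStruct
	var walk func(RoleIdType)
	walk = func(id RoleIdType) {
		if seen[id] {
			return
		}
		seen[id] = true
		body, ok := roles[id]
		if !ok {
			return
		}
		out = append(out, body.Authorization...)
		for _, c := range body.ContainedRole {
			walk(c)
		}
	}
	for _, id := range ids {
		walk(id)
	}
	return out
}

// isAuthorized is default-deny: a grant must name the exact resource and either
// the exact action or "*". Asking for action "*" matches only an explicit "*" grant.
func isAuthorized(auths []AuthorizationStruct, res RessourceType, act ActionType) bool {
	for _, a := range auths {
		if a.Ressource != res {
			continue
		}
		if _, ok := a.Action[ActionAsteriks]; ok {
			return true
		}
		if _, ok := a.Action[act]; ok {
			return true
		}
	}
	return false
}

// sampleRoles is a constructed role file in the JSON shape the struct tags imply.
// "auditor" contains "admin", which contains "auditor": a deliberate cycle.
const sampleRoles = `{
  "reader":  {"authorization": [{"ressource": "orders", "action": {"read": {}}}]},
  "auditor": {"authorization": [{"ressource": "logs", "action": {"read": {}}}],
              "containedRoles": ["admin"]},
  "admin":   {"authorization": [{"ressource": "orders", "action": {"*": {}}}],
              "containedRoles": ["reader", "auditor"]}
}`

func loadRoles(doc string) (RoleCacheMap, error) {
	var roles RoleCacheMap
	err := json.Unmarshal([]byte(doc), &roles)
	return roles, err
}
```

Because containment is transitive, the cycle in sampleRoles silently makes "auditor" as powerful as "admin"; a role file should be checked for cycles when it is saved (SaveRoles is the natural place), not only tolerated at lookup time.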

type ServerId added in v0.0.11

type ServerId [2]uint64

random 128-bit Id of the server

func (*ServerId) New added in v0.0.11

func (id *ServerId) New()

New generates a new ServerId

func (*ServerId) String added in v0.0.11

func (id *ServerId) String() string

Stringer for ServerId

Directories

Path Synopsis
The program is a simple REST server and handles two requests: 1.
The program is a simple REST server and handles two requests: 1.
