authentication

package
v0.0.0-...-9ec3720 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 6, 2021 License: AGPL-3.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

View Source 
const (

	// LocalLoginInteractionTimeout is how long a user has to complete
	// an interactive login before it is expired.
	LocalLoginInteractionTimeout = 2 * time.Minute
)

Variables

View Source 
var ErrExpired = errors.New("interaction timed out")

ErrExpired is returned by Interactions.Wait when interactions expire before they are done.

View Source 
var ErrWaitCanceled = errors.New("wait canceled")

ErrWaitCanceled is returned by Interactions.Wait when the cancel channel is signalled.

Functions

func CheckLocalLoginCaveat 

func CheckLocalLoginCaveat(caveat string) (names.UserTag, error)

CheckLocalLoginCaveat parses and checks that the given caveat string is valid for a local login request, and returns the tag of the local user that the caveat asserts is logged in. checkers.ErrCaveatNotRecognized will be returned if the caveat is not recognised.

func CheckLocalLoginRequest 

func CheckLocalLoginRequest(
	ctx context.Context,
	auth MacaroonChecker,
	req *http.Request,
) error

CheckLocalLoginRequest checks that the given HTTP request contains at least one valid local login macaroon minted by the given service using CreateLocalLoginMacaroon. It returns an error with a *bakery.VerificationError cause if the macaroon verification failed.

func CreateLocalLoginMacaroon 

func CreateLocalLoginMacaroon(
	ctx context.Context,
	tag names.UserTag,
	minter MacaroonMinter,
	clock clock.Clock,
	version bakery.Version,
) (*bakery.Macaroon, error)

CreateLocalLoginMacaroon creates a macaroon that may be provided to a user as proof that they have logged in with a valid username and password. This macaroon may then be used to obtain a discharge macaroon so that the user can log in without presenting their password for a set amount of time.

func DischargeCaveats 

func DischargeCaveats(tag names.UserTag, clock clock.Clock) []checkers.Caveat

Discharge caveats returns the caveats to add to a login discharge macaroon.

Types

type AgentAuthenticator 

type AgentAuthenticator struct{}

AgentAuthenticator performs authentication for machine and unit agents.

func (*AgentAuthenticator) Authenticate 

func (*AgentAuthenticator) Authenticate(ctx context.Context, entityFinder EntityFinder, tag names.Tag, req params.LoginRequest) (state.Entity, error)

Authenticate authenticates the provided entity. It takes an entityfinder and the tag used to find the entity that requires authentication.

type Bakery 

type Bakery interface {
	MacaroonMinter
	MacaroonChecker
}

Bakery defines the subset of bakery.Bakery that we require for authentication.

type EntityAuthenticator 

type EntityAuthenticator interface {
	// Authenticate authenticates the given entity
	Authenticate(ctx context.Context, entityFinder EntityFinder, tag names.Tag, req params.LoginRequest) (state.Entity, error)
}

EntityAuthenticator is the interface all entity authenticators need to implement to authenticate juju entities.

type EntityFinder 

type EntityFinder interface {
	FindEntity(tag names.Tag) (state.Entity, error)
}

EntityFinder finds the entity described by the tag.

type ExpirableStorageBakery 

type ExpirableStorageBakery interface {
	Bakery

	// ExpireStorageAfter returns a new ExpirableStorageBakery with
	// a store that will expire items added to it at the specified time.
	ExpireStorageAfter(time.Duration) (ExpirableStorageBakery, error)
}

ExpirableStorageBakery extends Bakery with the ExpireStorageAfter method so that root keys are removed from storage at that time.

type ExternalMacaroonAuthenticator 

type ExternalMacaroonAuthenticator struct {
	// Bakery holds the bakery that is
	// used to verify macaroon authorization.
	Bakery *identchecker.Bakery

	// IdentityLocation holds the URL of the trusted third party
	// that is used to address the is-authenticated-user
	// third party caveat to.
	IdentityLocation string

	// Clock is used to set macaroon expiry time.
	Clock clock.Clock
}

ExternalMacaroonAuthenticator performs authentication for external users using macaroons. If the authentication fails because provided macaroons are invalid, and macaroon authentiction is enabled, it will return a *apiservererrors.DischargeRequiredError holding a macaroon to be discharged.

func (*ExternalMacaroonAuthenticator) Authenticate 

func (m *ExternalMacaroonAuthenticator) Authenticate(ctx context.Context, entityFinder EntityFinder, _ names.Tag, req params.LoginRequest) (state.Entity, error)

Authenticate authenticates the provided entity. If there is no macaroon provided, it will return a *DischargeRequiredError containing a macaroon that can be used to grant access.

func (ExternalMacaroonAuthenticator) DeclaredIdentity 

func (ExternalMacaroonAuthenticator) DeclaredIdentity(ctx context.Context, declared map[string]string) (identchecker.Identity, error)

DeclaredIdentity implements IdentityClient.DeclaredIdentity.

func (*ExternalMacaroonAuthenticator) IdentityFromContext 

func (m *ExternalMacaroonAuthenticator) IdentityFromContext(ctx context.Context) (identchecker.Identity, []checkers.Caveat, error)

IdentityFromContext implements IdentityClient.IdentityFromContext.

type Interaction 

type Interaction struct {
	CaveatId   []byte
	LoginUser  names.UserTag
	LoginError error
}

Interaction records details of an in-progress interactive macaroon-based login.

type Interactions 

type Interactions struct {
	// contains filtered or unexported fields
}

Interactions maintains a set of Interactions.

func NewInteractions 

func NewInteractions() *Interactions

NewInteractions returns a new Interactions.

func (*Interactions) Done 

func (m *Interactions) Done(id string, loginUser names.UserTag, loginError error) error

Done signals that the user has either logged in, or attempted to and failed.

func (*Interactions) Expire 

func (m *Interactions) Expire(t time.Time)

Expire removes any interactions that were due to expire by the specified time.

func (*Interactions) Start 

func (m *Interactions) Start(caveatId []byte, expiry time.Time) (string, error)

Start records the start of an interactive login, and returns a random ID that uniquely identifies it. A call to Wait with the same ID will return the Interaction once it is done.

func (*Interactions) Wait 

func (m *Interactions) Wait(id string, cancel <-chan struct{}) (*Interaction, error)

Wait waits until the identified interaction is done, and returns the corresponding Interaction. If the cancel channel is signalled before the interaction is done, then ErrWaitCanceled is returned. If the interaction expires before it is done, ErrExpired is returned.

type MacaroonChecker 

type MacaroonChecker interface {
	Auth(mss ...macaroon.Slice) *bakery.AuthChecker
}

MacaroonChecker exposes the methods needed from bakery.Checker.

type MacaroonMinter 

type MacaroonMinter interface {
	NewMacaroon(ctx context.Context, version bakery.Version, caveats []checkers.Caveat, ops ...bakery.Op) (*bakery.Macaroon, error)
}

MacaroonMinter exposes the methods needed from bakery.Oven.

type UserAuthenticator 

type UserAuthenticator struct {
	AgentAuthenticator

	// Bakery holds the bakery that is used to mint and verify macaroons.
	Bakery ExpirableStorageBakery

	// Clock is used to calculate the expiry time for macaroons.
	Clock clock.Clock

	// LocalUserIdentityLocation holds the URL of the trusted third party
	// that is used to address the is-authenticated-user third party caveat
	// to for local users. This always points at the same controller
	// agent that is servicing the authorisation request.
	LocalUserIdentityLocation string
}

UserAuthenticator performs authentication for local users. If a password

func (*UserAuthenticator) Authenticate 

func (u *UserAuthenticator) Authenticate(
	ctx context.Context, entityFinder EntityFinder, tag names.Tag, req params.LoginRequest,
) (state.Entity, error)

Authenticate authenticates the entity with the specified tag, and returns an error on authentication failure.

If and only if no password is supplied, then Authenticate will check for any valid macaroons. Otherwise, password authentication will be performed.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.