Documentation ¶
Overview ¶
Package acl - Contains solutions for introducing Access Control Layers to a leaps service. All acl types should implement the Authenticator interface, as this is used by the curator to determine user access. ACLs can also implement behaviour for managing sources or exposing information through HTTP APIs etc.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var (
ErrInvalidAuthType = errors.New("invalid token authenticator type")
)
Errors for the auth package.
var (
ErrNoKey = errors.New("key did not exist")
)
Errors for the Redis type.
Functions ¶
This section is empty.
Types ¶
type AccessLevel ¶
type AccessLevel int
AccessLevel - A unit of access to a particular document ID.
const ( NoAccess AccessLevel = iota ReadAccess EditAccess CreateAccess )
Units of AccessLevel for expressing a users access to a document.
type Anarchy ¶
type Anarchy struct {
AllowCreate bool
}
Anarchy - Most basic implementation of an ACL, everyone has access to everything.
func (Anarchy) Authenticate ¶
func (a Anarchy) Authenticate(_ interface{}, _, _ string) AccessLevel
Authenticate - Always returns at least edit access, because anarchy.
type Authenticator ¶
type Authenticator interface { // Authenticate - Check a users access level. Leave documentID blank to check for CreateAccess. Authenticate(userMetadata interface{}, token, documentID string) AccessLevel }
Authenticator - Implemented by types able to validate tokens for editing or creating documents. This is abstracted in order to accommodate for multiple authentication strategies.
Authenticate is the single call for all access level queries. The userID and token strings are used to identify a specific user and session token respectively, it is up to the implementation to make use of these fields or disregard them entirely.
The documentID field is used to a identify a specific document for accessing. If this field is populated then the authenticator is expected to check the access level the user has for that specific document, if the document does not exist then NoAccess should be returned. If, however, the field is left blank then the authenticator is expected to check for CreateAccess.
func NewAnarchy ¶
func NewAnarchy(allowCreate bool) Authenticator
NewAnarchy - Create a new anarchy authenticator.
func NewRedis ¶
func NewRedis(config RedisConfig, logger log.Modular) Authenticator
NewRedis - Creates a Redis using the provided configuration.
type FileExists ¶
type FileExists struct {
// contains filtered or unexported fields
}
FileExists - An acl authenticator type that validates document edit sessions by checking that the document ID (the file path) exists. Can be configured to show hidden files.
func NewFileExists ¶
func NewFileExists(config FileExistsConfig, logger log.Modular) *FileExists
NewFileExists - Creates an File using the provided configuration.
func (*FileExists) Authenticate ¶
func (f *FileExists) Authenticate(_ interface{}, _, documentID string) AccessLevel
Authenticate - Checks whether the documentID (file path) exists, returns EditAccess if it does.
func (*FileExists) GetPaths ¶
func (f *FileExists) GetPaths() []string
GetPaths - Returns the cached list of file paths available.
type FileExistsConfig ¶
type FileExistsConfig struct { Path string `json:"path" yaml:"path"` ShowHidden bool `json:"show_hidden" yaml:"show_hidden"` RefreshPeriod int64 `json:"refresh_period_s" yaml:"refresh_period_s"` ReservedIgnores []string `json:"ignore_files" yaml:"ignore_files"` }
FileExistsConfig - A config object for the FileExists acl object.
func NewFileExistsConfig ¶
func NewFileExistsConfig() FileExistsConfig
NewFileExistsConfig - Returns a default config object for a FileExists object.
type Redis ¶
type Redis struct {
// contains filtered or unexported fields
}
Redis - An Authenticator type that uses Redis for passing authentication tokens into leaps.
Leaps can be configured to use Redis for authentication. A service can provide an access token to leaps on behalf of a prospective user by adding a single key to the shared redis instance that outlines the type of access to be provided.
The key should be the unique, one-use access token that is also shared with the user. The value is a JSON blob that details the credentials and access level of the authentication:
Key: <token> Value: { "access_level":"<access_level>", "user_id":"<user_id>", "document_id":"<document_id>" }
<token> The shared token that the user is also given and subsequently provides to leaps. <access_level> The access level that your service wishes to grant the user. <user_id> The id of the authenticated user. <document_id> The id of the document, omit or leave this blank if you are granting CREATE access.
The options for <access_level> are `CREATE`, `EDIT` and `READ`.
Once leaps has read and verified the auth token it will delete the key. Key/value pairs should have a TTL such that they will expire if not used.
func (*Redis) Authenticate ¶
func (s *Redis) Authenticate(userMetadata interface{}, token, documentID string) AccessLevel
Authenticate - Reads a key (token) from redis and parses the value to check for an access level.
type RedisConfig ¶
type RedisConfig struct { URL string `json:"url" yaml:"url"` Password string `json:"password" yaml:"password"` PoolIdleTOut int64 `json:"pool_idle_s" yaml:"pool_idle_s"` PoolMaxIdle int `json:"pool_max_idle" yaml:"pool_max_idle"` }
RedisConfig - A config object for the redis authentication object.
func NewRedisConfig ¶
func NewRedisConfig() RedisConfig
NewRedisConfig - Returns a default config object for a Redis.