Documentation ¶
Index ¶
- Constants
- func IdentityCaveats(url string) []checkers.Caveat
- func LoginMethods(client *http.Client, u *url.URL) (*params.LoginMethods, error)
- func StripDomain(idmClient *Client, domain string) identchecker.IdentityClient
- func UserDeclaration(username string) checkers.Caveat
- type Client
- func (c *Client) CacheEvict(username string)
- func (c *Client) CacheEvictAll()
- func (c *Client) CreateAgent(ctx context.Context, p *params.CreateAgentRequest) (*params.CreateAgentResponse, error)
- func (c *Client) DeclaredIdentity(ctx context.Context, declared map[string]string) (identchecker.Identity, error)
- func (c *Client) DeleteSSHKeys(ctx context.Context, p *params.DeleteSSHKeysRequest) error
- func (c *Client) DischargeTokenForUser(ctx context.Context, p *params.DischargeTokenForUserRequest) (params.DischargeTokenForUserResponse, error)
- func (c *Client) GetSSHKeys(ctx context.Context, p *params.SSHKeysRequest) (params.SSHKeysResponse, error)
- func (c *Client) IdentityFromContext(ctx context.Context) (identchecker.Identity, []checkers.Caveat, error)
- func (c *Client) ModifyUserGroups(ctx context.Context, p *params.ModifyUserGroupsRequest) error
- func (c *Client) PutSSHKeys(ctx context.Context, p *params.PutSSHKeysRequest) error
- func (c *Client) QueryUsers(ctx context.Context, p *params.QueryUsersRequest) ([]string, error)
- func (c *Client) SetUserDeprecated(ctx context.Context, p *params.SetUserRequest) error
- func (c *Client) SetUserExtraInfo(ctx context.Context, p *params.SetUserExtraInfoRequest) error
- func (c *Client) SetUserExtraInfoItem(ctx context.Context, p *params.SetUserExtraInfoItemRequest) error
- func (c *Client) SetUserGroups(ctx context.Context, p *params.SetUserGroupsRequest) error
- func (c *Client) User(ctx context.Context, p *params.UserRequest) (*params.User, error)
- func (c *Client) UserExtraInfo(ctx context.Context, p *params.UserExtraInfoRequest) (map[string]interface{}, error)
- func (c *Client) UserExtraInfoItem(ctx context.Context, p *params.UserExtraInfoItemRequest) (interface{}, error)
- func (c *Client) UserGroups(ctx context.Context, p *params.UserGroupsRequest) ([]string, error)
- func (c *Client) UserIDPGroups(ctx context.Context, p *params.UserIDPGroupsRequest) ([]string, error)
- func (c *Client) UserToken(ctx context.Context, p *params.UserTokenRequest) (*bakery.Macaroon, error)
- func (c *Client) VerifyToken(ctx context.Context, p *params.VerifyTokenRequest) (map[string]string, error)
- func (c *Client) WhoAmI(ctx context.Context, p *params.WhoAmIRequest) (params.WhoAmIResponse, error)
- type GroupCache
- type Identity
- type NewParams
- type PermChecker
Constants ¶
const (
	Production = "https://api.jujucharms.com/identity"
	Staging    = "https://api.staging.jujucharms.com/identity"
)
Variables ¶
This section is empty.
Functions ¶
func IdentityCaveats ¶
func IdentityCaveats(url string) []checkers.Caveat
IdentityCaveats returns a slice containing a third party "is-authenticated-user" caveat addressed to the identity server at the given URL that will authenticate the user when discharged. The user can be determined by calling Client.DeclaredIdentity on the declarations made by the discharge macaroon.
func LoginMethods ¶
func LoginMethods(client *http.Client, u *url.URL) (*params.LoginMethods, error)
LoginMethods returns information about the available login methods for the given URL, which is expected to be a URL as passed to a VisitWebPage function during the macaroon bakery discharge process.
func StripDomain ¶
func StripDomain(idmClient *Client, domain string) identchecker.IdentityClient
StripDomain returns an implementation of identchecker.IdentityClient that strips the given domain name off any user and group names returned from it. It also adds it as an @ suffix when querying for ACL membership for names that don't already contain a domain.
This is useful when an existing user of the identity manager needs to obtain backwardly compatible usernames when an identity manager is changed to add a domain suffix.
func UserDeclaration ¶
func UserDeclaration(username string) checkers.Caveat
UserDeclaration returns a first party caveat that can be used by an identity manager to declare an identity on a discharge macaroon.
Types ¶
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
Client represents the client of an identity server. It implements the identchecker.IdentityClient interface, so can be used directly to provide authentication for macaroon-based services.
func (*Client) CacheEvict ¶
func (c *Client) CacheEvict(username string)
CacheEvict evicts username from the user info cache.
func (*Client) CacheEvictAll ¶
func (c *Client) CacheEvictAll()
CacheEvictAll evicts everything from the user info cache.
func (*Client) CreateAgent ¶
func (c *Client) CreateAgent(ctx context.Context, p *params.CreateAgentRequest) (*params.CreateAgentResponse, error)
CreateAgent creates a new agent and returns the newly chosen username for the agent.
func (*Client) DeclaredIdentity ¶
func (c *Client) DeclaredIdentity(ctx context.Context, declared map[string]string) (identchecker.Identity, error)
DeclaredIdentity implements IdentityClient.DeclaredIdentity. On success, it returns a value that implements Identity as well as identchecker.Identity.
func (*Client) DeleteSSHKeys ¶
func (c *Client) DeleteSSHKeys(ctx context.Context, p *params.DeleteSSHKeysRequest) error
DeleteSSHKeys removes all of the ssh keys specified from the keys stored for the given user. It is not an error to attempt to remove a key that is not associated with the user.
func (*Client) DischargeTokenForUser ¶
func (c *Client) DischargeTokenForUser(ctx context.Context, p *params.DischargeTokenForUserRequest) (params.DischargeTokenForUserResponse, error)
DischargeTokenForUser allows an administrator to create a discharge token for the specified user.
func (*Client) GetSSHKeys ¶
func (c *Client) GetSSHKeys(ctx context.Context, p *params.SSHKeysRequest) (params.SSHKeysResponse, error)
GetSSHKeys returns any SSH keys stored for the given user.
func (*Client) IdentityFromContext ¶
func (c *Client) IdentityFromContext(ctx context.Context) (identchecker.Identity, []checkers.Caveat, error)
IdentityFromContext implements identchecker.IdentityClient.IdentityFromContext by returning caveats created by IdentityCaveats.
func (*Client) ModifyUserGroups ¶
func (c *Client) ModifyUserGroups(ctx context.Context, p *params.ModifyUserGroupsRequest) error
ModifyUserGroups updates the groups stored for the given user. Groups can be either added or removed in a single query. It is an error to try and both add and remove groups at the same time.
func (*Client) PutSSHKeys ¶
func (c *Client) PutSSHKeys(ctx context.Context, p *params.PutSSHKeysRequest) error
PutSSHKeys updates the set of SSH keys stored for the given user. If the add parameter is set to true then keys that are already stored will be added to, otherwise they will be replaced.
func (*Client) QueryUsers ¶
func (c *Client) QueryUsers(ctx context.Context, p *params.QueryUsersRequest) ([]string, error)
QueryUsers filters the user database for users that match the given request. If no filters are requested, all usernames will be returned.
func (*Client) SetUserDeprecated ¶
func (c *Client) SetUserDeprecated(ctx context.Context, p *params.SetUserRequest) error
SetUserDeprecated creates or updates the user with the given username. If the user already exists then any IDPGroups or SSHKeys specified in the request will be ignored. See SetUserGroups, ModifyUserGroups, SetSSHKeys and DeleteSSHKeys if you wish to manipulate these for a user. TODO change this into a create-agent function.
func (*Client) SetUserExtraInfo ¶
func (c *Client) SetUserExtraInfo(ctx context.Context, p *params.SetUserExtraInfoRequest) error
SetUserExtraInfo updates extra-info for the given user. For each specified extra-info field the stored values will be updated to be the specified value. All other values will remain unchanged.
func (*Client) SetUserExtraInfoItem ¶
func (c *Client) SetUserExtraInfoItem(ctx context.Context, p *params.SetUserExtraInfoItemRequest) error
SetUserExtraInfoItem updates the stored extra-info item with the given key for the given user.
func (*Client) SetUserGroups ¶
func (c *Client) SetUserGroups(ctx context.Context, p *params.SetUserGroupsRequest) error
SetUserGroups updates the groups stored for the given user to the given value.
func (*Client) UserExtraInfo ¶
func (c *Client) UserExtraInfo(ctx context.Context, p *params.UserExtraInfoRequest) (map[string]interface{}, error)
UserExtraInfo returns any stored extra-info for the given user.
func (*Client) UserExtraInfoItem ¶
func (c *Client) UserExtraInfoItem(ctx context.Context, p *params.UserExtraInfoItemRequest) (interface{}, error)
UserExtraInfoItem returns any stored extra-info item with the given key for the given user.
func (*Client) UserGroups ¶
func (c *Client) UserGroups(ctx context.Context, p *params.UserGroupsRequest) ([]string, error)
UserGroups returns the list of groups associated with the requested user.
func (*Client) UserIDPGroups ¶
func (c *Client) UserIDPGroups(ctx context.Context, p *params.UserIDPGroupsRequest) ([]string, error)
UserIDPGroups returns the list of groups associated with the requested user. This is deprecated and UserGroups should be used in preference.
func (*Client) UserToken ¶
func (c *Client) UserToken(ctx context.Context, p *params.UserTokenRequest) (*bakery.Macaroon, error)
UserToken returns a token, in the form of a macaroon, identifying the user. This token can only be generated by an administrator.
func (*Client) VerifyToken ¶
func (c *Client) VerifyToken(ctx context.Context, p *params.VerifyTokenRequest) (map[string]string, error)
VerifyToken verifies that the given token is a macaroon generated by this service and returns any declared values.
func (*Client) WhoAmI ¶
func (c *Client) WhoAmI(ctx context.Context, p *params.WhoAmIRequest) (params.WhoAmIResponse, error)
WhoAmI returns details of the authenticated user.
type GroupCache ¶
type GroupCache struct {
// contains filtered or unexported fields
}
GroupCache holds a cache of group membership information.
func NewGroupCache ¶
func NewGroupCache(c *Client, cacheTime time.Duration) *GroupCache
NewGroupCache returns a GroupCache that will cache group membership information.
It will cache results for at most cacheTime.
Note that use of this type should be avoided when possible - in the future it may not be possible to enumerate group membership for a user.
func (*GroupCache) CacheEvict ¶
func (c *GroupCache) CacheEvict(username string)
CacheEvict evicts username from the cache.
func (*GroupCache) CacheEvictAll ¶
func (c *GroupCache) CacheEvictAll()
CacheEvictAll evicts everything from the cache.
type Identity ¶
type Identity interface {
	identchecker.ACLIdentity

	// Username returns the user name of the user.
	Username() (string, error)

	// Groups returns all the groups that the user is a member of.
	//
	// Note: use of this method should be avoided if possible, as a user may
	// potentially be in huge numbers of groups.
	Groups() ([]string, error)
}
Identity represents an IDM identity. It includes bakery.ACLIdentity but also includes methods for determining the username and enquiring about groups.
Note that currently the Id method just returns the user name, but client code should not rely on it doing that - eventually it will return an opaque user identifier rather than the user name.
type NewParams ¶
type NewParams struct {
	// BaseURL holds the URL of the identity manager.
	BaseURL string

	// Client holds the client to use to make requests
	// to the identity manager.
	Client *httpbakery.Client

	// AgentUsername holds the username for group-fetching authorization.
	// If this is empty, no group information will be provided.
	// The agent key is expected to be held inside the Client.
	AgentUsername string

	// CacheTime holds the maximum duration for which
	// group membership information will be cached.
	// If this is zero, group membership information will not be cached.
	CacheTime time.Duration
}
NewParams holds the parameters for creating a new client.
type PermChecker ¶
type PermChecker struct {
// contains filtered or unexported fields
}
PermChecker provides a way to query ACLs using the identity client.
func NewPermChecker ¶
func NewPermChecker(c *Client, cacheTime time.Duration) *PermChecker
NewPermChecker returns a permission checker that uses the given identity client to check permissions.
It will cache results for at most cacheTime.
func NewPermCheckerWithCache ¶
func NewPermCheckerWithCache(cache *GroupCache) *PermChecker
NewPermCheckerWithCache returns a new PermChecker using the given cache for its group queries.
func (*PermChecker) Allow ¶
func (c *PermChecker) Allow(username string, acl []string) (bool, error)
Allow reports whether the given ACL admits the user with the given name. If the user does not exist and the ACL does not allow username or everyone, it will return (false, nil).
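The semantics documented for StripDomain, NewPermChecker and Allow, as an added illustration in plain Go that is not the package's own code: GroupFunc, sampleStore, sampleGroups, stripDomain, permChecker and its methods are hypothetical stand-ins built only from the documented behaviour (a bare name gains the "@domain" suffix before a membership query and returned group names lose it; "everyone" and the username match without a lookup; an unknown user yields (false, nil); a zero cacheTime disables caching as NewParams.CacheTime states). The identity data is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// GroupFunc is a hypothetical stand-in for the identity manager's group lookup.
type GroupFunc func(username string) ([]string, error)

// sampleStore is constructed data for a manager whose names carry a domain suffix;
// ErrNotFound is what it returns for users it does not know.
var sampleStore = map[string][]string{"alice@example.com": {"admins@example.com"}}
var ErrNotFound = errors.New("user not found")

func sampleGroups(username string) ([]string, error) {
	if g, ok := sampleStore[username]; ok {
		return g, nil
	}
	return nil, ErrNotFound
}

// stripDomain wraps a GroupFunc as StripDomain is documented to: a name without a
// domain gains "@domain" before lookup, and group names coming back lose it.
func stripDomain(inner GroupFunc, domain string) GroupFunc {
	suffix := "@" + domain
	return func(username string) ([]string, error) {
		if !strings.Contains(username, "@") {
			username += suffix
		}
		groups, err := inner(username)
		if err != nil {
			return nil, err
		}
		out := make([]string, 0, len(groups))
		for _, g := range groups {
			out = append(out, strings.TrimSuffix(g, suffix))
		}
		return out, nil
	}
}

// permChecker mirrors the documented PermChecker: lookups are cached for at most cacheTime.
type permChecker struct {
	src       GroupFunc
	cacheTime time.Duration
	groups    map[string][]string
	expires   map[string]time.Time
}

func (p *permChecker) lookup(username string) ([]string, error) {
	if p.groups == nil {
		p.groups, p.expires = map[string][]string{}, map[string]time.Time{}
	}
	if g, ok := p.groups[username]; ok && time.Now().Before(p.expires[username]) {
		return g, nil
	}
	g, err := p.src(username)
	if err != nil {
		return nil, err
	}
	if p.cacheTime > 0 { // zero disables caching, as NewParams.CacheTime documents
		p.groups[username], p.expires[username] = g, time.Now().Add(p.cacheTime)
	}
	return g, nil
}

// CacheEvict drops username's cached groups so a revoked membership takes effect early.
func (p *permChecker) CacheEvict(username string) {
	delete(p.groups, username)
	delete(p.expires, username)
}

// Allow reports whether acl admits username: "everyone" or the username itself match
// without a lookup; otherwise the user's groups decide, and an unknown user gives (false, nil).
func (p *permChecker) Allow(username string, acl []string) (bool, error) {
	for _, entry := range acl {
		if entry == "everyone" || entry == username {
			return true, nil
		}
	}
	groups, err := p.lookup(username)
	if errors.Is(err, ErrNotFound) {
		return false, nil
	} else if err != nil {
		return false, err // fail closed on any other lookup error
	}
	for _, entry := range acl {
		for _, g := range groups {
			if entry == g {
				return true, nil
			}
		}
	}
	return false, nil
}

func main() {
	pc := &permChecker{src: stripDomain(sampleGroups, "example.com"), cacheTime: time.Minute}
	fmt.Println(pc.Allow("alice", []string{"admins"})) // true <nil>
}
```

The cache is the part worth attention: once a user's groups are cached, a membership revoked at the identity manager stays invisible to Allow until cacheTime elapses or CacheEvict is called, which is why the documentation exposes eviction alongside the cache. Lookup errors other than "user not found" are returned rather than treated as a denial, so callers can distinguish "not permitted" from "could not check".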
func (*PermChecker) CacheEvict ¶
func (c *PermChecker) CacheEvict(username string)
CacheEvict evicts username from the cache.
func (*PermChecker) CacheEvictAll ¶
func (c *PermChecker) CacheEvictAll()
CacheEvictAll evicts everything from the cache.
Source Files ¶
Directories ¶
Path | Synopsis
---|---
idmtest | Package idmtest holds a mock implementation of the identity manager suitable for testing.
ussomacaroon | Package ussomacaroon provides a client that can authenticate with an identity server by discharging macaroons on an Ubuntu SSO server.
ussologin | Package ussologin defines functionality used for allowing clients to authenticate with the IDM server using USSO OAuth.