Documentation
Types ¶
type AddUserArg ¶
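// AddUserArg represents the arguments for creating a single user.
//
// Exactly one of two credential paths is taken at creation time: when
// Password is set the user is created with that password, otherwise a
// one-time activation key is generated for the user's first login.
type AddUserArg struct {
	// UUID is an optional unique identifier for the user.
	// If it is empty, one will be generated during creation.
	UUID user.UUID
	// Name is the identifying name for the user.
	Name user.Name
	// DisplayName is the user's short name for display.
	DisplayName string
	// Password is an optional password for the user.
	// If it is empty, a one-time key is generated for the user's first login.
	Password *auth.Password
	// CreatorUUID identifies the user that requested this creation.
	CreatorUUID user.UUID
	// Permission is the access to grant to the user upon creation.
	// If no permission is passed, then NoAccess is set.
	Permission permission.AccessSpec
}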
type PermissionService ¶
type PermissionService struct {
// contains filtered or unexported fields
}
PermissionService provides the API for working with permissions.
func NewPermissionService ¶
func NewPermissionService(st PermissionState) *PermissionService
NewPermissionService returns a new PermissionService for interacting with the underlying permission state.
func (*PermissionService) AllModelAccessForCloudCredential ¶
func (s *PermissionService) AllModelAccessForCloudCredential(ctx context.Context, key credential.Key) ([]access.CredentialOwnerModelAccess, error)
AllModelAccessForCloudCredential returns, for the given (cloud) credential key, every model name and model access level combination associated with that credential.
func (*PermissionService) CreatePermission ¶
func (s *PermissionService) CreatePermission(ctx context.Context, spec corepermission.UserAccessSpec) (corepermission.UserAccess, error)
CreatePermission gives the user access per the provided spec. The underlying state requires that no permission already exists for the user/target combination (see PermissionState.CreatePermission); use UpdatePermission to change an existing one. All errors are passed through from the spec validation and state layer.
func (*PermissionService) DeletePermission ¶
func (s *PermissionService) DeletePermission(ctx context.Context, subject user.Name, target corepermission.ID) error
DeletePermission removes the given user's access to the given target. A NotValid error is returned if the subject (user) string is empty, or the target is not valid. Any errors from the state layer are passed through.
func (*PermissionService) EnsureExternalUserIfAuthorized ¶
func (s *PermissionService) EnsureExternalUserIfAuthorized(ctx context.Context, subject user.Name, target corepermission.ID) error
EnsureExternalUserIfAuthorized checks whether an external user is missing from the database while still holding permissions on the given target. If so, the user is added. This ensures that juju has a record of external users that have inherited their permissions from everyone@external.
func (*PermissionService) ReadAllAccessForUserAndObjectType ¶
func (s *PermissionService) ReadAllAccessForUserAndObjectType(ctx context.Context, subject user.Name, objectType corepermission.ObjectType) ([]corepermission.UserAccess, error)
ReadAllAccessForUserAndObjectType returns a slice of user access for the specified user restricted to the given object type, e.g. all clouds the user has access to. A NotValid error is returned if the given object type does not exist, or the subject (user) is an empty string.
func (*PermissionService) ReadAllUserAccessForTarget ¶
func (s *PermissionService) ReadAllUserAccessForTarget(ctx context.Context, target corepermission.ID) ([]corepermission.UserAccess, error)
ReadAllUserAccessForTarget return a slice of user access for all users with access to the given target. A NotValid error is returned if the target is not valid. Any errors from the state layer are passed through.
func (*PermissionService) ReadAllUserAccessForUser ¶
func (s *PermissionService) ReadAllUserAccessForUser(ctx context.Context, subject user.Name) ([]corepermission.UserAccess, error)
ReadAllUserAccessForUser returns a slice of the user access the given user has for any access type. A NotValid error is returned if the subject (user) string is empty. Any errors from the state layer are passed through.
func (*PermissionService) ReadUserAccessForTarget ¶
func (s *PermissionService) ReadUserAccessForTarget(ctx context.Context, subject user.Name, target corepermission.ID) (corepermission.UserAccess, error)
ReadUserAccessForTarget returns the user access for the given user on the given target. A NotValid error is returned if the subject (user) string is empty, or the target is not valid. Any errors from the state layer are passed through.
func (*PermissionService) ReadUserAccessLevelForTarget ¶
func (s *PermissionService) ReadUserAccessLevelForTarget(ctx context.Context, subject user.Name, target corepermission.ID) (corepermission.Access, error)
ReadUserAccessLevelForTarget returns the user access level for the given user on the given target. A NotValid error is returned if the subject (user) string is empty, or the target is not valid. Any errors from the state layer are passed through. If the access level of a user cannot be found then accesserrors.AccessNotFound is returned.
func (*PermissionService) UpdatePermission ¶
func (s *PermissionService) UpdatePermission(ctx context.Context, args access.UpdatePermissionArgs) error
UpdatePermission updates the permission on the target for the given subject (user). If the subject is an external user, and they do not exist, they are created. Access can be granted or revoked. Revoking Read access will delete the permission. accesserrors.UserNotFound is returned if the user is local and does not exist in the users table. accesserrors.PermissionAccessGreater is returned when a grant would not raise the user's access, i.e. the user already holds an access level greater than or equal to the one being granted (the original wording is ambiguous here; confirm against the state implementation).
type PermissionState ¶
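// PermissionState describes retrieval and persistence methods for user
// permission on various targets.
//
// Input validation (empty subject, invalid target) is documented on the
// PermissionService methods that wrap these; the state layer is expected to
// receive already-validated arguments.
type PermissionState interface {
	// CreatePermission gives the user access per the provided spec.
	// It requires the user/target combination has not already been
	// created. The uuid argument is presumably the identifier assigned to
	// the new permission record — confirm against the implementation.
	CreatePermission(ctx context.Context, uuid uuid.UUID, spec permission.UserAccessSpec) (permission.UserAccess, error)

	// DeletePermission removes the given subject's (user) access to the
	// given target.
	DeletePermission(ctx context.Context, subject user.Name, target permission.ID) error

	// UpdatePermission updates the permission on the target for the given
	// subject (user). If a subject does not exist, it is created using the
	// subject and api user. Access can be granted or revoked.
	UpdatePermission(ctx context.Context, args access.UpdatePermissionArgs) error

	// ReadUserAccessForTarget returns the subject's (user) access on the
	// given target.
	ReadUserAccessForTarget(ctx context.Context, subject user.Name, target permission.ID) (permission.UserAccess, error)

	// ReadUserAccessLevelForTarget returns the subject's (user) access level
	// on the given target.
	// If the access level of a user cannot be found then
	// accesserrors.AccessNotFound is returned.
	ReadUserAccessLevelForTarget(ctx context.Context, subject user.Name, target permission.ID) (permission.Access, error)

	// EnsureExternalUserIfAuthorized checks if an external user is missing
	// from the database and has permissions on an object. If they do then
	// they will be added. This ensures that juju has a record of external
	// users that have inherited their permissions from everyone@external.
	EnsureExternalUserIfAuthorized(ctx context.Context, subject user.Name, target permission.ID) error

	// ReadAllUserAccessForUser returns a slice of the user access the given
	// subject (user) has for any access type.
	ReadAllUserAccessForUser(ctx context.Context, subject user.Name) ([]permission.UserAccess, error)

	// ReadAllUserAccessForTarget returns a slice of user access for all
	// users with access to the given target.
	ReadAllUserAccessForTarget(ctx context.Context, target permission.ID) ([]permission.UserAccess, error)

	// ReadAllAccessForUserAndObjectType returns a slice of user access for
	// the subject (user) specified and of the given object type,
	// e.g. all clouds the user has access to.
	ReadAllAccessForUserAndObjectType(ctx context.Context, subject user.Name, objectType permission.ObjectType) ([]permission.UserAccess, error)

	// AllModelAccessForCloudCredential returns, for the given (cloud)
	// credential key, all model name and model access level combinations.
	AllModelAccessForCloudCredential(ctx context.Context, key credential.Key) ([]access.CredentialOwnerModelAccess, error)
}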
type Sealer ¶
// Sealer seals a byte slice for a particular user. An implementation holds
// the user's box and applies the supplied nonce, so that callers can
// encrypt a response for that user without ever being handed the key
// material that would let them open the user's own sealed payload.
type Sealer interface {
	// Seal encrypts payload under the user's box using nonce and returns
	// the sealed bytes, or an error if sealing fails.
	Seal(nonce, payload []byte) ([]byte, error)
}
type Service ¶
// Service is the access API handed to callers. It composes UserService
// (identity and authentication) with PermissionService (authorization) by
// embedding, so one value exposes the methods of both.
type Service struct {
	*UserService
	*PermissionService
}
func NewService ¶
NewService returns a new Service for interacting with the underlying access state.
type State ¶
// State is the persistence contract behind Service: the union of UserState
// and PermissionState, so that a single implementation can back both the
// user and the permission halves of the API.
type State interface {
	UserState
	PermissionState
}
type UserService ¶
type UserService struct {
// contains filtered or unexported fields
}
UserService provides the API for working with users.
func NewUserService ¶
func NewUserService(st UserState) *UserService
NewUserService returns a new UserService for interacting with the underlying user state.
func (*UserService) AddExternalUser ¶
func (s *UserService) AddExternalUser(ctx context.Context, name user.Name, displayName string, creatorUUID user.UUID) error
AddExternalUser adds a new external user to the database without setting a password or activation key. Such a user therefore has no local credential for GetUserByAuth to verify and is presumably authenticated by an external identity provider (confirm against callers). The following error types are possible from this function:
- accesserrors.UserNameNotValid: When the username supplied is not valid.
- accesserrors.UserAlreadyExists: If a user with the supplied name already exists.
- accesserrors.CreatorUUIDNotFound: If the creator supplied for the user does not exist.
func (*UserService) AddUser ¶
func (s *UserService) AddUser(ctx context.Context, arg AddUserArg) (user.UUID, []byte, error)
AddUser will add a new user to the database and return the UUID of the user if successful. If no password is set in the incoming argument, the user will be added with an activation key; the []byte return value is presumably that key (and empty when a password was supplied) and must be treated as a secret — confirm against the implementation. The following error types are possible from this function:
- accesserrors.UserNameNotValid: When the username supplied is not valid.
- accesserrors.UserAlreadyExists: If a user with the supplied name already exists.
- accesserrors.CreatorUUIDNotFound: If a creator has been supplied for the user and the creator does not exist.
- auth.ErrPasswordNotValid: If the password supplied is not valid.
func (*UserService) DisableUserAuthentication ¶
DisableUserAuthentication will disable the user for authentication. The following error types are possible from this function: - accesserrors.UserNameNotValid: When the username supplied is not valid. - accesserrors.NotFound: If no user by the given name exists.
func (*UserService) EnableUserAuthentication ¶
EnableUserAuthentication will enable the user for authentication. The following error types are possible from this function: - accesserrors.UserNameNotValid: When the username supplied is not valid. - accesserrors.NotFound: If no user by the given name exists.
func (*UserService) GetAllUsers ¶
GetAllUsers will retrieve all users with authentication information (last login, disabled) from the database. The includeDisabled flag presumably controls whether users whose authentication has been disabled appear in the result — confirm against the state implementation. If no users exist an empty slice will be returned.
func (*UserService) GetUser ¶
GetUser will find and return the user with the given UUID. If there is no user for the UUID then an error that satisfies accesserrors.NotFound will be returned.
func (*UserService) GetUserByAuth ¶
func (s *UserService) GetUserByAuth( ctx context.Context, name user.Name, password auth.Password, ) (user.User, error)
GetUserByAuth will find and return the user matching the given name and password. If there is no user for the name and password, then an error that satisfies accesserrors.NotFound will be returned. If supplied with an invalid user name then an error that satisfies accesserrors.UserNameNotValid will be returned. It will not return users that have been previously removed. Whether a user whose authentication has been disabled is rejected here is not stated; callers authenticating a login should also check the disabled information on the returned user.
func (*UserService) GetUserByName ¶
GetUserByName will find and return the user associated with name. If there is no user for the user name then an error that satisfies accesserrors.NotFound will be returned. If supplied with an invalid user name then an error that satisfies accesserrors.UserNameNotValid will be returned.
GetUserByName will not return users that have been previously removed.
func (*UserService) LastModelLogin ¶
func (s *UserService) LastModelLogin(ctx context.Context, name user.Name, modelUUID coremodel.UUID) (time.Time, error)
LastModelLogin will return the last login time of the specified user on the specified model. The following error types are possible from this function: - accesserrors.UserNameNotValid: When the username is not valid. - accesserrors.UserNotFound: When the user cannot be found. - modelerrors.NotFound: If no model by the given modelUUID exists. - accesserrors.UserNeverAccessedModel: If there is no record of the user accessing the model.
func (*UserService) RemoveUser ¶
RemoveUser marks the user as removed and removes any credentials or activation keys for that user. Once a user is removed they are no longer usable in Juju and should never be un-removed. The following error types are possible from this function: - accesserrors.UserNameNotValid: When the username supplied is not valid. - accesserrors.NotFound: If no user by the given name exists.
func (*UserService) ResetPassword ¶
ResetPassword will remove any active passwords for a user and generate a new activation key for the user to use to set a new password. The returned []byte is presumably that activation key and must be handled as a secret. The following error types are possible from this function: - accesserrors.UserNameNotValid: When the username supplied is not valid. - accesserrors.NotFound: If no user by the given name exists.
func (*UserService) SetLastModelLogin ¶
func (s *UserService) SetLastModelLogin(ctx context.Context, name user.Name, modelUUID coremodel.UUID, lastLogin time.Time) error
SetLastModelLogin will set the last login time for the user on the given model to the supplied value. The following error types are possible from this function: - accesserrors.UserNameNotValid: When the username supplied is not valid. - accesserrors.UserNotFound: When the user cannot be found. - modelerrors.NotFound: If no model by the given modelUUID exists.
func (*UserService) SetPassword ¶
SetPassword changes the users password to the new value and removes any active activation keys for the users. The following error types are possible from this function:
- accesserrors.UserNameNotValid: When the username supplied is not valid.
- accesserrors.NotFound: If no user by the given name exists.
- internal/auth.ErrPasswordNotValid: If the password supplied is not valid.
func (*UserService) SetPasswordWithActivationKey ¶
func (s *UserService) SetPasswordWithActivationKey(ctx context.Context, name user.Name, nonce, box []byte) (Sealer, error)
SetPasswordWithActivationKey uses the user's stored activation key to open the sealed box and then applies the password carried in the payload. If the user does not exist an error that satisfies accesserrors.NotFound will be returned. If the nonce is not the correct length an error that satisfies errors.NotValid will be returned.
This uses NaCl secretbox to open the box with the activation key and nonce, then unmarshals the payload to set the new password for the user. If the payload cannot be unmarshalled an error will be returned. Because the key and nonce together can unbox the secret, they must not be handed back to the caller; instead a Sealer is returned that can seal the response payload without exposing them. Setting the password presumably goes through UserState.SetPasswordHash, which removes any active activation keys, making the key single-use — confirm against the implementation.
func (*UserService) UpdateLastModelLogin ¶
func (s *UserService) UpdateLastModelLogin(ctx context.Context, name user.Name, modelUUID coremodel.UUID) error
UpdateLastModelLogin will update the last login time for the user. The following error types are possible from this function: - accesserrors.UserNameNotValid when the username supplied is not valid. - accesserrors.UserNotFound when the user cannot be found. - [modelerrors.NotFound] if no model by the given modelUUID exists.
type UserState ¶
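// UserState describes retrieval and persistence methods for user identity
// and authentication.
//
// Password material crosses this boundary in two forms: AddUserWithPasswordHash
// and SetPasswordHash receive an already computed hash and salt, while
// GetUserByAuth receives an auth.Password to verify. Activation keys are
// returned raw by GetActivationKey and must be treated as secrets by callers.
//
// NOTE(review): the creator-not-found error is named
// accesserrors.UserCreatorUUIDNotFound here but accesserrors.CreatorUUIDNotFound
// in the UserService docs; one of the two is stale — confirm.
type UserState interface {
	// AddUser will add a new user to the database. If the user already exists
	// an error that satisfies accesserrors.UserAlreadyExists will be returned.
	// If the user's creator is set and does not exist then an error that
	// satisfies accesserrors.UserCreatorUUIDNotFound will be returned.
	AddUser(
		ctx context.Context,
		uuid user.UUID,
		name user.Name,
		displayName string,
		external bool,
		creatorUUID user.UUID,
	) error

	// AddUserWithPasswordHash will add a new user to the database with the
	// provided password hash and salt (hashing is presumably done by the
	// caller). If the user already exists an error that satisfies
	// accesserrors.UserAlreadyExists will be returned. If the user's creator
	// does not exist or has been previously removed an error that satisfies
	// accesserrors.UserCreatorUUIDNotFound will be returned.
	AddUserWithPasswordHash(
		ctx context.Context,
		uuid user.UUID,
		name user.Name,
		displayName string,
		creatorUUID user.UUID,
		permission permission.AccessSpec,
		passwordHash string,
		passwordSalt []byte,
	) error

	// AddUserWithActivationKey will add a new user to the database with the
	// provided activation key. If the user already exists an error that
	// satisfies accesserrors.UserAlreadyExists will be returned. If the user's
	// creator does not exist or has been previously removed an error that
	// satisfies accesserrors.UserCreatorUUIDNotFound will be returned.
	AddUserWithActivationKey(
		ctx context.Context,
		uuid user.UUID,
		name user.Name,
		displayName string,
		creatorUUID user.UUID,
		permission permission.AccessSpec,
		activationKey []byte,
	) error

	// GetAllUsers will retrieve all users with authentication information
	// (last login, disabled) from the database. If no users exist an empty
	// slice will be returned.
	GetAllUsers(ctx context.Context, includeDisabled bool) ([]user.User, error)

	// GetUser will retrieve the user with authentication information
	// (last login, disabled) specified by UUID from the database.
	// If the user does not exist an error that satisfies
	// accesserrors.UserNotFound will be returned.
	GetUser(context.Context, user.UUID) (user.User, error)

	// GetUserByName will retrieve the user with authentication information
	// (last login, disabled) specified by name from the database. If the user
	// does not exist an error that satisfies accesserrors.UserNotFound will
	// be returned.
	GetUserByName(ctx context.Context, name user.Name) (user.User, error)

	// GetUserByAuth will retrieve the user specified by name, checking the
	// supplied password against the stored authentication information. If the
	// user does not exist an error that satisfies accesserrors.UserNotFound
	// will be returned.
	GetUserByAuth(context.Context, user.Name, auth.Password) (user.User, error)

	// RemoveUser marks the user as removed. This obviates the ability of a
	// user to function, but keeps the user retaining provenance, i.e.
	// auditing. RemoveUser will also remove any credentials and activation
	// keys for the user. If no user exists for the given user name then an
	// error that satisfies accesserrors.UserNotFound will be returned.
	RemoveUser(context.Context, user.Name) error

	// SetActivationKey removes any active passwords for the user and sets the
	// activation key. If no user is found for the supplied user name an error
	// is returned that satisfies accesserrors.UserNotFound.
	SetActivationKey(context.Context, user.Name, []byte) error

	// GetActivationKey will retrieve the activation key for the user.
	// If no user is found for the supplied user name an error is returned
	// that satisfies accesserrors.UserNotFound.
	GetActivationKey(context.Context, user.Name) ([]byte, error)

	// SetPasswordHash removes any active activation keys and sets the user
	// password hash (string) and salt ([]byte). If no user is found for the
	// supplied user name an error is returned that satisfies
	// accesserrors.UserNotFound.
	SetPasswordHash(context.Context, user.Name, string, []byte) error

	// EnableUserAuthentication will enable the user for authentication.
	// If no user is found for the supplied user name an error is returned
	// that satisfies accesserrors.UserNotFound.
	EnableUserAuthentication(context.Context, user.Name) error

	// DisableUserAuthentication will disable the user for authentication.
	// If no user is found for the supplied user name an error is returned
	// that satisfies accesserrors.UserNotFound.
	DisableUserAuthentication(context.Context, user.Name) error

	// UpdateLastModelLogin will update the last login time for the user on
	// the given model to the supplied time.
	// The following error types are possible from this function:
	// - accesserrors.UserNameNotValid: When the username is not valid.
	// - accesserrors.UserNotFound: When the user cannot be found.
	// - modelerrors.NotFound: If no model by the given modelUUID exists.
	UpdateLastModelLogin(context.Context, user.Name, coremodel.UUID, time.Time) error

	// LastModelLogin will return the last login time of the specified user
	// on the given model.
	// The following error types are possible from this function:
	// - accesserrors.UserNameNotValid: When the username is not valid.
	// - accesserrors.UserNotFound: When the user cannot be found.
	// - modelerrors.NotFound: If no model by the given modelUUID exists.
	// - accesserrors.UserNeverAccessedModel: If there is no record of the
	//   user accessing the model.
	LastModelLogin(context.Context, user.Name, coremodel.UUID) (time.Time, error)
}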