auth

package
v1.12.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 13, 2022 License: AGPL-3.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	AdminUsername        = "admin@candid"
	SSHKeyGetterGroup    = "sshkeygetter@candid"
	GroupListGroup       = "grouplist@candid"
	UserInformationGroup = "userinfo@candid"
)
View Source 
const (
	ActionRead                    = "read"
	ActionVerify                  = "verify"
	ActionDischargeFor            = "dischargeFor"
	ActionDischarge               = "discharge"
	ActionCreateAgent             = "createAgent"
	ActionCreateParentAgent       = "createParentAgent"
	ActionReadAdmin               = "readAdmin"
	ActionWriteAdmin              = "writeAdmin"
	ActionReadGroups              = "readGroups"
	ActionWriteGroups             = "writeGroups"
	ActionReadSSHKeys             = "readSSHKeys"
	ActionWriteSSHKeys            = "writeSSHKeys"
	ActionLogin                   = "login"
	ActionReadDischargeToken      = "read-discharge-token"
	ActionClearUserMFACredentials = "clearUserMFACredentials"
)

The following constants define possible operation actions.

Variables

View Source 
var AdminProviderID = store.MakeProviderIdentity("idm", "admin")
View Source 
var Namespace = checkers.NewNamespace(map[string]string{
	checkers.StdNamespace:        "",
	httpbakery.CheckersNamespace: "http",
	checkersNamespace:            "",
})

Namespace contains the checkers.Namespace supported by the identity service.

Functions

func CheckUserDomain 

func CheckUserDomain(ctx context.Context, username string) error

CheckUserDomain checks that the given user name has a valid domain name with respect to the given context (see also ContextWithRequiredDomain).

func ContextWithDischargeID 

func ContextWithDischargeID(ctx context.Context, dischargeID string) context.Context

ContextWithDischargeID returns a context with the given discharge ID stored.

func ContextWithRequiredDomain 

func ContextWithRequiredDomain(ctx context.Context, domain string) context.Context

ContextWithRequiredDomain returns a context associated with the given domain, such that declared identities will only be allowed if they have that domain.

func ContextWithUserCredentials 

func ContextWithUserCredentials(ctx context.Context, username, password string) context.Context

ContextWithUserCredentials returns a context with the given user credentials attached. These will then be checked when performing authorizations.

func ContextWithUsername 

func ContextWithUsername(ctx context.Context, username string) context.Context

ContextWithUsername returns a context with the given username stored. Any user attached to the context will be considered authenticated by IdentityFromContext.

func DomainDischargeOp 

func DomainDischargeOp(domain string) bakery.Op

DomainDischargeOp creates an operation that is discharging the specified domain.

func GlobalOp 

func GlobalOp(action string) bakery.Op

GlobalOp is an operation that is not specific to a user.

func GroupsDischargeOp 

func GroupsDischargeOp(groups []string) bakery.Op

GroupsDischargeOp creates an operation that is discharging as a user in one of the specified groups.

func NewChecker 

func NewChecker(a *Authorizer) *checkers.Checker

func UserHasPublicKeyCaveat 

func UserHasPublicKeyCaveat(user params.Username, pk *bakery.PublicKey) checkers.Caveat

UserHasPublicKeyCaveat creates a first-party caveat that ensures that the given user is associated with the given public key.

func UserIDOp 

func UserIDOp(uid string, action string) bakery.Op

UserIDOp is an operation specific to a user ID.

func UserOp 

func UserOp(u params.Username, action string) bakery.Op

UserOp is an operation specific to a username.

Types

type Authorizer 

type Authorizer struct {
	// contains filtered or unexported fields
}

An Authorizer is used to authorize operations in the identity server.

func New 

func New(params Params) (*Authorizer, error)

New creates a new Authorizer for authorizing identity server operations.

func (*Authorizer) Auth 

func (a *Authorizer) Auth(ctx context.Context, mss []macaroon.Slice, ops ...bakery.Op) (*identchecker.AuthInfo, error)

Auth checks that client, as identified by the given context and macaroons, is authorized to perform the given operations. It may return an bakery.DischargeRequiredError when further checks are required, or params.ErrUnauthorized if the user is authenticated but does not have the required authorization.

func (*Authorizer) DeclaredIdentity 

func (a *Authorizer) DeclaredIdentity(ctx context.Context, declared map[string]string) (identchecker.Identity, error)

DeclaredIdentity implements identchecker.IdentityClient.DeclaredIdentity by retrieving the user information from the declared map.

func (*Authorizer) Identity 

func (a *Authorizer) Identity(ctx context.Context, id *store.Identity) (*Identity, error)

Identity creates a new identity for the user identified by the given store.Identity.

func (*Authorizer) IdentityFromContext 

func (a *Authorizer) IdentityFromContext(ctx context.Context) (identchecker.Identity, []checkers.Caveat, error)

IdentityFromContext implements identchecker.IdentityClient.IdentityFromContext by looking for admin credentials in the context.

func (*Authorizer) SetAdminPublicKey 

func (a *Authorizer) SetAdminPublicKey(ctx context.Context, pk *bakery.PublicKey) error

SetAdminPublicKey configures the public key on the admin user. This is to allow agent login as the admin user.

type Identity 

type Identity struct {
	store.Identity
	// contains filtered or unexported fields
}

An Identity is the implementation of identchecker.Identity used in the identity server.

func (*Identity) Allow 

func (id *Identity) Allow(ctx context.Context, acl []string) (bool, error)

Allow implements identchecker.ACLIdentity.Allow by checking whether the given identity is in any of the required groups or users.

func (*Identity) Domain 

func (id *Identity) Domain() string

Domain implements identchecker.Identity.Domain.

func (*Identity) Groups 

func (id *Identity) Groups(ctx context.Context) ([]string, error)

Groups returns all the groups associated with the user. The groups include those stored in the identity server's database along with any retrieved by the relevent identity provider's GetGroups method. Once the set of groups has been determined it is cached in the Identity.

func (*Identity) Id 

func (id *Identity) Id() string

Id implements identchecker.Identity.Id.

type Params 

type Params struct {
	// AdminPassword is the password of the admin user in the
	// identity server.
	AdminPassword string

	// Location is the url of the discharger that third-party caveats
	// will be addressed to. This should be the address of this
	// identity server.
	Location string

	// MacaroonVerifier is the store of macaroon operations and root
	// keys.
	MacaroonVerifier bakery.MacaroonVerifier

	// Store is the identity store.
	Store store.Store

	// IdentityProviders contains the set of identity providers that
	// are configured for the service. The authenticatore uses these
	// to get group information for authenticated users.
	IdentityProviders []idp.IdentityProvider

	// ACLStore is the acl store.
	ACLManager *aclstore.Manager
}

Params specifify the configuration parameters for a new Authroizer.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.