Documentation
Overview
Package auth provides authentication and authorization constructs.
Constants
const (
	AccessLevelNone   = acl.AccessLevelNone
	AccessLevelRead   = acl.AccessLevelRead   // RO access
	AccessLevelAppend = acl.AccessLevelAppend // RO + create new
	AccessLevelFull   = acl.AccessLevelFull   // read/write/delete
)
Access levels are defined in the 'acl' package and forwarded here so that 'acl' can easily implement the AuthorizationInfo interface.
Variables
var ContentRule = acl.TargetRule{
	manifest.TypeLabelKey: acl.ContentManifestType,
}
ContentRule is a special target rule that targets contents instead of manifests.
var DefaultACLs = []*acl.Entry{
	{
		User:   anyUser,
		Target: ContentRule,
		Access: acl.AccessLevelAppend,
	},
	{
		User: anyUser,
		Target: acl.TargetRule{
			manifest.TypeLabelKey:  policy.ManifestType,
			policy.PolicyTypeLabel: policy.PolicyTypeGlobal,
		},
		Access: AccessLevelRead,
	},
	{
		User: anyUser,
		Target: acl.TargetRule{
			manifest.TypeLabelKey:  policy.ManifestType,
			policy.PolicyTypeLabel: policy.PolicyTypeHost,
			policy.HostnameLabel:   acl.OwnHost,
		},
		Access: AccessLevelRead,
	},
	{
		User: anyUser,
		Target: acl.TargetRule{
			manifest.TypeLabelKey: policy.ManifestType,
			policy.UsernameLabel:  acl.OwnUser,
			policy.HostnameLabel:  acl.OwnHost,
		},
		Access: acl.AccessLevelFull,
	},
	{
		User: anyUser,
		Target: acl.TargetRule{
			manifest.TypeLabelKey:  snapshot.ManifestType,
			snapshot.UsernameLabel: acl.OwnUser,
			snapshot.HostnameLabel: acl.OwnHost,
		},
		Access: acl.AccessLevelFull,
	},
	{
		User: anyUser,
		Target: acl.TargetRule{
			manifest.TypeLabelKey:            user.ManifestType,
			user.UsernameAtHostnameLabel: acl.OwnUser + "@" + acl.OwnHost,
		},
		Access: acl.AccessLevelFull,
	},
}
DefaultACLs specifies the default ACL entries.
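To make the effect of DefaultACLs concrete, the following is an added, self-contained model (not this package's own code) of how the manifest-targeting entries above resolve for a given user@host. It assumes the label keys, the OwnUser/OwnHost placeholder values, substring substitution of those placeholders into rule values, and highest-matching-level-wins semantics; the real rules live in the acl, manifest, policy, snapshot and user packages.

```go
package main

import "strings"

// Assumed ordering (not stated on the page): None < Read < Append < Full.
type AccessLevel int

const (
	AccessLevelNone AccessLevel = iota
	AccessLevelRead
	AccessLevelAppend
	AccessLevelFull

	// Constructed stand-ins for acl.OwnUser, acl.OwnHost and the label keys used by the rules.
	OwnUser      = "OWN_USER"
	OwnHost      = "OWN_HOST"
	TypeLabelKey = "type"
)

type TargetRule map[string]string
type Entry struct{ Target TargetRule; Access AccessLevel }

// DefaultEntries restates the manifest rows of DefaultACLs above using the stand-ins.
var DefaultEntries = []Entry{
	{TargetRule{TypeLabelKey: "policy", "policyType": "global"}, AccessLevelRead},
	{TargetRule{TypeLabelKey: "policy", "policyType": "host", "hostname": OwnHost}, AccessLevelRead},
	{TargetRule{TypeLabelKey: "policy", "username": OwnUser, "hostname": OwnHost}, AccessLevelFull},
	{TargetRule{TypeLabelKey: "snapshot", "username": OwnUser, "hostname": OwnHost}, AccessLevelFull},
	{TargetRule{TypeLabelKey: "user", "username": OwnUser + "@" + OwnHost}, AccessLevelFull},
}

// matches (assumed semantics): every key the rule names must be present in labels with the same value once the caller's user and host replace the stand-ins.
func matches(rule TargetRule, labels map[string]string, username, hostname string) bool {
	for key, want := range rule {
		want = strings.ReplaceAll(strings.ReplaceAll(want, OwnUser, username), OwnHost, hostname)
		if got, ok := labels[key]; !ok || got != want {
			return false
		}
	}
	return true
}

// EffectiveAccess (assumed semantics): the highest level among matching entries wins; a manifest matched by no entry is inaccessible.
func EffectiveAccess(entries []Entry, labels map[string]string, username, hostname string) AccessLevel {
	level := AccessLevelNone
	for _, e := range entries {
		if matches(e.Target, labels, username, hostname) && e.Access > level {
			level = e.Access
		}
	}
	return level
}
```

With these defaults a user can fully manage only their own user@host policy, snapshots and user manifest, read global and own-host policies, and see nothing else.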
Functions
This section is empty.
Types
type AccessLevel
type AccessLevel = acl.AccessLevel
AccessLevel specifies access level when accessing repository objects.
type Authenticator
type Authenticator interface {
	IsValid(ctx context.Context, rep repo.Repository, username, password string) bool
	Refresh(ctx context.Context) error
}
Authenticator verifies that the provided username/password is valid.
func AuthenticateHtpasswdFile
func AuthenticateHtpasswdFile(f *htpasswd.File) Authenticator
AuthenticateHtpasswdFile returns an authenticator that accepts users in the provided htpasswd file.
func AuthenticateRepositoryUsers
func AuthenticateRepositoryUsers() Authenticator
AuthenticateRepositoryUsers returns an Authenticator that accepts username/password combinations stored in 'user' manifests in the repository.
func AuthenticateSingleUser
func AuthenticateSingleUser(expectedUsername, expectedPassword string) Authenticator
AuthenticateSingleUser returns an Authenticator that only allows one username/password combination.
func CombineAuthenticators
func CombineAuthenticators(authenticators ...Authenticator) Authenticator
CombineAuthenticators returns an Authenticator that applies the provided authenticators in order and returns true if any of them accepts the given username/password combination.
type AuthorizationInfo
type AuthorizationInfo interface {
	// ContentAccessLevel determines whether the user can read/write contents.
	ContentAccessLevel() AccessLevel

	// ManifestAccessLevel determines whether the user has access to a manifest with given labels.
	ManifestAccessLevel(labels map[string]string) AccessLevel
}
AuthorizationInfo determines the logged-in user's access level.
func NoAccess
func NoAccess() AuthorizationInfo
NoAccess returns AuthorizationInfo which grants no permissions.
type Authorizer
type Authorizer interface {
	Authorize(ctx context.Context, rep repo.Repository, username string) AuthorizationInfo
	Refresh(ctx context.Context) error
}
Authorizer gets authorization info for the logged-in user.
func DefaultAuthorizer
func DefaultAuthorizer() Authorizer
DefaultAuthorizer returns an Authorizer that fetches ACLs from the repository and evaluates them in the context of the current user to determine their permission levels. It falls back to the legacy authorizer if no ACL entries are defined in the repository.
func LegacyAuthorizer
func LegacyAuthorizer() Authorizer
LegacyAuthorizer returns an Authorizer that applies the legacy (pre-ACL) authorization rules: authenticated users can see only their own snapshots and policies.