Documentation ¶
Overview ¶
Package auth provides authentication and authorization constructs.
Index ¶
Constants ¶
const ( AccessLevelNone = acl.AccessLevelNone AccessLevelRead = acl.AccessLevelRead // RO access AccessLevelAppend = acl.AccessLevelAppend // RO + create new AccessLevelFull = acl.AccessLevelFull // read/write/delete )
Access levels forwarded to 'acl' package to allow it to easily implement AuthorizationInfo interface.
Variables ¶
var ContentRule = acl.TargetRule{ manifest.TypeLabelKey: acl.ContentManifestType, }
ContentRule is a special target rule that targets contents instead of manifests.
var DefaultACLs = []*acl.Entry{ { User: anyUser, Target: ContentRule, Access: acl.AccessLevelAppend, }, { User: anyUser, Target: acl.TargetRule{ manifest.TypeLabelKey: policy.ManifestType, policy.PolicyTypeLabel: policy.PolicyTypeGlobal, }, Access: AccessLevelRead, }, { User: anyUser, Target: acl.TargetRule{ manifest.TypeLabelKey: policy.ManifestType, policy.PolicyTypeLabel: policy.PolicyTypeHost, policy.HostnameLabel: acl.OwnHost, }, Access: AccessLevelRead, }, { User: anyUser, Target: acl.TargetRule{ manifest.TypeLabelKey: policy.ManifestType, policy.UsernameLabel: acl.OwnUser, policy.HostnameLabel: acl.OwnHost, }, Access: acl.AccessLevelFull, }, { User: anyUser, Target: acl.TargetRule{ manifest.TypeLabelKey: snapshot.ManifestType, snapshot.UsernameLabel: acl.OwnUser, snapshot.HostnameLabel: acl.OwnHost, }, Access: acl.AccessLevelFull, }, { User: anyUser, Target: acl.TargetRule{ manifest.TypeLabelKey: user.ManifestType, user.UsernameAtHostnameLabel: acl.OwnUser + "@" + acl.OwnHost, }, Access: acl.AccessLevelFull, }, }
DefaultACLs specifies default ACLs.
Functions ¶
This section is empty.
Types ¶
type AccessLevel ¶
type AccessLevel = acl.AccessLevel
AccessLevel specifies access level when accessing repository objects.
type Authenticator ¶
type Authenticator interface { IsValid(ctx context.Context, rep repo.Repository, username, password string) bool Refresh(ctx context.Context) error }
Authenticator verifies that the provided username/password is valid.
func AuthenticateHtpasswdFile ¶
func AuthenticateHtpasswdFile(f *htpasswd.File) Authenticator
AuthenticateHtpasswdFile returns an authenticator that accepts users in the provided htpasswd file.
func AuthenticateRepositoryUsers ¶
func AuthenticateRepositoryUsers() Authenticator
AuthenticateRepositoryUsers returns authenticator that accepts username/password combinations stored in 'user' manifests in the repository.
func AuthenticateSingleUser ¶
func AuthenticateSingleUser(expectedUsername, expectedPassword string) Authenticator
AuthenticateSingleUser returns an Authenticator that only allows one username/password combination.
func CombineAuthenticators ¶
func CombineAuthenticators(authenticators ...Authenticator) Authenticator
CombineAuthenticators return authenticator that applies the provided authenticators in order and returns true if any of them accepts given username/password combination.
type AuthorizationInfo ¶
type AuthorizationInfo interface { // ContentAccessLevel determines whether the user can read/write contents. ContentAccessLevel() AccessLevel // ManifestAccessLevel determines whether the user has access to a manifest with given labels. ManifestAccessLevel(labels map[string]string) AccessLevel }
AuthorizationInfo determines logged in user's access level.
func NoAccess ¶
func NoAccess() AuthorizationInfo
NoAccess returns AuthorizationInfo which grants no permissions.
type Authorizer ¶
type Authorizer interface { Authorize(ctx context.Context, rep repo.Repository, username string) AuthorizationInfo Refresh(ctx context.Context) error }
Authorizer gets authorization info for logged in user.
func DefaultAuthorizer ¶
func DefaultAuthorizer() Authorizer
DefaultAuthorizer returns Authorizer that will fetch ACLs from the repository and evaluate them in the context of current user to determine their permission levels. It will fall back to legacy authorizer if no ACL entries are defined in the repository.
func LegacyAuthorizer ¶
func LegacyAuthorizer() Authorizer
LegacyAuthorizer is an Authorizer that returns authorizer with legacy (pre-ACL) authorization rules (authenticated users can see their own snapshots/policies only).