access

package
v1.5.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 14, 2022 License: CC0-1.0 Imports: 15 Imported by: 2

Documentation

Overview

Package access contains access control code for webservers.

Users (subjects) get rights to resources (objects) via groups. A group is a collection of access rights. Users are members of groups. Access is denied unless explicitly granted.

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrClosed = errors.New("ACL table was closed")
)

Defined error codes for PersistedACLTable

View Source 
var PersistedACLTableErrRetries = 10

PersistedACLTableErrRetries is the number of times the code will try to read the disk configuration before overwriting it with the current (working) configuration. Set to -1 if it should never attempt to overwrite.

Functions

This section is empty.

Types

type ACLTable 

type ACLTable interface {

	/*
		Close closes this table.
	*/
	Close() error

	/*
		GroupNames returns a list of all known groups.
	*/
	GroupNames() ([]string, error)

	/*
		UserNames returns a list of all known users.
	*/
	UserNames() ([]string, error)

	/*
		GroupsOfUser for user returns the list of groups for a specific user.
	*/
	GroupsOfUser(name string) ([]string, error)

	/*
		AddPermission adds a new resource permission.
	*/
	AddPermission(group, resource string, permission *Rights) error

	/*
	   Permissions returns all permissions of a  group.
	*/
	Permissions(group string) (map[string]string, error)

	/*
	   ClearPermissions removes all permissions of a group.
	*/
	ClearPermissions(group string) error

	/*
		IsPermitted checks if a user has a certain permission. If the
		permission is given it also returns the rule which granted permission.
	*/
	IsPermitted(user, resource string, request *Rights) (bool, string, error)

	/*
		AddGroup creates a new group.
	*/
	AddGroup(name string) error

	/*
		RemoveGroup removes a group.
	*/
	RemoveGroup(name string) error

	/*
		AddUserToGroup adds a user to a group.
	*/
	AddUserToGroup(name string, group string) error

	/*
		RemoveUserFromGroup removes a user from a group.
	*/
	RemoveUserFromGroup(name string, group string) error

	/*
		GetConfig returns a data structure which contains the whole config of this
		ACLTable. The data structure can be easily converted into JSON.
	*/
	GetConfig() (map[string]interface{}, error)

	/*
		String returns a string representation of this ACL table.
	*/
	String() string
}

ACLTable is a management object which can be used to define and enforce users rights.

func NewMemoryACLTable 

func NewMemoryACLTable() ACLTable

NewMemoryACLTable returns a new empty basic ACL table.

func NewMemoryACLTableFromConfig 

func NewMemoryACLTableFromConfig(config map[string]interface{}) (ACLTable, error)

NewMemoryACLTableFromConfig builds an ACL table from a given data structure which was previously produced by GetConfig.

func NewPersistedACLTable 

func NewPersistedACLTable(filename string, interval time.Duration) (ACLTable, error)

NewPersistedACLTable returns a new file-persisted ACL table.

type Group 

type Group struct {
	Name              string
	ResourceAccessAbs map[string]*Rights // Map from resource to access rights
	ResourceAccessPre map[string]*Rights // Map from resource prefix to access rights
}

Group is a collection of access rights.

func (*Group) AddResourceAccess 

func (g *Group) AddResourceAccess(res string, r *Rights) error

AddResourceAccess adds a new resource access right. A * as the resource string suffix will grant access to all resources which start with the resource string.

func (*Group) ClearResourceAccess 

func (g *Group) ClearResourceAccess()

ClearResourceAccess removes all resource access rights from this group.

func (*Group) IsPermitted 

func (g *Group) IsPermitted(resource string, request *Rights) (bool, string)

IsPermitted checks if this group has access to a certain resource. Returns also the rule which gives permission.

func (*Group) String 

func (g *Group) String() string

String returns the access rights of this group as a string table.

type MemoryACLTable 

type MemoryACLTable struct {
	PermissionCache *datautil.MapCache           // Cache for permission checks
	Users           map[string]map[string]*Group // Mapping from users to groups
	Groups          map[string]*Group            // Table of groups
}

MemoryACLTable is the main ACL table implementation. It stores permission and group information in memory.

func (*MemoryACLTable) AddGroup 

func (t *MemoryACLTable) AddGroup(name string) error

AddGroup creates a new group.

func (*MemoryACLTable) AddPermission 

func (t *MemoryACLTable) AddPermission(group, resource string, permission *Rights) error

AddPermission adds a new resource permission.

func (*MemoryACLTable) AddUserToGroup 

func (t *MemoryACLTable) AddUserToGroup(name string, group string) error

AddUserToGroup adds a user to a group.

func (*MemoryACLTable) ClearPermissions 

func (t *MemoryACLTable) ClearPermissions(group string) error

ClearPermissions removes all permissions of a group.

func (*MemoryACLTable) Close 

func (t *MemoryACLTable) Close() error

Close closes this table.

func (*MemoryACLTable) GetConfig 

func (t *MemoryACLTable) GetConfig() (map[string]interface{}, error)

GetConfig returns a data structure which contains the whole config of this ACLTable. The data structure can be easily converted into JSON.

func (*MemoryACLTable) GroupNames 

func (t *MemoryACLTable) GroupNames() ([]string, error)

GroupNames returns a list of all known groups.

func (*MemoryACLTable) GroupsOfUser 

func (t *MemoryACLTable) GroupsOfUser(name string) ([]string, error)

GroupsOfUser for user returns the list of groups for a specific user.

func (*MemoryACLTable) IsPermitted 

func (t *MemoryACLTable) IsPermitted(user, resource string, request *Rights) (bool, string, error)

IsPermitted checks if a user has a certain permission. If the permission is given it also returns the rule which granted permission.

func (*MemoryACLTable) Permissions 

func (t *MemoryACLTable) Permissions(group string) (map[string]string, error)

Permissions returns all permissions of a group.

func (*MemoryACLTable) RemoveGroup 

func (t *MemoryACLTable) RemoveGroup(name string) error

RemoveGroup removes a group.

func (*MemoryACLTable) RemoveUserFromGroup 

func (t *MemoryACLTable) RemoveUserFromGroup(name string, group string) error

RemoveUserFromGroup removes a user from a group.

func (*MemoryACLTable) String 

func (t *MemoryACLTable) String() string

String returns a string representation of this ACL table.

func (*MemoryACLTable) UserNames 

func (t *MemoryACLTable) UserNames() ([]string, error)

UserNames returns a list of all known users.

type PersistedACLTable 

type PersistedACLTable struct {
	SyncError error // Synchronization errors
	// contains filtered or unexported fields
}

PersistedACLTable is an ACL table whose state is persisted in a file and in memory. The table in memory and the file on disk are kept automatically in sync. This object is thread-safe. A persistent synchronization error between file and memory table will lock this object down.

func (*PersistedACLTable) AddGroup 

func (t *PersistedACLTable) AddGroup(name string) error

AddGroup creates a new group.

func (*PersistedACLTable) AddPermission 

func (t *PersistedACLTable) AddPermission(group, resource string, permission *Rights) error

AddPermission adds a new resource permission.

func (*PersistedACLTable) AddUserToGroup 

func (t *PersistedACLTable) AddUserToGroup(name string, group string) error

AddUserToGroup adds a user to a group.

func (*PersistedACLTable) ClearPermissions 

func (t *PersistedACLTable) ClearPermissions(group string) error

ClearPermissions removes all permissions of a group.

func (*PersistedACLTable) Close 

func (t *PersistedACLTable) Close() error

Close closes this table.

func (*PersistedACLTable) GetConfig 

func (t *PersistedACLTable) GetConfig() (map[string]interface{}, error)

GetConfig returns a data structure which contains the whole config of this ACLTable. The data structure can be easily converted into JSON.

func (*PersistedACLTable) GroupNames 

func (t *PersistedACLTable) GroupNames() ([]string, error)

GroupNames returns a list of all known groups.

func (*PersistedACLTable) GroupsOfUser 

func (t *PersistedACLTable) GroupsOfUser(name string) ([]string, error)

GroupsOfUser for user returns the list of groups for a specific user.

func (*PersistedACLTable) IsPermitted 

func (t *PersistedACLTable) IsPermitted(user, resource string, request *Rights) (bool, string, error)

IsPermitted checks if a user has a certain permission. If the permission is given it also returns the rule which granted permission.

func (*PersistedACLTable) Permissions 

func (t *PersistedACLTable) Permissions(group string) (map[string]string, error)

Permissions returns all permissions of a group.

func (*PersistedACLTable) RemoveGroup 

func (t *PersistedACLTable) RemoveGroup(name string) error

RemoveGroup removes a group.

func (*PersistedACLTable) RemoveUserFromGroup 

func (t *PersistedACLTable) RemoveUserFromGroup(name string, group string) error

RemoveUserFromGroup removes a user from a group.

func (*PersistedACLTable) String 

func (t *PersistedACLTable) String() string

String returns a string representation of this ACL table.

func (*PersistedACLTable) UserNames 

func (t *PersistedACLTable) UserNames() ([]string, error)

UserNames returns a list of all known users.

type Rights 

type Rights struct {
	Create bool // Create requests can be processed
	Read   bool // Read requests can be processed
	Update bool // Update requests can be processed
	Delete bool // Delete requests can be processed
}

Rights is an atomic permission of access.

func RightsFromString 

func RightsFromString(rights string) (*Rights, error)

RightsFromString creates a new Rights object from a given rights string. A rights string defines the access rights (c)reate, (r)ead, (u)pdate and (d)elete. Missing rights are defined with a '-' sign. For example: read-only access would be '-r--', full access would be 'crud'. REST APIs typically associate request types with these rights: (c) POST, (r) GET, (u) PATCH, (d) DELETE.

func (*Rights) IsAllowed 

func (r *Rights) IsAllowed(request *Rights) bool

IsAllowed checks if a given set of access requests is allowed by this set of access permissions.

func (*Rights) String 

func (r *Rights) String() string

String returns a string representation of this rights atom.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.