Documentation ¶
Index ¶
- func AuthorizedRegistryAccess(registry *baasapi.Registry, userID baasapi.UserID, ...) bool
- func AuthorizedResourceControlAccess(resourceControl *baasapi.ResourceControl, context *RestrictedRequestContext) bool
- func AuthorizedResourceControlCreation(resourceControl *baasapi.ResourceControl, context *RestrictedRequestContext) bool
- func AuthorizedResourceControlDeletion(resourceControl *baasapi.ResourceControl, context *RestrictedRequestContext) bool
- func AuthorizedResourceControlUpdate(resourceControl *baasapi.ResourceControl, context *RestrictedRequestContext) bool
- func AuthorizedTeamManagement(teamID baasapi.TeamID, context *RestrictedRequestContext) bool
- func AuthorizedUserManagement(userID baasapi.UserID, context *RestrictedRequestContext) bool
- func FilterBaask8sGroups(baask8sGroups []baasapi.Baask8sGroup, context *RestrictedRequestContext) []baasapi.Baask8sGroup
- func FilterBaask8ss(baask8ss []baasapi.Baask8s, context *RestrictedRequestContext) []baasapi.Baask8s
- func FilterLeaderTeams(teams []baasapi.Team, context *RestrictedRequestContext) []baasapi.Team
- func FilterRegistries(registries []baasapi.Registry, context *RestrictedRequestContext) []baasapi.Registry
- func FilterTemplates(templates []baasapi.Template, context *RestrictedRequestContext) []baasapi.Template
- func FilterUserTeams(teams []baasapi.Team, context *RestrictedRequestContext) []baasapi.Team
- func FilterUsers(users []baasapi.User, context *RestrictedRequestContext) []baasapi.User
- func RetrieveTokenData(request *http.Request) (*baasapi.TokenData, error)
- func StripAddrPort(addr string) string
- type RateLimiter
- type RequestBouncer
- func (bouncer *RequestBouncer) AdministratorAccess(h http.Handler) http.Handler
- func (bouncer *RequestBouncer) AuthenticatedAccess(h http.Handler) http.Handler
- func (bouncer *RequestBouncer) Baask8sAccess(r *http.Request, baask8s *baasapi.Baask8s) error
- func (bouncer *RequestBouncer) PublicAccess(h http.Handler) http.Handler
- func (bouncer *RequestBouncer) RegistryAccess(r *http.Request, registry *baasapi.Registry) error
- func (bouncer *RequestBouncer) RestrictedAccess(h http.Handler) http.Handler
- type RequestBouncerParams
- type RestrictedRequestContext
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AuthorizedRegistryAccess ¶
func AuthorizedRegistryAccess(registry *baasapi.Registry, userID baasapi.UserID, memberships []baasapi.TeamMembership) bool
AuthorizedRegistryAccess ensures that the user can access the specified registry. It checks whether the user is one of the authorized users or a member of a team listed in the authorized teams.
func AuthorizedResourceControlAccess ¶
func AuthorizedResourceControlAccess(resourceControl *baasapi.ResourceControl, context *RestrictedRequestContext) bool
AuthorizedResourceControlAccess checks whether the user can alter an existing resource control.
func AuthorizedResourceControlCreation ¶
func AuthorizedResourceControlCreation(resourceControl *baasapi.ResourceControl, context *RestrictedRequestContext) bool
AuthorizedResourceControlCreation ensures that the user can create a resource control object. A non-administrator user cannot create a resource control where:
* the Public flag is set to false
* he wants to create a resource control without any user/team accesses
* he wants to add more than one user in the user accesses
* he wants to add a user in the user accesses whose ID does not match his own
* he wants to add a team he is not a member of
func AuthorizedResourceControlDeletion ¶
func AuthorizedResourceControlDeletion(resourceControl *baasapi.ResourceControl, context *RestrictedRequestContext) bool
AuthorizedResourceControlDeletion ensures that the user can delete a resource control object. A non-administrator user cannot delete a resource control where:
* the Public flag is false
* he is not one of the users in the user accesses
* he is not a member of any team within the team accesses
func AuthorizedResourceControlUpdate ¶
func AuthorizedResourceControlUpdate(resourceControl *baasapi.ResourceControl, context *RestrictedRequestContext) bool
AuthorizedResourceControlUpdate ensures that the user can update a resource control object. It reuses the creation restrictions and adds extra checks. A non-administrator user cannot update a resource control where:
* he wants to put one or more users in the user accesses
func AuthorizedTeamManagement ¶
func AuthorizedTeamManagement(teamID baasapi.TeamID, context *RestrictedRequestContext) bool
AuthorizedTeamManagement ensures that access to the management of the specified team is granted. It checks whether the user is either an administrator or the leader of that team.
func AuthorizedUserManagement ¶
func AuthorizedUserManagement(userID baasapi.UserID, context *RestrictedRequestContext) bool
AuthorizedUserManagement ensures that access to the management of the specified user is granted. It checks whether the user is either an administrator or the owner of the user account.
func FilterBaask8sGroups ¶
func FilterBaask8sGroups(baask8sGroups []baasapi.Baask8sGroup, context *RestrictedRequestContext) []baasapi.Baask8sGroup
FilterBaask8sGroups filters baask8s groups based on user role and team memberships. Non-administrator users only have access to authorized baask8s groups.
func FilterBaask8ss ¶
func FilterBaask8ss(baask8ss []baasapi.Baask8s, context *RestrictedRequestContext) []baasapi.Baask8s
FilterBaask8ss filters baask8ss based on user role and team memberships. Non-administrator users only have access to authorized baask8ss (can be inherited via endpoint groups).
func FilterLeaderTeams ¶
func FilterLeaderTeams(teams []baasapi.Team, context *RestrictedRequestContext) []baasapi.Team
FilterLeaderTeams filters teams based on user role. Team leaders only have access to the teams they lead.
func FilterRegistries ¶
func FilterRegistries(registries []baasapi.Registry, context *RestrictedRequestContext) []baasapi.Registry
FilterRegistries filters registries based on user role and team memberships. Non-administrator users only have access to authorized registries.
func FilterTemplates ¶
func FilterTemplates(templates []baasapi.Template, context *RestrictedRequestContext) []baasapi.Template
FilterTemplates filters templates based on the user role. Non-administrator users do not have access to templates where the AdministratorOnly flag is set to true.
func FilterUserTeams ¶
func FilterUserTeams(teams []baasapi.Team, context *RestrictedRequestContext) []baasapi.Team
FilterUserTeams filters teams based on user role. Non-administrator users only have access to the teams they are members of.
func FilterUsers ¶
func FilterUsers(users []baasapi.User, context *RestrictedRequestContext) []baasapi.User
FilterUsers filters users based on user role. Non-administrator users only have access to non-administrator users.
func RetrieveTokenData ¶
RetrieveTokenData returns the TokenData object stored in the request context.
func StripAddrPort ¶
StripAddrPort removes the port from an IP address.
Types ¶
type RateLimiter ¶
RateLimiter represents an entity that manages request rate limiting
func NewRateLimiter ¶
func NewRateLimiter(maxRequests int, duration time.Duration, banDuration time.Duration) *RateLimiter
NewRateLimiter initializes a new RateLimiter
func (*RateLimiter) LimitAccess ¶
func (limiter *RateLimiter) LimitAccess(next http.Handler) http.Handler
LimitAccess wraps the current request with a check that the remote address does not go above the defined limits.
type RequestBouncer ¶
// RequestBouncer represents an entity that manages API request accesses.
// Its fields are unexported; instances are created with NewRequestBouncer.
type RequestBouncer struct {
// contains filtered or unexported fields
}
RequestBouncer represents an entity that manages API request accesses
func NewRequestBouncer ¶
func NewRequestBouncer(parameters *RequestBouncerParams) *RequestBouncer
NewRequestBouncer initializes a new RequestBouncer
func (*RequestBouncer) AdministratorAccess ¶
func (bouncer *RequestBouncer) AdministratorAccess(h http.Handler) http.Handler
AdministratorAccess defines a chain of middleware for restricted baask8ss. Authentication as well as administrator role are required to access these baask8ss.
func (*RequestBouncer) AuthenticatedAccess ¶
func (bouncer *RequestBouncer) AuthenticatedAccess(h http.Handler) http.Handler
AuthenticatedAccess defines a security check for private baask8ss. Authentication is required to access these baask8ss.
func (*RequestBouncer) Baask8sAccess ¶
func (bouncer *RequestBouncer) Baask8sAccess(r *http.Request, baask8s *baasapi.Baask8s) error
Baask8sAccess retrieves the JWT token from the request context and verifies that the user can access the specified baask8s. An error is returned when access is denied.
func (*RequestBouncer) PublicAccess ¶
func (bouncer *RequestBouncer) PublicAccess(h http.Handler) http.Handler
PublicAccess defines a security check for public baask8ss. No authentication is required to access these baask8ss.
func (*RequestBouncer) RegistryAccess ¶
func (bouncer *RequestBouncer) RegistryAccess(r *http.Request, registry *baasapi.Registry) error
RegistryAccess retrieves the JWT token from the request context and verifies that the user can access the specified registry. An error is returned when access is denied.
func (*RequestBouncer) RestrictedAccess ¶
func (bouncer *RequestBouncer) RestrictedAccess(h http.Handler) http.Handler
RestrictedAccess defines a security check for restricted baask8ss. Authentication is required to access these baask8ss. The request context will be enhanced with a RestrictedRequestContext object that might be used later to authorize/filter access to resources.
type RequestBouncerParams ¶
// RequestBouncerParams represents the required parameters to create a new
// RequestBouncer instance. It is the single argument of NewRequestBouncer.
type RequestBouncerParams struct {
	// Services handed to the bouncer. How each one is used is not shown on
	// this page; presumably JWTService validates request tokens and the other
	// services look up users, team memberships and baask8s groups for
	// authorization decisions — confirm against the implementation.
	JWTService            baasapi.JWTService
	UserService           baasapi.UserService
	TeamMembershipService baasapi.TeamMembershipService
	Baask8sGroupService   baasapi.Baask8sGroupService

	// NOTE(review): the name suggests this switches off the bouncer's
	// authentication checks — confirm. If so, every handler wrapped by
	// AuthenticatedAccess, RestrictedAccess or AdministratorAccess would be
	// reachable without credentials, so it should only ever be set from
	// trusted configuration and its use should be logged at startup.
	AuthDisabled bool
}
RequestBouncerParams represents the required parameters to create a new RequestBouncer instance.
type RestrictedRequestContext ¶
// RestrictedRequestContext is a data structure containing information used in
// RestrictedAccess. The Authorized* and Filter* functions of this package take
// it as their authorization input.
//
// NOTE(review): because those decisions rest entirely on these fields, the
// context should be built only from verified token data and server-side
// lookups, never from client-supplied values — confirm in RestrictedAccess.
type RestrictedRequestContext struct {
	// IsAdmin presumably marks the requesting user as an administrator — confirm.
	IsAdmin bool
	// IsTeamLeader presumably marks the requesting user as leader of at least
	// one team — confirm.
	IsTeamLeader bool
	// UserID identifies the requesting user.
	UserID baasapi.UserID
	// UserMemberships lists the requesting user's team memberships.
	UserMemberships []baasapi.TeamMembership
}
RestrictedRequestContext is a data structure containing information used in RestrictedAccess
func RetrieveRestrictedRequestContext ¶
func RetrieveRestrictedRequestContext(request *http.Request) (*RestrictedRequestContext, error)
RetrieveRestrictedRequestContext returns the RestrictedRequestContext object stored in the request context.