Documentation
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type AgentAuthenticator
type AgentAuthenticator struct{}
AgentIdentityProvider performs authentication for machine and unit agents.
func (*AgentAuthenticator) Authenticate
func (*AgentAuthenticator) Authenticate(entityFinder EntityFinder, tag names.Tag, req params.LoginRequest) (state.Entity, error)
Authenticate authenticates the provided entity. It takes an EntityFinder and the tag used to find the entity that requires authentication.
type BakeryService
type BakeryService interface {
	AddCaveat(*macaroon.Macaroon, checkers.Caveat) error
	CheckAny([]macaroon.Slice, map[string]string, checkers.Checker) (map[string]string, error)
	NewMacaroon(string, []byte, []checkers.Caveat) (*macaroon.Macaroon, error)
}
BakeryService defines the subset of bakery.Service that we require for authentication.
type EntityAuthenticator
type EntityAuthenticator interface {
	// Authenticate authenticates the given entity
	Authenticate(entityFinder EntityFinder, tag names.Tag, req params.LoginRequest) (state.Entity, error)
}
EntityAuthenticator is the interface all entity authenticators need to implement to authenticate juju entities.
type EntityFinder
EntityFinder finds the entity described by the tag.
type ExpirableStorageBakeryService
type ExpirableStorageBakeryService interface {
	BakeryService

	// ExpireStorageAt returns a new ExpirableStorageBakeryService with
	// a store that will expire items added to it at the specified time.
	ExpireStorageAt(time.Time) (ExpirableStorageBakeryService, error)
}
ExpirableStorageBakeryService extends BakeryService with the ExpireStorageAt method so that root keys are removed from storage at that time.
type ExternalMacaroonAuthenticator
type ExternalMacaroonAuthenticator struct {
	// Service holds the service that is
	// used to verify macaroon authorization.
	Service BakeryService

	// Macaroon guards macaroon-authentication-based access
	// to the APIs. Appropriate caveats will be added before
	// sending it to a client.
	Macaroon *macaroon.Macaroon

	// IdentityLocation holds the URL of the trusted third party
	// that is used to address the is-authenticated-user
	// third party caveat to.
	IdentityLocation string
}
ExternalMacaroonAuthenticator performs authentication for external users using macaroons. If the authentication fails because provided macaroons are invalid, and macaroon authentication is enabled, it will return a *common.DischargeRequiredError holding a macaroon to be discharged.
func (*ExternalMacaroonAuthenticator) Authenticate
func (m *ExternalMacaroonAuthenticator) Authenticate(entityFinder EntityFinder, _ names.Tag, req params.LoginRequest) (state.Entity, error)
Authenticate authenticates the provided entity. If there is no macaroon provided, it will return a *DischargeRequiredError containing a macaroon that can be used to grant access.
type UserAuthenticator
type UserAuthenticator struct {
	AgentAuthenticator

	// Service holds the service that is used to mint and verify macaroons.
	Service ExpirableStorageBakeryService

	// Clock is used to calculate the expiry time for macaroons.
	Clock clock.Clock
}
UserAuthenticator performs authentication for local users. If a password
func (*UserAuthenticator) Authenticate
func (u *UserAuthenticator) Authenticate(
	entityFinder EntityFinder,
	tag names.Tag,
	req params.LoginRequest,
) (state.Entity, error)
Authenticate authenticates the entity with the specified tag, and returns an error on authentication failure.
If and only if no password is supplied, then Authenticate will check for any valid macaroons. Otherwise, password authentication will be performed.
func (*UserAuthenticator) CreateLocalLoginMacaroon
func (u *UserAuthenticator) CreateLocalLoginMacaroon(tag names.UserTag) (*macaroon.Macaroon, error)
CreateLocalLoginMacaroon creates a time-limited macaroon for a local user to log into the controller with. The macaroon will be valid for use with UserAuthenticator.Authenticate until the time limit expires, or the Juju controller agent restarts.
NOTE(axw) this method will generate a key for a previously unseen user, and store it in the bakery.Service's storage. Callers should first ensure the user is valid before calling this, to avoid filling storage with keys for invalid users.
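The caller-side check that the NOTE asks for, as an added example that is not part of this package: the user is validated before the mint call, so requests naming invalid users never add keys to storage. The minter interface, fakeMinter, guardedMint, storedKeys, the known-user map and the plain-string user names are stand-ins assumed for illustration, not Juju's API.

```go
package main

import (
	"errors"
	"fmt"
)

var errUnknownUser = errors.New("unknown user")

// minter is a hypothetical stand-in for UserAuthenticator (string user, not names.UserTag).
type minter interface {
	CreateLocalLoginMacaroon(user string) (string, error)
}

// fakeMinter stores a key for every previously unseen user, as the NOTE describes.
type fakeMinter struct{ keys map[string]bool }

func (f *fakeMinter) CreateLocalLoginMacaroon(user string) (string, error) {
	f.keys[user] = true
	return "macaroon-for-" + user, nil
}

// guardedMint validates the user first, so a request naming an invalid
// user never reaches key storage.
func guardedMint(m minter, known map[string]bool, user string) (string, error) {
	if !known[user] {
		return "", errUnknownUser
	}
	return m.CreateLocalLoginMacaroon(user)
}

// storedKeys replays login requests and returns the number of keys stored.
func storedKeys(requests []string, known map[string]bool, guarded bool) int {
	m := &fakeMinter{keys: map[string]bool{}}
	for _, u := range requests {
		if guarded {
			_, _ = guardedMint(m, known, u)
		} else {
			_, _ = m.CreateLocalLoginMacaroon(u)
		}
	}
	return len(m.keys)
}

func main() {
	known := map[string]bool{"alice": true, "bob": true}        // constructed
	reqs := []string{"alice", "x1", "x2", "x3", "bob", "alice"} // constructed
	fmt.Println(storedKeys(reqs, known, false), storedKeys(reqs, known, true))
}
```

In a real caller the known-user map would be replaced by a lookup of the user entity before CreateLocalLoginMacaroon is called.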