sec

package
v0.11.2
Published: Sep 20, 2022 License: MIT Imports: 7 Imported by: 4

Documentation

Index

Constants

const OidcDirectory = "oidc.metal-stack.io/directory"

Variables

This section is empty.

Functions

func MergeResourceAccess

func MergeResourceAccess(ras ...[]security.ResourceAccess) []security.ResourceAccess

MergeResourceAccess merges the given slices of ResourceAccess in a single one. Duplicates are not filtered.

func ParseTokenUnvalidatedUnfiltered added in v0.3.1

func ParseTokenUnvalidatedUnfiltered(token string) (*security.User, *auth.Claims, error)

ParseTokenUnvalidatedUnfiltered extracts information from the given JWT token without validating it. FederatedClaims are optional, and ResourceAccess is constructed from the Roles and Groups claims.

func ToResourceAccess

func ToResourceAccess(groups ...string) []security.ResourceAccess

ToResourceAccess creates a slice of ResourceAccess for the given groups.

Types

type Plugin

type Plugin struct {
	// contains filtered or unexported fields
}

func NewPlugin

func NewPlugin(grpr *grp.Grpr) *Plugin

func (*Plugin) ExtractUserProcessGroups

func (p *Plugin) ExtractUserProcessGroups(claims *security.Claims) (user *security.User, err error)

ExtractUserProcessGroups is an implementation of the security extension point. Groups are reformatted to [app]-[]-[]-[role], e.g. "maas-all-all-admin", "kaas-all-all-kaasadmin", "k8s-all-all-admin". All groups without a tenant prefix, or with a different tenant prefix, are filtered out.

func (*Plugin) GenericOIDCExtractUserProcessGroups added in v0.7.0

func (p *Plugin) GenericOIDCExtractUserProcessGroups(ic *security.IssuerConfig, claims *security.GenericOIDCClaims) (user *security.User, err error)

GenericOIDCExtractUserProcessGroups is an implementation of the security extension point for generic OIDC claims. Groups are reformatted to [app]-[]-[]-[role], e.g. "maas-all-all-admin", "kaas-all-all-kaasadmin", "k8s-all-all-admin". All groups without a tenant prefix, or with a different tenant prefix, are filtered out.

func (*Plugin) GroupsOnBehalf

func (p *Plugin) GroupsOnBehalf(u *security.User, tenant string) []security.ResourceAccess

GroupsOnBehalf returns the list of groups that the user can act with on behalf of the other tenant. The groups returned are canonical groups without tenant prefix and cluster tenant, e.g. "kaas-all-all-admin".

func (*Plugin) HasGroupExpression

func (p *Plugin) HasGroupExpression(user *security.User, resourceTenant string, groupExpression grp.GroupExpression) bool

HasGroupExpression checks whether the given user has group permissions that fulfil the group expression; "*" is supported as a wildcard for both resourceTenant and groupExpression.

func (*Plugin) NewGroupExpression added in v0.8.0

func (p *Plugin) NewGroupExpression(appPrefix, firstScope, secondScope, role string) grp.GroupExpression

NewGroupExpression creates a new GroupExpression with the given values and ensures that they are properly encoded (i.e. '-' is replaced by '$').
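The [app]-[]-[]-[role] group layout from ExtractUserProcessGroups, the '-' to '$' encoding from NewGroupExpression and the "*" wildcard matching from HasGroupExpression, as an added self-contained Go example that is not the package's own code. GroupExpression, ParseGroup and HasGroupExpression here are assumed stand-ins for the grp types, the tenant-prefix handling is left out, and the sample groups are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// GroupExpression is an assumed stand-in for grp.GroupExpression: the four segments
// of the canonical [app]-[firstScope]-[secondScope]-[role] group layout.
type GroupExpression struct {
	AppPrefix, FirstScope, SecondScope, Role string
}

// encodeSegment replaces '-' by '$' so a value containing a dash cannot be split
// into extra segments once the group is rendered and parsed again.
func encodeSegment(s string) string { return strings.ReplaceAll(s, "-", "$") }

// NewGroupExpression encodes every segment; "*" stays as-is and acts as a wildcard.
func NewGroupExpression(app, first, second, role string) GroupExpression {
	return GroupExpression{encodeSegment(app), encodeSegment(first), encodeSegment(second), encodeSegment(role)}
}

// String renders the expression as a dash-separated group name.
func (g GroupExpression) String() string {
	return strings.Join([]string{g.AppPrefix, g.FirstScope, g.SecondScope, g.Role}, "-")
}
// ParseGroup splits a canonical group such as "maas-all-all-admin" into its segments.
func ParseGroup(group string) (GroupExpression, error) {
	p := strings.Split(group, "-")
	if len(p) != 4 {
		return GroupExpression{}, fmt.Errorf("group %q: want 4 segments, got %d", group, len(p))
	}
	return GroupExpression{p[0], p[1], p[2], p[3]}, nil
}

// HasGroupExpression reports whether one of the user's canonical groups satisfies expr;
// "*" in an expression segment matches anything. Malformed groups are skipped, not granted.
func HasGroupExpression(groups []string, expr GroupExpression) bool {
	match := func(want, got string) bool { return want == "*" || want == got }
	for _, name := range groups {
		g, err := ParseGroup(name)
		if err != nil {
			continue
		}
		if match(expr.AppPrefix, g.AppPrefix) && match(expr.FirstScope, g.FirstScope) &&
			match(expr.SecondScope, g.SecondScope) && match(expr.Role, g.Role) {
			return true
		}
	}
	return false
}
```

A role given as "kaas-admin" renders as "k8s-all-all-kaas$admin", which is why the encoding keeps the four-segment parse stable.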

func (*Plugin) ParseTokenUnvalidated

func (p *Plugin) ParseTokenUnvalidated(token string) (*security.User, *security.Claims, error)

ParseTokenUnvalidated extracts information from the given JWT token without validating it.

func (*Plugin) TenantsOnBehalf

func (p *Plugin) TenantsOnBehalf(user *security.User, groups []security.ResourceAccess) ([]string, bool, error)

TenantsOnBehalf returns the tenants that the user can act on behalf of with one of the given group permissions. If the user is allowed to act on behalf of "all" tenants, only the flag "all" is true and no tenants are returned.
