Documentation
Index
- Constants
- func MergeResourceAccess(ras ...[]security.ResourceAccess) []security.ResourceAccess
- func ParseTokenUnvalidatedUnfiltered(token string) (*security.User, *auth.Claims, error)
- func ToResourceAccess(groups ...string) []security.ResourceAccess
- type Plugin
- func (p *Plugin) ExtractUserProcessGroups(claims *security.Claims) (user *security.User, err error)
- func (p *Plugin) GenericOIDCExtractUserProcessGroups(ic *security.IssuerConfig, claims *security.GenericOIDCClaims) (user *security.User, err error)
- func (p *Plugin) GroupsOnBehalf(u *security.User, tenant string) []security.ResourceAccess
- func (p *Plugin) HasGroupExpression(user *security.User, resourceTenant string, ...) bool
- func (p *Plugin) NewGroupExpression(appPrefix, firstScope, secondScope, role string) grp.GroupExpression
- func (p *Plugin) ParseTokenUnvalidated(token string) (*security.User, *security.Claims, error)
- func (p *Plugin) TenantsOnBehalf(user *security.User, groups []security.ResourceAccess) ([]string, bool, error)
Constants
const OidcDirectory = "oidc.metal-stack.io/directory"
Variables
This section is empty.
Functions
func MergeResourceAccess
func MergeResourceAccess(ras ...[]security.ResourceAccess) []security.ResourceAccess
MergeResourceAccess merges the given slices of ResourceAccess into a single slice. Duplicates are not filtered out.
func ParseTokenUnvalidatedUnfiltered added in v0.3.1
func ParseTokenUnvalidatedUnfiltered(token string) (*security.User, *auth.Claims, error)
ParseTokenUnvalidatedUnfiltered extracts information from the given JWT token without validating it. FederatedClaims are optional, and ResourceAccess entries are constructed from the Roles and Groups claims.
func ToResourceAccess
func ToResourceAccess(groups ...string) []security.ResourceAccess
ToResourceAccess creates a slice of ResourceAccess for the given groups.
Types
type Plugin
type Plugin struct {
// contains filtered or unexported fields
}
func (*Plugin) ExtractUserProcessGroups
func (p *Plugin) ExtractUserProcessGroups(claims *security.Claims) (user *security.User, err error)
ExtractUserProcessGroups is an implementation of the security extension point. Groups are reformatted to [app]-[]-[]-[role], e.g. "maas-all-all-admin", "kaas-all-all-kaasadmin", "k8s-all-all-admin". All groups without the tenant prefix, or with another tenant's prefix, are filtered out.
func (*Plugin) GenericOIDCExtractUserProcessGroups added in v0.7.0
func (p *Plugin) GenericOIDCExtractUserProcessGroups(ic *security.IssuerConfig, claims *security.GenericOIDCClaims) (user *security.User, err error)
GenericOIDCExtractUserProcessGroups is the generic OIDC implementation of the security extension point. Groups are reformatted to [app]-[]-[]-[role], e.g. "maas-all-all-admin", "kaas-all-all-kaasadmin", "k8s-all-all-admin". All groups without the tenant prefix, or with another tenant's prefix, are filtered out.
func (*Plugin) GroupsOnBehalf
func (p *Plugin) GroupsOnBehalf(u *security.User, tenant string) []security.ResourceAccess
GroupsOnBehalf returns the list of groups the user can use when acting on behalf of the other tenant. The groups returned are canonical groups without the tenant prefix and cluster tenant, e.g. "kaas-all-all-admin".
func (*Plugin) HasGroupExpression
func (p *Plugin) HasGroupExpression(user *security.User, resourceTenant string, groupExpression grp.GroupExpression) bool
HasGroupExpression checks whether the given user has group permissions that fulfil the group expression. "*" is supported as a wildcard for both resourceTenant and groupExpression.
func (*Plugin) NewGroupExpression added in v0.8.0
func (p *Plugin) NewGroupExpression(appPrefix, firstScope, secondScope, role string) grp.GroupExpression
NewGroupExpression creates a new GroupExpression with the given values and ensures that they are properly encoded (i.e. every '-' is replaced by '$'), so a value containing a dash can never be read as a field separator.
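The following is an added, self-contained model of the group handling described above (the four-part group format, the tenant-prefix filtering, the '-' to '$' encoding and the "*" wildcard matching). It is example code written for this page, not the plugin's implementation or the grp.GroupExpression type from github.com/metal-stack/security. The raw group layout "<tenant>-<app>-<scope1>-<scope2>-<role>", the ResourceAccess struct, and component-wise wildcard matching are assumptions of this model.

```go
package main

import (
	"fmt"
	"strings"
)

// GroupExpression is a hypothetical model of the documented four-part group
// format ([app]-[..]-[..]-[role]); it is not grp.GroupExpression from
// github.com/metal-stack/security.
type GroupExpression struct {
	AppPrefix, FirstScope, SecondScope, Role string
}

// encode replaces '-' with '$' so a value containing a dash can never be read
// as a field separator once the expression is rendered as a group name.
func encode(s string) string { return strings.ReplaceAll(s, "-", "$") }

// NewGroupExpression follows the documented contract: every field is encoded.
func NewGroupExpression(appPrefix, firstScope, secondScope, role string) GroupExpression {
	return GroupExpression{encode(appPrefix), encode(firstScope), encode(secondScope), encode(role)}
}

// String renders the canonical group name without a tenant prefix,
// e.g. "kaas-all-all-admin".
func (g GroupExpression) String() string {
	return strings.Join([]string{g.AppPrefix, g.FirstScope, g.SecondScope, g.Role}, "-")
}

// ResourceAccess stands in for security.ResourceAccess: a canonical group the
// user holds, together with the tenant prefix it carried (assumed layout).
type ResourceAccess struct {
	Tenant string
	Group  string
}

// FilterTenantGroups parses raw "<tenant>-<app>-<scope1>-<scope2>-<role>" group
// claims (assumed layout) and keeps only those carrying the expected tenant
// prefix; groups with no prefix or another tenant's prefix are dropped.
func FilterTenantGroups(tenant string, raw []string) []ResourceAccess {
	var out []ResourceAccess
	for _, g := range raw {
		parts := strings.Split(g, "-")
		if len(parts) != 5 || parts[0] != tenant {
			continue
		}
		out = append(out, ResourceAccess{Tenant: parts[0], Group: strings.Join(parts[1:], "-")})
	}
	return out
}

// matchPart treats "*" in the pattern as a wildcard for one whole component.
func matchPart(pattern, value string) bool { return pattern == "*" || pattern == value }

// HasGroupExpression reports whether any of the user's groups satisfies the
// expression for the given tenant. "*" is accepted as a wildcard for the
// tenant and for each component of the expression (component-wise matching
// is an assumption of this model).
func HasGroupExpression(ras []ResourceAccess, resourceTenant string, expr GroupExpression) bool {
	want := []string{expr.AppPrefix, expr.FirstScope, expr.SecondScope, expr.Role}
	for _, ra := range ras {
		if !matchPart(resourceTenant, ra.Tenant) {
			continue
		}
		have := strings.Split(ra.Group, "-")
		ok := len(have) == len(want)
		for i := 0; ok && i < len(want); i++ {
			ok = matchPart(want[i], have[i])
		}
		if ok {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample claims: one group for tenant "acme", one without a
	// prefix, one for another tenant, and one whose role contained a dash.
	raw := []string{"acme-kaas-all-all-admin", "kaas-all-all-admin",
		"other-kaas-all-all-admin", "acme-k8s-all-all-cluster$admin"}
	ras := FilterTenantGroups("acme", raw)
	fmt.Println(len(ras), "groups kept for acme")
	fmt.Println(HasGroupExpression(ras, "acme", NewGroupExpression("kaas", "*", "*", "admin")))
	fmt.Println(HasGroupExpression(ras, "other", NewGroupExpression("kaas", "all", "all", "admin")))
	fmt.Println(HasGroupExpression(ras, "*", NewGroupExpression("k8s", "all", "all", "cluster-admin")))
}
```

The encoding step matters for the check, not just for display: because NewGroupExpression turns "cluster-admin" into "cluster$admin", the rendered group still has exactly four components and the wildcard comparison stays aligned with the tenant-prefixed claim.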
func (*Plugin) ParseTokenUnvalidated
func (p *Plugin) ParseTokenUnvalidated(token string) (*security.User, *security.Claims, error)
ParseTokenUnvalidated extracts information from the given JWT token without validating it. The returned claims are not trustworthy until the token's signature and issuer have been verified elsewhere.
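As an added illustration of what "unvalidated" means for ParseTokenUnvalidated and ParseTokenUnvalidatedUnfiltered (not the plugin's code, and not security.User or security.Claims), the block below decodes the payload segment of a compact JWT with the standard library only and builds a flat list of resource access entries from its Roles and Groups claims. The claim struct, the json field names "roles" and "groups", and the sample token (built offline with a placeholder signature) are assumptions of this example; the point it makes is that such a parse succeeds for any well-formed token, so callers must gate every decision on separate signature validation.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// UnvalidatedClaims holds the claims read out of the token payload. The
// field names are assumptions for this example, not the plugin's types.
type UnvalidatedClaims struct {
	Issuer  string   `json:"iss"`
	Subject string   `json:"sub"`
	Roles   []string `json:"roles"`
	Groups  []string `json:"groups"`
}

// parseTokenUnvalidated decodes the payload of a compact JWS without checking
// the signature. Nothing it returns is trustworthy until the token has been
// verified against the issuer's keys; it only reports structural errors.
func parseTokenUnvalidated(token string) (*UnvalidatedClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var c UnvalidatedClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	return &c, nil
}

// toResourceAccess mirrors the documented rule that resource access is built
// from the Roles and Groups claims; as with MergeResourceAccess, duplicates
// are kept rather than filtered.
func toResourceAccess(c *UnvalidatedClaims) []string {
	return append(append([]string{}, c.Roles...), c.Groups...)
}

// buildSampleToken constructs a token with a placeholder signature so the
// example runs offline. It is constructed test input, not a real credential.
func buildSampleToken(claims UnvalidatedClaims) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + ".signature-not-checked"
}

func main() {
	tok := buildSampleToken(UnvalidatedClaims{
		Issuer:  "https://issuer.example", // constructed
		Subject: "alice",
		Roles:   []string{"admin"},
		Groups:  []string{"acme-kaas-all-all-admin"},
	})
	c, err := parseTokenUnvalidated(tok)
	if err != nil {
		fmt.Println("parse failed:", err)
		return
	}
	// The parse succeeds although the signature was never checked.
	fmt.Println(c.Subject, toResourceAccess(c))
}
```

Because the signature segment is never examined, the only way to reject a token with forged claims is to run signature and issuer verification before any value returned here is used for authorization.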
func (*Plugin) TenantsOnBehalf
func (p *Plugin) TenantsOnBehalf(user *security.User, groups []security.ResourceAccess) ([]string, bool, error)
TenantsOnBehalf returns the tenants on whose behalf the user can act with one of the given group permissions. If the user is allowed to act on behalf of "all" tenants, only the "all" flag is true and no tenants are returned.