sec

package
v0.3.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 20, 2020 License: MIT Imports: 6 Imported by: 4

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MergeResourceAccess

func MergeResourceAccess(ras ...[]security.ResourceAccess) []security.ResourceAccess

MergeResourceAccess merges the given slices of ResourceAccess in a single one. Duplicates are not filtered.

func ParseTokenUnvalidatedUnfiltered added in v0.3.1

func ParseTokenUnvalidatedUnfiltered(token string) (*security.User, *security.Claims, error)

ParseTokenUnvalidated extracts information from the given jwt token without validating it

func ToResourceAccess

func ToResourceAccess(groups ...string) []security.ResourceAccess

ToResourceAccess creates a slice of ResourceAccess for the given groups

Types

type Plugin

type Plugin struct {
	// contains filtered or unexported fields
}

func NewPlugin

func NewPlugin(grpr *grp.Grpr) *Plugin

func (*Plugin) ExtractUserProcessGroups

func (p *Plugin) ExtractUserProcessGroups(claims *security.Claims) (user *security.User, err error)

ExtractUserProcessGroups is a implementation of security-extensionpoint Groups will reformatted [app]-[]-[]-[role], e.g. "maas-all-all-admin", "kaas-all-all-kaasadmin", "k8s-all-all-admin". All groups without or with another the tenant-prefix are filtered.

func (*Plugin) GroupsOnBehalf

func (p *Plugin) GroupsOnBehalf(u *security.User, tenant string) []security.ResourceAccess

GroupsOnBehalf returns the list of groups that the user can do an behalf of the other tenant. The groups returned are canonical groups without tenant prefix and cluster-tenant, e.g. "kaas-all-all-admin".

func (*Plugin) HasGroupExpression

func (p *Plugin) HasGroupExpression(user *security.User, tenant string, groupExpression grp.GroupExpression) bool

HasGroupExpression checks if the given user has group permissions that fulfil the group-expression which supports "*" as wildcards

func (*Plugin) HasOneOfGroups

func (p *Plugin) HasOneOfGroups(user *security.User, tenant string, groups ...security.ResourceAccess) bool

HasOneOfGroups returns, if the given user has one of the the given groups for/"on behalf of" the given tenant. The groups to check are canonical groups without tenant prefix, e.g. "kaas-all-all-admin". The matches are exact matches, so "kaas-all-all-admin" only matches "kaas-all-all-admin", see HasGroupExpression for more flexible queries

func (*Plugin) ParseTokenUnvalidated

func (p *Plugin) ParseTokenUnvalidated(token string) (*security.User, *security.Claims, error)

ParseTokenUnvalidated extracts information from the given jwt token without validating it

func (*Plugin) TenantsOnBehalf

func (p *Plugin) TenantsOnBehalf(user *security.User, groups []security.ResourceAccess) ([]string, bool, error)

TenantsOnBehalf returns the tenants, that the user can act on behalf with one of the given group-permissions. If the user is allowed to act on "all" tenants on behalf, only the flag "all" is true and no tenants are returned.

func (*Plugin) UserTenantGroups

func (p *Plugin) UserTenantGroups(u *security.User) []security.ResourceAccess

UserTenantGroups returns the list of user-groups that the user can do for his tenant.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL