Documentation
Index
- Constants
- func MergeResourceAccess(ras ...[]security.ResourceAccess) []security.ResourceAccess
- func ParseTokenUnvalidatedUnfiltered(token string) (*security.User, *auth.Claims, error)
- func ToResourceAccess(groups ...string) []security.ResourceAccess
- type Plugin
- func (p *Plugin) ExtractUserProcessGroups(claims *security.Claims) (user *security.User, err error)
- func (p *Plugin) GenericOIDCExtractUserProcessGroups(ic *security.IssuerConfig, claims *security.GenericOIDCClaims) (user *security.User, err error)
- func (p *Plugin) GroupsOnBehalf(u *security.User, tenant string) []security.ResourceAccess
- func (p *Plugin) HasGroupExpression(user *security.User, tenant string, groupExpression grp.GroupExpression) bool
- func (p *Plugin) HasOneOfGroups(user *security.User, tenant string, groups ...security.ResourceAccess) bool
- func (p *Plugin) ParseTokenUnvalidated(token string) (*security.User, *security.Claims, error)
- func (p *Plugin) TenantsOnBehalf(user *security.User, groups []security.ResourceAccess) ([]string, bool, error)
- func (p *Plugin) UserTenantGroups(u *security.User) []security.ResourceAccess
Constants
const OidcDirectory = "oidc.metal-stack.io/directory"
Variables
This section is empty.
Functions
func MergeResourceAccess
func MergeResourceAccess(ras ...[]security.ResourceAccess) []security.ResourceAccess
MergeResourceAccess merges the given slices of ResourceAccess into a single slice. Duplicates are not filtered.
func ParseTokenUnvalidatedUnfiltered added in v0.3.1
func ParseTokenUnvalidatedUnfiltered(token string) (*security.User, *auth.Claims, error)
ParseTokenUnvalidatedUnfiltered extracts information from the given JWT token without validating it. FederatedClaims are optional, and the ResourceAccess entries are constructed from the Roles and Groups claims.
func ToResourceAccess
func ToResourceAccess(groups ...string) []security.ResourceAccess
ToResourceAccess creates a slice of ResourceAccess for the given groups.
Types
type Plugin
type Plugin struct {
// contains filtered or unexported fields
}
func (*Plugin) ExtractUserProcessGroups
func (p *Plugin) ExtractUserProcessGroups(claims *security.Claims) (user *security.User, err error)
ExtractUserProcessGroups is an implementation of the security extension point. Groups are reformatted as [app]-[]-[]-[role], e.g. "maas-all-all-admin", "kaas-all-all-kaasadmin", "k8s-all-all-admin". All groups without a tenant prefix, or with a different tenant prefix, are filtered out.
func (*Plugin) GenericOIDCExtractUserProcessGroups added in v0.7.0
func (p *Plugin) GenericOIDCExtractUserProcessGroups(ic *security.IssuerConfig, claims *security.GenericOIDCClaims) (user *security.User, err error)
GenericOIDCExtractUserProcessGroups is an implementation of the security extension point for generic OIDC claims. Groups are reformatted as [app]-[]-[]-[role], e.g. "maas-all-all-admin", "kaas-all-all-kaasadmin", "k8s-all-all-admin". All groups without a tenant prefix, or with a different tenant prefix, are filtered out.
func (*Plugin) GroupsOnBehalf
func (p *Plugin) GroupsOnBehalf(u *security.User, tenant string) []security.ResourceAccess
GroupsOnBehalf returns the list of groups that the user may act with on behalf of the other tenant. The groups returned are canonical groups without tenant prefix and cluster-tenant, e.g. "kaas-all-all-admin".
func (*Plugin) HasGroupExpression
func (p *Plugin) HasGroupExpression(user *security.User, tenant string, groupExpression grp.GroupExpression) bool
HasGroupExpression checks whether the given user has group permissions that fulfil the group expression; the expression supports "*" as a wildcard.
func (*Plugin) HasOneOfGroups
func (p *Plugin) HasOneOfGroups(user *security.User, tenant string, groups ...security.ResourceAccess) bool
HasOneOfGroups reports whether the given user has one of the given groups for, or "on behalf of", the given tenant. The groups to check are canonical groups without tenant prefix, e.g. "kaas-all-all-admin". Matches are exact, so "kaas-all-all-admin" only matches "kaas-all-all-admin"; see HasGroupExpression for more flexible queries.
func (*Plugin) ParseTokenUnvalidated
func (p *Plugin) ParseTokenUnvalidated(token string) (*security.User, *security.Claims, error)
ParseTokenUnvalidated extracts information from the given JWT token without validating it.
func (*Plugin) TenantsOnBehalf
func (p *Plugin) TenantsOnBehalf(user *security.User, groups []security.ResourceAccess) ([]string, bool, error)
TenantsOnBehalf returns the tenants on whose behalf the user may act with one of the given group permissions. If the user is allowed to act on behalf of "all" tenants, only the "all" flag is true and no tenants are returned.
func (*Plugin) UserTenantGroups
func (p *Plugin) UserTenantGroups(u *security.User) []security.ResourceAccess
UserTenantGroups returns the list of user groups that the user holds for their own tenant.
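The group model these methods share (tenant-prefixed raw groups reduced to canonical "app-x-y-role" groups, exact matching in HasOneOfGroups, "*" wildcards in HasGroupExpression, and the per-tenant versus "all" split in TenantsOnBehalf) is shown below as an added, self-contained Go program. It is not the plugin's code and does not import the real security package: the User type, the raw group layout "<tenant>-<app>-<x>-<y>-<role>", segment-wise wildcard matching, and the convention that a raw group with tenant prefix "all" grants the permission on every tenant are all assumptions made for the illustration, and the sample groups are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// User stands in for security.User: the user's own tenant and the raw groups
// taken from the token. The raw layout "<tenant>-<app>-<x>-<y>-<role>" is an
// ASSUMPTION for this example; the real plugin also strips a cluster-tenant.
type User struct {
	Tenant string
	Groups []string
}

// splitTenant separates the tenant prefix from the canonical group
// ("kaas-all-all-admin"). ok is false for strings that do not fit the layout.
func splitTenant(raw string) (tenant, canonical string, ok bool) {
	parts := strings.SplitN(raw, "-", 2)
	if len(parts) != 2 || parts[0] == "" || strings.Count(parts[1], "-") != 3 {
		return "", "", false
	}
	return parts[0], parts[1], true
}

// GroupsForTenant keeps only groups carrying the given tenant prefix and
// returns them in canonical form; malformed or foreign-tenant groups are dropped,
// as the ExtractUserProcessGroups description states.
func GroupsForTenant(u User, tenant string) []string {
	var out []string
	for _, raw := range u.Groups {
		if t, c, ok := splitTenant(raw); ok && t == tenant {
			out = append(out, c)
		}
	}
	return out
}

// HasOneOfGroups is an exact-match check on canonical groups for tenant.
func HasOneOfGroups(u User, tenant string, wanted ...string) bool {
	for _, have := range GroupsForTenant(u, tenant) {
		for _, w := range wanted {
			if have == w {
				return true
			}
		}
	}
	return false
}

// matchExpression compares segment by segment; "*" matches exactly one segment.
// Segment-wise matching is an ASSUMPTION that keeps "*" from spanning dashes.
func matchExpression(expr, group string) bool {
	es, gs := strings.Split(expr, "-"), strings.Split(group, "-")
	if len(es) != len(gs) {
		return false
	}
	for i := range es {
		if es[i] != "*" && es[i] != gs[i] {
			return false
		}
	}
	return true
}

// HasGroupExpression is the wildcard counterpart of HasOneOfGroups.
func HasGroupExpression(u User, tenant, expr string) bool {
	for _, have := range GroupsForTenant(u, tenant) {
		if matchExpression(expr, have) {
			return true
		}
	}
	return false
}

// TenantsOnBehalf lists, sorted, the tenants for which the user holds one of
// wanted. A tenant prefix of "all" is taken (ASSUMPTION) to cover every tenant,
// in which case all is true and tenants is nil.
func TenantsOnBehalf(u User, wanted ...string) (tenants []string, all bool, err error) {
	if len(wanted) == 0 {
		return nil, false, errors.New("no group permissions given")
	}
	seen := map[string]bool{}
	for _, raw := range u.Groups {
		t, c, ok := splitTenant(raw)
		if !ok {
			continue
		}
		for _, w := range wanted {
			if c == w {
				if t == "all" {
					return nil, true, nil
				}
				seen[t] = true
			}
		}
	}
	for t := range seen {
		tenants = append(tenants, t)
	}
	sort.Strings(tenants)
	return tenants, false, nil
}

func main() {
	// Constructed sample: own tenant "acme", one group on behalf of "globex", one junk entry.
	u := User{Tenant: "acme", Groups: []string{
		"acme-kaas-all-all-admin", "acme-maas-all-all-viewer",
		"globex-kaas-all-all-admin", "not-a-group",
	}}
	fmt.Println(GroupsForTenant(u, "acme"))                      // [kaas-all-all-admin maas-all-all-viewer]
	fmt.Println(HasOneOfGroups(u, "acme", "kaas-all-all-admin")) // true
	fmt.Println(HasOneOfGroups(u, "acme", "kaas-all-all-*"))     // false: exact match only
	fmt.Println(HasGroupExpression(u, "acme", "kaas-*-*-admin")) // true
	fmt.Println(TenantsOnBehalf(u, "kaas-all-all-admin"))        // [acme globex] false <nil>
}
```

The point of the exact/wildcard split is visible in the two HasOneOfGroups calls: a "*" passed to the exact-match check is just a literal that matches nothing, so an authorisation decision built on HasOneOfGroups cannot be widened by a caller sneaking a wildcard into the group name; wildcards are only honoured where HasGroupExpression is deliberately chosen.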