Documentation
¶
Overview ¶
Package iamruntimemiddleware builds an echo middleware which validates request authorization tokens.
Index ¶
- func CheckAccess(c echo.Context, actions []*authorization.AccessRequestAction, ...) error
- func CheckAccessTo(c echo.Context, resourceIDActionPairs ...string) error
- func ContextCheckAccess(ctx context.Context, actions []*authorization.AccessRequestAction, ...) error
- func ContextCheckAccessTo(ctx context.Context, resourceIDActionPairs ...string) error
- func ContextCreateRelationships(ctx context.Context, in *authorization.CreateRelationshipsRequest, ...) (*authorization.CreateRelationshipsResponse, error)
- func ContextDeleteRelationships(ctx context.Context, in *authorization.DeleteRelationshipsRequest, ...) (*authorization.DeleteRelationshipsResponse, error)
- func ContextSubject(c echo.Context) string
- func ContextToken(c echo.Context) *jwt.Token
- func ContextValidateCredential(ctx context.Context, in *authentication.ValidateCredentialRequest, ...) error
- func CreateRelationships(c echo.Context, in *authorization.CreateRelationshipsRequest, ...) (*authorization.CreateRelationshipsResponse, error)
- func DeleteRelationships(c echo.Context, in *authorization.DeleteRelationshipsRequest, ...) (*authorization.DeleteRelationshipsResponse, error)
- func ValidateCredential(c echo.Context, in *authentication.ValidateCredentialRequest, ...) error
- type Config
- type Runtime
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CheckAccess ¶
func CheckAccess(c echo.Context, actions []*authorization.AccessRequestAction, opts ...grpc.CallOption) error
CheckAccess executes an access request on the runtime in the context with the provided actions. If any error is returned, the error is converted to an echo error with a proper status code.
Example ¶
```go
middleware, _ := NewConfig().ToMiddleware()

engine := echo.New()
engine.Use(middleware)

engine.GET("/resources/:resource_id", func(c echo.Context) error {
	check := []*authorization.AccessRequestAction{
		{ResourceId: c.Param("resource_id"), Action: "resource_get"},
	}

	if err := CheckAccess(c, check); err != nil {
		return err
	}

	return c.String(http.StatusOK, "user has access to resource")
})

_ = http.ListenAndServe(":8080", engine)
```
func CheckAccessTo ¶ added in v0.1.2
func CheckAccessTo(c echo.Context, resourceIDActionPairs ...string) error
CheckAccessTo builds a check access request from its arguments and executes it on the runtime in the provided context. Arguments must be given as consecutive pairs: a resource ID followed by the role action to check against that resource.
Example ¶
```go
middleware, _ := NewConfig().ToMiddleware()

engine := echo.New()
engine.Use(middleware)

engine.GET("/resources/:resource_id", func(c echo.Context) error {
	if err := CheckAccessTo(c, c.Param("resource_id"), "resource_get"); err != nil {
		return err
	}

	return c.String(http.StatusOK, "user has access to resource")
})

_ = http.ListenAndServe(":8080", engine)
```
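As an added illustration, not code from the package, the stand-alone Go program below models the resource ID / action pairing convention that CheckAccessTo and ContextCheckAccessTo document, and fails closed on the malformed shapes a handler can easily produce: an odd-length list (which would otherwise silently drop the trailing resource ID), an empty list, and an empty resource ID or action (for instance a value taken from an optional query parameter). Whether CheckAccessTo itself rejects such input is not stated on this page, so validating before the call is the safe default. The accessRequestAction type, errOddPairs and pairsToActions are local stand-ins defined here; the only library fields they mirror are the ResourceId and Action fields that the page's own examples set.

```go
package main

import (
	"errors"
	"fmt"
)

// accessRequestAction is a local stand-in for the two fields the page's
// examples set on authorization.AccessRequestAction (ResourceId, Action), so
// that this file runs without the iam-runtime module. It is not the library's type.
type accessRequestAction struct {
	ResourceID string
	Action     string
}

// errOddPairs is returned when the variadic list cannot be split into
// (resource ID, action) pairs. An empty list is rejected too: a check with no
// actions is never what a handler intends.
var errOddPairs = errors.New("resourceIDActionPairs must be a non-empty, even-length list: resource ID, action, ...")

// pairsToActions expands the "resource ID, action, resource ID, action, ..."
// convention into explicit actions. Every element is checked before anything
// could reach the runtime, so a malformed call cannot turn into a check
// against a truncated or empty resource ID.
func pairsToActions(pairs ...string) ([]accessRequestAction, error) {
	if len(pairs) == 0 || len(pairs)%2 != 0 {
		return nil, errOddPairs
	}

	actions := make([]accessRequestAction, 0, len(pairs)/2)

	for i := 0; i < len(pairs); i += 2 {
		resourceID, action := pairs[i], pairs[i+1]
		if resourceID == "" || action == "" {
			return nil, fmt.Errorf("pair %d: resource ID and action must both be non-empty", i/2)
		}

		actions = append(actions, accessRequestAction{ResourceID: resourceID, Action: action})
	}

	return actions, nil
}

func main() {
	// Several resource/action checks can be expressed in one call and sent
	// to the runtime as a single access request.
	actions, err := pairsToActions("res-1", "resource_get", "res-2", "resource_update")
	if err != nil {
		panic(err)
	}
	for _, a := range actions {
		fmt.Printf("check %s on %s\n", a.Action, a.ResourceID)
	}

	// Malformed input is rejected before any request is built.
	for _, bad := range [][]string{{"res-1"}, {"", "resource_get"}, {}} {
		if _, err := pairsToActions(bad...); err != nil {
			fmt.Println("rejected:", err)
		}
	}
}
```

A handler would run this validation (or an equivalent) on the values it is about to pass to CheckAccessTo, returning a 400 rather than forwarding a half-formed pair list to the runtime.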
func ContextCheckAccess ¶ added in v0.1.4
func ContextCheckAccess(ctx context.Context, actions []*authorization.AccessRequestAction, opts ...grpc.CallOption) error
ContextCheckAccess is the same as CheckAccess except that it operates on a context.Context.
func ContextCheckAccessTo ¶ added in v0.1.4
func ContextCheckAccessTo(ctx context.Context, resourceIDActionPairs ...string) error
ContextCheckAccessTo is the same as CheckAccessTo except that it operates on a context.Context.
func ContextCreateRelationships ¶ added in v0.1.4
func ContextCreateRelationships(ctx context.Context, in *authorization.CreateRelationshipsRequest, opts ...grpc.CallOption) (*authorization.CreateRelationshipsResponse, error)
ContextCreateRelationships is the same as CreateRelationships except that it operates on a context.Context.
func ContextDeleteRelationships ¶ added in v0.1.4
func ContextDeleteRelationships(ctx context.Context, in *authorization.DeleteRelationshipsRequest, opts ...grpc.CallOption) (*authorization.DeleteRelationshipsResponse, error)
ContextDeleteRelationships is the same as DeleteRelationships except that it operates on a context.Context.
func ContextSubject ¶
func ContextSubject(c echo.Context) string
ContextSubject retrieves the subject from the provided echo context. If the subject is not found in the provided context, an empty string is returned.
Use ContextSubject() from iamruntime if a stdlib context is being used.
func ContextToken ¶
func ContextToken(c echo.Context) *jwt.Token
ContextToken retrieves the decoded jwt token from the provided echo context. If the token is not found in the provided context, nil is returned.
Use ContextToken() from iamruntime if a stdlib context is being used.
func ContextValidateCredential ¶ added in v0.1.4
func ContextValidateCredential(ctx context.Context, in *authentication.ValidateCredentialRequest, opts ...grpc.CallOption) error
ContextValidateCredential is the same as ValidateCredential except that it operates on a context.Context.
func CreateRelationships ¶
func CreateRelationships(c echo.Context, in *authorization.CreateRelationshipsRequest, opts ...grpc.CallOption) (*authorization.CreateRelationshipsResponse, error)
CreateRelationships executes a create relationship request on the runtime in the context. If any error is returned, the error is converted to an echo error with a proper status code.
Example ¶
```go
middleware, _ := NewConfig().ToMiddleware()

engine := echo.New()
engine.Use(middleware)

engine.POST("/resources", func(c echo.Context) error {
	// CreateResourceFromRequest is a placeholder for the application's own storage layer.
	resource := CreateResourceFromRequest(c)

	relationRequest := &authorization.CreateRelationshipsRequest{
		ResourceId: resource.ID,
		Relationships: []*authorization.Relationship{
			{
				Relation:  "parent",
				SubjectId: resource.ParentResourceID,
			},
		},
	}

	if _, err := CreateRelationships(c, relationRequest); err != nil {
		return err
	}

	return c.String(http.StatusOK, "resource created with relationships")
})

_ = http.ListenAndServe(":8080", engine)
```
func DeleteRelationships ¶
func DeleteRelationships(c echo.Context, in *authorization.DeleteRelationshipsRequest, opts ...grpc.CallOption) (*authorization.DeleteRelationshipsResponse, error)
DeleteRelationships executes a delete relationship request on the runtime in the context. If any error is returned, the error is converted to an echo error with a proper status code.
Example ¶
```go
middleware, _ := NewConfig().ToMiddleware()

engine := echo.New()
engine.Use(middleware)

engine.DELETE("/resources/:resource_id", func(c echo.Context) error {
	// GetResourceFromRequest and DeleteResourceFromRequest are placeholders for
	// the application's own storage layer.
	resource := GetResourceFromRequest(c)

	if err := DeleteResourceFromRequest(c); err != nil {
		return err
	}

	relationRequest := &authorization.DeleteRelationshipsRequest{
		ResourceId: resource.ID,
		Relationships: []*authorization.Relationship{
			{
				Relation:  "parent",
				SubjectId: resource.ParentResourceID,
			},
		},
	}

	if _, err := DeleteRelationships(c, relationRequest); err != nil {
		return err
	}

	return c.String(http.StatusOK, "resource deleted with relationships")
})

_ = http.ListenAndServe(":8080", engine)
```
func ValidateCredential ¶
func ValidateCredential(c echo.Context, in *authentication.ValidateCredentialRequest, opts ...grpc.CallOption) error
ValidateCredential executes a validate credential request on the runtime in the context with the provided credential. If any error is returned, the error is converted to an echo error with a proper status code.
Example ¶
```go
middleware, _ := NewConfig().ToMiddleware()

engine := echo.New()
engine.Use(middleware)

engine.GET("/user", func(c echo.Context) error {
	// Illustration only: a credential passed in the query string is written to
	// access logs and proxies along the way; carry it in a header or body instead.
	otherToken := c.QueryParam("check-token")

	if err := ValidateCredential(c, &authentication.ValidateCredentialRequest{Credential: otherToken}); err != nil {
		if errors.Is(err, iamruntime.ErrInvalidCredentials) {
			return fmt.Errorf("%w: other credentials are invalid", err)
		}

		return err
	}

	return c.String(http.StatusOK, "other token is valid")
})

_ = http.ListenAndServe(":8080", engine)
```
Types ¶
type Config ¶
```go
type Config struct {
	// Skipper defines a function to skip middleware.
	Skipper middleware.Skipper

	// Socket defines the iam runtime socket path.
	// Default is /tmp/runtime.sock
	// Not used if Runtime is defined.
	Socket string

	// Runtime specifies the runtime the middleware will use.
	// If no runtime is provided, a new runtime client is created using the Socket path.
	Runtime Runtime
	// contains filtered or unexported fields
}
```
Config defines configuration for the iam-runtime middleware. Build the echo middleware by calling Config.ToMiddleware()
func (Config) ToMiddleware ¶
ToMiddleware builds a new echo middleware function from the defined config. If no runtime client is defined, a default one is initialized. The default runtime will use the configured Socket path to connect to the runtime server. If no Socket is provided, the default socket path is used (/tmp/runtime.sock). Because /tmp is writable by every local user, set Socket explicitly to a path in a directory that only the service and the runtime can write to when the host is shared.
Example ¶
```go
middleware, _ := NewConfig().ToMiddleware()

engine := echo.New()
engine.Use(middleware)

engine.GET("/user", func(c echo.Context) error {
	return c.String(http.StatusOK, "welcome "+ContextSubject(c))
})

_ = http.ListenAndServe(":8080", engine)
```
func (Config) WithRuntime ¶
WithRuntime returns a new Config with the provided runtime set.
func (Config) WithSkipper ¶
func (c Config) WithSkipper(value middleware.Skipper) Config
WithSkipper returns a new Config with the provided skipper set.
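The Skipper decides which requests bypass the middleware entirely, so it is the one place where an over-broad match silently removes token validation from a route. As an added example (not code from the package), the stand-alone Go program below implements a fail-closed, exact-match allowlist of "METHOD /path" routes, normalising the path with path.Clean so that "/healthz/" matches "/healthz" while "/healthz/../admin" and "/healthcheck" do not. The skipList type, newSkipList, key and shouldSkip are names defined here; the allowlisted probe routes are constructed sample data.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"strings"
)

// skipList is an exact-match allowlist of "METHOD /path" routes that may
// bypass the middleware, typically liveness and readiness probes. Matching is
// deliberately exact rather than by prefix: a prefix rule for "/health" would
// also skip "/health-admin" if such a route were added later.
type skipList map[string]struct{}

// newSkipList parses entries of the form "GET /healthz". A malformed entry is
// a programming error and panics at start-up rather than being ignored.
func newSkipList(routes ...string) skipList {
	s := make(skipList, len(routes))
	for _, r := range routes {
		parts := strings.SplitN(r, " ", 2)
		if len(parts) != 2 {
			panic(fmt.Sprintf("skip route %q must be \"METHOD /path\"", r))
		}
		s[key(parts[0], parts[1])] = struct{}{}
	}
	return s
}

// key normalises the lookup key: the method is upper-cased and the path is
// cleaned, so "/healthz/" and "/healthz/./" collapse to "/healthz" while
// "/healthz/../admin" becomes "/admin" and therefore stays behind the middleware.
func key(method, p string) string {
	return strings.ToUpper(method) + " " + path.Clean("/"+p)
}

// shouldSkip reports whether a request may bypass the middleware. Anything not
// on the allowlist falls through to token validation, so the default is closed.
func (s skipList) shouldSkip(method, p string) bool {
	_, ok := s[key(method, p)]
	return ok
}

func main() {
	probes := newSkipList("GET /healthz", "GET /readyz") // constructed sample allowlist

	for _, r := range []struct{ method, path string }{
		{http.MethodGet, "/healthz"},
		{http.MethodGet, "/healthz/"},
		{http.MethodPost, "/healthz"},
		{http.MethodGet, "/healthz/../admin"},
		{http.MethodGet, "/healthcheck"},
	} {
		fmt.Printf("%-4s %-20s skip=%v\n", r.method, r.path, probes.shouldSkip(r.method, r.path))
	}
}
```

Wiring it into the config is a one-liner against the documented WithSkipper signature: `NewConfig().WithSkipper(func(c echo.Context) bool { return probes.shouldSkip(c.Request().Method, c.Request().URL.Path) })`. A skipped request never passes through the middleware, so nothing is placed in its context: for such requests ContextSubject returns an empty string and ContextToken and ContextRuntime return nil, as their documentation states for a missing value, and a handler on a skipped route must not rely on CheckAccess or the other helpers.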
type Runtime ¶
```go
type Runtime interface {
	authentication.AuthenticationClient
	authorization.AuthorizationClient
}
```
Runtime defines the required methods for a supported runtime.
func ContextRuntime ¶
func ContextRuntime(c echo.Context) Runtime
ContextRuntime retrieves the iam runtime from the context. If the runtime is not found in the provided context, nil is returned.
Use ContextRuntime() or ContextRuntimeAny() from iamruntime if a stdlib context is being used.