Documentation
Index ¶
- Variables
- type EntityTree
- type NetAuthServer
- func (s *NetAuthServer) AddEntityToGroup(ctx context.Context, r *pb.ModEntityMembershipRequest) (*pb.SimpleResult, error)
- func (s *NetAuthServer) AuthEntity(ctx context.Context, r *pb.NetAuthRequest) (*pb.SimpleResult, error)
- func (s *NetAuthServer) ChangeSecret(ctx context.Context, r *pb.ModEntityRequest) (*pb.SimpleResult, error)
- func (s *NetAuthServer) DeleteGroup(ctx context.Context, r *pb.ModGroupRequest) (*pb.SimpleResult, error)
- func (s *NetAuthServer) EntityInfo(ctx context.Context, r *pb.NetAuthRequest) (*pb.Entity, error)
- func (s *NetAuthServer) GetToken(ctx context.Context, r *pb.NetAuthRequest) (*pb.TokenResult, error)
- func (s *NetAuthServer) GroupInfo(ctx context.Context, r *pb.ModGroupRequest) (*pb.GroupInfoResult, error)
- func (s *NetAuthServer) ListGroupMembers(ctx context.Context, r *pb.GroupMemberRequest) (*pb.EntityList, error)
- func (s *NetAuthServer) ListGroups(ctx context.Context, r *pb.GroupListRequest) (*pb.GroupList, error)
- func (s *NetAuthServer) LockEntity(ctx context.Context, r *pb.NetAuthRequest) (*pb.SimpleResult, error)
- func (s *NetAuthServer) ManageCapabilities(ctx context.Context, r *pb.ModCapabilityRequest) (*pb.SimpleResult, error)
- func (s *NetAuthServer) ModifyEntityKeys(ctx context.Context, r *pb.ModEntityKeyRequest) (*pb.KeyList, error)
- func (s *NetAuthServer) ModifyEntityMeta(ctx context.Context, r *pb.ModEntityRequest) (*pb.SimpleResult, error)
- func (s *NetAuthServer) ModifyGroupMeta(ctx context.Context, r *pb.ModGroupRequest) (*pb.SimpleResult, error)
- func (s *NetAuthServer) ModifyGroupNesting(ctx context.Context, r *pb.ModGroupNestingRequest) (*pb.SimpleResult, error)
- func (s *NetAuthServer) ModifyUntypedEntityMeta(ctx context.Context, r *pb.ModEntityMetaRequest) (*pb.UntypedMetaResult, error)
- func (s *NetAuthServer) ModifyUntypedGroupMeta(ctx context.Context, r *pb.ModGroupMetaRequest) (*pb.UntypedMetaResult, error)
- func (s *NetAuthServer) NewEntity(ctx context.Context, r *pb.ModEntityRequest) (*pb.SimpleResult, error)
- func (s *NetAuthServer) NewGroup(ctx context.Context, r *pb.ModGroupRequest) (*pb.SimpleResult, error)
- func (s *NetAuthServer) Ping(ctx context.Context, pingRequest *pb.PingRequest) (*pb.PingResponse, error)
- func (s *NetAuthServer) RemoveEntity(ctx context.Context, r *pb.ModEntityRequest) (*pb.SimpleResult, error)
- func (s *NetAuthServer) RemoveEntityFromGroup(ctx context.Context, r *pb.ModEntityMembershipRequest) (*pb.SimpleResult, error)
- func (s *NetAuthServer) UnlockEntity(ctx context.Context, r *pb.NetAuthRequest) (*pb.SimpleResult, error)
- func (s *NetAuthServer) ValidateToken(ctx context.Context, r *pb.NetAuthRequest) (*pb.SimpleResult, error)
Constants ¶
This section is empty.
Variables ¶
var (
	// ErrRequestorUnqualified is returned when a caller has
	// attempted to perform some action that requires
	// authorization and the caller is either not authorized, was
	// unable to present a token, or the token did not contain
	// sufficient capabilities. All three cases map to this single
	// value, so a client cannot distinguish a missing token from an
	// insufficient one by the error alone.
	ErrRequestorUnqualified = errors.New("the requestor is not qualified to perform that action")

	// ErrMalformedRequest is returned when a caller makes some
	// request to the server but has failed to provide a complete
	// request, or has provided a request that is in conflict with
	// itself.
	ErrMalformedRequest = errors.New("the request is malformed and cannot be processed")

	// ErrInternalError is a catchall for errors that are
	// otherwise unidentified and unrecoverable in the server.
	// NOTE(review): the message is capitalised, unlike the other
	// two; Go convention is lowercase. It is left unchanged here
	// because callers may compare against the text.
	ErrInternalError = errors.New("An internal error has occurred")
)
Functions ¶
This section is empty.
Types ¶
type EntityTree ¶
// EntityTree is the storage layer behind a NetAuthServer. It holds
// entities and groups together with their secrets, metadata,
// memberships and capabilities. None of its methods take a token:
// the caller-authorization described on the server methods is not
// part of this interface and must happen before it is invoked.
// Parameter names are not visible here; the meanings noted below are
// inferred from the method names and should be confirmed against the
// implementation.
type EntityTree interface {
	// GetEntity looks an entity up by its identifier.
	GetEntity(string) (*pb.Entity, error)
	// ValidateSecret checks a presented secret against the stored
	// one; presumably (entityID, secret). A nil error means the
	// secret was accepted.
	ValidateSecret(string, string) error
	// MakeBootstrap and DisableBootstrap toggle a bootstrap mode,
	// presumably used to seed an empty tree with an initial entity
	// and secret. NOTE(review): confirm DisableBootstrap is always
	// called once initial setup is complete.
	MakeBootstrap(string, string)
	DisableBootstrap()
	// SetEntitySecretByID overwrites an entity's secret; presumably
	// (entityID, newSecret).
	SetEntitySecretByID(string, string) error
	// LockEntity / UnlockEntity change an entity's lock state by ID.
	LockEntity(string) error
	UnlockEntity(string) error
	// NewEntity creates an entity; the int32 is presumably a numeric
	// ID and the trailing string its secret — confirm.
	NewEntity(string, int32, string) error
	// DeleteEntityByID removes an entity.
	DeleteEntityByID(string) error
	// UpdateEntityMeta replaces the typed metadata of an entity.
	UpdateEntityMeta(string, *pb.EntityMeta) error
	// UpdateEntityKeys and ManageUntypedEntityMeta take four
	// strings and return a list; the argument order is not shown
	// here — confirm against the implementation.
	UpdateEntityKeys(string, string, string, string) ([]string, error)
	ManageUntypedEntityMeta(string, string, string, string) ([]string, error)
	// NewGroup creates a group; the int32 is presumably a numeric ID.
	NewGroup(string, string, string, int32) error
	// DeleteGroup removes a group by name.
	DeleteGroup(string) error
	// ListGroups returns every group in the tree.
	ListGroups() ([]*pb.Group, error)
	// GetGroupByName looks a group up by name.
	GetGroupByName(string) (*pb.Group, error)
	// UpdateGroupMeta replaces a group's stored metadata.
	UpdateGroupMeta(string, *pb.Group) error
	// ManageUntypedGroupMeta is the group counterpart of
	// ManageUntypedEntityMeta.
	ManageUntypedGroupMeta(string, string, string, string) ([]string, error)
	// GetMemberships returns the names of the groups an entity is a
	// member of; the bool presumably controls whether nested
	// expansions are included — confirm.
	GetMemberships(*pb.Entity, bool) []string
	// AddEntityToGroup / RemoveEntityFromGroup change direct
	// membership; presumably (entityID, groupName).
	AddEntityToGroup(string, string) error
	RemoveEntityFromGroup(string, string) error
	// ListMembers returns the entities that are members of a group.
	ListMembers(string) ([]*pb.Entity, error)
	// ModifyGroupExpansions adds or removes an expansion rule
	// between two groups according to the given mode.
	ModifyGroupExpansions(string, string, pb.ExpansionMode) error
	// Capability assignment on entities (by ID) and groups (by name).
	// These grant or revoke authority, so the server must check the
	// caller's own capability before reaching them.
	SetEntityCapabilityByID(string, string) error
	RemoveEntityCapabilityByID(string, string) error
	SetGroupCapabilityByName(string, string) error
	RemoveGroupCapabilityByName(string, string) error
}
An EntityTree is the storage layer behind a NetAuthServer: it holds entities and groups together with their secrets, metadata, memberships and capabilities, and is the component that actually checks a presented secret (ValidateSecret). None of its methods take a token, so the caller authorization described on the server methods below is not part of this interface.
type NetAuthServer ¶
// NetAuthServer implements the NetAuthServer protocol buffer service.
type NetAuthServer struct {
	// Tree is the backing store from which entities and groups are
	// read and to which all modifications are written.
	Tree EntityTree
	// Token is the service the server uses for the tokens it
	// issues (GetToken) and validates (ValidateToken), and which
	// presumably authorizes the privileged calls. token.Service is
	// not shown here; confirm its contract.
	Token token.Service
}
A NetAuthServer is a collection of methods that satisfy the requirements of the NetAuthServer protocol buffer.
func (*NetAuthServer) AddEntityToGroup ¶
func (s *NetAuthServer) AddEntityToGroup(ctx context.Context, r *pb.ModEntityMembershipRequest) (*pb.SimpleResult, error)
AddEntityToGroup adds an existing entity to an existing group as a direct member. If the entity is already a direct member, the call is idempotent and has no further effect. This action must be authorized by the presentation of a token containing the appropriate capability.
func (*NetAuthServer) AuthEntity ¶
func (s *NetAuthServer) AuthEntity(ctx context.Context, r *pb.NetAuthRequest) (*pb.SimpleResult, error)
AuthEntity performs entity authentication and returns a boolean result for the attempt; no token is issued. Prefer it over GetToken for callers that do not need a NetAuth token, either because they need no token at all or because they will issue a credential of their own on the authority of this response.
func (*NetAuthServer) ChangeSecret ¶
func (s *NetAuthServer) ChangeSecret(ctx context.Context, r *pb.ModEntityRequest) (*pb.SimpleResult, error)
ChangeSecret resets an entity's secret. There are two flows, depending on whether the request is self-modifying. In a self-modifying request (an entity changing its own secret) the entity must present its current secret to authorize the change; a token, even a valid one, does not authorize this path. In an administrative request (an entity changing another entity's secret) the requester must possess a token carrying the appropriate capability.
func (*NetAuthServer) DeleteGroup ¶
func (s *NetAuthServer) DeleteGroup(ctx context.Context, r *pb.ModGroupRequest) (*pb.SimpleResult, error)
DeleteGroup removes a group from the NetAuth server. This action must be authorized by the presentation of a token containing appropriate capabilities. The delete does not cascade: the group is removed even if it still has members, and references to it elsewhere in the tree are not cleaned up. Other methods *should* handle a reference to a group that no longer exists safely, but it's still good form to remove such references before calling this action.
func (*NetAuthServer) EntityInfo ¶
func (s *NetAuthServer) EntityInfo(ctx context.Context, r *pb.NetAuthRequest) (*pb.Entity, error)
EntityInfo returns as much information about an entity as is known. The response does not include the entity's group memberships within the tree, but does include every field in the EntityMeta section.
func (*NetAuthServer) GetToken ¶
func (s *NetAuthServer) GetToken(ctx context.Context, r *pb.NetAuthRequest) (*pb.TokenResult, error)
GetToken behaves like AuthEntity above, but additionally returns a token that can be used to authorize further requests to the NetAuth server.
func (*NetAuthServer) GroupInfo ¶
func (s *NetAuthServer) GroupInfo(ctx context.Context, r *pb.ModGroupRequest) (*pb.GroupInfoResult, error)
GroupInfo returns as much information as is known about a group. Group membership is not included; use ListGroupMembers for that.
func (*NetAuthServer) ListGroupMembers ¶
func (s *NetAuthServer) ListGroupMembers(ctx context.Context, r *pb.GroupMemberRequest) (*pb.EntityList, error)
ListGroupMembers lists the entities that are members of a particular group. This call requires computing fairly large chunks of the membership graph, so it is comparatively expensive.
func (*NetAuthServer) ListGroups ¶
func (s *NetAuthServer) ListGroups(ctx context.Context, r *pb.GroupListRequest) (*pb.GroupList, error)
ListGroups lists the groups a particular entity belongs to, or every group on the server if no entity is specified. Computing the groups of a specific entity can be quite expensive, since large chunks of the membership tree must be calculated.
func (*NetAuthServer) LockEntity ¶ added in v0.0.11
func (s *NetAuthServer) LockEntity(ctx context.Context, r *pb.NetAuthRequest) (*pb.SimpleResult, error)
LockEntity locks an entity. This action must be authorized with an appropriate token.
func (*NetAuthServer) ManageCapabilities ¶
func (s *NetAuthServer) ManageCapabilities(ctx context.Context, r *pb.ModCapabilityRequest) (*pb.SimpleResult, error)
ManageCapabilities assigns or removes capabilities on an entity or a group. If both an entity and a group are specified, the group is silently ignored and the modification is applied to the named entity, so callers should populate exactly one of the two to avoid granting a capability to the wrong principal. This entry does not state the authorization required; since it grants authority, expect it to require a token carrying the relevant capability, as the other mutating calls do — confirm against the implementation.
func (*NetAuthServer) ModifyEntityKeys ¶
func (s *NetAuthServer) ModifyEntityKeys(ctx context.Context, r *pb.ModEntityKeyRequest) (*pb.KeyList, error)
ModifyEntityKeys can be used to add, remove, or retrieve the keys associated with an entity. This action must be authorized by the presentation of a token with appropriate capabilities.
func (*NetAuthServer) ModifyEntityMeta ¶
func (s *NetAuthServer) ModifyEntityMeta(ctx context.Context, r *pb.ModEntityRequest) (*pb.SimpleResult, error)
ModifyEntityMeta modifies the EntityMeta section of an Entity. The request must be authorized by a token containing the capabilities required to modify other entities. Some fields cannot be changed through this call and must instead be changed via more specialised calls that perform additional authorization and validation checks.
func (*NetAuthServer) ModifyGroupMeta ¶
func (s *NetAuthServer) ModifyGroupMeta(ctx context.Context, r *pb.ModGroupRequest) (*pb.SimpleResult, error)
ModifyGroupMeta allows metadata stored on the group to be rewritten. Some fields may not be changed using this action and must use more specialized calls which perform additional authorization and validation checks. This action must be authorized by the presentation of a token containing appropriate capabilities.
func (*NetAuthServer) ModifyGroupNesting ¶
func (s *NetAuthServer) ModifyGroupNesting(ctx context.Context, r *pb.ModGroupNestingRequest) (*pb.SimpleResult, error)
ModifyGroupNesting changes the expansion rules of a group. An expansion can either include another group's members or prune the members of one group from another. Expansions are validated before being applied: a duplicate expansion is rejected, and so is any expansion that would create a cycle in the membership graph.
func (*NetAuthServer) ModifyUntypedEntityMeta ¶ added in v0.0.10
func (s *NetAuthServer) ModifyUntypedEntityMeta(ctx context.Context, r *pb.ModEntityMetaRequest) (*pb.UntypedMetaResult, error)
ModifyUntypedEntityMeta alters the data stored in the untyped K/V segment of an entity's metadata. This action must be authorized by the presentation of a token with appropriate capabilities.
func (*NetAuthServer) ModifyUntypedGroupMeta ¶ added in v0.0.10
func (s *NetAuthServer) ModifyUntypedGroupMeta(ctx context.Context, r *pb.ModGroupMetaRequest) (*pb.UntypedMetaResult, error)
ModifyUntypedGroupMeta alters the data stored in the untyped K/V segment of a group's metadata. This action must be authorized by the presentation of a token with appropriate capabilities.
func (*NetAuthServer) NewEntity ¶
func (s *NetAuthServer) NewEntity(ctx context.Context, r *pb.ModEntityRequest) (*pb.SimpleResult, error)
NewEntity creates a new entity. This action must be authorized by the presentation of a valid token containing appropriate capabilities.
func (*NetAuthServer) NewGroup ¶
func (s *NetAuthServer) NewGroup(ctx context.Context, r *pb.ModGroupRequest) (*pb.SimpleResult, error)
NewGroup creates a new group on the NetAuth server. This action must be authorized by the presentation of a token containing appropriate capabilities.
func (*NetAuthServer) Ping ¶
func (s *NetAuthServer) Ping(ctx context.Context, pingRequest *pb.PingRequest) (*pb.PingResponse, error)
Ping reports the server's health status to the client. It is designed to be a virtually free action that is safe to invoke at any time to check whether the server is available.
func (*NetAuthServer) RemoveEntity ¶
func (s *NetAuthServer) RemoveEntity(ctx context.Context, r *pb.ModEntityRequest) (*pb.SimpleResult, error)
RemoveEntity removes an entity. This action must be authorized by the presentation of a valid token containing appropriate capabilities.
func (*NetAuthServer) RemoveEntityFromGroup ¶
func (s *NetAuthServer) RemoveEntityFromGroup(ctx context.Context, r *pb.ModEntityMembershipRequest) (*pb.SimpleResult, error)
RemoveEntityFromGroup will remove an existing entity from an existing group. This action must be authorized by the presentation of a token containing appropriate capabilities.
func (*NetAuthServer) UnlockEntity ¶ added in v0.0.11
func (s *NetAuthServer) UnlockEntity(ctx context.Context, r *pb.NetAuthRequest) (*pb.SimpleResult, error)
UnlockEntity unlocks a previously locked entity. This action must be authorized with an appropriate token.
func (*NetAuthServer) ValidateToken ¶
func (s *NetAuthServer) ValidateToken(ctx context.Context, r *pb.NetAuthRequest) (*pb.SimpleResult, error)
ValidateToken attempts to determine whether a token previously issued by this NetAuth server is valid.