security

package
v1.9.6 Latest
Warning

This package is not in the latest version of its module.
Published: Jul 5, 2022 License: Apache-2.0 Imports: 16 Imported by: 37

Documentation

Index

Constants

const (
	// AuthFailed is returned by Authenticate when a call to Authenticate fails
	AuthFailed = iota

	// AuthEdgeNode is returned by Authenticate when the authenticated user is an embedded ESS edge node. userID is in the format "{destinationType}/{destinationID}"
	AuthEdgeNode

	// AuthAdmin is returned by Authenticate when the authenticated user is an org admin, who has admin access to objects and manifests
	AuthAdmin

	// AuthObjectAdmin is returned by Authenticate when the authenticated user is an org admin who has admin access to objects only (no admin access to manifests)
	AuthObjectAdmin

	// AuthUser is returned by Authenticate when the authenticated user is a regular user
	AuthUser

	// AuthSyncAdmin is returned by Authenticate when the authenticated user is a Sync Service Admin
	AuthSyncAdmin

	// AuthService is returned by Authenticate when the authenticated user is a Service
	AuthService

	// AuthNodeUser is returned by Authenticate when the authenticated user authenticates with an exchange nodeId and nodeToken. DestinationType is not needed for AuthNodeUser
	AuthNodeUser
)

Auth code

const (
	// Indicate this entry of ACL is for exchange user
	ACLUser = "user"

	// Indicate this entry of ACL is for exchange node
	ACLNode = "node"
)

ACL user type

const (
	// username/nodename in ACL list with ACLWriter role has read/write access
	ACLWriter = "aclWriter"

	// username/nodename in ACL list with ACLReader role has read access only
	ACLReader = "aclReader"

	// role for destinations acl
	ACLNA = "na"
)

ACL role. Only AuthAdmin and AuthSyncAdmin can modify an ACL list. ACL roles are currently only used for "objects" ACLs; use "n/a" for destination ACLs.

const SPIRequestIdentityHeader = "X-Sync-Service-Dest"

SPIRequestIdentityHeader is the header used to send the identity in HTTP SPI requests. It should only be used here and in the httpCommunication tests.

Variables

Store is a reference to the storage in use

Functions

func AddIdentityToSPIRequest

func AddIdentityToSPIRequest(request *http.Request, requestURL string)

AddIdentityToSPIRequest adds the identity information to SPI requests made by an ESS.

func Authenticate

func Authenticate(request *http.Request) (int, string, string)

Authenticate authenticates a particular HTTP request and indicates whether it is an edge node, org admin, or plain user. Also returned is the user's org and identity. An edge node's identity is destType/destID. A service's identity is serviceOrg/arch/version/serviceName.

func CanUserAccessAllObjects added in v0.10.12

func CanUserAccessAllObjects(request *http.Request, orgID, objectType string) (bool, int, string)

CanUserAccessAllObjects checks whether the user identified by the credentials in the supplied request can read the specified object type. Return values:
    1) true indicates the given user can access all objects of the given objectType in the given orgID; false indicates the user can access only "public" objects of the given objectType in the given orgID
    2) authCode
    3) userID

func CanUserCreateObject

func CanUserCreateObject(request *http.Request, orgID string, metaData *common.MetaData) (bool, string, string)

CanUserCreateObject checks whether the user identified by the credentials in the supplied request can create an object of the given object type and send it to the destinations in the metadata.

func CheckAddACLInputFormat added in v0.10.12

func CheckAddACLInputFormat(aclType string, aclInputList []common.ACLentry) (*[]common.ACLentry, error)

CheckAddACLInputFormat checks ACL entry format.

func CheckObjectCanBeModifiedByUser added in v0.10.12

func CheckObjectCanBeModifiedByUser(userID, orgID, objectType string, aclUserType string) bool

CheckObjectCanBeModifiedByUser returns true if the given user has ACLWriter access to the given object type.

func CheckObjectTypesCanBeAccessByGivenUser added in v0.10.12

func CheckObjectTypesCanBeAccessByGivenUser(orgID string, aclUserType string, aclUsername string) (bool, []string, error)

CheckObjectTypesCanBeAccessByGivenUser returns the list of objectTypes the given user has access to. If the first returned value is true, the given user can access all object types.

func CheckRemoveACLInputFormat added in v0.10.12

func CheckRemoveACLInputFormat(aclInputList []common.ACLentry) error

CheckRemoveACLInputFormat checks ACL entry format.

func GetACLUserType added in v0.10.12

func GetACLUserType(authCode int) string

GetACLUserType returns the ACL user type for the given authCode.
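The ACL constants, CheckAddACLInputFormat and GetACLUserType above describe the rules an add-ACL request has to satisfy, but not what a concrete check looks like. The following is an added example, not code from the edge-sync-service project: it redeclares the package's auth codes and ACL constants so it runs stand-alone, uses a hypothetical ACLEntry struct (its field names are an assumption standing in for common.ACLentry), and the mapping in ACLUserTypeFor is likewise an assumption about what GetACLUserType does, not a copy of it.

```go
package main

import (
	"fmt"
	"strings"
)

// Auth codes and ACL constants, redeclared so this example runs on its own.
// In the real package they come from the security package's constant blocks.
const (
	AuthFailed = iota
	AuthEdgeNode
	AuthAdmin
	AuthObjectAdmin
	AuthUser
	AuthSyncAdmin
	AuthService
	AuthNodeUser
)

const (
	ACLUser   = "user"
	ACLNode   = "node"
	ACLWriter = "aclWriter"
	ACLReader = "aclReader"
	ACLNA     = "na"
)

// ACLEntry is an assumed stand-in for common.ACLentry: who the entry is for,
// whether that name is an exchange user or an exchange node, and the role.
type ACLEntry struct {
	Username    string `json:"username"`
	ACLUserType string `json:"aclUserType"`
	ACLRole     string `json:"aclRole"`
}

// CanModifyACL applies the rule stated in the package docs: only an org admin
// or a Sync Service admin may change an ACL list. Object admins are not enough.
func CanModifyACL(authCode int) bool {
	return authCode == AuthAdmin || authCode == AuthSyncAdmin
}

// ACLUserTypeFor maps an auth code to the ACL entry type a caller is matched
// against. Assumed mapping: exchange node id/token credentials match "node"
// entries, every other successful authentication matches "user" entries, and
// a failed authentication has no ACL identity at all.
func ACLUserTypeFor(authCode int) string {
	switch authCode {
	case AuthFailed:
		return ""
	case AuthNodeUser:
		return ACLNode
	default:
		return ACLUser
	}
}

// ValidateAddACLInput checks the entries of an add-ACL request. aclType is
// "objects" or "destinations". Object ACLs carry a real role (aclWriter or
// aclReader); destination ACLs have no role, so the entry is normalised to
// ACLNA. Rejected entries are reported with their index so the caller can
// answer with a precise error instead of silently dropping them.
func ValidateAddACLInput(aclType string, entries []ACLEntry) ([]ACLEntry, error) {
	if aclType != "objects" && aclType != "destinations" {
		return nil, fmt.Errorf("unknown ACL type %q", aclType)
	}
	if len(entries) == 0 {
		return nil, fmt.Errorf("ACL input list is empty")
	}
	out := make([]ACLEntry, 0, len(entries))
	for i, e := range entries {
		if strings.TrimSpace(e.Username) == "" {
			return nil, fmt.Errorf("entry %d: username must not be empty", i)
		}
		if e.ACLUserType != ACLUser && e.ACLUserType != ACLNode {
			return nil, fmt.Errorf("entry %d: aclUserType must be %q or %q, got %q", i, ACLUser, ACLNode, e.ACLUserType)
		}
		if aclType == "objects" {
			if e.ACLRole != ACLWriter && e.ACLRole != ACLReader {
				return nil, fmt.Errorf("entry %d: aclRole must be %q or %q for objects, got %q", i, ACLWriter, ACLReader, e.ACLRole)
			}
		} else {
			// The docs write the destination role both as "na" and "n/a"; accept both and an empty role.
			if e.ACLRole != "" && e.ACLRole != ACLNA && e.ACLRole != "n/a" {
				return nil, fmt.Errorf("entry %d: aclRole does not apply to destinations, got %q", i, e.ACLRole)
			}
			e.ACLRole = ACLNA
		}
		out = append(out, e)
	}
	return out, nil
}

func main() {
	valid, err := ValidateAddACLInput("objects", []ACLEntry{
		{Username: "user1", ACLUserType: ACLUser, ACLRole: ACLWriter},
		{Username: "node1", ACLUserType: ACLNode, ACLRole: ACLReader},
	})
	fmt.Println(valid, err)
	fmt.Println(CanModifyACL(AuthObjectAdmin), CanModifyACL(AuthSyncAdmin))
}
```

The validator returns a fresh, normalised slice rather than mutating the caller's input, and it rejects the whole request on the first bad entry; partial application of an ACL change is the failure mode an authorization layer should avoid.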

func KeyandSecretForURL

func KeyandSecretForURL(url string) (string, string)

KeyandSecretForURL returns an app key and an app secret pair to be used by the ESS when communicating with the specified URL.

func SetAuthentication

func SetAuthentication(auth Authentication)

SetAuthentication is called by the code starting the Sync Service to set the Authentication implementation to be used by the Sync Service.

func Start

func Start()

Start starts up the security component

func Stop

func Stop()

Stop stops the security component

func ValidateSPIRequestIdentity

func ValidateSPIRequestIdentity(request *http.Request) (bool, string, string, string)

ValidateSPIRequestIdentity validates the identity sent in a SPI request by an ESS to a CSS. Returns true if the identity is ok for a SPI request, along with the orgID, destType, and destID sent in the request.

Types

type Authentication

type Authentication interface {
	// Authenticate authenticates a particular HTTP request and indicates
	// whether it is an edge node, org admin, or plain user. Also returned is the
	// user's org and identity. An edge node's identity is destType/destID. A
	// service's identity is serviceOrg/version/serviceName.
	Authenticate(request *http.Request) (int, string, string)

	// KeyandSecretForURL returns an app key and an app secret pair to be
	// used by the ESS when communicating with the specified URL.
	KeyandSecretForURL(url string) (string, string)

	// Start gives the Authentication implementation a chance to initialize itself
	Start()
}

Authentication is the interface invoked by the Sync Service for authentication. An implementation of this interface is provided to the Sync Service core code by the code starting up the Sync Service.

type CSSCredentials

type CSSCredentials struct {
	AppKey    string `json:"key"`
	AppSecret string `json:"secret"`
}

CSSCredentials defines the appkey and appsecret used to communicate with the CSS

type CredentialInfo

type CredentialInfo struct {
	Username string `json:"username"`
	Secret   string `json:"secret"`
	OrgID    string `json:"orgID"`
	Type     string `json:"type"`
	// contains filtered or unexported fields
}

CredentialInfo is the information related to an app key

type DummyAuthenticate

type DummyAuthenticate struct {
	// contains filtered or unexported fields
}

DummyAuthenticate is the dummy implementation of the Authentication interface. It should NOT be used in production deployments.

This implementation ignores App secrets.

App keys for:

APIs        are of the form userID@orgID or email@emailDomain@orgID.
            The file {PersistentRootPath}/sync/dummy-auth.json is used to
            determine if a userID is a regular user or a sync admin,
            and to determine if a userID is an exchange admin.

            The file {PersistentRootPath}/sync/dummy-auth.json is of the form:
               {
                 "regularUsers": [ "user1", "user2" ],
                 "syncAdmins": [ "admin" ],
                 "exchangeAdmins": [ "admin", "user1"]
               }
            The userIDs in the field regularUsers are regular users and the
            userIDs in the field syncAdmins are sync-service administrators.

            If a userID does not appear in the file, it is assumed to be an
            admin for the specified org.

Edge nodes  are of the form orgID/destType/destID

func (*DummyAuthenticate) Authenticate

func (auth *DummyAuthenticate) Authenticate(request *http.Request) (int, string, string)

Authenticate authenticates a particular HTTP request and indicates whether it is an edge node, org admin, or plain user. Also returned is the user's org and identity. An edge node's identity is destType/destID. A service's identity is serviceOrg/version/serviceName.

Note: This Authenticate implementation is for development use. App secrets are ignored. App keys for APIs are of the form userID@orgID or email@emailDomain@orgID. The file dummy-auth.json is used to determine if a userID is a regular user or a sync admin. If the userID does not appear there, it is assumed to be an admin for the specified org. Edge node app keys are of the form orgID/destType/destID.

func (*DummyAuthenticate) KeyandSecretForURL

func (auth *DummyAuthenticate) KeyandSecretForURL(url string) (string, string)

KeyandSecretForURL returns an app key and an app secret pair to be used by the ESS when communicating with the specified URL.

func (*DummyAuthenticate) Start

func (auth *DummyAuthenticate) Start()

Start initializes the DummyAuthenticate struct

type PresetAuthenticate

type PresetAuthenticate struct {
	Credentials map[string]CredentialInfo `json:"credentials"`

	// CSSCredentials is the credentials to use when communicating with the CSS
	CSSCredentials CSSCredentials `json:"cssCredentials"`
}

PresetAuthenticate is an implementation of the Authentication interface that uses a set of ids defined in the file {PersistenceRootPath}/sync/preset-auth.json.

The file {PersistenceRootPath}/sync/preset-auth.json is of the form:

{
  "credentials": {
    "edgeNodeKey1": {
      "secret": "edgeNodeSecret1", "orgID": "orgid", "username": "destType/destID", "type": "EdgeNode"
    },
    "appKey1": {
      "secret": "appSecret1", "orgID": "orgid", "username": "user1", "type": "admin"
    }
  },
  "cssCredentials": { "key": "edgeNodeKey1", "secret": "edgeNodeSecret1" }
}

The credentials field is a set of JSON objects, whose key or name is an appKey. The JSON objects have fields in them for the user's appSecret, the org they are part of, their user name and their type. The values for the type field are admin, edgenode, user, syncadmin, and service. The username field for an edge node is of the form destType/destID and for a service it is of the form serviceOrg/version/serviceName.

The cssCredentials field is used to provide an ESS with the credentials it needs to communicate with the CSS via HTTP. These credentials must be in one of the elements of the above described credentials field on the CSS.
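To make the Authentication interface and the preset-auth.json format above concrete, here is an added example of a preset-style authenticator. It is not the project's PresetAuthenticate and makes two assumptions the page does not state: that the appKey/appSecret pair arrives as HTTP Basic auth, and that the type field is matched case-insensitively (the sample file writes "EdgeNode"). The auth codes and the exported fields of CredentialInfo and CSSCredentials are redeclared so the example runs stand-alone, and the JSON in presetJSON is constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Auth codes, redeclared so this example runs on its own.
const (
	AuthFailed = iota
	AuthEdgeNode
	AuthAdmin
	AuthObjectAdmin
	AuthUser
	AuthSyncAdmin
	AuthService
	AuthNodeUser
)

// Authentication mirrors the package interface of the same name.
type Authentication interface {
	Authenticate(request *http.Request) (int, string, string)
	KeyandSecretForURL(url string) (string, string)
	Start()
}

// CredentialInfo and CSSCredentials carry the exported fields of the package types.
type CredentialInfo struct {
	Username string `json:"username"`
	Secret   string `json:"secret"`
	OrgID    string `json:"orgID"`
	Type     string `json:"type"`
}

type CSSCredentials struct {
	AppKey    string `json:"key"`
	AppSecret string `json:"secret"`
}

// PresetLikeAuthenticate is a hypothetical implementation in the style of
// PresetAuthenticate: a fixed credentials map loaded from a JSON file.
type PresetLikeAuthenticate struct {
	Credentials    map[string]CredentialInfo `json:"credentials"`
	CSSCredentials CSSCredentials            `json:"cssCredentials"`
}

var _ Authentication = (*PresetLikeAuthenticate)(nil)

// presetJSON is a constructed preset-auth.json in the documented form.
const presetJSON = `{
  "credentials": {
    "edgeNodeKey1": {"secret": "edgeNodeSecret1", "orgID": "orgid", "username": "destType/destID", "type": "EdgeNode"},
    "appKey1":      {"secret": "appSecret1",      "orgID": "orgid", "username": "user1",           "type": "admin"}
  },
  "cssCredentials": {"key": "edgeNodeKey1", "secret": "edgeNodeSecret1"}
}`

// typeToCode maps the documented type values to auth codes (assumed mapping).
var typeToCode = map[string]int{
	"edgenode": AuthEdgeNode, "admin": AuthAdmin, "user": AuthUser,
	"syncadmin": AuthSyncAdmin, "service": AuthService,
}

func LoadPreset(data []byte) (*PresetLikeAuthenticate, error) {
	auth := &PresetLikeAuthenticate{}
	if err := json.Unmarshal(data, auth); err != nil {
		return nil, err
	}
	return auth, nil
}

func (auth *PresetLikeAuthenticate) Start() {}

// Authenticate reads appKey/appSecret from HTTP Basic auth (assumed transport),
// compares the secret in constant time and returns (authCode, orgID, identity).
func (auth *PresetLikeAuthenticate) Authenticate(request *http.Request) (int, string, string) {
	appKey, appSecret, ok := request.BasicAuth()
	if !ok {
		return AuthFailed, "", ""
	}
	info, found := auth.Credentials[appKey]
	// Run the comparison even for unknown keys so both paths do the same work;
	// an empty stored secret is never accepted.
	expected := ""
	if found {
		expected = info.Secret
	}
	match := subtle.ConstantTimeCompare([]byte(appSecret), []byte(expected)) == 1
	if !found || !match || expected == "" {
		return AuthFailed, "", ""
	}
	code, known := typeToCode[strings.ToLower(info.Type)]
	if !known {
		return AuthFailed, "", ""
	}
	return code, info.OrgID, info.Username
}

// KeyandSecretForURL hands an ESS the credentials it uses towards the CSS.
func (auth *PresetLikeAuthenticate) KeyandSecretForURL(url string) (string, string) {
	return auth.CSSCredentials.AppKey, auth.CSSCredentials.AppSecret
}

func main() {
	auth, err := LoadPreset([]byte(presetJSON))
	if err != nil {
		panic(err)
	}
	req, _ := http.NewRequest("GET", "http://css.example/api/v1/objects/orgid", nil)
	req.SetBasicAuth("appKey1", "appSecret1")
	fmt.Println(auth.Authenticate(req))
}
```

Contrast this with DummyAuthenticate above, which ignores app secrets entirely: with the preset style the secret is checked, and an unrecognised type value fails closed to AuthFailed rather than falling through to some default access level.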

func (*PresetAuthenticate) Authenticate

func (auth *PresetAuthenticate) Authenticate(request *http.Request) (int, string, string)

Authenticate authenticates a particular HTTP request and indicates whether it is an edge node, org admin, or plain user. Also returned is the user's org and identity. An edge node's identity is destType/destID. A service's identity is serviceOrg/version/serviceName.

func (*PresetAuthenticate) KeyandSecretForURL

func (auth *PresetAuthenticate) KeyandSecretForURL(url string) (string, string)

KeyandSecretForURL returns an app key and an app secret pair to be used by the ESS when communicating with the specified URL.

func (*PresetAuthenticate) Start

func (auth *PresetAuthenticate) Start()

Start initializes the PresetAuthenticate struct

type TestAuthenticate

type TestAuthenticate struct {
}

TestAuthenticate is the test implementation of the Authentication interface.

func (*TestAuthenticate) Authenticate

func (auth *TestAuthenticate) Authenticate(request *http.Request) (int, string, string)

Authenticate authenticates a particular HTTP request and indicates whether it is an edge node, org admin, or plain user. Also returned is the user's org and identity. An edge node's identity is destType/destID. A service's identity is serviceOrg/arch/version/serviceName.

Note: This Authenticate implementation is for running the tests. App secrets are ignored. App keys for APIs are of the form userID@orgID. It supports the following users:
    testerUser - A regular user
    testerObjectAdmin - An admin of objects, no access rights to manifests
    testerAdmin - An admin of the specified orgID
    testSyncAdmin - An admin of the Sync Service
    testerService1 - A service
    testerService2 - A service
Edge node app keys are of the form orgID/destType/destID.

func (*TestAuthenticate) KeyandSecretForURL

func (auth *TestAuthenticate) KeyandSecretForURL(url string) (string, string)

KeyandSecretForURL returns an app key and an app secret pair to be used by the ESS when communicating with the specified URL.

func (*TestAuthenticate) Start

func (auth *TestAuthenticate) Start()

Start initializes the Test Authentication implementation
