access

package
v0.0.0-...-a1c6c52 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 9, 2024 License: MIT Imports: 17 Imported by: 0

Documentation

Overview

Package access provides utilities for access control

Index

Constants

This section is empty.

Variables

View Source 
var OnlyAdminAccess bool

OnlyAdminAccess requires admin access for everything

Functions

func ContextWithAuthorization 

func ContextWithAuthorization(ctx context.Context, a *Authorization) context.Context

ContextWithAuthorization returns a new context with any non-nil authorization added to it

func ContextWithEmail 

func ContextWithEmail(ctx context.Context, identity string) context.Context

ContextWithEmail returns a new context with the (authenticated) email added to it

func ContextWithIdentity 

func ContextWithIdentity(ctx context.Context, identity string) context.Context

ContextWithIdentity returns a new context with the (authenticated) identity added to it

func EmailFromContext 

func EmailFromContext(ctx context.Context) string

EmailFromContext retrieves the (authenticated) email from the context

func EnsureFunctionAccounts 

func EnsureFunctionAccounts(db *csql.DB, accounts ...FunctionAccount) error

EnsureFunctionAccounts creates the specified function accounts if they do not exist yet

func HandleAuthorizationRoute 

func HandleAuthorizationRoute(router *mux.Router)

HandleAuthorizationRoute adds a route /authorization GET to the router

The route returns the current authorization for the authenticated requester.

func IdentityFromContext 

func IdentityFromContext(ctx context.Context) string

IdentityFromContext retrieves the (authenticated) identity from the context

func NewBackdoorMiddelware 

func NewBackdoorMiddelware(bmb *BackdoorMiddlewareBuilder) mux.MiddlewareFunc

NewBackdoorMiddelware returns a middleware handler for a backdoor

The key for the backdoors map is the bearer token passed with the request.

Example: if you specify the backdoor 

"please": Authorization{Roles:[]string{"admin"}}

then any request with an authorization bearer token consisting of the single magic word "please" will be authorized with the admin role.

With curl, use -H 'Authorization: Bearer please' or pass a cookie with -b 'Kurbisio-JWT=please'

The backdoor also accepts special tickets for VIPs. It then looks up the final authorization from the account collection in the backend.

func NewJwtMiddelware 

func NewJwtMiddelware(jmb *JwtMiddlewareBuilder) mux.MiddlewareFunc

NewJwtMiddelware returns a middleware handler to validate JWT bearer token.

Java-Web-Token (JWT) are accepted as "Authorization: Bearer" header or as "Kurbisio-JWT"-cookie.

This middleware requires that there is a resource "account" in the database, with an external index "identity", which stores the authorization for each identity as properties. An account identity is a combination of the token issuer with the user's email, separated by the pipe symbol '|'. Example:

"https://securetoken.google.com/loyalty2u-ea4fd|test@example.com"

This is a final handler with regards to the bearer token. It will return http.StatusUnauthorized when a token is available but insufficent to authorize the request.

func NewJwtMiddelware2 

func NewJwtMiddelware2(jmb *JwtMiddlewareBuilder) mux.MiddlewareFunc

NewJwtMiddelware2 returns a middleware handler to validate JWT bearer token.

Java-Web-Token (JWT) are accepted as "Authorization: Bearer" header or as "Kurbisio-JWT"-cookie.

This middleware requires that there is a resource "account" in the database, with an external indexes "identity" and a searchable field "email". An account stores the authorization for each identity as properties. An account identity is a combination of the token issuer with the user's subject string, separated by the pipe symbol '|'. Example:

"https://securetoken.google.com/loyalty2u-ea4fd|abcdefgh"

Email is similar, but with the user's email. Example:

"https://securetoken.google.com/loyalty2u-ea4fd|testuser@test.com"

This is a final handler with regards to the bearer token. It will return http.StatusUnauthorized when a token is available but insufficent to authorize the request.

Types

type Authorization 

type Authorization struct {
	Roles     []string          `json:"roles"`
	Selectors map[string]string `json:"selectors,omitempty"`
}

Authorization is a context object which stores authorization information for user, things, or machines.

An authorization carries a list or roles and identifiers of resources from the backend configuration. It can also carry additional properties.

Authorizations are added to a request context with 

ctx = auth.ContextWithAuthorization(ctx)

and retrieved with 

auth := AuthorizationFromContext(ctx)

Authorization objects are added to the context by by different middleware implementations, depending on authorization tokens in the HTTP request. Kurbisio supports JWT bearer token, Kurbisio-Device-Token, Kurbisio-Machine-Token and a pair of Kurbisio-Thing-Key/Kurbisio-Thing-Identifier.

For the benefit of simple frontend development, it also supports a Kurbisio-JWT cookie.

func AuthorizationFromContext 

func AuthorizationFromContext(ctx context.Context) *Authorization

AuthorizationFromContext retrieves an authorization from the context

func (*Authorization) HasRole 

func (a *Authorization) HasRole(role string) bool

HasRole returns true if the authorization contains the requested role; otherwise it returns false.

func (*Authorization) HasRoles 

func (a *Authorization) HasRoles() bool

HasRoles returns true if the authorization contains any roles; otherwise it returns false

func (*Authorization) IsAuthorized 

func (a *Authorization) IsAuthorized(resources []string, operation core.Operation, params map[string]string, permits []Permit) bool

IsAuthorized returns true if the authorization is authorized for the requested resource and operation according to the passed permits.

The permits are a list of Permit objects, each containing a role, a list of operations and a list of required selectors.

The "admin" role has a universal permit for all operations. If a permit if given to "everybody", then this permit applies to all roles but "public"

The "admin viewer" role has a universal permit for read and list opersations

func (*Authorization) Selector 

func (a *Authorization) Selector(key string) (string, bool)

Selector returns the value for the requested key; if the selector does not exist, it returns an empty string and false.

type AuthorizationCache 

type AuthorizationCache struct {
	// contains filtered or unexported fields
}

AuthorizationCache is an in-memory cache for authorizations. It is used by jwt middleware to cache authorization objects for bearer tokens. The purpose of the cache is to reduce the number of database queries, without the cache the middleware would have to lookup the authorization for every single request.

func NewAuthorizationCache 

func NewAuthorizationCache() *AuthorizationCache

NewAuthorizationCache creates a new authorization cache

func (*AuthorizationCache) Read 

func (a *AuthorizationCache) Read(token string) *Authorization

Read returns an authorization from in-process cache. Token should be the temporary token the authorization was derived from, not any of the ids. This function is go-routine safe

func (*AuthorizationCache) Write 

func (a *AuthorizationCache) Write(token string, auth *Authorization)

Write stores an authorization in the in-memory cache. Token should be the temporary token it was derived from, not any of the ids. This function is go-routine safe

type BackdoorMiddlewareBuilder 

type BackdoorMiddlewareBuilder struct {
	// Backdoors is a mapping from a bearer token to an actual authorization
	Backdoors map[string]Authorization
	// VIPs is a mapping from a bearer token to an identity
	VIPs map[string]string
	// DB is the postgres database. Must have a collection resource "account" with an external index
	// "identity". The database is only used for VIP tickets.
	DB *csql.DB
}

BackdoorMiddlewareBuilder is a helper builder for JwtMiddelware

type FunctionAccount 

type FunctionAccount struct {
	Identity string
	Roles    []string
}

FunctionAccount is a function accoutn

type IdentityIssuer 

type IdentityIssuer struct {
	// PublicKeyDownloadURL is the download url for public keys. In case of google, this would be
	//  "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
	PublicKeyDownloadURL string
	// Issuer is the accepted issuer for the token
	Name string
}

IdentityIssuer is an entity that provides identity

type JwtMiddlewareBuilder 

type JwtMiddlewareBuilder struct {
	// The list of providers of identities
	Issuers []IdentityIssuer
	// DB is the postgres database. Must have a collection resource "account" with an external index
	// "identity".
	DB *csql.DB
}

JwtMiddlewareBuilder is a helper builder for JwtMiddelware

type Permit 

type Permit struct {
	Role       string           `json:"role"`
	Operations []core.Operation `json:"operations"`
	Selectors  []string         `json:"selectors"`
}

Permit models an authorization permit for a resource. It gives the role permission to execute any of the listed operations, provided that it can satisfy the requested selectors.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.