auth

package
v0.51.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 10, 2024 License: Apache-2.0 Imports: 36 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Authenticator

type Authenticator struct {
	// contains filtered or unexported fields
}

Authenticator wraps functionality for admin server auth. It provides endpoints for login/logout, creates users, issues cookie-based auth tokens, and provides middleware for authenticating requests. The implementation was derived from: https://auth0.com/docs/quickstart/webapp/golang/01-login.

func NewAuthenticator

func NewAuthenticator(logger *zap.Logger, adm *admin.Service, cookieStore *cookies.Store, opts *AuthenticatorOptions) (*Authenticator, error)

NewAuthenticator creates an Authenticator.

func (*Authenticator) Annotator

func (a *Authenticator) Annotator(ctx context.Context, r *http.Request) metadata.MD

Annotator is a gRPC-gateway annotator that moves access tokens in HTTP cookies to the "authorization" gRPC metadata.

func (*Authenticator) HTTPMiddleware

func (a *Authenticator) HTTPMiddleware(next http.Handler) http.Handler

HTTPMiddleware is a HTTP middleware variant of UnaryServerInterceptor. It additionally supports reading access tokens from cookies. It should be used for non-gRPC HTTP endpoints (CookieAuthAnnotator takes care of handling cookies in gRPC-gateway requests).

func (*Authenticator) HTTPMiddlewareLenient added in v0.42.0

func (a *Authenticator) HTTPMiddlewareLenient(next http.Handler) http.Handler

HTTPMiddlewareLenient is a lenient variant of HTTPMiddleware. If the authoriztion header is malformed or invalid, it will still succeed, setting anonClaims on the request.

func (*Authenticator) RegisterEndpoints

func (a *Authenticator) RegisterEndpoints(mux *http.ServeMux, limiter ratelimit.Limiter)

Login flow:

  1. Frontend calls <canonical domain>/auth/login?redirect=<frontend return URL>
  2. It redirects to <auth provider> for login
  3. The auth provider redirects to <canonical domain>/auth/callback
  4. It redirects to <custom domain>/auth/with-token
  5. It redirects to <frontend return URL>

Logout flow:

  1. Frontend calls <custom domain>/auth/logout?redirect=<frontend return URL>
  2. It redirects to <canonical domain>/auth/logout/provider?redirect=<frontend return URL>
  3. It redirects to <auth provider> for logout
  4. The auth provider redirects to <canonical domain>/auth/logout/callback
  5. It redirects to <frontend return URL>

The "canonical domain" is the Rill-managed external URL of the current service (e.g. "admin.rilldata.com"). The "custom domain" is the custom domain of the current org with path suffix for the admin service (e.g. "myorg.com/api"). If the current org doesn't have a custom domain, the custom domain can be substituted for the canonical domain (without path suffix).

There are more details in the type doc for `admin.URLs` and in the individual handler docstrings below.

func (*Authenticator) StreamServerInterceptor

func (a *Authenticator) StreamServerInterceptor() grpc.StreamServerInterceptor

StreamServerInterceptor is the streaming variant of UnaryServerInterceptor.

func (*Authenticator) UnaryServerInterceptor

func (a *Authenticator) UnaryServerInterceptor() grpc.UnaryServerInterceptor

UnaryServerInterceptor is a middleware for setting claims on runtime server requests. It authenticates the user and acquires the claims using the bearer token in the "authorization" request metadata field. If no bearer token is found, it will still succeed, setting anonClaims on the request. The assigned claims can be retrieved using GetClaims. If the interceptor succeeds, a Claims value is guaranteed to be set on the ctx.

type AuthenticatorOptions

type AuthenticatorOptions struct {
	AuthDomain       string
	AuthClientID     string
	AuthClientSecret string
}

AuthenticatorOptions provides options for Authenticator

type Claims

type Claims interface {
	OwnerType() OwnerType
	OwnerID() string
	AuthTokenID() string
	AuthTokenModel() any
	Superuser(ctx context.Context) bool
	OrganizationPermissions(ctx context.Context, orgID string) *adminv1.OrganizationPermissions
	ProjectPermissions(ctx context.Context, orgID, projectID string) *adminv1.ProjectPermissions
}

Claims resolves permissions for a requester.

func GetClaims

func GetClaims(ctx context.Context) Claims

GetClaims retrieves Claims from a request context. It should only be used in handlers intercepted by UnaryServerInterceptor or StreamServerInterceptor.

type DeviceCodeResponse

type DeviceCodeResponse struct {
	DeviceCode              string `json:"device_code"`
	UserCode                string `json:"user_code"`
	VerificationURI         string `json:"verification_uri"`
	VerificationCompleteURI string `json:"verification_uri_complete"`
	ExpiresIn               int    `json:"expires_in"`
	PollingInterval         int    `json:"interval"`
}

DeviceCodeResponse encapsulates the response for obtaining a device code.

type OwnerType

type OwnerType string

OwnerType is an enum of types of claim owners

const (
	OwnerTypeAnon           OwnerType = "anon"
	OwnerTypeUser           OwnerType = "user"
	OwnerTypeService        OwnerType = "service"
	OwnerTypeDeployment     OwnerType = "deployment"
	OwnerTypeMagicAuthToken OwnerType = "magic_auth_token" // nolint:gosec // It's not a credential
)

type TokenRequest

type TokenRequest struct {
	GrantType  string `json:"grant_type"`
	DeviceCode string `json:"device_code"`
	ClientID   string `json:"client_id"`
}

TokenRequest encapsulates the request for obtaining an access token.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL