basculechecks

package
v0.11.6 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 20, 2023 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	OutcomeLabel   = "outcome"
	ReasonLabel    = "reason"
	ClientIDLabel  = "clientid"
	EndpointLabel  = "endpoint"
	MethodLabel    = "method"
	PartnerIDLabel = "partnerid"
	ServerLabel    = "server"
)

labels

View Source 
const (
	// outcomes
	RejectedOutcome = "rejected"
	AcceptedOutcome = "accepted"
	// reasons
	UnknownReason            = "unknown"
	TokenMissing             = "auth_missing"
	UndeterminedPartnerID    = "undetermined_partner_ID"
	UndeterminedCapabilities = "undetermined_capabilities"
	EmptyCapabilitiesList    = "empty_capabilities_list"
	MissingValues            = "auth_is_missing_values"
	NoEndpointChecker        = "no_capability_checker"
	NoCapabilitiesMatch      = "no_capabilities_match"
	EmptyParsedURL           = "empty_parsed_URL"
	// partners
	NonePartner     = "none"
	WildcardPartner = "wildcard"
	ManyPartner     = "many"
	// endpoints
	NoneEndpoint          = "no_endpoints"
	NotRecognizedEndpoint = "not_recognized"
)

label values

View Source 
const (
	AuthCapabilityCheckOutcome = "auth_capability_check"
)

Names for our metrics

View Source 
const Wildcard = "*"

Variables

View Source 
var (
	ErrNilDefaultChecker = errors.New("default checker cannot be nil")
	ErrEmptyEndpoint     = errWithReason{
							// contains filtered or unexported fields
	}
)
View Source 
var (
	ErrNoAuth = errors.New("couldn't get request info: authorization not found")
	ErrNoVals = errWithReason{
				// contains filtered or unexported fields
	}
	ErrNoToken = errWithReason{
				// contains filtered or unexported fields
	}
	ErrNoValidCapabilityFound = errWithReason{
								// contains filtered or unexported fields
	}
	ErrNilAttributes = errWithReason{
						// contains filtered or unexported fields
	}
	ErrNoMethod = errWithReason{
				// contains filtered or unexported fields
	}
	ErrNoURL = errWithReason{
				// contains filtered or unexported fields
	}
	ErrGettingCapabilities = errWithReason{
							// contains filtered or unexported fields
	}
	ErrCapabilityNotStringSlice = errWithReason{
								// contains filtered or unexported fields
	}
)
View Source 
var (
	ErrNilChecker        = errors.New("capabilities checker cannot be nil")
	ErrNilMeasures       = errors.New("measures cannot be nil")
	ErrGettingPartnerIDs = errWithReason{
							// contains filtered or unexported fields
	}
	ErrPartnerIDsNotStringSlice = errWithReason{
								// contains filtered or unexported fields
	}
)

Functions

func AllowAll 

func AllowAll() bascule.ValidatorFunc

AllowAll returns a Validator that never returns an error.

func AttributeList 

func AttributeList(keys []string, checks ...func(context.Context, []interface{}) error) bascule.ValidatorFunc

AttributeList returns a Validator that runs checks against the content found in the key given. It runs every check and returns all errors it finds.

func CapabilityKeys 

func CapabilityKeys() []string

CapabilityKeys is the default location of capabilities in a bascule Token's Attributes.

func DeterminePartnerMetric 

func DeterminePartnerMetric(partners []string) string

DeterminePartnerMetric takes a list of partners and decides what the partner metric label should be.

func NonEmptyPrincipal 

func NonEmptyPrincipal() bascule.ValidatorFunc

NonEmptyPrincipal returns a Validator that checks that the token's Principal isn't an empty string.

func NonEmptyType 

func NonEmptyType() bascule.ValidatorFunc

NonEmptyType returns a Validator that checks that the token's type isn't an empty string.

func PartnerKeys 

func PartnerKeys() []string

PartnerKeys is the location of the list of allowed partners in a bascule Token's Attributes.

func ProvideCapabilitiesMapValidator 

func ProvideCapabilitiesMapValidator(key string) fx.Option

ProvideCapabilitiesMapValidator is an uber fx Provide() function that builds a MetricValidator that uses a CapabilitiesMap and ConstChecks, using the configuration found at the key provided.

func ProvideMetricValidator 

func ProvideMetricValidator(optional bool) fx.Option

ProvideMetricValidator is an uber fx Provide() function that builds a MetricValidator given the dependencies needed.

func ProvideMetrics 

func ProvideMetrics() fx.Option

ProvideMetrics provides the metrics relevant to this package as uber/fx options.

func ProvideRegexCapabilitiesValidator 

func ProvideRegexCapabilitiesValidator(key string) fx.Option

ProvideRegexCapabilitiesValidator is an uber fx Provide() function that builds a MetricValidator that uses a CapabilitiesValidator and RegexEndpointCheck, using the configuration found at the key provided.

func ValidType 

func ValidType(validTypes []string) bascule.ValidatorFunc

ValidType returns a Validator that checks that the token's type is one of the given valid types.

Types

type AlwaysEndpointCheck 

type AlwaysEndpointCheck bool

AlwaysEndpointCheck is a EndpointChecker that always returns either true or false.

func (AlwaysEndpointCheck) Authorized 

func (a AlwaysEndpointCheck) Authorized(_, _, _ string) bool

Authorized returns the saved boolean value, rather than checking the parameters given.

func (AlwaysEndpointCheck) Name 

func (a AlwaysEndpointCheck) Name() string

Name returns the endpoint check's name.

type AuthCapabilityCheckMeasures 

type AuthCapabilityCheckMeasures struct {
	fx.In

	CapabilityCheckOutcome *prometheus.CounterVec `name:"auth_capability_check"`
}

AuthCapabilityCheckMeasures describes the defined metrics that will be used by clients.

type CapabilitiesChecker 

type CapabilitiesChecker interface {
	CheckAuthentication(auth bascule.Authentication, vals ParsedValues) error
}

CapabilitiesChecker is an object that can determine if a request is authorized given a bascule.Authentication object. If it's not authorized, an 

error is given for logging and metrics.

type CapabilitiesCheckerOut 

type CapabilitiesCheckerOut struct {
	fx.Out
	Checker CapabilitiesChecker
	Options []MetricOption `group:"bascule_capability_options,flatten"`
}

CapabilitiesCheckerOut is a struct returned by New() functions that help to create a CapabilitiesChecker and as a byproduct also create some MetricOptions.

func NewCapabilitiesMap 

func NewCapabilitiesMap(config CapabilitiesMapConfig) (CapabilitiesCheckerOut, error)

NewCapabilitiesMap parses the CapabilitiesMapConfig provided into a CapabilitiesMap. The same regular expression provided for the map are also needed for labels for a MetricValidator, so an option to be used for that is also created.

func NewCapabilitiesValidator 

func NewCapabilitiesValidator(config CapabilitiesValidatorConfig) (CapabilitiesCheckerOut, error)

NewCapabilitiesValidator uses the provided config to create an RegexEndpointCheck and wrap it in a CapabilitiesValidator. Metric Options are also created for a Metric Validator by parsing the type to determine if the metric validator should only monitor and compiling endpoints into Regexps.

type CapabilitiesMap 

type CapabilitiesMap struct {
	Checkers       map[string]EndpointChecker
	DefaultChecker EndpointChecker
	KeyPath        []string
}

CapabilitiesMap runs a capability check based on the value of the parsedURL, which is the key to the CapabilitiesMap's map. The parsedURL is expected to be some regex values, allowing for bucketing of urls that contain some kind of ID or otherwise variable portion of a URL.

func (CapabilitiesMap) CheckAuthentication 

func (c CapabilitiesMap) CheckAuthentication(auth bascule.Authentication, vs ParsedValues) error

CheckAuthentication uses the parsed endpoint value to determine which EndpointChecker to run against the capabilities in the auth provided. If there is no EndpointChecker for the endpoint, the default is used. As long as one capability is found to be authorized by the EndpointChecker, no error is returned.

type CapabilitiesMapConfig 

type CapabilitiesMapConfig struct {
	Endpoints map[string]string
	Default   string
}

CapabilitiesMapConfig includes the values needed to set up a map capability checker. The checker will verify that one of the capabilities in a provided JWT match the string meant for that endpoint exactly. A CapabilitiesMap set up with this will use the default KeyPath.

type CapabilitiesValidator 

type CapabilitiesValidator struct {
	Checker  EndpointChecker
	KeyPath  []string
	ErrorOut bool
}

CapabilitiesValidator checks the capabilities provided in a bascule.Authentication object to determine if a request is authorized. It can also provide a function to be used in authorization middleware that pulls the Authentication object from a context before checking it.

func (CapabilitiesValidator) Check 

func (c CapabilitiesValidator) Check(ctx context.Context, _ bascule.Token) error

Check determines whether or not a client is authorized to make a request to an endpoint. It uses the bascule.Authentication from the context to get the information needed by the EndpointChecker to determine authorization.

func (CapabilitiesValidator) CheckAuthentication 

func (c CapabilitiesValidator) CheckAuthentication(auth bascule.Authentication, _ ParsedValues) error

CheckAuthentication takes the needed values out of the given Authentication object in order to determine if a request is authorized. It determines this through iterating through each capability and calling the EndpointChecker. If no capability authorizes the client for the given endpoint and method, it is unauthorized.

type CapabilitiesValidatorConfig 

type CapabilitiesValidatorConfig struct {
	Type            string
	Prefix          string
	AcceptAllMethod string
	EndpointBuckets []string
}

CapabilitiesValidatorConfig is input that can be used to build a CapabilitiesValidator and some metric options for a MetricValidator. A CapabilitiesValidator set up with this will use the default KeyPath and an EndpointRegexCheck.

type ConstEndpointCheck 

type ConstEndpointCheck string

ConstEndpointCheck is a basic EndpointChecker that determines a capability is authorized if it matches the ConstCheck's string.

func (ConstEndpointCheck) Authorized 

func (c ConstEndpointCheck) Authorized(capability, _, _ string) bool

Authorized validates the capability provided against the stored string.

func (ConstEndpointCheck) Name 

func (c ConstEndpointCheck) Name() string

Name returns the endpoint check's name.

type EndpointChecker 

type EndpointChecker interface {
	Authorized(value string, reqURL string, method string) bool
	Name() string
}

EndpointChecker is an object that can determine if a value provides authorization to the endpoint.

type MetricOption 

type MetricOption func(*MetricValidator)

MetricOption provides a way to configure a MetricValidator.

func MonitorOnly 

func MonitorOnly() MetricOption

MonitorOnly modifies the MetricValidator to never return an error when the Check() function is called.

func WithEndpoints 

func WithEndpoints(e []*regexp.Regexp) MetricOption

WithEndpoints provides the endpoint buckets to use in the endpoint metric label. The endpoint bucket found for a request is also passed to the CapabilitiesChecker.

func WithServer 

func WithServer(s string) MetricOption

WithServer provides the server name to be used in the metric label.

type MetricValidator 

type MetricValidator struct {
	// contains filtered or unexported fields
}

MetricValidator determines if a request is authorized and then updates a metric to show those results.

func NewMetricValidator 

func NewMetricValidator(checker CapabilitiesChecker, measures *AuthCapabilityCheckMeasures, options ...MetricOption) (*MetricValidator, error)

NewMetricValidator creates a MetricValidator given a CapabilitiesChecker, measures, and options to configure it. The checker and measures cannot be nil.

func (MetricValidator) Check 

func (m MetricValidator) Check(ctx context.Context, _ bascule.Token) error

Check is a function for authorization middleware. The function parses the information needed for the CapabilitiesChecker, calls it to determine if the request is authorized, and maintains the results in a metric. The function can mark the request as unauthorized or only update the metric and allow the request, depending on configuration. This allows for monitoring before being more strict with authorization.

type MetricValidatorIn 

type MetricValidatorIn struct {
	fx.In
	Checker  CapabilitiesChecker
	Measures AuthCapabilityCheckMeasures
	Options  []MetricOption `group:"bascule_capability_options"`
}

MetricValidatorIn contains the objects needed to create a MetricValidator, wired with uber fx.

type ParsedValues 

type ParsedValues struct {
	// Endpoint is the string representation of a regular expression that
	// matches the URL for the request.  The main benefit of this string is it
	// most likely won't include values that change from one request to the next
	// (ie, device ID).
	Endpoint string
}

ParsedValues are values determined from the bascule Authentication.

type Reasoner 

type Reasoner interface {
	Reason() string
}

Reasoner is an error that provides a failure reason to use as a value for a metric label.

type RegexEndpointCheck 

type RegexEndpointCheck struct {
	// contains filtered or unexported fields
}

RegexEndpointCheck uses a regular expression to validate an endpoint and method provided in a capability against the endpoint hit and method used for the request.

func NewRegexEndpointCheck 

func NewRegexEndpointCheck(prefix string, acceptAllMethod string) (RegexEndpointCheck, error)

NewRegexEndpointCheck creates an object that implements the EndpointChecker interface. It takes a prefix that is expected at the beginning of a capability and a string that, if provided in the capability, authorizes all methods for that endpoint. After the prefix, the RegexEndpointCheck expects there to be an endpoint regular expression and an http method - separated by a colon. The expected format of a capability is: <prefix><endpoint regex>:<method> Note, the endpoint url path and the capabilities substring (used for authorization) will be normalized to have a leading `/` if missing.

func (RegexEndpointCheck) Authorized 

func (r RegexEndpointCheck) Authorized(capability string, urlToMatch string, methodToMatch string) bool

Authorized checks the capability against the endpoint hit and method used. If the capability has the correct prefix and is meant to be used with the method provided to access the endpoint provided, it is authorized.

func (RegexEndpointCheck) Name 

func (e RegexEndpointCheck) Name() string

Name returns the endpoint check's name.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.