Documentation
Overview
Package gopherpolicy provides integration between goslo.policy and Gophercloud for services that need to validate OpenStack tokens and check permissions.
Index
- type Cacher
- type Enforcer
- type Token
- func (t *Token) ApplicationCredentialID() string
- func (t *Token) Check(rule string) bool
- func (t *Token) DomainScopeName() string
- func (t *Token) DomainScopeUUID() string
- func (t *Token) ProjectScopeDomainName() string
- func (t *Token) ProjectScopeDomainUUID() string
- func (t *Token) ProjectScopeName() string
- func (t *Token) ProjectScopeUUID() string
- func (t *Token) Require(w http.ResponseWriter, rule string) bool
- func (t *Token) UserDomainName() string
- func (t *Token) UserDomainUUID() string
- func (t *Token) UserName() string
- func (t *Token) UserUUID() string
- type TokenResult
- type TokenValidator
- type Validator
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Cacher
```go
type Cacher interface {
	// StoreTokenPayload attempts to store the token payload corresponding to the
	// given credentials in the cache. Implementations shall treat `credentials`
	// as an opaque string and only use it as a cache key.
	StoreTokenPayload(credentials string, payload []byte)
	// LoadTokenPayload attempts to retrieve the payload for the given credentials
	// from the cache. If there is nothing cached for these credentials, or if the
	// retrieval fails, nil shall be returned.
	LoadTokenPayload(credentials string) []byte
}
```
Cacher is the generic interface for a token cache.
func InMemoryCacher
func InMemoryCacher() Cacher
InMemoryCacher builds a Cacher that stores token payloads in memory. At most 256 token payloads will be cached, so this will never use more than 4-8 MiB of memory.
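The Cacher contract above has two properties worth showing in code: the credentials string is only ever a cache key, and a miss is reported as nil. The following is an added example, not the package's InMemoryCacher: a bounded LRU implementation that hashes the credentials before using them as a map key (so raw token text is not kept in the key set) and evicts the least recently used payload once the bound is exceeded. The Cacher interface is restated locally so the example compiles without importing gopherpolicy; the hashing, the bound, and the sample payloads are assumptions of this example.

```go
package main

import (
	"container/list"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sync"
)

// Cacher restates the documented gopherpolicy.Cacher method set so this file
// compiles stand-alone (assumption of this example, not the package's code).
type Cacher interface {
	StoreTokenPayload(credentials string, payload []byte)
	LoadTokenPayload(credentials string) []byte
}

// BoundedCacher is an LRU cache holding at most maxEntries payloads. The
// credentials string is hashed before use as a key, so the cache never retains
// the raw token text; callers still treat credentials as opaque.
type BoundedCacher struct {
	mu         sync.Mutex
	maxEntries int
	order      *list.List               // front = most recently used
	entries    map[string]*list.Element // hashed credentials -> element
}

type cacheEntry struct {
	key     string
	payload []byte
}

// Compile-time check that BoundedCacher satisfies the interface.
var _ Cacher = (*BoundedCacher)(nil)

// NewBoundedCacher returns an empty cache that holds at most maxEntries payloads.
func NewBoundedCacher(maxEntries int) *BoundedCacher {
	return &BoundedCacher{
		maxEntries: maxEntries,
		order:      list.New(),
		entries:    make(map[string]*list.Element),
	}
}

func hashKey(credentials string) string {
	sum := sha256.Sum256([]byte(credentials))
	return hex.EncodeToString(sum[:])
}

// StoreTokenPayload inserts or refreshes the payload and evicts the least
// recently used entry while the cache is over its bound.
func (c *BoundedCacher) StoreTokenPayload(credentials string, payload []byte) {
	c.mu.Lock()
	defer c.mu.Unlock()
	k := hashKey(credentials)
	copied := append([]byte(nil), payload...) // defensive copy; caller may reuse its slice
	if el, ok := c.entries[k]; ok {
		el.Value.(*cacheEntry).payload = copied
		c.order.MoveToFront(el)
		return
	}
	c.entries[k] = c.order.PushFront(&cacheEntry{key: k, payload: copied})
	for c.order.Len() > c.maxEntries {
		oldest := c.order.Back()
		c.order.Remove(oldest)
		delete(c.entries, oldest.Value.(*cacheEntry).key)
	}
}

// LoadTokenPayload returns a copy of the cached payload, or nil on a miss, as
// the Cacher contract requires.
func (c *BoundedCacher) LoadTokenPayload(credentials string) []byte {
	c.mu.Lock()
	defer c.mu.Unlock()
	el, ok := c.entries[hashKey(credentials)]
	if !ok {
		return nil
	}
	c.order.MoveToFront(el)
	return append([]byte(nil), el.Value.(*cacheEntry).payload...)
}

// Len reports how many payloads are currently cached.
func (c *BoundedCacher) Len() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.order.Len()
}

func main() {
	c := NewBoundedCacher(2)
	// Constructed sample payloads; a real payload is the serialized token.
	c.StoreTokenPayload("token-a", []byte(`{"user":"alice"}`))
	c.StoreTokenPayload("token-b", []byte(`{"user":"bob"}`))
	c.StoreTokenPayload("token-c", []byte(`{"user":"carol"}`)) // evicts token-a
	fmt.Printf("token-a hit: %v\n", c.LoadTokenPayload("token-a") != nil)
	fmt.Printf("token-c hit: %v, cached: %d\n", c.LoadTokenPayload("token-c") != nil, c.Len())
}
```

A TokenValidator whose Cacher field is set to such a cache will consult it from CheckToken and CheckCredentials using the request's X-Auth-Token or the supplied cacheKey as the credentials string; the bound is what keeps memory use predictable under a flood of distinct tokens.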
type Enforcer
Enforcer contains the Enforce method that struct Token requires to check access permissions. This interface is satisfied by struct Enforcer from goslo.policy.
type Token
```go
type Token struct {
	// The enforcer that checks access permissions for this client token. Usually
	// an instance of struct Enforcer from goslo.policy. Usually inherited from
	// struct TokenValidator.
	Enforcer Enforcer
	// When AuthN succeeds, contains information about the client token which can
	// be used to check access permissions.
	Context policy.Context
	// When AuthN succeeds, contains a fully-initialized ProviderClient with which
	// this process can use the OpenStack API on behalf of the authenticated user.
	ProviderClient *gophercloud.ProviderClient
	// When AuthN fails, contains the deferred AuthN error.
	Err error
	// contains filtered or unexported fields
}
```
Token represents a validated Keystone v3 token. It is returned from Validator.CheckToken().
func (*Token) ApplicationCredentialID
func (t *Token) ApplicationCredentialID() string
ApplicationCredentialID returns the ID of the application credential that was used to create this token, or "" if the token was created through a different authentication method.
func (*Token) DomainScopeName
func (t *Token) DomainScopeName() string
DomainScopeName returns the name of this token's domain scope, or "" if the token is invalid or not scoped to a domain.
func (*Token) DomainScopeUUID
func (t *Token) DomainScopeUUID() string
DomainScopeUUID returns the UUID of this token's domain scope, or "" if the token is invalid or not scoped to a domain.
func (*Token) ProjectScopeDomainName
func (t *Token) ProjectScopeDomainName() string
ProjectScopeDomainName returns the name of this token's project scope domain, or "" if the token is invalid or not scoped to a project.
func (*Token) ProjectScopeDomainUUID
func (t *Token) ProjectScopeDomainUUID() string
ProjectScopeDomainUUID returns the UUID of this token's project scope domain, or "" if the token is invalid or not scoped to a project.
func (*Token) ProjectScopeName
func (t *Token) ProjectScopeName() string
ProjectScopeName returns the name of this token's project scope, or "" if the token is invalid or not scoped to a project.
func (*Token) ProjectScopeUUID
func (t *Token) ProjectScopeUUID() string
ProjectScopeUUID returns the UUID of this token's project scope, or "" if the token is invalid or not scoped to a project.
func (*Token) Require
func (t *Token) Require(w http.ResponseWriter, rule string) bool
Require checks if the given token has the given permission according to the policy.json that is in effect. If not, an error response is written and false is returned.
func (*Token) UserDomainName
func (t *Token) UserDomainName() string
UserDomainName returns the name of the domain containing the user for whom this token was issued, or "" if the token was invalid.
func (*Token) UserDomainUUID
func (t *Token) UserDomainUUID() string
UserDomainUUID returns the UUID of the domain containing the user for whom this token was issued, or "" if the token was invalid.
type TokenResult
```go
type TokenResult interface {
	ExtractInto(value any) error
	Extract() (*tokens.Token, error)
	ExtractServiceCatalog() (*tokens.ServiceCatalog, error)
}
```
TokenResult is the interface type for the argument of TokenValidator.TokenFromGophercloudResult().
Notable implementors are tokens.CreateResult or tokens.GetResult from package github.com/gophercloud/gophercloud/openstack/identity/v3/tokens.
type TokenValidator
```go
type TokenValidator struct {
	IdentityV3 *gophercloud.ServiceClient
	// Enforcer can also be initialized with the LoadPolicyFile method.
	Enforcer Enforcer
	// Cacher can be used to cache validated tokens.
	Cacher Cacher
}
```
TokenValidator combines an Identity v3 client to validate tokens (AuthN), and a policy.Enforcer to check access permissions (AuthZ).
func (*TokenValidator) CheckCredentials
func (v *TokenValidator) CheckCredentials(cacheKey string, check func() TokenResult) *Token
CheckCredentials is a more generic version of CheckToken that can also be used when the user supplies credentials instead of a Keystone token.
The `check` argument contains the logic for actually checking the user's credentials, usually by calling tokens.Create() or tokens.Get() from package github.com/gophercloud/gophercloud/openstack/identity/v3/tokens.
The `cacheKey` argument shall be a string that identifies the given credentials. This key is used for caching the TokenResult in `v.Cacher` if that is non-nil.
func (*TokenValidator) CheckToken
func (v *TokenValidator) CheckToken(r *http.Request) *Token
CheckToken checks the validity of the request's X-Auth-Token in Keystone, and returns a Token instance for checking authorization. Any errors that occur during this function are deferred until Require() is called.
func (*TokenValidator) LoadPolicyFile
func (v *TokenValidator) LoadPolicyFile(path string) error
LoadPolicyFile creates v.Enforcer from the given policy file.
func (*TokenValidator) TokenFromGophercloudResult
func (v *TokenValidator) TokenFromGophercloudResult(result TokenResult) *Token
TokenFromGophercloudResult creates a Token instance from a gophercloud Result from the tokens.Create() or tokens.Get() requests from package github.com/gophercloud/gophercloud/openstack/identity/v3/tokens.
type Validator
```go
type Validator interface {
	// CheckToken checks the validity of the request's X-Auth-Token in Keystone, and
	// returns a Token instance for checking authorization. Any errors that occur
	// during this function are deferred until Token.Require() is called.
	CheckToken(r *http.Request) *Token
}
```
Validator is the interface provided by TokenValidator. Application code should prefer to reference this interface to allow for substitution by a test double (such as type mock.Validator).
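The pattern the Validator and Token docs describe, CheckToken followed by Require with authentication errors deferred to the Require call, is easiest to see in a handler exercised against a test double. The following is an added example, not code from gopherpolicy or its mock package: Validator, Token and Enforcer are restated locally with the documented shape so the file compiles stand-alone, a role list stands in for policy.Context, a StubValidator plays the role of mock.Validator, and the rule names, token values and roles are constructed test data. The status codes Require writes (401 for failed AuthN, 403 for failed AuthZ) and the fail-closed handling of unknown rules are design choices of this example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// Validator, Enforcer and Token restate the documented gopherpolicy shape so this
// file compiles without the package (assumptions of this example). Roles stand
// in for policy.Context.
type Validator interface {
	CheckToken(r *http.Request) *Token
}

type Enforcer interface {
	Enforce(rule string, roles []string) bool
}

type Token struct {
	Enforcer Enforcer
	Roles    []string
	Err      error // deferred AuthN error, surfaced by Require
}

// Check reports whether the token satisfies rule; a deferred error always denies.
func (t *Token) Check(rule string) bool {
	return t.Err == nil && t.Enforcer != nil && t.Enforcer.Enforce(rule, t.Roles)
}

// Require writes 401 when AuthN failed and 403 when the rule is not granted.
// The client gets a generic message; the underlying error goes to the server log.
func (t *Token) Require(w http.ResponseWriter, rule string) bool {
	if t.Err != nil {
		log.Printf("authentication failed: %v", t.Err)
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return false
	}
	if !t.Check(rule) {
		http.Error(w, "Forbidden", http.StatusForbidden)
		return false
	}
	return true
}

// RoleEnforcer maps a rule to the roles that grant it. A rule missing from the
// map is denied, which is the safe default for an incomplete policy.
type RoleEnforcer map[string][]string

func (e RoleEnforcer) Enforce(rule string, roles []string) bool {
	for _, have := range roles {
		for _, want := range e[rule] {
			if have == want {
				return true
			}
		}
	}
	return false
}

// StubValidator is a test double in the spirit of mock.Validator: it maps a
// constructed X-Auth-Token value to roles and never contacts Keystone.
type StubValidator struct {
	Enforcer Enforcer
	Tokens   map[string][]string // token value -> roles (constructed test data)
}

func (v StubValidator) CheckToken(r *http.Request) *Token {
	roles, ok := v.Tokens[r.Header.Get("X-Auth-Token")]
	if !ok {
		return &Token{Enforcer: v.Enforcer, Err: errors.New("token missing or invalid")}
	}
	return &Token{Enforcer: v.Enforcer, Roles: roles}
}

// ListServersHandler shows the documented flow: CheckToken, then Require, and
// real work only after Require returned true.
func ListServersHandler(v Validator) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		token := v.CheckToken(r)
		if !token.Require(w, "compute:list_servers") {
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprintln(w, `{"servers":[]}`)
	}
}

// DemoValidator wires the stub with constructed tokens and a constructed policy.
func DemoValidator() Validator {
	return StubValidator{
		Enforcer: RoleEnforcer{
			"compute:list_servers":  {"member", "admin"},
			"compute:delete_server": {"admin"},
		},
		Tokens: map[string][]string{"member-token": {"member"}, "reader-token": {"reader"}},
	}
}

// Probe sends one request carrying authToken (if non-empty) and returns the status code.
func Probe(h http.Handler, authToken string) int {
	req := httptest.NewRequest(http.MethodGet, "/v2.1/servers", nil)
	if authToken != "" {
		req.Header.Set("X-Auth-Token", authToken)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := ListServersHandler(DemoValidator())
	for _, tok := range []string{"", "reader-token", "member-token"} {
		fmt.Printf("token %q -> HTTP %d\n", tok, Probe(h, tok))
	}
}
```

Because the handler depends on the Validator interface rather than on *TokenValidator, the same handler runs unchanged in production (with a TokenValidator backed by Keystone) and in tests (with the stub), and the deferred-error design means a handler that forgets to call Require never silently proceeds with an unauthenticated token: Check also denies whenever Err is set.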