Documentation
Overview
Package warden implements endpoints capable of making access control decisions based on Access Control Policies
Index
- Constants
- func OAuth2TokenIntrospectionFactory(config *compose.Config, storage interface{}, strategy interface{}) interface{}
- func TokenFromRequest(r *http.Request) string
- type HTTPWarden
- func (w *HTTPWarden) IsAllowed(ctx context.Context, a *firewall.AccessRequest) error
- func (w *HTTPWarden) SetClient(c *clientcredentials.Config)
- func (w *HTTPWarden) TokenAllowed(ctx context.Context, token string, a *firewall.TokenAccessRequest, ...) (*firewall.Context, error)
- func (w *HTTPWarden) TokenFromRequest(r *http.Request) string
- type LocalWarden
- type TokenValidator
- type WardenHandler
Constants
```go
const (
	// TokenAllowedHandlerPath points to the token access request validation endpoint.
	TokenAllowedHandlerPath = "/warden/token/allowed"
	// AllowedHandlerPath points to the access request validation endpoint.
	AllowedHandlerPath = "/warden/allowed"
)
```
Variables
This section is empty.
Functions
func OAuth2TokenIntrospectionFactory (added in v0.9.12)
func OAuth2TokenIntrospectionFactory(config *compose.Config, storage interface{}, strategy interface{}) interface{}
func TokenFromRequest
func TokenFromRequest(r *http.Request) string
Types
type HTTPWarden
func (*HTTPWarden) IsAllowed
func (w *HTTPWarden) IsAllowed(ctx context.Context, a *firewall.AccessRequest) error
IsAllowed checks if an arbitrary subject is allowed to perform an action on a resource.
The HTTP API is documented at http://docs.hydra13.apiary.io/#reference/warden:-access-control-for-resource-providers/check-if-a-subject-is-allowed-to-do-something
func (*HTTPWarden) SetClient
func (w *HTTPWarden) SetClient(c *clientcredentials.Config)
func (*HTTPWarden) TokenAllowed
func (w *HTTPWarden) TokenAllowed(ctx context.Context, token string, a *firewall.TokenAccessRequest, scopes ...string) (*firewall.Context, error)
TokenAllowed checks if a token is valid and if the token owner is allowed to perform an action on a resource. This endpoint requires a token, a scope, a resource name, an action name and a context.
The HTTP API is documented at http://docs.hydra13.apiary.io/#reference/warden:-access-control-for-resource-providers/check-if-an-access-tokens-subject-is-allowed-to-do-something
func (*HTTPWarden) TokenFromRequest
func (w *HTTPWarden) TokenFromRequest(r *http.Request) string
type LocalWarden
```go
type LocalWarden struct {
	Warden              ladon.Warden
	OAuth2              fosite.OAuth2Provider
	Groups              group.Manager
	AccessTokenLifespan time.Duration
	Issuer              string
	L                   logrus.FieldLogger
}
```
func (*LocalWarden) IsAllowed
func (w *LocalWarden) IsAllowed(ctx context.Context, a *firewall.AccessRequest) error
func (*LocalWarden) TokenAllowed
func (w *LocalWarden) TokenAllowed(ctx context.Context, token string, a *firewall.TokenAccessRequest, scopes ...string) (*firewall.Context, error)
func (*LocalWarden) TokenFromRequest
func (w *LocalWarden) TokenFromRequest(r *http.Request) string
type TokenValidator (added in v0.9.12)
```go
type TokenValidator struct {
	oauth2.CoreStrategy
	oauth2.CoreStorage
	ScopeStrategy fosite.ScopeStrategy
}
```
func (*TokenValidator) IntrospectToken (added in v0.9.12)
func (c *TokenValidator) IntrospectToken(ctx context.Context, token string, tokenType fosite.TokenType, accessRequest fosite.AccessRequester, scopes []string) (err error)
type WardenHandler
WardenHandler is capable of handling HTTP requests and validating access tokens and access requests.
func NewHandler
func NewHandler(c *config.Config, router *httprouter.Router) *WardenHandler
func (*WardenHandler) Allowed
func (h *WardenHandler) Allowed(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route POST /warden/allowed warden doesWardenAllowAccessRequest
Check if an access request is valid (without providing an access token)
Checks if a subject (typically a user or a service) is allowed to perform an action on a resource. This endpoint requires a subject, a resource name, an action name and a context. If the subject is not allowed to perform the action on the resource, this endpoint returns a 200 response with `{ "allowed": false }`, otherwise `{ "allowed": true }` is returned.
The subject making the request needs to be assigned to a policy containing:
```json
{
  "resources": ["rn:hydra:warden:allowed"],
  "actions": ["decide"],
  "effect": "allow"
}
```
Consumes:
- application/json

Produces:
- application/json

Schemes: http, https

Security:
  oauth2: hydra.warden

Responses:
  200: wardenAccessRequestResponse
  401: genericError
  403: genericError
  500: genericError
func (*WardenHandler) SetRoutes
func (h *WardenHandler) SetRoutes(r *httprouter.Router)
func (*WardenHandler) TokenAllowed
func (h *WardenHandler) TokenAllowed(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route POST /warden/token/allowed warden doesWardenAllowTokenAccessRequest
Check if an access request is valid (providing an access token)
Checks if a token is valid and if the token subject is allowed to perform an action on a resource. This endpoint requires a token, a scope, a resource name, an action name and a context.
If a token is expired/invalid, has not been granted the requested scope or the subject is not allowed to perform the action on the resource, this endpoint returns a 200 response with `{ "allowed": false }`.
Extra data set through the `accessTokenExtra` field in the consent flow will be included in the response.
The subject making the request needs to be assigned to a policy containing:
```json
{
  "resources": ["rn:hydra:warden:token:allowed"],
  "actions": ["decide"],
  "effect": "allow"
}
```
Consumes:
- application/json

Produces:
- application/json

Schemes: http, https

Security:
  oauth2: hydra.warden

Responses:
  200: wardenTokenAccessRequestResponse
  401: genericError
  403: genericError
  500: genericError
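Both endpoints above (POST /warden/allowed and POST /warden/token/allowed) are consumed the same way by a resource provider: send a JSON body, authenticate with a client token carrying the hydra.warden scope, and read the `{ "allowed": ... }` verdict. The Go program below is an added example, not code from the warden package or from the Hydra project. It implements a hypothetical client for both endpoints plus a constructed in-process stand-in for the warden so that it runs offline. The JSON field names of the request bodies (subject, token, scopes, resource, action, context), the use of bearer-token authentication for the calling client, and every token, subject and scope the fake warden knows about are assumptions of this example, not taken from the page.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

const AllowedHandlerPath = "/warden/allowed" // endpoint paths as documented on the page
const TokenAllowedHandlerPath = "/warden/token/allowed"

// AccessRequest is the input /warden/allowed needs per the page (JSON names assumed).
type AccessRequest struct {
	Subject  string                 `json:"subject"`
	Resource string                 `json:"resource"`
	Action   string                 `json:"action"`
	Context  map[string]interface{} `json:"context,omitempty"`
}

// TokenAccessRequest is the input /warden/token/allowed needs (JSON names assumed).
type TokenAccessRequest struct {
	Token    string                 `json:"token"`
	Scopes   []string               `json:"scopes,omitempty"`
	Resource string                 `json:"resource"`
	Action   string                 `json:"action"`
	Context  map[string]interface{} `json:"context,omitempty"`
}

// Client is a hypothetical warden client; Token is the provider's own access token with the hydra.warden scope (bearer auth assumed).
type Client struct {
	BaseURL, Token string
	HTTP           *http.Client
}

// Decide POSTs an AccessRequest or TokenAccessRequest to path and returns the warden's
// {"allowed": ...} verdict. A transport error, a non-200 status or an unparseable body
// yields (false, err): a caller that denies on error fails closed instead of treating a warden outage as "allowed".
func (c *Client) Decide(ctx context.Context, path string, body interface{}) (bool, error) {
	buf, err := json.Marshal(body)
	if err != nil {
		return false, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, c.BaseURL+path, bytes.NewReader(buf))
	if err != nil {
		return false, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+c.Token)
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("warden %s: unexpected status %d", path, resp.StatusCode)
	}
	var d map[string]bool
	if err := json.NewDecoder(resp.Body).Decode(&d); err != nil {
		return false, fmt.Errorf("warden %s: bad response body: %w", path, err)
	}
	return d["allowed"], nil
}

// NewFakeWarden is a constructed stand-in for both endpoints so the example runs offline.
// It requires the constructed client token "warden-client", lets subject "alice" perform "get"
// on any resource, and knows one access token, "tok-alice", owned by alice and granted only scope "blog.read".
func NewFakeWarden() *httptest.Server {
	h := func(w http.ResponseWriter, r *http.Request) {
		var a struct{ Subject, Token, Action string; Scopes []string } // JSON keys match case-insensitively
		if r.Header.Get("Authorization") != "Bearer warden-client" || json.NewDecoder(r.Body).Decode(&a) != nil {
			http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
			return
		}
		subject := a.Subject
		if r.URL.Path == TokenAllowedHandlerPath { // here the subject is whoever the token belongs to
			subject = map[string]string{"tok-alice": "alice"}[a.Token]
		}
		// Every requested scope must have been granted to the token; only blog.read was.
		ok := subject == "alice" && a.Action == "get" && (len(a.Scopes) == 0 || strings.Join(a.Scopes, " ") == "blog.read")
		json.NewEncoder(w).Encode(map[string]bool{"allowed": ok})
	}
	mux := http.NewServeMux()
	mux.HandleFunc(AllowedHandlerPath, h)
	mux.HandleFunc(TokenAllowedHandlerPath, h)
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeWarden()
	defer srv.Close()
	c := &Client{BaseURL: srv.URL, Token: "warden-client", HTTP: &http.Client{Timeout: 5 * time.Second}}
	ok, err := c.Decide(context.Background(), TokenAllowedHandlerPath, TokenAccessRequest{
		Token: "tok-alice", Scopes: []string{"blog.read"}, Resource: "rn:blog:post:1", Action: "get"})
	fmt.Println(ok, err) // true <nil>
}
```

The point to take from `Decide` is that only a 200 with a parseable body counts as a verdict: the documented 401, 403 and 500 responses, as well as a timeout set on the `http.Client`, surface as errors, and a caller that maps errors to "deny" never lets a misconfigured client token or a warden outage turn into an allow. The fake mirrors the documented semantics of /warden/token/allowed, where an unknown token or a scope the token was never granted yields `{ "allowed": false }` with a 200 rather than an error.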