Documentation ¶
Index ¶
- Constants
- Variables
- func AddAdminUser(ctx context.Context, authService Service, user *model.SuperuserConfiguration) (*model.Credential, error)
- func ArnMatch(src, dst string) bool
- func Base64StringGenerator(bytes int) string
- func CreateInitialAdminUser(ctx context.Context, authService Service, metadataManger MetadataManager, ...) (*model.Credential, error)
- func CreateInitialAdminUserWithKeys(ctx context.Context, authService Service, metadataManger MetadataManager, ...) (*model.Credential, error)
- func HexStringGenerator(bytes int) string
- func IsValidAccessKeyID(key string) bool
- func KeyGenerator(length int) string
- func ListPaged(ctx context.Context, db db.Querier, retType reflect.Type, ...) (*reflect.Value, *model.Paginator, error)
- func SetupAdminUser(ctx context.Context, authService Service, ...) (*model.Credential, error)
- func SetupBaseGroups(ctx context.Context, authService Service, ts time.Time) error
- type Arn
- type Authenticator
- type AuthorizationRequest
- type AuthorizationResponse
- type BuiltinAuthenticator
- type Cache
- type ChainAuthenticator
- type CheckResult
- type CredentialSetFn
- type Credentialler
- type DBAuthService
- func (s *DBAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
- func (s *DBAuthService) AddUserToGroup(ctx context.Context, username, groupDisplayName string) error
- func (s *DBAuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
- func (s *DBAuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error
- func (s *DBAuthService) Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
- func (s *DBAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
- func (s *DBAuthService) CreateGroup(ctx context.Context, group *model.Group) error
- func (s *DBAuthService) CreateUser(ctx context.Context, user *model.User) (int, error)
- func (s *DBAuthService) DB() db.Database
- func (s *DBAuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error
- func (s *DBAuthService) DeleteGroup(ctx context.Context, groupDisplayName string) error
- func (s *DBAuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error
- func (s *DBAuthService) DeleteUser(ctx context.Context, username string) error
- func (s *DBAuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
- func (s *DBAuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
- func (s *DBAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
- func (s *DBAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
- func (s *DBAuthService) GetGroup(ctx context.Context, groupDisplayName string) (*model.Group, error)
- func (s *DBAuthService) GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)
- func (s *DBAuthService) GetUser(ctx context.Context, username string) (*model.User, error)
- func (s *DBAuthService) GetUserByID(ctx context.Context, userID int) (*model.User, error)
- func (s *DBAuthService) ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *DBAuthService) ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *DBAuthService) ListGroupUsers(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
- func (s *DBAuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
- func (s *DBAuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *DBAuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)
- func (s *DBAuthService) ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
- func (s *DBAuthService) ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *DBAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
- func (s *DBAuthService) RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error
- func (s *DBAuthService) SecretStore() crypt.SecretStore
- func (s *DBAuthService) WritePolicy(ctx context.Context, policy *model.Policy) error
- type DBMetadataManager
- type DummyCache
- func (d *DummyCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)
- func (d *DummyCache) GetUser(username string, setFn UserSetFn) (*model.User, error)
- func (d *DummyCache) GetUserByID(userID int, setFn UserSetFn) (*model.User, error)
- func (d *DummyCache) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)
- type LDAPAuthenticator
- type LRUCache
- func (c *LRUCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)
- func (c *LRUCache) GetUser(username string, setFn UserSetFn) (*model.User, error)
- func (c *LRUCache) GetUserByID(userID int, setFn UserSetFn) (*model.User, error)
- func (c *LRUCache) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)
- type MetadataManager
- type Service
- type UserPoliciesSetFn
- type UserSetFn
- Bugs
Constants ¶
const ( InstallationIDKeyName = "installation_id" SetupTimestampKeyName = "setup_timestamp" )
const ( AdminsGroup = "Admins" SuperUsersGroup = "SuperUsers" DevelopersGroup = "Developers" ViewersGroup = "Viewers" )
const AkiaAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" // Amazon AKIA alphabet is weird.
const InvalidUserID = -1
Variables ¶
var ( ErrNotFound = db.ErrNotFound ErrAlreadyExists = db.ErrAlreadyExists ErrNonUnique = errors.New("more than one user found") ErrInvalidArn = errors.New("invalid ARN") ErrInsufficientPermissions = errors.New("insufficient permissions") ErrNoField = errors.New("no field tagged in struct") ErrInvalidAccessKeyID = errors.New("invalid access key ID") ErrInvalidSecretAccessKey = errors.New("invalid secret access key") )
Functions ¶
func AddAdminUser ¶
func AddAdminUser(ctx context.Context, authService Service, user *model.SuperuserConfiguration) (*model.Credential, error)
func Base64StringGenerator ¶
func CreateInitialAdminUser ¶
func CreateInitialAdminUser(ctx context.Context, authService Service, metadataManger MetadataManager, username string) (*model.Credential, error)
func CreateInitialAdminUserWithKeys ¶
func CreateInitialAdminUserWithKeys(ctx context.Context, authService Service, metadataManger MetadataManager, username string, accessKeyID *string, secretAccessKey *string) (*model.Credential, error)
func HexStringGenerator ¶
func IsValidAccessKeyID ¶ added in v0.52.0
func KeyGenerator ¶
func SetupAdminUser ¶
func SetupAdminUser(ctx context.Context, authService Service, superuser *model.SuperuserConfiguration) (*model.Credential, error)
Types ¶
type Arn ¶
type Authenticator ¶ added in v0.53.0
type Authenticator interface { // AuthenticateUser authenticates a user matching username and // password and returns their ID. AuthenticateUser(ctx context.Context, username, password string) (int, error) }
Authenticator authenticates users returning an identifier for the user. (Currently it handles only username+password single-step authentication. This interface will need to change significantly in order to support challenge-response protocols.)
func NewChainAuthenticator ¶ added in v0.53.0
func NewChainAuthenticator(auth ...Authenticator) Authenticator
NewChainAuthenticator returns an Authenticator that authenticates users by trying each auth in order.
type AuthorizationRequest ¶
type AuthorizationRequest struct { Username string RequiredPermissions permissions.Node }
type AuthorizationResponse ¶
type BuiltinAuthenticator ¶ added in v0.53.0
type BuiltinAuthenticator struct {
// contains filtered or unexported fields
}
BuiltinAuthenticator authenticates users by their access key IDs and passwords stored in the auth service.
func NewBuiltinAuthenticator ¶ added in v0.53.0
func NewBuiltinAuthenticator(service Service) *BuiltinAuthenticator
func (*BuiltinAuthenticator) AuthenticateUser ¶ added in v0.53.0
type Cache ¶
type Cache interface { GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error) GetUser(username string, setFn UserSetFn) (*model.User, error) GetUserByID(userID int, setFn UserSetFn) (*model.User, error) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error) }
type ChainAuthenticator ¶ added in v0.53.0
type ChainAuthenticator []Authenticator
ChainAuthenticator authenticates users by trying each Authenticator in order, returning the last error in case all fail.
func (ChainAuthenticator) AuthenticateUser ¶ added in v0.53.0
type CheckResult ¶ added in v0.53.1
type CheckResult int
CheckResult - the final result for the authorization is accepted only if it's CheckAllow
const ( // CheckAllow Permission allowed CheckAllow CheckResult = iota // CheckNeutral Permission neither allowed nor denied CheckNeutral // CheckDeny Permission denied CheckDeny )
type CredentialSetFn ¶
type CredentialSetFn func() (*model.Credential, error)
type Credentialler ¶ added in v0.53.0
type Credentialler interface {
GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
}
Credentialler fetches S3-style credentials for access keys.
type DBAuthService ¶
type DBAuthService struct {
// contains filtered or unexported fields
}
func NewDBAuthService ¶
func NewDBAuthService(db db.Database, secretStore crypt.SecretStore, cacheConf params.ServiceCache) *DBAuthService
func (*DBAuthService) AddCredentials ¶
func (s *DBAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
func (*DBAuthService) AddUserToGroup ¶
func (s *DBAuthService) AddUserToGroup(ctx context.Context, username, groupDisplayName string) error
func (*DBAuthService) AttachPolicyToGroup ¶
func (s *DBAuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
func (*DBAuthService) AttachPolicyToUser ¶
func (s *DBAuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error
func (*DBAuthService) Authorize ¶
func (s *DBAuthService) Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
func (*DBAuthService) CreateCredentials ¶
func (s *DBAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
func (*DBAuthService) CreateGroup ¶
func (*DBAuthService) CreateUser ¶
func (*DBAuthService) DB ¶
func (s *DBAuthService) DB() db.Database
func (*DBAuthService) DeleteCredentials ¶
func (s *DBAuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error
func (*DBAuthService) DeleteGroup ¶
func (s *DBAuthService) DeleteGroup(ctx context.Context, groupDisplayName string) error
func (*DBAuthService) DeletePolicy ¶
func (s *DBAuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error
func (*DBAuthService) DeleteUser ¶
func (s *DBAuthService) DeleteUser(ctx context.Context, username string) error
func (*DBAuthService) DetachPolicyFromGroup ¶
func (s *DBAuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
func (*DBAuthService) DetachPolicyFromUser ¶
func (s *DBAuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
func (*DBAuthService) GetCredentials ¶
func (s *DBAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
func (*DBAuthService) GetCredentialsForUser ¶
func (s *DBAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
func (*DBAuthService) GetUserByID ¶
func (*DBAuthService) ListEffectivePolicies ¶
func (*DBAuthService) ListGroupPolicies ¶
func (*DBAuthService) ListGroupUsers ¶
func (*DBAuthService) ListGroups ¶
func (s *DBAuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
func (*DBAuthService) ListPolicies ¶
func (s *DBAuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
func (*DBAuthService) ListUserCredentials ¶
func (s *DBAuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)
func (*DBAuthService) ListUserGroups ¶
func (*DBAuthService) ListUserPolicies ¶
func (*DBAuthService) ListUsers ¶
func (s *DBAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
func (*DBAuthService) RemoveUserFromGroup ¶
func (s *DBAuthService) RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error
func (*DBAuthService) SecretStore ¶
func (s *DBAuthService) SecretStore() crypt.SecretStore
func (*DBAuthService) WritePolicy ¶
type DBMetadataManager ¶
type DBMetadataManager struct {
// contains filtered or unexported fields
}
func NewDBMetadataManager ¶
func NewDBMetadataManager(version string, fixedInstallationID string, database db.Database) *DBMetadataManager
func (*DBMetadataManager) IsInitialized ¶ added in v0.43.0
func (d *DBMetadataManager) IsInitialized(ctx context.Context) (bool, error)
func (*DBMetadataManager) UpdateSetupTimestamp ¶
type DummyCache ¶
type DummyCache struct { }
func (*DummyCache) GetCredential ¶
func (d *DummyCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)
func (*DummyCache) GetUserByID ¶
func (*DummyCache) GetUserPolicies ¶
func (d *DummyCache) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)
type LDAPAuthenticator ¶ added in v0.53.0
type LDAPAuthenticator struct { AuthService Service MakeLDAPConn func(ctx context.Context) (*ldap.Conn, error) BindDN string BindPassword string BaseSearchRequest ldap.SearchRequest UsernameAttribute string DefaultUserGroup string // contains filtered or unexported fields }
LDAPAuthenticator authenticates users on an LDAP server. It currently supports only simple authentication.
func (*LDAPAuthenticator) AuthenticateUser ¶ added in v0.53.0
type LRUCache ¶
type LRUCache struct {
// contains filtered or unexported fields
}
func (*LRUCache) GetCredential ¶
func (c *LRUCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)
func (*LRUCache) GetUserByID ¶
func (*LRUCache) GetUserPolicies ¶
type MetadataManager ¶
type Service ¶
type Service interface { SecretStore() crypt.SecretStore // users CreateUser(ctx context.Context, user *model.User) (int, error) DeleteUser(ctx context.Context, username string) error GetUserByID(ctx context.Context, userID int) (*model.User, error) GetUser(ctx context.Context, username string) (*model.User, error) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error) // groups CreateGroup(ctx context.Context, group *model.Group) error DeleteGroup(ctx context.Context, groupDisplayName string) error GetGroup(ctx context.Context, groupDisplayName string) (*model.Group, error) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error) // group<->user memberships AddUserToGroup(ctx context.Context, username, groupDisplayName string) error RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error) ListGroupUsers(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error) // policies WritePolicy(ctx context.Context, policy *model.Policy) error GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error) DeletePolicy(ctx context.Context, policyDisplayName string) error ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error) // credentials CreateCredentials(ctx context.Context, username string) (*model.Credential, error) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error) DeleteCredentials(ctx context.Context, username, accessKeyID string) error GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error) // policy<->user attachments AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error) ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error) // policy<->group attachments AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error) // authorize user for an action Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error) }
type UserPoliciesSetFn ¶
Notes ¶
Bugs ¶
This parser does not handle resource types. Handling resource types is
subtle: they may be separated from resource IDs by a colon OR by a slash. For an example of a resource type, see ECS[1] (uses only slash separators). That colons are an acceptable separator appears in [2], so a workaround to this limitation is to use a slash. [1] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources [2] https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arns-syntax