Documentation ¶
Index ¶
- Constants
- Variables
- func ArnMatch(src, dst string) bool
- func GenerateJWTResetPassword(secret []byte, email string, issuedAt, expiresAt time.Time) (string, error)
- func GetActionsForPolicyType(typ string) ([]string, error)
- func GetActionsForPolicyTypeOrDie(typ string) []string
- func GetUser(ctx context.Context) (*model.User, error)
- func IsValidAccessKeyID(key string) bool
- func ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams, ...) ([]*model.Policy, *model.Paginator, error)
- func MakeStatementForPolicyType(typ string, resources []string) (model.Statements, error)
- func MakeStatementForPolicyTypeOrDie(typ string, resources []string) model.Statements
- func ValidatePolicy(policy *model.Policy) error
- func VerifyToken(secret []byte, tokenString string) (*jwt.StandardClaims, error)
- func VerifyTokenWithAudience(secret []byte, token, audience string) (*jwt.StandardClaims, error)
- func WithUser(ctx context.Context, user *model.User) context.Context
- type APIAuthService
- func (a *APIAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
- func (a *APIAuthService) AddUserToGroup(ctx context.Context, username, groupDisplayName string) error
- func (a *APIAuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
- func (a *APIAuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error
- func (a *APIAuthService) Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
- func (a *APIAuthService) Cache() Cache
- func (a *APIAuthService) ClaimTokenIDOnce(ctx context.Context, tokenID string, expiresAt int64) error
- func (a *APIAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
- func (a *APIAuthService) CreateGroup(ctx context.Context, group *model.Group) error
- func (a *APIAuthService) CreateUser(ctx context.Context, user *model.User) (string, error)
- func (a *APIAuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error
- func (a *APIAuthService) DeleteGroup(ctx context.Context, groupDisplayName string) error
- func (a *APIAuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error
- func (a *APIAuthService) DeleteUser(ctx context.Context, username string) error
- func (a *APIAuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
- func (a *APIAuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
- func (a *APIAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
- func (a *APIAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
- func (a *APIAuthService) GetGroup(ctx context.Context, groupDisplayName string) (*model.Group, error)
- func (a *APIAuthService) GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)
- func (a *APIAuthService) GetUser(ctx context.Context, username string) (*model.User, error)
- func (a *APIAuthService) GetUserByEmail(ctx context.Context, email string) (*model.User, error)
- func (a *APIAuthService) GetUserByExternalID(ctx context.Context, externalID string) (*model.User, error)
- func (a *APIAuthService) GetUserByID(ctx context.Context, userID string) (*model.User, error)
- func (a *APIAuthService) InviteUser(ctx context.Context, email string) error
- func (a *APIAuthService) IsInviteSupported() bool
- func (a *APIAuthService) ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (a *APIAuthService) ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (a *APIAuthService) ListGroupUsers(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
- func (a *APIAuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
- func (a *APIAuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (a *APIAuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)
- func (a *APIAuthService) ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
- func (a *APIAuthService) ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (a *APIAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
- func (a *APIAuthService) RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error
- func (a *APIAuthService) SecretStore() crypt.SecretStore
- func (a *APIAuthService) WritePolicy(ctx context.Context, policy *model.Policy, update bool) error
- type Arn
- type AuthService
- func (s *AuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
- func (s *AuthService) AddUserToGroup(ctx context.Context, username, groupDisplayName string) error
- func (s *AuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
- func (s *AuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName string, username string) error
- func (s *AuthService) Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
- func (s *AuthService) Cache() Cache
- func (s *AuthService) ClaimTokenIDOnce(ctx context.Context, tokenID string, expiresAt int64) error
- func (s *AuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
- func (s *AuthService) CreateGroup(ctx context.Context, group *model.Group) error
- func (s *AuthService) CreateUser(ctx context.Context, user *model.User) (string, error)
- func (s *AuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error
- func (s *AuthService) DeleteGroup(ctx context.Context, groupDisplayName string) error
- func (s *AuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error
- func (s *AuthService) DeleteUser(ctx context.Context, username string) error
- func (s *AuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
- func (s *AuthService) DetachPolicyFromGroupNoValidation(ctx context.Context, policyDisplayName, groupDisplayName string) error
- func (s *AuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
- func (s *AuthService) DetachPolicyFromUserNoValidation(ctx context.Context, policyDisplayName, username string) error
- func (s *AuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
- func (s *AuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
- func (s *AuthService) GetGroup(ctx context.Context, groupDisplayName string) (*model.Group, error)
- func (s *AuthService) GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)
- func (s *AuthService) GetUser(ctx context.Context, username string) (*model.User, error)
- func (s *AuthService) GetUserByEmail(ctx context.Context, email string) (*model.User, error)
- func (s *AuthService) GetUserByExternalID(ctx context.Context, externalID string) (*model.User, error)
- func (s *AuthService) GetUserByID(ctx context.Context, userID string) (*model.User, error)
- func (s *AuthService) ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *AuthService) ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *AuthService) ListGroupUsers(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
- func (s *AuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
- func (s *AuthService) ListKVPaged(ctx context.Context, protoType protoreflect.MessageType, ...) ([]proto.Message, *model.Paginator, error)
- func (s *AuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *AuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)
- func (s *AuthService) ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
- func (s *AuthService) ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *AuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
- func (s *AuthService) RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error
- func (s *AuthService) SecretStore() crypt.SecretStore
- func (s *AuthService) WritePolicy(ctx context.Context, policy *model.Policy, update bool) error
- type Authenticator
- type AuthorizationRequest
- type AuthorizationResponse
- type Authorizer
- type BuiltinAuthenticator
- type Cache
- type ChainAuthenticator
- type CheckResult
- type CommPrefs
- type CredentialSetFn
- type Credentialler
- type CredentialsCreator
- type DummyCache
- type EmailInviteHandler
- type GatewayService
- type InviteHandler
- type KVMetadataManager
- func (m *KVMetadataManager) GetCommPrefs(ctx context.Context) (CommPrefs, error)
- func (m *KVMetadataManager) GetMetadata(ctx context.Context) (map[string]string, error)
- func (m *KVMetadataManager) GetSetupState(ctx context.Context) (SetupStateName, error)
- func (m *KVMetadataManager) IsCommPrefsSet(ctx context.Context) (bool, error)
- func (m *KVMetadataManager) IsInitialized(ctx context.Context) (bool, error)
- func (m *KVMetadataManager) UpdateCommPrefs(ctx context.Context, commPrefs *CommPrefs) (string, error)
- func (m *KVMetadataManager) UpdateSetupTimestamp(ctx context.Context, ts time.Time) error
- type LRUCache
- type MetadataManager
- type Service
- type SetupStateName
- type UserPoliciesSetFn
- type UserPredicate
- type UserSetFn
- Bugs
Constants ¶
const ( InstallationIDKeyName = "installation_id" SetupTimestampKeyName = "setup_timestamp" CommPrefsSetKeyName = "comm_prefs_set" EmailKeyName = "encoded_user_email" FeatureUpdatesKeyName = "feature_updates" SecurityUpdatesKeyName = "security_updates" InstrumentationSamplesRepo = "SamplesRepo" InstrumentationQuickstart = "Quickstart" InstrumentationRun = "Run" )
const (
DefaultInvitePasswordExpiration = 6 * time.Hour
)
const (
ResetPasswordAudience = "reset_password"
)
Variables ¶
var ( ErrNotFound = kv.ErrNotFound ErrAlreadyExists = errors.New("already exists") ErrNonUnique = errors.New("more than one user found") ErrInvalidArn = errors.New("invalid ARN") ErrInsufficientPermissions = errors.New("insufficient permissions") ErrInvalidAccessKeyID = errors.New("invalid access key ID") ErrInvalidSecretAccessKey = errors.New("invalid secret access key") ErrUnexpectedStatusCode = errors.New("unexpected status code") ErrUnexpectedSigningMethod = errors.New("unexpected signing method") ErrInvalidToken = errors.New("invalid token") ErrInvalidRequest = errors.New("invalid request") ErrUserNotFound = errors.New("user not found") ErrInvalidResponse = errors.New("invalid response") )
var DockeEnvExists = "/.dockerenv"
DockeEnvExists is the path ("/.dockerenv") presumably checked to detect whether the process is running inside a Docker container; it is a variable rather than a constant so that tests can override it.
var (
ErrStatementNotFound = errors.New("statement not found")
)
Functions ¶
func GenerateJWTResetPassword ¶ added in v0.69.0
func GenerateJWTResetPassword(secret []byte, email string, issuedAt, expiresAt time.Time) (string, error)
GenerateJWTResetPassword creates a JWT signed with secret whose subject claim is set to the given email and whose validity runs from issuedAt to expiresAt. Keep expiresAt short (compare DefaultInvitePasswordExpiration) and verify the result with VerifyTokenWithAudience using ResetPasswordAudience rather than with VerifyToken, so that a reset token cannot be presented to any other flow that trusts the same secret; presumably the token's audience claim is set to ResetPasswordAudience — confirm against the implementation.
func GetActionsForPolicyType ¶ added in v0.98.0
GetActionsForPolicyType returns the actions for policy type typ, or an error when typ cannot be resolved (the OrDie variant presumably panics in that case instead).
func GetActionsForPolicyTypeOrDie ¶ added in v0.98.0
func IsValidAccessKeyID ¶ added in v0.52.0
func ListEffectivePolicies ¶ added in v0.68.0
func MakeStatementForPolicyType ¶ added in v0.98.0
func MakeStatementForPolicyType(typ string, resources []string) (model.Statements, error)
MakeStatementForPolicyType returns statements for policy type typ, limited to resources.
func MakeStatementForPolicyTypeOrDie ¶ added in v0.98.0
func MakeStatementForPolicyTypeOrDie(typ string, resources []string) model.Statements
func ValidatePolicy ¶ added in v0.68.0
func VerifyToken ¶ added in v0.64.0
func VerifyToken(secret []byte, tokenString string) (*jwt.StandardClaims, error)
VerifyToken parses and validates tokenString against secret without checking an audience claim (the package's ErrUnexpectedSigningMethod and ErrInvalidToken are presumably the errors it returns on failure). Because no audience is checked, any token signed with the same secret is accepted regardless of the purpose it was issued for; prefer VerifyTokenWithAudience for purpose-bound tokens such as password resets.
func VerifyTokenWithAudience ¶ added in v0.64.0
func VerifyTokenWithAudience(secret []byte, token, audience string) (*jwt.StandardClaims, error)
VerifyTokenWithAudience is VerifyToken plus a check that the token's audience claim matches audience. Pass the same constant the issuer used (for example ResetPasswordAudience for password-reset tokens) so that a token minted for one flow cannot be replayed against another.
Types ¶
type APIAuthService ¶ added in v0.63.0
type APIAuthService struct {
// contains filtered or unexported fields
}
func NewAPIAuthService ¶ added in v0.63.0
func NewAPIAuthService(apiEndpoint, token string, secretStore crypt.SecretStore, cacheConf params.ServiceCache, emailer *email.Emailer, logger logging.Logger) (*APIAuthService, error)
func NewAPIAuthServiceWithClient ¶ added in v0.70.0
func NewAPIAuthServiceWithClient(client ClientWithResponsesInterface, secretStore crypt.SecretStore, cacheConf params.ServiceCache, logger logging.Logger) (*APIAuthService, error)
func (*APIAuthService) AddCredentials ¶ added in v0.63.0
func (a *APIAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
func (*APIAuthService) AddUserToGroup ¶ added in v0.63.0
func (a *APIAuthService) AddUserToGroup(ctx context.Context, username, groupDisplayName string) error
func (*APIAuthService) AttachPolicyToGroup ¶ added in v0.63.0
func (a *APIAuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
func (*APIAuthService) AttachPolicyToUser ¶ added in v0.63.0
func (a *APIAuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error
func (*APIAuthService) Authorize ¶ added in v0.63.0
func (a *APIAuthService) Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
func (*APIAuthService) Cache ¶ added in v0.68.0
func (a *APIAuthService) Cache() Cache
func (*APIAuthService) ClaimTokenIDOnce ¶ added in v0.64.0
func (*APIAuthService) CreateCredentials ¶ added in v0.63.0
func (a *APIAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
func (*APIAuthService) CreateGroup ¶ added in v0.63.0
func (*APIAuthService) CreateUser ¶ added in v0.63.0
func (*APIAuthService) DeleteCredentials ¶ added in v0.63.0
func (a *APIAuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error
func (*APIAuthService) DeleteGroup ¶ added in v0.63.0
func (a *APIAuthService) DeleteGroup(ctx context.Context, groupDisplayName string) error
func (*APIAuthService) DeletePolicy ¶ added in v0.63.0
func (a *APIAuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error
func (*APIAuthService) DeleteUser ¶ added in v0.63.0
func (a *APIAuthService) DeleteUser(ctx context.Context, username string) error
func (*APIAuthService) DetachPolicyFromGroup ¶ added in v0.63.0
func (a *APIAuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
func (*APIAuthService) DetachPolicyFromUser ¶ added in v0.63.0
func (a *APIAuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
func (*APIAuthService) GetCredentials ¶ added in v0.63.0
func (a *APIAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
func (*APIAuthService) GetCredentialsForUser ¶ added in v0.63.0
func (a *APIAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
func (*APIAuthService) GetUserByEmail ¶ added in v0.63.0
func (*APIAuthService) GetUserByExternalID ¶ added in v0.69.0
func (*APIAuthService) GetUserByID ¶ added in v0.63.0
func (*APIAuthService) InviteUser ¶ added in v0.69.0
func (a *APIAuthService) InviteUser(ctx context.Context, email string) error
func (*APIAuthService) IsInviteSupported ¶ added in v0.69.0
func (a *APIAuthService) IsInviteSupported() bool
func (*APIAuthService) ListEffectivePolicies ¶ added in v0.63.0
func (*APIAuthService) ListGroupPolicies ¶ added in v0.63.0
func (*APIAuthService) ListGroupUsers ¶ added in v0.63.0
func (*APIAuthService) ListGroups ¶ added in v0.63.0
func (a *APIAuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
func (*APIAuthService) ListPolicies ¶ added in v0.63.0
func (a *APIAuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
func (*APIAuthService) ListUserCredentials ¶ added in v0.63.0
func (a *APIAuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)
func (*APIAuthService) ListUserGroups ¶ added in v0.63.0
func (*APIAuthService) ListUserPolicies ¶ added in v0.63.0
func (*APIAuthService) ListUsers ¶ added in v0.63.0
func (a *APIAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
func (*APIAuthService) RemoveUserFromGroup ¶ added in v0.63.0
func (a *APIAuthService) RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error
func (*APIAuthService) SecretStore ¶ added in v0.63.0
func (a *APIAuthService) SecretStore() crypt.SecretStore
func (*APIAuthService) WritePolicy ¶ added in v0.63.0
type Arn ¶
type AuthService ¶ added in v0.89.0
type AuthService struct { *EmailInviteHandler // contains filtered or unexported fields }
func NewAuthService ¶ added in v0.89.0
func NewAuthService(store kv.Store, secretStore crypt.SecretStore, emailer *email.Emailer, cacheConf params.ServiceCache, logger logging.Logger) *AuthService
func (*AuthService) AddCredentials ¶ added in v0.89.0
func (s *AuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
func (*AuthService) AddUserToGroup ¶ added in v0.89.0
func (s *AuthService) AddUserToGroup(ctx context.Context, username, groupDisplayName string) error
func (*AuthService) AttachPolicyToGroup ¶ added in v0.89.0
func (s *AuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
func (*AuthService) AttachPolicyToUser ¶ added in v0.89.0
func (*AuthService) Authorize ¶ added in v0.89.0
func (s *AuthService) Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
func (*AuthService) Cache ¶ added in v0.89.0
func (s *AuthService) Cache() Cache
func (*AuthService) ClaimTokenIDOnce ¶ added in v0.89.0
ClaimTokenIDOnce presumably records tokenID as consumed until expiresAt so that a second claim of the same ID fails — confirm against the implementation. Callers handling single-use tokens (password reset, invites) should claim the token's ID before acting on it, so a captured token cannot be replayed.
func (*AuthService) CreateCredentials ¶ added in v0.89.0
func (s *AuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
func (*AuthService) CreateGroup ¶ added in v0.89.0
func (*AuthService) CreateUser ¶ added in v0.89.0
func (*AuthService) DeleteCredentials ¶ added in v0.89.0
func (s *AuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error
func (*AuthService) DeleteGroup ¶ added in v0.89.0
func (s *AuthService) DeleteGroup(ctx context.Context, groupDisplayName string) error
func (*AuthService) DeletePolicy ¶ added in v0.89.0
func (s *AuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error
func (*AuthService) DeleteUser ¶ added in v0.89.0
func (s *AuthService) DeleteUser(ctx context.Context, username string) error
func (*AuthService) DetachPolicyFromGroup ¶ added in v0.89.0
func (s *AuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
func (*AuthService) DetachPolicyFromGroupNoValidation ¶ added in v0.89.0
func (s *AuthService) DetachPolicyFromGroupNoValidation(ctx context.Context, policyDisplayName, groupDisplayName string) error
func (*AuthService) DetachPolicyFromUser ¶ added in v0.89.0
func (s *AuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
func (*AuthService) DetachPolicyFromUserNoValidation ¶ added in v0.89.0
func (s *AuthService) DetachPolicyFromUserNoValidation(ctx context.Context, policyDisplayName, username string) error
func (*AuthService) GetCredentials ¶ added in v0.89.0
func (s *AuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
func (*AuthService) GetCredentialsForUser ¶ added in v0.89.0
func (s *AuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
func (*AuthService) GetUserByEmail ¶ added in v0.89.0
func (*AuthService) GetUserByExternalID ¶ added in v0.89.0
func (*AuthService) GetUserByID ¶ added in v0.89.0
GetUserByID looks a user up by ID. TODO(niro): in the KV implementation the ID is the username, so this is equivalent to GetUser; remove this method when the DB implementation is deleted.
func (*AuthService) ListEffectivePolicies ¶ added in v0.89.0
func (*AuthService) ListGroupPolicies ¶ added in v0.89.0
func (*AuthService) ListGroupUsers ¶ added in v0.89.0
func (*AuthService) ListGroups ¶ added in v0.89.0
func (s *AuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
func (*AuthService) ListKVPaged ¶ added in v0.89.0
func (s *AuthService) ListKVPaged(ctx context.Context, protoType protoreflect.MessageType, params *model.PaginationParams, prefix []byte, secondary bool) ([]proto.Message, *model.Paginator, error)
func (*AuthService) ListPolicies ¶ added in v0.89.0
func (s *AuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
func (*AuthService) ListUserCredentials ¶ added in v0.89.0
func (s *AuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)
func (*AuthService) ListUserGroups ¶ added in v0.89.0
func (*AuthService) ListUserPolicies ¶ added in v0.89.0
func (*AuthService) ListUsers ¶ added in v0.89.0
func (s *AuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
func (*AuthService) RemoveUserFromGroup ¶ added in v0.89.0
func (s *AuthService) RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error
func (*AuthService) SecretStore ¶ added in v0.89.0
func (s *AuthService) SecretStore() crypt.SecretStore
func (*AuthService) WritePolicy ¶ added in v0.89.0
type Authenticator ¶ added in v0.53.0
type Authenticator interface { // AuthenticateUser authenticates a user matching username and // password and returns their ID. AuthenticateUser(ctx context.Context, username, password string) (string, error) }
Authenticator authenticates users returning an identifier for the user. (Currently it handles only username+password single-step authentication. This interface will need to change significantly in order to support challenge-response protocols.)
type AuthorizationRequest ¶
type AuthorizationRequest struct { Username string RequiredPermissions permissions.Node }
type AuthorizationResponse ¶
type Authorizer ¶ added in v0.69.0
type Authorizer interface { // Authorize checks whether the user named in req holds req.RequiredPermissions. A non-nil error means the check itself could not be performed; otherwise AuthorizationResponse reports whether the request is allowed and, when it is not, carries an Error with the reason, such as ErrInsufficientPermissions. Callers must treat both outcomes as a denial. Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error) }
type BuiltinAuthenticator ¶ added in v0.53.0
type BuiltinAuthenticator struct {
// contains filtered or unexported fields
}
BuiltinAuthenticator authenticates users by their access key IDs and passwords stored in the auth service.
func NewBuiltinAuthenticator ¶ added in v0.53.0
func NewBuiltinAuthenticator(service Service) *BuiltinAuthenticator
func (*BuiltinAuthenticator) AuthenticateUser ¶ added in v0.53.0
func (*BuiltinAuthenticator) String ¶ added in v0.62.0
func (ba *BuiltinAuthenticator) String() string
type Cache ¶
type Cache interface { GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error) GetUser(key userKey, setFn UserSetFn) (*model.User, error) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error) }
type ChainAuthenticator ¶ added in v0.53.0
type ChainAuthenticator []Authenticator
ChainAuthenticator authenticates users by trying each Authenticator in order: the first one that succeeds wins, and if all of them fail only the error from the last Authenticator is returned (earlier failures are not reported). Ordering therefore matters — place the authenticator you want consulted first at the head of the chain.
func (ChainAuthenticator) AuthenticateUser ¶ added in v0.53.0
type CheckResult ¶ added in v0.53.1
type CheckResult int
CheckResult is the outcome of an authorization check. A request is accepted only when the final result is CheckAllow; CheckNeutral (neither allowed nor denied) and CheckDeny both lead to a denial, so access is denied by default.
const ( InvalidUserID = "" // CheckAllow Permission allowed CheckAllow CheckResult = iota // CheckNeutral Permission neither allowed nor denied CheckNeutral // CheckDeny Permission denied CheckDeny )
type CredentialSetFn ¶
type CredentialSetFn func() (*model.Credential, error)
type Credentialler ¶ added in v0.53.0
type Credentialler interface {
GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
}
Credentialler fetches S3-style credentials for access keys.
type CredentialsCreator ¶ added in v0.69.0
type DummyCache ¶
type DummyCache struct{}
DummyCache is a Cache implementation that never stores anything; each Get* call presumably invokes its setFn to fetch the value afresh — confirm against the implementation.
func (*DummyCache) GetCredential ¶
func (d *DummyCache) GetCredential(_ string, setFn CredentialSetFn) (*model.Credential, error)
func (*DummyCache) GetUser ¶
func (d *DummyCache) GetUser(_ userKey, setFn UserSetFn) (*model.User, error)
func (*DummyCache) GetUserPolicies ¶
func (d *DummyCache) GetUserPolicies(_ string, setFn UserPoliciesSetFn) ([]*model.Policy, error)
type EmailInviteHandler ¶ added in v0.70.0
type EmailInviteHandler struct {
// contains filtered or unexported fields
}
func NewEmailInviteHandler ¶ added in v0.70.0
func (*EmailInviteHandler) InviteUser ¶ added in v0.70.0
func (i *EmailInviteHandler) InviteUser(ctx context.Context, email string) error
func (*EmailInviteHandler) IsInviteSupported ¶ added in v0.70.0
func (i *EmailInviteHandler) IsInviteSupported() bool
type GatewayService ¶ added in v0.65.0
type InviteHandler ¶ added in v0.69.0
type KVMetadataManager ¶ added in v0.69.0
type KVMetadataManager struct {
// contains filtered or unexported fields
}
func NewKVMetadataManager ¶ added in v0.69.0
func NewKVMetadataManager(version, fixedInstallationID, kvType string, store kv.Store) *KVMetadataManager
func (*KVMetadataManager) GetCommPrefs ¶ added in v0.87.0
func (m *KVMetadataManager) GetCommPrefs(ctx context.Context) (CommPrefs, error)
func (*KVMetadataManager) GetMetadata ¶ added in v0.102.0
func (*KVMetadataManager) GetSetupState ¶ added in v0.87.0
func (m *KVMetadataManager) GetSetupState(ctx context.Context) (SetupStateName, error)
func (*KVMetadataManager) IsCommPrefsSet ¶ added in v0.105.0
func (m *KVMetadataManager) IsCommPrefsSet(ctx context.Context) (bool, error)
func (*KVMetadataManager) IsInitialized ¶ added in v0.69.0
func (m *KVMetadataManager) IsInitialized(ctx context.Context) (bool, error)
func (*KVMetadataManager) UpdateCommPrefs ¶ added in v0.87.0
func (m *KVMetadataManager) UpdateCommPrefs(ctx context.Context, commPrefs *CommPrefs) (string, error)
UpdateCommPrefs updates the communication-preferences metadata. When commPrefs is nil, setup is treated as complete with no preferences provided; they can be supplied later, since the web UI checks whether the comm prefs have been set.
func (*KVMetadataManager) UpdateSetupTimestamp ¶ added in v0.69.0
type LRUCache ¶
type LRUCache struct {
// contains filtered or unexported fields
}
func (*LRUCache) GetCredential ¶
func (c *LRUCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)
func (*LRUCache) GetUserPolicies ¶
type MetadataManager ¶
type MetadataManager interface { IsInitialized(ctx context.Context) (bool, error) GetSetupState(ctx context.Context) (SetupStateName, error) UpdateCommPrefs(ctx context.Context, commPrefs *CommPrefs) (string, error) IsCommPrefsSet(ctx context.Context) (bool, error) UpdateSetupTimestamp(context.Context, time.Time) error GetMetadata(context.Context) (map[string]string, error) }
type Service ¶
type Service interface { InviteHandler SecretStore() crypt.SecretStore Cache() Cache // users CreateUser(ctx context.Context, user *model.User) (string, error) DeleteUser(ctx context.Context, username string) error GetUserByID(ctx context.Context, userID string) (*model.User, error) GetUser(ctx context.Context, username string) (*model.User, error) GetUserByExternalID(ctx context.Context, externalID string) (*model.User, error) GetUserByEmail(ctx context.Context, email string) (*model.User, error) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error) // groups CreateGroup(ctx context.Context, group *model.Group) error DeleteGroup(ctx context.Context, groupDisplayName string) error GetGroup(ctx context.Context, groupDisplayName string) (*model.Group, error) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error) // group<->user memberships AddUserToGroup(ctx context.Context, username, groupDisplayName string) error RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error) ListGroupUsers(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error) // policies WritePolicy(ctx context.Context, policy *model.Policy, update bool) error GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error) DeletePolicy(ctx context.Context, policyDisplayName string) error ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error) // credentials CredentialsCreator AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error) DeleteCredentials(ctx context.Context, username, accessKeyID string) error GetCredentialsForUser(ctx context.Context, username, accessKeyID 
string) (*model.Credential, error) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error) // policy<->user attachments AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error) ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error) // policy<->group attachments AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error) Authorizer ClaimTokenIDOnce(ctx context.Context, tokenID string, expiresAt int64) error }
type SetupStateName ¶ added in v0.87.0
type SetupStateName string
const ( SetupStateInitialized SetupStateName = "initialized" SetupStateNotInitialized SetupStateName = "not_initialized" )
type UserPoliciesSetFn ¶
type UserPredicate ¶ added in v0.69.0
Notes ¶
Bugs ¶
The ARN parser does not handle resource types, so a policy resource that separates a resource type from its ID with a colon (type:id) may not be evaluated as intended — check such policies with ArnMatch before relying on them. Handling resource types is subtle because the type may be separated from the resource ID by a colon OR by a slash: ECS [1] uses only slash separators, while [2] shows that colons are also acceptable. Until this is fixed, the workaround is to write resource types with a slash separator (type/id). [1] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources [2] https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arns-syntax