auth

package
v0.52.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 4, 2021 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Index

Constants

View Source
const (
	InstallationIDKeyName = "installation_id"
	SetupTimestampKeyName = "setup_timestamp"
)
View Source
const AkiaAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" // Amazon AKIA alphabet is weird.

Variables

View Source
var (
	ErrNotFound                = db.ErrNotFound
	ErrAlreadyExists           = db.ErrAlreadyExists
	ErrInvalidArn              = errors.New("invalid ARN")
	ErrInsufficientPermissions = errors.New("insufficient permissions")
	ErrNoField                 = errors.New("no field tagged in struct")
	ErrInvalidAccessKeyID      = errors.New("invalid access key ID")
	ErrInvalidSecretAccessKey  = errors.New("invalid secret access key")
)

Functions

func AddAdminUser

func AddAdminUser(ctx context.Context, authService Service, user *model.SuperuserConfiguration) (*model.Credential, error)

func ArnMatch

func ArnMatch(src, dst string) bool

func Base64StringGenerator

func Base64StringGenerator(bytes int) string

func CreateInitialAdminUser

func CreateInitialAdminUser(ctx context.Context, authService Service, metadataManger MetadataManager, username string) (*model.Credential, error)

func CreateInitialAdminUserWithKeys

func CreateInitialAdminUserWithKeys(ctx context.Context, authService Service, metadataManger MetadataManager, username string, accessKeyID *string, secretAccessKey *string) (*model.Credential, error)

func HexStringGenerator

func HexStringGenerator(bytes int) string

func IsValidAccessKeyID added in v0.52.0

func IsValidAccessKeyID(key string) bool

func KeyGenerator

func KeyGenerator(length int) string

func ListPaged

func ListPaged(ctx context.Context, db db.Querier, retType reflect.Type, params *model.PaginationParams, tokenColumnName string, queryBuilder sq.SelectBuilder) (*reflect.Value, *model.Paginator, error)

func SetupAdminUser

func SetupAdminUser(ctx context.Context, authService Service, superuser *model.SuperuserConfiguration) (*model.Credential, error)

func SetupBaseGroups

func SetupBaseGroups(ctx context.Context, authService Service, ts time.Time) error

Types

type Arn

type Arn struct {
	Partition  string
	Service    string
	Region     string
	AccountID  string
	ResourceID string
}

func ParseARN

func ParseARN(arnString string) (*Arn, error)

type AuthorizationRequest

type AuthorizationRequest struct {
	Username            string
	RequiredPermissions []permissions.Permission
}

type AuthorizationResponse

type AuthorizationResponse struct {
	Allowed bool
	Error   error
}

type Cache

type Cache interface {
	GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)
	GetUser(username string, setFn UserSetFn) (*model.User, error)
	GetUserByID(userID int, setFn UserSetFn) (*model.User, error)
	GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)
}

type CredentialSetFn

type CredentialSetFn func() (*model.Credential, error)

type DBAuthService

type DBAuthService struct {
	// contains filtered or unexported fields
}

func NewDBAuthService

func NewDBAuthService(db db.Database, secretStore crypt.SecretStore, cacheConf params.ServiceCache) *DBAuthService

func (*DBAuthService) AddCredentials

func (s *DBAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)

func (*DBAuthService) AddUserToGroup

func (s *DBAuthService) AddUserToGroup(ctx context.Context, username, groupDisplayName string) error

func (*DBAuthService) AttachPolicyToGroup

func (s *DBAuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error

func (*DBAuthService) AttachPolicyToUser

func (s *DBAuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error

func (*DBAuthService) Authorize

func (*DBAuthService) CreateCredentials

func (s *DBAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)

func (*DBAuthService) CreateGroup

func (s *DBAuthService) CreateGroup(ctx context.Context, group *model.Group) error

func (*DBAuthService) CreateUser

func (s *DBAuthService) CreateUser(ctx context.Context, user *model.User) error

func (*DBAuthService) DB

func (s *DBAuthService) DB() db.Database

func (*DBAuthService) DeleteCredentials

func (s *DBAuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error

func (*DBAuthService) DeleteGroup

func (s *DBAuthService) DeleteGroup(ctx context.Context, groupDisplayName string) error

func (*DBAuthService) DeletePolicy

func (s *DBAuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error

func (*DBAuthService) DeleteUser

func (s *DBAuthService) DeleteUser(ctx context.Context, username string) error

func (*DBAuthService) DetachPolicyFromGroup

func (s *DBAuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error

func (*DBAuthService) DetachPolicyFromUser

func (s *DBAuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error

func (*DBAuthService) GetCredentials

func (s *DBAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)

func (*DBAuthService) GetCredentialsForUser

func (s *DBAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)

func (*DBAuthService) GetGroup

func (s *DBAuthService) GetGroup(ctx context.Context, groupDisplayName string) (*model.Group, error)

func (*DBAuthService) GetPolicy

func (s *DBAuthService) GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)

func (*DBAuthService) GetUser

func (s *DBAuthService) GetUser(ctx context.Context, username string) (*model.User, error)

func (*DBAuthService) GetUserByID

func (s *DBAuthService) GetUserByID(ctx context.Context, userID int) (*model.User, error)

func (*DBAuthService) ListEffectivePolicies

func (s *DBAuthService) ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*DBAuthService) ListGroupPolicies

func (s *DBAuthService) ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*DBAuthService) ListGroupUsers

func (s *DBAuthService) ListGroupUsers(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

func (*DBAuthService) ListGroups

func (s *DBAuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

func (*DBAuthService) ListPolicies

func (s *DBAuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*DBAuthService) ListUserCredentials

func (s *DBAuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)

func (*DBAuthService) ListUserGroups

func (s *DBAuthService) ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

func (*DBAuthService) ListUserPolicies

func (s *DBAuthService) ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*DBAuthService) ListUsers

func (s *DBAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

func (*DBAuthService) RemoveUserFromGroup

func (s *DBAuthService) RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error

func (*DBAuthService) SecretStore

func (s *DBAuthService) SecretStore() crypt.SecretStore

func (*DBAuthService) WritePolicy

func (s *DBAuthService) WritePolicy(ctx context.Context, policy *model.Policy) error

type DBMetadataManager

type DBMetadataManager struct {
	// contains filtered or unexported fields
}

func NewDBMetadataManager

func NewDBMetadataManager(version string, fixedInstallationID string, database db.Database) *DBMetadataManager

func (*DBMetadataManager) IsInitialized added in v0.43.0

func (d *DBMetadataManager) IsInitialized(ctx context.Context) (bool, error)

func (*DBMetadataManager) UpdateSetupTimestamp

func (d *DBMetadataManager) UpdateSetupTimestamp(ctx context.Context, ts time.Time) error

func (*DBMetadataManager) Write

func (d *DBMetadataManager) Write(ctx context.Context) (map[string]string, error)

type DummyCache

type DummyCache struct {
}

func (*DummyCache) GetCredential

func (d *DummyCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)

func (*DummyCache) GetUser

func (d *DummyCache) GetUser(username string, setFn UserSetFn) (*model.User, error)

func (*DummyCache) GetUserByID

func (d *DummyCache) GetUserByID(userID int, setFn UserSetFn) (*model.User, error)

func (*DummyCache) GetUserPolicies

func (d *DummyCache) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)

type LRUCache

type LRUCache struct {
	// contains filtered or unexported fields
}

func NewLRUCache

func NewLRUCache(size int, expiry, jitter time.Duration) *LRUCache

func (*LRUCache) GetCredential

func (c *LRUCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)

func (*LRUCache) GetUser

func (c *LRUCache) GetUser(username string, setFn UserSetFn) (*model.User, error)

func (*LRUCache) GetUserByID

func (c *LRUCache) GetUserByID(userID int, setFn UserSetFn) (*model.User, error)

func (*LRUCache) GetUserPolicies

func (c *LRUCache) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)

type MetadataManager

type MetadataManager interface {
	IsInitialized(ctx context.Context) (bool, error)
	UpdateSetupTimestamp(context.Context, time.Time) error
	Write(context.Context) (map[string]string, error)
}

type Service

type Service interface {
	SecretStore() crypt.SecretStore

	// users
	CreateUser(ctx context.Context, user *model.User) error
	DeleteUser(ctx context.Context, username string) error
	GetUserByID(ctx context.Context, userID int) (*model.User, error)
	GetUser(ctx context.Context, username string) (*model.User, error)
	ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

	// groups
	CreateGroup(ctx context.Context, group *model.Group) error
	DeleteGroup(ctx context.Context, groupDisplayName string) error
	GetGroup(ctx context.Context, groupDisplayName string) (*model.Group, error)
	ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

	// group<->user memberships
	AddUserToGroup(ctx context.Context, username, groupDisplayName string) error
	RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error
	ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
	ListGroupUsers(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

	// policies
	WritePolicy(ctx context.Context, policy *model.Policy) error
	GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)
	DeletePolicy(ctx context.Context, policyDisplayName string) error
	ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	// credentials
	CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
	AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
	DeleteCredentials(ctx context.Context, username, accessKeyID string) error
	GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
	GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
	ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)

	// policy<->user attachments
	AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error
	DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
	ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
	ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	// policy<->group attachments
	AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
	DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
	ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	// authorize user for an action
	Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
}

type UserPoliciesSetFn

type UserPoliciesSetFn func() ([]*model.Policy, error)

type UserSetFn

type UserSetFn func() (*model.User, error)

Notes

Bugs

  • This parser does not handle resource types. Handling resource types is

    subtle: they may be separated from resource IDs by a colon OR by a slash. For an
    example of a resource type, see ECS[1] (uses only slash separators). That colons
    are an acceptable separator appears in [2], so a workaround to this limitation is
    to use a slash.
    
    [1] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources
    [2] https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arns-syntax
    

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL