Documentation ¶
Index ¶
- Constants
- Variables
- func AddAdminUser(ctx context.Context, authService Service, user *model.SuperuserConfiguration) (*model.Credential, error)
- func ArnMatch(src, dst string) bool
- func CreateInitialAdminUser(ctx context.Context, authService Service, metadataManger MetadataManager, ...) (*model.Credential, error)
- func CreateInitialAdminUserWithKeys(ctx context.Context, authService Service, metadataManger MetadataManager, ...) (*model.Credential, error)
- func GenerateJWTResetPassword(secret []byte, email string, issuedAt, expiresAt time.Time) (string, error)
- func IsValidAccessKeyID(key string) bool
- func ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams, ...) ([]*model.Policy, *model.Paginator, error)
- func SetupAdminUser(ctx context.Context, authService Service, ...) (*model.Credential, error)
- func SetupBaseGroups(ctx context.Context, authService Service, ts time.Time) error
- func ValidatePolicy(policy *model.Policy) error
- func VerifyToken(secret []byte, tokenString string) (*jwt.StandardClaims, error)
- func VerifyTokenWithAudience(secret []byte, token, audience string) (*jwt.StandardClaims, error)
- type APIAuthService
- func (a *APIAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
- func (a *APIAuthService) AddUserToGroup(ctx context.Context, username, groupDisplayName string) error
- func (a *APIAuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
- func (a *APIAuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error
- func (a *APIAuthService) Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
- func (a *APIAuthService) Cache() Cache
- func (a *APIAuthService) ClaimTokenIDOnce(ctx context.Context, tokenID string, expiresAt int64) error
- func (a *APIAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
- func (a *APIAuthService) CreateGroup(ctx context.Context, group *model.Group) error
- func (a *APIAuthService) CreateUser(ctx context.Context, user *model.User) (string, error)
- func (a *APIAuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error
- func (a *APIAuthService) DeleteGroup(ctx context.Context, groupDisplayName string) error
- func (a *APIAuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error
- func (a *APIAuthService) DeleteUser(ctx context.Context, username string) error
- func (a *APIAuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
- func (a *APIAuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
- func (a *APIAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
- func (a *APIAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
- func (a *APIAuthService) GetGroup(ctx context.Context, groupDisplayName string) (*model.Group, error)
- func (a *APIAuthService) GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)
- func (a *APIAuthService) GetUser(ctx context.Context, username string) (*model.User, error)
- func (a *APIAuthService) GetUserByEmail(ctx context.Context, email string) (*model.User, error)
- func (a *APIAuthService) GetUserByExternalID(ctx context.Context, externalID string) (*model.User, error)
- func (a *APIAuthService) GetUserByID(ctx context.Context, userID string) (*model.User, error)
- func (a *APIAuthService) HashAndUpdatePassword(ctx context.Context, username string, password string) error
- func (a *APIAuthService) InviteUser(ctx context.Context, email string) error
- func (a *APIAuthService) IsInviteSupported() bool
- func (a *APIAuthService) ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (a *APIAuthService) ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (a *APIAuthService) ListGroupUsers(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
- func (a *APIAuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
- func (a *APIAuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (a *APIAuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)
- func (a *APIAuthService) ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
- func (a *APIAuthService) ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (a *APIAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
- func (a *APIAuthService) RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error
- func (a *APIAuthService) SecretStore() crypt.SecretStore
- func (a *APIAuthService) WritePolicy(ctx context.Context, policy *model.Policy) error
- type Arn
- type Authenticator
- type AuthorizationRequest
- type AuthorizationResponse
- type Authorizer
- type BuiltinAuthenticator
- type Cache
- type ChainAuthenticator
- type CheckResult
- type CredentialSetFn
- type Credentialler
- type CredentialsCreator
- type DummyCache
- type EmailAuthenticator
- type EmailInviteHandler
- type GatewayService
- type InviteHandler
- type KVAuthService
- func (s *KVAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
- func (s *KVAuthService) AddUserToGroup(ctx context.Context, username, groupDisplayName string) error
- func (s *KVAuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
- func (s *KVAuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName string, username string) error
- func (s *KVAuthService) Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
- func (s *KVAuthService) Cache() Cache
- func (s *KVAuthService) ClaimTokenIDOnce(ctx context.Context, tokenID string, expiresAt int64) error
- func (s *KVAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
- func (s *KVAuthService) CreateGroup(ctx context.Context, group *model.Group) error
- func (s *KVAuthService) CreateUser(ctx context.Context, user *model.User) (string, error)
- func (s *KVAuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error
- func (s *KVAuthService) DeleteGroup(ctx context.Context, groupDisplayName string) error
- func (s *KVAuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error
- func (s *KVAuthService) DeleteUser(ctx context.Context, username string) error
- func (s *KVAuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
- func (s *KVAuthService) DetachPolicyFromGroupNoValidation(ctx context.Context, policyDisplayName, groupDisplayName string) error
- func (s *KVAuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
- func (s *KVAuthService) DetachPolicyFromUserNoValidation(ctx context.Context, policyDisplayName, username string) error
- func (s *KVAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
- func (s *KVAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
- func (s *KVAuthService) GetGroup(ctx context.Context, groupDisplayName string) (*model.Group, error)
- func (s *KVAuthService) GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)
- func (s *KVAuthService) GetUser(ctx context.Context, username string) (*model.User, error)
- func (s *KVAuthService) GetUserByEmail(ctx context.Context, email string) (*model.User, error)
- func (s *KVAuthService) GetUserByExternalID(ctx context.Context, externalID string) (*model.User, error)
- func (s *KVAuthService) GetUserByID(ctx context.Context, userID string) (*model.User, error)
- func (s *KVAuthService) HashAndUpdatePassword(ctx context.Context, username string, password string) error
- func (s *KVAuthService) ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *KVAuthService) ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *KVAuthService) ListGroupUsers(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
- func (s *KVAuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
- func (s *KVAuthService) ListKVPaged(ctx context.Context, protoType protoreflect.MessageType, ...) ([]proto.Message, *model.Paginator, error)
- func (s *KVAuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *KVAuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)
- func (s *KVAuthService) ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
- func (s *KVAuthService) ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *KVAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
- func (s *KVAuthService) RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error
- func (s *KVAuthService) SecretStore() crypt.SecretStore
- func (s *KVAuthService) WritePolicy(ctx context.Context, policy *model.Policy) error
- type KVMetadataManager
- type LDAPAuthenticator
- type LRUCache
- type MetadataManager
- type Service
- type UserPoliciesSetFn
- type UserPredicate
- type UserSetFn
- Bugs
Constants ¶
const ( InstallationIDKeyName = "installation_id" SetupTimestampKeyName = "setup_timestamp" )
const ( AdminsGroup = "Admins" SuperUsersGroup = "SuperUsers" DevelopersGroup = "Developers" ViewersGroup = "Viewers" )
const (
DefaultInvitePasswordExpiration = 6 * time.Hour
)
const (
ResetPasswordAudience = "reset_password"
)
Variables ¶
var ( ErrNotFound = kv.ErrNotFound ErrAlreadyExists = errors.New("already exists") ErrNonUnique = errors.New("more than one user found") ErrInvalidArn = errors.New("invalid ARN") ErrInsufficientPermissions = errors.New("insufficient permissions") ErrInvalidAccessKeyID = errors.New("invalid access key ID") ErrInvalidSecretAccessKey = errors.New("invalid secret access key") ErrUnexpectedStatusCode = errors.New("unexpected status code") ErrUnexpectedSigningMethod = errors.New("unexpected signing method") ErrInvalidToken = errors.New("invalid token") ErrInvalidRequest = errors.New("invalid request") )
Functions ¶
func AddAdminUser ¶
func AddAdminUser(ctx context.Context, authService Service, user *model.SuperuserConfiguration) (*model.Credential, error)
func CreateInitialAdminUser ¶
func CreateInitialAdminUser(ctx context.Context, authService Service, metadataManger MetadataManager, username string) (*model.Credential, error)
func CreateInitialAdminUserWithKeys ¶
func CreateInitialAdminUserWithKeys(ctx context.Context, authService Service, metadataManger MetadataManager, username string, accessKeyID *string, secretAccessKey *string) (*model.Credential, error)
func GenerateJWTResetPassword ¶ added in v0.69.0
func GenerateJWTResetPassword(secret []byte, email string, issuedAt, expiresAt time.Time) (string, error)
GenerateJWTResetPassword creates a jwt token with the field subject set the email passed.
func IsValidAccessKeyID ¶ added in v0.52.0
func ListEffectivePolicies ¶ added in v0.68.0
func SetupAdminUser ¶
func SetupAdminUser(ctx context.Context, authService Service, superuser *model.SuperuserConfiguration) (*model.Credential, error)
func SetupBaseGroups ¶
func ValidatePolicy ¶ added in v0.68.0
func VerifyToken ¶ added in v0.64.0
func VerifyToken(secret []byte, tokenString string) (*jwt.StandardClaims, error)
func VerifyTokenWithAudience ¶ added in v0.64.0
func VerifyTokenWithAudience(secret []byte, token, audience string) (*jwt.StandardClaims, error)
Types ¶
type APIAuthService ¶ added in v0.63.0
type APIAuthService struct {
// contains filtered or unexported fields
}
func NewAPIAuthService ¶ added in v0.63.0
func NewAPIAuthService(apiEndpoint, token string, secretStore crypt.SecretStore, cacheConf params.ServiceCache, timeout *time.Duration, emailer *email.Emailer) (*APIAuthService, error)
func NewAPIAuthServiceWithClient ¶ added in v0.70.0
func NewAPIAuthServiceWithClient(client ClientWithResponsesInterface, secretStore crypt.SecretStore, cacheConf params.ServiceCache) (*APIAuthService, error)
func (*APIAuthService) AddCredentials ¶ added in v0.63.0
func (a *APIAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
func (*APIAuthService) AddUserToGroup ¶ added in v0.63.0
func (a *APIAuthService) AddUserToGroup(ctx context.Context, username, groupDisplayName string) error
func (*APIAuthService) AttachPolicyToGroup ¶ added in v0.63.0
func (a *APIAuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
func (*APIAuthService) AttachPolicyToUser ¶ added in v0.63.0
func (a *APIAuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error
func (*APIAuthService) Authorize ¶ added in v0.63.0
func (a *APIAuthService) Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
func (*APIAuthService) Cache ¶ added in v0.68.0
func (a *APIAuthService) Cache() Cache
func (*APIAuthService) ClaimTokenIDOnce ¶ added in v0.64.0
func (*APIAuthService) CreateCredentials ¶ added in v0.63.0
func (a *APIAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
func (*APIAuthService) CreateGroup ¶ added in v0.63.0
func (*APIAuthService) CreateUser ¶ added in v0.63.0
func (*APIAuthService) DeleteCredentials ¶ added in v0.63.0
func (a *APIAuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error
func (*APIAuthService) DeleteGroup ¶ added in v0.63.0
func (a *APIAuthService) DeleteGroup(ctx context.Context, groupDisplayName string) error
func (*APIAuthService) DeletePolicy ¶ added in v0.63.0
func (a *APIAuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error
func (*APIAuthService) DeleteUser ¶ added in v0.63.0
func (a *APIAuthService) DeleteUser(ctx context.Context, username string) error
func (*APIAuthService) DetachPolicyFromGroup ¶ added in v0.63.0
func (a *APIAuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
func (*APIAuthService) DetachPolicyFromUser ¶ added in v0.63.0
func (a *APIAuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
func (*APIAuthService) GetCredentials ¶ added in v0.63.0
func (a *APIAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
func (*APIAuthService) GetCredentialsForUser ¶ added in v0.63.0
func (a *APIAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
func (*APIAuthService) GetUserByEmail ¶ added in v0.63.0
func (*APIAuthService) GetUserByExternalID ¶ added in v0.69.0
func (*APIAuthService) GetUserByID ¶ added in v0.63.0
func (*APIAuthService) HashAndUpdatePassword ¶ added in v0.63.0
func (*APIAuthService) InviteUser ¶ added in v0.69.0
func (a *APIAuthService) InviteUser(ctx context.Context, email string) error
func (*APIAuthService) IsInviteSupported ¶ added in v0.69.0
func (a *APIAuthService) IsInviteSupported() bool
func (*APIAuthService) ListEffectivePolicies ¶ added in v0.63.0
func (*APIAuthService) ListGroupPolicies ¶ added in v0.63.0
func (*APIAuthService) ListGroupUsers ¶ added in v0.63.0
func (*APIAuthService) ListGroups ¶ added in v0.63.0
func (a *APIAuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
func (*APIAuthService) ListPolicies ¶ added in v0.63.0
func (a *APIAuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
func (*APIAuthService) ListUserCredentials ¶ added in v0.63.0
func (a *APIAuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)
func (*APIAuthService) ListUserGroups ¶ added in v0.63.0
func (*APIAuthService) ListUserPolicies ¶ added in v0.63.0
func (*APIAuthService) ListUsers ¶ added in v0.63.0
func (a *APIAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
func (*APIAuthService) RemoveUserFromGroup ¶ added in v0.63.0
func (a *APIAuthService) RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error
func (*APIAuthService) SecretStore ¶ added in v0.63.0
func (a *APIAuthService) SecretStore() crypt.SecretStore
func (*APIAuthService) WritePolicy ¶ added in v0.63.0
type Arn ¶
type Authenticator ¶ added in v0.53.0
type Authenticator interface { // AuthenticateUser authenticates a user matching username and // password and returns their ID. AuthenticateUser(ctx context.Context, username, password string) (string, error) }
Authenticator authenticates users returning an identifier for the user. (Currently it handles only username+password single-step authentication. This interface will need to change significantly in order to support challenge-response protocols.)
func NewChainAuthenticator ¶ added in v0.53.0
func NewChainAuthenticator(auth ...Authenticator) Authenticator
NewChainAuthenticator returns an Authenticator that authenticates users by trying each auth in order.
type AuthorizationRequest ¶
type AuthorizationRequest struct { Username string RequiredPermissions permissions.Node }
type AuthorizationResponse ¶
type Authorizer ¶ added in v0.69.0
type Authorizer interface { // Authorize checks 'req' containing user and required permissions. An error returns in case we fail perform the request. // AuthorizationResponse holds if the request allowed and Error in case we fail with additional reason as ErrInsufficientPermissions. Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error) }
type BuiltinAuthenticator ¶ added in v0.53.0
type BuiltinAuthenticator struct {
// contains filtered or unexported fields
}
BuiltinAuthenticator authenticates users by their access key IDs and passwords stored in the auth service.
func NewBuiltinAuthenticator ¶ added in v0.53.0
func NewBuiltinAuthenticator(service Service) *BuiltinAuthenticator
func (*BuiltinAuthenticator) AuthenticateUser ¶ added in v0.53.0
func (*BuiltinAuthenticator) String ¶ added in v0.62.0
func (ba *BuiltinAuthenticator) String() string
type Cache ¶
type Cache interface { GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error) GetUser(key userKey, setFn UserSetFn) (*model.User, error) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error) }
type ChainAuthenticator ¶ added in v0.53.0
type ChainAuthenticator []Authenticator
ChainAuthenticator authenticates users by trying each Authenticator in order, returning the last error in case all fail.
func (ChainAuthenticator) AuthenticateUser ¶ added in v0.53.0
type CheckResult ¶ added in v0.53.1
type CheckResult int
CheckResult - the final result for the authorization is accepted only if it's CheckAllow
const ( InvalidUserID = "" // CheckAllow Permission allowed CheckAllow CheckResult = iota // CheckNeutral Permission neither allowed nor denied CheckNeutral // CheckDeny Permission denied CheckDeny )
type CredentialSetFn ¶
type CredentialSetFn func() (*model.Credential, error)
type Credentialler ¶ added in v0.53.0
type Credentialler interface {
GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
}
Credentialler fetches S3-style credentials for access keys.
type CredentialsCreator ¶ added in v0.69.0
type DummyCache ¶
type DummyCache struct{}
DummyCache dummy cache that doesn't cache
func (*DummyCache) GetCredential ¶
func (d *DummyCache) GetCredential(_ string, setFn CredentialSetFn) (*model.Credential, error)
func (*DummyCache) GetUser ¶
func (d *DummyCache) GetUser(_ userKey, setFn UserSetFn) (*model.User, error)
func (*DummyCache) GetUserPolicies ¶
func (d *DummyCache) GetUserPolicies(_ string, setFn UserPoliciesSetFn) ([]*model.Policy, error)
type EmailAuthenticator ¶ added in v0.62.0
type EmailAuthenticator struct {
AuthService Service
}
func NewEmailAuthenticator ¶ added in v0.62.0
func NewEmailAuthenticator(service Service) *EmailAuthenticator
func (EmailAuthenticator) AuthenticateUser ¶ added in v0.62.0
func (EmailAuthenticator) String ¶ added in v0.62.0
func (e EmailAuthenticator) String() string
type EmailInviteHandler ¶ added in v0.70.0
type EmailInviteHandler struct {
// contains filtered or unexported fields
}
func NewEmailInviteHandler ¶ added in v0.70.0
func (*EmailInviteHandler) InviteUser ¶ added in v0.70.0
func (i *EmailInviteHandler) InviteUser(ctx context.Context, email string) error
func (*EmailInviteHandler) IsInviteSupported ¶ added in v0.70.0
func (i *EmailInviteHandler) IsInviteSupported() bool
type GatewayService ¶ added in v0.65.0
type InviteHandler ¶ added in v0.69.0
type KVAuthService ¶ added in v0.68.0
type KVAuthService struct { *EmailInviteHandler // contains filtered or unexported fields }
func NewKVAuthService ¶ added in v0.68.0
func NewKVAuthService(store *kv.StoreMessage, secretStore crypt.SecretStore, emailer *email.Emailer, cacheConf params.ServiceCache, logger logging.Logger) *KVAuthService
func (*KVAuthService) AddCredentials ¶ added in v0.68.0
func (s *KVAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
func (*KVAuthService) AddUserToGroup ¶ added in v0.68.0
func (s *KVAuthService) AddUserToGroup(ctx context.Context, username, groupDisplayName string) error
func (*KVAuthService) AttachPolicyToGroup ¶ added in v0.68.0
func (s *KVAuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
func (*KVAuthService) AttachPolicyToUser ¶ added in v0.68.0
func (*KVAuthService) Authorize ¶ added in v0.68.0
func (s *KVAuthService) Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
func (*KVAuthService) Cache ¶ added in v0.68.0
func (s *KVAuthService) Cache() Cache
func (*KVAuthService) ClaimTokenIDOnce ¶ added in v0.68.0
func (*KVAuthService) CreateCredentials ¶ added in v0.68.0
func (s *KVAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
func (*KVAuthService) CreateGroup ¶ added in v0.68.0
func (*KVAuthService) CreateUser ¶ added in v0.68.0
func (*KVAuthService) DeleteCredentials ¶ added in v0.68.0
func (s *KVAuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error
func (*KVAuthService) DeleteGroup ¶ added in v0.68.0
func (s *KVAuthService) DeleteGroup(ctx context.Context, groupDisplayName string) error
func (*KVAuthService) DeletePolicy ¶ added in v0.68.0
func (s *KVAuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error
func (*KVAuthService) DeleteUser ¶ added in v0.68.0
func (s *KVAuthService) DeleteUser(ctx context.Context, username string) error
func (*KVAuthService) DetachPolicyFromGroup ¶ added in v0.68.0
func (s *KVAuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
func (*KVAuthService) DetachPolicyFromGroupNoValidation ¶ added in v0.68.0
func (s *KVAuthService) DetachPolicyFromGroupNoValidation(ctx context.Context, policyDisplayName, groupDisplayName string) error
func (*KVAuthService) DetachPolicyFromUser ¶ added in v0.68.0
func (s *KVAuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
func (*KVAuthService) DetachPolicyFromUserNoValidation ¶ added in v0.68.0
func (s *KVAuthService) DetachPolicyFromUserNoValidation(ctx context.Context, policyDisplayName, username string) error
func (*KVAuthService) GetCredentials ¶ added in v0.68.0
func (s *KVAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
func (*KVAuthService) GetCredentialsForUser ¶ added in v0.68.0
func (s *KVAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
func (*KVAuthService) GetUserByEmail ¶ added in v0.68.0
func (*KVAuthService) GetUserByExternalID ¶ added in v0.69.0
func (*KVAuthService) GetUserByID ¶ added in v0.68.0
GetUserByID TODO(niro): In KV ID == username, Remove this method when DB implementation is deleted
func (*KVAuthService) HashAndUpdatePassword ¶ added in v0.68.0
func (*KVAuthService) ListEffectivePolicies ¶ added in v0.68.0
func (*KVAuthService) ListGroupPolicies ¶ added in v0.68.0
func (*KVAuthService) ListGroupUsers ¶ added in v0.68.0
func (*KVAuthService) ListGroups ¶ added in v0.68.0
func (s *KVAuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
func (*KVAuthService) ListKVPaged ¶ added in v0.68.0
func (s *KVAuthService) ListKVPaged(ctx context.Context, protoType protoreflect.MessageType, params *model.PaginationParams, prefix []byte, secondary bool) ([]proto.Message, *model.Paginator, error)
func (*KVAuthService) ListPolicies ¶ added in v0.68.0
func (s *KVAuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
func (*KVAuthService) ListUserCredentials ¶ added in v0.68.0
func (s *KVAuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)
func (*KVAuthService) ListUserGroups ¶ added in v0.68.0
func (*KVAuthService) ListUserPolicies ¶ added in v0.68.0
func (*KVAuthService) ListUsers ¶ added in v0.68.0
func (s *KVAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
func (*KVAuthService) RemoveUserFromGroup ¶ added in v0.68.0
func (s *KVAuthService) RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error
func (*KVAuthService) SecretStore ¶ added in v0.68.0
func (s *KVAuthService) SecretStore() crypt.SecretStore
func (*KVAuthService) WritePolicy ¶ added in v0.68.0
type KVMetadataManager ¶ added in v0.69.0
type KVMetadataManager struct {
// contains filtered or unexported fields
}
func NewKVMetadataManager ¶ added in v0.69.0
func NewKVMetadataManager(version, fixedInstallationID, kvType string, store kv.Store) *KVMetadataManager
func (*KVMetadataManager) IsInitialized ¶ added in v0.69.0
func (m *KVMetadataManager) IsInitialized(ctx context.Context) (bool, error)
func (*KVMetadataManager) UpdateSetupTimestamp ¶ added in v0.69.0
type LDAPAuthenticator ¶ added in v0.53.0
type LDAPAuthenticator struct { AuthService Service MakeLDAPConn func(ctx context.Context) (*ldap.Conn, error) BindDN string BindPassword string BaseSearchRequest ldap.SearchRequest UsernameAttribute string DefaultUserGroup string // contains filtered or unexported fields }
LDAPAuthenticator authenticates users on an LDAP server. It currently supports only simple authentication.
func (*LDAPAuthenticator) AuthenticateUser ¶ added in v0.53.0
func (*LDAPAuthenticator) String ¶ added in v0.62.0
func (la *LDAPAuthenticator) String() string
type LRUCache ¶
type LRUCache struct {
// contains filtered or unexported fields
}
func (*LRUCache) GetCredential ¶
func (c *LRUCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)
func (*LRUCache) GetUserPolicies ¶
type MetadataManager ¶
type Service ¶
type Service interface { InviteHandler SecretStore() crypt.SecretStore Cache() Cache // users CreateUser(ctx context.Context, user *model.User) (string, error) DeleteUser(ctx context.Context, username string) error GetUserByID(ctx context.Context, userID string) (*model.User, error) GetUser(ctx context.Context, username string) (*model.User, error) GetUserByExternalID(ctx context.Context, externalID string) (*model.User, error) GetUserByEmail(ctx context.Context, email string) (*model.User, error) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error) // groups CreateGroup(ctx context.Context, group *model.Group) error DeleteGroup(ctx context.Context, groupDisplayName string) error GetGroup(ctx context.Context, groupDisplayName string) (*model.Group, error) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error) // group<->user memberships AddUserToGroup(ctx context.Context, username, groupDisplayName string) error RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error) ListGroupUsers(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error) // policies WritePolicy(ctx context.Context, policy *model.Policy) error GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error) DeletePolicy(ctx context.Context, policyDisplayName string) error ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error) // credentials CredentialsCreator AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error) DeleteCredentials(ctx context.Context, username, accessKeyID string) error GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error) HashAndUpdatePassword(ctx context.Context, username string, password string) error // policy<->user attachments AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error) ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error) // policy<->group attachments AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error) Authorizer ClaimTokenIDOnce(ctx context.Context, tokenID string, expiresAt int64) error }
type UserPoliciesSetFn ¶
type UserPredicate ¶ added in v0.69.0
Notes ¶
Bugs ¶
This parser does not handle resource types. Handling resource types is
subtle: they may be separated from resource IDs by a colon OR by a slash. For an example of a resource type, see ECS[1] (uses only slash separators). That colons are an acceptable separator appears in [2], so a workaround to this limitation is to use a slash. [1] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources [2] https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arns-syntax