auth

package
Published: Jan 8, 2023 License: Apache-2.0 Imports: 34 Imported by: 0


Constants

// Keys under which the installation metadata and the operator's communication
// preferences are stored (see CommPrefs and KVMetadataManager). These names
// are part of the on-disk KV layout: changing one orphans the existing value.
// NOTE(review): as the key name says, EmailKeyName holds an *encoded* form of
// the email — confirm the encoding in UpdateCommPrefs before reading it back
// as plaintext anywhere.
const (
	InstallationIDKeyName  = "installation_id"
	SetupTimestampKeyName  = "setup_timestamp"
	CommPrefsSetKeyName    = "comm_prefs_set"
	EmailKeyName           = "encoded_user_email"
	FeatureUpdatesKeyName  = "feature_updates"
	SecurityUpdatesKeyName = "security_updates"
)
// Display names of the built-in groups, presumably created by SetupBaseGroups.
// Display names are the lookup keys taken by AddUserToGroup and
// AttachPolicyToGroup (both accept a groupDisplayName), so these strings, not
// numeric IDs, are what binds users and policies to a group. AdminsGroup is
// the one the initial admin user (AddAdminUser / CreateInitialAdminUser) is
// expected to land in — confirm in SetupAdminUser.
const (
	AdminsGroup     = "Admins"
	SuperUsersGroup = "SuperUsers"
	DevelopersGroup = "Developers"
	ViewersGroup    = "Viewers"
)
// DefaultInvitePasswordExpiration bounds how long the credential issued to an
// invited user stays usable (six hours). NOTE(review): whether this applies to
// a temporary password or to the expiresAt of a GenerateJWTResetPassword token
// is not visible in this listing — check InviteUser. Either way it is a window
// in which a leaked invitation email grants account access, so keep it short.
const (
	DefaultInvitePasswordExpiration = 6 * time.Hour
)
// ResetPasswordAudience is the JWT audience (aud) value for password-reset
// tokens. Verify such tokens with VerifyTokenWithAudience(secret, token,
// ResetPasswordAudience) rather than VerifyToken: VerifyToken takes no
// audience, so it cannot tell a reset token from any other token signed with
// the same secret.
const (
	ResetPasswordAudience = "reset_password"
)

Variables

// Sentinel errors returned by this package. Compare with errors.Is, since
// implementations may wrap them.
//
// NOTE(review): ErrUserNotFound, ErrInvalidAccessKeyID and
// ErrInvalidSecretAccessKey are distinct, which is convenient internally, but
// an API handler that forwards them verbatim tells a client whether a given
// user or key ID exists. Collapse them to one generic authentication failure
// at the HTTP edge.
var (
	// ErrNotFound aliases the KV store's not-found error so callers can
	// check either name.
	ErrNotFound                = kv.ErrNotFound
	ErrAlreadyExists           = errors.New("already exists")
	// ErrNonUnique: a lookup by a non-unique attribute (presumably
	// GetUserByEmail / GetUserByExternalID) matched more than one user.
	ErrNonUnique               = errors.New("more than one user found")
	// ErrInvalidArn is returned by ParseARN for malformed input.
	ErrInvalidArn              = errors.New("invalid ARN")
	// ErrInsufficientPermissions is the reason carried in
	// AuthorizationResponse.Error when a request is denied.
	ErrInsufficientPermissions = errors.New("insufficient permissions")
	ErrInvalidAccessKeyID      = errors.New("invalid access key ID")
	ErrInvalidSecretAccessKey  = errors.New("invalid secret access key")
	// ErrUnexpectedStatusCode: the remote auth API (APIAuthService) answered
	// with a status the client does not handle.
	ErrUnexpectedStatusCode    = errors.New("unexpected status code")
	// ErrUnexpectedSigningMethod: a JWT whose alg header differs from the
	// method this package signs with; presumably raised by VerifyToken so the
	// header is never trusted to pick the verification algorithm.
	ErrUnexpectedSigningMethod = errors.New("unexpected signing method")
	ErrInvalidToken            = errors.New("invalid token")
	ErrInvalidRequest          = errors.New("invalid request")
	ErrUserNotFound            = errors.New("user not found")
)

Functions

func AddAdminUser

func AddAdminUser(ctx context.Context, authService Service, user *model.SuperuserConfiguration) (*model.Credential, error)

func ArnMatch

func ArnMatch(src, dst string) bool

func CreateInitialAdminUser

func CreateInitialAdminUser(ctx context.Context, authService Service, metadataManger MetadataManager, username string) (*model.Credential, error)

func CreateInitialAdminUserWithKeys

func CreateInitialAdminUserWithKeys(ctx context.Context, authService Service, metadataManger MetadataManager, username string, accessKeyID *string, secretAccessKey *string) (*model.Credential, error)

func GenerateJWTResetPassword added in v0.69.0

func GenerateJWTResetPassword(secret []byte, email string, issuedAt, expiresAt time.Time) (string, error)

GenerateJWTResetPassword creates a JWT whose subject (sub) claim is set to the given email, whose validity is bounded by issuedAt and expiresAt, and which is signed with secret. NOTE(review): this listing does not show whether the audience claim is set to ResetPasswordAudience — confirm it is, and verify these tokens with VerifyTokenWithAudience(secret, token, ResetPasswordAudience) rather than VerifyToken, so a reset token cannot be presented where a differently-purposed token is expected. Pair it with Service.ClaimTokenIDOnce so a reset link works only once.

func GetUser added in v0.87.0

func GetUser(ctx context.Context) (*model.User, error)

func IsValidAccessKeyID added in v0.52.0

func IsValidAccessKeyID(key string) bool

func ListEffectivePolicies added in v0.68.0

func ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams, getEffectivePolicies effectivePoliciesGetter, cache Cache) ([]*model.Policy, *model.Paginator, error)

func SetupAdminUser

func SetupAdminUser(ctx context.Context, authService Service, superuser *model.SuperuserConfiguration) (*model.Credential, error)

func SetupBaseGroups

func SetupBaseGroups(ctx context.Context, authService Service, ts time.Time) error

func ValidatePolicy added in v0.68.0

func ValidatePolicy(policy *model.Policy) error

func VerifyToken added in v0.64.0

func VerifyToken(secret []byte, tokenString string) (*jwt.StandardClaims, error)

func VerifyTokenWithAudience added in v0.64.0

func VerifyTokenWithAudience(secret []byte, token, audience string) (*jwt.StandardClaims, error)

func WithUser added in v0.87.0

func WithUser(ctx context.Context, user *model.User) context.Context

Types

type APIAuthService added in v0.63.0

// APIAuthService implements Service by delegating every operation to a remote
// auth API (NewAPIAuthService takes the endpoint and a token for it), keeping
// only a local SecretStore and Cache. NOTE(review): the token passed to
// NewAPIAuthService authenticates this server to the remote API — treat it as
// a secret in configuration and logs.
type APIAuthService struct {
	// contains filtered or unexported fields
}

func NewAPIAuthService added in v0.63.0

func NewAPIAuthService(apiEndpoint, token string, secretStore crypt.SecretStore, cacheConf params.ServiceCache, timeout *time.Duration, emailer *email.Emailer) (*APIAuthService, error)

func NewAPIAuthServiceWithClient added in v0.70.0

func NewAPIAuthServiceWithClient(client ClientWithResponsesInterface, secretStore crypt.SecretStore, cacheConf params.ServiceCache) (*APIAuthService, error)

func (*APIAuthService) AddCredentials added in v0.63.0

func (a *APIAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)

func (*APIAuthService) AddUserToGroup added in v0.63.0

func (a *APIAuthService) AddUserToGroup(ctx context.Context, username, groupDisplayName string) error

func (*APIAuthService) AttachPolicyToGroup added in v0.63.0

func (a *APIAuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error

func (*APIAuthService) AttachPolicyToUser added in v0.63.0

func (a *APIAuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error

func (*APIAuthService) Authorize added in v0.63.0

func (*APIAuthService) Cache added in v0.68.0

func (a *APIAuthService) Cache() Cache

func (*APIAuthService) ClaimTokenIDOnce added in v0.64.0

func (a *APIAuthService) ClaimTokenIDOnce(ctx context.Context, tokenID string, expiresAt int64) error

func (*APIAuthService) CreateCredentials added in v0.63.0

func (a *APIAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)

func (*APIAuthService) CreateGroup added in v0.63.0

func (a *APIAuthService) CreateGroup(ctx context.Context, group *model.Group) error

func (*APIAuthService) CreateUser added in v0.63.0

func (a *APIAuthService) CreateUser(ctx context.Context, user *model.User) (string, error)

func (*APIAuthService) DeleteCredentials added in v0.63.0

func (a *APIAuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error

func (*APIAuthService) DeleteGroup added in v0.63.0

func (a *APIAuthService) DeleteGroup(ctx context.Context, groupDisplayName string) error

func (*APIAuthService) DeletePolicy added in v0.63.0

func (a *APIAuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error

func (*APIAuthService) DeleteUser added in v0.63.0

func (a *APIAuthService) DeleteUser(ctx context.Context, username string) error

func (*APIAuthService) DetachPolicyFromGroup added in v0.63.0

func (a *APIAuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error

func (*APIAuthService) DetachPolicyFromUser added in v0.63.0

func (a *APIAuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error

func (*APIAuthService) GetCredentials added in v0.63.0

func (a *APIAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)

func (*APIAuthService) GetCredentialsForUser added in v0.63.0

func (a *APIAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)

func (*APIAuthService) GetGroup added in v0.63.0

func (a *APIAuthService) GetGroup(ctx context.Context, groupDisplayName string) (*model.Group, error)

func (*APIAuthService) GetPolicy added in v0.63.0

func (a *APIAuthService) GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)

func (*APIAuthService) GetUser added in v0.63.0

func (a *APIAuthService) GetUser(ctx context.Context, username string) (*model.User, error)

func (*APIAuthService) GetUserByEmail added in v0.63.0

func (a *APIAuthService) GetUserByEmail(ctx context.Context, email string) (*model.User, error)

func (*APIAuthService) GetUserByExternalID added in v0.69.0

func (a *APIAuthService) GetUserByExternalID(ctx context.Context, externalID string) (*model.User, error)

func (*APIAuthService) GetUserByID added in v0.63.0

func (a *APIAuthService) GetUserByID(ctx context.Context, userID string) (*model.User, error)

func (*APIAuthService) HashAndUpdatePassword added in v0.63.0

func (a *APIAuthService) HashAndUpdatePassword(ctx context.Context, username string, password string) error

func (*APIAuthService) InviteUser added in v0.69.0

func (a *APIAuthService) InviteUser(ctx context.Context, email string) error

func (*APIAuthService) IsInviteSupported added in v0.69.0

func (a *APIAuthService) IsInviteSupported() bool

func (*APIAuthService) ListEffectivePolicies added in v0.63.0

func (a *APIAuthService) ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*APIAuthService) ListGroupPolicies added in v0.63.0

func (a *APIAuthService) ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*APIAuthService) ListGroupUsers added in v0.63.0

func (a *APIAuthService) ListGroupUsers(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

func (*APIAuthService) ListGroups added in v0.63.0

func (a *APIAuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

func (*APIAuthService) ListPolicies added in v0.63.0

func (a *APIAuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*APIAuthService) ListUserCredentials added in v0.63.0

func (a *APIAuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)

func (*APIAuthService) ListUserGroups added in v0.63.0

func (a *APIAuthService) ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

func (*APIAuthService) ListUserPolicies added in v0.63.0

func (a *APIAuthService) ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*APIAuthService) ListUsers added in v0.63.0

func (a *APIAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

func (*APIAuthService) RemoveUserFromGroup added in v0.63.0

func (a *APIAuthService) RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error

func (*APIAuthService) SecretStore added in v0.63.0

func (a *APIAuthService) SecretStore() crypt.SecretStore

func (*APIAuthService) WritePolicy added in v0.63.0

func (a *APIAuthService) WritePolicy(ctx context.Context, policy *model.Policy, update bool) error

type Arn

// Arn is the parsed form of an AWS-style ARN as produced by ParseARN.
// Resource types are not split out of ResourceID (see Bugs below); ArnMatch
// is the comparison callers should use rather than string equality.
type Arn struct {
	Partition  string
	Service    string
	Region     string
	AccountID  string
	ResourceID string
}

func ParseARN

func ParseARN(arnString string) (*Arn, error)

type AuthService added in v0.89.0

// AuthService is the KV-backed Service implementation (see NewAuthService).
// It embeds *EmailInviteHandler, which supplies InviteUser/IsInviteSupported.
// NOTE(review): the *NoValidation variants of DetachPolicyFromGroup/User skip
// whatever checks the plain methods perform; keep them out of API handlers.
type AuthService struct {
	*EmailInviteHandler
	// contains filtered or unexported fields
}

func NewAuthService added in v0.89.0

func NewAuthService(store *kv.StoreMessage, secretStore crypt.SecretStore, emailer *email.Emailer, cacheConf params.ServiceCache, logger logging.Logger) *AuthService

func (*AuthService) AddCredentials added in v0.89.0

func (s *AuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)

func (*AuthService) AddUserToGroup added in v0.89.0

func (s *AuthService) AddUserToGroup(ctx context.Context, username, groupDisplayName string) error

func (*AuthService) AttachPolicyToGroup added in v0.89.0

func (s *AuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error

func (*AuthService) AttachPolicyToUser added in v0.89.0

func (s *AuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName string, username string) error

func (*AuthService) Authorize added in v0.89.0

func (*AuthService) Cache added in v0.89.0

func (s *AuthService) Cache() Cache

func (*AuthService) ClaimTokenIDOnce added in v0.89.0

func (s *AuthService) ClaimTokenIDOnce(ctx context.Context, tokenID string, expiresAt int64) error

func (*AuthService) CreateCredentials added in v0.89.0

func (s *AuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)

func (*AuthService) CreateGroup added in v0.89.0

func (s *AuthService) CreateGroup(ctx context.Context, group *model.Group) error

func (*AuthService) CreateUser added in v0.89.0

func (s *AuthService) CreateUser(ctx context.Context, user *model.User) (string, error)

func (*AuthService) DeleteCredentials added in v0.89.0

func (s *AuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error

func (*AuthService) DeleteGroup added in v0.89.0

func (s *AuthService) DeleteGroup(ctx context.Context, groupDisplayName string) error

func (*AuthService) DeletePolicy added in v0.89.0

func (s *AuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error

func (*AuthService) DeleteUser added in v0.89.0

func (s *AuthService) DeleteUser(ctx context.Context, username string) error

func (*AuthService) DetachPolicyFromGroup added in v0.89.0

func (s *AuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error

func (*AuthService) DetachPolicyFromGroupNoValidation added in v0.89.0

func (s *AuthService) DetachPolicyFromGroupNoValidation(ctx context.Context, policyDisplayName, groupDisplayName string) error

func (*AuthService) DetachPolicyFromUser added in v0.89.0

func (s *AuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error

func (*AuthService) DetachPolicyFromUserNoValidation added in v0.89.0

func (s *AuthService) DetachPolicyFromUserNoValidation(ctx context.Context, policyDisplayName, username string) error

func (*AuthService) GetCredentials added in v0.89.0

func (s *AuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)

func (*AuthService) GetCredentialsForUser added in v0.89.0

func (s *AuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)

func (*AuthService) GetGroup added in v0.89.0

func (s *AuthService) GetGroup(ctx context.Context, groupDisplayName string) (*model.Group, error)

func (*AuthService) GetPolicy added in v0.89.0

func (s *AuthService) GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)

func (*AuthService) GetUser added in v0.89.0

func (s *AuthService) GetUser(ctx context.Context, username string) (*model.User, error)

func (*AuthService) GetUserByEmail added in v0.89.0

func (s *AuthService) GetUserByEmail(ctx context.Context, email string) (*model.User, error)

func (*AuthService) GetUserByExternalID added in v0.89.0

func (s *AuthService) GetUserByExternalID(ctx context.Context, externalID string) (*model.User, error)

func (*AuthService) GetUserByID added in v0.89.0

func (s *AuthService) GetUserByID(ctx context.Context, userID string) (*model.User, error)

GetUserByID TODO(niro): in the KV implementation a user's ID is its username, so this method duplicates GetUser; remove it once the DB implementation is deleted.

func (*AuthService) HashAndUpdatePassword added in v0.89.0

func (s *AuthService) HashAndUpdatePassword(ctx context.Context, username string, password string) error

func (*AuthService) ListEffectivePolicies added in v0.89.0

func (s *AuthService) ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*AuthService) ListGroupPolicies added in v0.89.0

func (s *AuthService) ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*AuthService) ListGroupUsers added in v0.89.0

func (s *AuthService) ListGroupUsers(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

func (*AuthService) ListGroups added in v0.89.0

func (s *AuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

func (*AuthService) ListKVPaged added in v0.89.0

func (s *AuthService) ListKVPaged(ctx context.Context, protoType protoreflect.MessageType, params *model.PaginationParams, prefix []byte, secondary bool) ([]proto.Message, *model.Paginator, error)

func (*AuthService) ListPolicies added in v0.89.0

func (s *AuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*AuthService) ListUserCredentials added in v0.89.0

func (s *AuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)

func (*AuthService) ListUserGroups added in v0.89.0

func (s *AuthService) ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

func (*AuthService) ListUserPolicies added in v0.89.0

func (s *AuthService) ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*AuthService) ListUsers added in v0.89.0

func (s *AuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

func (*AuthService) RemoveUserFromGroup added in v0.89.0

func (s *AuthService) RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error

func (*AuthService) SecretStore added in v0.89.0

func (s *AuthService) SecretStore() crypt.SecretStore

func (*AuthService) WritePolicy added in v0.89.0

func (s *AuthService) WritePolicy(ctx context.Context, policy *model.Policy, update bool) error

type Authenticator added in v0.53.0

type Authenticator interface {
	// AuthenticateUser authenticates a user matching username and
	// password and returns their ID. A non-nil error means the attempt
	// failed and the returned ID must not be used.
	AuthenticateUser(ctx context.Context, username, password string) (string, error)
}

Authenticator authenticates users, returning an identifier for the user. (Currently it handles only single-step username+password authentication; the interface will need to change significantly to support challenge-response protocols.)

func NewChainAuthenticator added in v0.53.0

func NewChainAuthenticator(auth ...Authenticator) Authenticator

NewChainAuthenticator returns an Authenticator that authenticates users by trying each auth in order.

type AuthorizationRequest

// AuthorizationRequest asks whether Username holds every permission in
// RequiredPermissions. Username is the already-authenticated principal —
// Authorize does not authenticate, so callers must not fill this from
// untrusted request data.
type AuthorizationRequest struct {
	Username            string
	RequiredPermissions permissions.Node
}

type AuthorizationResponse

// AuthorizationResponse is the outcome of Authorizer.Authorize. Allowed is
// the decision; Error carries the reason when the request is not allowed
// (e.g. ErrInsufficientPermissions). Check Allowed, not Error == nil.
type AuthorizationResponse struct {
	Allowed bool
	Error   error
}

type Authorizer added in v0.69.0

type Authorizer interface {
	// Authorize evaluates req (a username plus the permissions it requires)
	// and reports the decision. A non-nil error means the check itself could
	// not be performed; callers must fail closed in that case. When the check
	// ran, AuthorizationResponse.Allowed holds the decision and its Error
	// field gives the reason for a denial, e.g. ErrInsufficientPermissions.
	Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
}

type BuiltinAuthenticator added in v0.53.0

// BuiltinAuthenticator is the Authenticator backed by the credentials held in
// the local auth Service (see NewBuiltinAuthenticator).
type BuiltinAuthenticator struct {
	// contains filtered or unexported fields
}

BuiltinAuthenticator authenticates users by their access key IDs and passwords stored in the auth service.

func NewBuiltinAuthenticator added in v0.53.0

func NewBuiltinAuthenticator(service Service) *BuiltinAuthenticator

func (*BuiltinAuthenticator) AuthenticateUser added in v0.53.0

func (ba *BuiltinAuthenticator) AuthenticateUser(ctx context.Context, username, password string) (string, error)

func (*BuiltinAuthenticator) String added in v0.62.0

func (ba *BuiltinAuthenticator) String() string

type Cache

// Cache is a read-through cache in front of the auth store: each Get* method
// returns the entry for its key or calls setFn to load and remember it.
// NOTE(review): anything served from here lags the store — a deleted
// credential or a detached policy keeps working until its entry expires (see
// NewLRUCache's expiry/jitter). Choose the TTL with that revocation delay in
// mind, or use DummyCache where staleness is unacceptable.
type Cache interface {
	GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)
	GetUser(key userKey, setFn UserSetFn) (*model.User, error)
	GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)
}

type ChainAuthenticator added in v0.53.0

// ChainAuthenticator is a list of Authenticators consulted in order; the first
// success wins, so the order decides which backend is authoritative for a
// username that exists in more than one.
type ChainAuthenticator []Authenticator

ChainAuthenticator authenticates users by trying each Authenticator in order, stopping at the first success and returning the last Authenticator's error if all fail. Because the first success wins, the chain's order decides which backend is authoritative for a username known to more than one of them.

func (ChainAuthenticator) AuthenticateUser added in v0.53.0

func (ca ChainAuthenticator) AuthenticateUser(ctx context.Context, username, password string) (string, error)

type CheckResult added in v0.53.1

// CheckResult is the outcome of evaluating the policies that apply to a
// request. Only CheckAllow grants access; see the constants below.
type CheckResult int

CheckResult is the outcome of evaluating the policies that apply to a request. Authorization is granted only when the final result is CheckAllow; CheckNeutral (no statement matched) is therefore a denial, not a default allow.

const (
	// InvalidUserID is the identifier presumably returned by an Authenticator
	// when no user could be established.
	InvalidUserID = ""

	// NOTE(review): CheckAllow is not the first constant spec in this block
	// (InvalidUserID precedes it, and pkg.go.dev omits any unexported
	// constants that sit between them), so iota is non-zero here and the zero
	// value of CheckResult matches none of the named results. That is
	// fail-closed for an uninitialized result compared against CheckAllow;
	// keep it that way if this block is ever reordered.
	// CheckAllow Permission allowed
	CheckAllow CheckResult = iota
	// CheckNeutral Permission neither allowed nor denied
	CheckNeutral
	// CheckDeny Permission denied
	CheckDeny
)

type CommPrefs added in v0.87.0

// CommPrefs is the operator's communication preferences as read and written
// by MetadataManager (GetCommPrefs/UpdateCommPrefs). UserEmail is personal
// data; EmailKeyName indicates it is stored in an encoded form.
type CommPrefs struct {
	UserEmail       string
	FeatureUpdates  bool
	SecurityUpdates bool
	InstallationID  string
}

type CredentialSetFn

// CredentialSetFn loads a credential on a cache miss (see Cache.GetCredential).
type CredentialSetFn func() (*model.Credential, error)

type Credentialler added in v0.53.0

// Credentialler resolves an access key ID to its stored credential. Callers
// compare the presented secret against the returned credential themselves;
// this interface performs no authentication.
type Credentialler interface {
	GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
}

Credentialler fetches S3-style credentials for access keys.

type CredentialsCreator added in v0.69.0

// CredentialsCreator mints a fresh access key pair for username. Unlike
// Service.AddCredentials the key material is generated server-side, which is
// the variant to prefer for API-driven credential creation.
type CredentialsCreator interface {
	CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
}

type DummyCache

// DummyCache is a Cache that never stores anything: each Get* call runs its
// setFn and returns the fresh result.
type DummyCache struct{}

DummyCache is a Cache that never stores anything: every Get* call runs its setFn and returns the fresh result. Use it in tests and wherever a stale credential or policy decision is unacceptable.

func (*DummyCache) GetCredential

func (d *DummyCache) GetCredential(_ string, setFn CredentialSetFn) (*model.Credential, error)

func (*DummyCache) GetUser

func (d *DummyCache) GetUser(_ userKey, setFn UserSetFn) (*model.User, error)

func (*DummyCache) GetUserPolicies

func (d *DummyCache) GetUserPolicies(_ string, setFn UserPoliciesSetFn) ([]*model.Policy, error)

type EmailAuthenticator added in v0.62.0

// EmailAuthenticator is an Authenticator that resolves the login name as an
// email address via AuthService (presumably GetUserByEmail) before checking
// the password — confirm in AuthenticateUser.
type EmailAuthenticator struct {
	AuthService Service
}

func NewEmailAuthenticator added in v0.62.0

func NewEmailAuthenticator(service Service) *EmailAuthenticator

func (EmailAuthenticator) AuthenticateUser added in v0.62.0

func (e EmailAuthenticator) AuthenticateUser(ctx context.Context, username, password string) (string, error)

func (EmailAuthenticator) String added in v0.62.0

func (e EmailAuthenticator) String() string

type EmailInviteHandler added in v0.70.0

// EmailInviteHandler implements InviteHandler by creating the invited user
// through a Service and sending the invitation with an email.Emailer (see
// NewEmailInviteHandler). IsInviteSupported presumably reports whether an
// emailer was configured.
type EmailInviteHandler struct {
	// contains filtered or unexported fields
}

func NewEmailInviteHandler added in v0.70.0

func NewEmailInviteHandler(svc Service, log logging.Logger, emailer *email.Emailer) *EmailInviteHandler

func (*EmailInviteHandler) InviteUser added in v0.70.0

func (i *EmailInviteHandler) InviteUser(ctx context.Context, email string) error

func (*EmailInviteHandler) IsInviteSupported added in v0.70.0

func (i *EmailInviteHandler) IsInviteSupported() bool

type GatewayService added in v0.65.0

// GatewayService is the subset of Service a gateway (presumably the S3
// gateway, given Credentialler's "S3-style" credentials) needs per request:
// resolve the access key, load its user, authorize the action. Both Service
// implementations satisfy it.
type GatewayService interface {
	GetCredentials(_ context.Context, accessKey string) (*model.Credential, error)
	GetUser(ctx context.Context, username string) (*model.User, error)
	Authorize(_ context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
}

type InviteHandler added in v0.69.0

// InviteHandler invites a user by email. IsInviteSupported lets callers hide
// or reject invitations when no delivery mechanism is configured instead of
// failing inside InviteUser.
type InviteHandler interface {
	InviteUser(ctx context.Context, email string) error
	IsInviteSupported() bool
}

type KVMetadataManager added in v0.69.0

// KVMetadataManager is the MetadataManager that keeps installation metadata
// (setup state, setup timestamp, communication preferences) in a kv.Store
// under the *KeyName constants above. See NewKVMetadataManager.
type KVMetadataManager struct {
	// contains filtered or unexported fields
}

func NewKVMetadataManager added in v0.69.0

func NewKVMetadataManager(version, fixedInstallationID, kvType string, store kv.Store) *KVMetadataManager

func (*KVMetadataManager) GetCommPrefs added in v0.87.0

func (m *KVMetadataManager) GetCommPrefs(ctx context.Context) (CommPrefs, error)

func (*KVMetadataManager) GetSetupState added in v0.87.0

func (m *KVMetadataManager) GetSetupState(ctx context.Context, emailSubscriptionEnabled bool) (SetupStateName, error)

func (*KVMetadataManager) IsInitialized added in v0.69.0

func (m *KVMetadataManager) IsInitialized(ctx context.Context) (bool, error)

func (*KVMetadataManager) UpdateCommPrefs added in v0.87.0

func (m *KVMetadataManager) UpdateCommPrefs(ctx context.Context, commPrefs CommPrefs) (string, error)

func (*KVMetadataManager) UpdateSetupTimestamp added in v0.69.0

func (m *KVMetadataManager) UpdateSetupTimestamp(ctx context.Context, ts time.Time) error

func (*KVMetadataManager) Write added in v0.69.0

func (m *KVMetadataManager) Write(ctx context.Context) (map[string]string, error)

type LDAPAuthenticator added in v0.53.0

// LDAPAuthenticator authenticates users against an LDAP directory and maps
// them to local users through AuthService.
//
// NOTE(review): BindPassword is the directory service account's secret and
// sits in an exported field — never log or %+v-print this struct. Simple bind
// sends the user's password in the clear, so MakeLDAPConn should return a TLS
// (LDAPS or StartTLS) connection.
type LDAPAuthenticator struct {
	AuthService Service

	// MakeLDAPConn opens the directory connection used for the bind.
	MakeLDAPConn      func(ctx context.Context) (*ldap.Conn, error)
	// BindDN / BindPassword identify the service account, presumably used to
	// search for the user's entry before binding as the user. Secret material.
	BindDN            string
	BindPassword      string
	// BaseSearchRequest is the template search; UsernameAttribute names the
	// attribute matched against the login name.
	BaseSearchRequest ldap.SearchRequest
	UsernameAttribute string
	// DefaultUserGroup is presumably the group a directory user is added to
	// when first seen locally — confirm in AuthenticateUser.
	DefaultUserGroup  string
	// contains filtered or unexported fields
}

LDAPAuthenticator authenticates users against an LDAP server. It currently supports only simple (DN + password) authentication, which transmits the password in the clear unless MakeLDAPConn returns a TLS (LDAPS or StartTLS) connection.

func (*LDAPAuthenticator) AuthenticateUser added in v0.53.0

func (la *LDAPAuthenticator) AuthenticateUser(ctx context.Context, username, password string) (string, error)

func (*LDAPAuthenticator) String added in v0.62.0

func (la *LDAPAuthenticator) String() string

type LRUCache

// LRUCache is the production Cache: a bounded LRU whose entries expire after
// expiry plus a random jitter (see NewLRUCache). The jitter spreads reloads;
// the expiry is also the upper bound on how long a revoked credential or
// detached policy remains effective.
type LRUCache struct {
	// contains filtered or unexported fields
}

func NewLRUCache

func NewLRUCache(size int, expiry, jitter time.Duration) *LRUCache

func (*LRUCache) GetCredential

func (c *LRUCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)

func (*LRUCache) GetUser

func (c *LRUCache) GetUser(key userKey, setFn UserSetFn) (*model.User, error)

func (*LRUCache) GetUserPolicies

func (c *LRUCache) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)

type MetadataManager

// MetadataManager tracks installation-level state: whether initial setup has
// run (IsInitialized / GetSetupState / UpdateSetupTimestamp) and the
// operator's CommPrefs. Write returns the metadata map as stored.
// NOTE(review): the setup endpoints that create the first admin are expected
// to gate on IsInitialized; an installation that reports false is open to
// anyone who can reach them.
type MetadataManager interface {
	IsInitialized(ctx context.Context) (bool, error)
	GetSetupState(ctx context.Context, emailSubscriptionEnabled bool) (SetupStateName, error)
	UpdateCommPrefs(ctx context.Context, commPrefs CommPrefs) (string, error)
	UpdateSetupTimestamp(context.Context, time.Time) error
	Write(context.Context) (map[string]string, error)
}

type Service

// Service is the full identity-and-access surface: user/group/policy CRUD,
// credential management, authorization, invitations and one-time token
// claiming. Two implementations appear in this package: AuthService
// (KV-backed) and APIAuthService (remote API).
type Service interface {
	InviteHandler

	SecretStore() crypt.SecretStore
	Cache() Cache

	// users
	CreateUser(ctx context.Context, user *model.User) (string, error)
	DeleteUser(ctx context.Context, username string) error
	GetUserByID(ctx context.Context, userID string) (*model.User, error)
	GetUser(ctx context.Context, username string) (*model.User, error)
	GetUserByExternalID(ctx context.Context, externalID string) (*model.User, error)
	GetUserByEmail(ctx context.Context, email string) (*model.User, error)
	ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

	// groups
	CreateGroup(ctx context.Context, group *model.Group) error
	DeleteGroup(ctx context.Context, groupDisplayName string) error
	GetGroup(ctx context.Context, groupDisplayName string) (*model.Group, error)
	ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

	// group<->user memberships
	AddUserToGroup(ctx context.Context, username, groupDisplayName string) error
	RemoveUserFromGroup(ctx context.Context, username, groupDisplayName string) error
	ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
	ListGroupUsers(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

	// policies
	// WritePolicy creates (update=false) or replaces (update=true) a policy;
	// run ValidatePolicy on caller-supplied documents first.
	WritePolicy(ctx context.Context, policy *model.Policy, update bool) error
	GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)
	DeletePolicy(ctx context.Context, policyDisplayName string) error
	ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	// credentials
	CredentialsCreator
	// AddCredentials stores a caller-supplied key pair instead of generating
	// one. NOTE(review): treat both values as untrusted input — check the ID
	// with IsValidAccessKeyID and prefer CreateCredentials from API handlers.
	AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
	DeleteCredentials(ctx context.Context, username, accessKeyID string) error
	// GetCredentialsForUser scopes the lookup to username, which is the
	// right call when a user manages their own keys; GetCredentials is the
	// unscoped lookup used during authentication.
	GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
	GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
	ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)
	// HashAndUpdatePassword replaces the user's password; by its name the
	// plaintext is hashed before storage — the algorithm is not visible here,
	// confirm it in the implementation.
	HashAndUpdatePassword(ctx context.Context, username string, password string) error

	// policy<->user attachments
	AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error
	DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
	ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
	// ListEffectivePolicies is the union of the user's direct policies and
	// those of its groups — the set Authorize decides on.
	ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	// policy<->group attachments
	AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
	DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error
	ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	Authorizer

	// ClaimTokenIDOnce records tokenID as consumed until expiresAt (Unix
	// seconds) and is presumably expected to fail on a second claim of the
	// same ID — the replay guard for single-use tokens such as password-reset
	// JWTs. Verify the token's signature and audience before claiming its ID,
	// and only act on the token if the claim succeeded.
	ClaimTokenIDOnce(ctx context.Context, tokenID string, expiresAt int64) error
}

type SetupStateName added in v0.87.0

// SetupStateName is the installation's setup progress as reported by
// MetadataManager.GetSetupState.
type SetupStateName string
const (
	// SetupStateInitialized: setup has completed (presumably an admin user
	// exists and the setup timestamp is recorded).
	SetupStateInitialized    SetupStateName = "initialized"
	// SetupStateNotInitialized: nothing has been set up yet; the initial
	// admin can still be created.
	SetupStateNotInitialized SetupStateName = "not_initialized"
	// SetupStateCommPrefsDone: communication preferences were recorded but
	// setup is otherwise incomplete — confirm the exact transition in
	// GetSetupState.
	SetupStateCommPrefsDone  SetupStateName = "comm_prefs_done"
)

type UserPoliciesSetFn

// UserPoliciesSetFn loads a user's policies on a cache miss (see Cache.GetUserPolicies).
type UserPoliciesSetFn func() ([]*model.Policy, error)

type UserPredicate added in v0.69.0

// UserPredicate filters users by their stored data; its callers are not
// visible in this listing.
type UserPredicate func(u *model.UserData) bool

type UserSetFn

// UserSetFn loads a user on a cache miss (see Cache.GetUser).
type UserSetFn func() (*model.User, error)

Notes

Bugs

  • ParseARN does not handle resource types. Handling them is subtle: a
    resource type may be separated from the resource ID by a colon OR by a
    slash. For an example of a resource type see ECS [1] (which uses only
    slash separators); that colons are also an acceptable separator appears
    in [2]. Until this is addressed, use a slash as the separator so the
    type stays part of ResourceID and ArnMatch still compares the whole
    resource string.
    
    [1] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources
    [2] https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arns-syntax
    
