acl

package
v1.42.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 5, 2024 License: Apache-2.0 Imports: 31 Imported by: 0

Documentation

Overview

nolint:stylecheck

Index

Constants

View Source 
const (
	// ReadPermission allows reading the specified repositories, as well as
	// managing own credentials.
	ReadPermission model.ACLPermission = "Read"
	// WritePermission allows reading and writing the specified repositories,
	// as well as managing own credentials.
	WritePermission model.ACLPermission = "Write"
	// SuperPermission allows reading, writing, and all other actions on the
	// specified repositories, as well as managing own credentials.
	SuperPermission model.ACLPermission = "Super"
	// AdminPermission allows all operations, including all reading, writing,
	// and all other actions on all repositories, and managing
	// authorization and credentials of all users.
	AdminPermission model.ACLPermission = "Admin"
)
View Source 
const (
	AdminsGroup  = "Admins"
	SupersGroup  = "Supers"
	WritersGroup = "Writers"
	ReadersGroup = "Readers"
)
View Source 
const (
	BaseURL = "/api/v1"
)
View Source 
const DefaultListenAddress = "0.0.0.0:8001"
View Source 
const DefaultMaxPerPage int = 1000

DefaultMaxPerPage is the maximum amount of results returned for paginated queries to the API

View Source 
const PolicyPrefix = "ACL(_-_)"
View Source 
const ServerPartitionKey = "aclauth"

Variables

View Source 
var (
	ErrBadConfiguration = errors.New("bad configuration")
	ErrMissingSecretKey = fmt.Errorf("%w: encrypt.secret_key cannot be empty", ErrBadConfiguration)
)
View Source 
var (
	ErrBadACLPermission = fmt.Errorf("%w: Bad ACL permission", model.ErrValidationError)
)
View Source 
var ErrInvalidAPIEndpoint = errors.New("invalid API endpoint")

Functions

func ACLToStatement 

func ACLToStatement(acl model.ACL) (model.Statements, error)

func CreateACLBaseGroups 

func CreateACLBaseGroups(ctx context.Context, authService auth.Service, ts time.Time) error

func InvalidAPIEndpointHandler 

func InvalidAPIEndpointHandler(w http.ResponseWriter, _ *http.Request)

InvalidAPIEndpointHandler returns ErrInvalidAPIEndpoint, and is currently being used to ensure that routes under the pattern it is used with in chi.Router.Mount (i.e. /api/v1) are not accessible.

func IsInitialized 

func IsInitialized(ctx context.Context, authService *AuthService) (bool, error)

func IsPolicyName 

func IsPolicyName(policyName string) bool

func IsValidAccessKeyID 

func IsValidAccessKeyID(key string) bool

func ListEffectivePolicies 

func ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams, getEffectivePolicies effectivePoliciesGetter, cache auth.Cache) ([]*model.Policy, *model.Paginator, error)

func OapiRequestValidatorWithOptions 

func OapiRequestValidatorWithOptions(swagger *openapi3.Swagger, options *openapi3filter.Options) func(http.Handler) http.Handler

OapiRequestValidatorWithOptions Creates middleware to validate request by swagger spec. This middleware is good for net/http either since go-chi is 100% compatible with net/http. The original implementation can be found at https://github.com/deepmap/oapi-codegen/blob/master/pkg/chi-middleware/oapi_validate.go Used our own implementation in order to:

  1. Use the latest version kin-openapi (can switch back when oapi-codegen will be updated)
  2. For file upload wanted to skip body validation for two reasons: a. didn't find a way for the validator to accept any file content type b. didn't want the validator to read the complete request body for the specific request

func PolicyName 

func PolicyName(groupID string) string

PolicyName returns the policy identifier for the ACL for groupID.

func Serve 

func Serve(authService auth.Service, logger logging.Logger) http.Handler

func SetupACLServer 

func SetupACLServer(ctx context.Context, authService *AuthService) error

func Unmarshal 

func Unmarshal(c *Config) error

func ValidatePolicy 

func ValidatePolicy(policy *model.Policy) error

func WriteGroupACL 

func WriteGroupACL(ctx context.Context, svc auth.Service, groupName string, acl model.ACL, creationTime time.Time, warnIfCreate bool) error

Types

type AuthService 

type AuthService struct {
	// contains filtered or unexported fields
}

func NewAuthService 

func NewAuthService(store kv.Store, secretStore crypt.SecretStore, cacheConf params.ServiceCache) *AuthService

func (*AuthService) AddCredentials 

func (s *AuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)

func (*AuthService) AddUserToGroup 

func (s *AuthService) AddUserToGroup(ctx context.Context, username, groupDisplayName string) error

func (*AuthService) AttachPolicyToGroup 

func (s *AuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error

func (*AuthService) AttachPolicyToUser 

func (s *AuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName string, username string) error

func (*AuthService) Authorize 

func (s *AuthService) Authorize(ctx context.Context, req *auth.AuthorizationRequest) (*auth.AuthorizationResponse, error)

func (*AuthService) Cache 

func (s *AuthService) Cache() auth.Cache

func (*AuthService) ClaimTokenIDOnce 

func (s *AuthService) ClaimTokenIDOnce(_ context.Context, _ string, _ int64) error

func (*AuthService) CreateCredentials 

func (s *AuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)

func (*AuthService) CreateGroup 

func (s *AuthService) CreateGroup(ctx context.Context, group *model.Group) (*model.Group, error)

func (*AuthService) CreateUser 

func (s *AuthService) CreateUser(ctx context.Context, user *model.User) (string, error)

func (*AuthService) CreateUserExternalPrincipal 

func (s *AuthService) CreateUserExternalPrincipal(_ context.Context, _, _ string) error

func (*AuthService) DeleteCredentials 

func (s *AuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error

func (*AuthService) DeleteGroup 

func (s *AuthService) DeleteGroup(ctx context.Context, groupID string) error

func (*AuthService) DeletePolicy 

func (s *AuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error

func (*AuthService) DeleteUser 

func (s *AuthService) DeleteUser(ctx context.Context, username string) error

func (*AuthService) DeleteUserExternalPrincipal 

func (s *AuthService) DeleteUserExternalPrincipal(_ context.Context, _, _ string) error

func (*AuthService) DetachPolicyFromGroup 

func (s *AuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error

func (*AuthService) DetachPolicyFromGroupNoValidation 

func (s *AuthService) DetachPolicyFromGroupNoValidation(ctx context.Context, policyDisplayName, groupDisplayName string) error

func (*AuthService) DetachPolicyFromUser 

func (s *AuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error

func (*AuthService) DetachPolicyFromUserNoValidation 

func (s *AuthService) DetachPolicyFromUserNoValidation(ctx context.Context, policyDisplayName, username string) error

func (*AuthService) GetCredentials 

func (s *AuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)

func (*AuthService) GetCredentialsForUser 

func (s *AuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)

func (*AuthService) GetExternalPrincipal 

func (s *AuthService) GetExternalPrincipal(_ context.Context, _ string) (*model.ExternalPrincipal, error)

func (*AuthService) GetGroup 

func (s *AuthService) GetGroup(ctx context.Context, groupID string) (*model.Group, error)

func (*AuthService) GetPolicy 

func (s *AuthService) GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)

func (*AuthService) GetUser 

func (s *AuthService) GetUser(ctx context.Context, username string) (*model.User, error)

func (*AuthService) GetUserByEmail 

func (s *AuthService) GetUserByEmail(ctx context.Context, email string) (*model.User, error)

func (*AuthService) GetUserByExternalID 

func (s *AuthService) GetUserByExternalID(ctx context.Context, externalID string) (*model.User, error)

func (*AuthService) GetUserByID 

func (s *AuthService) GetUserByID(ctx context.Context, userID string) (*model.User, error)

func (*AuthService) IsExternalPrincipalsEnabled 

func (s *AuthService) IsExternalPrincipalsEnabled(_ context.Context) bool

func (*AuthService) ListEffectivePolicies 

func (s *AuthService) ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*AuthService) ListGroupPolicies 

func (s *AuthService) ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*AuthService) ListGroupUsers 

func (s *AuthService) ListGroupUsers(ctx context.Context, groupID string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

func (*AuthService) ListGroups 

func (s *AuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

func (*AuthService) ListKVPaged 

func (s *AuthService) ListKVPaged(ctx context.Context, protoType protoreflect.MessageType, params *model.PaginationParams, prefix []byte, secondary bool) ([]proto.Message, *model.Paginator, error)

func (*AuthService) ListPolicies 

func (s *AuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*AuthService) ListUserCredentials 

func (s *AuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)

func (*AuthService) ListUserExternalPrincipals 

func (s *AuthService) ListUserExternalPrincipals(_ context.Context, _ string, _ *model.PaginationParams) ([]*model.ExternalPrincipal, *model.Paginator, error)

func (*AuthService) ListUserGroups 

func (s *AuthService) ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

func (*AuthService) ListUserPolicies 

func (s *AuthService) ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*AuthService) ListUsers 

func (s *AuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

func (*AuthService) RemoveUserFromGroup 

func (s *AuthService) RemoveUserFromGroup(ctx context.Context, username, groupID string) error

func (*AuthService) SecretStore 

func (s *AuthService) SecretStore() crypt.SecretStore

func (*AuthService) UpdateUserFriendlyName 

func (s *AuthService) UpdateUserFriendlyName(_ context.Context, _ string, _ string) error

func (*AuthService) WritePolicy 

func (s *AuthService) WritePolicy(ctx context.Context, policy *model.Policy, update bool) error

type Config 

type Config struct {
	ListenAddress string `mapstructure:"listen_address"`

	Database config.Database
	Encrypt  struct {
		SecretKey config.SecureString `mapstructure:"secret_key" validate:"required"`
	}
	Cache struct {
		Enabled bool
		Size    int
		TTL     time.Duration
		Jitter  time.Duration
	} `mapstructure:"cache"`
}

func NewConfig 

func NewConfig() (*Config, error)

func (*Config) AuthEncryptionSecret 

func (c *Config) AuthEncryptionSecret() []byte

func (*Config) Validate 

func (c *Config) Validate() error

type Controller 

type Controller struct {
	Auth auth.Service
}

func NewController 

func NewController(authService auth.Service) *Controller

func (*Controller) AddGroupMembership 

func (c *Controller) AddGroupMembership(w http.ResponseWriter, r *http.Request, groupID, userID string)

func (*Controller) AttachPolicyToGroup 

func (c *Controller) AttachPolicyToGroup(w http.ResponseWriter, r *http.Request, groupID, policyID string)

func (*Controller) AttachPolicyToUser 

func (c *Controller) AttachPolicyToUser(w http.ResponseWriter, _ *http.Request, _, _ string)

func (*Controller) ClaimTokenId 

func (c *Controller) ClaimTokenId(w http.ResponseWriter, _ *http.Request, _ apigen.ClaimTokenIdJSONRequestBody)

func (*Controller) CreateCredentials 

func (c *Controller) CreateCredentials(w http.ResponseWriter, r *http.Request, userID string, params apigen.CreateCredentialsParams)

func (*Controller) CreateGroup 

func (c *Controller) CreateGroup(w http.ResponseWriter, r *http.Request, body apigen.CreateGroupJSONRequestBody)

func (*Controller) CreatePolicy 

func (c *Controller) CreatePolicy(w http.ResponseWriter, r *http.Request, body apigen.CreatePolicyJSONRequestBody)

func (*Controller) CreateUser 

func (c *Controller) CreateUser(w http.ResponseWriter, r *http.Request, body apigen.CreateUserJSONRequestBody)

func (*Controller) CreateUserExternalPrincipal 

func (c *Controller) CreateUserExternalPrincipal(w http.ResponseWriter, _ *http.Request, _ string, _ apigen.CreateUserExternalPrincipalParams)

func (*Controller) DeleteCredentials 

func (c *Controller) DeleteCredentials(w http.ResponseWriter, r *http.Request, userID string, accessKeyID string)

func (*Controller) DeleteGroup 

func (c *Controller) DeleteGroup(w http.ResponseWriter, r *http.Request, groupID string)

func (*Controller) DeleteGroupMembership 

func (c *Controller) DeleteGroupMembership(w http.ResponseWriter, r *http.Request, groupID, userID string)

func (*Controller) DeletePolicy 

func (c *Controller) DeletePolicy(w http.ResponseWriter, _ *http.Request, _ string)

func (*Controller) DeleteUser 

func (c *Controller) DeleteUser(w http.ResponseWriter, r *http.Request, username string)

func (*Controller) DeleteUserExternalPrincipal 

func (c *Controller) DeleteUserExternalPrincipal(w http.ResponseWriter, _ *http.Request, _ string, _ apigen.DeleteUserExternalPrincipalParams)

func (*Controller) DetachPolicyFromGroup 

func (c *Controller) DetachPolicyFromGroup(w http.ResponseWriter, _ *http.Request, _, _ string)

func (*Controller) DetachPolicyFromUser 

func (c *Controller) DetachPolicyFromUser(w http.ResponseWriter, _ *http.Request, _, _ string)

func (*Controller) GetCredentials 

func (c *Controller) GetCredentials(w http.ResponseWriter, r *http.Request, accessKeyId string)

func (*Controller) GetCredentialsForUser 

func (c *Controller) GetCredentialsForUser(w http.ResponseWriter, r *http.Request, userId string, accessKeyId string)

func (*Controller) GetExternalPrincipal 

func (c *Controller) GetExternalPrincipal(w http.ResponseWriter, _ *http.Request, _ apigen.GetExternalPrincipalParams)

func (*Controller) GetGroup 

func (c *Controller) GetGroup(w http.ResponseWriter, r *http.Request, groupID string)

func (*Controller) GetPolicy 

func (c *Controller) GetPolicy(w http.ResponseWriter, r *http.Request, policyID string)

func (*Controller) GetUser 

func (c *Controller) GetUser(w http.ResponseWriter, r *http.Request, username string)

func (*Controller) GetVersion 

func (c *Controller) GetVersion(w http.ResponseWriter, _ *http.Request)

func (*Controller) HealthCheck 

func (c *Controller) HealthCheck(w http.ResponseWriter, _ *http.Request)

func (*Controller) ListGroupMembers 

func (c *Controller) ListGroupMembers(w http.ResponseWriter, r *http.Request, groupID string, params apigen.ListGroupMembersParams)

func (*Controller) ListGroupPolicies 

func (c *Controller) ListGroupPolicies(w http.ResponseWriter, r *http.Request, groupID string, params apigen.ListGroupPoliciesParams)

func (*Controller) ListGroups 

func (c *Controller) ListGroups(w http.ResponseWriter, r *http.Request, params apigen.ListGroupsParams)

func (*Controller) ListPolicies 

func (c *Controller) ListPolicies(w http.ResponseWriter, _ *http.Request, _ apigen.ListPoliciesParams)

func (*Controller) ListUserCredentials 

func (c *Controller) ListUserCredentials(w http.ResponseWriter, r *http.Request, userID string, params apigen.ListUserCredentialsParams)

func (*Controller) ListUserExternalPrincipals 

func (c *Controller) ListUserExternalPrincipals(w http.ResponseWriter, _ *http.Request, _ string, _ apigen.ListUserExternalPrincipalsParams)

func (*Controller) ListUserGroups 

func (c *Controller) ListUserGroups(w http.ResponseWriter, r *http.Request, userID string, params apigen.ListUserGroupsParams)

func (*Controller) ListUserPolicies 

func (c *Controller) ListUserPolicies(w http.ResponseWriter, r *http.Request, userID string, params apigen.ListUserPoliciesParams)

func (*Controller) ListUsers 

func (c *Controller) ListUsers(w http.ResponseWriter, r *http.Request, params apigen.ListUsersParams)

func (*Controller) UpdatePassword 

func (c *Controller) UpdatePassword(w http.ResponseWriter, _ *http.Request, _ apigen.UpdatePasswordJSONRequestBody, _ string)

func (*Controller) UpdatePolicy 

func (c *Controller) UpdatePolicy(w http.ResponseWriter, r *http.Request, body apigen.UpdatePolicyJSONRequestBody, policyID string)

func (*Controller) UpdateUserFriendlyName 

func (c *Controller) UpdateUserFriendlyName(w http.ResponseWriter, r *http.Request, body apigen.UpdateUserFriendlyNameJSONRequestBody, username string)

type HTTPClient 

type HTTPClient struct {
	SkipVerify bool          `mapstructure:"skip_verify"`
	Timeout    time.Duration `mapstructure:"timeout"`
}

type UserPredicate 

type UserPredicate func(u *model.UserData) bool

Source Files

View all Source files

Directories

Path Synopsis
cmd
acl
acl/cmd

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.