auth

package


Constants

const (
	BasicPartitionKey     = "basicAuth"
	SuperAdminKey         = "superAdmin"
	MaxUsers              = 1
	MaxCredentialsPerUser = 1
)
const (
	InstallationIDKeyName  = "installation_id"
	SetupTimestampKeyName  = "setup_timestamp"
	CommPrefsSetKeyName    = "comm_prefs_set"
	EmailKeyName           = "encoded_user_email"
	FeatureUpdatesKeyName  = "feature_updates"
	SecurityUpdatesKeyName = "security_updates"

	InstrumentationSamplesRepo = "SamplesRepo"
	InstrumentationQuickstart  = "Quickstart"
	InstrumentationRun         = "Run"
)
const (
	UserNotAllowed = "not allowed"
	InvalidUserID  = ""
	MaxPage        = 1000
	// CheckAllow Permission allowed.
	//
	// Note: iota counts every entry of this const block, so CheckAllow is 3
	// (not 0), CheckNeutral is 4 and CheckDeny is 5. The zero value of
	// CheckResult is therefore none of the named results; compare CheckResult
	// values by name, never against literal integers or the zero value.
	CheckAllow CheckResult = iota
	// CheckNeutral Permission neither allowed nor denied
	CheckNeutral
	// CheckDeny Permission denied
	CheckDeny
)

Variables

var (
	ErrNotFound                = kv.ErrNotFound
	ErrAlreadyExists           = errors.New("already exists")
	ErrNonUnique               = errors.New("more than one user found")
	ErrInvalidArn              = errors.New("invalid ARN")
	ErrInsufficientPermissions = errors.New("insufficient permissions")
	ErrInvalidAccessKeyID      = errors.New("invalid access key ID")
	ErrInvalidSecretAccessKey  = errors.New("invalid secret access key")
	ErrUnexpectedStatusCode    = errors.New("unexpected status code")
	ErrUnexpectedSigningMethod = errors.New("unexpected signing method")
	ErrInvalidToken            = errors.New("invalid token")
	ErrInvalidRequest          = errors.New("invalid request")
	ErrUserNotFound            = errors.New("user not found")
	ErrInvalidResponse         = errors.New("invalid response")
	ErrNotImplemented          = errors.New("not implemented")
	ErrMigrationNotPossible    = errors.New("auth migration not possible")
)
var DockeEnvExists = "/.dockerenv"

DockeEnvExists is exposed as a variable (rather than a constant) for testing purposes.

var (
	ErrStatementNotFound = errors.New("statement not found")
)

Functions

func ArnMatch

func ArnMatch(src, dst string) bool

func GetActionsForPolicyType added in v0.98.0

func GetActionsForPolicyType(typ string) ([]string, error)

GetActionsForPolicyType returns the actions for policy type typ.

func GetActionsForPolicyTypeOrDie added in v0.98.0

func GetActionsForPolicyTypeOrDie(typ string) []string

func GetUser added in v0.87.0

func GetUser(ctx context.Context) (*model.User, error)

func MakeStatementForPolicyType added in v0.98.0

func MakeStatementForPolicyType(typ string, resources []string) (model.Statements, error)

MakeStatementForPolicyType returns statements for policy type typ, limited to resources.

func MakeStatementForPolicyTypeOrDie added in v0.98.0

func MakeStatementForPolicyTypeOrDie(typ string, resources []string) model.Statements

func ObserveDuration added in v1.28.0

func ObserveDuration(operation string, duration time.Duration, success bool)

func VerifyToken added in v0.64.0

func VerifyToken(secret []byte, tokenString string) (*jwt.StandardClaims, error)

func WithUser added in v0.87.0

func WithUser(ctx context.Context, user *model.User) context.Context

Types

type APIAuthService added in v0.63.0

type APIAuthService struct {
	// contains filtered or unexported fields
}

func NewAPIAuthService added in v0.63.0

func NewAPIAuthService(apiEndpoint, token string, externalPrincipalseEnabled bool, secretStore crypt.SecretStore, cacheConf params.ServiceCache, logger logging.Logger) (*APIAuthService, error)

func NewAPIAuthServiceWithClient added in v0.70.0

func NewAPIAuthServiceWithClient(client ClientWithResponsesInterface, externalPrincipalseEnabled bool, secretStore crypt.SecretStore, cacheConf params.ServiceCache, logger logging.Logger) (*APIAuthService, error)

func (*APIAuthService) AddCredentials added in v0.63.0

func (a *APIAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)

func (*APIAuthService) AddUserToGroup added in v0.63.0

func (a *APIAuthService) AddUserToGroup(ctx context.Context, username, groupID string) error

func (*APIAuthService) AttachPolicyToGroup added in v0.63.0

func (a *APIAuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupID string) error

func (*APIAuthService) AttachPolicyToUser added in v0.63.0

func (a *APIAuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error

func (*APIAuthService) Authorize added in v0.63.0

func (*APIAuthService) Cache added in v0.68.0

func (a *APIAuthService) Cache() Cache

func (*APIAuthService) CheckHealth added in v1.1.0

func (a *APIAuthService) CheckHealth(ctx context.Context, logger logging.Logger, timeout time.Duration) error

func (*APIAuthService) ClaimTokenIDOnce added in v0.64.0

func (a *APIAuthService) ClaimTokenIDOnce(ctx context.Context, tokenID string, expiresAt int64) error

func (*APIAuthService) CreateCredentials added in v0.63.0

func (a *APIAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)

func (*APIAuthService) CreateGroup added in v0.63.0

func (a *APIAuthService) CreateGroup(ctx context.Context, group *model.Group) (*model.Group, error)

func (*APIAuthService) CreateUser added in v0.63.0

func (a *APIAuthService) CreateUser(ctx context.Context, user *model.User) (string, error)

func (*APIAuthService) CreateUserExternalPrincipal added in v1.14.0

func (a *APIAuthService) CreateUserExternalPrincipal(ctx context.Context, userID, principalID string) error

func (*APIAuthService) DeleteCredentials added in v0.63.0

func (a *APIAuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error

func (*APIAuthService) DeleteGroup added in v0.63.0

func (a *APIAuthService) DeleteGroup(ctx context.Context, groupID string) error

func (*APIAuthService) DeletePolicy added in v0.63.0

func (a *APIAuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error

func (*APIAuthService) DeleteUser added in v0.63.0

func (a *APIAuthService) DeleteUser(ctx context.Context, username string) error

func (*APIAuthService) DeleteUserExternalPrincipal added in v1.14.0

func (a *APIAuthService) DeleteUserExternalPrincipal(ctx context.Context, userID, principalID string) error

func (*APIAuthService) DetachPolicyFromGroup added in v0.63.0

func (a *APIAuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupID string) error

func (*APIAuthService) DetachPolicyFromUser added in v0.63.0

func (a *APIAuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error

func (*APIAuthService) GetCredentials added in v0.63.0

func (a *APIAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)

func (*APIAuthService) GetCredentialsForUser added in v0.63.0

func (a *APIAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)

func (*APIAuthService) GetExternalPrincipal added in v1.14.1

func (a *APIAuthService) GetExternalPrincipal(ctx context.Context, principalID string) (*model.ExternalPrincipal, error)

func (*APIAuthService) GetGroup added in v0.63.0

func (a *APIAuthService) GetGroup(ctx context.Context, groupID string) (*model.Group, error)

func (*APIAuthService) GetPolicy added in v0.63.0

func (a *APIAuthService) GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)

func (*APIAuthService) GetUser added in v0.63.0

func (a *APIAuthService) GetUser(ctx context.Context, username string) (*model.User, error)

func (*APIAuthService) GetUserByEmail added in v0.63.0

func (a *APIAuthService) GetUserByEmail(ctx context.Context, email string) (*model.User, error)

func (*APIAuthService) GetUserByExternalID added in v0.69.0

func (a *APIAuthService) GetUserByExternalID(ctx context.Context, externalID string) (*model.User, error)

func (*APIAuthService) GetUserByID added in v0.63.0

func (a *APIAuthService) GetUserByID(ctx context.Context, userID string) (*model.User, error)

func (*APIAuthService) InviteUser added in v0.69.0

func (a *APIAuthService) InviteUser(ctx context.Context, email string) error

func (*APIAuthService) IsExternalPrincipalsEnabled added in v1.14.0

func (a *APIAuthService) IsExternalPrincipalsEnabled(_ context.Context) bool

func (*APIAuthService) ListEffectivePolicies added in v0.63.0

func (a *APIAuthService) ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*APIAuthService) ListGroupPolicies added in v0.63.0

func (a *APIAuthService) ListGroupPolicies(ctx context.Context, groupID string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*APIAuthService) ListGroupUsers added in v0.63.0

func (a *APIAuthService) ListGroupUsers(ctx context.Context, groupID string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

func (*APIAuthService) ListGroups added in v0.63.0

func (a *APIAuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

func (*APIAuthService) ListPolicies added in v0.63.0

func (a *APIAuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*APIAuthService) ListUserCredentials added in v0.63.0

func (a *APIAuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)

func (*APIAuthService) ListUserExternalPrincipals added in v1.14.0

func (a *APIAuthService) ListUserExternalPrincipals(ctx context.Context, userID string, params *model.PaginationParams) ([]*model.ExternalPrincipal, *model.Paginator, error)

func (*APIAuthService) ListUserGroups added in v0.63.0

func (a *APIAuthService) ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

func (*APIAuthService) ListUserPolicies added in v0.63.0

func (a *APIAuthService) ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*APIAuthService) ListUsers added in v0.63.0

func (a *APIAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

func (*APIAuthService) RemoveUserFromGroup added in v0.63.0

func (a *APIAuthService) RemoveUserFromGroup(ctx context.Context, username, groupID string) error

func (*APIAuthService) SecretStore added in v0.63.0

func (a *APIAuthService) SecretStore() crypt.SecretStore

func (*APIAuthService) UpdateUserFriendlyName added in v1.16.0

func (a *APIAuthService) UpdateUserFriendlyName(ctx context.Context, userID string, friendlyName string) error

func (*APIAuthService) WritePolicy added in v0.63.0

func (a *APIAuthService) WritePolicy(ctx context.Context, policy *model.Policy, update bool) error

type Arn

type Arn struct {
	Partition  string
	Service    string
	Region     string
	AccountID  string
	ResourceID string
}

func ParseARN

func ParseARN(arnString string) (*Arn, error)

type Authenticator added in v0.53.0

type Authenticator interface {
	// AuthenticateUser authenticates a user matching username and
	// password and returns their ID.
	AuthenticateUser(ctx context.Context, username, password string) (string, error)
}

Authenticator authenticates users returning an identifier for the user. (Currently it handles only username+password single-step authentication. This interface will need to change significantly in order to support challenge-response protocols.)

type AuthorizationRequest

type AuthorizationRequest struct {
	Username            string
	RequiredPermissions permissions.Node
}

type AuthorizationResponse

type AuthorizationResponse struct {
	Allowed bool
	Error   error
}

type Authorizer added in v0.69.0

type Authorizer interface {
	// Authorize evaluates req, which names the user and the permissions the
	// request requires. The returned error is non-nil only when the check
	// itself could not be performed. A completed check is reported through
	// AuthorizationResponse: Allowed says whether the request is permitted,
	// and Error carries the reason when it is not (e.g.
	// ErrInsufficientPermissions). Callers must therefore inspect both the
	// returned error and Allowed before granting access.
	Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
}

type BasicAuthService added in v1.32.0

type BasicAuthService struct {
	// contains filtered or unexported fields
}

func NewBasicAuthService added in v1.32.0

func NewBasicAuthService(store kv.Store, secretStore crypt.SecretStore, cacheConf params.ServiceCache, logger logging.Logger) *BasicAuthService

func (*BasicAuthService) AddCredentials added in v1.32.0

func (s *BasicAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)

func (*BasicAuthService) AddUserToGroup added in v1.32.0

func (s *BasicAuthService) AddUserToGroup(_ context.Context, _, _ string) error

func (*BasicAuthService) AttachPolicyToGroup added in v1.32.0

func (s *BasicAuthService) AttachPolicyToGroup(_ context.Context, _, _ string) error

func (*BasicAuthService) AttachPolicyToUser added in v1.32.0

func (s *BasicAuthService) AttachPolicyToUser(_ context.Context, _, _ string) error

func (*BasicAuthService) Authorize added in v1.32.0

func (*BasicAuthService) Cache added in v1.32.0

func (s *BasicAuthService) Cache() Cache

func (*BasicAuthService) ClaimTokenIDOnce added in v1.32.0

func (s *BasicAuthService) ClaimTokenIDOnce(_ context.Context, _ string, _ int64) error

func (*BasicAuthService) CreateCredentials added in v1.32.0

func (s *BasicAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)

func (*BasicAuthService) CreateGroup added in v1.32.0

func (s *BasicAuthService) CreateGroup(_ context.Context, _ *model.Group) (*model.Group, error)

func (*BasicAuthService) CreateUser added in v1.32.0

func (s *BasicAuthService) CreateUser(ctx context.Context, user *model.User) (string, error)

func (*BasicAuthService) CreateUserExternalPrincipal added in v1.32.0

func (s *BasicAuthService) CreateUserExternalPrincipal(_ context.Context, _, _ string) error

func (*BasicAuthService) DeleteCredentials added in v1.32.0

func (s *BasicAuthService) DeleteCredentials(_ context.Context, _, _ string) error

func (*BasicAuthService) DeleteGroup added in v1.32.0

func (s *BasicAuthService) DeleteGroup(_ context.Context, _ string) error

func (*BasicAuthService) DeletePolicy added in v1.32.0

func (s *BasicAuthService) DeletePolicy(_ context.Context, _ string) error

func (*BasicAuthService) DeleteUser added in v1.32.0

func (s *BasicAuthService) DeleteUser(ctx context.Context, username string) error

func (*BasicAuthService) DeleteUserExternalPrincipal added in v1.32.0

func (s *BasicAuthService) DeleteUserExternalPrincipal(_ context.Context, _, _ string) error

func (*BasicAuthService) DetachPolicyFromGroup added in v1.32.0

func (s *BasicAuthService) DetachPolicyFromGroup(_ context.Context, _, _ string) error

func (*BasicAuthService) DetachPolicyFromUser added in v1.32.0

func (s *BasicAuthService) DetachPolicyFromUser(_ context.Context, _, _ string) error

func (*BasicAuthService) GetCredentials added in v1.32.0

func (s *BasicAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)

func (*BasicAuthService) GetCredentialsForUser added in v1.32.0

func (s *BasicAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)

func (*BasicAuthService) GetExternalPrincipal added in v1.32.0

func (s *BasicAuthService) GetExternalPrincipal(_ context.Context, _ string) (*model.ExternalPrincipal, error)

func (*BasicAuthService) GetGroup added in v1.32.0

func (s *BasicAuthService) GetGroup(_ context.Context, _ string) (*model.Group, error)

func (*BasicAuthService) GetPolicy added in v1.32.0

func (s *BasicAuthService) GetPolicy(_ context.Context, _ string) (*model.Policy, error)

func (*BasicAuthService) GetUser added in v1.32.0

func (s *BasicAuthService) GetUser(ctx context.Context, username string) (*model.User, error)

func (*BasicAuthService) GetUserByEmail added in v1.32.0

func (s *BasicAuthService) GetUserByEmail(_ context.Context, _ string) (*model.User, error)

func (*BasicAuthService) GetUserByExternalID added in v1.32.0

func (s *BasicAuthService) GetUserByExternalID(_ context.Context, _ string) (*model.User, error)

func (*BasicAuthService) GetUserByID added in v1.32.0

func (s *BasicAuthService) GetUserByID(_ context.Context, _ string) (*model.User, error)

func (*BasicAuthService) IsExternalPrincipalsEnabled added in v1.32.0

func (s *BasicAuthService) IsExternalPrincipalsEnabled(_ context.Context) bool

func (*BasicAuthService) ListEffectivePolicies added in v1.32.0

func (s *BasicAuthService) ListEffectivePolicies(_ context.Context, _ string, _ *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*BasicAuthService) ListGroupPolicies added in v1.32.0

func (*BasicAuthService) ListGroupUsers added in v1.32.0

func (*BasicAuthService) ListGroups added in v1.32.0

func (*BasicAuthService) ListPolicies added in v1.32.0

func (*BasicAuthService) ListUserCredentials added in v1.32.0

func (*BasicAuthService) ListUserExternalPrincipals added in v1.32.0

func (s *BasicAuthService) ListUserExternalPrincipals(_ context.Context, _ string, _ *model.PaginationParams) ([]*model.ExternalPrincipal, *model.Paginator, error)

func (*BasicAuthService) ListUserGroups added in v1.32.0

func (*BasicAuthService) ListUserPolicies added in v1.32.0

func (*BasicAuthService) ListUsers added in v1.32.0

func (*BasicAuthService) Migrate added in v1.33.0

func (s *BasicAuthService) Migrate(ctx context.Context) (string, error)

Migrate attempts to migrate an existing lakeFS server to basic auth.

func (*BasicAuthService) RemoveUserFromGroup added in v1.32.0

func (s *BasicAuthService) RemoveUserFromGroup(_ context.Context, _, _ string) error

func (*BasicAuthService) SecretStore added in v1.32.0

func (s *BasicAuthService) SecretStore() crypt.SecretStore

func (*BasicAuthService) UpdateUserFriendlyName added in v1.32.0

func (s *BasicAuthService) UpdateUserFriendlyName(_ context.Context, _ string, _ string) error

func (*BasicAuthService) WritePolicy added in v1.32.0

func (s *BasicAuthService) WritePolicy(_ context.Context, _ *model.Policy, _ bool) error

type BuiltinAuthenticator added in v0.53.0

type BuiltinAuthenticator struct {
	// contains filtered or unexported fields
}

BuiltinAuthenticator authenticates users by their access key IDs and passwords stored in the auth service.

func NewBuiltinAuthenticator added in v0.53.0

func NewBuiltinAuthenticator(service Service) *BuiltinAuthenticator

func (*BuiltinAuthenticator) AuthenticateUser added in v0.53.0

func (ba *BuiltinAuthenticator) AuthenticateUser(ctx context.Context, username, password string) (string, error)

func (*BuiltinAuthenticator) String added in v0.62.0

func (ba *BuiltinAuthenticator) String() string

type Cache

type Cache interface {
	// GetCredential returns the credential cached under accessKeyID; setFn is
	// presumably the loader invoked on a miss (DummyCache, which does not
	// cache, still receives it) — confirm against LRUCache.
	GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)
	// GetUser returns the user cached under key, loading it through setFn.
	GetUser(key UserKey, setFn UserSetFn) (*model.User, error)
	// GetUserPolicies returns the policies cached for userID, loading them
	// through setFn.
	GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)
	// NOTE(review): credentials and policies served from an expiring cache
	// (NewLRUCache takes an expiry and a jitter) can outlive a revocation or
	// a policy change until the entry expires; confirm the configured expiry
	// is acceptable for the deployment's revocation latency.
}

type ChainAuthenticator added in v0.53.0

type ChainAuthenticator []Authenticator

ChainAuthenticator authenticates users by trying each Authenticator in order, returning the last error in case all fail.

func (ChainAuthenticator) AuthenticateUser added in v0.53.0

func (ca ChainAuthenticator) AuthenticateUser(ctx context.Context, username, password string) (string, error)

type CheckResult added in v0.53.1

type CheckResult int

CheckResult is the outcome of a permission check; an authorization is accepted only if its final result is CheckAllow.

func CheckPermissions added in v1.32.0

func CheckPermissions(ctx context.Context, node permissions.Node, username string, policies []*model.Policy, permAudit *MissingPermissions) CheckResult

type CommPrefs added in v0.87.0

type CommPrefs struct {
	UserEmail       string
	FeatureUpdates  bool
	SecurityUpdates bool
	InstallationID  string
}

type CredentialSetFn

type CredentialSetFn func() (*model.Credential, error)

type Credentialler added in v0.53.0

type Credentialler interface {
	GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
}

Credentialler fetches S3-style credentials for access keys.

type CredentialsCreator added in v0.69.0

type CredentialsCreator interface {
	CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
}

type DummyCache

type DummyCache struct{}

DummyCache is a Cache implementation that does not cache anything.

func (*DummyCache) GetCredential

func (d *DummyCache) GetCredential(_ string, setFn CredentialSetFn) (*model.Credential, error)

func (*DummyCache) GetUser

func (d *DummyCache) GetUser(_ UserKey, setFn UserSetFn) (*model.User, error)

func (*DummyCache) GetUserPolicies

func (d *DummyCache) GetUserPolicies(_ string, setFn UserPoliciesSetFn) ([]*model.Policy, error)

type EmailInviter added in v0.111.0

type EmailInviter interface {
	InviteUser(ctx context.Context, email string) error
}

type ExternalPrincipalsService added in v1.14.0

type ExternalPrincipalsService interface {
	IsExternalPrincipalsEnabled(ctx context.Context) bool
	CreateUserExternalPrincipal(ctx context.Context, userID, principalID string) error
	DeleteUserExternalPrincipal(ctx context.Context, userID, principalID string) error
	GetExternalPrincipal(ctx context.Context, principalID string) (*model.ExternalPrincipal, error)
	ListUserExternalPrincipals(ctx context.Context, userID string, params *model.PaginationParams) ([]*model.ExternalPrincipal, *model.Paginator, error)
}

ExternalPrincipalsService is an interface for managing external principals (e.g. IAM users, groups, etc.). It is part of the AuthService API and is used as an administrative API for that service.

type GatewayService added in v0.65.0

type GatewayService interface {
	GetCredentials(_ context.Context, accessKey string) (*model.Credential, error)
	GetUser(ctx context.Context, username string) (*model.User, error)
	Authorize(_ context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
}

type KVMetadataManager added in v0.69.0

type KVMetadataManager struct {
	// contains filtered or unexported fields
}

func NewKVMetadataManager added in v0.69.0

func NewKVMetadataManager(version, fixedInstallationID, kvType string, store kv.Store) *KVMetadataManager

func (*KVMetadataManager) GetCommPrefs added in v0.87.0

func (m *KVMetadataManager) GetCommPrefs(ctx context.Context) (CommPrefs, error)

func (*KVMetadataManager) GetMetadata added in v0.102.0

func (m *KVMetadataManager) GetMetadata(ctx context.Context) (map[string]string, error)

func (*KVMetadataManager) GetSetupState added in v0.87.0

func (m *KVMetadataManager) GetSetupState(ctx context.Context) (SetupStateName, error)

func (*KVMetadataManager) IsCommPrefsSet added in v0.105.0

func (m *KVMetadataManager) IsCommPrefsSet(ctx context.Context) (bool, error)

func (*KVMetadataManager) IsInitialized added in v0.69.0

func (m *KVMetadataManager) IsInitialized(ctx context.Context) (bool, error)

func (*KVMetadataManager) UpdateCommPrefs added in v0.87.0

func (m *KVMetadataManager) UpdateCommPrefs(ctx context.Context, commPrefs *CommPrefs) (string, error)

UpdateCommPrefs updates the comm prefs metadata. When commPrefs is nil, setup is assumed to be done without the user providing any comm prefs; the data can be provided later, as the web UI checks whether the comm prefs are set.

func (*KVMetadataManager) UpdateSetupTimestamp added in v0.69.0

func (m *KVMetadataManager) UpdateSetupTimestamp(ctx context.Context, ts time.Time) error

type LRUCache

type LRUCache struct {
	// contains filtered or unexported fields
}

func NewLRUCache

func NewLRUCache(size int, expiry, jitter time.Duration) *LRUCache

func (*LRUCache) GetCredential

func (c *LRUCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)

func (*LRUCache) GetUser

func (c *LRUCache) GetUser(key UserKey, setFn UserSetFn) (*model.User, error)

func (*LRUCache) GetUserPolicies

func (c *LRUCache) GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)

type MetadataManager

type MetadataManager interface {
	IsInitialized(ctx context.Context) (bool, error)
	GetSetupState(ctx context.Context) (SetupStateName, error)
	UpdateCommPrefs(ctx context.Context, commPrefs *CommPrefs) (string, error)
	IsCommPrefsSet(ctx context.Context) (bool, error)
	UpdateSetupTimestamp(context.Context, time.Time) error
	GetMetadata(context.Context) (map[string]string, error)
}

type MissingPermissions added in v1.43.0

type MissingPermissions struct {
	// Denied is a list of actions the user was denied for the attempt.
	Denied []string
	// Unauthorized is a list of actions the user did not have for the attempt.
	Unauthorized []string
}

func (*MissingPermissions) String added in v1.43.0

func (n *MissingPermissions) String() string

type Service

type Service interface {
	SecretStore() crypt.SecretStore
	Cache() Cache

	// users
	CreateUser(ctx context.Context, user *model.User) (string, error)
	DeleteUser(ctx context.Context, username string) error
	GetUserByID(ctx context.Context, userID string) (*model.User, error)
	GetUser(ctx context.Context, username string) (*model.User, error)
	GetUserByExternalID(ctx context.Context, externalID string) (*model.User, error)
	GetUserByEmail(ctx context.Context, email string) (*model.User, error)
	ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
	UpdateUserFriendlyName(ctx context.Context, userID string, friendlyName string) error

	ExternalPrincipalsService

	// groups
	CreateGroup(ctx context.Context, group *model.Group) (*model.Group, error)
	DeleteGroup(ctx context.Context, groupID string) error
	GetGroup(ctx context.Context, groupID string) (*model.Group, error)
	ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

	// group<->user memberships
	AddUserToGroup(ctx context.Context, username, groupID string) error
	RemoveUserFromGroup(ctx context.Context, username, groupID string) error
	ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
	ListGroupUsers(ctx context.Context, groupID string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

	// policies
	WritePolicy(ctx context.Context, policy *model.Policy, update bool) error
	GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)
	DeletePolicy(ctx context.Context, policyDisplayName string) error
	ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	// credentials
	CredentialsCreator
	AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
	DeleteCredentials(ctx context.Context, username, accessKeyID string) error
	GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
	GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
	ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)

	// policy<->user attachments
	AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error
	DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
	ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
	ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	// policy<->group attachments
	AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupID string) error
	DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupID string) error
	ListGroupPolicies(ctx context.Context, groupID string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	Authorizer

	ClaimTokenIDOnce(ctx context.Context, tokenID string, expiresAt int64) error
}

type ServiceAndInviter added in v1.28.0

type ServiceAndInviter interface {
	Service
	EmailInviter
}

type SetupStateName added in v0.87.0

type SetupStateName string
const (
	SetupStateInitialized    SetupStateName = "initialized"
	SetupStateNotInitialized SetupStateName = "not_initialized"
)

type UserKey added in v1.32.0

type UserKey struct {
	Username   string
	ExternalID string
	Email      string
	// contains filtered or unexported fields
}

type UserPoliciesSetFn

type UserPoliciesSetFn func() ([]*model.Policy, error)

type UserSetFn

type UserSetFn func() (*model.User, error)

Notes

Bugs

  • This parser does not handle resource types. Handling resource types is

    subtle: they may be separated from resource IDs by a colon OR by a slash. For an
    example of a resource type, see ECS[1] (uses only slash separators). That colons
    are an acceptable separator appears in [2], so a workaround to this limitation is
    to use a slash.
    
    [1] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources
    [2] https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arns-syntax
    

Directories

Path Synopsis
Package mock is a generated GoMock package.
Package mock is a generated GoMock package.
oidc
encoding
Package encoding defines Claims for interoperable external services to use in JWTs.
Package encoding defines Claims for interoperable external services to use in JWTs.
