acl

package
Published: Jan 9, 2025 License: Apache-2.0 Imports: 31 Imported by: 0

Documentation

Overview

nolint:stylecheck

Index

Constants

// ACL permission levels, from narrowest to broadest scope. Every level
// includes managing the caller's own credentials; only AdminPermission
// reaches beyond the specified repositories to all repositories and to the
// authorization and credentials of other users.
const (
	// ReadPermission allows reading the specified repositories, as well as
	// managing own credentials.
	ReadPermission model.ACLPermission = "Read"
	// WritePermission allows reading and writing the specified repositories,
	// as well as managing own credentials.
	WritePermission model.ACLPermission = "Write"
	// SuperPermission allows reading, writing, and all other actions on the
	// specified repositories, as well as managing own credentials.
	SuperPermission model.ACLPermission = "Super"
	// AdminPermission allows all operations, including all reading, writing,
	// and all other actions on all repositories, and managing
	// authorization and credentials of all users.
	AdminPermission model.ACLPermission = "Admin"
)
// Display names of the built-in ACL groups, one per permission level
// (Admin, Super, Write, Read). Presumably these are the groups that
// CreateACLBaseGroups creates and WriteGroupACL attaches ACLs to — confirm
// there; the mapping from group to permission is not visible here.
const (
	AdminsGroup  = "Admins"
	SupersGroup  = "Supers"
	WritersGroup = "Writers"
	ReadersGroup = "Readers"
)
const (
	// BaseURL is the path prefix under which the ACL API is mounted; it is
	// the /api/v1 pattern that InvalidAPIEndpointHandler's documentation
	// refers to.
	BaseURL = "/api/v1"
)
// DefaultListenAddress is the fallback listen address for the ACL server.
// Note the 0.0.0.0 host: the server accepts connections on every network
// interface, not only loopback. Deployments that must not expose the API
// on all interfaces should set listen_address (Config.ListenAddress)
// explicitly — presumably that field overrides this default; verify in
// NewConfig.
const DefaultListenAddress = "0.0.0.0:8001"
// DefaultMaxPerPage is the maximum number of results returned for paginated
// queries to the API; requests asking for more are presumably clamped to
// this value rather than rejected — confirm in the list handlers.
const DefaultMaxPerPage int = 1000

DefaultMaxPerPage is the maximum number of results returned for paginated queries to the API

// PolicyPrefix marks policy names that this package generates for group
// ACLs (see PolicyName and IsPolicyName). The unusual "(_-_)" sequence
// presumably keeps generated names from colliding with user-chosen policy
// names — confirm against PolicyName.
const PolicyPrefix = "ACL(_-_)"
// ServerPartitionKey identifies this server's data set — presumably the
// kv.Store partition that AuthService reads and writes; verify in
// NewAuthService.
const ServerPartitionKey = "aclauth"

Variables

// Configuration errors. ErrMissingSecretKey wraps ErrBadConfiguration with
// %w, so errors.Is(err, ErrBadConfiguration) matches both.
var (
	ErrBadConfiguration = errors.New("bad configuration")
	// ErrMissingSecretKey reports an empty encrypt.secret_key; the key is
	// mandatory (Config.Encrypt.SecretKey carries validate:"required").
	ErrMissingSecretKey = fmt.Errorf("%w: encrypt.secret_key cannot be empty", ErrBadConfiguration)
)
var (
	// ErrBadACLPermission wraps model.ErrValidationError with %w, so it
	// matches errors.Is(err, model.ErrValidationError). It presumably is
	// returned for an ACLPermission outside the Read/Write/Super/Admin set,
	// e.g. by ACLToStatement — verify there.
	ErrBadACLPermission = fmt.Errorf("%w: Bad ACL permission", model.ErrValidationError)
)
// ErrInvalidAPIEndpoint is the error InvalidAPIEndpointHandler responds with
// for routes that are deliberately not served.
var ErrInvalidAPIEndpoint = errors.New("invalid API endpoint")

Functions

func ACLToStatement

func ACLToStatement(acl model.ACL) (model.Statements, error)

func CreateACLBaseGroups

func CreateACLBaseGroups(ctx context.Context, authService auth.Service, ts time.Time) error

func InvalidAPIEndpointHandler

func InvalidAPIEndpointHandler(w http.ResponseWriter, _ *http.Request)

InvalidAPIEndpointHandler responds with ErrInvalidAPIEndpoint. It is currently mounted via chi.Router.Mount so that routes under the pattern it is mounted with (i.e. /api/v1) are not accessible.

func IsInitialized

func IsInitialized(ctx context.Context, authService *AuthService) (bool, error)

func IsPolicyName

func IsPolicyName(policyName string) bool

func IsValidAccessKeyID

func IsValidAccessKeyID(key string) bool

func ListEffectivePolicies

func ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams, getEffectivePolicies effectivePoliciesGetter, cache auth.Cache) ([]*model.Policy, *model.Paginator, error)

func OapiRequestValidatorWithOptions

func OapiRequestValidatorWithOptions(swagger *openapi3.Swagger, options *openapi3filter.Options) func(http.Handler) http.Handler

OapiRequestValidatorWithOptions creates middleware that validates requests against the swagger spec. The middleware also works with plain net/http, since go-chi is 100% compatible with net/http. The original implementation can be found at https://github.com/deepmap/oapi-codegen/blob/master/pkg/chi-middleware/oapi_validate.go. We use our own implementation in order to:

  1. Use the latest version kin-openapi (can switch back when oapi-codegen will be updated)
  2. For file uploads, skip body validation for two reasons: (a) no way was found for the validator to accept any file content type; (b) the validator should not read the complete request body for that specific request. Validation of an uploaded body is therefore left to the upload handler itself.

func PolicyName

func PolicyName(groupID string) string

PolicyName returns the policy identifier for the ACL for groupID.

func Serve

func Serve(authService auth.Service, logger logging.Logger) http.Handler

func SetupACLServer

func SetupACLServer(ctx context.Context, authService *AuthService) error

func Unmarshal

func Unmarshal(c *Config) error

func ValidatePolicy

func ValidatePolicy(policy *model.Policy) error

func WriteGroupACL

func WriteGroupACL(ctx context.Context, svc auth.Service, groupName string, acl model.ACL, creationTime time.Time, warnIfCreate bool) error

Types

type AuthService

// AuthService is the authorization service backed by a kv.Store and a
// crypt.SecretStore (see NewAuthService); it presumably satisfies
// auth.Service, the interface Serve and WriteGroupACL accept — confirm.
// Its fields are unexported, so the zero value is not usable; construct it
// with NewAuthService.
type AuthService struct {
	// contains filtered or unexported fields
}

func NewAuthService

func NewAuthService(store kv.Store, secretStore crypt.SecretStore, cacheConf params.ServiceCache) *AuthService

func (*AuthService) AddCredentials

func (s *AuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)

func (*AuthService) AddUserToGroup

func (s *AuthService) AddUserToGroup(ctx context.Context, username, groupDisplayName string) error

func (*AuthService) AttachPolicyToGroup

func (s *AuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error

func (*AuthService) AttachPolicyToUser

func (s *AuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName string, username string) error

func (*AuthService) Authorize

func (*AuthService) Cache

func (s *AuthService) Cache() auth.Cache

func (*AuthService) ClaimTokenIDOnce

func (s *AuthService) ClaimTokenIDOnce(_ context.Context, _ string, _ int64) error

func (*AuthService) CreateCredentials

func (s *AuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)

func (*AuthService) CreateGroup

func (s *AuthService) CreateGroup(ctx context.Context, group *model.Group) (*model.Group, error)

func (*AuthService) CreateUser

func (s *AuthService) CreateUser(ctx context.Context, user *model.User) (string, error)

func (*AuthService) CreateUserExternalPrincipal

func (s *AuthService) CreateUserExternalPrincipal(_ context.Context, _, _ string) error

func (*AuthService) DeleteCredentials

func (s *AuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error

func (*AuthService) DeleteGroup

func (s *AuthService) DeleteGroup(ctx context.Context, groupID string) error

func (*AuthService) DeletePolicy

func (s *AuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error

func (*AuthService) DeleteUser

func (s *AuthService) DeleteUser(ctx context.Context, username string) error

func (*AuthService) DeleteUserExternalPrincipal

func (s *AuthService) DeleteUserExternalPrincipal(_ context.Context, _, _ string) error

func (*AuthService) DetachPolicyFromGroup

func (s *AuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupDisplayName string) error

func (*AuthService) DetachPolicyFromGroupNoValidation

func (s *AuthService) DetachPolicyFromGroupNoValidation(ctx context.Context, policyDisplayName, groupDisplayName string) error

func (*AuthService) DetachPolicyFromUser

func (s *AuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error

func (*AuthService) DetachPolicyFromUserNoValidation

func (s *AuthService) DetachPolicyFromUserNoValidation(ctx context.Context, policyDisplayName, username string) error

func (*AuthService) GetCredentials

func (s *AuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)

func (*AuthService) GetCredentialsForUser

func (s *AuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)

func (*AuthService) GetExternalPrincipal

func (s *AuthService) GetExternalPrincipal(_ context.Context, _ string) (*model.ExternalPrincipal, error)

func (*AuthService) GetGroup

func (s *AuthService) GetGroup(ctx context.Context, groupID string) (*model.Group, error)

func (*AuthService) GetPolicy

func (s *AuthService) GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)

func (*AuthService) GetUser

func (s *AuthService) GetUser(ctx context.Context, username string) (*model.User, error)

func (*AuthService) GetUserByEmail

func (s *AuthService) GetUserByEmail(ctx context.Context, email string) (*model.User, error)

func (*AuthService) GetUserByExternalID

func (s *AuthService) GetUserByExternalID(ctx context.Context, externalID string) (*model.User, error)

func (*AuthService) GetUserByID

func (s *AuthService) GetUserByID(ctx context.Context, userID string) (*model.User, error)

func (*AuthService) IsExternalPrincipalsEnabled

func (s *AuthService) IsExternalPrincipalsEnabled(_ context.Context) bool

func (*AuthService) ListEffectivePolicies

func (s *AuthService) ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*AuthService) ListGroupPolicies

func (s *AuthService) ListGroupPolicies(ctx context.Context, groupDisplayName string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*AuthService) ListGroupUsers

func (s *AuthService) ListGroupUsers(ctx context.Context, groupID string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

func (*AuthService) ListGroups

func (s *AuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

func (*AuthService) ListKVPaged

func (s *AuthService) ListKVPaged(ctx context.Context, protoType protoreflect.MessageType, params *model.PaginationParams, prefix []byte, secondary bool) ([]proto.Message, *model.Paginator, error)

func (*AuthService) ListPolicies

func (s *AuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*AuthService) ListUserCredentials

func (s *AuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)

func (*AuthService) ListUserExternalPrincipals

func (s *AuthService) ListUserExternalPrincipals(_ context.Context, _ string, _ *model.PaginationParams) ([]*model.ExternalPrincipal, *model.Paginator, error)

func (*AuthService) ListUserGroups

func (s *AuthService) ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

func (*AuthService) ListUserPolicies

func (s *AuthService) ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

func (*AuthService) ListUsers

func (s *AuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

func (*AuthService) RemoveUserFromGroup

func (s *AuthService) RemoveUserFromGroup(ctx context.Context, username, groupID string) error

func (*AuthService) SecretStore

func (s *AuthService) SecretStore() crypt.SecretStore

func (*AuthService) UpdateUserFriendlyName

func (s *AuthService) UpdateUserFriendlyName(_ context.Context, _ string, _ string) error

func (*AuthService) WritePolicy

func (s *AuthService) WritePolicy(ctx context.Context, policy *model.Policy, update bool) error

type Config

// Config is the ACL server configuration, populated from mapstructure keys
// (see NewConfig and Unmarshal) and checked by Validate.
type Config struct {
	// ListenAddress (key listen_address) is the address the server binds
	// to; a 0.0.0.0 host exposes the API on every interface.
	ListenAddress string `mapstructure:"listen_address"`

	// Database holds the backing store settings.
	Database config.Database
	Encrypt  struct {
		// SecretKey (key encrypt.secret_key) is mandatory; an empty value
		// is presumably reported as ErrMissingSecretKey by Validate. It is
		// a config.SecureString, presumably so the secret is redacted when
		// the configuration is printed or logged — verify.
		SecretKey config.SecureString `mapstructure:"secret_key" validate:"required"`
	}
	// Cache configures the auth lookup cache (compare params.ServiceCache in
	// NewAuthService). Jitter presumably randomizes TTL expiry — verify.
	Cache struct {
		Enabled bool
		Size    int
		TTL     time.Duration
		Jitter  time.Duration
	} `mapstructure:"cache"`
}

func NewConfig

func NewConfig() (*Config, error)

func (*Config) AuthEncryptionSecret

func (c *Config) AuthEncryptionSecret() []byte

func (*Config) Validate

func (c *Config) Validate() error

type Controller

// Controller implements the generated API handlers (apigen) on top of an
// auth.Service; see NewController.
type Controller struct {
	// Auth is the auth.Service the handlers operate on.
	Auth auth.Service
}

func NewController

func NewController(authService auth.Service) *Controller

func (*Controller) AddGroupMembership

func (c *Controller) AddGroupMembership(w http.ResponseWriter, r *http.Request, groupID, userID string)

func (*Controller) AttachPolicyToGroup

func (c *Controller) AttachPolicyToGroup(w http.ResponseWriter, r *http.Request, groupID, policyID string)

func (*Controller) AttachPolicyToUser

func (c *Controller) AttachPolicyToUser(w http.ResponseWriter, _ *http.Request, _, _ string)

func (*Controller) ClaimTokenId

func (*Controller) CreateCredentials

func (c *Controller) CreateCredentials(w http.ResponseWriter, r *http.Request, userID string, params apigen.CreateCredentialsParams)

func (*Controller) CreateGroup

func (*Controller) CreatePolicy

func (*Controller) CreateUser

func (*Controller) CreateUserExternalPrincipal

func (c *Controller) CreateUserExternalPrincipal(w http.ResponseWriter, _ *http.Request, _ string, _ apigen.CreateUserExternalPrincipalParams)

func (*Controller) DeleteCredentials

func (c *Controller) DeleteCredentials(w http.ResponseWriter, r *http.Request, userID string, accessKeyID string)

func (*Controller) DeleteGroup

func (c *Controller) DeleteGroup(w http.ResponseWriter, r *http.Request, groupID string)

func (*Controller) DeleteGroupMembership

func (c *Controller) DeleteGroupMembership(w http.ResponseWriter, r *http.Request, groupID, userID string)

func (*Controller) DeletePolicy

func (c *Controller) DeletePolicy(w http.ResponseWriter, _ *http.Request, _ string)

func (*Controller) DeleteUser

func (c *Controller) DeleteUser(w http.ResponseWriter, r *http.Request, username string)

func (*Controller) DeleteUserExternalPrincipal

func (c *Controller) DeleteUserExternalPrincipal(w http.ResponseWriter, _ *http.Request, _ string, _ apigen.DeleteUserExternalPrincipalParams)

func (*Controller) DetachPolicyFromGroup

func (c *Controller) DetachPolicyFromGroup(w http.ResponseWriter, _ *http.Request, _, _ string)

func (*Controller) DetachPolicyFromUser

func (c *Controller) DetachPolicyFromUser(w http.ResponseWriter, _ *http.Request, _, _ string)

func (*Controller) GetCredentials

func (c *Controller) GetCredentials(w http.ResponseWriter, r *http.Request, accessKeyId string)

func (*Controller) GetCredentialsForUser

func (c *Controller) GetCredentialsForUser(w http.ResponseWriter, r *http.Request, userId string, accessKeyId string)

func (*Controller) GetExternalPrincipal

func (c *Controller) GetExternalPrincipal(w http.ResponseWriter, _ *http.Request, _ apigen.GetExternalPrincipalParams)

func (*Controller) GetGroup

func (c *Controller) GetGroup(w http.ResponseWriter, r *http.Request, groupID string)

func (*Controller) GetPolicy

func (c *Controller) GetPolicy(w http.ResponseWriter, r *http.Request, policyID string)

func (*Controller) GetUser

func (c *Controller) GetUser(w http.ResponseWriter, r *http.Request, username string)

func (*Controller) GetVersion

func (c *Controller) GetVersion(w http.ResponseWriter, _ *http.Request)

func (*Controller) HealthCheck

func (c *Controller) HealthCheck(w http.ResponseWriter, _ *http.Request)

func (*Controller) ListGroupMembers

func (c *Controller) ListGroupMembers(w http.ResponseWriter, r *http.Request, groupID string, params apigen.ListGroupMembersParams)

func (*Controller) ListGroupPolicies

func (c *Controller) ListGroupPolicies(w http.ResponseWriter, r *http.Request, groupID string, params apigen.ListGroupPoliciesParams)

func (*Controller) ListGroups

func (c *Controller) ListGroups(w http.ResponseWriter, r *http.Request, params apigen.ListGroupsParams)

func (*Controller) ListPolicies

func (*Controller) ListUserCredentials

func (c *Controller) ListUserCredentials(w http.ResponseWriter, r *http.Request, userID string, params apigen.ListUserCredentialsParams)

func (*Controller) ListUserExternalPrincipals

func (c *Controller) ListUserExternalPrincipals(w http.ResponseWriter, _ *http.Request, _ string, _ apigen.ListUserExternalPrincipalsParams)

func (*Controller) ListUserGroups

func (c *Controller) ListUserGroups(w http.ResponseWriter, r *http.Request, userID string, params apigen.ListUserGroupsParams)

func (*Controller) ListUserPolicies

func (c *Controller) ListUserPolicies(w http.ResponseWriter, r *http.Request, userID string, params apigen.ListUserPoliciesParams)

func (*Controller) ListUsers

func (c *Controller) ListUsers(w http.ResponseWriter, r *http.Request, params apigen.ListUsersParams)

func (*Controller) UpdatePassword

func (*Controller) UpdatePolicy

func (c *Controller) UpdatePolicy(w http.ResponseWriter, r *http.Request, body apigen.UpdatePolicyJSONRequestBody, policyID string)

func (*Controller) UpdateUserFriendlyName

func (c *Controller) UpdateUserFriendlyName(w http.ResponseWriter, r *http.Request, body apigen.UpdateUserFriendlyNameJSONRequestBody, username string)

type HTTPClient

// HTTPClient holds settings for an outbound HTTP client; where it is
// consumed is not visible here.
type HTTPClient struct {
	// SkipVerify (key skip_verify) presumably disables TLS certificate
	// verification for outbound connections — verify at the consumer.
	// false is the safe default; enabling it removes server authentication
	// and should be confined to test environments.
	SkipVerify bool          `mapstructure:"skip_verify"`
	// Timeout (key timeout) bounds each outbound request; a zero Duration
	// presumably means no timeout — confirm at the consumer.
	Timeout    time.Duration `mapstructure:"timeout"`
}

type UserPredicate

// UserPredicate reports whether a user matches some condition; it is
// presumably used to filter users when listing them — the call sites are
// not visible here.
type UserPredicate func(u *model.UserData) bool

Directories

Path Synopsis
cmd
acl
