authorize

package
Published: Jun 2, 2022 License: MIT Imports: 4 Imported by: 3

Documentation

Overview

Package authorize provides the definitions for group-based authorization.

Index

Constants

const (
	// GroupRoleNone indicates that the client has no particular role. It can not do anything until
	// the role is upgraded to viewer or better.
	// Subscribe permissions: none
	// Publish permissions: none
	GroupRoleNone = "none"

	// GroupRoleViewer lets a client subscribe to Thing TD and Thing Events
	// Subscribe permissions: TD, Events
	// Publish permissions: none
	GroupRoleViewer = "viewer"

	// GroupRoleOperator lets a client subscribe to Thing TD, events and publish actions
	// Subscribe permissions: TD, Events
	// Publish permissions: Actions
	GroupRoleOperator = "operator"

	// GroupRoleManager lets a client subscribe to Thing TD, events, publish actions and update configuration
	// Subscribe permissions: TD, Events
	// Publish permissions: Actions, Configuration
	GroupRoleManager = "manager"

	// GroupRoleThing indicates the client is an IoT device that can publish and subscribe
	// to Thing topics.
	// A Thing should only publish events and updates for Things it published the TD for.
	// Publish permissions: TD, Events
	// Subscribe permissions: Actions, Configuration
	GroupRoleThing = "thing"
)

Group roles set the permissions for accessing Things that are members of the same group.

const (
	// AuthRead to read a TD
	AuthRead = "read"

	// AuthEmitAction to authorize emit an action
	AuthEmitAction = "emitAction"

	// AuthPubEvent to authorize publishing of events
	AuthPubEvent = "pubEvent"

	// AuthPubPropValue to authorize publishing of property values
	AuthPubPropValue = "pubPropValues"

	// AuthPubTD to authorize publishing of a TD document
	AuthPubTD = "pubTD"

	// AuthWriteProperty to authorize writing property value
	AuthWriteProperty = "writeProperty"
)

Authorization of actions

const AclGroupAll = "all"

AclGroupAll defines the 'all' resources group.

const AllGroupName = "all"

AllGroupName is the name of the group that includes all Things (there is no need to add Things to it separately). Users that are members of the all group have access to all Things based on their role in that group.

Variables

This section is empty.

Functions

This section is empty.

Types

type Authorizer

type Authorizer struct {
	// contains filtered or unexported fields
}

Authorizer handles client authorization for access to Things.

Authorization uses access control lists with group membership and roles to determine if a client is authorized to receive or post a message. This applies to all users of the message bus, regardless of how they are authenticated.

func NewAuthorizer

func NewAuthorizer(aclStore IAclStore) *Authorizer

NewAuthorizer creates a new instance of the authorization handler for managing authorization.

aclStore provides the functions to read and write authorization rules.

func (*Authorizer) IsPublisher

func (ah *Authorizer) IsPublisher(deviceID string, thingID string) bool

IsPublisher checks if the deviceID is the publisher of the thingID. This requires that the thingID is formatted as "urn:zone:publisherID:sensorID...". Returns true if the deviceID is the publisher of the thingID, false if not.

func (*Authorizer) Start

func (ah *Authorizer) Start() error

Start the authorizer. This opens the ACL store for reading.

func (*Authorizer) Stop

func (ah *Authorizer) Stop()

Stop the authn handler and close the ACL and password store access.

func (*Authorizer) VerifyAuthorization

func (ah *Authorizer) VerifyAuthorization(
	userID string, certOU string, thingID string, authType string) bool

VerifyAuthorization tests if the client has access to the device for the given operation. The thingID is implicitly included in the 'all' group. Members of the 'all' group can access all things based on their role in that group.

userID is the login name or device ID of the client seeking permission
certOU is the OU of the client seeking permission, only if the client is authenticated with a client certificate. "" to ignore. certsetup.OUPlugin for plugins
thingID is the ID of the Thing to access
authType is one of: AuthEmitAction|AuthPubEvent|AuthWriteProperty|AuthPubPropValue|AuthRead

This returns false if access is denied or true if authorized.

func (*Authorizer) VerifyRolePermission

func (ah *Authorizer) VerifyRolePermission(role string, authType string) bool

VerifyRolePermission determines if the consumer role allows the read/write operation.

The viewer role has read access to properties
The operator role has access to invoke actions
The manager role has access to actions and read/write access to properties
The thing role has full read/write access to its own thing

authType describes authorization to perform: EmitAction, PublishEvent, WriteProperty, "" to read

Returns true if permission is denied, nil if granted

type IAclStore

type IAclStore interface {
	// GetGroups returns a list of groups a thing or user is a member of
	GetGroups(clientID string) []string

	// GetRole returns the highest role a user has in a list of groups.
	// Intended to get client permissions in case of overlapping groups.
	// Returns the role
	GetRole(clientID string, groupIDs []string) string

	// Close the store
	Close()

	// Open the store
	Open() error

	// SetRole writes the role for the client in a group
	SetRole(clientID string, groupID string, role string) error

	// Remove client from a group
	Remove(clientID string, groupID string) error
}

IAclStore defines the interface of a group-based ACL store.

type VerifyAuthorization

type VerifyAuthorization func(userID string, certOU string,
	thingID string, authType string) bool

VerifyAuthorization defines the function to authorize access to a Thing. Intended for use by all Hub services that need authorization.

userID is the ID of the authenticated user as used in the group/rule list
certOU is the user's organization when using client certificates.
thingID is the ID of the Thing the user is trying to access
authType is the message type when writing, e.g. td.MessagetypeTD,... use MessagetypeNone for reading
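The following is an added example, not code from the authorize package: it wires the documented pieces together (an IAclStore-style role lookup, the role permission table, IsPublisher, and a VerifyAuthorization that resolves the client's best role across the groups the Thing belongs to plus the implicit "all" group). The in-memory store, the rank ordering, and the rule that a client in the thing role may only publish for a Thing it is the publisher of are assumptions drawn from the doc comments above; the certOU parameter is left out.

```go
package main

import "strings"

// Role, authType and group names as documented for the authorize package.
const (
	GroupRoleNone, GroupRoleViewer, GroupRoleOperator = "none", "viewer", "operator"
	GroupRoleManager, GroupRoleThing, AllGroupName    = "manager", "thing", "all"
	AuthRead, AuthEmitAction, AuthPubEvent            = "read", "emitAction", "pubEvent"
	AuthPubPropValue, AuthPubTD, AuthWriteProperty    = "pubPropValues", "pubTD", "writeProperty"
)
// MemAcl is a constructed in-memory ACL standing in for IAclStore: Roles[clientID][groupID] = role.
type MemAcl struct{ Roles map[string]map[string]string }
var rank = map[string]int{GroupRoleViewer: 1, GroupRoleOperator: 2, GroupRoleManager: 3, GroupRoleThing: 4}

// GetRole returns the highest role the client holds in any of groupIDs, "none" otherwise
// (rank is an assumed ordering; the page only says the highest role wins for overlapping groups).
func (s *MemAcl) GetRole(clientID string, groupIDs []string) string {
	best := GroupRoleNone
	for _, g := range groupIDs {
		if r := s.Roles[clientID][g]; rank[r] > rank[best] {
			best = r
		}
	}
	return best
}

// perms is the documented role table (viewer: read; operator: +actions; manager: +write; thing: publish own).
var perms = map[string]map[string]bool{
	GroupRoleViewer:   {AuthRead: true},
	GroupRoleOperator: {AuthRead: true, AuthEmitAction: true},
	GroupRoleManager:  {AuthRead: true, AuthEmitAction: true, AuthWriteProperty: true},
	GroupRoleThing:    {AuthRead: true, AuthPubTD: true, AuthPubEvent: true, AuthPubPropValue: true},
}
func VerifyRolePermission(role, authType string) bool { return perms[role][authType] }

// IsPublisher: in "urn:zone:publisherID:sensorID..." the publisher is the third field.
func IsPublisher(deviceID, thingID string) bool {
	p := strings.Split(thingID, ":")
	return len(p) >= 4 && p[2] == deviceID
}
// VerifyAuthorization: the client's role is its best role across the Thing's groups (every Thing
// is implicitly in "all"); a client in the thing role may only publish for its own Thing.
func (s *MemAcl) VerifyAuthorization(userID, thingID, authType string) bool {
	groups := []string{AllGroupName}
	for g := range s.Roles[thingID] {
		groups = append(groups, g)
	}
	role := s.GetRole(userID, groups)
	if role == GroupRoleThing && !IsPublisher(userID, thingID) {
		return false
	}
	return VerifyRolePermission(role, authType)
}
```

Note that a device holding the thing role in a shared group is still refused when it tries to publish for a Thing whose ID names another publisher, which is the check that keeps one device from emitting events on behalf of another.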
