Documentation
Overview
Package basculecaps provides a standard format for token capabilities in the context of HTTP-based workflows. Capabilities handled by this package are expected to be of the format {prefix}{url pattern}:{method}.
The prefix can be a string literal or a regular expression. If it is a regular expression, it must not contain subexpressions. A prefix may also be the empty string.
The url pattern is expected to be a regular expression that matches request URLs that the token is authorized to access. This pattern may also be a string literal, but it cannot be blank and cannot contain subexpressions.
The method portion of the capability is a string literal that matches the request's method. The special token "all" is used to designate any regular expression. This special "all" token may be altered through configuration, but it cannot be an empty string.
Constants
const (
	// DefaultAllMethod is one of the default method strings that will match any HTTP method.
	DefaultAllMethod = "all"
)
Types
type Approver
type Approver struct {
	// contains filtered or unexported fields
}
Approver is a bascule HTTP approver that authorizes tokens with capabilities against requests.
This approver expects capabilities in tokens to be of the form <prefix><endpoint regex>:<method>.
The allowed prefixes must be set via one or more WithCapabilityPrefixes options. Prefixes may themselves contain colon delimiters and can be regular expressions without subexpressions.
func NewApprover
func NewApprover(opts ...ApproverOption) (a *Approver, err error)
NewApprover creates an Approver using the supplied options. At least one (1) of the configured prefixes must match an HTTP request's URL in order for a token to be authorized.
If no prefixes are added via WithPrefixes, then the returned approver will not authorize any requests.
func (*Approver) Approve
Approve attempts to match each capability to a configured prefix. Then, for any matched prefix, the URL regexp and method in the capability must match the resource. URLs are normalized with a leading '/'.
This method returns success (i.e. a nil error) when the first matching capability is found. If the token provided no capabilities, or if none of the token's capabilities authorized the request, this method returns bascule.ErrUnauthorized.
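The matching rules described above, as an added stand-alone sketch; it is not the basculecaps implementation and does not call its API. Assumptions: the method is whatever follows the last colon, the URL pattern must match the whole normalized URL, and the method comparison is exact; `approve`, `compileNoSubexp`, `errUnauthorized` and the sample capability are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

var errUnauthorized = errors.New("unauthorized") // stand-in for bascule.ErrUnauthorized

// compileNoSubexp compiles expr between the given anchors and rejects capture groups.
func compileNoSubexp(head, expr, tail string) (*regexp.Regexp, error) {
	re, err := regexp.Compile(head + "(?:" + expr + ")" + tail)
	if err == nil && re.NumSubexp() > 0 {
		err = fmt.Errorf("%q contains subexpressions", expr)
	}
	return re, err
}

// approve returns nil at the first capability whose prefix, URL pattern and method all match.
func approve(prefixes []string, allMethod string, caps []string, method, url string) error {
	if !strings.HasPrefix(url, "/") {
		url = "/" + url // URLs are normalized with a leading '/'
	}
	for _, c := range caps {
		for _, p := range prefixes { // no prefixes configured: nothing is ever approved
			pre, err := compileNoSubexp("^", p, "")
			if err != nil || !pre.MatchString(c) {
				continue
			}
			rest := c[len(pre.FindString(c)):]
			i := strings.LastIndex(rest, ":") // assumption: method follows the last colon
			if i <= 0 || i == len(rest)-1 {
				continue // url pattern and method cannot be blank
			}
			re, err := compileNoSubexp("^", rest[:i], "$") // assumption: whole-URL match
			if err == nil && re.MatchString(url) && (rest[i+1:] == allMethod || rest[i+1:] == method) {
				return nil
			}
		}
	}
	return errUnauthorized
}

func main() {
	caps := []string{"x1:webpa:foo:/api/v[0-9]+/device/.*:GET"} // constructed sample
	fmt.Println(approve([]string{"x1:webpa:foo:"}, "all", caps, "GET", "api/v2/device/abc"))
}
```

A capability whose URL pattern contains a capture group, such as `/api/(v1|v2)/.*`, is skipped by this sketch rather than matched, which mirrors the "no subexpressions" rule.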
type ApproverOption
type ApproverOption interface {
	// contains filtered or unexported methods
}
ApproverOption is a configurable option used to create an Approver.
func WithAllMethod
func WithAllMethod(allMethod string) ApproverOption
WithAllMethod changes the value used to signal a match of all HTTP methods. By default, DefaultAllMethod is used.
func WithPrefixes
func WithPrefixes(prefixes ...string) ApproverOption
WithPrefixes adds several prefixes used to match capabilities, e.g. x1:webpa:foo:. If no prefixes are set via this option, the approver rejects all tokens.
Note that a prefix can itself be a regular expression, but may not have any subexpressions.