basculechecks

package v1.11.9
Published: Jul 26, 2021 License: Apache-2.0 Imports: 18 Imported by: 1

Documentation

Constants

const (
	OutcomeLabel   = "outcome"
	ReasonLabel    = "reason"
	ClientIDLabel  = "clientid"
	EndpointLabel  = "endpoint"
	PartnerIDLabel = "partnerid"
	ServerLabel    = "server"
)

labels

const (
	RejectedOutcome = "rejected"
	AcceptedOutcome = "accepted"
	// reasons
	TokenMissing             = "auth_missing"
	UndeterminedPartnerID    = "undetermined_partner_ID"
	UndeterminedCapabilities = "undetermined_capabilities"
	EmptyCapabilitiesList    = "empty_capabilities_list"
	TokenMissingValues       = "auth_is_missing_values"
	NoCapabilityChecker      = "no_capability_checker"
	NoCapabilitiesMatch      = "no_capabilities_match"
	EmptyParsedURL           = "empty_parsed_URL"
)

outcomes

const (
	AuthCapabilityCheckOutcome = "auth_capability_check"
)

Names for our metrics

const (
	CapabilityKey = "capabilities"
)

Variables

var (
	ErrNilDefaultChecker = errors.New("default checker cannot be nil")
	ErrEmptyEndpoint     = errors.New("endpoint provided is empty")
)

var (
	ErrNoVals                 = errors.New("expected at least one value")
	ErrNoAuth                 = errors.New("couldn't get request info: authorization not found")
	ErrNoToken                = errors.New("no token found in Auth")
	ErrNoValidCapabilityFound = errors.New("no valid capability for endpoint")
	ErrNilAttributes          = errors.New("nil attributes interface")
	ErrNoURL                  = errors.New("invalid URL found in Auth")
)

Functions

func DeterminePartnerMetric added in v1.11.0

func DeterminePartnerMetric(partners []string) string

DeterminePartnerMetric takes a list of partners and decides what the partner metric label should be.

func Metrics

func Metrics() []xmetrics.Metric

Metrics returns the Metrics relevant to this package, targeting our older non-uber/fx applications. To initialize the metrics, use NewAuthCapabilityCheckMeasures().

func PartnerKeys added in v1.11.1

func PartnerKeys() []string

func ProvideMetrics added in v1.10.2

func ProvideMetrics() fx.Option

ProvideMetrics provides the metrics relevant to this package as uber/fx options. This is now deprecated in favor of ProvideMetricsVec.

func ProvideMetricsVec added in v1.11.5

func ProvideMetricsVec() fx.Option

ProvideMetricsVec provides the metrics relevant to this package as uber/fx options. The provided metrics are prometheus vectors, which give access to more advanced operations such as CurryWith(labels).

Types

type AlwaysCheck added in v1.11.3

type AlwaysCheck bool

AlwaysCheck is a CapabilityChecker that always returns its fixed boolean value, either true or false.

func (AlwaysCheck) Authorized added in v1.11.3

func (a AlwaysCheck) Authorized(_, _, _ string) bool

Authorized returns the saved boolean value, rather than checking the parameters given.

type AuthCapabilityCheckMeasures added in v1.6.2

type AuthCapabilityCheckMeasures struct {
	CapabilityCheckOutcome metrics.Counter
}

AuthCapabilityCheckMeasures describes the defined metrics that will be used by clients

func NewAuthCapabilityCheckMeasures added in v1.6.2

func NewAuthCapabilityCheckMeasures(p provider.Provider) *AuthCapabilityCheckMeasures

NewAuthCapabilityCheckMeasures realizes the desired metrics. It's intended to be used alongside Metrics() for our older non-uber/fx applications.

type BaseMeasuresIn added in v1.11.5

type BaseMeasuresIn struct {
	fx.In
	Logger                 log.Logger
	CapabilityCheckOutcome *prometheus.CounterVec `name:"auth_capability_check"`
}

BaseMeasuresIn is an uber/fx parameter with base metrics ready to be curried into child metrics based on custom labels.

type CapabilitiesChecker added in v1.11.0

type CapabilitiesChecker interface {
	Check(auth bascule.Authentication, vals ParsedValues) (string, error)
}

CapabilitiesChecker is an object that can determine if a request is authorized given a bascule.Authentication object. If it's not authorized, a reason and error are given for logging and metrics.

type CapabilitiesMap added in v1.11.3

type CapabilitiesMap struct {
	Checkers       map[string]CapabilityChecker
	DefaultChecker CapabilityChecker
}

CapabilitiesMap runs a capability check based on the value of the parsedURL, which is the key into the CapabilitiesMap's map. The parsedURL is expected to be a regex value, so that URLs containing an ID or some other variable portion are bucketed together.

func (CapabilitiesMap) Check added in v1.11.3

Check uses the parsed endpoint value to determine which CapabilityChecker to run against the capabilities in the auth provided. If there is no CapabilityChecker for the endpoint, the default is used. As long as one capability is found to be authorized by the CapabilityChecker, no error is returned.

type CapabilitiesValidator added in v1.11.0

type CapabilitiesValidator struct {
	Checker CapabilityChecker
}

CapabilitiesValidator checks the capabilities provided in a bascule.Authentication object to determine if a request is authorized. It can also provide a function to be used in authorization middleware that pulls the Authentication object from a context before checking it.

func (CapabilitiesValidator) Check added in v1.11.0

Check takes the needed values out of the given Authentication object in order to determine if a request is authorized. It does this by iterating over each capability and calling the CapabilityChecker. If no capability authorizes the client for the given endpoint and method, the request is unauthorized.

func (CapabilitiesValidator) CreateValidator added in v1.11.0

func (c CapabilitiesValidator) CreateValidator(errorOut bool) bascule.ValidatorFunc

CreateValidator creates a function that determines whether or not a client is authorized to make a request to an endpoint. It uses the bascule.Authentication from the context to get the information needed by the CapabilityChecker to determine authorization.

type CapabilityChecker added in v1.11.0

type CapabilityChecker interface {
	Authorized(string, string, string) bool
}

CapabilityChecker is an object that can determine if a capability provides authorization to the endpoint.

type ConstCheck added in v1.11.0

type ConstCheck string

ConstCheck is a basic capability checker that determines a capability is authorized if it matches the ConstCheck's string.

func (ConstCheck) Authorized added in v1.11.0

func (c ConstCheck) Authorized(capability, _, _ string) bool

Authorized validates the capability provided against the stored string.

type EndpointRegexCheck added in v1.11.0

type EndpointRegexCheck struct {
	// contains filtered or unexported fields
}

EndpointRegexCheck uses a regular expression to validate an endpoint and method provided in a capability against the endpoint hit and method used for the request.

func NewEndpointRegexCheck added in v1.11.0

func NewEndpointRegexCheck(prefix string, acceptAllMethod string) (EndpointRegexCheck, error)

NewEndpointRegexCheck creates an object that implements the CapabilityChecker interface. It takes a prefix that is expected at the beginning of a capability and a string that, if provided in the capability, authorizes all methods for that endpoint. After the prefix, the EndpointRegexCheck expects an endpoint regular expression and an HTTP method, separated by a colon. The expected format of a capability is: <prefix><endpoint regex>:<method>

func (EndpointRegexCheck) Authorized added in v1.11.0

func (e EndpointRegexCheck) Authorized(capability string, urlToMatch string, methodToMatch string) bool

Authorized checks the capability against the endpoint hit and method used. If the capability has the correct prefix and is meant to be used with the method provided to access the endpoint provided, it is authorized.
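The following is an added, standalone Go re-implementation of the documented <prefix><endpoint regex>:<method> check; it is illustration code, not the basculechecks type itself. The prefix "x1:webpa:api:" and the "all" wildcard method are constructed values, and requiring the endpoint regex to match from the start of the URL is an assumption of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// endpointRegexCheck re-implements the documented capability format
// <prefix><endpoint regex>:<method>; it is not the basculechecks type itself.
type endpointRegexCheck struct {
	capabilityRe    *regexp.Regexp // anchored prefix; captures endpoint regex and method
	acceptAllMethod string
}

func newEndpointRegexCheck(prefix, acceptAllMethod string) (endpointRegexCheck, error) {
	re, err := regexp.Compile("^" + regexp.QuoteMeta(prefix) + "(.+):([^:]+)$")
	if err != nil {
		return endpointRegexCheck{}, err
	}
	return endpointRegexCheck{capabilityRe: re, acceptAllMethod: acceptAllMethod}, nil
}

// authorized reports whether one capability grants methodToMatch on urlToMatch.
func (e endpointRegexCheck) authorized(capability, urlToMatch, methodToMatch string) bool {
	m := e.capabilityRe.FindStringSubmatch(capability)
	if m == nil {
		return false // wrong prefix or malformed capability
	}
	endpointRegex, method := m[1], m[2]
	if method != e.acceptAllMethod && !strings.EqualFold(method, methodToMatch) {
		return false
	}
	// The endpoint regex comes from the token: a malformed one means "no match",
	// not a panic. Assumption: it must match from the start of the URL.
	re, err := regexp.Compile("^(?:" + endpointRegex + ")")
	if err != nil {
		return false
	}
	return re.MatchString(urlToMatch)
}

func main() {
	chk, err := newEndpointRegexCheck("x1:webpa:api:", "all") // constructed prefix and wildcard
	if err != nil {
		panic(err)
	}
	fmt.Println(chk.authorized("x1:webpa:api:device/.*/stat:get", "device/mac:112233445566/stat", "GET"))
}
```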

type MeasuresFactory added in v1.11.5

type MeasuresFactory struct {
	ServerName string
}

MeasuresFactory facilitates the creation of child metrics based on server labels.

func (MeasuresFactory) Annotated added in v1.11.5

func (m MeasuresFactory) Annotated() fx.Annotated

Annotated provides the measures as an annotated component with the name "[SERVER]_bascule_capability_measures"

func (MeasuresFactory) NewMeasures added in v1.11.5

NewMeasures builds the metric listener from the provided raw metrics.

type MetricValidator added in v1.11.0

type MetricValidator struct {
	C         CapabilitiesChecker
	Measures  *AuthCapabilityCheckMeasures
	Endpoints []*regexp.Regexp
}

MetricValidator determines if a request is authorized and then updates a metric to show those results.

func (MetricValidator) CreateValidator added in v1.11.0

func (m MetricValidator) CreateValidator(errorOut bool) bascule.ValidatorFunc

CreateValidator provides a function for authorization middleware. The function parses the information needed for the CapabilitiesChecker, calls it to determine if the request is authorized, and records the result in a metric. Depending on configuration, the function either marks the request as unauthorized or only updates the metric and allows the request through. This allows for monitoring before authorization is made stricter.

type ParsedValues added in v1.11.3

type ParsedValues struct {
	// Endpoint is the string representation of a regular expression that
	// matches the URL for the request.  The main benefit of this string is it
	// most likely won't include strings that change from one request to the
	// next (i.e., device ID).
	Endpoint string
	// Partner is a string representation of the list of partners found in the
	// JWT, where:
	//   - any list including "*" as a partner is determined to be "wildcard".
	//   - when the list is <1 item, the partner is determined to be "none".
	//   - when the list is >1 item, the partner is determined to be "many".
	//   - when the list is only one item, that is the partner value.
	Partner string
}
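An added example, not the package's own code, of how the documented partner rules behind DeterminePartnerMetric and an endpoint regexp bucket produce ParsedValues-style label values; the endpoint patterns and partner names are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// determinePartnerMetric applies the rules documented on ParsedValues.Partner
// (illustration code, not the basculechecks implementation), in the listed
// order: wildcard first, then none, many, and finally the single partner.
func determinePartnerMetric(partners []string) string {
	for _, p := range partners {
		if p == "*" {
			return "wildcard"
		}
	}
	switch {
	case len(partners) < 1:
		return "none"
	case len(partners) > 1:
		return "many"
	}
	// A single partner ID becomes a metric label value as-is, so the set of
	// partners seen in tokens bounds the label cardinality.
	return partners[0]
}

// determineEndpointMetric returns the source of the first configured endpoint
// regexp that matches the request URL, so the label omits per-request values
// such as device IDs. An empty result corresponds to the EmptyParsedURL reason.
func determineEndpointMetric(endpoints []*regexp.Regexp, url string) string {
	for _, re := range endpoints {
		if re.MatchString(url) {
			return re.String()
		}
	}
	return ""
}

func main() {
	endpoints := []*regexp.Regexp{ // constructed endpoint buckets
		regexp.MustCompile(`^/api/v2/device/[^/]+/stat$`),
		regexp.MustCompile(`^/api/v2/device/[^/]+/config$`),
	}
	fmt.Println(determineEndpointMetric(endpoints, "/api/v2/device/mac:112233445566/stat"))
	fmt.Println(determinePartnerMetric([]string{"acme", "*"}))
}
```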

ParsedValues are values determined from the bascule Authentication.
