Documentation
Overview
Package authorizerd represents the policy updater daemon.
Index
- Variables
- type AccessTokenParam
- type Authorizerd
- type MappingRules
- type OAuthAccessToken
- type Option
- func WithAccessTokenParam(accessTokenParam AccessTokenParam) Option
- func WithAthenzDomains(domains ...string) Option
- func WithAthenzURL(url string) Option
- func WithCacheExp(exp time.Duration) Option
- func WithDisableJwkd() Option
- func WithDisablePolicyd() Option
- func WithDisablePubkeyd() Option
- func WithDisableRoleCert() Option
- func WithDisableRoleToken() Option
- func WithEnableJwkd() Option
- func WithEnablePolicyd() Option
- func WithEnablePubkeyd() Option
- func WithEnableRoleCert() Option
- func WithEnableRoleToken() Option
- func WithHTTPClient(c *http.Client) Option
- func WithJwkRefreshPeriod(t string) Option
- func WithJwkRetryDelay(i string) Option
- func WithJwkURLs(urls []string) Option
- func WithPolicyExpiryMargin(t string) Option
- func WithPolicyPurgePeriod(t string) Option
- func WithPolicyRefreshPeriod(t string) Option
- func WithPolicyRetryAttempts(c int) Option
- func WithPolicyRetryDelay(i string) Option
- func WithPubkeyETagExpiry(t string) Option
- func WithPubkeyETagPurgePeriod(t string) Option
- func WithPubkeyRefreshPeriod(t string) Option
- func WithPubkeyRetryDelay(i string) Option
- func WithPubkeySysAuthDomain(domain string) Option
- func WithRoleAuthHeader(h string) Option
- func WithRoleCertURIPrefix(t string) Option
- func WithTranslator(t Translator) Option
- type Principal
- type Rule
- type Translator
Constants
This section is empty.
Variables
var (
	// ErrRoleTokenInvalid "Access denied due to invalid RoleToken"
	ErrRoleTokenInvalid = role.ErrRoleTokenInvalid
	// ErrRoleTokenExpired "Access denied due to expired RoleToken"
	ErrRoleTokenExpired = role.ErrRoleTokenExpired
	// ErrDomainMismatch "Access denied due to domain mismatch between Resource and RoleToken"
	ErrDomainMismatch = policy.ErrDomainMismatch
	// ErrDomainNotFound "Access denied due to domain not found in library cache"
	ErrDomainNotFound = policy.ErrDomainNotFound
	// ErrDomainExpired "Access denied due to expired domain policy file"
	ErrDomainExpired = policy.ErrDomainExpired
	// ErrNoMatch "Access denied due to no match to any of the assertions defined in domain policy file"
	ErrNoMatch = policy.ErrNoMatch
	// ErrInvalidPolicyResource "Access denied due to invalid/empty policy resources"
	ErrInvalidPolicyResource = policy.ErrInvalidPolicyResource
	// ErrDenyByPolicy "Access Check was explicitly denied"
	ErrDenyByPolicy = policy.ErrDenyByPolicy
	// ErrFetchPolicy "Error fetching athenz policy"
	ErrFetchPolicy = policy.ErrFetchPolicy
	// ErrInvalidParameters "Access denied due to invalid/empty action/resource values"
	ErrInvalidParameters = errors.New("Access denied due to invalid/empty action/resource values")
	// ErrInvalidCredentials "Access denied due to invalid credentials"
	ErrInvalidCredentials = errors.New("Access denied due to invalid credentials")
)
Functions
This section is empty.
Types
type AccessTokenParam
type AccessTokenParam struct {
	// contains filtered or unexported fields
}
func NewAccessTokenParam
func NewAccessTokenParam(enable bool, verifyCertThumbprint bool, certBackdateDur, certOffsetDur string, verifyClientID bool, authorizedClientIDs map[string][]string) AccessTokenParam
NewAccessTokenParam returns a new access token parameter
type Authorizerd
type Authorizerd interface {
	// Init initializes the child daemons synchronously
	Init(ctx context.Context) error
	// Start starts the background updater of the child daemons asynchronously
	Start(ctx context.Context) <-chan error

	Verify(r *http.Request, act, res string) error
	Authorize(r *http.Request, act, res string) (Principal, error)
	VerifyAccessToken(ctx context.Context, tok, act, res string, cert *x509.Certificate) error
	AuthorizeAccessToken(ctx context.Context, tok, act, res string, cert *x509.Certificate) (Principal, error)
	VerifyRoleToken(ctx context.Context, tok, act, res string) error
	AuthorizeRoleToken(ctx context.Context, tok, act, res string) (Principal, error)
	VerifyRoleCert(ctx context.Context, peerCerts []*x509.Certificate, act, res string) error
	AuthorizeRoleCert(ctx context.Context, peerCerts []*x509.Certificate, act, res string) (Principal, error)
	GetPolicyCache(ctx context.Context) map[string]interface{}
}
Authorizerd represents a daemon for the user to verify role tokens (and, as the interface shows, access tokens and role certificates)
func New
func New(opts ...Option) (Authorizerd, error)
New creates the Authorizerd object with the options
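The Authorizerd interface together with the sentinel errors in the Variables section is enough to build an enforcement point. The following is an added example, not code from the athenz-authorizer project: an HTTP middleware that calls Verify on every request, maps the package's error values to 401 (credential problems), 403 (policy decisions) or 500 (anything else, so an unknown failure such as ErrFetchPolicy fails closed), and logs the decision inputs. The sentinel errors are redeclared locally with the strings from the Variables section so the file builds without the module; in real code you would import the package and compare against authorizerd.ErrRoleTokenExpired and friends. The method-to-action and path-to-resource mapping, the fakeAuthorizer decision table, the Athenz-Role-Auth header name and the URLs in the comment are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Local stand-ins for the sentinel errors exported by package authorizerd.
// Declared here only so this file builds without the module.
var (
	ErrRoleTokenInvalid   = errors.New("Access denied due to invalid RoleToken")
	ErrRoleTokenExpired   = errors.New("Access denied due to expired RoleToken")
	ErrInvalidCredentials = errors.New("Access denied due to invalid credentials")
	ErrDenyByPolicy       = errors.New("Access Check was explicitly denied")
	ErrNoMatch            = errors.New("Access denied due to no match to any of the assertions defined in domain policy file")
	ErrFetchPolicy        = errors.New("Error fetching athenz policy")
)

// Authorizer is the one method of authorizerd.Authorizerd the middleware needs;
// the value returned by authorizerd.New satisfies it.
type Authorizer interface {
	Verify(r *http.Request, act, res string) error
}

// StatusFor maps an authorizer error to the HTTP status the client sees.
// Credential failures are 401, policy decisions 403, and everything else 500,
// so an unexpected error (e.g. a policy fetch failure) never lets a request through.
func StatusFor(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, ErrRoleTokenInvalid),
		errors.Is(err, ErrRoleTokenExpired),
		errors.Is(err, ErrInvalidCredentials):
		return http.StatusUnauthorized
	case errors.Is(err, ErrDenyByPolicy), errors.Is(err, ErrNoMatch):
		return http.StatusForbidden
	default:
		return http.StatusInternalServerError
	}
}

// ActionResource derives the Athenz action and resource for a request.
// Lowercase HTTP method as action and the path without its leading slash as
// resource is a convention assumed for this example.
func ActionResource(r *http.Request) (act, res string) {
	return strings.ToLower(r.Method), strings.TrimPrefix(r.URL.Path, "/")
}

// Middleware calls Verify on each request and forwards only explicit allows.
func Middleware(a Authorizer, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		act, res := ActionResource(r)
		if err := a.Verify(r, act, res); err != nil {
			status := StatusFor(err)
			log.Printf("authz denied remote=%s act=%s res=%s status=%d err=%v",
				r.RemoteAddr, act, res, status, err)
			http.Error(w, http.StatusText(status), status)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// fakeAuthorizer is a constructed stand-in for the daemon so the middleware can
// run offline: it requires an Athenz-Role-Auth header (header name assumed; see
// WithRoleAuthHeader) and looks up "act res" in a fixed decision table.
type fakeAuthorizer struct{ decisions map[string]error }

func (f fakeAuthorizer) Verify(r *http.Request, act, res string) error {
	if r.Header.Get("Athenz-Role-Auth") == "" {
		return ErrRoleTokenInvalid
	}
	if err, ok := f.decisions[act+" "+res]; ok {
		return err
	}
	return ErrNoMatch
}

// Probe sends one request through the middleware and returns the status code.
func Probe(a Authorizer, method, path, roleToken string) int {
	h := Middleware(a, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(method, path, nil)
	if roleToken != "" {
		req.Header.Set("Athenz-Role-Auth", roleToken)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Real wiring (not built here) would replace fakeAuthorizer with:
	//   authz, err := authorizerd.New(
	//       authorizerd.WithAthenzURL("athenz.example.invalid/zts/v1"), // placeholder
	//       authorizerd.WithAthenzDomains("example-domain"),            // placeholder
	//   )
	//   authz.Init(ctx); errCh := authz.Start(ctx) // drain errCh and alert on refresh errors
	fa := fakeAuthorizer{decisions: map[string]error{
		"get orders": nil, "delete orders": ErrDenyByPolicy, "get audit": ErrFetchPolicy,
	}}
	fmt.Println(Probe(fa, "GET", "/orders", "constructed-token"))    // 200
	fmt.Println(Probe(fa, "GET", "/orders", ""))                     // 401
	fmt.Println(Probe(fa, "DELETE", "/orders", "constructed-token")) // 403
	fmt.Println(Probe(fa, "GET", "/audit", "constructed-token"))     // 500
}
```

Draining the channel returned by Start matters operationally: the background refreshers report policy and key fetch failures there, and a stale policy cache is the condition under which Verify starts returning ErrDomainExpired or ErrFetchPolicy for every request.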
type MappingRules added in v5.1.0
MappingRules keeps the translation rules
func NewMappingRules added in v5.1.0
func NewMappingRules(rules map[string][]Rule) (*MappingRules, error)
NewMappingRules creates the MappingRules object
type OAuthAccessToken
type OAuthAccessToken interface {
	ClientID() string
}
OAuthAccessToken is an interface for a principal that has an OAuthAccessToken
type Option
type Option func(*authority) error
Option represents a functional option
func WithAccessTokenParam
func WithAccessTokenParam(accessTokenParam AccessTokenParam) Option
WithAccessTokenParam returns a functional option that sets the access token parameter
func WithAthenzDomains
func WithAthenzDomains(domains ...string) Option
WithAthenzDomains returns an AthenzDomains functional option
func WithAthenzURL
func WithAthenzURL(url string) Option
WithAthenzURL returns an AthenzURL functional option
func WithCacheExp
func WithCacheExp(exp time.Duration) Option
WithCacheExp returns a CacheExp functional option
func WithDisableJwkd
func WithDisableJwkd() Option
WithDisableJwkd returns a DisableJwkd functional option
func WithDisablePolicyd
func WithDisablePolicyd() Option
WithDisablePolicyd returns a DisablePolicyd functional option
func WithDisablePubkeyd
func WithDisablePubkeyd() Option
WithDisablePubkeyd returns a DisablePubkeyd functional option
func WithDisableRoleCert
func WithDisableRoleCert() Option
WithDisableRoleCert returns a disable rolecert functional option
func WithDisableRoleToken
func WithDisableRoleToken() Option
WithDisableRoleToken returns a disable roletoken functional option
func WithEnableJwkd
func WithEnableJwkd() Option
WithEnableJwkd returns an EnableJwkd functional option
func WithEnablePolicyd
func WithEnablePolicyd() Option
WithEnablePolicyd returns an EnablePolicyd functional option
func WithEnablePubkeyd
func WithEnablePubkeyd() Option
WithEnablePubkeyd returns an EnablePubkeyd functional option
func WithEnableRoleCert
func WithEnableRoleCert() Option
WithEnableRoleCert returns an enable rolecert functional option
func WithEnableRoleToken
func WithEnableRoleToken() Option
WithEnableRoleToken returns an enable roletoken functional option
func WithHTTPClient
func WithHTTPClient(c *http.Client) Option
WithHTTPClient returns an HTTPClient functional option
func WithJwkRefreshPeriod
func WithJwkRefreshPeriod(t string) Option
WithJwkRefreshPeriod returns a JwkRefreshPeriod functional option
func WithJwkRetryDelay
func WithJwkRetryDelay(i string) Option
WithJwkRetryDelay returns a JwkRetryDelay functional option
func WithJwkURLs
func WithJwkURLs(urls []string) Option
WithJwkURLs returns a JwkURLs functional option
func WithPolicyExpiryMargin
func WithPolicyExpiryMargin(t string) Option
WithPolicyExpiryMargin returns a PolicyExpiryMargin functional option
func WithPolicyPurgePeriod
func WithPolicyPurgePeriod(t string) Option
WithPolicyPurgePeriod returns a PolicyPurgePeriod functional option
func WithPolicyRefreshPeriod
func WithPolicyRefreshPeriod(t string) Option
WithPolicyRefreshPeriod returns a PolicyRefreshPeriod functional option
func WithPolicyRetryAttempts
func WithPolicyRetryAttempts(c int) Option
WithPolicyRetryAttempts returns a PolicyRetryAttempts functional option
func WithPolicyRetryDelay
func WithPolicyRetryDelay(i string) Option
WithPolicyRetryDelay returns a PolicyRetryDelay functional option
func WithPubkeyETagExpiry
func WithPubkeyETagExpiry(t string) Option
WithPubkeyETagExpiry returns a PubkeyETagExpiry functional option
func WithPubkeyETagPurgePeriod
func WithPubkeyETagPurgePeriod(t string) Option
WithPubkeyETagPurgePeriod returns a PubkeyETagPurgePeriod functional option
func WithPubkeyRefreshPeriod
func WithPubkeyRefreshPeriod(t string) Option
WithPubkeyRefreshPeriod returns a PubkeyRefreshPeriod functional option
func WithPubkeyRetryDelay
func WithPubkeyRetryDelay(i string) Option
WithPubkeyRetryDelay returns a PubkeyRetryDelay functional option
func WithPubkeySysAuthDomain
func WithPubkeySysAuthDomain(domain string) Option
WithPubkeySysAuthDomain returns a PubkeySysAuthDomain functional option
func WithRoleAuthHeader
func WithRoleAuthHeader(h string) Option
WithRoleAuthHeader returns a RoleAuthHeader functional option
func WithRoleCertURIPrefix
func WithRoleCertURIPrefix(t string) Option
WithRoleCertURIPrefix returns a RoleCertURIPrefix functional option
func WithTranslator added in v5.1.0
func WithTranslator(t Translator) Option
WithTranslator returns a Translator functional option
type Principal
type Principal interface {
	Name() string
	Roles() []string
	Domain() string
	IssueTime() int64
	ExpiryTime() int64
	AuthorizedRoles() []string
}
Principal is an authenticated entity
Directories
Path | Synopsis |
---|---|
access | Package access represents the processing logic of access token. |
internal | |
internal/url | Package url contains the utility functions for URL processing |
jwk | Package jwk represents the jwk daemon fetching logic and the interface |
policy | Package policy represents the athenz policy updater fetching and verify logic and provides an interface to verify the policy data. |
pubkey | Package pubkey represents the public key updater fetching logic and the interface |
role | Package role represents the processing logic of role token. |