auth

package
v0.27.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 1, 2024 License: MPL-2.0 Imports: 23 Imported by: 0

Documentation

Overview

Package auth package

Index

Constants

View Source 
const (
	JobTokenType              string = "job"
	ServiceAccountTokenType   string = "service_account"
	SCIMTokenType             string = "scim"
	VCSWorkspaceLinkTokenType string = "vcs_workspace_link"
)

Valid token types used as private claims for tokens issued by Tharsis. #nosec: G101 -- false flag.

Variables

This section is empty.

Functions

func FindToken 

func FindToken(r *http.Request) string

FindToken returns the bearer token from an HTTP request

func GetSubject added in v0.11.0 

func GetSubject(ctx context.Context) *string

GetSubject returns a context's subject. Return nil if no subject was found on the context.

func HandleCaller 

func HandleCaller(
	ctx context.Context,
	userHandler func(ctx context.Context, caller *UserCaller) error,
	serviceAccountHandler func(ctx context.Context, caller *ServiceAccountCaller) error,
) error

HandleCaller will invoke the provided callback based on the type of caller

func ParseUsername 

func ParseUsername(username string) string

ParseUsername parses the username, if any, from the email.

func WithApplyID added in v0.9.0 

func WithApplyID(id string) func(*constraints)

WithApplyID sets the ApplyID on constraints struct.

func WithCaller 

func WithCaller(ctx context.Context, caller Caller) context.Context

WithCaller adds the caller to the context

func WithGroupID added in v0.9.0 

func WithGroupID(id string) func(*constraints)

WithGroupID sets the GroupID on constraints struct.

func WithJobID added in v0.9.0 

func WithJobID(id string) func(*constraints)

WithJobID sets the JobID on constraints struct.

func WithNamespacePath added in v0.9.0 

func WithNamespacePath(namespacePath string) func(*constraints)

WithNamespacePath sets the Namespace on constraints struct.

func WithNamespacePaths added in v0.9.0 

func WithNamespacePaths(namespacePaths []string) func(*constraints)

WithNamespacePaths sets the NamespacePaths on constraints struct.

func WithPlanID added in v0.9.0 

func WithPlanID(id string) func(*constraints)

WithPlanID sets the PlanID on constraints struct.

func WithRunID added in v0.9.0 

func WithRunID(id string) func(*constraints)

WithRunID sets the RunID on constraints struct.

func WithRunnerID added in v0.9.0 

func WithRunnerID(id string) func(*constraints)

WithRunnerID sets the RunnerID on constraints struct.

func WithSubject added in v0.11.0 

func WithSubject(ctx context.Context, subject string) context.Context

WithSubject adds the subject string to the context

func WithTeamID added in v0.9.0 

func WithTeamID(id string) func(*constraints)

WithTeamID sets the TeamID on Constraints struct.

func WithUserID added in v0.9.0 

func WithUserID(id string) func(*constraints)

WithUserID sets the UserID on constraints struct.

func WithWorkspaceID added in v0.9.0 

func WithWorkspaceID(id string) func(*constraints)

WithWorkspaceID sets the WorkspaceID on constraints struct.

Types

type Authenticator 

type Authenticator struct {
	// contains filtered or unexported fields
}

Authenticator is used to authenticate JWT tokens

func NewAuthenticator 

func NewAuthenticator(
	userAuth *UserAuth,
	idp *IdentityProvider,
	dbClient *db.Client,
	maintenanceMonitor maintenance.Monitor,
	issuerURL string,
) *Authenticator

NewAuthenticator creates a new Authenticator instance

func (*Authenticator) Authenticate 

func (a *Authenticator) Authenticate(ctx context.Context, tokenString string, useCache bool) (Caller, error)

Authenticate verifies the token and returns a Caller

type Authorizer 

type Authorizer interface {
	GetRootNamespaces(ctx context.Context) ([]models.MembershipNamespace, error)
	RequireAccess(ctx context.Context, perms []permissions.Permission, checks ...func(*constraints)) error
	RequireAccessToInheritableResource(ctx context.Context, resourceTypes []permissions.ResourceType, checks ...func(*constraints)) error
}

Authorizer is used to authorize access to namespaces

type Caller 

type Caller interface {
	GetSubject() string
	IsAdmin() bool
	GetNamespaceAccessPolicy(ctx context.Context) (*NamespaceAccessPolicy, error)
	RequirePermission(ctx context.Context, perms permissions.Permission, checks ...func(*constraints)) error
	RequireAccessToInheritableResource(ctx context.Context, resourceType permissions.ResourceType, checks ...func(*constraints)) error
	UnauthorizedError(ctx context.Context, hasViewerAccess bool) error
}

Caller represents a subject performing an API request

func AuthorizeCaller 

func AuthorizeCaller(ctx context.Context) (Caller, error)

AuthorizeCaller verifies that a caller has been authenticated and returns the caller

func GetCaller added in v0.11.0 

func GetCaller(ctx context.Context) Caller

GetCaller returns a context's caller. Return nil if no caller was found on the context.

type IdentityProvider 

type IdentityProvider struct {
	// contains filtered or unexported fields
}

IdentityProvider is used to create and verify service account tokens

func NewIdentityProvider 

func NewIdentityProvider(jwsPlugin jws.Provider, issuerURL string) *IdentityProvider

NewIdentityProvider initializes the IdentityProvider type

func (*IdentityProvider) GenerateToken 

func (s *IdentityProvider) GenerateToken(ctx context.Context, input *TokenInput) ([]byte, error)

GenerateToken creates a new service account token

func (*IdentityProvider) VerifyToken 

func (s *IdentityProvider) VerifyToken(ctx context.Context, token string) (*VerifyTokenOutput, error)

VerifyToken verifies that the token is a valid service account token

type IdentityProviderConfig 

type IdentityProviderConfig struct {
	Issuer        string
	ClientID      string
	UsernameClaim string
	JwksURI       string
	TokenEndpoint string
	AuthEndpoint  string
}

IdentityProviderConfig encompasses the information for an identity provider

type JobCaller 

type JobCaller struct {
	JobID       string
	WorkspaceID string
	RunID       string
	// contains filtered or unexported fields
}

JobCaller represents a job subject

func (*JobCaller) GetNamespaceAccessPolicy 

func (j *JobCaller) GetNamespaceAccessPolicy(_ context.Context) (*NamespaceAccessPolicy, error)

GetNamespaceAccessPolicy returns the namespace access policy for this caller

func (*JobCaller) GetSubject 

func (j *JobCaller) GetSubject() string

GetSubject returns the subject identifier for this caller

func (*JobCaller) IsAdmin added in v0.17.0 

func (j *JobCaller) IsAdmin() bool

IsAdmin returns true if the caller is an admin

func (*JobCaller) RequireAccessToInheritableResource added in v0.9.0 

func (j *JobCaller) RequireAccessToInheritableResource(ctx context.Context, _ permissions.ResourceType, checks ...func(*constraints)) error

RequireAccessToInheritableResource will return an error if caller doesn't have permissions to inherited resources.

func (*JobCaller) RequirePermission added in v0.9.0 

func (j *JobCaller) RequirePermission(ctx context.Context, perm permissions.Permission, checks ...func(*constraints)) error

RequirePermission will return an error if the caller doesn't have the specified permissions

func (*JobCaller) UnauthorizedError added in v0.19.0 

func (j *JobCaller) UnauthorizedError(ctx context.Context, hasViewerAccess bool) error

UnauthorizedError returns the unauthorized error for this specific caller type

type MockAuthorizer 

type MockAuthorizer struct {
	mock.Mock
}

MockAuthorizer is an autogenerated mock type for the Authorizer type

func NewMockAuthorizer 

func NewMockAuthorizer(t mockConstructorTestingTNewMockAuthorizer) *MockAuthorizer

NewMockAuthorizer creates a new instance of MockAuthorizer. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.

func (*MockAuthorizer) GetRootNamespaces 

func (_m *MockAuthorizer) GetRootNamespaces(ctx context.Context) ([]models.MembershipNamespace, error)

GetRootNamespaces provides a mock function with given fields: ctx

func (*MockAuthorizer) RequireAccess added in v0.9.0 

func (_m *MockAuthorizer) RequireAccess(ctx context.Context, perms []permissions.Permission, checks ...func(*constraints)) error

RequireAccess provides a mock function with given fields: ctx, perms, checks

func (*MockAuthorizer) RequireAccessToInheritableResource added in v0.9.0 

func (_m *MockAuthorizer) RequireAccessToInheritableResource(ctx context.Context, resourceTypes []permissions.ResourceType, checks ...func(*constraints)) error

RequireAccessToInheritableResource provides a mock function with given fields: ctx, resourceTypes, checks

type MockCaller 

type MockCaller struct {
	mock.Mock
}

MockCaller is an autogenerated mock type for the Caller type

func NewMockCaller 

func NewMockCaller(t mockConstructorTestingTNewMockCaller) *MockCaller

NewMockCaller creates a new instance of MockCaller. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.

func (*MockCaller) GetNamespaceAccessPolicy 

func (_m *MockCaller) GetNamespaceAccessPolicy(ctx context.Context) (*NamespaceAccessPolicy, error)

GetNamespaceAccessPolicy provides a mock function with given fields: ctx

func (*MockCaller) GetSubject 

func (_m *MockCaller) GetSubject() string

GetSubject provides a mock function with given fields:

func (*MockCaller) IsAdmin added in v0.17.0 

func (_m *MockCaller) IsAdmin() bool

IsAdmin provides a mock function with given fields:

func (*MockCaller) RequireAccessToInheritableResource added in v0.9.0 

func (_m *MockCaller) RequireAccessToInheritableResource(ctx context.Context, resourceType permissions.ResourceType, checks ...func(*constraints)) error

RequireAccessToInheritableResource provides a mock function with given fields: ctx, resourceType, checks

func (*MockCaller) RequirePermission added in v0.9.0 

func (_m *MockCaller) RequirePermission(ctx context.Context, perms permissions.Permission, checks ...func(*constraints)) error

RequirePermission provides a mock function with given fields: ctx, perms, checks

func (*MockCaller) UnauthorizedError added in v0.19.0 

func (_m *MockCaller) UnauthorizedError(ctx context.Context, hasViewerAccess bool) error

UnauthorizedError provides a mock function with given fields: ctx, hasViewerAccess

type NamespaceAccessPolicy 

type NamespaceAccessPolicy struct {
	// RootNamespaceIDs restricts the caller to the specified root namespaces
	RootNamespaceIDs []string
	// AllowAll indicates that the caller has access to all namespaces
	AllowAll bool
}

NamespaceAccessPolicy specifies the namespaces that a caller has access to

type OIDCConfiguration 

type OIDCConfiguration struct {
	Issuer        string `json:"issuer"`
	JwksURI       string `json:"jwks_uri"`
	TokenEndpoint string `json:"token_endpoint"`
	AuthEndpoint  string `json:"authorization_endpoint"`
}

OIDCConfiguration contains the OIDC information for an identity provider

type OpenIDConfigFetcher 

type OpenIDConfigFetcher struct {
	Client *retryablehttp.Client
}

OpenIDConfigFetcher implements functions to fetch OpenID configuration from an issuer.

func NewOpenIDConfigFetcher 

func NewOpenIDConfigFetcher() *OpenIDConfigFetcher

NewOpenIDConfigFetcher returns a new NewOpenIDConfigFetcher

func (*OpenIDConfigFetcher) GetOpenIDConfig 

func (o *OpenIDConfigFetcher) GetOpenIDConfig(ctx context.Context, issuer string) (*OIDCConfiguration, error)

GetOpenIDConfig returns the IDP config from the OIDC discovery document

type SCIMCaller 

type SCIMCaller struct {
	// contains filtered or unexported fields
}

SCIMCaller represents a SCIM subject.

func NewSCIMCaller 

func NewSCIMCaller(dbClient *db.Client, maintenanceMonitor maintenance.Monitor) *SCIMCaller

NewSCIMCaller returns a new SCIM caller.

func (*SCIMCaller) GetNamespaceAccessPolicy 

func (s *SCIMCaller) GetNamespaceAccessPolicy(_ context.Context) (*NamespaceAccessPolicy, error)

GetNamespaceAccessPolicy returns the namespace access policy for this caller.

func (*SCIMCaller) GetSubject 

func (s *SCIMCaller) GetSubject() string

GetSubject returns the subject identifier for this caller.

func (*SCIMCaller) IsAdmin added in v0.17.0 

func (s *SCIMCaller) IsAdmin() bool

IsAdmin returns true if the caller is an admin.

func (*SCIMCaller) RequireAccessToInheritableResource added in v0.9.0 

func (s *SCIMCaller) RequireAccessToInheritableResource(ctx context.Context, _ permissions.ResourceType, _ ...func(*constraints)) error

RequireAccessToInheritableResource will return an error if the caller doesn't have access to the specified resource type.

func (*SCIMCaller) RequirePermission added in v0.9.0 

func (s *SCIMCaller) RequirePermission(ctx context.Context, perm permissions.Permission, checks ...func(*constraints)) error

RequirePermission will return an error if the caller doesn't have the specified permissions.

func (*SCIMCaller) UnauthorizedError added in v0.19.0 

func (s *SCIMCaller) UnauthorizedError(_ context.Context, hasViewerAccess bool) error

UnauthorizedError returns the unauthorized error for this specific caller type

type ServiceAccountCaller 

type ServiceAccountCaller struct {
	ServiceAccountPath string
	ServiceAccountID   string
	// contains filtered or unexported fields
}

ServiceAccountCaller represents a service account subject

func NewServiceAccountCaller 

func NewServiceAccountCaller(
	id,
	path string,
	authorizer Authorizer,
	dbClient *db.Client,
	maintenanceMonitor maintenance.Monitor,
) *ServiceAccountCaller

NewServiceAccountCaller returns a new ServiceAccountCaller

func (*ServiceAccountCaller) GetNamespaceAccessPolicy 

func (s *ServiceAccountCaller) GetNamespaceAccessPolicy(ctx context.Context) (*NamespaceAccessPolicy, error)

GetNamespaceAccessPolicy returns the namespace access policy for this caller

func (*ServiceAccountCaller) GetSubject 

func (s *ServiceAccountCaller) GetSubject() string

GetSubject returns the subject identifier for this caller

func (*ServiceAccountCaller) IsAdmin added in v0.17.0 

func (s *ServiceAccountCaller) IsAdmin() bool

IsAdmin returns true if the caller is an admin

func (*ServiceAccountCaller) RequireAccessToInheritableResource added in v0.9.0 

func (s *ServiceAccountCaller) RequireAccessToInheritableResource(ctx context.Context,
	resourceType permissions.ResourceType, checks ...func(*constraints)) error

RequireAccessToInheritableResource will return an error if caller doesn't have permissions to inherited resources.

func (*ServiceAccountCaller) RequirePermission added in v0.9.0 

func (s *ServiceAccountCaller) RequirePermission(ctx context.Context, perm permissions.Permission, checks ...func(*constraints)) error

RequirePermission will return an error if the caller doesn't have the specified permissions

func (*ServiceAccountCaller) UnauthorizedError added in v0.19.0 

func (s *ServiceAccountCaller) UnauthorizedError(_ context.Context, hasViewerAccess bool) error

UnauthorizedError returns the unauthorized error for this specific caller type

type SystemCaller 

type SystemCaller struct{}

SystemCaller is the caller subject for internal system calls

func (*SystemCaller) GetNamespaceAccessPolicy 

func (s *SystemCaller) GetNamespaceAccessPolicy(_ context.Context) (*NamespaceAccessPolicy, error)

GetNamespaceAccessPolicy returns the namespace access policy for this caller

func (*SystemCaller) GetSubject 

func (s *SystemCaller) GetSubject() string

GetSubject returns the subject identifier for this caller

func (*SystemCaller) IsAdmin added in v0.17.0 

func (s *SystemCaller) IsAdmin() bool

IsAdmin returns true if the caller is an admin

func (*SystemCaller) RequireAccessToInheritableResource added in v0.9.0 

func (s *SystemCaller) RequireAccessToInheritableResource(_ context.Context, _ permissions.ResourceType, _ ...func(*constraints)) error

RequireAccessToInheritableResource will return an error if the caller doesn't have access to the specified resource type

func (*SystemCaller) RequirePermission added in v0.9.0 

func (s *SystemCaller) RequirePermission(_ context.Context, _ permissions.Permission, _ ...func(*constraints)) error

RequirePermission will return an error if the caller doesn't have the specified permissions

func (*SystemCaller) UnauthorizedError added in v0.19.0 

func (s *SystemCaller) UnauthorizedError(_ context.Context, _ bool) error

UnauthorizedError returns the unauthorized error for this specific caller type

type TokenInput 

type TokenInput struct {
	Expiration *time.Time
	Claims     map[string]string
	Subject    string
	JwtID      string
}

TokenInput provides options for creating a new service account token

type UserAuth 

type UserAuth struct {
	// contains filtered or unexported fields
}

UserAuth implements JWT authentication

func NewUserAuth 

func NewUserAuth(
	ctx context.Context,
	identityProviders []IdentityProviderConfig,
	logger logger.Logger,
	dbClient *db.Client,
	maintenanceMonitor maintenance.Monitor,
) *UserAuth

NewUserAuth creates an instance of UserAuth

func (*UserAuth) Authenticate 

func (u *UserAuth) Authenticate(ctx context.Context, tokenString string, useCache bool) (*UserCaller, error)

Authenticate validates a user JWT and returns a UserCaller

func (*UserAuth) GetUsernameClaim 

func (u *UserAuth) GetUsernameClaim(token jwt.Token) (string, error)

GetUsernameClaim returns the username from a JWT token

type UserCaller 

type UserCaller struct {
	User *models.User
	// contains filtered or unexported fields
}

UserCaller represents a user subject

func NewUserCaller 

func NewUserCaller(
	user *models.User,
	authorizer Authorizer,
	dbClient *db.Client,
	maintenanceMonitor maintenance.Monitor,
) *UserCaller

NewUserCaller returns a new UserCaller

func (*UserCaller) GetNamespaceAccessPolicy 

func (u *UserCaller) GetNamespaceAccessPolicy(ctx context.Context) (*NamespaceAccessPolicy, error)

GetNamespaceAccessPolicy returns the namespace access policy for this caller

func (*UserCaller) GetSubject 

func (u *UserCaller) GetSubject() string

GetSubject returns the subject identifier for this caller

func (*UserCaller) GetTeams 

func (u *UserCaller) GetTeams(ctx context.Context) ([]models.Team, error)

GetTeams does lazy initialization of the list of teams for this user caller.

func (*UserCaller) IsAdmin added in v0.17.0 

func (u *UserCaller) IsAdmin() bool

IsAdmin returns true if the caller is an admin

func (*UserCaller) RequireAccessToInheritableResource added in v0.9.0 

func (u *UserCaller) RequireAccessToInheritableResource(ctx context.Context, resourceType permissions.ResourceType, checks ...func(*constraints)) error

RequireAccessToInheritableResource will return an error if caller doesn't have permissions to inherited resources.

func (*UserCaller) RequirePermission added in v0.9.0 

func (u *UserCaller) RequirePermission(ctx context.Context, perm permissions.Permission, checks ...func(*constraints)) error

RequirePermission will return an error if the caller doesn't have the specified permissions

func (*UserCaller) UnauthorizedError added in v0.19.0 

func (u *UserCaller) UnauthorizedError(_ context.Context, hasViewerAccess bool) error

UnauthorizedError returns the unauthorized error for this specific caller type

type VCSWorkspaceLinkCaller 

type VCSWorkspaceLinkCaller struct {
	Provider *models.VCSProvider
	Link     *models.WorkspaceVCSProviderLink
	// contains filtered or unexported fields
}

VCSWorkspaceLinkCaller represents a VCS provider subject.

func NewVCSWorkspaceLinkCaller 

func NewVCSWorkspaceLinkCaller(
	provider *models.VCSProvider,
	link *models.WorkspaceVCSProviderLink,
	dbClient *db.Client,
	maintenanceMonitor maintenance.Monitor,
) *VCSWorkspaceLinkCaller

NewVCSWorkspaceLinkCaller returns a new VCS caller.

func (*VCSWorkspaceLinkCaller) GetNamespaceAccessPolicy 

func (v *VCSWorkspaceLinkCaller) GetNamespaceAccessPolicy(_ context.Context) (*NamespaceAccessPolicy, error)

GetNamespaceAccessPolicy returns the namespace access policy for this caller.

func (*VCSWorkspaceLinkCaller) GetSubject 

func (v *VCSWorkspaceLinkCaller) GetSubject() string

GetSubject returns the subject identifier for this caller.

func (*VCSWorkspaceLinkCaller) IsAdmin added in v0.17.0 

func (v *VCSWorkspaceLinkCaller) IsAdmin() bool

IsAdmin returns true if the caller is an admin.

func (*VCSWorkspaceLinkCaller) RequireAccessToInheritableResource added in v0.9.0 

func (v *VCSWorkspaceLinkCaller) RequireAccessToInheritableResource(ctx context.Context, _ permissions.ResourceType, _ ...func(*constraints)) error

RequireAccessToInheritableResource will return an error if the caller doesn't have access to the specified resource type

func (*VCSWorkspaceLinkCaller) RequirePermission added in v0.9.0 

func (v *VCSWorkspaceLinkCaller) RequirePermission(ctx context.Context, perm permissions.Permission, checks ...func(*constraints)) error

RequirePermission will return an error if the caller doesn't have the specified permissions.

func (*VCSWorkspaceLinkCaller) UnauthorizedError added in v0.19.0 

func (v *VCSWorkspaceLinkCaller) UnauthorizedError(_ context.Context, hasViewerAccess bool) error

UnauthorizedError returns the unauthorized error for this specific caller type

type VerifyTokenOutput 

type VerifyTokenOutput struct {
	Token         jwt.Token
	PrivateClaims map[string]string
}

VerifyTokenOutput is the response from verifying a token

Source Files

View all Source files

Directories

Path Synopsis
Package permissions contains the permission sets and other related functionalities that dictate the level of access a subject has to a Tharsis resource.
 Package permissions contains the permission sets and other related functionalities that dictate the level of access a subject has to a Tharsis resource.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.