auth

package
v0.7.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 22, 2023 License: MPL-2.0 Imports: 21 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	JobTokenType              string = "job"
	ServiceAccountTokenType   string = "service_account"
	SCIMTokenType             string = "scim"
	VCSWorkspaceLinkTokenType string = "vcs_workspace_link"
)

Valid token types used as private claims for tokens issued by Tharsis. #nosec: G101 -- false flag.

Variables

This section is empty.

Functions

func FindToken 

func FindToken(r *http.Request) string

FindToken returns the bearer token from an HTTP request

func HandleCaller 

func HandleCaller(
	ctx context.Context,
	userHandler func(ctx context.Context, caller *UserCaller) error,
	serviceAccountHandler func(ctx context.Context, caller *ServiceAccountCaller) error,
) error

HandleCaller will invoke the provided callback based on the type of caller

func ParseUsername 

func ParseUsername(username string) string

ParseUsername parses the username, if any, from the email.

func WithCaller 

func WithCaller(ctx context.Context, caller Caller) context.Context

WithCaller adds the caller to the context

Types

type Authenticator 

type Authenticator struct {
	// contains filtered or unexported fields
}

Authenticator is used to authenticate JWT tokens

func NewAuthenticator 

func NewAuthenticator(userAuth *UserAuth, idp *IdentityProvider, dbClient *db.Client, issuerURL string) *Authenticator

NewAuthenticator creates a new Authenticator instance

func (*Authenticator) Authenticate 

func (a *Authenticator) Authenticate(ctx context.Context, tokenString string, useCache bool) (Caller, error)

Authenticate verifies the token and returns a Caller

type Authorizer 

type Authorizer interface {
	GetRootNamespaces(ctx context.Context) ([]models.MembershipNamespace, error)
	RequireAccessToGroup(ctx context.Context, groupID string, accessLevel models.Role) error
	RequireAccessToWorkspace(ctx context.Context, workspaceID string, accessLevel models.Role) error
	RequireAccessToNamespace(ctx context.Context, namespacePath string, accessLevel models.Role) error
	RequireViewerAccessToGroups(ctx context.Context, groups []models.Group) error
	RequireViewerAccessToWorkspaces(ctx context.Context, workspaces []models.Workspace) error
	RequireViewerAccessToNamespaces(ctx context.Context, requiredNamespaces []string) error
	RequireAccessToInheritedGroupResource(ctx context.Context, groupID string) error
	RequireAccessToInheritedNamespaceResource(ctx context.Context, namespace string) error
}

Authorizer is used to authorize access to namespaces

type Caller 

type Caller interface {
	GetSubject() string
	GetNamespaceAccessPolicy(ctx context.Context) (*NamespaceAccessPolicy, error)
	RequireAccessToNamespace(ctx context.Context, namespacePath string, accessLevel models.Role) error
	RequireViewerAccessToGroups(ctx context.Context, groups []models.Group) error
	RequireViewerAccessToWorkspaces(ctx context.Context, workspaces []models.Workspace) error
	RequireViewerAccessToNamespaces(ctx context.Context, namespaces []string) error
	RequireAccessToGroup(ctx context.Context, groupID string, accessLevel models.Role) error
	RequireAccessToWorkspace(ctx context.Context, workspaceID string, accessLevel models.Role) error
	RequireAccessToInheritedGroupResource(ctx context.Context, groupID string) error
	RequireAccessToInheritedNamespaceResource(ctx context.Context, namespace string) error
	RequireRunWriteAccess(ctx context.Context, runID string) error
	RequirePlanWriteAccess(ctx context.Context, planID string) error
	RequireApplyWriteAccess(ctx context.Context, applyID string) error
	RequireJobWriteAccess(ctx context.Context, jobID string) error
	RequireTeamCreateAccess(ctx context.Context) error
	RequireTeamUpdateAccess(ctx context.Context, teamID string) error
	RequireTeamDeleteAccess(ctx context.Context, teamID string) error
	RequireUserCreateAccess(ctx context.Context) error
	RequireUserUpdateAccess(ctx context.Context, userID string) error
	RequireUserDeleteAccess(ctx context.Context, userID string) error
}

Caller represents a subject performing an API request

func AuthorizeCaller 

func AuthorizeCaller(ctx context.Context) (Caller, error)

AuthorizeCaller verifies that a caller has been authenticated and returns the caller

type IdentityProvider 

type IdentityProvider struct {
	// contains filtered or unexported fields
}

IdentityProvider is used to create and verify service account tokens

func NewIdentityProvider 

func NewIdentityProvider(jwsPlugin jwsprovider.JWSProvider, issuerURL string) *IdentityProvider

NewIdentityProvider initializes the IdentityProvider type

func (*IdentityProvider) GenerateToken 

func (s *IdentityProvider) GenerateToken(ctx context.Context, input *TokenInput) ([]byte, error)

GenerateToken creates a new service account token

func (*IdentityProvider) VerifyToken 

func (s *IdentityProvider) VerifyToken(ctx context.Context, token string) (*VerifyTokenOutput, error)

VerifyToken verifies that the token is a valid service account token

type IdentityProviderConfig 

type IdentityProviderConfig struct {
	Issuer        string
	ClientID      string
	UsernameClaim string
	JwksURI       string
	TokenEndpoint string
	AuthEndpoint  string
}

IdentityProviderConfig encompasses the information for an identity provider

type JobCaller 

type JobCaller struct {
	JobID       string
	WorkspaceID string
	RunID       string
	// contains filtered or unexported fields
}

JobCaller represents a job subject

func (*JobCaller) GetNamespaceAccessPolicy 

func (j *JobCaller) GetNamespaceAccessPolicy(ctx context.Context) (*NamespaceAccessPolicy, error)

GetNamespaceAccessPolicy returns the namespace access policy for this caller

func (*JobCaller) GetSubject 

func (j *JobCaller) GetSubject() string

GetSubject returns the subject identifier for this caller

func (*JobCaller) RequireAccessToGroup 

func (j *JobCaller) RequireAccessToGroup(ctx context.Context, groupID string, accessLevel models.Role) error

RequireAccessToGroup will return an error if the caller doesn't have the required access level on the specified group

func (*JobCaller) RequireAccessToInheritedGroupResource 

func (j *JobCaller) RequireAccessToInheritedGroupResource(ctx context.Context, groupID string) error

RequireAccessToInheritedGroupResource will return an error if the caller doesn't have viewer access on any namespace within the namespace hierarchy

func (*JobCaller) RequireAccessToInheritedNamespaceResource 

func (j *JobCaller) RequireAccessToInheritedNamespaceResource(ctx context.Context, namespace string) error

RequireAccessToInheritedNamespaceResource will return an error if the caller doesn't have viewer access on any namespace within the namespace hierarchy

func (*JobCaller) RequireAccessToNamespace 

func (j *JobCaller) RequireAccessToNamespace(ctx context.Context, namespacePath string, accessLevel models.Role) error

RequireAccessToNamespace will return an error if the caller doesn't have the specified access level

func (*JobCaller) RequireAccessToWorkspace 

func (j *JobCaller) RequireAccessToWorkspace(ctx context.Context, workspaceID string, accessLevel models.Role) error

RequireAccessToWorkspace will return an error if the caller doesn't have the required access level on the specified workspace

func (*JobCaller) RequireApplyWriteAccess 

func (j *JobCaller) RequireApplyWriteAccess(ctx context.Context, applyID string) error

RequireApplyWriteAccess will return an error if the caller doesn't have permission to update apply state

func (*JobCaller) RequireJobWriteAccess 

func (j *JobCaller) RequireJobWriteAccess(ctx context.Context, jobID string) error

RequireJobWriteAccess will return an error if the caller doesn't have permission to update the state of the specified job

func (*JobCaller) RequirePlanWriteAccess 

func (j *JobCaller) RequirePlanWriteAccess(ctx context.Context, planID string) error

RequirePlanWriteAccess will return an error if the caller doesn't have permission to update plan state

func (*JobCaller) RequireRunWriteAccess 

func (j *JobCaller) RequireRunWriteAccess(ctx context.Context, runID string) error

RequireRunWriteAccess will return an error if the caller doesn't have permission to update run state

func (*JobCaller) RequireTeamCreateAccess 

func (j *JobCaller) RequireTeamCreateAccess(ctx context.Context) error

RequireTeamCreateAccess will return an error if the specified access is not allowed to the indicated team.

func (*JobCaller) RequireTeamDeleteAccess 

func (j *JobCaller) RequireTeamDeleteAccess(ctx context.Context, teamID string) error

RequireTeamDeleteAccess will return an error if the specified access is not allowed to the indicated team.

func (*JobCaller) RequireTeamUpdateAccess 

func (j *JobCaller) RequireTeamUpdateAccess(ctx context.Context, teamID string) error

RequireTeamUpdateAccess will return an error if the specified access is not allowed to the indicated team.

func (*JobCaller) RequireUserCreateAccess 

func (j *JobCaller) RequireUserCreateAccess(ctx context.Context) error

RequireUserCreateAccess will return an error if the specified caller is not allowed to create users.

func (*JobCaller) RequireUserDeleteAccess 

func (j *JobCaller) RequireUserDeleteAccess(ctx context.Context, userID string) error

RequireUserDeleteAccess will return an error if the specified caller is not allowed to delete a user.

func (*JobCaller) RequireUserUpdateAccess 

func (j *JobCaller) RequireUserUpdateAccess(ctx context.Context, userID string) error

RequireUserUpdateAccess will return an error if the specified caller is not allowed to update a user.

func (*JobCaller) RequireViewerAccessToGroups 

func (j *JobCaller) RequireViewerAccessToGroups(ctx context.Context, groups []models.Group) error

RequireViewerAccessToGroups will return an error if the caller doesn't have viewer access to all the specified groups

func (*JobCaller) RequireViewerAccessToNamespaces 

func (j *JobCaller) RequireViewerAccessToNamespaces(ctx context.Context, namespaces []string) error

RequireViewerAccessToNamespaces will return an error if the caller doesn't have viewer access to the specified list of namespaces

func (*JobCaller) RequireViewerAccessToWorkspaces 

func (j *JobCaller) RequireViewerAccessToWorkspaces(ctx context.Context, workspaces []models.Workspace) error

RequireViewerAccessToWorkspaces will return an error if the caller doesn't have viewer access on the specified workspace

type MockAuthorizer 

type MockAuthorizer struct {
	mock.Mock
}

MockAuthorizer is an autogenerated mock type for the Authorizer type

func NewMockAuthorizer 

func NewMockAuthorizer(t mockConstructorTestingTNewMockAuthorizer) *MockAuthorizer

NewMockAuthorizer creates a new instance of MockAuthorizer. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.

func (*MockAuthorizer) GetRootNamespaces 

func (_m *MockAuthorizer) GetRootNamespaces(ctx context.Context) ([]models.MembershipNamespace, error)

GetRootNamespaces provides a mock function with given fields: ctx

func (*MockAuthorizer) RequireAccessToGroup 

func (_m *MockAuthorizer) RequireAccessToGroup(ctx context.Context, groupID string, accessLevel models.Role) error

RequireAccessToGroup provides a mock function with given fields: ctx, groupID, accessLevel

func (*MockAuthorizer) RequireAccessToInheritedGroupResource 

func (_m *MockAuthorizer) RequireAccessToInheritedGroupResource(ctx context.Context, groupID string) error

RequireAccessToInheritedGroupResource provides a mock function with given fields: ctx, groupID

func (*MockAuthorizer) RequireAccessToInheritedNamespaceResource 

func (_m *MockAuthorizer) RequireAccessToInheritedNamespaceResource(ctx context.Context, namespace string) error

RequireAccessToInheritedNamespaceResource provides a mock function with given fields: ctx, namespace

func (*MockAuthorizer) RequireAccessToNamespace 

func (_m *MockAuthorizer) RequireAccessToNamespace(ctx context.Context, namespacePath string, accessLevel models.Role) error

RequireAccessToNamespace provides a mock function with given fields: ctx, namespacePath, accessLevel

func (*MockAuthorizer) RequireAccessToWorkspace 

func (_m *MockAuthorizer) RequireAccessToWorkspace(ctx context.Context, workspaceID string, accessLevel models.Role) error

RequireAccessToWorkspace provides a mock function with given fields: ctx, workspaceID, accessLevel

func (*MockAuthorizer) RequireViewerAccessToGroups 

func (_m *MockAuthorizer) RequireViewerAccessToGroups(ctx context.Context, groups []models.Group) error

RequireViewerAccessToGroups provides a mock function with given fields: ctx, groups

func (*MockAuthorizer) RequireViewerAccessToNamespaces 

func (_m *MockAuthorizer) RequireViewerAccessToNamespaces(ctx context.Context, requiredNamespaces []string) error

RequireViewerAccessToNamespaces provides a mock function with given fields: ctx, requiredNamespaces

func (*MockAuthorizer) RequireViewerAccessToWorkspaces 

func (_m *MockAuthorizer) RequireViewerAccessToWorkspaces(ctx context.Context, workspaces []models.Workspace) error

RequireViewerAccessToWorkspaces provides a mock function with given fields: ctx, workspaces

type MockCaller 

type MockCaller struct {
	mock.Mock
}

MockCaller is an autogenerated mock type for the Caller type

func NewMockCaller 

func NewMockCaller(t mockConstructorTestingTNewMockCaller) *MockCaller

NewMockCaller creates a new instance of MockCaller. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.

func (*MockCaller) GetNamespaceAccessPolicy 

func (_m *MockCaller) GetNamespaceAccessPolicy(ctx context.Context) (*NamespaceAccessPolicy, error)

GetNamespaceAccessPolicy provides a mock function with given fields: ctx

func (*MockCaller) GetSubject 

func (_m *MockCaller) GetSubject() string

GetSubject provides a mock function with given fields:

func (*MockCaller) RequireAccessToGroup 

func (_m *MockCaller) RequireAccessToGroup(ctx context.Context, groupID string, accessLevel models.Role) error

RequireAccessToGroup provides a mock function with given fields: ctx, groupID, accessLevel

func (*MockCaller) RequireAccessToInheritedGroupResource 

func (_m *MockCaller) RequireAccessToInheritedGroupResource(ctx context.Context, groupID string) error

RequireAccessToInheritedGroupResource provides a mock function with given fields: ctx, groupID

func (*MockCaller) RequireAccessToInheritedNamespaceResource 

func (_m *MockCaller) RequireAccessToInheritedNamespaceResource(ctx context.Context, namespace string) error

RequireAccessToInheritedNamespaceResource provides a mock function with given fields: ctx, namespace

func (*MockCaller) RequireAccessToNamespace 

func (_m *MockCaller) RequireAccessToNamespace(ctx context.Context, namespacePath string, accessLevel models.Role) error

RequireAccessToNamespace provides a mock function with given fields: ctx, namespacePath, accessLevel

func (*MockCaller) RequireAccessToWorkspace 

func (_m *MockCaller) RequireAccessToWorkspace(ctx context.Context, workspaceID string, accessLevel models.Role) error

RequireAccessToWorkspace provides a mock function with given fields: ctx, workspaceID, accessLevel

func (*MockCaller) RequireApplyWriteAccess 

func (_m *MockCaller) RequireApplyWriteAccess(ctx context.Context, applyID string) error

RequireApplyWriteAccess provides a mock function with given fields: ctx, applyID

func (*MockCaller) RequireJobWriteAccess 

func (_m *MockCaller) RequireJobWriteAccess(ctx context.Context, jobID string) error

RequireJobWriteAccess provides a mock function with given fields: ctx, jobID

func (*MockCaller) RequirePlanWriteAccess 

func (_m *MockCaller) RequirePlanWriteAccess(ctx context.Context, planID string) error

RequirePlanWriteAccess provides a mock function with given fields: ctx, planID

func (*MockCaller) RequireRunWriteAccess 

func (_m *MockCaller) RequireRunWriteAccess(ctx context.Context, runID string) error

RequireRunWriteAccess provides a mock function with given fields: ctx, runID

func (*MockCaller) RequireTeamCreateAccess 

func (_m *MockCaller) RequireTeamCreateAccess(ctx context.Context) error

RequireTeamCreateAccess provides a mock function with given fields: ctx

func (*MockCaller) RequireTeamDeleteAccess 

func (_m *MockCaller) RequireTeamDeleteAccess(ctx context.Context, teamID string) error

RequireTeamDeleteAccess provides a mock function with given fields: ctx, teamID

func (*MockCaller) RequireTeamUpdateAccess 

func (_m *MockCaller) RequireTeamUpdateAccess(ctx context.Context, teamID string) error

RequireTeamUpdateAccess provides a mock function with given fields: ctx, teamID

func (*MockCaller) RequireUserCreateAccess 

func (_m *MockCaller) RequireUserCreateAccess(ctx context.Context) error

RequireUserCreateAccess provides a mock function with given fields: ctx

func (*MockCaller) RequireUserDeleteAccess 

func (_m *MockCaller) RequireUserDeleteAccess(ctx context.Context, userID string) error

RequireUserDeleteAccess provides a mock function with given fields: ctx, userID

func (*MockCaller) RequireUserUpdateAccess 

func (_m *MockCaller) RequireUserUpdateAccess(ctx context.Context, userID string) error

RequireUserUpdateAccess provides a mock function with given fields: ctx, userID

func (*MockCaller) RequireViewerAccessToGroups 

func (_m *MockCaller) RequireViewerAccessToGroups(ctx context.Context, groups []models.Group) error

RequireViewerAccessToGroups provides a mock function with given fields: ctx, groups

func (*MockCaller) RequireViewerAccessToNamespaces 

func (_m *MockCaller) RequireViewerAccessToNamespaces(ctx context.Context, namespaces []string) error

RequireViewerAccessToNamespaces provides a mock function with given fields: ctx, namespaces

func (*MockCaller) RequireViewerAccessToWorkspaces 

func (_m *MockCaller) RequireViewerAccessToWorkspaces(ctx context.Context, workspaces []models.Workspace) error

RequireViewerAccessToWorkspaces provides a mock function with given fields: ctx, workspaces

type NamespaceAccessPolicy 

type NamespaceAccessPolicy struct {
	// RootNamespaceIDs restricts the caller to the specified root namespaces
	RootNamespaceIDs []string
	// AllowAll indicates that the caller has access to all namespaces
	AllowAll bool
}

NamespaceAccessPolicy specifies the namespaces that a caller has access to

type OIDCConfiguration 

type OIDCConfiguration struct {
	Issuer        string `json:"issuer"`
	JwksURI       string `json:"jwks_uri"`
	TokenEndpoint string `json:"token_endpoint"`
	AuthEndpoint  string `json:"authorization_endpoint"`
}

OIDCConfiguration contains the OIDC information for an identity provider

type OpenIDConfigFetcher 

type OpenIDConfigFetcher struct {
	Client *retryablehttp.Client
}

OpenIDConfigFetcher implements functions to fetch OpenID configuration from an issuer.

func NewOpenIDConfigFetcher 

func NewOpenIDConfigFetcher() *OpenIDConfigFetcher

NewOpenIDConfigFetcher returns a new NewOpenIDConfigFetcher

func (*OpenIDConfigFetcher) GetOpenIDConfig 

func (o *OpenIDConfigFetcher) GetOpenIDConfig(ctx context.Context, issuer string) (*OIDCConfiguration, error)

GetOpenIDConfig returns the IDP config from the OIDC discovery document

type SCIMCaller 

type SCIMCaller struct {
	// contains filtered or unexported fields
}

SCIMCaller represents a SCIM subject.

func NewSCIMCaller 

func NewSCIMCaller(dbClient *db.Client) *SCIMCaller

NewSCIMCaller returns a new SCIM caller.

func (*SCIMCaller) GetNamespaceAccessPolicy 

func (s *SCIMCaller) GetNamespaceAccessPolicy(ctx context.Context) (*NamespaceAccessPolicy, error)

GetNamespaceAccessPolicy returns the namespace access policy for this caller.

func (*SCIMCaller) GetSubject 

func (s *SCIMCaller) GetSubject() string

GetSubject returns the subject identifier for this caller.

func (*SCIMCaller) RequireAccessToGroup 

func (s *SCIMCaller) RequireAccessToGroup(ctx context.Context, groupID string, accessLevel models.Role) error

RequireAccessToGroup will return an error if the caller doesn't have the required access level on the specified group.

func (*SCIMCaller) RequireAccessToInheritedGroupResource 

func (s *SCIMCaller) RequireAccessToInheritedGroupResource(ctx context.Context, groupID string) error

RequireAccessToInheritedGroupResource will return an error if the caller doesn't have viewer access on any namespace within the namespace hierarchy.

func (*SCIMCaller) RequireAccessToInheritedNamespaceResource 

func (s *SCIMCaller) RequireAccessToInheritedNamespaceResource(ctx context.Context, namespace string) error

RequireAccessToInheritedNamespaceResource will return an error if the caller doesn't have viewer access on any namespace within the namespace hierarchy.

func (*SCIMCaller) RequireAccessToNamespace 

func (s *SCIMCaller) RequireAccessToNamespace(ctx context.Context, namespacePath string, accessLevel models.Role) error

RequireAccessToNamespace will return an error if the caller doesn't have the specified access level.

func (*SCIMCaller) RequireAccessToWorkspace 

func (s *SCIMCaller) RequireAccessToWorkspace(ctx context.Context, workspaceID string, accessLevel models.Role) error

RequireAccessToWorkspace will return an error if the caller doesn't have the required access level on the specified workspace.

func (*SCIMCaller) RequireApplyWriteAccess 

func (s *SCIMCaller) RequireApplyWriteAccess(ctx context.Context, applyID string) error

RequireApplyWriteAccess will return an error if the caller doesn't have permission to update apply state.

func (*SCIMCaller) RequireJobWriteAccess 

func (s *SCIMCaller) RequireJobWriteAccess(ctx context.Context, jobID string) error

RequireJobWriteAccess will return an error if the caller doesn't have permission to update the state of the specified job.

func (*SCIMCaller) RequirePlanWriteAccess 

func (s *SCIMCaller) RequirePlanWriteAccess(ctx context.Context, planID string) error

RequirePlanWriteAccess will return an error if the caller doesn't have permission to update plan state.

func (*SCIMCaller) RequireRunWriteAccess 

func (s *SCIMCaller) RequireRunWriteAccess(ctx context.Context, runID string) error

RequireRunWriteAccess will return an error if the caller doesn't have permission to update run state.

func (*SCIMCaller) RequireTeamCreateAccess 

func (s *SCIMCaller) RequireTeamCreateAccess(ctx context.Context) error

RequireTeamCreateAccess will return an error if the specified access is not allowed to the indicated team.

func (*SCIMCaller) RequireTeamDeleteAccess 

func (s *SCIMCaller) RequireTeamDeleteAccess(ctx context.Context, teamID string) error

RequireTeamDeleteAccess will return an error if the specified access is not allowed to the indicated team.

func (*SCIMCaller) RequireTeamUpdateAccess 

func (s *SCIMCaller) RequireTeamUpdateAccess(ctx context.Context, teamID string) error

RequireTeamUpdateAccess will return an error if the specified access is not allowed to the indicated team.

func (*SCIMCaller) RequireUserCreateAccess 

func (s *SCIMCaller) RequireUserCreateAccess(ctx context.Context) error

RequireUserCreateAccess will return an error if the specified caller is not allowed to create users.

func (*SCIMCaller) RequireUserDeleteAccess 

func (s *SCIMCaller) RequireUserDeleteAccess(ctx context.Context, userID string) error

RequireUserDeleteAccess will return an error if the specified caller is not allowed to delete a user.

func (*SCIMCaller) RequireUserUpdateAccess 

func (s *SCIMCaller) RequireUserUpdateAccess(ctx context.Context, userID string) error

RequireUserUpdateAccess will return an error if the specified caller is not allowed to update a user.

func (*SCIMCaller) RequireViewerAccessToGroups 

func (s *SCIMCaller) RequireViewerAccessToGroups(ctx context.Context, groups []models.Group) error

RequireViewerAccessToGroups will return an error if the caller doesn't have the required access level on the specified group.

func (*SCIMCaller) RequireViewerAccessToNamespaces 

func (s *SCIMCaller) RequireViewerAccessToNamespaces(ctx context.Context, namespaces []string) error

RequireViewerAccessToNamespaces will return an error if the caller doesn't have viewer access to the specified list of namespaces.

func (*SCIMCaller) RequireViewerAccessToWorkspaces 

func (s *SCIMCaller) RequireViewerAccessToWorkspaces(ctx context.Context, workspaces []models.Workspace) error

RequireViewerAccessToWorkspaces will return an error if the caller doesn't have viewer access on the specified workspace.

type ServiceAccountCaller 

type ServiceAccountCaller struct {
	ServiceAccountPath string
	ServiceAccountID   string
	// contains filtered or unexported fields
}

ServiceAccountCaller represents a service account subject

func NewServiceAccountCaller 

func NewServiceAccountCaller(id string, path string, authorizer Authorizer) *ServiceAccountCaller

NewServiceAccountCaller returns a new ServiceAccountCaller

func (*ServiceAccountCaller) GetNamespaceAccessPolicy 

func (s *ServiceAccountCaller) GetNamespaceAccessPolicy(ctx context.Context) (*NamespaceAccessPolicy, error)

GetNamespaceAccessPolicy returns the namespace access policy for this caller

func (*ServiceAccountCaller) GetSubject 

func (s *ServiceAccountCaller) GetSubject() string

GetSubject returns the subject identifier for this caller

func (*ServiceAccountCaller) RequireAccessToGroup 

func (s *ServiceAccountCaller) RequireAccessToGroup(ctx context.Context, groupID string, accessLevel models.Role) error

RequireAccessToGroup will return an error if the caller doesn't have the required access level on the specified group

func (*ServiceAccountCaller) RequireAccessToInheritedGroupResource 

func (s *ServiceAccountCaller) RequireAccessToInheritedGroupResource(ctx context.Context, groupID string) error

RequireAccessToInheritedGroupResource will return an error if the caller doesn't have viewer access on any namespace within the namespace hierarchy

func (*ServiceAccountCaller) RequireAccessToInheritedNamespaceResource 

func (s *ServiceAccountCaller) RequireAccessToInheritedNamespaceResource(ctx context.Context, namespace string) error

RequireAccessToInheritedNamespaceResource will return an error if the caller doesn't have viewer access on any namespace within the namespace hierarchy

func (*ServiceAccountCaller) RequireAccessToNamespace 

func (s *ServiceAccountCaller) RequireAccessToNamespace(ctx context.Context, namespacePath string, accessLevel models.Role) error

RequireAccessToNamespace will return an error if the caller doesn't have the specified access level

func (*ServiceAccountCaller) RequireAccessToWorkspace 

func (s *ServiceAccountCaller) RequireAccessToWorkspace(ctx context.Context, workspaceID string, accessLevel models.Role) error

RequireAccessToWorkspace will return an error if the caller doesn't have the required access level on the specified workspace

func (*ServiceAccountCaller) RequireApplyWriteAccess 

func (s *ServiceAccountCaller) RequireApplyWriteAccess(ctx context.Context, applyID string) error

RequireApplyWriteAccess will return an error if the caller doesn't have permission to update apply state

func (*ServiceAccountCaller) RequireJobWriteAccess 

func (s *ServiceAccountCaller) RequireJobWriteAccess(ctx context.Context, jobID string) error

RequireJobWriteAccess will return an error if the caller doesn't have permission to update the state of the specified job

func (*ServiceAccountCaller) RequirePlanWriteAccess 

func (s *ServiceAccountCaller) RequirePlanWriteAccess(ctx context.Context, planID string) error

RequirePlanWriteAccess will return an error if the caller doesn't have permission to update plan state

func (*ServiceAccountCaller) RequireRunWriteAccess 

func (s *ServiceAccountCaller) RequireRunWriteAccess(ctx context.Context, runID string) error

RequireRunWriteAccess will return an error if the caller doesn't have permission to update run state

func (*ServiceAccountCaller) RequireTeamCreateAccess 

func (s *ServiceAccountCaller) RequireTeamCreateAccess(ctx context.Context) error

RequireTeamCreateAccess will return an error if the specified access is not allowed to the indicated team. Currently, this method makes some simplifying assumptions that will need to change once orgs are implemented.

func (*ServiceAccountCaller) RequireTeamDeleteAccess 

func (s *ServiceAccountCaller) RequireTeamDeleteAccess(ctx context.Context, teamID string) error

RequireTeamDeleteAccess will return an error if the specified access is not allowed to the indicated team. Currently, this method makes some simplifying assumptions that will need to change once orgs are implemented.

func (*ServiceAccountCaller) RequireTeamUpdateAccess 

func (s *ServiceAccountCaller) RequireTeamUpdateAccess(ctx context.Context, teamID string) error

RequireTeamUpdateAccess will return an error if the specified access is not allowed to the indicated team. Currently, this method makes some simplifying assumptions that will need to change once orgs are implemented.

func (*ServiceAccountCaller) RequireUserCreateAccess 

func (s *ServiceAccountCaller) RequireUserCreateAccess(ctx context.Context) error

RequireUserCreateAccess will return an error if the specified caller is not allowed to create users.

func (*ServiceAccountCaller) RequireUserDeleteAccess 

func (s *ServiceAccountCaller) RequireUserDeleteAccess(ctx context.Context, userID string) error

RequireUserDeleteAccess will return an error if the specified caller is not allowed to delete a user.

func (*ServiceAccountCaller) RequireUserUpdateAccess 

func (s *ServiceAccountCaller) RequireUserUpdateAccess(ctx context.Context, userID string) error

RequireUserUpdateAccess will return an error if the specified caller is not allowed to update a user.

func (*ServiceAccountCaller) RequireViewerAccessToGroups 

func (s *ServiceAccountCaller) RequireViewerAccessToGroups(ctx context.Context, groups []models.Group) error

RequireViewerAccessToGroups will return an error if the caller doesn't have viewer access to all the specified groups

func (*ServiceAccountCaller) RequireViewerAccessToNamespaces 

func (s *ServiceAccountCaller) RequireViewerAccessToNamespaces(ctx context.Context, namespaces []string) error

RequireViewerAccessToNamespaces will return an error if the caller doesn't have viewer access to the specified list of namespaces

func (*ServiceAccountCaller) RequireViewerAccessToWorkspaces 

func (s *ServiceAccountCaller) RequireViewerAccessToWorkspaces(ctx context.Context, workspaces []models.Workspace) error

RequireViewerAccessToWorkspaces will return an error if the caller doesn't have viewer access on the specified workspace

type SystemCaller 

type SystemCaller struct{}

SystemCaller is the caller subject for internal system calls

func (*SystemCaller) GetNamespaceAccessPolicy 

func (s *SystemCaller) GetNamespaceAccessPolicy(ctx context.Context) (*NamespaceAccessPolicy, error)

GetNamespaceAccessPolicy returns the namespace access policy for this caller

func (*SystemCaller) GetSubject 

func (s *SystemCaller) GetSubject() string

GetSubject returns the subject identifier for this caller

func (*SystemCaller) RequireAccessToGroup 

func (s *SystemCaller) RequireAccessToGroup(ctx context.Context, groupID string, accessLevel models.Role) error

RequireAccessToGroup will return an error if the caller doesn't have the required access level on the specified group

func (*SystemCaller) RequireAccessToInheritedGroupResource 

func (s *SystemCaller) RequireAccessToInheritedGroupResource(ctx context.Context, groupID string) error

RequireAccessToInheritedGroupResource will return an error if the caller doesn't have viewer access on any namespace within the namespace hierarchy

func (*SystemCaller) RequireAccessToInheritedNamespaceResource 

func (s *SystemCaller) RequireAccessToInheritedNamespaceResource(ctx context.Context, namespace string) error

RequireAccessToInheritedNamespaceResource will return an error if the caller doesn't have viewer access on any namespace within the namespace hierarchy

func (*SystemCaller) RequireAccessToNamespace 

func (s *SystemCaller) RequireAccessToNamespace(ctx context.Context, namespacePath string, accessLevel models.Role) error

RequireAccessToNamespace will return an error if the caller doesn't have the specified access level

func (*SystemCaller) RequireAccessToWorkspace 

func (s *SystemCaller) RequireAccessToWorkspace(ctx context.Context, workspaceID string, accessLevel models.Role) error

RequireAccessToWorkspace will return an error if the caller doesn't have the required access level on the specified workspace

func (*SystemCaller) RequireApplyWriteAccess 

func (s *SystemCaller) RequireApplyWriteAccess(ctx context.Context, applyID string) error

RequireApplyWriteAccess will return an error if the caller doesn't have permission to update apply state

func (*SystemCaller) RequireJobWriteAccess 

func (s *SystemCaller) RequireJobWriteAccess(ctx context.Context, jobID string) error

RequireJobWriteAccess will return an error if the caller doesn't have permission to update the state of the specified job

func (*SystemCaller) RequirePlanWriteAccess 

func (s *SystemCaller) RequirePlanWriteAccess(ctx context.Context, planID string) error

RequirePlanWriteAccess will return an error if the caller doesn't have permission to update plan state

func (*SystemCaller) RequireRunWriteAccess 

func (s *SystemCaller) RequireRunWriteAccess(ctx context.Context, runID string) error

RequireRunWriteAccess will return an error if the caller doesn't have permission to update run state

func (*SystemCaller) RequireTeamCreateAccess 

func (s *SystemCaller) RequireTeamCreateAccess(ctx context.Context) error

RequireTeamCreateAccess will return an error if the caller does not have permission for the specified access on the specified team.

func (*SystemCaller) RequireTeamDeleteAccess 

func (s *SystemCaller) RequireTeamDeleteAccess(ctx context.Context, teamID string) error

RequireTeamDeleteAccess will return an error if the caller does not have permission for the specified access on the specified team.

func (*SystemCaller) RequireTeamUpdateAccess 

func (s *SystemCaller) RequireTeamUpdateAccess(ctx context.Context, teamID string) error

RequireTeamUpdateAccess will return an error if the caller does not have permission for the specified access on the specified team.

func (*SystemCaller) RequireUserCreateAccess 

func (s *SystemCaller) RequireUserCreateAccess(ctx context.Context) error

RequireUserCreateAccess will return an error if the specified caller is not allowed to create users.

func (*SystemCaller) RequireUserDeleteAccess 

func (s *SystemCaller) RequireUserDeleteAccess(ctx context.Context, userID string) error

RequireUserDeleteAccess will return an error if the specified caller is not allowed to delete a user.

func (*SystemCaller) RequireUserUpdateAccess 

func (s *SystemCaller) RequireUserUpdateAccess(ctx context.Context, userID string) error

RequireUserUpdateAccess will return an error if the specified caller is not allowed to update a user.

func (*SystemCaller) RequireViewerAccessToGroups 

func (s *SystemCaller) RequireViewerAccessToGroups(ctx context.Context, groups []models.Group) error

RequireViewerAccessToGroups will return an error if the caller doesn't have viewer access to all the specified groups

func (*SystemCaller) RequireViewerAccessToNamespaces 

func (s *SystemCaller) RequireViewerAccessToNamespaces(ctx context.Context, namespaces []string) error

RequireViewerAccessToNamespaces will return an error if the caller doesn't have viewer access to the specified list of namespaces

func (*SystemCaller) RequireViewerAccessToWorkspaces 

func (s *SystemCaller) RequireViewerAccessToWorkspaces(ctx context.Context, workspaces []models.Workspace) error

RequireViewerAccessToWorkspaces will return an error if the caller doesn't have viewer access on the specified workspace

type TokenInput 

type TokenInput struct {
	Expiration *time.Time
	Claims     map[string]string
	Subject    string
	JwtID      string
}

TokenInput provides options for creating a new service account token

type UserAuth 

type UserAuth struct {
	// contains filtered or unexported fields
}

UserAuth implements JWT authentication

func NewUserAuth 

func NewUserAuth(
	ctx context.Context,
	identityProviders []IdentityProviderConfig,
	logger logger.Logger,
	dbClient *db.Client,
) *UserAuth

NewUserAuth creates an instance of UserAuth

func (*UserAuth) Authenticate 

func (u *UserAuth) Authenticate(ctx context.Context, tokenString string, useCache bool) (*UserCaller, error)

Authenticate validates a user JWT and returns a UserCaller

func (*UserAuth) GetUsernameClaim 

func (u *UserAuth) GetUsernameClaim(token jwt.Token) (string, error)

GetUsernameClaim returns the username from a JWT token

type UserCaller 

type UserCaller struct {
	User *models.User
	// contains filtered or unexported fields
}

UserCaller represents a user subject

func NewUserCaller 

func NewUserCaller(user *models.User, authorizer Authorizer, dbClient *db.Client) *UserCaller

NewUserCaller returns a new UserCaller

func (*UserCaller) GetNamespaceAccessPolicy 

func (u *UserCaller) GetNamespaceAccessPolicy(ctx context.Context) (*NamespaceAccessPolicy, error)

GetNamespaceAccessPolicy returns the namespace access policy for this caller

func (*UserCaller) GetSubject 

func (u *UserCaller) GetSubject() string

GetSubject returns the subject identifier for this caller

func (*UserCaller) GetTeams 

func (u *UserCaller) GetTeams(ctx context.Context) ([]models.Team, error)

GetTeams does lazy initialization of the list of teams for this user caller.

func (*UserCaller) RequireAccessToGroup 

func (u *UserCaller) RequireAccessToGroup(ctx context.Context, groupID string, accessLevel models.Role) error

RequireAccessToGroup will return an error if the caller doesn't have the required access level on the specified group

func (*UserCaller) RequireAccessToInheritedGroupResource 

func (u *UserCaller) RequireAccessToInheritedGroupResource(ctx context.Context, groupID string) error

RequireAccessToInheritedGroupResource will return an error if the caller doesn't have viewer access on any namespace within the namespace hierarchy

func (*UserCaller) RequireAccessToInheritedNamespaceResource 

func (u *UserCaller) RequireAccessToInheritedNamespaceResource(ctx context.Context, namespace string) error

RequireAccessToInheritedNamespaceResource will return an error if the caller doesn't have viewer access on any namespace within the namespace hierarchy

func (*UserCaller) RequireAccessToNamespace 

func (u *UserCaller) RequireAccessToNamespace(ctx context.Context, namespacePath string, accessLevel models.Role) error

RequireAccessToNamespace will return an error if the caller doesn't have the specified access level

func (*UserCaller) RequireAccessToWorkspace 

func (u *UserCaller) RequireAccessToWorkspace(ctx context.Context, workspaceID string, accessLevel models.Role) error

RequireAccessToWorkspace will return an error if the caller doesn't have the required access level on the specified workspace

func (*UserCaller) RequireApplyWriteAccess 

func (u *UserCaller) RequireApplyWriteAccess(ctx context.Context, applyID string) error

RequireApplyWriteAccess will return an error if the caller doesn't have permission to update apply state

func (*UserCaller) RequireJobWriteAccess 

func (u *UserCaller) RequireJobWriteAccess(ctx context.Context, jobID string) error

RequireJobWriteAccess will return an error if the caller doesn't have permission to update the state of the specified job

func (*UserCaller) RequirePlanWriteAccess 

func (u *UserCaller) RequirePlanWriteAccess(ctx context.Context, planID string) error

RequirePlanWriteAccess will return an error if the caller doesn't have permission to update plan state

func (*UserCaller) RequireRunWriteAccess 

func (u *UserCaller) RequireRunWriteAccess(ctx context.Context, runID string) error

RequireRunWriteAccess will return an error if the caller doesn't have permission to update run state

func (*UserCaller) RequireTeamCreateAccess 

func (u *UserCaller) RequireTeamCreateAccess(ctx context.Context) error

RequireTeamCreateAccess will return an error if the specified access is not allowed to the indicated team. For now, only admins are allowed to create a team. Eventually, org admins and SCIM will be allowed to create and delete teams.

func (*UserCaller) RequireTeamDeleteAccess 

func (u *UserCaller) RequireTeamDeleteAccess(ctx context.Context, teamID string) error

RequireTeamDeleteAccess will return an error if the specified access is not allowed to the indicated team. For now, only admins are allowed to delete a team. Eventually, org admins and SCIM will be allowed to create and delete teams.

func (*UserCaller) RequireTeamUpdateAccess 

func (u *UserCaller) RequireTeamUpdateAccess(ctx context.Context, teamID string) error

RequireTeamUpdateAccess will return an error if the specified access is not allowed to the indicated team.

func (*UserCaller) RequireUserCreateAccess 

func (u *UserCaller) RequireUserCreateAccess(ctx context.Context) error

RequireUserCreateAccess will return an error if the specified caller is not allowed to create users.

func (*UserCaller) RequireUserDeleteAccess 

func (u *UserCaller) RequireUserDeleteAccess(ctx context.Context, userID string) error

RequireUserDeleteAccess will return an error if the specified caller is not allowed to delete a user.

func (*UserCaller) RequireUserUpdateAccess 

func (u *UserCaller) RequireUserUpdateAccess(ctx context.Context, userID string) error

RequireUserUpdateAccess will return an error if the specified caller is not allowed to update a user.

func (*UserCaller) RequireViewerAccessToGroups 

func (u *UserCaller) RequireViewerAccessToGroups(ctx context.Context, groups []models.Group) error

RequireViewerAccessToGroups will return an error if the caller doesn't have viewer access to all the specified groups

func (*UserCaller) RequireViewerAccessToNamespaces 

func (u *UserCaller) RequireViewerAccessToNamespaces(ctx context.Context, namespaces []string) error

RequireViewerAccessToNamespaces will return an error if the caller doesn't have viewer access to the specified list of namespaces

func (*UserCaller) RequireViewerAccessToWorkspaces 

func (u *UserCaller) RequireViewerAccessToWorkspaces(ctx context.Context, workspaces []models.Workspace) error

RequireViewerAccessToWorkspaces will return an error if the caller doesn't have viewer access on the specified workspace

type VCSWorkspaceLinkCaller 

type VCSWorkspaceLinkCaller struct {
	Provider *models.VCSProvider
	Link     *models.WorkspaceVCSProviderLink
	// contains filtered or unexported fields
}

VCSWorkspaceLinkCaller represents a VCS provider subject.

func NewVCSWorkspaceLinkCaller 

func NewVCSWorkspaceLinkCaller(provider *models.VCSProvider, link *models.WorkspaceVCSProviderLink, dbClient *db.Client) *VCSWorkspaceLinkCaller

NewVCSWorkspaceLinkCaller returns a new VCS caller.

func (*VCSWorkspaceLinkCaller) GetNamespaceAccessPolicy 

func (v *VCSWorkspaceLinkCaller) GetNamespaceAccessPolicy(ctx context.Context) (*NamespaceAccessPolicy, error)

GetNamespaceAccessPolicy returns the namespace access policy for this caller.

func (*VCSWorkspaceLinkCaller) GetSubject 

func (v *VCSWorkspaceLinkCaller) GetSubject() string

GetSubject returns the subject identifier for this caller.

func (*VCSWorkspaceLinkCaller) RequireAccessToGroup 

func (v *VCSWorkspaceLinkCaller) RequireAccessToGroup(ctx context.Context, groupID string, accessLevel models.Role) error

RequireAccessToGroup will return an error if the caller doesn't have the required access level on the specified group.

func (*VCSWorkspaceLinkCaller) RequireAccessToInheritedGroupResource 

func (v *VCSWorkspaceLinkCaller) RequireAccessToInheritedGroupResource(ctx context.Context, groupID string) error

RequireAccessToInheritedGroupResource will return an error if the caller doesn't have viewer access on any namespace within the namespace hierarchy.

func (*VCSWorkspaceLinkCaller) RequireAccessToInheritedNamespaceResource 

func (v *VCSWorkspaceLinkCaller) RequireAccessToInheritedNamespaceResource(ctx context.Context, namespace string) error

RequireAccessToInheritedNamespaceResource will return an error if the caller doesn't have viewer access on any namespace within the namespace hierarchy.

func (*VCSWorkspaceLinkCaller) RequireAccessToNamespace 

func (v *VCSWorkspaceLinkCaller) RequireAccessToNamespace(ctx context.Context, namespacePath string, accessLevel models.Role) error

RequireAccessToNamespace will return an error if the caller doesn't have the specified access level.

func (*VCSWorkspaceLinkCaller) RequireAccessToWorkspace 

func (v *VCSWorkspaceLinkCaller) RequireAccessToWorkspace(ctx context.Context, workspaceID string, accessLevel models.Role) error

RequireAccessToWorkspace will return an error if the caller doesn't have the required access level on the specified workspace.

func (*VCSWorkspaceLinkCaller) RequireApplyWriteAccess 

func (v *VCSWorkspaceLinkCaller) RequireApplyWriteAccess(ctx context.Context, applyID string) error

RequireApplyWriteAccess will return an error if the caller doesn't have permission to update apply state.

func (*VCSWorkspaceLinkCaller) RequireJobWriteAccess 

func (v *VCSWorkspaceLinkCaller) RequireJobWriteAccess(ctx context.Context, jobID string) error

RequireJobWriteAccess will return an error if the caller doesn't have permission to update the state of the specified job.

func (*VCSWorkspaceLinkCaller) RequirePlanWriteAccess 

func (v *VCSWorkspaceLinkCaller) RequirePlanWriteAccess(ctx context.Context, planID string) error

RequirePlanWriteAccess will return an error if the caller doesn't have permission to update plan state.

func (*VCSWorkspaceLinkCaller) RequireRunWriteAccess 

func (v *VCSWorkspaceLinkCaller) RequireRunWriteAccess(ctx context.Context, runID string) error

RequireRunWriteAccess will return an error if the caller doesn't have permission to update run state.

func (*VCSWorkspaceLinkCaller) RequireTeamCreateAccess 

func (v *VCSWorkspaceLinkCaller) RequireTeamCreateAccess(ctx context.Context) error

RequireTeamCreateAccess will return an error if the specified access is not allowed to the indicated team.

func (*VCSWorkspaceLinkCaller) RequireTeamDeleteAccess 

func (v *VCSWorkspaceLinkCaller) RequireTeamDeleteAccess(ctx context.Context, teamID string) error

RequireTeamDeleteAccess will return an error if the specified access is not allowed to the indicated team.

func (*VCSWorkspaceLinkCaller) RequireTeamUpdateAccess 

func (v *VCSWorkspaceLinkCaller) RequireTeamUpdateAccess(ctx context.Context, teamID string) error

RequireTeamUpdateAccess will return an error if the specified access is not allowed to the indicated team.

func (*VCSWorkspaceLinkCaller) RequireUserCreateAccess 

func (v *VCSWorkspaceLinkCaller) RequireUserCreateAccess(ctx context.Context) error

RequireUserCreateAccess will return an error if the specified caller is not allowed to create users.

func (*VCSWorkspaceLinkCaller) RequireUserDeleteAccess 

func (v *VCSWorkspaceLinkCaller) RequireUserDeleteAccess(ctx context.Context, userID string) error

RequireUserDeleteAccess will return an error if the specified caller is not allowed to delete a user.

func (*VCSWorkspaceLinkCaller) RequireUserUpdateAccess 

func (v *VCSWorkspaceLinkCaller) RequireUserUpdateAccess(ctx context.Context, userID string) error

RequireUserUpdateAccess will return an error if the specified caller is not allowed to update a user.

func (*VCSWorkspaceLinkCaller) RequireViewerAccessToGroups 

func (v *VCSWorkspaceLinkCaller) RequireViewerAccessToGroups(ctx context.Context, groups []models.Group) error

RequireViewerAccessToGroups will return an error if the caller doesn't have the required access level on the specified group.

func (*VCSWorkspaceLinkCaller) RequireViewerAccessToNamespaces 

func (v *VCSWorkspaceLinkCaller) RequireViewerAccessToNamespaces(ctx context.Context, namespaces []string) error

RequireViewerAccessToNamespaces will return an error if the caller doesn't have viewer access to the specified list of namespaces.

func (*VCSWorkspaceLinkCaller) RequireViewerAccessToWorkspaces 

func (v *VCSWorkspaceLinkCaller) RequireViewerAccessToWorkspaces(ctx context.Context, workspaces []models.Workspace) error

RequireViewerAccessToWorkspaces will return an error if the caller doesn't have viewer access on the specified workspace.

type VerifyTokenOutput 

type VerifyTokenOutput struct {
	Token         jwt.Token
	PrivateClaims map[string]string
}

VerifyTokenOutput is the response from verifying a token

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.