Package auth package
Constants ¶
// Valid token types used as private claims for tokens issued by Tharsis.
// These are the token kinds a verifier dispatches on; they are type labels,
// not secrets.
// #nosec: G101 -- false positive (token type names, not hard-coded credentials).
const (
	JobTokenType              string = "job"
	ServiceAccountTokenType   string = "service_account"
	SCIMTokenType             string = "scim"
	VCSWorkspaceLinkTokenType string = "vcs_workspace_link"
)
Functions ¶
func HandleCaller ¶
func HandleCaller( ctx context.Context, userHandler func(ctx context.Context, caller *UserCaller) error, serviceAccountHandler func(ctx context.Context, caller *ServiceAccountCaller) error, ) error
HandleCaller invokes the user or service-account callback that matches the concrete type of the caller.
func ParseUsername ¶
ParseUsername parses the username, if any, from the email.
func WithApplyID ¶ added in v0.9.0
func WithApplyID(id string) func(*constraints)
WithApplyID sets the ApplyID on constraints struct.
func WithCaller ¶
WithCaller adds the caller to the context
func WithGroupID ¶ added in v0.9.0
func WithGroupID(id string) func(*constraints)
WithGroupID sets the GroupID on constraints struct.
func WithJobID ¶ added in v0.9.0
func WithJobID(id string) func(*constraints)
WithJobID sets the JobID on constraints struct.
func WithNamespacePath ¶ added in v0.9.0
func WithNamespacePath(namespacePath string) func(*constraints)
WithNamespacePath sets the Namespace on constraints struct.
func WithNamespacePaths ¶ added in v0.9.0
func WithNamespacePaths(namespacePaths []string) func(*constraints)
WithNamespacePaths sets the NamespacePaths on constraints struct.
func WithPlanID ¶ added in v0.9.0
func WithPlanID(id string) func(*constraints)
WithPlanID sets the PlanID on constraints struct.
func WithRunID ¶ added in v0.9.0
func WithRunID(id string) func(*constraints)
WithRunID sets the RunID on constraints struct.
func WithRunnerID ¶ added in v0.9.0
func WithRunnerID(id string) func(*constraints)
WithRunnerID sets the RunnerID on constraints struct.
func WithTeamID ¶ added in v0.9.0
func WithTeamID(id string) func(*constraints)
WithTeamID sets the TeamID on constraints struct.
func WithUserID ¶ added in v0.9.0
func WithUserID(id string) func(*constraints)
WithUserID sets the UserID on constraints struct.
func WithWorkspaceID ¶ added in v0.9.0
func WithWorkspaceID(id string) func(*constraints)
WithWorkspaceID sets the WorkspaceID on constraints struct.
Types ¶
type Authenticator ¶
// Authenticator is used to authenticate JWT tokens. It is constructed with
// NewAuthenticator, which wires in the user authenticator, the identity
// provider and the database client; Authenticate turns a raw token string
// into a Caller.
type Authenticator struct {
	// contains filtered or unexported fields
}
func NewAuthenticator ¶
func NewAuthenticator(userAuth *UserAuth, idp *IdentityProvider, dbClient *db.Client, issuerURL string) *Authenticator
NewAuthenticator creates a new Authenticator instance
func (*Authenticator) Authenticate ¶
func (a *Authenticator) Authenticate(ctx context.Context, tokenString string, useCache bool) (Caller, error)
Authenticate verifies the token and returns a Caller
type Authorizer ¶
// Authorizer is used to authorize access to namespaces. Both Require* methods
// signal a denial with a non-nil error, so callers must not proceed on error.
type Authorizer interface {
	// GetRootNamespaces returns the root namespaces for the subject.
	// NOTE(review): the models.MembershipNamespace element type suggests these
	// are derived from memberships — confirm against the implementation.
	GetRootNamespaces(ctx context.Context) ([]models.MembershipNamespace, error)
	// RequireAccess returns a non-nil error if the subject is denied the
	// given permissions under the supplied constraints (see the With* helpers).
	// NOTE(review): whether perms is evaluated all-of or any-of is not visible
	// here — confirm before composing checks.
	RequireAccess(ctx context.Context, perms []permissions.Permission, checks ...func(*constraints)) error
	// RequireAccessToInheritableResource returns a non-nil error if the subject
	// is denied access to the given inheritable resource types under the
	// supplied constraints.
	RequireAccessToInheritableResource(ctx context.Context, resourceTypes []permissions.ResourceType, checks ...func(*constraints)) error
}
type Caller ¶
// Caller represents a subject performing an API request. The package provides
// user, service account, job, SCIM, VCS workspace link and system
// implementations; authorization decisions go through the two Require*
// methods, which signal a denial with a non-nil error.
type Caller interface {
	// GetSubject returns the subject identifier for this caller.
	GetSubject() string
	// GetNamespaceAccessPolicy returns the namespace access policy for this caller.
	GetNamespaceAccessPolicy(ctx context.Context) (*NamespaceAccessPolicy, error)
	// RequirePermission returns a non-nil error if the caller lacks the given
	// permission under the supplied constraints (see the With* helpers).
	RequirePermission(ctx context.Context, perms permissions.Permission, checks ...func(*constraints)) error
	// RequireAccessToInheritableResource returns a non-nil error if the caller
	// may not access the given inheritable resource type under the constraints.
	RequireAccessToInheritableResource(ctx context.Context, resourceType permissions.ResourceType, checks ...func(*constraints)) error
}
type IdentityProvider ¶
// IdentityProvider is used to create and verify service account tokens.
// It is constructed with NewIdentityProvider from a JWS provider plugin and
// the issuer URL; GenerateToken signs a token and VerifyToken checks one.
type IdentityProvider struct {
	// contains filtered or unexported fields
}
func NewIdentityProvider ¶
func NewIdentityProvider(jwsPlugin jwsprovider.JWSProvider, issuerURL string) *IdentityProvider
NewIdentityProvider initializes the IdentityProvider type
func (*IdentityProvider) GenerateToken ¶
func (s *IdentityProvider) GenerateToken(ctx context.Context, input *TokenInput) ([]byte, error)
GenerateToken creates a new service account token
func (*IdentityProvider) VerifyToken ¶
func (s *IdentityProvider) VerifyToken(ctx context.Context, token string) (*VerifyTokenOutput, error)
VerifyToken verifies that the token is a valid service account token
type IdentityProviderConfig ¶
// IdentityProviderConfig encompasses the information for an identity provider.
type IdentityProviderConfig struct {
	// Issuer identifies the identity provider.
	Issuer string
	// ClientID is the client identifier registered with the provider.
	ClientID string
	// UsernameClaim names the token claim used as the username.
	// NOTE(review): how this claim is validated and mapped is not visible
	// here — confirm it is only read from a token whose signature, issuer
	// and audience have already been verified.
	UsernameClaim string
	// JwksURI is the JSON Web Key Set location used for signature verification.
	JwksURI string
	// TokenEndpoint is the provider's token endpoint.
	TokenEndpoint string
	// AuthEndpoint is the provider's authorization endpoint.
	AuthEndpoint string
}
type JobCaller ¶
// JobCaller represents a job subject, i.e. a request authenticated with a
// token of type JobTokenType. The exported identifiers scope the job; the
// Require* methods decide what it may do.
type JobCaller struct {
	// JobID is the identifier of the job making the request.
	JobID string
	// WorkspaceID is the workspace the job belongs to.
	WorkspaceID string
	// RunID is the run the job is executing.
	RunID string
	// contains filtered or unexported fields
}
func (*JobCaller) GetNamespaceAccessPolicy ¶
func (j *JobCaller) GetNamespaceAccessPolicy(_ context.Context) (*NamespaceAccessPolicy, error)
GetNamespaceAccessPolicy returns the namespace access policy for this caller
func (*JobCaller) GetSubject ¶
GetSubject returns the subject identifier for this caller
func (*JobCaller) RequireAccessToInheritableResource ¶ added in v0.9.0
func (j *JobCaller) RequireAccessToInheritableResource(ctx context.Context, _ permissions.ResourceType, checks ...func(*constraints)) error
RequireAccessToInheritableResource will return an error if the caller doesn't have permission to the inherited resource.
func (*JobCaller) RequirePermission ¶ added in v0.9.0
func (j *JobCaller) RequirePermission(ctx context.Context, perm permissions.Permission, checks ...func(*constraints)) error
RequirePermission will return an error if the caller doesn't have the specified permissions
type MockAuthorizer ¶
MockAuthorizer is an autogenerated mock type for the Authorizer type
func NewMockAuthorizer ¶
func NewMockAuthorizer(t mockConstructorTestingTNewMockAuthorizer) *MockAuthorizer
NewMockAuthorizer creates a new instance of MockAuthorizer. It also registers a testing interface on the mock and a cleanup function to assert the mock's expectations.
func (*MockAuthorizer) GetRootNamespaces ¶
func (_m *MockAuthorizer) GetRootNamespaces(ctx context.Context) ([]models.MembershipNamespace, error)
GetRootNamespaces provides a mock function with given fields: ctx
func (*MockAuthorizer) RequireAccess ¶ added in v0.9.0
func (_m *MockAuthorizer) RequireAccess(ctx context.Context, perms []permissions.Permission, checks ...func(*constraints)) error
RequireAccess provides a mock function with given fields: ctx, perms, checks
func (*MockAuthorizer) RequireAccessToInheritableResource ¶ added in v0.9.0
func (_m *MockAuthorizer) RequireAccessToInheritableResource(ctx context.Context, resourceTypes []permissions.ResourceType, checks ...func(*constraints)) error
RequireAccessToInheritableResource provides a mock function with given fields: ctx, resourceTypes, checks
type MockCaller ¶
MockCaller is an autogenerated mock type for the Caller type
func NewMockCaller ¶
func NewMockCaller(t mockConstructorTestingTNewMockCaller) *MockCaller
NewMockCaller creates a new instance of MockCaller. It also registers a testing interface on the mock and a cleanup function to assert the mock's expectations.
func (*MockCaller) GetNamespaceAccessPolicy ¶
func (_m *MockCaller) GetNamespaceAccessPolicy(ctx context.Context) (*NamespaceAccessPolicy, error)
GetNamespaceAccessPolicy provides a mock function with given fields: ctx
func (*MockCaller) GetSubject ¶
func (_m *MockCaller) GetSubject() string
GetSubject provides a mock function with given fields:
func (*MockCaller) RequireAccessToInheritableResource ¶ added in v0.9.0
func (_m *MockCaller) RequireAccessToInheritableResource(ctx context.Context, resourceType permissions.ResourceType, checks ...func(*constraints)) error
RequireAccessToInheritableResource provides a mock function with given fields: ctx, resourceType, checks
func (*MockCaller) RequirePermission ¶ added in v0.9.0
func (_m *MockCaller) RequirePermission(ctx context.Context, perms permissions.Permission, checks ...func(*constraints)) error
RequirePermission provides a mock function with given fields: ctx, perms, checks
type NamespaceAccessPolicy ¶
// NamespaceAccessPolicy specifies the namespaces that a caller has access to.
// It is returned by every Caller's GetNamespaceAccessPolicy.
type NamespaceAccessPolicy struct {
	// RootNamespaceIDs restricts the caller to the specified root namespaces.
	RootNamespaceIDs []string
	// AllowAll indicates that the caller has access to all namespaces.
	// NOTE(review): precedence when AllowAll is true and RootNamespaceIDs is
	// non-empty is not visible here — confirm consumers treat AllowAll as the
	// broader grant and set it only for trusted callers.
	AllowAll bool
}
type OIDCConfiguration ¶
// OIDCConfiguration contains the OIDC information for an identity provider,
// as decoded from the provider's discovery document (see
// OpenIDConfigFetcher.GetOpenIDConfig). The JSON tags match the standard
// discovery field names.
type OIDCConfiguration struct {
	// Issuer is the issuer identifier advertised by the discovery document.
	// NOTE(review): whether this is compared against the configured issuer
	// is not visible here — confirm, since a mismatch would indicate a
	// misconfigured or substituted discovery endpoint.
	Issuer string `json:"issuer"`
	// JwksURI is the advertised JSON Web Key Set location.
	JwksURI string `json:"jwks_uri"`
	// TokenEndpoint is the advertised token endpoint.
	TokenEndpoint string `json:"token_endpoint"`
	// AuthEndpoint is the advertised authorization endpoint.
	AuthEndpoint string `json:"authorization_endpoint"`
}
type OpenIDConfigFetcher ¶
// OpenIDConfigFetcher implements functions to fetch OpenID configuration from
// an issuer. Construct it with NewOpenIDConfigFetcher; the zero value has a
// nil Client.
type OpenIDConfigFetcher struct {
	// Client is the retrying HTTP client used for discovery requests.
	// NOTE(review): whether NewOpenIDConfigFetcher sets request timeouts on
	// this client is not visible here — confirm before use against
	// untrusted or slow issuers.
	Client *retryablehttp.Client
}
func NewOpenIDConfigFetcher ¶
func NewOpenIDConfigFetcher() *OpenIDConfigFetcher
NewOpenIDConfigFetcher returns a new OpenIDConfigFetcher.
func (*OpenIDConfigFetcher) GetOpenIDConfig ¶
func (o *OpenIDConfigFetcher) GetOpenIDConfig(ctx context.Context, issuer string) (*OIDCConfiguration, error)
GetOpenIDConfig returns the IDP config from the OIDC discovery document
type SCIMCaller ¶
// SCIMCaller represents a SCIM subject, i.e. a request authenticated with a
// token of type SCIMTokenType. Construct it with NewSCIMCaller.
type SCIMCaller struct {
	// contains filtered or unexported fields
}
func NewSCIMCaller ¶
func NewSCIMCaller(dbClient *db.Client) *SCIMCaller
NewSCIMCaller returns a new SCIM caller.
func (*SCIMCaller) GetNamespaceAccessPolicy ¶
func (s *SCIMCaller) GetNamespaceAccessPolicy(_ context.Context) (*NamespaceAccessPolicy, error)
GetNamespaceAccessPolicy returns the namespace access policy for this caller.
func (*SCIMCaller) GetSubject ¶
func (s *SCIMCaller) GetSubject() string
GetSubject returns the subject identifier for this caller.
func (*SCIMCaller) RequireAccessToInheritableResource ¶ added in v0.9.0
func (s *SCIMCaller) RequireAccessToInheritableResource(ctx context.Context, _ permissions.ResourceType, _ ...func(*constraints)) error
RequireAccessToInheritableResource will return an error if the caller doesn't have access to the specified resource type.
func (*SCIMCaller) RequirePermission ¶ added in v0.9.0
func (s *SCIMCaller) RequirePermission(ctx context.Context, perm permissions.Permission, checks ...func(*constraints)) error
RequirePermission will return an error if the caller doesn't have the specified permissions.
type ServiceAccountCaller ¶
// ServiceAccountCaller represents a service account subject, i.e. a request
// authenticated with a token of type ServiceAccountTokenType. Construct it
// with NewServiceAccountCaller, which also supplies the Authorizer that
// backs the Require* methods.
type ServiceAccountCaller struct {
	// ServiceAccountPath is the full path of the service account.
	ServiceAccountPath string
	// ServiceAccountID is the identifier of the service account.
	ServiceAccountID string
	// contains filtered or unexported fields
}
func NewServiceAccountCaller ¶
func NewServiceAccountCaller(id string, path string, authorizer Authorizer, dbClient *db.Client) *ServiceAccountCaller
NewServiceAccountCaller returns a new ServiceAccountCaller
func (*ServiceAccountCaller) GetNamespaceAccessPolicy ¶
func (s *ServiceAccountCaller) GetNamespaceAccessPolicy(ctx context.Context) (*NamespaceAccessPolicy, error)
GetNamespaceAccessPolicy returns the namespace access policy for this caller
func (*ServiceAccountCaller) GetSubject ¶
func (s *ServiceAccountCaller) GetSubject() string
GetSubject returns the subject identifier for this caller
func (*ServiceAccountCaller) RequireAccessToInheritableResource ¶ added in v0.9.0
func (s *ServiceAccountCaller) RequireAccessToInheritableResource(ctx context.Context, resourceType permissions.ResourceType, checks ...func(*constraints)) error
RequireAccessToInheritableResource will return an error if the caller doesn't have permission to the inherited resource.
func (*ServiceAccountCaller) RequirePermission ¶ added in v0.9.0
func (s *ServiceAccountCaller) RequirePermission(ctx context.Context, perm permissions.Permission, checks ...func(*constraints)) error
RequirePermission will return an error if the caller doesn't have the specified permissions
type SystemCaller ¶
// SystemCaller is the caller subject for internal system calls.
//
// NOTE(review): its RequirePermission and RequireAccessToInheritableResource
// signatures discard every argument, so this caller presumably does not
// evaluate permissions at all — confirm. It should only be placed in a
// context by trusted internal code paths, never derived from request input.
type SystemCaller struct{}
func (*SystemCaller) GetNamespaceAccessPolicy ¶
func (s *SystemCaller) GetNamespaceAccessPolicy(_ context.Context) (*NamespaceAccessPolicy, error)
GetNamespaceAccessPolicy returns the namespace access policy for this caller
func (*SystemCaller) GetSubject ¶
func (s *SystemCaller) GetSubject() string
GetSubject returns the subject identifier for this caller
func (*SystemCaller) RequireAccessToInheritableResource ¶ added in v0.9.0
func (s *SystemCaller) RequireAccessToInheritableResource(_ context.Context, _ permissions.ResourceType, _ ...func(*constraints)) error
RequireAccessToInheritableResource will return an error if the caller doesn't have access to the specified resource type
func (*SystemCaller) RequirePermission ¶ added in v0.9.0
func (s *SystemCaller) RequirePermission(_ context.Context, _ permissions.Permission, _ ...func(*constraints)) error
RequirePermission will return an error if the caller doesn't have the specified permissions
type TokenInput ¶
// TokenInput provides options for creating a new service account token via
// IdentityProvider.GenerateToken.
type TokenInput struct {
	// Expiration is the token's expiry time.
	// NOTE(review): the behaviour for a nil Expiration is not visible here —
	// confirm that it does not produce a non-expiring token.
	Expiration *time.Time
	// Claims are additional private claims to embed in the token.
	Claims map[string]string
	// Subject is the token's subject.
	Subject string
	// JwtID is the token's unique identifier (the jti claim).
	JwtID string
}
type UserAuth ¶
// UserAuth implements JWT authentication for user tokens against the
// configured identity providers. Construct it with NewUserAuth; Authenticate
// validates a token and returns a UserCaller.
type UserAuth struct {
	// contains filtered or unexported fields
}
func NewUserAuth ¶
func NewUserAuth( ctx context.Context, identityProviders []IdentityProviderConfig, logger logger.Logger, dbClient *db.Client, ) *UserAuth
NewUserAuth creates an instance of UserAuth
func (*UserAuth) Authenticate ¶
func (u *UserAuth) Authenticate(ctx context.Context, tokenString string, useCache bool) (*UserCaller, error)
Authenticate validates a user JWT and returns a UserCaller
type UserCaller ¶
UserCaller represents a user subject
func NewUserCaller ¶
func NewUserCaller(user *models.User, authorizer Authorizer, dbClient *db.Client) *UserCaller
NewUserCaller returns a new UserCaller
func (*UserCaller) GetNamespaceAccessPolicy ¶
func (u *UserCaller) GetNamespaceAccessPolicy(ctx context.Context) (*NamespaceAccessPolicy, error)
GetNamespaceAccessPolicy returns the namespace access policy for this caller
func (*UserCaller) GetSubject ¶
func (u *UserCaller) GetSubject() string
GetSubject returns the subject identifier for this caller
func (*UserCaller) GetTeams ¶
GetTeams does lazy initialization of the list of teams for this user caller.
func (*UserCaller) RequireAccessToInheritableResource ¶ added in v0.9.0
func (u *UserCaller) RequireAccessToInheritableResource(ctx context.Context, resourceType permissions.ResourceType, checks ...func(*constraints)) error
RequireAccessToInheritableResource will return an error if the caller doesn't have permission to the inherited resource.
func (*UserCaller) RequirePermission ¶ added in v0.9.0
func (u *UserCaller) RequirePermission(ctx context.Context, perm permissions.Permission, checks ...func(*constraints)) error
RequirePermission will return an error if the caller doesn't have the specified permissions
type VCSWorkspaceLinkCaller ¶
// VCSWorkspaceLinkCaller represents a VCS provider subject, i.e. a request
// authenticated with a token of type VCSWorkspaceLinkTokenType. Construct it
// with NewVCSWorkspaceLinkCaller.
type VCSWorkspaceLinkCaller struct {
	// Provider is the VCS provider the request originates from.
	Provider *models.VCSProvider
	// Link is the workspace/VCS provider link the token is bound to.
	Link *models.WorkspaceVCSProviderLink
	// contains filtered or unexported fields
}
func NewVCSWorkspaceLinkCaller ¶
func NewVCSWorkspaceLinkCaller(provider *models.VCSProvider, link *models.WorkspaceVCSProviderLink, dbClient *db.Client) *VCSWorkspaceLinkCaller
NewVCSWorkspaceLinkCaller returns a new VCS caller.
func (*VCSWorkspaceLinkCaller) GetNamespaceAccessPolicy ¶
func (v *VCSWorkspaceLinkCaller) GetNamespaceAccessPolicy(_ context.Context) (*NamespaceAccessPolicy, error)
GetNamespaceAccessPolicy returns the namespace access policy for this caller.
func (*VCSWorkspaceLinkCaller) GetSubject ¶
func (v *VCSWorkspaceLinkCaller) GetSubject() string
GetSubject returns the subject identifier for this caller.
func (*VCSWorkspaceLinkCaller) RequireAccessToInheritableResource ¶ added in v0.9.0
func (v *VCSWorkspaceLinkCaller) RequireAccessToInheritableResource(ctx context.Context, _ permissions.ResourceType, _ ...func(*constraints)) error
RequireAccessToInheritableResource will return an error if the caller doesn't have access to the specified resource type
func (*VCSWorkspaceLinkCaller) RequirePermission ¶ added in v0.9.0
func (v *VCSWorkspaceLinkCaller) RequirePermission(ctx context.Context, perm permissions.Permission, checks ...func(*constraints)) error
RequirePermission will return an error if the caller doesn't have the specified permissions.
Package permissions contains the permission sets and other related functionalities that dictate the level of access a subject has to a Tharsis resource.