Documentation ¶
Overview ¶
Package rights implements rights fetching and checking.
Index ¶
- Variables
- func AuthInfo(ctx context.Context) (authInfo *ttnpb.AuthInfoResponse, err error)
- func ListApplication(ctx context.Context, id *ttnpb.ApplicationIdentifiers) (rights *ttnpb.Rights, err error)
- func ListClient(ctx context.Context, id *ttnpb.ClientIdentifiers) (rights *ttnpb.Rights, err error)
- func ListGateway(ctx context.Context, id *ttnpb.GatewayIdentifiers) (rights *ttnpb.Rights, err error)
- func ListOrganization(ctx context.Context, id *ttnpb.OrganizationIdentifiers) (rights *ttnpb.Rights, err error)
- func ListUser(ctx context.Context, id *ttnpb.UserIdentifiers) (rights *ttnpb.Rights, err error)
- func NewContext(ctx context.Context, rights *Rights) context.Context
- func NewContextWithAuthInfo(ctx context.Context, authInfo *ttnpb.AuthInfoResponse) context.Context
- func NewContextWithAuthInfoCache(ctx context.Context) context.Context
- func NewContextWithCache(ctx context.Context) context.Context
- func NewContextWithFetcher(ctx context.Context, fetcher Fetcher) context.Context
- func RequireAny(ctx context.Context, ids ...*ttnpb.EntityIdentifiers) error
- func RequireApplication(ctx context.Context, id *ttnpb.ApplicationIdentifiers, required ...ttnpb.Right) error
- func RequireAuthenticated(ctx context.Context) error
- func RequireClient(ctx context.Context, id *ttnpb.ClientIdentifiers, required ...ttnpb.Right) (err error)
- func RequireGateway(ctx context.Context, id *ttnpb.GatewayIdentifiers, required ...ttnpb.Right) (err error)
- func RequireIsAdmin(ctx context.Context) error
- func RequireOrganization(ctx context.Context, id *ttnpb.OrganizationIdentifiers, ...) (err error)
- func RequireUniversal(ctx context.Context, required ...ttnpb.Right) error
- func RequireUser(ctx context.Context, id *ttnpb.UserIdentifiers, required ...ttnpb.Right) (err error)
- type AuthInfoFetcher
- type AuthInfoFetcherFunc
- type EntityFetcher
- type EntityFetcherFunc
- func (f EntityFetcherFunc) ApplicationRights(ctx context.Context, ids *ttnpb.ApplicationIdentifiers) (*ttnpb.Rights, error)
- func (f EntityFetcherFunc) ClientRights(ctx context.Context, ids *ttnpb.ClientIdentifiers) (*ttnpb.Rights, error)
- func (f EntityFetcherFunc) GatewayRights(ctx context.Context, ids *ttnpb.GatewayIdentifiers) (*ttnpb.Rights, error)
- func (f EntityFetcherFunc) OrganizationRights(ctx context.Context, ids *ttnpb.OrganizationIdentifiers) (*ttnpb.Rights, error)
- func (f EntityFetcherFunc) UserRights(ctx context.Context, ids *ttnpb.UserIdentifiers) (*ttnpb.Rights, error)
- type Fetcher
- type Map
- type Rights
- func (r *Rights) IncludesApplicationRights(appUID string, rights ...ttnpb.Right) bool
- func (r *Rights) IncludesClientRights(cliUID string, rights ...ttnpb.Right) bool
- func (r *Rights) IncludesGatewayRights(gtwUID string, rights ...ttnpb.Right) bool
- func (r *Rights) IncludesOrganizationRights(orgUID string, rights ...ttnpb.Right) bool
- func (r *Rights) IncludesUserRights(usrUID string, rights ...ttnpb.Right) bool
- func (r *Rights) MissingApplicationRights(appUID string, rights ...ttnpb.Right) []ttnpb.Right
- func (r *Rights) MissingClientRights(cliUID string, rights ...ttnpb.Right) []ttnpb.Right
- func (r *Rights) MissingGatewayRights(gtwUID string, rights ...ttnpb.Right) []ttnpb.Right
- func (r *Rights) MissingOrganizationRights(orgUID string, rights ...ttnpb.Right) []ttnpb.Right
- func (r *Rights) MissingUserRights(usrUID string, rights ...ttnpb.Right) []ttnpb.Right
Examples ¶
Constants ¶
This section is empty.
Variables ¶
// Permission-denied error definitions used when a rights check fails.
//
// Every scope (universal, application, client, gateway, organization, user)
// has a "no rights" and an "insufficient rights" variant. The per-entity
// messages interpolate the entity UID through the `{uid}` placeholder, and
// ErrInsufficientRights additionally interpolates `{entity_type}`.
//
// NOTE(review): the trailing "missing" argument on the "insufficient" variants
// is presumably the name of an attribute that carries the missing rights —
// confirm against errors.DefinePermissionDenied.
// NOTE(review): these messages echo the entity UID; whether that text reaches
// the remote caller verbatim depends on how the errors are surfaced — verify.
var (
	ErrNoUniversalRights = errors.DefinePermissionDenied(
		"no_universal_rights",
		"no universal rights",
	)
	ErrInsufficientUniversalRights = errors.DefinePermissionDenied(
		"insufficient_universal_rights",
		"insufficient universal rights",
		"missing",
	)
	ErrNoAdmin = errors.DefinePermissionDenied(
		"no_admin",
		"no admin",
	)
	ErrNoApplicationRights = errors.DefinePermissionDenied(
		"no_application_rights",
		"no rights for application `{uid}`",
	)
	ErrInsufficientApplicationRights = errors.DefinePermissionDenied(
		"insufficient_application_rights",
		"insufficient rights for application `{uid}`",
		"missing",
	)
	ErrNoClientRights = errors.DefinePermissionDenied(
		"no_client_rights",
		"no rights for client `{uid}`",
	)
	ErrInsufficientClientRights = errors.DefinePermissionDenied(
		"insufficient_client_rights",
		"insufficient rights for client `{uid}`",
		"missing",
	)
	ErrNoGatewayRights = errors.DefinePermissionDenied(
		"no_gateway_rights",
		"no rights for gateway `{uid}`",
	)
	ErrInsufficientGatewayRights = errors.DefinePermissionDenied(
		"insufficient_gateway_rights",
		"insufficient rights for gateway `{uid}`",
		"missing",
	)
	ErrNoOrganizationRights = errors.DefinePermissionDenied(
		"no_organization_rights",
		"no rights for organization `{uid}`",
	)
	ErrInsufficientOrganizationRights = errors.DefinePermissionDenied(
		"insufficient_organization_rights",
		"insufficient rights for organization `{uid}`",
		"missing",
	)
	ErrNoUserRights = errors.DefinePermissionDenied(
		"no_user_rights",
		"no rights for user `{uid}`",
	)
	ErrInsufficientUserRights = errors.DefinePermissionDenied(
		"insufficient_user_rights",
		"insufficient rights for user `{uid}`",
		"missing",
	)
	// Generic variant: the entity kind is a message parameter rather than
	// being fixed in the error name.
	ErrInsufficientRights = errors.DefinePermissionDenied(
		"insufficient_rights",
		"insufficient rights for {entity_type} `{uid}`",
		"missing",
	)
)
Errors for no/insufficient rights.
Functions ¶
func AuthInfo ¶ added in v3.12.0
func AuthInfo(ctx context.Context) (authInfo *ttnpb.AuthInfoResponse, err error)
AuthInfo lists the authentication info with universal rights, whether the caller is admin and the authentication method.
func ListApplication ¶
func ListApplication(ctx context.Context, id *ttnpb.ApplicationIdentifiers) (rights *ttnpb.Rights, err error)
ListApplication lists the rights for the given application ID in the context.
func ListClient ¶
ListClient lists the rights for the given client ID in the context.
func ListGateway ¶
func ListGateway(ctx context.Context, id *ttnpb.GatewayIdentifiers) (rights *ttnpb.Rights, err error)
ListGateway lists the rights for the given gateway ID in the context.
func ListOrganization ¶
func ListOrganization(ctx context.Context, id *ttnpb.OrganizationIdentifiers) (rights *ttnpb.Rights, err error)
ListOrganization lists the rights for the given organization ID in the context.
func NewContext ¶
NewContext returns a derived context with the given rights.
func NewContextWithAuthInfo ¶ added in v3.12.0
NewContextWithAuthInfo returns a derived context with the authInfo.
func NewContextWithAuthInfoCache ¶ added in v3.12.0
NewContextWithAuthInfoCache returns a derived context with an authentication info cache. This should only be used for request contexts.
func NewContextWithCache ¶
NewContextWithCache returns a derived context with a rights cache. This should only be used for request contexts.
func NewContextWithFetcher ¶
NewContextWithFetcher returns a new context with the given rights fetcher.
func RequireAny ¶
func RequireAny(ctx context.Context, ids ...*ttnpb.EntityIdentifiers) error
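RequireAny checks that the context contains at least one right for each of the given entity identifiers. It takes no list of required rights, so passing this check does not show that any particular right is held.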
func RequireApplication ¶
func RequireApplication(ctx context.Context, id *ttnpb.ApplicationIdentifiers, required ...ttnpb.Right) error
RequireApplication checks that context contains the required rights for the given application ID.
Example ¶
package main

import (
	"context"

	"go.thethings.network/lorawan-stack/v3/pkg/auth/rights"
	"go.thethings.network/lorawan-stack/v3/pkg/ttnpb"
)

// main sketches how an RPC handler gates a device write on the caller's
// application rights. It is an illustration of the call shape, not a runnable
// handler: ctx and dev are declared but never assigned.
func main() {
	var (
		// Assume these come from a hypothetical Set RPC call.
		ctx context.Context
		dev ttnpb.EndDevice
	)
	// The rights check comes first. The application identifiers are taken from
	// the device in the request, and the right asked for is the device-write
	// right on that application.
	// NOTE(review): dev.Ids is dereferenced directly; a real handler presumably
	// needs the request validated (identifiers present) before this line — confirm.
	if err := rights.RequireApplication(ctx, dev.Ids.ApplicationIds, ttnpb.Right_RIGHT_APPLICATION_DEVICES_WRITE); err != nil {
		// A non-nil error means the check failed. In a handler the return below
		// must be live so the request stops here; it is commented out only
		// because main has no return values. With this branch empty the check
		// has no effect on what runs next.
		// return nil, err
	}
}
Output:
func RequireAuthenticated ¶ added in v3.28.1
RequireAuthenticated checks whether the authentication information within a context contains any rights; if so, the request is considered to be authenticated.
func RequireClient ¶
func RequireClient(ctx context.Context, id *ttnpb.ClientIdentifiers, required ...ttnpb.Right) (err error)
RequireClient checks that context contains the required rights for the given client ID.
func RequireGateway ¶
func RequireGateway(ctx context.Context, id *ttnpb.GatewayIdentifiers, required ...ttnpb.Right) (err error)
RequireGateway checks that context contains the required rights for the given gateway ID.
func RequireIsAdmin ¶ added in v3.12.0
RequireIsAdmin checks that the context is authenticated as admin.
func RequireOrganization ¶
func RequireOrganization(ctx context.Context, id *ttnpb.OrganizationIdentifiers, required ...ttnpb.Right) (err error)
RequireOrganization checks that context contains the required rights for the given organization ID.
func RequireUniversal ¶ added in v3.12.0
RequireUniversal checks that the context contains the required universal rights.
func RequireUser ¶
func RequireUser(ctx context.Context, id *ttnpb.UserIdentifiers, required ...ttnpb.Right) (err error)
RequireUser checks that context contains the required rights for the given user ID.
Types ¶
type AuthInfoFetcher ¶ added in v3.12.0
// AuthInfoFetcher is a single-method interface for obtaining authentication
// info.
type AuthInfoFetcher interface {
	// AuthInfo takes a context and returns an authentication info response,
	// or an error.
	AuthInfo(context.Context) (*ttnpb.AuthInfoResponse, error)
}
AuthInfoFetcher provides an interface for fetching authentication info.
type AuthInfoFetcherFunc ¶ added in v3.12.0
type AuthInfoFetcherFunc func(ctx context.Context) (*ttnpb.AuthInfoResponse, error)
AuthInfoFetcherFunc is a function that implements the AuthInfoFetcher interface.
func (AuthInfoFetcherFunc) AuthInfo ¶ added in v3.12.0
func (f AuthInfoFetcherFunc) AuthInfo(ctx context.Context) (*ttnpb.AuthInfoResponse, error)
AuthInfo implements the Fetcher interface.
type EntityFetcher ¶ added in v3.12.0
// EntityFetcher has one method per entity kind. Each method takes a context
// and that kind's identifiers and returns a rights value or an error.
// NOTE(review): the Require* checks presumably act on what an implementation
// returns, so the values returned here are what authorization rests on —
// confirm against the callers.
type EntityFetcher interface {
	// ApplicationRights returns rights for the given application identifiers.
	ApplicationRights(context.Context, *ttnpb.ApplicationIdentifiers) (*ttnpb.Rights, error)
	// ClientRights returns rights for the given client identifiers.
	ClientRights(context.Context, *ttnpb.ClientIdentifiers) (*ttnpb.Rights, error)
	// GatewayRights returns rights for the given gateway identifiers.
	GatewayRights(context.Context, *ttnpb.GatewayIdentifiers) (*ttnpb.Rights, error)
	// OrganizationRights returns rights for the given organization identifiers.
	OrganizationRights(context.Context, *ttnpb.OrganizationIdentifiers) (*ttnpb.Rights, error)
	// UserRights returns rights for the given user identifiers.
	UserRights(context.Context, *ttnpb.UserIdentifiers) (*ttnpb.Rights, error)
}
EntityFetcher provides an interface for fetching entity rights.
type EntityFetcherFunc ¶ added in v3.12.0
type EntityFetcherFunc func(ctx context.Context, ids *ttnpb.EntityIdentifiers) (*ttnpb.Rights, error)
EntityFetcherFunc is a function that implements the EntityFetcher interface.
An EntityFetcherFunc that returns all Application rights for any Application would look like this:
// Illustration only: the function below never reads ctx or ids, so it reports
// every application right for whatever identifiers it is asked about.
// NOTE(review): a check backed by this fetcher would presumably pass for any
// caller and any application, so this shape belongs in examples and tests
// rather than in production wiring — confirm how the fetcher is consumed.
fetcher := rights.EntityFetcherFunc(func(ctx context.Context, ids *ttnpb.EntityIdentifiers) (*ttnpb.Rights, error) {
	// The local name rights shadows the rights package inside this closure.
	rights := ttnpb.AllApplicationRights // Instead this usually comes from an identity server or a database.
	return &rights, nil
})
func (EntityFetcherFunc) ApplicationRights ¶ added in v3.12.0
func (f EntityFetcherFunc) ApplicationRights(ctx context.Context, ids *ttnpb.ApplicationIdentifiers) (*ttnpb.Rights, error)
ApplicationRights implements the Fetcher interface.
func (EntityFetcherFunc) ClientRights ¶ added in v3.12.0
func (f EntityFetcherFunc) ClientRights(ctx context.Context, ids *ttnpb.ClientIdentifiers) (*ttnpb.Rights, error)
ClientRights implements the Fetcher interface.
func (EntityFetcherFunc) GatewayRights ¶ added in v3.12.0
func (f EntityFetcherFunc) GatewayRights(ctx context.Context, ids *ttnpb.GatewayIdentifiers) (*ttnpb.Rights, error)
GatewayRights implements the Fetcher interface.
func (EntityFetcherFunc) OrganizationRights ¶ added in v3.12.0
func (f EntityFetcherFunc) OrganizationRights(ctx context.Context, ids *ttnpb.OrganizationIdentifiers) (*ttnpb.Rights, error)
OrganizationRights implements the Fetcher interface.
func (EntityFetcherFunc) UserRights ¶ added in v3.12.0
func (f EntityFetcherFunc) UserRights(ctx context.Context, ids *ttnpb.UserIdentifiers) (*ttnpb.Rights, error)
UserRights implements the Fetcher interface.
type Fetcher ¶
// Fetcher is the union of the two fetching interfaces: it embeds EntityFetcher
// (per-entity rights) and AuthInfoFetcher (authentication info), so an
// implementation must provide the methods of both.
type Fetcher interface {
	EntityFetcher
	AuthInfoFetcher
}
Fetcher provides an interface for rights fetching.
func NewAccessFetcher ¶
func NewAccessFetcher(getConn func(ctx context.Context) *grpc.ClientConn, allowInsecure bool) Fetcher
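NewAccessFetcher returns a new rights fetcher that fetches from the Access role returned by getConn. The allowInsecure argument indicates whether it's allowed to send credentials over connections without TLS. Without TLS the credentials are not protected in transit, so allowInsecure should be true only where the connection is protected by other means.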
func NewInMemoryCache ¶
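NewInMemoryCache returns a new in-memory cache on top of the given fetcher. Successful responses are valid for the duration of successTTL; unsuccessful responses are valid for the duration of errorTTL. A cached response is served until its TTL expires, so a change in rights at the underlying fetcher may not be reflected before then.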
type Map ¶ added in v3.23.0
type Map struct {
// contains filtered or unexported fields
}
Map stores rights for a given ID.
func (*Map) GetRights ¶ added in v3.23.0
GetRights returns the rights stored in the map for a given UID, or nil if no value is present. The ok result indicates whether a value was found in the map.
func (*Map) MissingRights ¶ added in v3.23.0
MissingRights returns the rights that are missing for the given RightsMap.
type Rights ¶
// Rights groups one Map per entity kind. The Includes* and Missing* methods on
// *Rights each take a UID string for the corresponding kind.
type Rights struct {
	ApplicationRights  Map // rights for applications
	ClientRights       Map // rights for clients
	GatewayRights      Map // rights for gateways
	OrganizationRights Map // rights for organizations
	UserRights         Map // rights for users
}
Rights for the request.
func (*Rights) IncludesApplicationRights ¶
IncludesApplicationRights returns whether the given rights are included for the given application.
func (*Rights) IncludesClientRights ¶
IncludesClientRights returns whether the given rights are included for the given client.
func (*Rights) IncludesGatewayRights ¶
IncludesGatewayRights returns whether the given rights are included for the given gateway.
func (*Rights) IncludesOrganizationRights ¶
IncludesOrganizationRights returns whether the given rights are included for the given organization.
func (*Rights) IncludesUserRights ¶
IncludesUserRights returns whether the given rights are included for the given user.
func (*Rights) MissingApplicationRights ¶
MissingApplicationRights returns the rights that are missing for the given application.
func (*Rights) MissingClientRights ¶
MissingClientRights returns the rights that are missing for the given client.
func (*Rights) MissingGatewayRights ¶
MissingGatewayRights returns the rights that are missing for the given gateway.
func (*Rights) MissingOrganizationRights ¶
MissingOrganizationRights returns the rights that are missing for the given organization.