rights

package
v3.33.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Dec 18, 2024 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package rights implements rights fetching and checking.

Index

Examples

Constants

This section is empty.

Variables

// Errors for no/insufficient rights.
//
// Every entry is built with errors.DefinePermissionDenied and comes as a pair:
// a "no rights" error and an "insufficient rights" error for the same scope.
// NOTE(review): the first argument looks like the error name and the second
// like a message format with `{uid}` / `{entity_type}` placeholders; the
// trailing "missing" argument presumably declares an attribute that carries
// the missing rights. Confirm against errors.DefinePermissionDenied.
var (
	// Universal rights.
	ErrNoUniversalRights           = errors.DefinePermissionDenied("no_universal_rights", "no universal rights")
	ErrInsufficientUniversalRights = errors.DefinePermissionDenied("insufficient_universal_rights", "insufficient universal rights", "missing")

	// Admin status.
	ErrNoAdmin = errors.DefinePermissionDenied("no_admin", "no admin")

	// Applications.
	ErrNoApplicationRights           = errors.DefinePermissionDenied("no_application_rights", "no rights for application `{uid}`")
	ErrInsufficientApplicationRights = errors.DefinePermissionDenied("insufficient_application_rights", "insufficient rights for application `{uid}`", "missing")

	// Clients.
	ErrNoClientRights           = errors.DefinePermissionDenied("no_client_rights", "no rights for client `{uid}`")
	ErrInsufficientClientRights = errors.DefinePermissionDenied("insufficient_client_rights", "insufficient rights for client `{uid}`", "missing")

	// Gateways.
	ErrNoGatewayRights           = errors.DefinePermissionDenied("no_gateway_rights", "no rights for gateway `{uid}`")
	ErrInsufficientGatewayRights = errors.DefinePermissionDenied("insufficient_gateway_rights", "insufficient rights for gateway `{uid}`", "missing")

	// Organizations.
	ErrNoOrganizationRights           = errors.DefinePermissionDenied("no_organization_rights", "no rights for organization `{uid}`")
	ErrInsufficientOrganizationRights = errors.DefinePermissionDenied("insufficient_organization_rights", "insufficient rights for organization `{uid}`", "missing")

	// Users.
	ErrNoUserRights           = errors.DefinePermissionDenied("no_user_rights", "no rights for user `{uid}`")
	ErrInsufficientUserRights = errors.DefinePermissionDenied("insufficient_user_rights", "insufficient rights for user `{uid}`", "missing")

	// Generic form: the entity type is a message placeholder rather than fixed text.
	ErrInsufficientRights = errors.DefinePermissionDenied("insufficient_rights", "insufficient rights for {entity_type} `{uid}`", "missing")
)

Errors for no/insufficient rights.

Functions

func AuthInfo added in v3.12.0

func AuthInfo(ctx context.Context) (authInfo *ttnpb.AuthInfoResponse, err error)

AuthInfo lists the authentication info with universal rights, whether the caller is admin and the authentication method.

func ListApplication

func ListApplication(ctx context.Context, id *ttnpb.ApplicationIdentifiers) (rights *ttnpb.Rights, err error)

ListApplication lists the rights for the given application ID in the context.

func ListClient

func ListClient(ctx context.Context, id *ttnpb.ClientIdentifiers) (rights *ttnpb.Rights, err error)

ListClient lists the rights for the given client ID in the context.

func ListGateway

func ListGateway(ctx context.Context, id *ttnpb.GatewayIdentifiers) (rights *ttnpb.Rights, err error)

ListGateway lists the rights for the given gateway ID in the context.

func ListOrganization

func ListOrganization(ctx context.Context, id *ttnpb.OrganizationIdentifiers) (rights *ttnpb.Rights, err error)

ListOrganization lists the rights for the given organization ID in the context.

func ListUser

func ListUser(ctx context.Context, id *ttnpb.UserIdentifiers) (rights *ttnpb.Rights, err error)

ListUser lists the rights for the given user ID in the context.

func NewContext

func NewContext(ctx context.Context, rights *Rights) context.Context

NewContext returns a derived context with the given rights.

func NewContextWithAuthInfo added in v3.12.0

func NewContextWithAuthInfo(ctx context.Context, authInfo *ttnpb.AuthInfoResponse) context.Context

NewContextWithAuthInfo returns a derived context with the authInfo.

func NewContextWithAuthInfoCache added in v3.12.0

func NewContextWithAuthInfoCache(ctx context.Context) context.Context

NewContextWithAuthInfoCache returns a derived context with an authentication info cache. This should only be used for request contexts.

func NewContextWithCache

func NewContextWithCache(ctx context.Context) context.Context

NewContextWithCache returns a derived context with a rights cache. This should only be used for request contexts.

func NewContextWithFetcher

func NewContextWithFetcher(ctx context.Context, fetcher Fetcher) context.Context

NewContextWithFetcher returns a new context with the given rights fetcher.

func RequireAny

func RequireAny(ctx context.Context, ids ...*ttnpb.EntityIdentifiers) error

RequireAny checks that context contains any rights for each of the given entity identifiers.

func RequireApplication

func RequireApplication(ctx context.Context, id *ttnpb.ApplicationIdentifiers, required ...ttnpb.Right) error

RequireApplication checks that context contains the required rights for the given application ID.

Example
package main

import (
	"context"

	"go.thethings.network/lorawan-stack/v3/pkg/auth/rights"
	"go.thethings.network/lorawan-stack/v3/pkg/ttnpb"
)

// main sketches how an RPC handler guards a device write with
// rights.RequireApplication before doing any work.
func main() {
	// Placeholders: in real code both values are the arguments of a
	// hypothetical Set RPC call, not zero values.
	var ctx context.Context
	var dev ttnpb.EndDevice

	// The check is made against the application that owns the device, and it
	// asks for the specific right the operation needs (devices write).
	err := rights.RequireApplication(
		ctx,
		dev.Ids.ApplicationIds,
		ttnpb.Right_RIGHT_APPLICATION_DEVICES_WRITE,
	)
	if err != nil {
		// A handler returns here (`return nil, err`) so that the request is
		// rejected and the write never runs without the required right.
		// main has no return values, so the example leaves the branch empty.
	}
}
Output:

func RequireAuthenticated added in v3.28.1

func RequireAuthenticated(ctx context.Context) error

RequireAuthenticated checks whether the authentication information within a context contains any rights; if so, the request is considered to be authenticated.

func RequireClient

func RequireClient(ctx context.Context, id *ttnpb.ClientIdentifiers, required ...ttnpb.Right) (err error)

RequireClient checks that context contains the required rights for the given client ID.

func RequireGateway

func RequireGateway(ctx context.Context, id *ttnpb.GatewayIdentifiers, required ...ttnpb.Right) (err error)

RequireGateway checks that context contains the required rights for the given gateway ID.

func RequireIsAdmin added in v3.12.0

func RequireIsAdmin(ctx context.Context) error

RequireIsAdmin checks that the context is authenticated as admin.

func RequireOrganization

func RequireOrganization(ctx context.Context, id *ttnpb.OrganizationIdentifiers, required ...ttnpb.Right) (err error)

RequireOrganization checks that context contains the required rights for the given organization ID.

func RequireUniversal added in v3.12.0

func RequireUniversal(ctx context.Context, required ...ttnpb.Right) error

RequireUniversal checks that the context contains the required universal rights.

func RequireUser

func RequireUser(ctx context.Context, id *ttnpb.UserIdentifiers, required ...ttnpb.Right) (err error)

RequireUser checks that context contains the required rights for the given user ID.

Types

type AuthInfoFetcher added in v3.12.0

// AuthInfoFetcher provides an interface for fetching authentication info.
type AuthInfoFetcher interface {
	// AuthInfo returns the authentication info for the given context, or an
	// error when it cannot be fetched.
	AuthInfo(context.Context) (*ttnpb.AuthInfoResponse, error)
}

AuthInfoFetcher provides an interface for fetching authentication info.

type AuthInfoFetcherFunc added in v3.12.0

type AuthInfoFetcherFunc func(ctx context.Context) (*ttnpb.AuthInfoResponse, error)

AuthInfoFetcherFunc is a function that implements the AuthInfoFetcher interface.

func (AuthInfoFetcherFunc) AuthInfo added in v3.12.0

AuthInfo implements the Fetcher interface.

type EntityFetcher added in v3.12.0

EntityFetcher provides an interface for fetching entity rights.

type EntityFetcherFunc added in v3.12.0

type EntityFetcherFunc func(ctx context.Context, ids *ttnpb.EntityIdentifiers) (*ttnpb.Rights, error)

EntityFetcherFunc is a function that implements the EntityFetcher interface.

An EntityFetcherFunc that returns all Application rights for any Application would look like this:

// Illustration only: this fetcher ignores both ctx and ids and hands back
// every application right to whoever asks.
fetcher := rights.EntityFetcherFunc(func(_ context.Context, _ *ttnpb.EntityIdentifiers) (*ttnpb.Rights, error) {
	// In a real fetcher the rights usually come from an identity server or a
	// database instead of a fixed set.
	all := ttnpb.AllApplicationRights
	return &all, nil
})

func (EntityFetcherFunc) ApplicationRights added in v3.12.0

func (f EntityFetcherFunc) ApplicationRights(ctx context.Context, ids *ttnpb.ApplicationIdentifiers) (*ttnpb.Rights, error)

ApplicationRights implements the Fetcher interface.

func (EntityFetcherFunc) ClientRights added in v3.12.0

func (f EntityFetcherFunc) ClientRights(ctx context.Context, ids *ttnpb.ClientIdentifiers) (*ttnpb.Rights, error)

ClientRights implements the Fetcher interface.

func (EntityFetcherFunc) GatewayRights added in v3.12.0

func (f EntityFetcherFunc) GatewayRights(ctx context.Context, ids *ttnpb.GatewayIdentifiers) (*ttnpb.Rights, error)

GatewayRights implements the Fetcher interface.

func (EntityFetcherFunc) OrganizationRights added in v3.12.0

func (f EntityFetcherFunc) OrganizationRights(ctx context.Context, ids *ttnpb.OrganizationIdentifiers) (*ttnpb.Rights, error)

OrganizationRights implements the Fetcher interface.

func (EntityFetcherFunc) UserRights added in v3.12.0

UserRights implements the Fetcher interface.

type Fetcher

// Fetcher provides an interface for rights fetching. It is the union of the
// two embedded interfaces, so an implementation must satisfy both.
type Fetcher interface {
	// EntityFetcher covers fetching entity rights.
	EntityFetcher
	// AuthInfoFetcher covers fetching authentication info.
	AuthInfoFetcher
}

Fetcher provides an interface for rights fetching.

func NewAccessFetcher

func NewAccessFetcher(getConn func(ctx context.Context) *grpc.ClientConn, allowInsecure bool) Fetcher

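NewAccessFetcher returns a new rights fetcher that fetches from the Access role returned by getConn. The allowInsecure argument indicates whether credentials may be sent over connections without TLS. Without TLS the credentials are not protected in transit, so allowInsecure should stay false unless the connection is secured by other means.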

func NewInMemoryCache

func NewInMemoryCache(fetcher Fetcher, successTTL, errorTTL time.Duration) Fetcher

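NewInMemoryCache returns a new in-memory cache on top of the given fetcher. Successful responses are valid for the duration of successTTL; unsuccessful responses are valid for the duration of errorTTL. Because a cached response stays valid for its TTL, a change at the underlying fetcher (such as a revoked right) may not be visible until the entry expires.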

type Map added in v3.23.0

type Map struct {
	// contains filtered or unexported fields
}

Map stores rights for a given ID.

func NewMap added in v3.23.0

func NewMap(rights map[string]*ttnpb.Rights) *Map

NewMap returns a pointer to a new Map.

func (*Map) GetRights added in v3.23.0

func (m *Map) GetRights(uid string) (*ttnpb.Rights, bool)

GetRights returns the rights stored in the map for a given UID, or nil if no value is present. The boolean result indicates whether a value was found in the map.

func (*Map) MissingRights added in v3.23.0

func (m *Map) MissingRights(uid string, rights ...ttnpb.Right) []ttnpb.Right

MissingRights returns the rights that are missing for the given RightsMap.

func (*Map) SetRights added in v3.23.0

func (m *Map) SetRights(uid string, rights *ttnpb.Rights)

SetRights sets the rights for the given UID.

type Rights

// Rights holds the rights for the request, with one Map per entity type.
// NOTE(review): each Map is presumably keyed by the entity UID that the
// matching Includes*/Missing* method takes; confirm against the implementation.
type Rights struct {
	// ApplicationRights holds the rights for applications.
	ApplicationRights  Map
	// ClientRights holds the rights for clients.
	ClientRights       Map
	// GatewayRights holds the rights for gateways.
	GatewayRights      Map
	// OrganizationRights holds the rights for organizations.
	OrganizationRights Map
	// UserRights holds the rights for users.
	UserRights         Map
}

Rights for the request.

func (*Rights) IncludesApplicationRights

func (r *Rights) IncludesApplicationRights(appUID string, rights ...ttnpb.Right) bool

IncludesApplicationRights returns whether the given rights are included for the given application.

func (*Rights) IncludesClientRights

func (r *Rights) IncludesClientRights(cliUID string, rights ...ttnpb.Right) bool

IncludesClientRights returns whether the given rights are included for the given client.

func (*Rights) IncludesGatewayRights

func (r *Rights) IncludesGatewayRights(gtwUID string, rights ...ttnpb.Right) bool

IncludesGatewayRights returns whether the given rights are included for the given gateway.

func (*Rights) IncludesOrganizationRights

func (r *Rights) IncludesOrganizationRights(orgUID string, rights ...ttnpb.Right) bool

IncludesOrganizationRights returns whether the given rights are included for the given organization.

func (*Rights) IncludesUserRights

func (r *Rights) IncludesUserRights(usrUID string, rights ...ttnpb.Right) bool

IncludesUserRights returns whether the given rights are included for the given user.

func (*Rights) MissingApplicationRights

func (r *Rights) MissingApplicationRights(appUID string, rights ...ttnpb.Right) []ttnpb.Right

MissingApplicationRights returns the rights that are missing for the given application.

func (*Rights) MissingClientRights

func (r *Rights) MissingClientRights(cliUID string, rights ...ttnpb.Right) []ttnpb.Right

MissingClientRights returns the rights that are missing for the given client.

func (*Rights) MissingGatewayRights

func (r *Rights) MissingGatewayRights(gtwUID string, rights ...ttnpb.Right) []ttnpb.Right

MissingGatewayRights returns the rights that are missing for the given gateway.

func (*Rights) MissingOrganizationRights

func (r *Rights) MissingOrganizationRights(orgUID string, rights ...ttnpb.Right) []ttnpb.Right

MissingOrganizationRights returns the rights that are missing for the given organization.

func (*Rights) MissingUserRights

func (r *Rights) MissingUserRights(usrUID string, rights ...ttnpb.Right) []ttnpb.Right

MissingUserRights returns the rights that are missing for the given user.
