Documentation ¶
Overview ¶
Package auth provides authentication and authorization capability
Index ¶
- Constants
- Variables
- func ContextWithAccount(ctx context.Context, account *Account) context.Context
- func VerifyAccess(rules []*Rule, acc *Account, res *Resource) error
- type Access
- type Account
- type Auth
- type GenerateOption
- type GenerateOptions
- type Option
- func Addrs(addrs ...string) Option
- func ClientToken(token *Token) Option
- func Credentials(id, secret string) Option
- func Issuer(i string) Option
- func Logger(l logger.Logger) Option
- func LoginURL(url string) Option
- func Meter(m meter.Meter) Option
- func Name(n string) Option
- func PrivateKey(key string) Option
- func PublicKey(key string) Option
- func Store(s store.Store) Option
- func Tracer(t tracer.Tracer) Option
- type Options
- type Resource
- type Rule
- type RulesOption
- type RulesOptions
- type Token
- type TokenOption
- type TokenOptions
- type VerifyOption
- type VerifyOptions
Constants ¶
const ( // BearerScheme used for Authorization header BearerScheme = "Bearer " // ScopePublic is the scope applied to a rule to allow access to the public ScopePublic = "" // ScopeAccount is the scope applied to a rule to limit to users with any valid account ScopeAccount = "*" )
Variables ¶
var ( // DefaultAuth holds default auth implementation DefaultAuth Auth = NewAuth() // ErrInvalidToken is when the token provided is not valid ErrInvalidToken = errors.New("invalid token provided") // ErrForbidden is when a user does not have the necessary scope to access a resource ErrForbidden = errors.New("resource forbidden") )
Functions ¶
func ContextWithAccount ¶
ContextWithAccount sets the account in the context
func VerifyAccess ¶
VerifyAccess an account has access to a resource using the rules provided. If the account does not have access an error will be returned. If there are no rules provided which match the resource, an error will be returned
Types ¶
type Account ¶
type Account struct { // Metadata any other associated metadata Metadata metadata.Metadata `json:"metadata"` // ID of the account e.g. email or id ID string `json:"id"` // Type of the account, e.g. service Type string `json:"type"` // Issuer of the account Issuer string `json:"issuer"` // Secret for the account, e.g. the password Secret string `json:"secret"` // Scopes the account has access to Scopes []string `json:"scopes"` }
Account provided by an auth provider
func AccountFromContext ¶
AccountFromContext gets the account from the context, which is set by the auth wrapper at the start of a call. If the account is not set, a nil account will be returned. The error is only returned when there was a problem retrieving an account
type Auth ¶
type Auth interface { // Init the auth Init(opts ...Option) error // Options set for auth Options() Options // Generate a new account Generate(id string, opts ...GenerateOption) (*Account, error) // Verify an account has access to a resource using the rules Verify(acc *Account, res *Resource, opts ...VerifyOption) error // Inspect a token Inspect(token string) (*Account, error) // Token generated using refresh token or credentials Token(opts ...TokenOption) (*Token, error) // Grant access to a resource Grant(rule *Rule) error // Revoke access to a resource Revoke(rule *Rule) error // Rules returns all the rules used to verify requests Rules(...RulesOption) ([]*Rule, error) // String returns the name of the implementation String() string }
Auth provides authentication and authorization
type GenerateOption ¶
type GenerateOption func(o *GenerateOptions)
GenerateOption func
func WithMetadata ¶
func WithMetadata(md metadata.Metadata) GenerateOption
WithMetadata for the generated account
func WithProvider ¶
func WithProvider(p string) GenerateOption
WithProvider for the generated account
type GenerateOptions ¶
type GenerateOptions struct { Metadata metadata.Metadata Provider string Type string Secret string Issuer string Scopes []string }
GenerateOptions struct
func NewGenerateOptions ¶
func NewGenerateOptions(opts ...GenerateOption) GenerateOptions
NewGenerateOptions from a slice of options
type Option ¶
type Option func(o *Options)
Option func
func ClientToken ¶
ClientToken sets the auth token to use when making requests
type Options ¶
type Options struct { // Context holds the external options Context context.Context // Meter used for metrics Meter meter.Meter // Logger used for logging Logger logger.Logger // Tracer used for tracing Tracer tracer.Tracer // Store used for stre data Store store.Store // Token is the services token used to authenticate itself Token *Token // LoginURL is the relative url path where a user can login LoginURL string // PrivateKey for encoding JWTs PrivateKey string // PublicKey for decoding JWTs PublicKey string // Secret is used to authenticate the service Secret string // ID is the services auth ID ID string // Issuer of the service's account Issuer string // Name holds the auth name Name string // Addrs sets the addresses of auth Addrs []string }
Options struct holds auth options
func NewOptions ¶
NewOptions creates Options struct from slice of options
type Resource ¶
type Resource struct { // Name of the resource, e.g. go.micro.service.notes Name string `json:"name"` // Type of resource, e.g. service Type string `json:"type"` // Endpoint resource e.g NotesService.Create Endpoint string `json:"endpoint"` }
Resource is an entity such as a user or
type Rule ¶
type Rule struct { // Resource that rule belongs to Resource *Resource // ID of the rule ID string // Scope of the rule Scope string // Access flag allow/deny Access Access // Priority holds the rule priority Priority int32 }
Rule is used to verify access to a resource
type RulesOption ¶
type RulesOption func(o *RulesOptions)
RulesOption func
func RulesContext ¶
func RulesContext(ctx context.Context) RulesOption
RulesContext pass rules context
func RulesNamespace ¶
func RulesNamespace(ns string) RulesOption
RulesNamespace sets the rule namespace
type RulesOptions ¶
RulesOptions struct
type Token ¶
type Token struct { // Time of token creation Created time.Time `json:"created"` // Time of token expiry Expiry time.Time `json:"expiry"` // The token to be used for accessing resources AccessToken string `json:"access_token"` // RefreshToken to be used to generate a new token RefreshToken string `json:"refresh_token"` }
Token can be short or long lived
type TokenOption ¶
type TokenOption func(o *TokenOptions)
TokenOption func
func WithCredentials ¶
func WithCredentials(id, secret string) TokenOption
WithCredentials sets tye id and secret
func WithTokenIssuer ¶
func WithTokenIssuer(iss string) TokenOption
WithTokenIssuer sets the token issuer option
type TokenOptions ¶
type TokenOptions struct { ID string Secret string RefreshToken string Issuer string Expiry time.Duration }
TokenOptions struct
func NewTokenOptions ¶
func NewTokenOptions(opts ...TokenOption) TokenOptions
NewTokenOptions from a slice of options
type VerifyOption ¶
type VerifyOption func(o *VerifyOptions)
VerifyOption func
func VerifyContext ¶
func VerifyContext(ctx context.Context) VerifyOption
VerifyContext pass context to verify
func VerifyNamespace ¶
func VerifyNamespace(ns string) VerifyOption
VerifyNamespace sets thhe namespace for verify
type VerifyOptions ¶
VerifyOptions struct