auth

package
v2.8.1 Latest
Warning

This package is not in the latest version of its module.

Published: Mar 8, 2022 License: Apache-2.0 Imports: 4 Imported by: 0

Documentation

Overview

Package auth defines a standard interface for request access controllers.

An access controller has a simple interface with a single `Authorized` method which checks that a given request is authorized to perform one or more actions on one or more resources. This method should return a non-nil error if the request is not authorized.

An implementation registers its access controller by name with a constructor which accepts an options map for configuring the access controller.

options := map[string]interface{}{"sillySecret": "whysosilly?"}
accessController, _ := auth.GetAccessController("silly", options)

This `accessController` can then be used in a request handler like so:

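func updateOrder(w http.ResponseWriter, r *http.Request) {
	orderNumber := r.FormValue("orderNumber")
	resource := auth.Resource{Type: "customerOrder", Name: orderNumber}
	access := auth.Access{Resource: resource, Action: "update"}

	// ctx is the caller's context; it must carry the *http.Request under
	// the "http.request" key (see AccessController below).
	authCtx, err := accessController.Authorized(ctx, access)
	if err != nil {
		if challenge, ok := err.(auth.Challenge); ok {
			// Let the challenge write the response.
			challenge.SetHeaders(r, w)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		// Some other error: access is still denied.
		http.Error(w, "authorization check failed", http.StatusInternalServerError)
		return
	}

	// Authorized: authCtx carries the "auth.user" UserInfo value.
	_ = authCtx
}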
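The following is an added example, not code from this package or its authors: a minimal controller and caller showing that every non-nil error from `Authorized` must deny the request, whether or not it is a `Challenge`. The `Access` and `Challenge` types are local stand-ins mirroring the page's definitions so the block runs without the module; `demoController`, `basicChallenge`, `serve` and the credential pair are hypothetical and constructed.

```go
package main

import (
	"context"
	"crypto/subtle"
	"errors"
	"net/http"
	"net/http/httptest"
)

// Local stand-ins for the page's auth.Access and auth.Challenge (offline demo).
type Access struct{ Type, Name, Action string }
type Challenge interface {
	error
	SetHeaders(r *http.Request, w http.ResponseWriter)
}
type basicChallenge struct{}
func (basicChallenge) Error() string { return "basic authentication required" }
func (basicChallenge) SetHeaders(_ *http.Request, w http.ResponseWriter) {
	w.Header().Set("WWW-Authenticate", `Basic realm="demo"`)
}

// demoController is hypothetical; creds is one constructed "user:password" pair.
type demoController struct{ creds string }
func (d demoController) Authorized(ctx context.Context, _ ...Access) (context.Context, error) {
	req, ok := ctx.Value("http.request").(*http.Request)
	if !ok {
		return nil, errors.New("no request in context") // plain error, not a Challenge
	}
	u, p, _ := req.BasicAuth() // missing header yields empty strings, which never match
	if subtle.ConstantTimeCompare([]byte(u+":"+p), []byte(d.creds)) != 1 {
		return nil, basicChallenge{}
	}
	return context.WithValue(ctx, "auth.user.name", u), nil
}

// serve is the caller side: any non-nil error denies, Challenge or not.
func serve(ctx context.Context, r *http.Request) *httptest.ResponseRecorder {
	w, ac := httptest.NewRecorder(), demoController{creds: "alice:constructed-pass"}
	_, err := ac.Authorized(ctx, Access{Type: "customerOrder", Name: "42", Action: "update"})
	if ch, ok := err.(Challenge); ok {
		ch.SetHeaders(r, w)
		w.WriteHeader(http.StatusUnauthorized)
	} else if err != nil {
		w.WriteHeader(http.StatusInternalServerError)
	}
	return w // on success the recorder keeps its default 200
}

func main() { println(serve(context.Background(), httptest.NewRequest("GET", "/", nil)).Code) }
```
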

Constants

const (
	// UserKey is used to get the user object from
	// a user context
	UserKey = "auth.user"

	// UserNameKey is used to get the user name from
	// a user context
	UserNameKey = "auth.user.name"
)

Variables

var (
	// ErrInvalidCredential is returned when the auth token does not authenticate correctly.
	ErrInvalidCredential = errors.New("invalid authorization credential")

	// ErrAuthenticationFailure returned when authentication fails.
	ErrAuthenticationFailure = errors.New("authentication failure")
)

Functions

func Register

func Register(name string, initFunc InitFunc) error

Register is used to register an InitFunc for an AccessController backend with the given name.

func WithResources added in v2.6.0

func WithResources(ctx context.Context, resources []Resource) context.Context

WithResources returns a context with the authorized resources.

func WithUser

func WithUser(ctx context.Context, user UserInfo) context.Context

WithUser returns a context with the authorized user info.

Types

type Access

type Access struct {
	Resource
	Action string
}

Access describes a specific action that is requested or allowed for a given resource.

type AccessController

type AccessController interface {
	// Authorized returns a non-nil error if the context is not granted access;
	// otherwise it returns a new authorized context. If one or more Access structs are
	// provided, the requested access will be compared with what is available
	// to the context. The given context will contain a "http.request" key with
	// a `*http.Request` value. If the error is non-nil, access should always
	// be denied. The error may be of type Challenge, in which case the caller
	// may have the Challenge handle the request or choose what action to take
	// based on the Challenge header or response status. The returned context
	// object should have a "auth.user" value set to a UserInfo struct.
	Authorized(ctx context.Context, access ...Access) (context.Context, error)
}

AccessController controls access to registry resources based on a request and required access levels for a request. Implementations can support both complete denial and http authorization challenges.

func GetAccessController

func GetAccessController(name string, options map[string]interface{}) (AccessController, error)

GetAccessController constructs an AccessController with the given options using the named backend.

type Challenge

type Challenge interface {
	error

	// SetHeaders prepares the request to conduct a challenge response by
	// adding an HTTP challenge header on the response message. Callers
	// are expected to set the appropriate HTTP status code (e.g. 401)
	// themselves.
	SetHeaders(r *http.Request, w http.ResponseWriter)
}

Challenge is a special error type which is used for HTTP 401 Unauthorized responses and is able to write the response with WWW-Authenticate challenge header values based on the error.

type CredentialAuthenticator added in v2.5.0

type CredentialAuthenticator interface {
	AuthenticateUser(username, password string) error
}

CredentialAuthenticator is an object which is able to authenticate credentials.

type InitFunc

type InitFunc func(options map[string]interface{}) (AccessController, error)

InitFunc is the type of an AccessController factory function and is used to register the constructor for different AccessController backends.

type Resource

type Resource struct {
	Type  string
	Class string
	Name  string
}

Resource describes a resource by type and name.

func AuthorizedResources added in v2.6.0

func AuthorizedResources(ctx context.Context) []Resource

AuthorizedResources returns the list of resources which have been authorized for this request.

type UserInfo

type UserInfo struct {
	Name string
}

UserInfo carries information about an authenticated/authorized client.

Directories

Package htpasswd provides a simple authentication scheme that checks for the user credential hash in an htpasswd formatted file in a configuration-determined location.
Package silly provides a simple authentication scheme that checks for the existence of an Authorization header and issues access if it is present and non-empty.
