Documentation ¶
Overview ¶
Package identchecker wraps the functionality in the bakery package to add support for authentication via third party caveats.
Index ¶
Constants ¶
const Everyone = "everyone"
Everyone is recognized by ACLAuthorizer as the name of a group that has everyone in it.
Variables ¶
var ( // OpenAuthorizer is an Authorizer implementation that will authorize all operations without question. OpenAuthorizer openAuthorizer // ClosedAuthorizer is an Authorizer implementation that will return ErrPermissionDenied // on all authorization requests. ClosedAuthorizer closedAuthorizer )
var LoginOp = bakery.Op{
Entity: "login",
Action: "login",
}
LoginOp represents a login (authentication) operation. A macaroon that is associated with this operation generally carries authentication information with it.
Functions ¶
This section is empty.
Types ¶
type ACLAuthorizer ¶
type ACLAuthorizer struct { // GetACL returns the ACL that applies to the given operation, // and reports whether non-authenticated users should // be allowed access when the ACL contains "everyone". // // If an entity cannot be found or the action is not recognised, // GetACLs should return an empty ACL but no error. GetACL func(ctx context.Context, op bakery.Op) (acl []string, allowPublic bool, err error) }
ACLAuthorizer is an Authorizer implementation that will check access control list (ACL) membership of users. It uses GetACL to find out the ACLs that apply to the requested operations and will authorize an operation if an ACL contains the group "everyone" or if the context contains an AuthInfo (see ContextWithAuthInfo) that holds an Identity that implements ACLIdentity and its Allow method returns true for the ACL.
func (ACLAuthorizer) Authorize ¶
func (a ACLAuthorizer) Authorize(ctx context.Context, ident Identity, ops []bakery.Op) (allowed []bool, caveats []checkers.Caveat, err error)
Authorize implements Authorizer.Authorize by calling ident.Allow to determine whether the identity is a member of the ACLs associated with the given operations.
type ACLIdentity ¶
type ACLIdentity interface { Identity // Allow reports whether the user should be allowed to access // any of the users or groups in the given ACL slice. Allow(ctx context.Context, acl []string) (bool, error) }
ACLIdentity may be implemented by Identity implementions to report group membership information. See ACLAuthorizer for details.
type AuthChecker ¶
type AuthChecker struct {
// contains filtered or unexported fields
}
AuthChecker authorizes operations with respect to a user's request.
func (*AuthChecker) Allow ¶
Allow checks that the authorizer's request is authorized to perform all the given operations.
If all the operations are allowed, an AuthInfo is returned holding details of the decision.
If an operation was not allowed, an error will be returned which may be *bakery.DischargeRequiredError holding the operations that remain to be authorized in order to allow authorization to proceed.
type AuthInfo ¶
type AuthInfo struct { *bakery.AuthInfo // Identity holds information on the authenticated user as returned // from IdentityClient. It may be nil after a // successful authorization if LoginOp access was not required. Identity Identity }
AuthInfo information about an authorization decision.
type Authorizer ¶
type Authorizer interface { // Authorize checks whether the given identity (which will be nil // when there is no authenticated user) is allowed to perform // the given operations. It should return an error only when // the authorization cannot be determined, not when the // user has been denied access. // // On success, each element of allowed holds whether the respective // element of ops has been allowed, and caveats holds any additional // third party caveats that apply. // If allowed is shorter then ops, the additional elements are assumed to // be false. Authorize(ctx context.Context, id Identity, ops []bakery.Op) (allowed []bool, caveats []checkers.Caveat, err error) }
Authorizer is used to check whether a given user is allowed to perform a set of operations.
type AuthorizerFunc ¶
type AuthorizerFunc func(ctx context.Context, id Identity, op bakery.Op) (bool, []checkers.Caveat, error)
AuthorizerFunc implements a simplified version of Authorizer that operates on a single operation at a time.
type Bakery ¶
func NewBakery ¶
func NewBakery(p BakeryParams) *Bakery
NewBakery returns a new Bakery instance which combines an Oven with a Checker for the convenience of callers that wish to use both together.
type BakeryParams ¶
type BakeryParams struct { // Checker holds the checker used to check first party caveats. // If this is nil, New will use checkers.New(nil). Checker bakery.FirstPartyCaveatChecker // RootKeyStore holds the root key store to use. If you need to // use a different root key store for different operations, // you'll need to pass a RootKeyStoreForOps value to NewOven // directly. // // If this is nil, New will use NewMemRootKeyStore(). // Note that that is almost certain insufficient for production services // that are spread across multiple instances or that need // to persist keys across restarts. RootKeyStore bakery.RootKeyStore // Locator is used to find out information on third parties when // adding third party caveats. If this is nil, no non-local third // party caveats can be added. Locator bakery.ThirdPartyLocator // Key holds the private key of the oven. If this is nil, // no third party caveats may be added. Key *bakery.KeyPair // IdentityClient holds the identity implementation to use for // authentication. If this is nil, no authentication will be possible. IdentityClient IdentityClient // Authorizer is used to check whether an authenticated user is // allowed to perform operations. If it is nil, New will // use ClosedAuthorizer. // // The identity parameter passed to Authorizer.Allow will // always have been obtained from a call to // IdentityClient.DeclaredIdentity. Authorizer Authorizer // Location holds the location to use when creating new macaroons. Location string // Logger is used to log checker operations. If it is nil, // DefaultLogger("bakery.identchecker") will be used. Logger bakery.Logger }
BakeryParams holds a selection of parameters for the Oven and the Checker created by New.
For more fine-grained control of parameters, create the Oven or Checker directly.
The zero value is OK to use, but won't allow any authentication or third party caveats to be added.
type Checker ¶
type Checker struct {
// contains filtered or unexported fields
}
Checker is similar to bakery.Checker but also knows about authentication, and can use an authenticated identity to authorize operations.
func NewChecker ¶
func NewChecker(p CheckerParams) *Checker
NewChecker returns a new Checker using the given parameters.
func (*Checker) Auth ¶
func (c *Checker) Auth(mss ...macaroon.Slice) *AuthChecker
Auth makes a new AuthChecker instance using the given macaroons to inform authorization decisions. The identity is authenticated only once, the first time any method of the AuthChecker is called, using the context passed in then.
To find out any declared identity without requiring a login, use Allow(ctx); to require authentication but no additional operations, use Allow(ctx, LoginOp).
type CheckerParams ¶
type CheckerParams struct { // MacaroonVerifier is used to retrieve macaroon root keys // and other associated information. MacaroonVerifier bakery.MacaroonVerifier // Checker is used to check first party caveats when authorizing. // If this is nil NewChecker will use checkers.New(nil). Checker bakery.FirstPartyCaveatChecker // OpsAuthorizer is used to check whether operations are authorized // by some other already-authorized operation. If it is nil, // NewChecker will assume no operation is authorized by any // operation except itself. OpsAuthorizer bakery.OpsAuthorizer // IdentityClient is used for interactions with the external // identity service used for authentication. // // If this is nil, no authentication will be possible. IdentityClient IdentityClient // Authorizer is used to check whether an authenticated user is // allowed to perform operations. If it is nil, NewChecker will // use ClosedAuthorizer. // // The identity parameter passed to Authorizer.Allow will // always have been obtained from a call to // IdentityClient.DeclaredIdentity. Authorizer Authorizer // Logger is used to log checker operations. If it is nil, // DefaultLogger("bakery.identchecker") will be used. Logger bakery.Logger }
CheckerParams holds parameters for NewChecker. The only mandatory parameter is MacaroonVerifier.
type Identity ¶
type Identity interface { // Id returns the id of the user, which may be an // opaque blob with no human meaning. // An id is only considered to be unique // with a given domain. Id() string // Domain holds the domain of the user. This // will be empty if the user was authenticated // directly with the identity provider. Domain() string }
Identity holds identity information declared in a first party caveat added when discharging a third party caveat.
type IdentityClient ¶
type IdentityClient interface { // IdentityFromContext returns the identity based on information in the context. // If it cannot determine the identity based on the context, then it // should return a set of caveats containing a third party caveat that, // when discharged, can be used to obtain the identity with DeclaredIdentity. // // It should only return an error if it cannot check the identity // (for example because of a database access error) - it's // OK to return all zero values when there's // no identity found and no third party to address caveats to. IdentityFromContext(ctx context.Context) (Identity, []checkers.Caveat, error) // DeclaredIdentity parses the identity declaration from the given // declared attributes. // TODO take the set of first party caveat conditions instead? DeclaredIdentity(ctx context.Context, declared map[string]string) (Identity, error) }
IdentityClient represents an abstract identity manager. User identities can be based on local informaton (for example HTTP basic auth) or by reference to an external trusted third party (an identity manager).
type SimpleIdentity ¶
type SimpleIdentity string
SimpleIdentity implements a simple form of identity where the user is represented by a string.
func (SimpleIdentity) Allow ¶
Allow implements ACLIdentity by allowing the identity access to ACL members that are equal to id. That is, some user u is considered a member of group u and no other.
func (SimpleIdentity) Domain ¶
func (SimpleIdentity) Domain() string
Domain implements Identity.Domain by always returning the empty domain.