ipnauth

package
v1.69.0-pre Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 12, 2024 License: BSD-3-Clause Imports: 17 Imported by: 5

Documentation

Overview

Package ipnauth controls access to the LocalAPI.

Index

Constants

This section is empty.

Variables

View Source
var ErrNotImplemented = errors.New("not implemented for GOOS=" + runtime.GOOS)

ErrNotImplemented is returned by ConnIdentity.WindowsToken when it is not implemented for the current GOOS.

Functions

func LookupUserFromID

func LookupUserFromID(logf logger.Logf, uid string) (*user.User, error)

LookupUserFromID is a wrapper around os/user.LookupId that works around some issues on Windows. On non-Windows platforms it's identical to user.LookupId.

Types

type ConnIdentity

type ConnIdentity struct {
	// contains filtered or unexported fields
}

ConnIdentity represents the owner of a localhost TCP or unix socket connection connecting to the LocalAPI.

func GetConnIdentity

func GetConnIdentity(_ logger.Logf, c net.Conn) (ci *ConnIdentity, err error)

GetConnIdentity extracts the identity information from the connection based on the user who owns the other end of the connection. and couldn't. The returned connIdentity has NotWindows set to true.

func (*ConnIdentity) Creds

func (ci *ConnIdentity) Creds() *peercred.Creds

func (*ConnIdentity) IsReadonlyConn

func (ci *ConnIdentity) IsReadonlyConn(operatorUID string, logf logger.Logf) bool

IsReadonlyConn reports whether the connection should be considered read-only, meaning it's not allowed to change the state of the node.

Read-only also means it's not allowed to access sensitive information, which admittedly doesn't follow from the name. Consider this "IsUnprivileged". Also, Windows doesn't use this. For Windows it always returns false.

TODO(bradfitz): rename it? Also make Windows use this.

func (*ConnIdentity) IsUnixSock

func (ci *ConnIdentity) IsUnixSock() bool

func (*ConnIdentity) Pid

func (ci *ConnIdentity) Pid() int

func (*ConnIdentity) WindowsToken added in v1.44.3

func (ci *ConnIdentity) WindowsToken() (WindowsToken, error)

WindowsToken is unsupported when GOOS != windows and always returns ErrNotImplemented.

func (*ConnIdentity) WindowsUserID

func (ci *ConnIdentity) WindowsUserID() ipn.WindowsUserID

WindowsUserID returns the local machine's userid of the connection if it's on Windows. Otherwise it returns the empty string.

It's suitable for passing to LookupUserFromID (os/user.LookupId) on any operating system.

type WindowsToken added in v1.44.3

type WindowsToken interface {
	io.Closer
	// EqualUIDs reports whether other refers to the same user ID as the receiver.
	EqualUIDs(other WindowsToken) bool
	// IsAdministrator reports whether the receiver is a member of the built-in
	// Administrators group, or else an error. Use IsElevated to determine whether
	// the receiver is actually utilizing administrative rights.
	IsAdministrator() (bool, error)
	// IsUID reports whether the receiver's user ID matches uid.
	IsUID(uid ipn.WindowsUserID) bool
	// UID returns the ipn.WindowsUserID associated with the receiver, or else
	// an error.
	UID() (ipn.WindowsUserID, error)
	// IsElevated reports whether the receiver is currently executing as an
	// elevated administrative user.
	IsElevated() bool
	// IsLocalSystem reports whether the receiver is the built-in SYSTEM user.
	IsLocalSystem() bool
	// UserDir returns the special directory identified by folderID as associated
	// with the receiver. folderID must be one of the KNOWNFOLDERID values from
	// the x/sys/windows package, serialized as a stringified GUID.
	UserDir(folderID string) (string, error)
	// Username returns the user name associated with the receiver.
	Username() (string, error)
}

WindowsToken represents the current security context of a Windows user.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL