authdb

package
Version: v0.0.0-...-678bb0e Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 8, 2017 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Overview

Package authdb contains definition of Authentication Database (aka AuthDB).

Authentication Database represents all data used when authorizing incoming requests and handling authentication related tasks: user groups, IP whitelists, OAuth client ID whitelist, etc.

This package defines a general interface and few its implementations.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewDBCache

func NewDBCache(updater DBCacheUpdater) func(c context.Context) (DB, error)

NewDBCache returns a provider of DB instances that uses local memory to cache DB instances for 5-10 seconds. It uses supplied callback to refetch DB from some permanent storage when cache expires.

Even though the return value is technically a function, treat it as a heavy stateful object, since it has the cache of DB in its closure.

Types

type DB

type DB interface {
	// IsAllowedOAuthClientID returns true if given OAuth2 client_id can be used
	// to authenticate access for given email.
	IsAllowedOAuthClientID(c context.Context, email, clientID string) (bool, error)

	// IsMember returns true if the given identity belongs to any of the groups.
	//
	// Unknown groups are considered empty. May return errors if underlying
	// datastore has issues.
	IsMember(c context.Context, id identity.Identity, groups ...string) (bool, error)

	// GetCertificates returns a bundle with certificates of a trusted signer.
	//
	// Returns (nil, nil) if the given signer is not trusted.
	//
	// Returns errors (usually transient) if the bundle can't be fetched.
	GetCertificates(c context.Context, id identity.Identity) (*signing.PublicCertificates, error)

	// GetWhitelistForIdentity returns name of the IP whitelist to use to check
	// IP of requests from given `ident`.
	//
	// It's used to restrict access for certain account to certain IP subnets.
	//
	// Returns ("", nil) if `ident` is not IP restricted.
	GetWhitelistForIdentity(c context.Context, ident identity.Identity) (string, error)

	// IsInWhitelist returns true if IP address belongs to given named
	// IP whitelist.
	//
	// IP whitelist is a set of IP subnets. Unknown IP whitelists are considered
	// empty. May return errors if underlying datastore has issues.
	IsInWhitelist(c context.Context, ip net.IP, whitelist string) (bool, error)

	// GetAuthServiceURL returns root URL ("https://<host>") of the auth service.
	//
	// Returns an error if the DB implementation is not using an auth service.
	GetAuthServiceURL(c context.Context) (string, error)

	// GetTokenServiceURL returns root URL ("https://<host>") of the token server.
	//
	// Returns an error if the DB implementation doesn't know how to retrieve it.
	//
	// Returns ("", nil) if the token server URL is not configured.
	GetTokenServiceURL(c context.Context) (string, error)
}

DB is interface to access a database of authorization related information.

It is static read only object that represent snapshot of auth data at some moment in time.

type DBCacheUpdater

type DBCacheUpdater func(c context.Context, prev DB) (DB, error)

DBCacheUpdater knows how to update local in-memory copy of DB.

Used by NewDBCache.

type ErroringDB

type ErroringDB struct {
	Error error // returned by all calls
}

ErroringDB implements DB by forbidding all access and returning errors.

func (ErroringDB) GetAuthServiceURL

func (db ErroringDB) GetAuthServiceURL(c context.Context) (string, error)

GetAuthServiceURL returns root URL ("https://<host>") of the auth service.

func (ErroringDB) GetCertificates

GetCertificates returns a bundle with certificates of a trusted signer.

func (ErroringDB) GetTokenServiceURL

func (db ErroringDB) GetTokenServiceURL(c context.Context) (string, error)

GetTokenServiceURL returns root URL ("https://<host>") of the token service.

func (ErroringDB) GetWhitelistForIdentity

func (db ErroringDB) GetWhitelistForIdentity(c context.Context, ident identity.Identity) (string, error)

GetWhitelistForIdentity returns name of the IP whitelist to use to check IP of requests from given `ident`.

It's used to restrict access for certain account to certain IP subnets.

Returns ("", nil) if `ident` is not IP restricted.

func (ErroringDB) IsAllowedOAuthClientID

func (db ErroringDB) IsAllowedOAuthClientID(c context.Context, email, clientID string) (bool, error)

IsAllowedOAuthClientID returns true if given OAuth2 client_id can be used to authenticate access for given email.

func (ErroringDB) IsInWhitelist

func (db ErroringDB) IsInWhitelist(c context.Context, ip net.IP, whitelist string) (bool, error)

IsInWhitelist returns true if IP address belongs to given named IP whitelist.

IP whitelist is a set of IP subnets. Unknown IP whitelists are considered empty. May return errors if underlying datastore has issues.

func (ErroringDB) IsMember

func (db ErroringDB) IsMember(c context.Context, id identity.Identity, groups ...string) (bool, error)

IsMember returns true if the given identity belongs to any of the groups.

Unknown groups are considered empty. May return errors if underlying datastore has issues.

type SnapshotDB

type SnapshotDB struct {
	AuthServiceURL string // where it was fetched from
	Rev            int64  // its revision number
	// contains filtered or unexported fields
}

SnapshotDB implements DB using AuthDB proto message.

Use NewSnapshotDB to create new instances. Don't touch public fields of existing instances.

func NewSnapshotDB

func NewSnapshotDB(authDB *protocol.AuthDB, authServiceURL string, rev int64) (*SnapshotDB, error)

NewSnapshotDB creates new instance of SnapshotDB.

It does some preprocessing to speed up subsequent checks. Return errors if it encounters inconsistencies.

func (*SnapshotDB) GetAuthServiceURL

func (db *SnapshotDB) GetAuthServiceURL(c context.Context) (string, error)

GetAuthServiceURL returns root URL ("https://<host>") of the auth service the snapshot was fetched from.

This is needed to implement authdb.DB interface.

func (*SnapshotDB) GetCertificates

func (db *SnapshotDB) GetCertificates(c context.Context, signerID identity.Identity) (*signing.PublicCertificates, error)

GetCertificates returns a bundle with certificates of a trusted signer.

func (*SnapshotDB) GetTokenServiceURL

func (db *SnapshotDB) GetTokenServiceURL(c context.Context) (string, error)

GetTokenServiceURL returns root URL ("https://<host>") of the token server.

This is needed to implement authdb.DB interface.

func (*SnapshotDB) GetWhitelistForIdentity

func (db *SnapshotDB) GetWhitelistForIdentity(c context.Context, ident identity.Identity) (string, error)

GetWhitelistForIdentity returns name of the IP whitelist to use to check IP of requests from given `ident`.

It's used to restrict access for certain account to certain IP subnets.

Returns ("", nil) if `ident` is not IP restricted.

func (*SnapshotDB) IsAllowedOAuthClientID

func (db *SnapshotDB) IsAllowedOAuthClientID(c context.Context, email, clientID string) (bool, error)

IsAllowedOAuthClientID returns true if given OAuth2 client_id can be used to authenticate access for given email.

func (*SnapshotDB) IsInWhitelist

func (db *SnapshotDB) IsInWhitelist(c context.Context, ip net.IP, whitelist string) (bool, error)

IsInWhitelist returns true if IP address belongs to given named IP whitelist.

IP whitelist is a set of IP subnets. Unknown IP whitelists are considered empty. May return errors if underlying datastore has issues.

func (*SnapshotDB) IsMember

func (db *SnapshotDB) IsMember(c context.Context, id identity.Identity, groups ...string) (bool, error)

IsMember returns true if the given identity belongs to any of the groups.

Unknown groups are considered empty. May return errors if underlying datastore has issues.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL