Overview ¶
Package ac contains management code for access control.
Constants ¶
// Access request types.
//
// These are the verbs an access request is classified as before it is checked
// against the access control lists.
const (
	CREATE = "create"
	READ   = "read"
	UPDATE = "update"
	DELETE = "delete"
)
// Access request results.
//
// The outcome recorded for an access request after it has been checked.
const (
	GRANTED = "granted"
	DENIED  = "denied"
)
// Endpoint URLs served by this package. All of them are rooted under
// api.APIRoot.
const (
	// EndpointLogin is the login endpoint definition (rooted). Handles login/
	EndpointLogin = api.APIRoot + "/login/"

	// EndpointLogout is the logout endpoint URL (rooted). Handles logout/
	EndpointLogout = api.APIRoot + "/logout/"

	// EndpointUser is the user endpoint URL (rooted). Handles user/
	EndpointUser = api.APIRoot + "/user/"

	// EndpointWhoAmI is the current user endpoint URL (rooted). Handles whoami/
	EndpointWhoAmI = api.APIRoot + "/whoami/"
)
Variables ¶
// AccessManagementEndpointMap contains endpoints which can manage access
// rights. Unlike PublicAccessControlEndpointMap these are not meant to be
// reachable without authentication.
var AccessManagementEndpointMap = map[string]api.RestEndpointInst{
	EndpointUser: UserEndpointInst,
}
// AuthHandler is a wrapper object which has a HandleFunc similar to
// http.HandleFunc. The HandleFunc of this object should be used for all
// endpoints which should check for authentication and authorization.
//
// NOTE(review): the callbacks in this package dereference AuthHandler
// without a nil check, so it must be initialised before they can run.
var AuthHandler *auth.CookieAuthHandleFuncWrapper
// CallbackSessionExpired handles requests where the session has expired.
//
// It removes both the authentication cookie and the session cookie, logs the
// expiry when the request still identified a user, and redirects to the login
// page with the originally requested path (including its query string) in the
// ref parameter so the user can be sent back after logging in again.
var CallbackSessionExpired = func(w http.ResponseWriter, r *http.Request) {
	u, ok := AuthHandler.CheckAuth(r)

	// Cookies are dropped regardless of whether the user could be identified.
	AuthHandler.RemoveAuthCookie(w)
	user.UserSessionManager.RemoveSessionCookie(w)

	if ok {
		LogAccess("User ", u, " session expired")
	}

	// Keep path and query together so the login page can restore the request.
	requested := r.URL.Path
	if q := r.URL.RawQuery; q != "" {
		requested += "?" + q
	}

	// NOTE(review): ref is the request path verbatim; the login page that
	// consumes it should only follow same-origin paths — confirm on that side.
	query := url.Values{
		"msg": {"Session Expired"},
		"ref": {requested},
	}
	http.Redirect(w, r, "/login.html?"+query.Encode(), http.StatusFound)
}
LogAccess("Unauthorized request to ", r.URL.Path, " from ", r.RemoteAddr, " (", r.UserAgent(), " Cookies: ", r.Cookies(), ")") if strings.HasPrefix(r.URL.Path, api.APIRoot) { http.Error(w, "Valid credentials required", http.StatusForbidden) } else { origPath := r.URL.Path if r.URL.RawQuery != "" { origPath += "?" + r.URL.RawQuery } http.Redirect(w, r, fmt.Sprintf("/login.html?ref=%v", url.QueryEscape(origPath)), http.StatusFound) } }
CallbackUnauthorized handles unauthorized requests: requests under api.APIRoot receive a 403 "Valid credentials required" response, all other requests are redirected to the login page with the original path (including query string) in the ref parameter. Every unauthorized request is written to LogAccess together with the client address, the user agent and the request's cookies (the full cookie values, which can include authentication tokens, end up in the log).
// DebounceTime is the default debounce time applied after each failed login.
var DebounceTime = 5 * time.Second
// DefaultAccessDB is the default access table for EliasDB.
//
// The literal is a JSON document with comments; the leading newline after the
// opening backtick is dropped by the [1:] slice at the end. It grants the
// "public" group read access ("-R--") to the root page, the static resource
// directories and /db/*, grants the "admin" group full access ("CRUD") to
// /db/*, and defines two default users: "elias" (public + admin) and
// "johndoe" (public).
//
// NOTE(review): these are shipped default accounts; review them before
// exposing a server. This table holds no credentials — password hashes live
// in UserDB.
var DefaultAccessDB = []byte(`
/*
Access control file for EliasDB. This file controls the access rights for each user.
Rights to resources are assigned to groups. Users are assigned to groups.
This file is monitored by the server - any changes to this file are picked up
by the server immediately. Equally, any change on the server side is immediately
written to this file.
The comments in this file are for initial comprehension only. They will be
removed as soon as the users, groups or permissions are modified from the
server side.
*/
{
"groups": {
"public": {
// Page access
// ===========
"/": "-R--", // Access to the root page
// Resource access
// ===============
"/css/*": "-R--", // Access to CSS rules
"/js/*": "-R--", // Access to JavaScript files
"/img/*": "-R--", // Access to image files
"/vendor/*": "-R--", // Access to frontend libraries
// REST API access
// ===============
"/db/*": "-R--" // Access to database (read)
},
"admin": {
// REST API access
// ===============
"/db/*": "CRUD" // Access to database
}
},
"users": {
"elias": [ // Default EliasDB admin user
"public",
"admin"
],
"johndoe" : [ // Default EliasDB public user
"public"
]
}
}
`[1:])
// LogAccess is used to log access requests. It defaults to log.Print and,
// being a package variable, can be reassigned to route access logging
// elsewhere.
var LogAccess = log.Print
// PublicAccessControlEndpointMap contains endpoints which should be publicly
// available when access control is used (login, logout and whoami).
var PublicAccessControlEndpointMap = map[string]api.RestEndpointInst{
	EndpointLogin:  LoginEndpointInst,
	EndpointLogout: LogoutEndpointInst,
	EndpointWhoAmI: WhoAmIEndpointInst,
}
// UserDB is the global user database which holds the password hashes and
// user details.
var UserDB *datautil.EnforcedUserDB
Functions ¶
func LoginEndpointInst ¶
func LoginEndpointInst() api.RestEndpointHandler
LoginEndpointInst creates a new endpoint handler. Requires a CookieAuthHandleFuncWrapper object to verify login requests.
func LogoutEndpointInst ¶
func LogoutEndpointInst() api.RestEndpointHandler
LogoutEndpointInst creates a new endpoint handler.
func UserEndpointInst ¶
func UserEndpointInst() api.RestEndpointHandler
UserEndpointInst creates a new endpoint handler.
func WhoAmIEndpointInst ¶
func WhoAmIEndpointInst() api.RestEndpointHandler
WhoAmIEndpointInst creates a new endpoint handler.
Types ¶
type AccessControlLists ¶
AccessControlLists store the access rights of groups and which users are member of which groups.
// ACL is the global AccessControlLists object which should be used to check
// user access rights.
var ACL *AccessControlLists
func (*AccessControlLists) CheckHTTPRequest ¶
func (a *AccessControlLists) CheckHTTPRequest(w http.ResponseWriter, r *http.Request, user string) bool
CheckHTTPRequest checks the request of a given user to a resource.