msxsecurity

v1.0.2 Latest
Warning

This package is not in the latest version of its module.

Published: Jul 1, 2021 License: MIT Imports: 11 Imported by: 0

README

MSX Security

https://github.com/CiscoDevNet/go-msx-security

Package CiscoDevNet/go-msx-security contains a simple object that can be used to validate permissions on incoming requests. The main features are:

  • validate an MSX access token
  • retrieve an MSX security context
  • simple RBAC operations

Install

With a correctly configured Go toolchain:

go get -u github.com/CiscoDevNet/go-msx-security

Private SSO Security Clients

You will need to create a private SSO security client before you use msxsecurity. First sign in to your MSX environment then either:

  • open Settings->SSO Configurations->Add SSO Clients and add a new client, or
  • use the MSX Swagger documentation for IDM Microservice->Security Clients->POST /idm/api/v2/clientsecurity.

This example payload is a good starting point, but be sure to change it to meet your specific requirements.

{
    "clientId": "my-private-client",
    "clientSecret": "there-are-no-secrets-that-time-does-not-reveal",
    "grantTypes": [
        "password", 
        "urn:cisco:nfv:oauth:grant-type:switch-tenant", 
        "urn:cisco:nfv:oauth:grant-type:switch-user"
    ],
    "maxTokensPerUser": -1,
    "useSessionTimeout": false,
    "resourceIds": [],
    "scopes": [
        "address",
        "read",
        "phone",
        "openid",
        "profile",
        "write",
        "email",
        "tenant_hierarchy", 
        "token_details"
    ],
    "autoApproveScopes": [
        "address",
        "read",
        "phone",
        "openid",
        "profile",
        "write",
        "email",
        "tenant_hierarchy", 
        "token_details"
    ],
    "authorities": [
        "ROLE_USER"
    ],
    "accessTokenValiditySeconds": 9000,
    "refreshTokenValiditySeconds": 18000,
    "additionalInformation": {
    }
}

Example

Check out the example directory for a simple working example.

License

MIT licensed. See the LICENSE file for details.

Documentation

Overview

Copyright (c) 2021 Cisco Systems, Inc and its affiliates All Rights reserved

Types

type Cache

type Cache struct {
	Enabled         bool
	LifetimeSeconds int
}

Cache represents a cache for storing token permissions locally to speed up security actions.

type Config

type Config struct {
	SsoURL       string      // URL to User Management Service in your MSX environment.
	Cache        Cache       // Cache to use for local caching.
	TLS          *tls.Config // TLS config to use on outgoing client.
	ClientID     string      // Credential to use when speaking to MSX.
	ClientSecret string      // Credential to use when speaking to MSX.
}

Config represents the config for performing Security on the targeted MSX environment.

func DefaultMsxSecurityConfig

func DefaultMsxSecurityConfig() Config

DefaultMsxSecurityConfig returns a default config. Note this default is not secure and should not be used in a production environment.

type MsxSecurity

type MsxSecurity struct {
	Cfg    Config
	Cache  *bigcache.BigCache
	Client *http.Client
}

func NewMsxSecurity

func NewMsxSecurity(cfg Config) *MsxSecurity

NewMsxSecurity returns an MsxSecurity with default config set.

func (*MsxSecurity) HasPermission

func (m *MsxSecurity) HasPermission(r *http.Request, perm string) (bool, User)

HasPermission will return true or false given an HTTP request and target permission.
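
One way to put HasPermission in front of an HTTP handler, as an added example that is not part of the package or its README: a middleware that fails closed on the returned boolean and hands the returned User to the handler through the request context. The User and checkFunc stand-ins, the userKey context key, the stub, the permission name VIEW_DEVICES and the token value are constructed for illustration so the example runs without an MSX environment; with the real package you would pass the HasPermission method of the value returned by NewMsxSecurity and use msxsecurity.User.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// User is a local stand-in for msxsecurity.User (one documented field kept).
type User struct{ TenantID string }

// checkFunc has the shape of (*MsxSecurity).HasPermission, with the stand-in User.
type checkFunc func(r *http.Request, perm string) (bool, User)

type userKey struct{} // hypothetical context key for the checked user

// RequirePermission fails closed: next runs only when check grants perm.
func RequirePermission(check checkFunc, perm string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, u := check(r, perm)
		if !ok {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey{}, u)))
	})
}

// stub is a constructed check; it returns a User either way, only the bool decides.
func stub(r *http.Request, perm string) (bool, User) {
	ok := r.Header.Get("Authorization") == "Bearer constructed" && perm == "VIEW_DEVICES"
	return ok, User{TenantID: "t-1"}
}

// Call sends one request through the middleware and returns status and body.
func Call(check checkFunc, perm, auth string) (int, string) {
	h := RequirePermission(check, perm, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.Context().Value(userKey{}).(User).TenantID)
	}))
	req := httptest.NewRequest(http.MethodGet, "/devices", nil)
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(Call(stub, "VIEW_DEVICES", "Bearer constructed"))
}
```

Because the wrapped handler is reached only after a grant, any tenant-level check it makes can rely on the User stored in the context.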

type User

type User struct {
	Permissions     []string `json:"permissions,omitempty"`
	TenantID        string   `json:"tenant_id,omitempty"`
	AssignedTenants []string `json:"assigned_tenants,omitempty"`
	Active          bool     `json:"active,omitempty"`
}
