Documentation
¶
Index ¶
- Constants
- Variables
- func AddIdentityToSPIRequest(request *http.Request, requestURL string)
- func Authenticate(request *http.Request) (int, string, string)
- func CanUserAccessAllObjects(request *http.Request, orgID, objectType string) (bool, int, string)
- func CanUserCreateObject(request *http.Request, orgID string, metaData *common.MetaData) (bool, string, string)
- func CheckAddACLInputFormat(aclType string, aclInputList []common.ACLentry) (*[]common.ACLentry, error)
- func CheckObjectCanBeModifiedByUser(userID, orgID, objectType string, aclUserType string) bool
- func CheckObjectTypesCanBeAccessByGivenUser(orgID string, aclUserType string, aclUsername string) (bool, []string, error)
- func CheckRemoveACLInputFormat(aclInputList []common.ACLentry) error
- func GetACLUserType(authCode int) string
- func KeyandSecretForURL(url string) (string, string)
- func SetAuthentication(auth Authentication)
- func Start()
- func Stop()
- func ValidateSPIRequestIdentity(request *http.Request) (bool, string, string, string)
- type Authentication
- type CSSCredentials
- type CredentialInfo
- type DummyAuthenticate
- type PresetAuthenticate
- type TestAuthenticate
Constants ¶
const ( // AuthFailed is returned by Authenticate when a call to Athenticate fails AuthFailed = iota // AuthEdgeNode is returned by Authenticate when the authenticated user is an embedded ESS edge node. userID is in the format of "{destinationType}/{destinationID}" AuthEdgeNode // AuthAdmin is returned by Authenticate when the authenticated user is an org admin AuthAdmin // AuthUser is returned by Authenticate when the authenticated user is a regular user AuthUser // AuthSyncAdmin is returned by Authenticate when the authenticated user is a Sync Service Admin AuthSyncAdmin // AuthService is returned by Authenticate when the authenticated user is a Service AuthService // AuthNodeUser is returned by Authenticate when the authenticate user uses exchange nodeId and nodeToken. DestinationType is not needed as AuthNodeUser AuthNodeUser )
Auth code
const ( // Indicate this entry of ACL is for exchange user ACLUser = "user" // Indicate this entry of ACL is for exchange node ACLNode = "node" )
ACL user type
const ( // username/nodename in ACL list with ACLWriter role has read/write access ACLWriter = "aclWriter" // username/nodename in ACL list with ACLReader role has read access only ACLReader = "aclReader" // role for destinations acl ACLNA = "na" )
ACL role, only AuthAdmin and AuthSyncAdmin can modify ACL list. This is currently only be used for "objects" ACL. ACL role only applies to "objects". Use "n/a" for destination acls
const SPIRequestIdentityHeader = "X-Sync-Service-Dest"
SPIRequestIdentityHeader is the header used to send the identity in HTTP SPI requests Should only be used here and in the httpCommunication tests
Variables ¶
var Store storage.Storage
Store is a reference to the storage in use
Functions ¶
func AddIdentityToSPIRequest ¶
AddIdentityToSPIRequest Adds identity related stuff to SPI requests made by an ESS
func Authenticate ¶
Authenticate authenticates a particular HTTP request and indicates whether it is an edge node, org admin, or plain user. Also returned is the user's org and identitity. An edge node's identity is destType/destID. A service's identity is serviceOrg/arch/version/serviceName.
func CanUserAccessAllObjects ¶
CanUserAccessAllObjects checks if the user identified by the credentials in the supplied request, can read the specified object type. return values: 1) true indicates the given user can access all objects of given objectType in given orgID; false indicates can access "public" objects of given objectType in given orgID only 2) authCode 3) userID
func CanUserCreateObject ¶
func CanUserCreateObject(request *http.Request, orgID string, metaData *common.MetaData) (bool, string, string)
CanUserCreateObject checks if the user identified by the credentials in the supplied request, can create an object of the object type, and send it to the destinations in the meta data.
func CheckAddACLInputFormat ¶
func CheckAddACLInputFormat(aclType string, aclInputList []common.ACLentry) (*[]common.ACLentry, error)
CheckAddACLInputFormat checks ACL entry format.
func CheckObjectCanBeModifiedByUser ¶
CheckObjectCanBeModifiedByUser returns true if give user has ACLWriter access to given object type
func CheckObjectTypesCanBeAccessByGivenUser ¶
func CheckObjectTypesCanBeAccessByGivenUser(orgID string, aclUserType string, aclUsername string) (bool, []string, error)
CheckObjectTypesCanBeAccessByGivenUser returns a list of objectTypes that given user has access to. If first returned value is true, then the given user can access all object types
func CheckRemoveACLInputFormat ¶
CheckRemoveACLInputFormat checks ACL entry format.
func GetACLUserType ¶
GetACLUserType get ACLUserType by authCode
func KeyandSecretForURL ¶
KeyandSecretForURL returns an app key and an app secret pair to be used by the ESS when communicating with the specified URL.
func SetAuthentication ¶
func SetAuthentication(auth Authentication)
SetAuthentication is called by the code starting the Sync Service to set the Authentication implementation to be used by the Sync Service.
func ValidateSPIRequestIdentity ¶
ValidateSPIRequestIdentity validates the identity sent in a SPI request by an ESS to a CSS Returns true if the identity is ok for a SPI request, along with the orgID, destType, and destID sent in the request.
Types ¶
type Authentication ¶
type Authentication interface {
// Authenticate authenticates a particular HTTP request and indicates
// whether it is an edge node, org admin, or plain user. Also returned is the
// user's org and identitity. An edge node's identity is destType/destID. A
// service's identity is serviceOrg/version/serviceName.
Authenticate(request *http.Request) (int, string, string)
// KeyandSecretForURL returns an app key and an app secret pair to be
// used by the ESS when communicating with the specified URL.
KeyandSecretForURL(url string) (string, string)
// Start gives the Authentication implementation a chance to initialize itself
Start()
}
Authentication is the interface invoked by the Sync Service for authentication related stuff. An implementation of this interface is provided by the code starting up the Sync Service to the Sync Service core code.�type
type CSSCredentials ¶
CSSCredentials defines the appkey and appsecret used to communicate with the CSS
type CredentialInfo ¶
type CredentialInfo struct {
Username string `json:"username"`
Secret string `json:"secret"`
OrgID string `json:"orgID"`
Type string `json:"type"`
// contains filtered or unexported fields
}
CredentialInfo is the information related to an app key
type DummyAuthenticate ¶
type DummyAuthenticate struct {
// contains filtered or unexported fields
}
DummyAuthenticate is the dummy implementation of the Authenticate interface. It should NOT be used in production deployments.
This implementation ignores App secrets.
App keys for:
APIs are of the form userID@orgID or email@emailDomain@orgID.
The file {PersistentRootPath}/sync/dummy-auth.json is used to
determine if a userID is a regular user or a sync admin.
The file {PersistentRootPath}/sync/dummy-auth.json is of the form:
{
"regularUsers": [ "user1", "user2" ],
"syncAdmins": [ "admin" ]
}
The userIDs in the field regularUsers are regular users and the
userIDs in the field syncAdmins are sync-service administrators.
If a userID does not appear in the file, it is assumed to be an
admin for the specified org.
Edge nodes are of the form orgID/destType/destID
func (*DummyAuthenticate) Authenticate ¶
Authenticate authenticates a particular HTTP request and indicates whether it is an edge node, org admin, or plain user. Also returned is the user's org and identitity. An edge node's identity is destType/destID. A service's identity is serviceOrg/version/serviceName.
Note: This Authenticate implementation is for development use. App secrets
are ignored. App keys for APIs are of the form, userID@orgID or email@emailDomain@orgID. The file dummy-auth.json is used to determine if a userID is a regular user or a sync admin. If the userID does not appear there, it is assumed to be an admin for the specified org. Edge node app keys are of the form orgID/destType/destID
func (*DummyAuthenticate) KeyandSecretForURL ¶
func (auth *DummyAuthenticate) KeyandSecretForURL(url string) (string, string)
KeyandSecretForURL returns an app key and an app secret pair to be used by the ESS when communicating with the specified URL.
func (*DummyAuthenticate) Start ¶
func (auth *DummyAuthenticate) Start()
Start initializes the DummyAuthenticate struct
type PresetAuthenticate ¶
type PresetAuthenticate struct {
Credentials map[string]CredentialInfo `json:"credentials"`
// CSSCredentials is the credentials to use when communicating with the CSS
CSSCredentials CSSCredentials `json:"cssCredentials"`
}
PresetAuthenticate is an implementation of the Authenticate interface that uses a set of ids defined in the file {PersistenceRootPath}/sync/preset-auth.json.
The file {PersistenceRootPath}/sync/preset-auth.json is of the form:
{
"credentials": {
"edgeNodeKey1": {
"secret": "edgeNodeSecret1", "orgID": "orgid", "username": "destType/destID", "type": "EdgeNode"
},
"appKey1": {
"secret": "appSecret1", "orgID": "orgid", "username": "user1", "type": "admin"
}
},
"cssCredentials": { "key": "edgeNodeKey1", "secret": "edgeNodeSecret1" }
}
The credentials field is a set of JSON objects, whose key or name is an appKey. The JSON objects have fields in them for the user's appSecret, the org they are part of, their user name and their type. The values for the type field are admin, edgenode, user, syncadmin, and service. The username field for an edge node is of the form destType/destID and for a service it is of the form serviceOrg/version/serviceName.
The cssCredentials field is used to provide an ESS with the credentials it needs to communicate with the CSS via HTTP. These credentials must be in one of the elements of the above described credentials field on the CSS.
func (*PresetAuthenticate) Authenticate ¶
Authenticate authenticates a particular HTTP request and indicates whether it is an edge node, org admin, or plain user. Also returned is the user's org and identitity. An edge node's identity is destType/destID. A service's identity is serviceOrg/version/serviceName.
func (*PresetAuthenticate) KeyandSecretForURL ¶
func (auth *PresetAuthenticate) KeyandSecretForURL(url string) (string, string)
KeyandSecretForURL returns an app key and an app secret pair to be used by the ESS when communicating with the specified URL.
func (*PresetAuthenticate) Start ¶
func (auth *PresetAuthenticate) Start()
Start initializes the PresetAuthenticate struct
type TestAuthenticate ¶
type TestAuthenticate struct {
}
TestAuthenticate is the test implementation of the Authenticate interface.
func (*TestAuthenticate) Authenticate ¶
Authenticate authenticates a particular HTTP request and indicates whether it is an edge node, org admin, or plain user. Also returned is the user's org and identitity. An edge node's identity is destType/destID. A service's identity is serviceOrg/arch/version/serviceName.
Note: This Authenticate implementation is for running the tests. App secrets
are ignored. App keys for APIs are of the form, userID@orgID. It supports
the following users:
testerUser - A regular user
testerAdmin - An admin of the specified orgID
testSyncAdmin - An admin of the Sync Service
testerService1 - A service
testerService2 - A service
Edge node app keys are of the form orgID/destType/destID
func (*TestAuthenticate) KeyandSecretForURL ¶
func (auth *TestAuthenticate) KeyandSecretForURL(url string) (string, string)
KeyandSecretForURL returns an app key and an app secret pair to be used by the ESS when communicating with the specified URL.
func (*TestAuthenticate) Start ¶
func (auth *TestAuthenticate) Start()
Start initializes the Test Authentication implementation
Source Files