authorization

package
v0.4.46 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 23, 2024 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Index

Constants

View Source 
const EveryoneGroup = "everyone"

All users are implicitly part of this group.

Variables

This section is empty.

Functions

func CreateMiddlewareAuthFunction 

func CreateMiddlewareAuthFunction(authServices []AuthService) grpc_auth.AuthFunc

CreateMiddlewareAuthFunction returns an authentication function that combines the given authentication services. That function returns success if any service successfully authenticates the user, and an error if all services fail to authenticate. The services in authServices are tried one at a time in sequence. Successful authentication short-circuits the process.

If authentication succeeds, the username returned by the authentication service is added to the request context for logging purposes.

func WithPrincipal 

func WithPrincipal(ctx context.Context, principal Principal) context.Context

WithPrincipal returns a new context containing a principal that is a child to the given context.

Types

type AnonymousAuthService 

type AnonymousAuthService struct{}

func (AnonymousAuthService) Authenticate 

func (AnonymousAuthService) Authenticate(ctx context.Context) (Principal, error)

func (*AnonymousAuthService) Name 

func (authService *AnonymousAuthService) Name() string

type AuthService 

type AuthService interface {
	Authenticate(ctx context.Context) (Principal, error)
	Name() string
}

AuthService represents a method of authentication for the gRPC API. Each implementation represents a particular method, e.g., username/password or OpenID. The gRPC server may be started with multiple AuthService to give several options for authentication.

type BasicAuthService 

type BasicAuthService struct {
	// contains filtered or unexported fields
}

func NewBasicAuthService 

func NewBasicAuthService(users map[string]configuration.UserInfo) *BasicAuthService

func (*BasicAuthService) Authenticate 

func (authService *BasicAuthService) Authenticate(ctx context.Context) (Principal, error)

func (*BasicAuthService) Name 

func (authService *BasicAuthService) Name() string

type CacheData 

type CacheData struct {
	Name  string `json:"name"`
	Valid bool   `json:"valid"`
}

type KubernetesNativeAuthService 

type KubernetesNativeAuthService struct {
	KidMappingFileLocation string
	TokenCache             *cache.Cache
	InvalidTokenExpiry     int64
	TokenReviewer          TokenReviewer
	Clock                  clock.Clock
}

func NewKubernetesNativeAuthService 

func NewKubernetesNativeAuthService(config configuration.KubernetesAuthConfig) KubernetesNativeAuthService

func (*KubernetesNativeAuthService) Authenticate 

func (authService *KubernetesNativeAuthService) Authenticate(ctx context.Context) (Principal, error)

func (*KubernetesNativeAuthService) Name 

func (authService *KubernetesNativeAuthService) Name() string

type KubernetesTokenReviewer 

type KubernetesTokenReviewer struct{}

func (*KubernetesTokenReviewer) ReviewToken 

func (reviewer *KubernetesTokenReviewer) ReviewToken(ctx context.Context, clusterUrl string, token string, ca []byte) (*authv1.TokenReview, error)

type OpenIdAuthService 

type OpenIdAuthService struct {
	// contains filtered or unexported fields
}

func NewOpenIdAuthService 

func NewOpenIdAuthService(verifier *oidc.IDTokenVerifier, groupsClaim string) *OpenIdAuthService

func NewOpenIdAuthServiceForProvider 

func NewOpenIdAuthServiceForProvider(ctx context.Context, config *configuration.OpenIdAuthenticationConfig) (*OpenIdAuthService, error)

func (*OpenIdAuthService) Authenticate 

func (authService *OpenIdAuthService) Authenticate(ctx context.Context) (Principal, error)

func (*OpenIdAuthService) Name 

func (authService *OpenIdAuthService) Name() string

type Owned 

type Owned interface {
	GetUserOwners() []string
	GetGroupOwners() []string
}

type PermissionChecker 

type PermissionChecker interface {
	UserHasPermission(ctx context.Context, perm permission.Permission) bool
	UserOwns(ctx context.Context, obj Owned) (owned bool, ownershipGroups []string)
}

type PermissionClaimQueries 

type PermissionClaimQueries map[permission.Permission]string

type Principal 

type Principal interface {
	GetName() string
	GetGroupNames() []string
	IsInGroup(group string) bool
	HasScope(scope string) bool
	HasClaim(claim string) bool
}

Principal represents an entity that can be authenticated (e.g., a user). Each principal has a name associated with it and may be part of one or more groups. Scopes and claims are as defined in OpenId.

func GetPrincipal 

func GetPrincipal(ctx context.Context) Principal

GetPrincipal returns the principal (e.g., a user) contained in a context. The principal is assumed to be stored as a ctx.Value. If no principal can be found, a principal representing an anonymous (unauthenticated) user is returned.

type PrincipalPermissionChecker 

type PrincipalPermissionChecker struct {
	// contains filtered or unexported fields
}

func NewPrincipalPermissionChecker 

func NewPrincipalPermissionChecker(
	permissionGroupMap map[permission.Permission][]string,
	permissionScopeMap map[permission.Permission][]string,
	permissionClaimMap map[permission.Permission][]string,
) *PrincipalPermissionChecker

func (*PrincipalPermissionChecker) UserHasPermission 

func (checker *PrincipalPermissionChecker) UserHasPermission(ctx context.Context, perm permission.Permission) bool

UserHasPermission returns true if the principal contained in the context has the given permission, which is determined by checking if any of the groups, scopes, or claims associated with the principal has that permission.

func (*PrincipalPermissionChecker) UserOwns 

func (checker *PrincipalPermissionChecker) UserOwns(ctx context.Context, obj Owned) (owned bool, ownershipGroups []string)

UserOwns check if obj is owned by the principal contained in the context, or by a group of which the principal is a member. If obj is owned by a group of which the principal is a member, this method also returns the list of groups that own the object and that the principal is a member of. If obj is owned by the principal in the context, no groups are returned.

TODO Should we always return the groups (even if the principal owns obj directly)?

type StaticPrincipal 

type StaticPrincipal struct {
	// contains filtered or unexported fields
}

Default implementation of the Principal interface. Here, static refers to the fact that the principal doesn't change once it has been created.

func NewStaticPrincipal 

func NewStaticPrincipal(name string, groups []string) *StaticPrincipal

func NewStaticPrincipalWithScopesAndClaims 

func NewStaticPrincipalWithScopesAndClaims(name string, groups []string, scopes []string, claims []string) *StaticPrincipal

func (*StaticPrincipal) GetGroupNames 

func (p *StaticPrincipal) GetGroupNames() []string

func (*StaticPrincipal) GetName 

func (p *StaticPrincipal) GetName() string

func (*StaticPrincipal) HasClaim 

func (p *StaticPrincipal) HasClaim(claim string) bool

func (*StaticPrincipal) HasScope 

func (p *StaticPrincipal) HasScope(scope string) bool

func (*StaticPrincipal) IsInGroup 

func (p *StaticPrincipal) IsInGroup(group string) bool

type TokenReviewer 

type TokenReviewer interface {
	ReviewToken(ctx context.Context, clusterUrl string, token string, ca []byte) (*authv1.TokenReview, error)
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.