authorization

package
v4.34.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 10, 2022 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsAuthLevelSufficient

func IsAuthLevelSufficient(authenticationLevel authentication.Level, authorizationLevel Level) bool

IsAuthLevelSufficient returns true if the current authenticationLevel is above the authorizationLevel.

func LevelToPolicy added in v4.34.0

func LevelToPolicy(level Level) (policy string)

LevelToPolicy converts a int authorization level to string policy.

Types

type AccessControlDomain

type AccessControlDomain struct {
	Name          string
	Wildcard      bool
	UserWildcard  bool
	GroupWildcard bool
}

AccessControlDomain represents an ACL domain.

func (AccessControlDomain) IsMatch

func (acd AccessControlDomain) IsMatch(subject Subject, object Object) (match bool)

IsMatch returns true if the ACL domain matches the object domain.

type AccessControlGroup

type AccessControlGroup struct {
	Name string
}

AccessControlGroup represents an ACL subject of type `group:`.

func (AccessControlGroup) IsMatch

func (acg AccessControlGroup) IsMatch(subject Subject) (match bool)

IsMatch returns true if the AccessControlGroup name matches one of the groups of the Subject.

type AccessControlResource

type AccessControlResource struct {
	Pattern *regexp.Regexp
}

AccessControlResource represents an ACL resource.

func (AccessControlResource) IsMatch

func (acr AccessControlResource) IsMatch(object Object) (match bool)

IsMatch returns true if the ACL resource match the object path.

type AccessControlRule

type AccessControlRule struct {
	Position  int
	Domains   []AccessControlDomain
	Resources []AccessControlResource
	Methods   []string
	Networks  []*net.IPNet
	Subjects  []AccessControlSubjects
	Policy    Level
}

AccessControlRule controls and represents an ACL internally.

func NewAccessControlRule

func NewAccessControlRule(pos int, rule schema.ACLRule, networksMap map[string][]*net.IPNet, networksCacheMap map[string]*net.IPNet) *AccessControlRule

NewAccessControlRule parses a schema ACL and generates an internal ACL.

func NewAccessControlRules

func NewAccessControlRules(config schema.AccessControlConfiguration) (rules []*AccessControlRule)

NewAccessControlRules converts a schema.AccessControlConfiguration into an AccessControlRule slice.

func (*AccessControlRule) IsMatch

func (acr *AccessControlRule) IsMatch(subject Subject, object Object) (match bool)

IsMatch returns true if all elements of an AccessControlRule match the object and subject.

type AccessControlSubject

type AccessControlSubject interface {
	IsMatch(subject Subject) (match bool)
}

AccessControlSubject abstracts an ACL subject of type `group:` or `user:`.

type AccessControlSubjects

type AccessControlSubjects struct {
	Subjects []AccessControlSubject
}

AccessControlSubjects represents an ACL subject.

func (*AccessControlSubjects) AddSubject

func (acs *AccessControlSubjects) AddSubject(subjectRule string)

AddSubject appends to the AccessControlSubjects based on a subject rule string.

func (AccessControlSubjects) IsMatch

func (acs AccessControlSubjects) IsMatch(subject Subject) (match bool)

IsMatch returns true if the ACL subjects match the subject properties.

type AccessControlUser

type AccessControlUser struct {
	Name string
}

AccessControlUser represents an ACL subject of type `user:`.

func (AccessControlUser) IsMatch

func (acu AccessControlUser) IsMatch(subject Subject) (match bool)

IsMatch returns true if the AccessControlUser name matches the Subject username.

type Authorizer

type Authorizer struct {
	// contains filtered or unexported fields
}

Authorizer the component in charge of checking whether a user can access a given resource.

func NewAuthorizer

func NewAuthorizer(configuration *schema.Configuration) *Authorizer

NewAuthorizer create an instance of authorizer with a given access control configuration.

func (Authorizer) GetRequiredLevel

func (p Authorizer) GetRequiredLevel(subject Subject, object Object) Level

GetRequiredLevel retrieve the required level of authorization to access the object.

func (Authorizer) GetRuleMatchResults added in v4.34.0

func (p Authorizer) GetRuleMatchResults(subject Subject, object Object) (results []RuleMatchResult)

GetRuleMatchResults iterates through the rules and produces a list of RuleMatchResult provided a subject and object.

func (Authorizer) IsSecondFactorEnabled

func (p Authorizer) IsSecondFactorEnabled() bool

IsSecondFactorEnabled return true if at least one policy is set to second factor.

type Level

type Level int

Level is the type representing an authorization level.

const (
	// Bypass bypass level.
	Bypass Level = iota
	// OneFactor one factor level.
	OneFactor Level = iota
	// TwoFactor two factor level.
	TwoFactor Level = iota
	// Denied denied level.
	Denied Level = iota
)

func PolicyToLevel

func PolicyToLevel(policy string) Level

PolicyToLevel converts a string policy to int authorization level.

type Object

type Object struct {
	Scheme string
	Domain string
	Path   string
	Method string
}

Object represents a protected object for the purposes of ACL matching.

func NewObject

func NewObject(targetURL *url.URL, method string) (object Object)

NewObject creates a new Object type from a URL and a method header.

func NewObjectRaw

func NewObjectRaw(targetURL *url.URL, method []byte) (object Object)

NewObjectRaw creates a new Object type from a URL and a method header.

func (Object) String

func (o Object) String() string

String is a string representation of the Object.

type RuleMatchResult added in v4.34.0

type RuleMatchResult struct {
	Rule *AccessControlRule

	Skipped bool

	MatchDomain        bool
	MatchResources     bool
	MatchMethods       bool
	MatchNetworks      bool
	MatchSubjects      bool
	MatchSubjectsExact bool
}

RuleMatchResult describes how well a rule matched a subject/object combo.

func (RuleMatchResult) IsMatch added in v4.34.0

func (r RuleMatchResult) IsMatch() (match bool)

IsMatch returns true if all the criteria matched.

func (RuleMatchResult) IsPotentialMatch added in v4.34.0

func (r RuleMatchResult) IsPotentialMatch() (match bool)

IsPotentialMatch returns true if the rule is potentially a match.

type Subject

type Subject struct {
	Username string
	Groups   []string
	IP       net.IP
}

Subject represents the identity of a user for the purposes of ACL matching.

func (Subject) IsAnonymous

func (s Subject) IsAnonymous() bool

IsAnonymous returns true if the Subject username and groups are empty.

func (Subject) String

func (s Subject) String() string

String returns a string representation of the Subject.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL