authorization

package
v4.35.4
Published: May 11, 2022 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (
	// IdentitySubexpNames is a list of valid regex subexp names.
	IdentitySubexpNames = []string{subexpNameUser, subexpNameGroup}
)

Functions

func IsAuthLevelSufficient

func IsAuthLevelSufficient(authenticationLevel authentication.Level, authorizationLevel Level) bool

IsAuthLevelSufficient returns true if the current authenticationLevel is above the authorizationLevel.

func LevelToPolicy added in v4.34.0

func LevelToPolicy(level Level) (policy string)

LevelToPolicy converts an int authorization level to a string policy.

Types

type AccessControlDomain

type AccessControlDomain struct {
	Name          string
	Wildcard      bool
	UserWildcard  bool
	GroupWildcard bool
}

AccessControlDomain represents an ACL domain.

func (AccessControlDomain) IsMatch

func (acl AccessControlDomain) IsMatch(subject Subject, object Object) (match bool)

IsMatch returns true if the ACL domain matches the object domain.

func (AccessControlDomain) String added in v4.35.0

func (acl AccessControlDomain) String() string

String returns a string representation of the SubjectObjectMatcher rule.

type AccessControlDomainRegex added in v4.35.0

type AccessControlDomainRegex struct {
	Pattern         regexp.Regexp
	SubexpNameUser  int
	SubexpNameGroup int
}

AccessControlDomainRegex represents an ACL domain regex.

func (AccessControlDomainRegex) IsMatch added in v4.35.0

func (acl AccessControlDomainRegex) IsMatch(subject Subject, object Object) (match bool)

IsMatch returns true if the ACL regex matches the object domain.

func (AccessControlDomainRegex) String added in v4.35.0

func (acl AccessControlDomainRegex) String() string

String returns a text representation of an AccessControlDomainRegex.

type AccessControlDomainRegexBasic added in v4.35.0

type AccessControlDomainRegexBasic struct {
	Pattern regexp.Regexp
}

AccessControlDomainRegexBasic represents a basic domain regex SubjectObjectMatcher.

func (AccessControlDomainRegexBasic) IsMatch added in v4.35.0

func (acl AccessControlDomainRegexBasic) IsMatch(_ Subject, object Object) (match bool)

IsMatch returns true if the ACL regex matches the object domain.

func (AccessControlDomainRegexBasic) String added in v4.35.0

func (acl AccessControlDomainRegexBasic) String() string

String returns a text representation of an AccessControlDomainRegexBasic.

type AccessControlGroup

type AccessControlGroup struct {
	Name string
}

AccessControlGroup represents an ACL subject of type `group:`.

func (AccessControlGroup) IsMatch

func (acg AccessControlGroup) IsMatch(subject Subject) (match bool)

IsMatch returns true if the AccessControlGroup name matches one of the groups of the Subject.

type AccessControlResource

type AccessControlResource struct {
	Pattern regexp.Regexp
}

AccessControlResource represents an ACL resource.

func (AccessControlResource) IsMatch

func (acr AccessControlResource) IsMatch(object Object) (match bool)

IsMatch returns true if the ACL resource matches the object path.

type AccessControlRule

type AccessControlRule struct {
	Position  int
	Domains   []SubjectObjectMatcher
	Resources []AccessControlResource
	Methods   []string
	Networks  []*net.IPNet
	Subjects  []AccessControlSubjects
	Policy    Level
}

AccessControlRule controls and represents an ACL internally.

func NewAccessControlRule

func NewAccessControlRule(pos int, rule schema.ACLRule, networksMap map[string][]*net.IPNet, networksCacheMap map[string]*net.IPNet) *AccessControlRule

NewAccessControlRule parses a schema ACL and generates an internal ACL.

func NewAccessControlRules

func NewAccessControlRules(config schema.AccessControlConfiguration) (rules []*AccessControlRule)

NewAccessControlRules converts a schema.AccessControlConfiguration into an AccessControlRule slice.

func (*AccessControlRule) IsMatch

func (acr *AccessControlRule) IsMatch(subject Subject, object Object) (match bool)

IsMatch returns true if all elements of an AccessControlRule match the object and subject.

type AccessControlSubjects

type AccessControlSubjects struct {
	Subjects []SubjectMatcher
}

AccessControlSubjects represents an ACL subject.

func (*AccessControlSubjects) AddSubject

func (acs *AccessControlSubjects) AddSubject(subjectRule string)

AddSubject appends to the AccessControlSubjects based on a subject rule string.

func (AccessControlSubjects) IsMatch

func (acs AccessControlSubjects) IsMatch(subject Subject) (match bool)

IsMatch returns true if the ACL subjects match the subject properties.

type AccessControlUser

type AccessControlUser struct {
	Name string
}

AccessControlUser represents an ACL subject of type `user:`.

func (AccessControlUser) IsMatch

func (acu AccessControlUser) IsMatch(subject Subject) (match bool)

IsMatch returns true if the AccessControlUser name matches the Subject username.

type Authorizer

type Authorizer struct {
	// contains filtered or unexported fields
}

Authorizer is the component in charge of checking whether a user can access a given resource.

func NewAuthorizer

func NewAuthorizer(configuration *schema.Configuration) *Authorizer

NewAuthorizer creates an instance of Authorizer with a given access control configuration.

func (Authorizer) GetRequiredLevel

func (p Authorizer) GetRequiredLevel(subject Subject, object Object) Level

GetRequiredLevel retrieves the level of authorization required to access the object.

func (Authorizer) GetRuleMatchResults added in v4.34.0

func (p Authorizer) GetRuleMatchResults(subject Subject, object Object) (results []RuleMatchResult)

GetRuleMatchResults iterates through the rules and produces a list of RuleMatchResult provided a subject and object.

func (Authorizer) IsSecondFactorEnabled

func (p Authorizer) IsSecondFactorEnabled() bool

IsSecondFactorEnabled returns true if at least one policy is set to second factor.
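How first-match evaluation with a default policy plays out, as an added, self-contained example rather than the package's own implementation. It keeps the page's Level ordering and the domain, resource and subject criteria of AccessControlRule (literal domains only; methods, networks and the anonymous-subject handling behind RuleMatchResult.IsPotentialMatch are omitted) together with the `user:` and `group:` subject forms of AccessControlUser and AccessControlGroup. The policy built by NewDemoAuthorizer, the hostnames and the paths are constructed for the example.

```go
package main

import (
	"regexp"
	"strings"
)

// Level reproduces the page's ordering: Bypass < OneFactor < TwoFactor < Denied.
type Level int

const (
	Bypass Level = iota
	OneFactor
	TwoFactor
	Denied
)

type Subject struct {
	Username string
	Groups   []string
}

type Object struct {
	Domain string
	Path   string
}

func anyOf[T any](items []T, pred func(T) bool) bool {
	for _, it := range items {
		if pred(it) {
			return true
		}
	}
	return false
}

// subjectMatches handles the page's "user:" and "group:" subject forms.
func subjectMatches(rule string, s Subject) bool {
	if strings.HasPrefix(rule, "user:") {
		return strings.EqualFold(strings.TrimPrefix(rule, "user:"), s.Username)
	}
	if strings.HasPrefix(rule, "group:") {
		want := strings.TrimPrefix(rule, "group:")
		return anyOf(s.Groups, func(g string) bool { return strings.EqualFold(g, want) })
	}
	return false // a malformed subject rule never matches: fail closed
}

// Rule keeps the page's domain, resource and subject criteria; methods and networks are omitted.
type Rule struct {
	Domains   []string         // literal domains, compared case-insensitively
	Resources []*regexp.Regexp // empty means any path
	Subjects  []string         // empty means any subject, anonymous included
	Policy    Level
}

// IsMatch requires every criterion to hold, like AccessControlRule.IsMatch on the page.
func (r Rule) IsMatch(s Subject, o Object) bool {
	domain := anyOf(r.Domains, func(d string) bool { return strings.EqualFold(d, o.Domain) })
	path := len(r.Resources) == 0 || anyOf(r.Resources, func(re *regexp.Regexp) bool { return re.MatchString(o.Path) })
	subject := len(r.Subjects) == 0 || anyOf(r.Subjects, func(sub string) bool { return subjectMatches(sub, s) })
	return domain && path && subject
}

type Authorizer struct {
	DefaultPolicy Level
	Rules         []Rule
}

// GetRequiredLevel is first-match-wins: rule order is part of the policy, and a
// request that no rule covers gets the default policy.
func (a Authorizer) GetRequiredLevel(s Subject, o Object) Level {
	for _, r := range a.Rules {
		if r.IsMatch(s, o) {
			return r.Policy
		}
	}
	return a.DefaultPolicy
}

// NewDemoAuthorizer builds a constructed policy: /public is open, /admin needs two
// factors for the admins group and is denied to everyone else, the rest needs one factor.
// The explicit Denied rule matters: without it the catch-all would let any
// authenticated user reach /admin with a single factor.
func NewDemoAuthorizer() Authorizer {
	www := []string{"www.example.com"}
	path := func(p string) []*regexp.Regexp { return []*regexp.Regexp{regexp.MustCompile(p)} }
	return Authorizer{DefaultPolicy: Denied, Rules: []Rule{
		{Domains: www, Resources: path(`^/public/`), Policy: Bypass},
		{Domains: www, Resources: path(`^/admin/`), Subjects: []string{"group:admins"}, Policy: TwoFactor},
		{Domains: www, Resources: path(`^/admin/`), Policy: Denied},
		{Domains: www, Policy: OneFactor},
	}}
}
```

Reordering the second and third rules, or dropping the third, changes who can reach /admin, which is why a review of such a configuration reads the rules top to bottom and checks what the default policy catches.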

type Level

type Level int

Level is the type representing an authorization level.

const (
	// Bypass bypass level.
	Bypass Level = iota
	// OneFactor one factor level.
	OneFactor Level = iota
	// TwoFactor two factor level.
	TwoFactor Level = iota
	// Denied denied level.
	Denied Level = iota
)

func PolicyToLevel

func PolicyToLevel(policy string) Level

PolicyToLevel converts a string policy to an int authorization level.
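The level comparison behind IsAuthLevelSufficient and the two policy mappings, as an added example that is not the package's own code. Level and its constants follow the page; AuthnLevel and its constant names stand in for authentication.Level, and the policy strings bypass, one_factor, two_factor and deny are assumed values, as is the fail-closed default for unrecognised input.

```go
package main

// Level reproduces the page's authorization levels and their ordering.
type Level int

const (
	Bypass Level = iota
	OneFactor
	TwoFactor
	Denied
)

// AuthnLevel stands in for authentication.Level from the authentication package;
// the constant names here are assumed, not taken from the page.
type AuthnLevel int

const (
	NotAuthenticated AuthnLevel = iota
	AuthnOneFactor
	AuthnTwoFactor
)

// Policy strings as written in the access control configuration (assumed values).
const (
	policyBypass    = "bypass"
	policyOneFactor = "one_factor"
	policyTwoFactor = "two_factor"
	policyDeny      = "deny"
)

// IsAuthLevelSufficient decides per policy rather than by comparing the two
// integers: Bypass passes every session, Denied passes none, and the factor
// policies need at least that many completed factors.
func IsAuthLevelSufficient(authn AuthnLevel, required Level) bool {
	switch required {
	case Bypass:
		return true
	case OneFactor:
		return authn >= AuthnOneFactor
	case TwoFactor:
		return authn >= AuthnTwoFactor
	}
	return false // Denied, or a level this code does not know: fail closed
}

// PolicyToLevel maps a configured policy string to a Level; anything it does not
// recognise (a typo such as "two-factor") becomes Denied rather than Bypass.
func PolicyToLevel(policy string) Level {
	switch policy {
	case policyBypass:
		return Bypass
	case policyOneFactor:
		return OneFactor
	case policyTwoFactor:
		return TwoFactor
	}
	return Denied
}

// LevelToPolicy is the inverse mapping, with the same fail-closed default.
func LevelToPolicy(level Level) string {
	switch level {
	case Bypass:
		return policyBypass
	case OneFactor:
		return policyOneFactor
	case TwoFactor:
		return policyTwoFactor
	}
	return policyDeny
}
```

With the constants ordered as above, `int(authn) >= int(required)` would give the same answers, but only because Denied sorts after every authentication level; the explicit switch keeps the decision correct if a level is ever added or reordered.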

type Object

type Object struct {
	Scheme string
	Domain string
	Path   string
	Method string
}

Object represents a protected object for the purposes of ACL matching.

func NewObject

func NewObject(targetURL *url.URL, method string) (object Object)

NewObject creates a new Object type from a URL and a method header.

func NewObjectRaw

func NewObjectRaw(targetURL *url.URL, method []byte) (object Object)

NewObjectRaw creates a new Object type from a URL and a method header.

func (Object) String

func (o Object) String() string

String is a string representation of the Object.

type RuleMatchResult added in v4.34.0

type RuleMatchResult struct {
	Rule *AccessControlRule

	Skipped bool

	MatchDomain        bool
	MatchResources     bool
	MatchMethods       bool
	MatchNetworks      bool
	MatchSubjects      bool
	MatchSubjectsExact bool
}

RuleMatchResult describes how well a rule matched a subject/object combination.

func (RuleMatchResult) IsMatch added in v4.34.0

func (r RuleMatchResult) IsMatch() (match bool)

IsMatch returns true if all the criteria matched.

func (RuleMatchResult) IsPotentialMatch added in v4.34.0

func (r RuleMatchResult) IsPotentialMatch() (match bool)

IsPotentialMatch returns true if the rule is potentially a match.

type Subject

type Subject struct {
	Username string
	Groups   []string
	IP       net.IP
}

Subject represents the identity of a user for the purposes of ACL matching.

func (Subject) IsAnonymous

func (s Subject) IsAnonymous() bool

IsAnonymous returns true if the Subject username and groups are empty.

func (Subject) String

func (s Subject) String() string

String returns a string representation of the Subject.

type SubjectMatcher added in v4.35.0

type SubjectMatcher interface {
	IsMatch(subject Subject) (match bool)
}

SubjectMatcher is a matcher that takes a subject.

type SubjectObjectMatcher added in v4.35.0

type SubjectObjectMatcher interface {
	IsMatch(subject Subject, object Object) (match bool)
	String() string
}

SubjectObjectMatcher is a matcher that takes both a subject and an object.

func NewAccessControlDomain added in v4.35.0

func NewAccessControlDomain(domain string) SubjectObjectMatcher

NewAccessControlDomain creates a new SubjectObjectMatcher that matches the domain as a basic string.

func NewAccessControlDomainRegex added in v4.35.0

func NewAccessControlDomainRegex(pattern regexp.Regexp) SubjectObjectMatcher

NewAccessControlDomainRegex creates a new SubjectObjectMatcher that matches the domain either as a plain pattern or dynamically through the User/Group subexpression groups.
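The identity-bound domain regex in a self-contained form, added here and not the package's code: a pattern with a User or Group named group gets the identity-checking matcher, a pattern with neither gets the basic one, mirroring the split between AccessControlDomainRegex and AccessControlDomainRegexBasic. The group names User and Group are assumed values of the page's unexported subexpNameUser and subexpNameGroup, the String formats are made up for the example, and the guard against an empty capture is an addition of this example, not something the page describes.

```go
package main

import (
	"regexp"
	"strings"
)

type Subject struct {
	Username string
	Groups   []string
}

type Object struct {
	Domain string
}

// SubjectObjectMatcher mirrors the page's interface.
type SubjectObjectMatcher interface {
	IsMatch(subject Subject, object Object) bool
	String() string
}

// basicDomainRegex plays the role of AccessControlDomainRegexBasic: the pattern alone decides.
type basicDomainRegex struct{ pattern *regexp.Regexp }

func (m basicDomainRegex) IsMatch(_ Subject, o Object) bool { return m.pattern.MatchString(o.Domain) }
func (m basicDomainRegex) String() string                   { return "domain_regex:" + m.pattern.String() }

// identityDomainRegex plays the role of AccessControlDomainRegex: the text captured by
// the User and Group groups must belong to the subject making the request.
type identityDomainRegex struct {
	pattern           *regexp.Regexp
	userIdx, groupIdx int // -1 when the pattern has no such group
}

// NewDomainRegex chooses between the two, as NewAccessControlDomainRegex does; the
// group names "User" and "Group" are assumed values of the page's unexported constants.
func NewDomainRegex(pattern string) (SubjectObjectMatcher, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	m := identityDomainRegex{pattern: re, userIdx: -1, groupIdx: -1}
	for i, name := range re.SubexpNames() {
		switch name {
		case "User":
			m.userIdx = i
		case "Group":
			m.groupIdx = i
		}
	}
	if m.userIdx == -1 && m.groupIdx == -1 {
		return basicDomainRegex{re}, nil
	}
	return m, nil
}

func (m identityDomainRegex) IsMatch(s Subject, o Object) bool {
	sub := m.pattern.FindStringSubmatch(o.Domain)
	if sub == nil {
		return false
	}
	if m.userIdx != -1 {
		// An empty capture would compare equal to an anonymous subject's empty
		// username, so it is rejected outright (guard added by this example).
		if sub[m.userIdx] == "" || !strings.EqualFold(sub[m.userIdx], s.Username) {
			return false
		}
	}
	if m.groupIdx != -1 {
		member := false
		for _, g := range s.Groups {
			member = member || strings.EqualFold(g, sub[m.groupIdx])
		}
		if !member {
			return false
		}
	}
	return true
}

func (m identityDomainRegex) String() string {
	return "domain_regex(identity):" + m.pattern.String()
}
```

The basic matcher answers the same for every subject, anonymous included, so a pattern that is meant to carve out per-user or per-group subdomains only does so when it actually names the User or Group group; the type assertion in the test is the cheap way to confirm which matcher a pattern produced.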
