authorization

package
v4.37.3

Published: Dec 8, 2022 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (
	// IdentitySubexpNames is a list of valid regex subexp names.
	IdentitySubexpNames = []string{subexpNameUser, subexpNameGroup}
)

Functions

func IsAuthLevelSufficient

func IsAuthLevelSufficient(authenticationLevel authentication.Level, authorizationLevel Level) bool

IsAuthLevelSufficient returns true if the current authenticationLevel meets or exceeds the authorizationLevel. A Denied authorization level is never satisfied, whatever the authentication level.

func LevelToString added in v4.36.3

func LevelToString(level Level) (policy string)

LevelToString converts an integer authorization Level to its string policy name.

Types

type AccessControlDomain

type AccessControlDomain struct {
	Matcher StringSubjectMatcher
}

AccessControlDomain represents an ACL domain.

func NewAccessControlDomain added in v4.35.0

func NewAccessControlDomain(domain string) (subjects bool, rule AccessControlDomain)

NewAccessControlDomain creates an AccessControlDomain whose matcher compares the domain as a plain string. The subjects return value reports whether the resulting matcher depends on the subject's identity, as the user and group wildcard forms do.

func NewAccessControlDomainRegex added in v4.35.0

func NewAccessControlDomainRegex(pattern regexp.Regexp) (subjects bool, rule AccessControlDomain)

NewAccessControlDomainRegex creates an AccessControlDomain whose matcher applies the regex pattern either as a plain pattern or, when the pattern contains the User or Group named subexpressions, dynamically against the subject's username or groups. The subjects return value is true in the latter case.

func (AccessControlDomain) IsMatch

func (acl AccessControlDomain) IsMatch(subject Subject, object Object) (match bool)

IsMatch returns true if the ACL domain matches the object's domain, taking the subject into account for the user and group wildcard forms.

type AccessControlDomainMatcher added in v4.36.0

type AccessControlDomainMatcher struct {
	Name          string
	Wildcard      bool
	UserWildcard  bool
	GroupWildcard bool
}

AccessControlDomainMatcher is the plain (non-regex) domain matcher. Name holds the domain or domain suffix, and at most one of Wildcard, UserWildcard and GroupWildcard is set, marking a rule written with a `*.`, `{user}.` or `{group}.` prefix whose leading label is matched against any subdomain, the subject's username, or one of the subject's groups respectively.

func (AccessControlDomainMatcher) IsMatch added in v4.36.0

func (m AccessControlDomainMatcher) IsMatch(domain string, subject Subject) (match bool)

IsMatch returns true if domain satisfies this matcher for the given subject (the subject only matters for the user and group wildcard forms).
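The four fields above encode the four domain rule forms. As an added illustration, not the package's own code: a self-contained matcher of the same shape, assuming the `*.`, `{user}.` and `{group}.` spellings of Authelia's access control configuration; the parsing, the lower-casing and the anonymous-subject guard are this example's own choices. It shows why the wildcard suffix must keep its leading dot.

```go
package main

import (
	"fmt"
	"strings"
)

type Subject struct {
	Username string
	Groups   []string
}

// DomainMatcher is an illustrative stand-in for AccessControlDomainMatcher.
// For an exact rule Name is the whole domain; for "*." rules it is the suffix
// with its leading dot kept; for "{user}." and "{group}." rules it is the
// parent domain the subject's username or group is prepended to.
type DomainMatcher struct {
	Name          string
	Wildcard      bool
	UserWildcard  bool
	GroupWildcard bool
}

// NewDomainMatcher parses the three wildcard spellings; anything else is an
// exact domain. Names are lower-cased so matching is case-insensitive.
func NewDomainMatcher(rule string) DomainMatcher {
	rule = strings.ToLower(rule)
	switch {
	case strings.HasPrefix(rule, "*."):
		return DomainMatcher{Name: rule[1:], Wildcard: true}
	case strings.HasPrefix(rule, "{user}."):
		return DomainMatcher{Name: strings.TrimPrefix(rule, "{user}."), UserWildcard: true}
	case strings.HasPrefix(rule, "{group}."):
		return DomainMatcher{Name: strings.TrimPrefix(rule, "{group}."), GroupWildcard: true}
	default:
		return DomainMatcher{Name: rule}
	}
}

// IsMatch reports whether domain satisfies the matcher for subject.
func (m DomainMatcher) IsMatch(domain string, subject Subject) bool {
	domain = strings.ToLower(domain)
	switch {
	case m.Wildcard:
		// The suffix includes the dot, so "*.example.com" matches
		// "app.example.com" but neither the apex "example.com" nor
		// "evilexample.com", which a dot-less suffix check would accept.
		return strings.HasSuffix(domain, m.Name)
	case m.UserWildcard:
		// An anonymous subject has no username; refuse rather than match ".example.com".
		if subject.Username == "" {
			return false
		}
		return domain == strings.ToLower(subject.Username)+"."+m.Name
	case m.GroupWildcard:
		i := strings.IndexByte(domain, '.')
		if i <= 0 || domain[i+1:] != m.Name {
			return false
		}
		for _, g := range subject.Groups {
			if strings.ToLower(g) == domain[:i] {
				return true
			}
		}
		return false
	default:
		return domain == m.Name
	}
}

func main() {
	wild := NewDomainMatcher("*.example.com")
	fmt.Println(wild.IsMatch("app.example.com", Subject{}), wild.IsMatch("evilexample.com", Subject{})) // true false
}
```

The group form only accepts a single leading label, so `a.dev.example.com` does not match `{group}.example.com` for a member of `dev`; widen the split deliberately if nested subdomains are wanted.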

type AccessControlGroup

type AccessControlGroup struct {
	Name string
}

AccessControlGroup represents an ACL subject of type `group:`.

func (AccessControlGroup) IsMatch

func (acg AccessControlGroup) IsMatch(subject Subject) (match bool)

IsMatch returns true if the AccessControlGroup name matches one of the groups of the Subject.

type AccessControlQuery added in v4.37.0

type AccessControlQuery struct {
	Rules []ObjectMatcher
}

AccessControlQuery represents one ACL query-argument rule group: every ObjectMatcher in Rules must match (it corresponds to one inner list of the configuration).

func NewAccessControlQuery added in v4.37.0

func NewAccessControlQuery(config [][]schema.ACLQueryRule) (rules []AccessControlQuery)

NewAccessControlQuery builds one AccessControlQuery per inner list of the configured query rules, so the outer list is a set of alternatives.

func (AccessControlQuery) IsMatch added in v4.37.0

func (acq AccessControlQuery) IsMatch(object Object) (isMatch bool)

IsMatch returns true if every matcher in Rules matches the object's query arguments.

type AccessControlQueryMatcherEqual added in v4.37.0

type AccessControlQueryMatcherEqual struct {
	// contains filtered or unexported fields
}

AccessControlQueryMatcherEqual is a rule type that checks the equality of a query parameter.

func (AccessControlQueryMatcherEqual) IsMatch added in v4.37.0

func (acl AccessControlQueryMatcherEqual) IsMatch(object Object) (isMatch bool)

IsMatch returns true if this rule matches the object.

type AccessControlQueryMatcherPattern added in v4.37.0

type AccessControlQueryMatcherPattern struct {
	// contains filtered or unexported fields
}

AccessControlQueryMatcherPattern is a rule type that checks a query parameter against regex.

func (AccessControlQueryMatcherPattern) IsMatch added in v4.37.0

func (acl AccessControlQueryMatcherPattern) IsMatch(object Object) (isMatch bool)

IsMatch returns true if this rule matches the object.

type AccessControlQueryMatcherPresent added in v4.37.0

type AccessControlQueryMatcherPresent struct {
	// contains filtered or unexported fields
}

AccessControlQueryMatcherPresent is a rule type that checks the presence of a query parameter.

func (AccessControlQueryMatcherPresent) IsMatch added in v4.37.0

func (acl AccessControlQueryMatcherPresent) IsMatch(object Object) (isMatch bool)

IsMatch returns true if this rule matches the object.
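The three query matchers combined under AccessControlQuery, as an added example and not the package's own code: the matchers are reimplemented over Go's url.Values, the AND-within-a-list / OR-across-lists combination follows the `[][]schema.ACLQueryRule` shape that NewAccessControlQuery consumes, and checking every value of a repeated key rather than only the first is this example's own hardening against parameter pollution. The rule set and query strings are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// QueryMatcher is the ObjectMatcher role reduced to a parsed query string.
type QueryMatcher interface {
	IsMatch(q url.Values) bool
}

// Equal, Pattern and Present stand in for AccessControlQueryMatcherEqual,
// ...Pattern and ...Present. Each matches if ANY value sent for Key
// satisfies it: checking only the first value would let a request such as
// ?role=user&role=admin (parameter pollution) slip past an "equal admin" rule.
type Equal struct{ Key, Value string }
type Pattern struct {
	Key string
	Re  *regexp.Regexp
}
type Present struct{ Key string }

func (m Equal) IsMatch(q url.Values) bool {
	for _, v := range q[m.Key] {
		if v == m.Value {
			return true
		}
	}
	return false
}

func (m Pattern) IsMatch(q url.Values) bool {
	for _, v := range q[m.Key] {
		if m.Re.MatchString(v) {
			return true
		}
	}
	return false
}

func (m Present) IsMatch(q url.Values) bool {
	_, ok := q[m.Key]
	return ok
}

// Query mirrors AccessControlQuery: all of its Rules must match (AND).
type Query struct{ Rules []QueryMatcher }

func (acq Query) IsMatch(q url.Values) bool {
	for _, r := range acq.Rules {
		if !r.IsMatch(q) {
			return false
		}
	}
	return true
}

// MatchesQuery mirrors AccessControlRule.MatchesQuery: an empty list matches
// any request, otherwise at least one Query group must match (OR of ANDs).
func MatchesQuery(groups []Query, rawQuery string) (bool, error) {
	if len(groups) == 0 {
		return true, nil
	}
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return false, err
	}
	for _, g := range groups {
		if g.IsMatch(q) {
			return true, nil
		}
	}
	return false, nil
}

// DemoGroups is a constructed rule: (action=delete AND id present) OR (format matches ^(csv|xml)$).
func DemoGroups() []Query {
	return []Query{
		{Rules: []QueryMatcher{Equal{"action", "delete"}, Present{"id"}}},
		{Rules: []QueryMatcher{Pattern{"format", regexp.MustCompile(`^(csv|xml)$`)}}},
	}
}

func main() {
	ok, _ := MatchesQuery(DemoGroups(), "action=view&action=delete&id=7")
	fmt.Println(ok) // true: the second action value is delete
}
```

Whether "any value" or "every value" is the right semantics depends on what the rule protects: for a rule that raises the required level it is the safe choice, for one that lowers it (a bypass keyed on a query parameter) you want the stricter test.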

type AccessControlResource

type AccessControlResource struct {
	Matcher StringSubjectMatcher
}

AccessControlResource represents an ACL resource; its Matcher is a RegexpStringSubjectMatcher for a plain pattern, or a RegexpGroupStringSubjectMatcher when the pattern uses the User or Group named groups.

func NewAccessControlResource added in v4.36.0

func NewAccessControlResource(pattern regexp.Regexp) (subjects bool, rule AccessControlResource)

NewAccessControlResource creates an AccessControlResource from a regex pattern, selecting the plain or named-group matcher. The subjects return value is true when the pattern uses the User or Group subexpressions, so that matching depends on the subject.

func (AccessControlResource) IsMatch

func (acl AccessControlResource) IsMatch(subject Subject, object Object) (match bool)

IsMatch returns true if the ACL resource matches the object path for the given subject.

type AccessControlRule

type AccessControlRule struct {
	HasSubjects bool

	Position  int
	Domains   []AccessControlDomain
	Resources []AccessControlResource
	Query     []AccessControlQuery
	Methods   []string
	Networks  []*net.IPNet
	Subjects  []AccessControlSubjects
	Policy    Level
}

AccessControlRule is the internal representation of one ACL rule; all of its populated criteria must match for the rule to apply.

func NewAccessControlRule

func NewAccessControlRule(pos int, rule schema.ACLRule, networksMap map[string][]*net.IPNet, networksCacheMap map[string]*net.IPNet) *AccessControlRule

NewAccessControlRule parses a schema ACL and generates an internal ACL.

func NewAccessControlRules

func NewAccessControlRules(config schema.AccessControlConfiguration) (rules []*AccessControlRule)

NewAccessControlRules converts a schema.AccessControlConfiguration into an AccessControlRule slice.

func (*AccessControlRule) IsMatch

func (acr *AccessControlRule) IsMatch(subject Subject, object Object) (match bool)

IsMatch returns true if all elements of an AccessControlRule match the object and subject.

func (*AccessControlRule) MatchesDomains added in v4.37.0

func (acr *AccessControlRule) MatchesDomains(subject Subject, object Object) (matches bool)

MatchesDomains returns true if the rule matches the domains.

func (*AccessControlRule) MatchesMethods added in v4.37.0

func (acr *AccessControlRule) MatchesMethods(object Object) (match bool)

MatchesMethods returns true if the rule matches the method.

func (*AccessControlRule) MatchesNetworks added in v4.37.0

func (acr *AccessControlRule) MatchesNetworks(subject Subject) (match bool)

MatchesNetworks returns true if the rule matches the networks.

func (*AccessControlRule) MatchesQuery added in v4.37.0

func (acr *AccessControlRule) MatchesQuery(object Object) (match bool)

MatchesQuery returns true if any of the rule's AccessControlQuery entries matches the object's query arguments.

func (*AccessControlRule) MatchesResources added in v4.37.0

func (acr *AccessControlRule) MatchesResources(subject Subject, object Object) (matches bool)

MatchesResources returns true if the rule matches the resources.

func (*AccessControlRule) MatchesSubjectExact added in v4.37.0

func (acr *AccessControlRule) MatchesSubjectExact(subject Subject) (match bool)

MatchesSubjectExact returns true if the rule matches the subjects exactly.

func (*AccessControlRule) MatchesSubjects added in v4.37.0

func (acr *AccessControlRule) MatchesSubjects(subject Subject) (match bool)

MatchesSubjects returns true if the rule matches the subjects.

type AccessControlSubjects

type AccessControlSubjects struct {
	Subjects []SubjectMatcher
}

AccessControlSubjects represents one ACL subject entry, holding the SubjectMatcher values (user: or group: rules) it was built from.

func (*AccessControlSubjects) AddSubject

func (acs *AccessControlSubjects) AddSubject(subjectRule string)

AddSubject appends a matcher parsed from a subject rule string such as `user:john` or `group:admins`.

func (*AccessControlSubjects) IsMatch

func (acs *AccessControlSubjects) IsMatch(subject Subject) (match bool)

IsMatch returns true if the ACL subjects match the subject properties.

type AccessControlUser

type AccessControlUser struct {
	Name string
}

AccessControlUser represents an ACL subject of type `user:`.

func (AccessControlUser) IsMatch

func (acu AccessControlUser) IsMatch(subject Subject) (match bool)

IsMatch returns true if the AccessControlUser name matches the Subject username.

type Authorizer

type Authorizer struct {
	// contains filtered or unexported fields
}

Authorizer is the component in charge of checking whether a user can access a given resource.

func NewAuthorizer

func NewAuthorizer(config *schema.Configuration) (authorizer *Authorizer)

NewAuthorizer creates an instance of Authorizer from the access control section of the given configuration.

func (Authorizer) GetRequiredLevel

func (p Authorizer) GetRequiredLevel(subject Subject, object Object) (hasSubjects bool, level Level)

GetRequiredLevel retrieves the level of authorization required to access the object: the policy of the first rule that matches, or the default policy when none does. hasSubjects reports whether that decision depended on the subject's identity.
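How the first-match walk and the hasSubjects flag fit together, as an added example that reimplements a cut-down AccessControlRule and Authorizer with domain and subject criteria only. This is not the project's code, and the rule set is constructed for illustration; the ordering caveat it demonstrates (a broad rule placed earlier shadows a narrower one) applies to any first-match policy list.

```go
package main

import "fmt"

// Level mirrors the package's ordering: Bypass < OneFactor < TwoFactor < Denied.
type Level int

const (
	Bypass Level = iota
	OneFactor
	TwoFactor
	Denied
)

type Subject struct {
	Username string
	Groups   []string
}

type Object struct{ Domain string }

// Rule is a cut-down AccessControlRule with only domain and subject criteria:
// an empty criterion matches anything, every populated one must match.
type Rule struct {
	Domain   string
	Subjects []string // "user:<name>" or "group:<name>"
	Policy   Level
}

func (r Rule) matchesSubject(s Subject) bool {
	if len(r.Subjects) == 0 {
		return true
	}
	for _, sr := range r.Subjects {
		// The empty-username guard stops an anonymous subject matching "user:".
		if s.Username != "" && sr == "user:"+s.Username {
			return true
		}
		for _, g := range s.Groups {
			if sr == "group:"+g {
				return true
			}
		}
	}
	return false
}

// IsMatch assumes domains were lower-cased when the Object was built.
func (r Rule) IsMatch(s Subject, o Object) bool {
	if r.Domain != "" && r.Domain != o.Domain {
		return false
	}
	return r.matchesSubject(s)
}

type Authorizer struct {
	Rules         []Rule
	DefaultPolicy Level
}

// GetRequiredLevel lets the first fully matching rule decide; if none does,
// the default policy applies. hasSubjects reports that the decision depended
// on the subject's identity, which matters before a bypass is honoured for an
// anonymous request.
func (a Authorizer) GetRequiredLevel(s Subject, o Object) (hasSubjects bool, level Level) {
	for _, r := range a.Rules {
		if r.IsMatch(s, o) {
			return len(r.Subjects) > 0, r.Policy
		}
	}
	return false, a.DefaultPolicy
}

// DemoRules is a constructed (hypothetical) rule set. The order is deliberate:
// the subject-specific admin rule must precede the admin deny rule, otherwise
// the deny rule shadows it and administrators are locked out too.
func DemoRules() []Rule {
	return []Rule{
		{Domain: "admin.example.com", Subjects: []string{"group:admins"}, Policy: TwoFactor},
		{Domain: "admin.example.com", Policy: Denied},
		{Domain: "app.example.com", Policy: OneFactor},
	}
}

func main() {
	a := Authorizer{Rules: DemoRules(), DefaultPolicy: Denied}
	bob := Subject{Username: "bob", Groups: []string{"staff"}}
	has, lvl := a.GetRequiredLevel(bob, Object{"admin.example.com"})
	fmt.Println(has, lvl == Denied) // false true: bob is not an admin, the deny rule wins
}
```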

func (Authorizer) GetRuleMatchResults added in v4.34.0

func (p Authorizer) GetRuleMatchResults(subject Subject, object Object) (results []RuleMatchResult)

GetRuleMatchResults iterates through the rules and produces a list of RuleMatchResult provided a subject and object.

func (Authorizer) IsSecondFactorEnabled

func (p Authorizer) IsSecondFactorEnabled() bool

IsSecondFactorEnabled returns true if at least one policy is set to two factor.

type Level

type Level int

Level is the type representing an authorization level.

const (
	// Bypass bypass level.
	Bypass Level = iota
	// OneFactor one factor level.
	OneFactor
	// TwoFactor two factor level.
	TwoFactor
	// Denied denied level.
	Denied
)

func StringToLevel added in v4.36.3

func StringToLevel(policy string) Level

StringToLevel converts a policy string (bypass, one_factor, two_factor, deny) to the corresponding Level.
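The Level helpers IsAuthLevelSufficient, LevelToString, StringToLevel and IsSecondFactorEnabled described on this page, reimplemented as an added example (not the package's code) to make two caveats explicit: Denied is never satisfied by any authentication level, and in this illustration an unrecognised policy string maps to Denied so that a typo in a rule fails closed rather than opening a bypass. AuthnLevel stands in for authentication.Level and is an assumption of this example.

```go
package main

import "fmt"

// Level mirrors the package's ordering: Bypass < OneFactor < TwoFactor < Denied.
type Level int

const (
	Bypass Level = iota
	OneFactor
	TwoFactor
	Denied
)

// AuthnLevel stands in for authentication.Level: how strongly the session
// has actually been authenticated. It is a separate type on purpose; the
// two scales are only ever compared through IsAuthLevelSufficient.
type AuthnLevel int

const (
	NotAuthenticated AuthnLevel = iota
	AuthnOneFactor
	AuthnTwoFactor
)

// policyNames are the policy strings accepted in an access_control block.
var policyNames = map[Level]string{
	Bypass: "bypass", OneFactor: "one_factor", TwoFactor: "two_factor", Denied: "deny",
}

// StringToLevel parses a policy name exactly as written. Anything it does not
// recognise (a typo such as "two-factor") maps to Denied so that a
// misconfigured rule fails closed instead of silently granting access.
func StringToLevel(policy string) Level {
	for level, name := range policyNames {
		if name == policy {
			return level
		}
	}
	return Denied
}

// LevelToString is the inverse; an out-of-range level also reads as "deny".
func LevelToString(level Level) string {
	if name, ok := policyNames[level]; ok {
		return name
	}
	return "deny"
}

// IsAuthLevelSufficient reports whether a session authenticated to authn meets
// the level a matched rule requires. Denied is a sentinel, not the top rung of
// the ladder: no authentication strength satisfies it, and an unknown level is
// treated the same way.
func IsAuthLevelSufficient(authn AuthnLevel, authz Level) bool {
	switch authz {
	case Bypass:
		return true
	case OneFactor:
		return authn >= AuthnOneFactor
	case TwoFactor:
		return authn >= AuthnTwoFactor
	default:
		return false
	}
}

// IsSecondFactorEnabled plays the role of the Authorizer method of the same
// name over a list of policy strings (the default policy plus each rule's).
func IsSecondFactorEnabled(policies ...string) bool {
	for _, p := range policies {
		if StringToLevel(p) == TwoFactor {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(IsAuthLevelSufficient(AuthnTwoFactor, Denied))         // false
	fmt.Println(LevelToString(StringToLevel("two-factor")))            // deny
	fmt.Println(IsSecondFactorEnabled("one_factor", "bypass", "deny")) // false
}
```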

type Object

type Object struct {
	URL *url.URL

	Domain string
	Path   string
	Method string
}

Object represents a protected object for the purposes of ACL matching.

func NewObject

func NewObject(targetURL *url.URL, method string) (object Object)

NewObject creates a new Object type from a URL and a method header.

func NewObjectRaw

func NewObjectRaw(targetURL *url.URL, method []byte) (object Object)

NewObjectRaw creates a new Object type from a URL and a method header.

func (Object) String

func (o Object) String() string

String is a string representation of the Object.

type ObjectMatcher added in v4.37.0

type ObjectMatcher interface {
	IsMatch(object Object) (match bool)
}

ObjectMatcher is a matcher that takes an object.

func NewAccessControlQueryObjectMatcher added in v4.37.0

func NewAccessControlQueryObjectMatcher(rule schema.ACLQueryRule) (matcher ObjectMatcher, err error)

NewAccessControlQueryObjectMatcher creates a new ObjectMatcher rule type from a schema.ACLQueryRule.

type RegexpGroupStringSubjectMatcher added in v4.36.0

type RegexpGroupStringSubjectMatcher struct {
	Pattern         regexp.Regexp
	SubexpNameUser  int
	SubexpNameGroup int
}

RegexpGroupStringSubjectMatcher matches the input string against the pattern and then, for whichever of the User and Group named subexpressions (IdentitySubexpNames) the pattern contains, additionally requires the captured text to match the subject's username or one of the subject's groups. SubexpNameUser and SubexpNameGroup record where those subexpressions sit in the pattern.

func (RegexpGroupStringSubjectMatcher) IsMatch added in v4.36.0

func (r RegexpGroupStringSubjectMatcher) IsMatch(input string, subject Subject) (match bool)

IsMatch returns true if the underlying pattern matches the input given the subject.
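As an added example, not the package's own code: a self-contained matcher with the same three fields, assuming the named subexpressions are spelled `User` and `Group` (the names listed in IdentitySubexpNames), comparing case-insensitively, and refusing empty captures so that an anonymous subject cannot satisfy a `(?P<User>...)` group that matched nothing. The patterns and paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type Subject struct {
	Username string
	Groups   []string
}

// GroupMatcher is an illustrative stand-in for RegexpGroupStringSubjectMatcher.
// SubexpNameUser and SubexpNameGroup hold the index of the (?P<User>...) and
// (?P<Group>...) subexpressions, or -1 when the pattern has none.
type GroupMatcher struct {
	Pattern         *regexp.Regexp
	SubexpNameUser  int
	SubexpNameGroup int
}

// NewGroupMatcher compiles the pattern and resolves the named groups once.
// subjects reports whether matching will depend on the subject at all, the
// role the subjects return value plays for NewAccessControlResource.
func NewGroupMatcher(pattern string) (subjects bool, m GroupMatcher, err error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, GroupMatcher{}, err
	}
	m = GroupMatcher{Pattern: re, SubexpNameUser: re.SubexpIndex("User"), SubexpNameGroup: re.SubexpIndex("Group")}
	return m.SubexpNameUser != -1 || m.SubexpNameGroup != -1, m, nil
}

// IsMatch requires the pattern to match and, for each identity group present,
// the captured text to equal the subject's username or one of its groups
// (compared case-insensitively here; an assumption of this example).
func (m GroupMatcher) IsMatch(input string, subject Subject) bool {
	sub := m.Pattern.FindStringSubmatch(input)
	if sub == nil {
		return false
	}
	if m.SubexpNameUser != -1 {
		// Refuse an empty capture: with a pattern like (?P<User>\w*) it would
		// otherwise equal the empty Username of an anonymous subject.
		captured := sub[m.SubexpNameUser]
		if captured == "" || !strings.EqualFold(captured, subject.Username) {
			return false
		}
	}
	if m.SubexpNameGroup != -1 && !inGroups(sub[m.SubexpNameGroup], subject.Groups) {
		return false
	}
	return true
}

func inGroups(name string, groups []string) bool {
	if name == "" {
		return false
	}
	for _, g := range groups {
		if strings.EqualFold(g, name) {
			return true
		}
	}
	return false
}

func main() {
	_, m, _ := NewGroupMatcher(`^/users/(?P<User>[a-z0-9]+)/files/.*$`)
	alice := Subject{Username: "alice", Groups: []string{"dev"}}
	fmt.Println(m.IsMatch("/users/alice/files/x.pdf", alice), m.IsMatch("/users/bob/files/x.pdf", alice)) // true false
}
```

Resolving the group indexes at construction, as the SubexpName fields suggest, keeps the per-request path to a single FindStringSubmatch call and makes a pattern with no identity groups behave exactly like the plain RegexpStringSubjectMatcher.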

func (RegexpGroupStringSubjectMatcher) String added in v4.36.0

String returns the pattern string.

type RegexpStringSubjectMatcher added in v4.36.0

type RegexpStringSubjectMatcher struct {
	Pattern regexp.Regexp
}

RegexpStringSubjectMatcher matches the input string against the pattern only; the subject is ignored.

func (RegexpStringSubjectMatcher) IsMatch added in v4.36.0

func (r RegexpStringSubjectMatcher) IsMatch(input string, _ Subject) (match bool)

IsMatch returns true if the underlying pattern matches the input.

func (RegexpStringSubjectMatcher) String added in v4.36.0

String returns the pattern string.

type RuleMatchResult added in v4.34.0

type RuleMatchResult struct {
	Rule *AccessControlRule

	Skipped bool

	MatchDomain        bool
	MatchResources     bool
	MatchQuery         bool
	MatchMethods       bool
	MatchNetworks      bool
	MatchSubjects      bool
	MatchSubjectsExact bool
}

RuleMatchResult describes how well a rule matched a subject/object combo.

func (RuleMatchResult) IsMatch added in v4.34.0

func (r RuleMatchResult) IsMatch() (match bool)

IsMatch returns true if all the criteria matched.

func (RuleMatchResult) IsPotentialMatch added in v4.34.0

func (r RuleMatchResult) IsPotentialMatch() (match bool)

IsPotentialMatch returns true if the rule matched on every criterion other than the subject rules, i.e. it would apply to a subject that satisfies them.

type StringSubjectMatcher added in v4.36.0

type StringSubjectMatcher interface {
	IsMatch(input string, subject Subject) (match bool)
}

StringSubjectMatcher is a matcher that takes an input string and subject.

type Subject

type Subject struct {
	Username string
	Groups   []string
	IP       net.IP
}

Subject represents the identity of a user for the purposes of ACL matching.

func (Subject) IsAnonymous

func (s Subject) IsAnonymous() bool

IsAnonymous returns true if the Subject username and groups are empty.

func (Subject) String

func (s Subject) String() string

String returns a string representation of the Subject.

type SubjectMatcher added in v4.35.0

type SubjectMatcher interface {
	IsMatch(subject Subject) (match bool)
}

SubjectMatcher is a matcher that takes a subject.

type SubjectObjectMatcher added in v4.35.0

type SubjectObjectMatcher interface {
	IsMatch(subject Subject, object Object) (match bool)
}

SubjectObjectMatcher is a matcher that takes both a subject and an object.
