auth

package
v0.0.0-...-a9d0937

This package is not in the latest version of its module.

Published: Apr 10, 2024 License: Apache-2.0 Imports: 13 Imported by: 7

Documentation

Constants

This section is empty.

Variables

DefaultAuthorizerFactory constructs deduplicated authorizers based on options specified in configuration messages.

Functions

func AuthorizeSingleInstanceName

func AuthorizeSingleInstanceName(ctx context.Context, authorizer Authorizer, instanceName digest.InstanceName) error

AuthorizeSingleInstanceName is a convenience function to authorize a single instance name with an Authorizer.

func NewContextWithAuthenticationMetadata

func NewContextWithAuthenticationMetadata(ctx context.Context, authenticationMetadata *AuthenticationMetadata) context.Context

NewContextWithAuthenticationMetadata creates a new Context object that has AuthenticationMetadata attached to it.

Types

type AuthenticationMetadata

type AuthenticationMetadata struct {
	// contains filtered or unexported fields
}

AuthenticationMetadata contains information on the authenticated user that is performing the current operation.

func AuthenticationMetadataFromContext

func AuthenticationMetadataFromContext(ctx context.Context) *AuthenticationMetadata

AuthenticationMetadataFromContext retrieves the AuthenticationMetadata that was previously attached to the Context object.

If the Context object contains no metadata, a default instance corresponding to the empty metadata is returned.

func MustNewAuthenticationMetadataFromProto

func MustNewAuthenticationMetadataFromProto(message *auth_pb.AuthenticationMetadata) *AuthenticationMetadata

MustNewAuthenticationMetadataFromProto is identical to NewAuthenticationMetadataFromProto(), except that it panics upon failure. This method is provided for testing.

func NewAuthenticationMetadataFromProto

func NewAuthenticationMetadataFromProto(message *auth_pb.AuthenticationMetadata) (*AuthenticationMetadata, error)

NewAuthenticationMetadataFromProto creates a new AuthenticationMetadata object that contains the data obtained by the gRPC Authenticator.

func NewAuthenticationMetadataFromRaw

func NewAuthenticationMetadataFromRaw(metadataRaw any) (*AuthenticationMetadata, error)

NewAuthenticationMetadataFromRaw is identical to NewAuthenticationMetadataFromProto, except that it takes the metadata as a JSON-like value (i.e., a map[string]any).

func (*AuthenticationMetadata) GetFullProto

GetFullProto returns the AuthenticationMetadata in Protobuf form.

func (*AuthenticationMetadata) GetPublicProto

func (am *AuthenticationMetadata) GetPublicProto() (*auth_pb.AuthenticationMetadata, bool)

GetPublicProto returns the AuthenticationMetadata in Protobuf form, only containing the values that are safe to display as part of logs.

This method also returns a boolean value that indicates whether the resulting message contains any data to display. When false, it may be desirable to suppress displaying it.

func (*AuthenticationMetadata) GetRaw

func (am *AuthenticationMetadata) GetRaw() map[string]any

GetRaw returns the original JSON-like value that was used to construct the AuthenticationMetadata.

func (*AuthenticationMetadata) GetTracingAttributes

func (am *AuthenticationMetadata) GetTracingAttributes() []attribute.KeyValue

GetTracingAttributes returns OpenTelemetry tracing attributes that can be added to spans.

type Authorizer

type Authorizer interface {
	// Authorize returns a slice of errors, in the same order as the
	// passed instance names.
	//
	// For each error, a nil value indicates that an instance name was
	// authorized.
	// A non-nil value indicates that the instance name was not authorized,
	// or that an error occurred when authorizing.
	//
	// Note that this function may block, and should not be called while
	// locks are held which may be contended.
	Authorize(ctx context.Context, instanceNames []digest.InstanceName) []error
}

Authorizer authorizes the requesting user to perform scoped actions against particular instance names.
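The following is an added, self-contained illustration of how the context-attached AuthenticationMetadata and the Authorizer contract described above fit together; it is not code from this package. It re-declares look-alike types with the same shape (instance names are assumed to be plain strings and the metadata is reduced to a user name, both assumptions) so it runs without the module, and shows the one-error-per-instance-name contract plus the empty-metadata default that AuthenticationMetadataFromContext documents.

```go
package main
import (
	"context"
	"errors"
)

// Authorizer mirrors the page's interface: one error per instance name, nil means authorized.
type Authorizer interface {
	Authorize(ctx context.Context, instanceNames []string) []error
}

// AuthenticationMetadata stands in for the page's type; only a user name is modelled (assumption).
type AuthenticationMetadata struct{ User string }
type metadataKey struct{}

func NewContextWithAuthenticationMetadata(ctx context.Context, am *AuthenticationMetadata) context.Context {
	return context.WithValue(ctx, metadataKey{}, am)
}

// AuthenticationMetadataFromContext yields empty metadata when none was attached, as documented.
func AuthenticationMetadataFromContext(ctx context.Context) *AuthenticationMetadata {
	if am, ok := ctx.Value(metadataKey{}).(*AuthenticationMetadata); ok {
		return am
	}
	return &AuthenticationMetadata{}
}

var ErrUnauthorized = errors.New("instance name not authorized")

// userScoped permits the listed names for one user; absent metadata yields User == "", so never build one with user "".
type userScoped struct {
	user  string
	names map[string]bool
}

// Authorize keeps the result slice aligned with the input, as the interface requires.
func (a userScoped) Authorize(ctx context.Context, names []string) []error {
	user := AuthenticationMetadataFromContext(ctx).User
	errs := make([]error, len(names))
	for i, n := range names {
		if user != a.user || !a.names[n] {
			errs[i] = ErrUnauthorized
		}
	}
	return errs
}

// AuthorizeSingleInstanceName mirrors the page's convenience wrapper.
func AuthorizeSingleInstanceName(ctx context.Context, a Authorizer, name string) error {
	return a.Authorize(ctx, []string{name})[0]
}
```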

func NewAnyAuthorizer

func NewAnyAuthorizer(authorizers []Authorizer) Authorizer

NewAnyAuthorizer creates an Authorizer that forwards calls to a series of backends, permitting access to a given instance name if one or more backends do so as well.

func NewJMESPathExpressionAuthorizer

func NewJMESPathExpressionAuthorizer(expression *jmespath.JMESPath) Authorizer

NewJMESPathExpressionAuthorizer creates an Authorizer that evaluates a JMESPath expression to make an authorization decision. The JMESPath expression is called with a JSON object that includes both the REv2 instance name and the authentication metadata.

func NewStaticAuthorizer

func NewStaticAuthorizer(matcher digest.InstanceNameMatcher) Authorizer

NewStaticAuthorizer creates a new Authorizer which allows all requests to matching instance names, ignoring context.

type AuthorizerFactory

type AuthorizerFactory interface {
	// NewAuthorizerFromConfiguration constructs an authorizer based on
	// options specified in a configuration message.
	NewAuthorizerFromConfiguration(configuration *pb.AuthorizerConfiguration) (Authorizer, error)
}

AuthorizerFactory can be used to construct authorizers based on options specified in a configuration message.

func NewDeduplicatingAuthorizerFactory

func NewDeduplicatingAuthorizerFactory(base AuthorizerFactory) AuthorizerFactory

NewDeduplicatingAuthorizerFactory creates a new AuthorizerFactory that returns the same Authorizer for identical configurations, which may allow for things like sharing caches.

type BaseAuthorizerFactory

type BaseAuthorizerFactory struct{}

BaseAuthorizerFactory can be used to construct authorizers based on options specified in a configuration message.

func (BaseAuthorizerFactory) NewAuthorizerFromConfiguration

func (f BaseAuthorizerFactory) NewAuthorizerFromConfiguration(config *pb.AuthorizerConfiguration) (Authorizer, error)

NewAuthorizerFromConfiguration constructs an authorizer based on options specified in a configuration message.
