identity

package v0.0.0-...-9324e0a

Published: Feb 6, 2026 License: AGPL-3.0 Imports: 7 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func ValidateAuthenticationMethod

func ValidateAuthenticationMethod(authenticationMethod string) error

ValidateAuthenticationMethod returns an api.StatusError with http.StatusBadRequest if the given authentication method is not recognised.

Types

type Cache

type Cache struct {
	// contains filtered or unexported fields
}

Cache represents a thread-safe in-memory cache of the credentials of identities in the database.

Certificates are keyed on the certificate fingerprint. Secrets are keyed on the UUID of the bearer identity. Server, client and metrics certificates are kept in separate maps because they are handled differently during authentication: for example, metrics certificates are only considered when the API route is under /1.0/metrics. It is also crucial that server certificates can be identified without a database call, because establishing a database connection itself requires authentication.

func (*Cache) GetClientCertificates

func (c *Cache) GetClientCertificates(fingerprints ...string) map[string]x509.Certificate

GetClientCertificates returns matching client certificates.

func (*Cache) GetMetricsCertificates

func (c *Cache) GetMetricsCertificates(fingerprints ...string) map[string]x509.Certificate

GetMetricsCertificates returns matching metrics certificates.

func (*Cache) GetSecret

func (c *Cache) GetSecret(bearerIdentityUUID string) ([]byte, error)

GetSecret returns the secret of a bearer identity by their UUID.

func (*Cache) GetServerCertificates

func (c *Cache) GetServerCertificates(fingerprints ...string) map[string]x509.Certificate

GetServerCertificates returns matching server certificates.

func (*Cache) ReplaceAll

func (c *Cache) ReplaceAll(serverCerts map[string]*x509.Certificate, clientCerts map[string]*x509.Certificate, metricsCerts map[string]*x509.Certificate, secrets map[string][]byte)

ReplaceAll deletes all credentials from the cache and replaces them with the given values.
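The following is an added example, not code from the LXD project, showing the shape of cache described above: three fingerprint-keyed buckets behind one RWMutex, a ReplaceAll-style swap, and a lookup that consults the metrics bucket only for routes under /1.0/metrics. The bucket names, the `authenticate` function and the self-signed test certificates are constructed for this demonstration; unlike the page's Cache, this version takes ownership of the maps it is given rather than copying them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"sync"
	"time"
)

// certCache follows the shape of identity.Cache: one bucket per certificate
// class, every bucket keyed on the SHA-256 fingerprint of the DER encoding.
type certCache struct {
	mu      sync.RWMutex
	server  map[string]*x509.Certificate
	client  map[string]*x509.Certificate
	metrics map[string]*x509.Certificate
}

// fingerprint returns the lower-case hex SHA-256 digest of cert.Raw.
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// replaceAll swaps all three buckets under one write lock, so a concurrent
// reader sees either the old trust set or the new one, never a mix. The cache
// takes ownership of the maps; callers must not mutate them afterwards.
func (c *certCache) replaceAll(server, client, metrics map[string]*x509.Certificate) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.server, c.client, c.metrics = server, client, metrics
}

// authenticate maps a presented certificate to "server", "client" or "metrics".
// Server and client buckets apply to every route; the metrics bucket only to
// paths under /1.0/metrics, so a scrape-only certificate cannot reach the rest of the API.
func (c *certCache) authenticate(path string, peer *x509.Certificate) (string, error) {
	fp := fingerprint(peer)
	c.mu.RLock()
	defer c.mu.RUnlock()
	if _, ok := c.server[fp]; ok {
		return "server", nil
	}
	if _, ok := c.client[fp]; ok {
		return "client", nil
	}
	if _, ok := c.metrics[fp]; ok && strings.HasPrefix(path, "/1.0/metrics") {
		return "metrics", nil
	}
	return "", errors.New("certificate not trusted for " + path)
}

// selfSigned builds a throw-away P-256 certificate; constructed input for the demo.
func selfSigned(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	member, user, scraper := selfSigned("member01"), selfSigned("alice"), selfSigned("prometheus")
	c := &certCache{}
	c.replaceAll(
		map[string]*x509.Certificate{fingerprint(member): member},
		map[string]*x509.Certificate{fingerprint(user): user},
		map[string]*x509.Certificate{fingerprint(scraper): scraper},
	)
	cases := []struct{ path string; cert *x509.Certificate }{
		{"/1.0/instances", member}, {"/1.0/instances", user}, {"/1.0/metrics", scraper}, {"/1.0/instances", scraper},
	}
	for _, tc := range cases {
		class, err := c.authenticate(tc.path, tc.cert)
		fmt.Printf("%-15s %-11s -> %q %v\n", tc.path, tc.cert.Subject.CommonName, class, err)
	}
}
```

The last case in `main` is the one worth checking on a real deployment: a certificate that is only in the metrics bucket must be rejected on any non-metrics route, and a fingerprint that is in no bucket must be rejected everywhere.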

type CertificateClient

type CertificateClient struct {
	// contains filtered or unexported fields
}

CertificateClient represents an identity that authenticates using TLS certificates and whose permissions are managed via group membership. It supports both caching and fine-grained permissions but is not an admin by default.

func (CertificateClient) AuthenticationMethod

func (CertificateClient) AuthenticationMethod() string

AuthenticationMethod indicates that client certificates authenticate using TLS.

func (CertificateClient) Code

func (CertificateClient) Code() int64

Code returns the identity type code for this identity type.

func (CertificateClient) IsAdmin

func (CertificateClient) IsAdmin() bool

IsAdmin returns false by default.

func (CertificateClient) IsFineGrained

func (CertificateClient) IsFineGrained() bool

IsFineGrained indicates that this identity uses fine-grained permissions.

func (CertificateClient) IsPending

func (CertificateClient) IsPending() bool

IsPending returns false by default.

func (CertificateClient) LegacyCertificateType

func (CertificateClient) LegacyCertificateType() (certificate.Type, error)

LegacyCertificateType returns the legacy certificate type for this identity type. If (-1, error) is returned, it indicates that the identity type does not correspond to a legacy certificate type.

func (CertificateClient) Name

func (CertificateClient) Name() string

Name returns the API name of this identity type.

type CertificateClientPending

type CertificateClientPending struct {
	// contains filtered or unexported fields
}

CertificateClientPending represents an identity for which a token has been issued but who has not yet authenticated with LXD. It supports fine-grained permission management (e.g. the identity can be added to groups while in a pending state, allowing the token holder to assume the correct permissions when they eventually use the token to gain trust).

func (CertificateClientPending) AuthenticationMethod

func (CertificateClientPending) AuthenticationMethod() string

AuthenticationMethod indicates that pending client certificates authenticate using TLS.

func (CertificateClientPending) Code

func (CertificateClientPending) Code() int64

Code returns the identity type code for this identity type.

func (CertificateClientPending) IsAdmin

func (CertificateClientPending) IsAdmin() bool

IsAdmin returns false by default.

func (CertificateClientPending) IsFineGrained

func (CertificateClientPending) IsFineGrained() bool

IsFineGrained indicates that this identity uses fine-grained permissions.

func (CertificateClientPending) IsPending

func (CertificateClientPending) IsPending() bool

IsPending indicates that this identity is pending.

func (CertificateClientPending) LegacyCertificateType

func (CertificateClientPending) LegacyCertificateType() (certificate.Type, error)

LegacyCertificateType returns the legacy certificate type for this identity type. If (-1, error) is returned, it indicates that the identity type does not correspond to a legacy certificate type.

func (CertificateClientPending) Name

func (CertificateClientPending) Name() string

Name returns the API name of this identity type.

type CertificateClientRestricted

type CertificateClientRestricted struct {
	// contains filtered or unexported fields
}

CertificateClientRestricted represents an identity that authenticates using TLS certificates and is not privileged. It supports caching but does not support fine-grained permissions and is not an admin.

func (CertificateClientRestricted) AuthenticationMethod

func (CertificateClientRestricted) AuthenticationMethod() string

AuthenticationMethod indicates that restricted client certificates authenticate using TLS.

func (CertificateClientRestricted) Code

func (CertificateClientRestricted) Code() int64

Code returns the identity type code for this identity type.

func (CertificateClientRestricted) IsAdmin

func (CertificateClientRestricted) IsAdmin() bool

IsAdmin returns false by default.

func (CertificateClientRestricted) IsFineGrained

func (CertificateClientRestricted) IsFineGrained() bool

IsFineGrained returns false by default.

func (CertificateClientRestricted) IsPending

func (CertificateClientRestricted) IsPending() bool

IsPending returns false by default.

func (CertificateClientRestricted) LegacyCertificateType

func (CertificateClientRestricted) LegacyCertificateType() (certificate.Type, error)

LegacyCertificateType returns the legacy certificate type for this identity type.

func (CertificateClientRestricted) Name

func (CertificateClientRestricted) Name() string

Name returns the API name of this identity type.

type CertificateClientUnrestricted

type CertificateClientUnrestricted struct {
	// contains filtered or unexported fields
}

CertificateClientUnrestricted represents an identity that authenticates using TLS certificates and is privileged with administrator access. It supports caching, has admin privileges, but does not support fine-grained permissions.

func (CertificateClientUnrestricted) AuthenticationMethod

func (CertificateClientUnrestricted) AuthenticationMethod() string

AuthenticationMethod indicates that unrestricted client certificates authenticate using TLS.

func (CertificateClientUnrestricted) Code

func (CertificateClientUnrestricted) Code() int64

Code returns the identity type code for this identity type.

func (CertificateClientUnrestricted) IsAdmin

func (CertificateClientUnrestricted) IsAdmin() bool

IsAdmin indicates that this identity type has administrator privileges (unrestricted).

func (CertificateClientUnrestricted) IsFineGrained

func (CertificateClientUnrestricted) IsFineGrained() bool

IsFineGrained returns false by default.

func (CertificateClientUnrestricted) IsPending

func (CertificateClientUnrestricted) IsPending() bool

IsPending returns false by default.

func (CertificateClientUnrestricted) LegacyCertificateType

func (CertificateClientUnrestricted) LegacyCertificateType() (certificate.Type, error)

LegacyCertificateType returns the legacy certificate type for this identity type.

func (CertificateClientUnrestricted) Name

func (CertificateClientUnrestricted) Name() string

Name returns the API name of this identity type.

type CertificateMetricsRestricted

type CertificateMetricsRestricted struct {
	// contains filtered or unexported fields
}

CertificateMetricsRestricted represents an identity that can view metrics and is not privileged.

func (CertificateMetricsRestricted) AuthenticationMethod

func (CertificateMetricsRestricted) AuthenticationMethod() string

AuthenticationMethod indicates that restricted metrics certificates authenticate using TLS.

func (CertificateMetricsRestricted) Code

func (CertificateMetricsRestricted) Code() int64

Code returns the identity type code for this identity type.

func (CertificateMetricsRestricted) IsAdmin

func (CertificateMetricsRestricted) IsAdmin() bool

IsAdmin returns false by default.

func (CertificateMetricsRestricted) IsFineGrained

func (CertificateMetricsRestricted) IsFineGrained() bool

IsFineGrained returns false by default.

func (CertificateMetricsRestricted) IsPending

func (CertificateMetricsRestricted) IsPending() bool

IsPending returns false by default.

func (CertificateMetricsRestricted) LegacyCertificateType

func (CertificateMetricsRestricted) LegacyCertificateType() (certificate.Type, error)

LegacyCertificateType returns the legacy certificate type for this identity type.

func (CertificateMetricsRestricted) Name

func (CertificateMetricsRestricted) Name() string

Name returns the API name of this identity type.

type CertificateMetricsUnrestricted

type CertificateMetricsUnrestricted struct {
	// contains filtered or unexported fields
}

CertificateMetricsUnrestricted represents an identity that can view metrics and is privileged.

func (CertificateMetricsUnrestricted) AuthenticationMethod

func (CertificateMetricsUnrestricted) AuthenticationMethod() string

AuthenticationMethod indicates that unrestricted metrics certificates authenticate using TLS.

func (CertificateMetricsUnrestricted) Code

func (CertificateMetricsUnrestricted) Code() int64

Code returns the identity type code for this identity type.

func (CertificateMetricsUnrestricted) IsAdmin

func (CertificateMetricsUnrestricted) IsAdmin() bool

IsAdmin returns false by default.

func (CertificateMetricsUnrestricted) IsFineGrained

func (CertificateMetricsUnrestricted) IsFineGrained() bool

IsFineGrained returns false by default.

func (CertificateMetricsUnrestricted) IsPending

func (CertificateMetricsUnrestricted) IsPending() bool

IsPending returns false by default.

func (CertificateMetricsUnrestricted) LegacyCertificateType

func (CertificateMetricsUnrestricted) LegacyCertificateType() (certificate.Type, error)

LegacyCertificateType returns the legacy certificate type for this identity type.

func (CertificateMetricsUnrestricted) Name

func (CertificateMetricsUnrestricted) Name() string

Name returns the API name of this identity type.

type CertificateServer

type CertificateServer struct {
	// contains filtered or unexported fields
}

CertificateServer represents cluster member authentication using TLS certificates. It has administrator privileges and supports caching but does not support fine-grained permissions.

func (CertificateServer) AuthenticationMethod

func (CertificateServer) AuthenticationMethod() string

AuthenticationMethod indicates that server certificates authenticate using TLS.

func (CertificateServer) Code

func (CertificateServer) Code() int64

Code returns the identity type code for this identity type.

func (CertificateServer) IsAdmin

func (CertificateServer) IsAdmin() bool

IsAdmin indicates that this identity type has administrator privileges (unrestricted).

func (CertificateServer) IsFineGrained

func (CertificateServer) IsFineGrained() bool

IsFineGrained returns false by default.

func (CertificateServer) IsPending

func (CertificateServer) IsPending() bool

IsPending returns false by default.

func (CertificateServer) LegacyCertificateType

func (CertificateServer) LegacyCertificateType() (certificate.Type, error)

LegacyCertificateType returns the legacy certificate type for this identity type.

func (CertificateServer) Name

func (CertificateServer) Name() string

Name returns the API name of this identity type.

type DevLXDTokenBearer

type DevLXDTokenBearer struct {
	// contains filtered or unexported fields
}

DevLXDTokenBearer represents an identity that authenticates using a token issued by LXD and whose permissions are managed via group membership. The token is only valid for the DevLXD API. It supports both caching and fine-grained permissions but is not an admin by default.

func (DevLXDTokenBearer) AuthenticationMethod

func (DevLXDTokenBearer) AuthenticationMethod() string

AuthenticationMethod indicates that identities of this type authenticate via bearer token.

func (DevLXDTokenBearer) Code

func (DevLXDTokenBearer) Code() int64

Code returns the database code for DevLXDTokenBearer.

func (DevLXDTokenBearer) IsAdmin

func (DevLXDTokenBearer) IsAdmin() bool

IsAdmin returns false by default.

func (DevLXDTokenBearer) IsFineGrained

func (DevLXDTokenBearer) IsFineGrained() bool

IsFineGrained indicates that this identity uses fine-grained permissions.

func (DevLXDTokenBearer) IsPending

func (DevLXDTokenBearer) IsPending() bool

IsPending returns false by default.

func (DevLXDTokenBearer) LegacyCertificateType

func (DevLXDTokenBearer) LegacyCertificateType() (certificate.Type, error)

LegacyCertificateType returns the legacy certificate type for this identity type. If (-1, error) is returned, it indicates that the identity type does not correspond to a legacy certificate type.

func (DevLXDTokenBearer) Name

func (DevLXDTokenBearer) Name() string

Name returns the name of the DevLXDTokenBearer identity type.

type OIDCClient

type OIDCClient struct {
	// contains filtered or unexported fields
}

OIDCClient represents an identity that authenticates using OpenID Connect (OIDC). It supports caching and fine-grained permissions but is not an admin by default.

func (OIDCClient) AuthenticationMethod

func (OIDCClient) AuthenticationMethod() string

AuthenticationMethod indicates that OIDC clients authenticate using OIDC.

func (OIDCClient) Code

func (OIDCClient) Code() int64

Code returns the identity type code for this identity type.

func (OIDCClient) IsAdmin

func (OIDCClient) IsAdmin() bool

IsAdmin returns false by default.

func (OIDCClient) IsFineGrained

func (OIDCClient) IsFineGrained() bool

IsFineGrained indicates that this identity uses fine-grained permissions.

func (OIDCClient) IsPending

func (OIDCClient) IsPending() bool

IsPending returns false by default.

func (OIDCClient) LegacyCertificateType

func (OIDCClient) LegacyCertificateType() (certificate.Type, error)

LegacyCertificateType returns the legacy certificate type for this identity type. If (-1, error) is returned, it indicates that the identity type does not correspond to a legacy certificate type.

func (OIDCClient) Name

func (OIDCClient) Name() string

Name returns the API name of this identity type.

type Type

type Type interface {
	// AuthenticationMethod returns the authentication method used by this identity type.
	AuthenticationMethod() string

	// Code returns the identity type code for this identity type.
	Code() int64

	// IsAdmin returns true if this identity type has administrator privileges (unrestricted).
	IsAdmin() bool

	// IsFineGrained returns true if this identity type supports fine-grained permissions (managed via group ownership).
	IsFineGrained() bool

	// IsPending returns true if this identity type is a pending variant.
	IsPending() bool

	// LegacyCertificateType returns the legacy certificate type for this identity type.
	// If an error is returned, it indicates that the identity type does not correspond to a legacy certificate type.
	LegacyCertificateType() (certificate.Type, error)

	// Name returns the API name of this identity type.
	Name() string
}

Type represents an identity type in LXD. It defines the methods that all identity types must implement to provide authentication, authorization, and caching behavior.

To add a new identity type:

1. Add a new identity type code const below.
2. Add a new struct that implements this interface.
3. Add the new type to the [types] slice.
4. Add an API type in shared/api/auth.go.
5. Implement db functions in db/cluster/identities.go (if needed).

func New

func New(name string) (Type, error)

New creates a new identity type based on the provided identity type string. It validates the identity type string and returns the appropriate identity type struct that implements the Type interface. It returns http.StatusBadRequest wrapped in api.StatusErrorf if the identity type is not recognized.

func NewFromCode

func NewFromCode(code int64) (Type, error)

NewFromCode creates a new identity type based on the provided identity type code. It validates the identity type code and returns the appropriate identity type struct that implements the Type interface. It returns http.StatusInternalServerError wrapped in api.StatusErrorf if the identity type is not recognized. Prefer New over this function when validating identity types from input, as New returns http.StatusBadRequest for unrecognized types. This function is used in the implementation of [query.IntegerScanner] for [IdentityType] when reading from the database.

func Types

func Types() []Type

Types returns a slice of all identity types that implement the Type interface. The returned slice must not be modified by callers.
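As an added example (not LXD's code), the registry pattern behind Type, New, NewFromCode and Types in miniature, together with the check a reviewer would run after the "add a new identity type" steps above and a decision function that turns the IsPending / IsAdmin / IsFineGrained predicates into an allow or deny. The type names and codes in `registry`, the `statusError` type, `validateRegistry`, `authorize` and its `groupGrants` flag (standing in for a real group-membership lookup) are all assumptions of this example. The point it preserves from the page is the status-code split: an unknown name from an API caller is a 400, an unknown code read back from the database is a 500.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// identityType is a cut-down version of the page's Type interface.
type identityType interface {
	Name() string
	Code() int64
	IsAdmin() bool
	IsFineGrained() bool
	IsPending() bool
}

// kind is one table-driven implementation; the real package uses one struct per type.
type kind struct {
	name                        string
	code                        int64
	admin, fineGrained, pending bool
}

func (k kind) Name() string        { return k.name }
func (k kind) Code() int64         { return k.code }
func (k kind) IsAdmin() bool       { return k.admin }
func (k kind) IsFineGrained() bool { return k.fineGrained }
func (k kind) IsPending() bool     { return k.pending }

// registry plays the role of the [types] slice. Names and codes are assumed
// values for this demonstration, not LXD's.
var registry = []identityType{
	kind{name: "tls-client", code: 1, fineGrained: true},
	kind{name: "tls-client-pending", code: 2, fineGrained: true, pending: true},
	kind{name: "tls-client-unrestricted", code: 3, admin: true},
	kind{name: "tls-metrics-restricted", code: 4},
	kind{name: "oidc-client", code: 5, fineGrained: true},
}

// statusError pairs an error with the HTTP status a handler should send.
type statusError struct {
	status int
	msg    string
}

func (e *statusError) Error() string { return fmt.Sprintf("%d: %s", e.status, e.msg) }

// statusOf unwraps the status, defaulting to 500 for errors that carry none.
func statusOf(err error) int {
	var se *statusError
	if errors.As(err, &se) {
		return se.status
	}
	return http.StatusInternalServerError
}

// newType resolves a name supplied by an API caller; an unknown name is the caller's mistake (400).
func newType(name string) (identityType, error) {
	for _, t := range registry {
		if t.Name() == name {
			return t, nil
		}
	}
	return nil, &statusError{http.StatusBadRequest, "unrecognised identity type " + name}
}

// newFromCode resolves a code read back from the database; an unknown code
// means stored data no longer matches the binary, a server-side failure (500).
func newFromCode(code int64) (identityType, error) {
	for _, t := range registry {
		if t.Code() == code {
			return t, nil
		}
	}
	return nil, &statusError{http.StatusInternalServerError, fmt.Sprintf("unrecognised identity type code %d", code)}
}

// validateRegistry is the check to run after adding a type: names and codes
// must be unique, and no type may be both admin and fine-grained.
func validateRegistry() error {
	names, codes := map[string]bool{}, map[int64]bool{}
	for _, t := range registry {
		if names[t.Name()] || codes[t.Code()] {
			return fmt.Errorf("duplicate identity type %q / %d", t.Name(), t.Code())
		}
		names[t.Name()], codes[t.Code()] = true, true
		if t.IsAdmin() && t.IsFineGrained() {
			return fmt.Errorf("%q cannot be both admin and fine-grained", t.Name())
		}
	}
	return nil
}

// authorize turns the predicates into a decision. groupGrants stands in for a
// real group-membership lookup (an assumption of this example).
func authorize(t identityType, groupGrants bool) (bool, string) {
	switch {
	case t.IsPending():
		return false, "token not yet redeemed"
	case t.IsAdmin():
		return true, "unrestricted"
	case t.IsFineGrained():
		if groupGrants {
			return true, "granted by group membership"
		}
		return false, "no group grants access"
	default:
		return false, "restricted type with no fine-grained permissions to consult"
	}
}

func main() {
	if err := validateRegistry(); err != nil {
		panic(err)
	}
	for _, name := range []string{"tls-client-pending", "tls-client-unrestricted", "oidc-client", "bogus"} {
		t, err := newType(name)
		if err != nil {
			fmt.Println(name, "->", statusOf(err), err)
			continue
		}
		ok, why := authorize(t, true)
		fmt.Printf("%-24s admin=%-5v fine=%-5v pending=%-5v -> %v (%s)\n", t.Name(), t.IsAdmin(), t.IsFineGrained(), t.IsPending(), ok, why)
	}
}
```

Note that `authorize` checks IsPending before anything else: a pending identity may already belong to groups (the page says this is allowed so that the token holder inherits the right permissions later), so group membership alone must never be enough to grant access before the token has been redeemed.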
