package login

v0.0.0-...-03d6fc4

Published: Jan 23, 2019 License: BSD-3-Clause Imports: 20 Imported by: 0

Documentation

Overview

login handles logging in users.

Constants

const (
	COOKIE_NAME         = "sktoken"
	SESSION_COOKIE_NAME = "sksession"
	DEFAULT_COOKIE_SALT = "notverysecret"

	// DEFAULT_REDIRECT_URL is the redirect URL to use if Init is called with DEFAULT_DOMAIN_WHITELIST.
	DEFAULT_REDIRECT_URL = "https://skia.org/oauth2callback/"

	// DEFAULT_DOMAIN_WHITELIST is a white list of domains we use frequently.
	DEFAULT_DOMAIN_WHITELIST = "google.com chromium.org skia.org"

	// DEFAULT_ADMIN_WHITELIST is the white list of users we consider admins when we can't retrieve the whitelist from metadata.
	DEFAULT_ADMIN_WHITELIST = "benjaminwagner@google.com borenet@google.com jcgregorio@google.com kjlubick@google.com rmistry@google.com stephana@google.com"

	// COOKIE_DOMAIN is the domain that cookies are attached to.
	COOKIE_DOMAIN = "skia.org"

	// LOGIN_CONFIG_FILE is the location of the login config when running in kubernetes.
	LOGIN_CONFIG_FILE = "/etc/skia.org/login.json"

	// DEFAULT_CLIENT_SECRET_FILE is the default path to the file used for OAuth2 login.
	DEFAULT_CLIENT_SECRET_FILE = "client_secret.json"
)

Variables

var (
	// DEFAULT_SCOPE is the scope we request when logging in.
	DEFAULT_SCOPE = []string{"email"}
)

var RestrictAdmin = func(h http.Handler) http.Handler {
	sklog.Fatal("RestrictAdmin called but not configured with InitWithAllow.")
	return h
}

RestrictAdmin is middleware which enforces that the user is logged in as an admin before the wrapped handler is called. Filled in during InitWithAllow.

var RestrictEditor = func(h http.Handler) http.Handler {
	sklog.Fatal("RestrictEditor called but not configured with InitWithAllow.")
	return h
}

RestrictEditor is middleware which enforces that the user is logged in as an editor before the wrapped handler is called. Filled in during InitWithAllow.

var RestrictViewer = func(h http.Handler) http.Handler {
	sklog.Fatal("RestrictViewer called but not configured with InitWithAllow.")
	return h
}

RestrictViewer is middleware which enforces that the user is logged in as a viewer before the wrapped handler is called. Filled in during InitWithAllow.

Functions

func CookieFor

func CookieFor(value *Session, r *http.Request) (*http.Cookie, error)

CookieFor creates an encoded Cookie for the given user id.

func ForceAuth

func ForceAuth(h http.Handler, oauthCallbackPath string) http.Handler

ForceAuth is middleware that enforces authentication before the wrapped handler is called. oauthCallbackPath is the URL path that the user is redirected to at the end of the auth flow.

func ForceAuthMiddleware

func ForceAuthMiddleware(oauthCallbackPath string) func(http.Handler) http.Handler

ForceAuthMiddleware does ForceAuth by returning a func that can be used as middleware.

func ID

func ID(r *http.Request) string

ID returns the user's ID, i.e. their opaque identifier, if they are logged in, and "" if they are not logged in.

func Init

func Init(redirectURL string, authWhiteList string, clientSecretFile string) error

Init must be called before any other login methods.

The function first tries to load the cookie salt, client id, and client secret from GCE project level metadata. If that fails it looks for a "client_secret.json" file in the current directory to extract the client id and client secret from. If both of those fail then it returns an error.

The authWhiteList is the space separated list of domains and email addresses that are allowed to log in.

func InitWithAllow

func InitWithAllow(port string, local bool, admin, edit, view allowed.Allow)

InitWithAllow initializes the login system for the default case (see docs for SimpleInitMust) and sets the admin, editor, and viewer lists. These may be nil, in which case we fall back on the default whitelists. For editors we default to denying access to everyone, and for viewers we default to allowing access to everyone.

func IsAdmin

func IsAdmin(r *http.Request) bool

IsAdmin determines whether the user is logged in with an account on the admin whitelist. If true, user is allowed to perform admin tasks.

func IsEditor

func IsEditor(r *http.Request) bool

IsEditor determines whether the user is logged in with an account on the editor whitelist. If true, user is allowed to perform edits. Defaults to false if no editor whitelist is provided.

func IsGoogler

func IsGoogler(r *http.Request) bool

IsGoogler determines whether the user is logged in with an @google.com account.

func IsViewer

func IsViewer(r *http.Request) bool

IsViewer determines whether the user is allowed to view this server. Defaults to true if no viewer whitelist is provided.

func LoggedInAs

func LoggedInAs(r *http.Request) string

LoggedInAs returns the user's ID, i.e. their email address, if they are logged in, and "" if they are not logged in.

func LoginURL

func LoginURL(w http.ResponseWriter, r *http.Request) string

LoginURL returns a URL that the user is to be directed to for login.

func LogoutHandler

func LogoutHandler(w http.ResponseWriter, r *http.Request)

LogoutHandler logs the user out by overwriting the cookie with a blank email address.

Note that this doesn't revoke the 'email' grant, so logging in later will still be fast. Users can always visit https://security.google.com/settings/security/permissions to revoke any grants they make.

func OAuth2CallbackHandler

func OAuth2CallbackHandler(w http.ResponseWriter, r *http.Request)

OAuth2CallbackHandler must be attached at a handler that matches the callback URL registered in the APIs Console. In this case "/oauth2callback".

func Restrict

func Restrict(allow allowed.Allow) func(http.Handler) http.Handler

Restrict returns a middleware func which enforces that the user is logged in with an allowed account before the wrapped handler is called.

func RestrictAdminFn

func RestrictAdminFn(h http.HandlerFunc) http.HandlerFunc

RestrictAdminFn wraps an http.HandlerFunc, restricting it to admins.

func RestrictEditorFn

func RestrictEditorFn(h http.HandlerFunc) http.HandlerFunc

RestrictEditorFn wraps an http.HandlerFunc, restricting it to editors.

func RestrictFn

func RestrictFn(h http.HandlerFunc, allow allowed.Allow) http.HandlerFunc

RestrictFn wraps an http.HandlerFunc, restricting it to the given allowed list.

func RestrictViewerFn

func RestrictViewerFn(h http.HandlerFunc) http.HandlerFunc

RestrictViewerFn wraps an http.HandlerFunc, restricting it to viewers.

func RestrictWithMessage

func RestrictWithMessage(allow allowed.Allow, msg string) func(http.Handler) http.Handler

RestrictWithMessage returns a middleware func which enforces that the user is logged in with an allowed account before the wrapped handler is called. It uses the given message when a user is denied access.
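The following is added illustrative Go code, not the login package's own implementation: it shows the space-separated domain/email whitelist format that Init accepts and the deny path that Restrict and RestrictWithMessage describe. `AllowList`, `ParseAllowList` and the `userOf` callback are constructed stand-ins for allowed.Allow and LoggedInAs, whose real APIs this page does not show.

```go
package main
import (
	"fmt"
	"net/http"
	"strings"
)
// AllowList is the parsed form of the whitelist Init accepts, e.g.
// "google.com chromium.org fred@example.com": bare entries are domains, entries
// containing '@' are exact addresses. Constructed stand-in for allowed.Allow.
type AllowList struct {
	domains, emails map[string]bool
}

// ParseAllowList splits the whitelist string and lower-cases every entry.
func ParseAllowList(s string) *AllowList {
	al := &AllowList{domains: map[string]bool{}, emails: map[string]bool{}}
	for _, e := range strings.Fields(strings.ToLower(s)) {
		if strings.Contains(e, "@") {
			al.emails[e] = true
		} else {
			al.domains[e] = true
		}
	}
	return al
}

// Member reports whether email is an exact entry or belongs to a listed
// domain; subdomains of a listed domain are not members.
func (al *AllowList) Member(email string) bool {
	email = strings.ToLower(strings.TrimSpace(email))
	at := strings.LastIndex(email, "@")
	return al.emails[email] || (at >= 0 && al.domains[email[at+1:]])
}
// RestrictWithMessage follows the page's description: userOf stands in for
// LoggedInAs, and an anonymous or non-member user gets 403 with msg.
func RestrictWithMessage(al *AllowList, msg string, userOf func(*http.Request) string) func(http.Handler) http.Handler {
	return func(h http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if u := userOf(r); u == "" || !al.Member(u) {
				http.Error(w, msg, http.StatusForbidden)
				return
			}
			h.ServeHTTP(w, r)
		})
	}
}
func main() {
	al := ParseAllowList("google.com chromium.org skia.org fred@example.com")
	fmt.Println(al.Member("alice@google.com"), al.Member("eve@example.com")) // true false
}
```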

func SimpleInitMust

func SimpleInitMust(port string, local bool)

SimpleInitMust initializes the login system for the default case, which uses DEFAULT_REDIRECT_URL in prod along with the DEFAULT_DOMAIN_WHITELIST, and uses a localhost redirect URL on 'port' if 'local' is true.

If an error occurs then the function fails fatally.

func StatusHandler

func StatusHandler(w http.ResponseWriter, r *http.Request)

StatusHandler returns the login status of the user as JSON that looks like:

{
  "Email":      "fred@example.com",
  "ID":         "12342...34324",
  "LoginURL":   "https://...",
  "IsAGoogler": false,
  "IsViewer":   true,
  "IsEditor":   true,
  "IsAdmin":    false
}

func UserIdentifiers

func UserIdentifiers(r *http.Request) (string, string)

UserIdentifiers returns both the email and opaque user id of the logged in user, and will return two empty strings if they are not logged in.

func ValidateBearerToken

func ValidateBearerToken(token string) (*oauth2_api.Tokeninfo, error)

ValidateBearerToken takes an OAuth 2.0 Bearer token (e.g. the third part of "Authorization: Bearer ya29.Elj...") and polls a Google HTTP endpoint to see if it is valid. This is fine in low-volume situations, but another solution may be needed if this goes higher than a few QPS.

func ViaBearerToken

func ViaBearerToken(r *http.Request) (string, error)

ViaBearerToken tries to load an OAuth 2.0 Bearer token from the request and derives the login email address from it.

Types

type Session

type Session struct {
	Email     string
	ID        string
	AuthScope string
	Token     *oauth2.Token
}

Session is encrypted and serialized and stored in a user's cookie.
