README
¶
Authlib types
The types package is a dependency free set of types and interfaces that most consumers should depend on. Using this package will avoid accidentally relying on internal implementation details and interfaces.
Documentation
¶
Index ¶
- Constants
- Variables
- func CloudNamespaceFormatter(id int64) string
- func IsIdentityType(typ IdentityType, expected ...IdentityType) bool
- func NamespaceMatches(namespace, expected string) bool
- func NewTypeID(typ IdentityType, identifier string) string
- func OrgNamespaceFormatter(id int64) string
- func ValidateCheckRequest(req CheckRequest) error
- func ValidateListRequest(req ListRequest) error
- func WithAuthInfo(ctx context.Context, auth AuthInfo) context.Context
- type AccessChecker
- type AccessClient
- type AccessLister
- type AuthInfo
- type BatchCheckItem
- type BatchCheckRequest
- type BatchCheckResponse
- type BatchCheckResult
- type CheckRequest
- type CheckResponse
- type IdentityType
- type ItemChecker
- type ListRequest
- type NamespaceFormatter
- type NamespaceInfo
- type NoopZookie
- type Zookie
Constants ¶
View Source
const MaxBatchCheckItems = 50
MaxBatchCheckItems is the maximum number of checks allowed in a single BatchCheckRequest
Variables ¶
View Source
var ( ErrNamespaceMismatch = errors.New("namespace mismatch") ErrMissingRequestGroup = errors.New("missing request group") ErrMissingRequestResource = errors.New("missing request resource") ErrMissingRequestVerb = errors.New("missing request verb") // BatchCheck validation errors ErrTooManyChecks = errors.New("too many checks in batch request, maximum is 50") ErrEmptyCorrelationID = errors.New("correlation ID cannot be empty") ErrDuplicateCorrelationID = errors.New("duplicate correlation ID in batch request") )
View Source
var (
ErrInvalidTypedID = errors.New("auth.identity.invalid-typed-id")
)
Functions ¶
func CloudNamespaceFormatter ¶
func IsIdentityType ¶
func IsIdentityType(typ IdentityType, expected ...IdentityType) bool
IsIdentityType returns true if type matches any expected identity type
func NamespaceMatches ¶
NamespaceMatches check if provided namespace matches the expected one. This function always cosider the namespace to match if namespace is `*`.
func NewTypeID ¶
func NewTypeID(typ IdentityType, identifier string) string
func OrgNamespaceFormatter ¶
OrgNamespaceFormatter is the namespace format used in on-prem deployments
func ValidateCheckRequest ¶
func ValidateCheckRequest(req CheckRequest) error
func ValidateListRequest ¶
func ValidateListRequest(req ListRequest) error
Types ¶
type AccessChecker ¶
type AccessChecker interface {
// Check checks whether the user can perform the given action for all requests
// NOTE, the authz system does not know the folder where each resource is stored
// the folder must be passed into the system when folder authorization is required
Check(ctx context.Context, info AuthInfo, req CheckRequest, folder string) (CheckResponse, error)
}
type AccessClient ¶
type AccessClient interface {
AccessChecker
AccessLister
}
func FixedAccessClient ¶
func FixedAccessClient(allowed bool) AccessClient
A simple client that always returns the same value
type AccessLister ¶
type AccessLister interface {
// Deprecated: Use BatchCheck instead. Compile generates a function to check
// whether the id has access to items matching a request.
// This is particularly useful when you want to verify access to a list of resources.
// Returns nil if there is no access to any matching items
Compile(ctx context.Context, info AuthInfo, req ListRequest) (ItemChecker, Zookie, error)
// BatchCheck performs multiple access checks in a single request.
// Checks can span different Group/Resource combinations.
// Maximum of 50 checks per request.
BatchCheck(ctx context.Context, info AuthInfo, req BatchCheckRequest) (BatchCheckResponse, error)
}
type AuthInfo ¶
type AuthInfo interface {
// GetUID returns a unique value for a particular identity that will change
// if the user is removed from the system and another user is added with
// the same name.
// This will be in the form: <IdentityType>:<Identifier>
GetUID() string
// GetIdentifier returns only the Identifier part.
// For some identity types this can be empty e.g. Anonymous.
GetIdentifier() string
// GetIdentityType returns the identity type.
GetIdentityType() IdentityType
// GetNamespace returns a namespace in the form of '<type>-<id>', '*' means all namespaces.
// In Grafana it the type can be either org or stacks.
GetNamespace() string
// GetGroups returns the names of the groups the identity is a member of
// This is unused for now.
GetGroups() []string
// GetExtra can contain any additional information that the authenticator
// thought was interesting. One example would be scopes on a token.
// Keys in this map should be namespaced to the authenticator or
// authenticator/authorizer pair making use of them.
// For instance: "example.org/foo" instead of "foo"
// This is a map[string][]string because it needs to be serializeable into
// a SubjectAccessReviewSpec.authorization.k8s.io for proper authorization
// delegation flows
// In order to faithfully round-trip through an impersonation flow, these keys
// MUST be lowercase.
GetExtra() map[string][]string
// GetSubject return the subject for authenticated identity.
// This will be in the form: <IdentityType>:<Identifier> and will use deprecated
// integer id as the identitifier.
GetSubject() string
// GetAudience returns the audience.
GetAudience() []string
// GetTokenPermissions returns Grafana permissions that authenticated access token can perform.
GetTokenPermissions() []string
// GetTokenDelegatedPermissions returns Grafana permissions that can be performed on-behalf of another identity
GetTokenDelegatedPermissions() []string
// GetName returns the name that can be shown to identify the identity
// This may be a configured display name, an email, or (worst case) a ID
GetName() string
// GetEmail returns the email.
// This is only set for users.
GetEmail() string
// GetEmailVerified returns if the email has been verified.
// This is only set for users
GetEmailVerified() bool
// GetUsername returns the username.
// This is only set for users.
GetUsername() string
// GetAuthenticatedBy is the original method used to authenticate the identity.
// Examples: password, oauth_azuread, etc
GetAuthenticatedBy() string
// GetIDToken returns the singed id token used during authentication.
// Will be empty if authencation was performed only using access token.
GetIDToken() string
}
AuthInfo provides access to the requested authnz info This includes the identity and access types. This interface is also designed to fulfil the kubernetes user requirements: https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go#L20
type BatchCheckItem ¶
type BatchCheckItem struct {
// CorrelationID is a unique identifier to correlate this check with its result.
// Must be a non-empty string unique within the batch request.
CorrelationID string
// The requested access verb.
Verb string
// API group (dashboards.grafana.app)
Group string
// ~Kind eg dashboards
Resource string
// tenant isolation
Namespace string
// The specific resource name
Name string
// Optional subresource
Subresource string
// For non-resource requests, this will be the requested URL path
Path string
// Folder is the parent folder of the resource
Folder string
// FreshnessTimestamp is the timestamp when the resource was last modified.
// If provided, the server should skip cache for this item if the cached result
// is older than this timestamp. This ensures freshness for recently modified resources.
FreshnessTimestamp time.Time
}
BatchCheckItem represents a single check in a batch request. Each item must have a unique CorrelationID to match with its result.
type BatchCheckRequest ¶
type BatchCheckRequest struct {
// Checks is the list of individual check items to perform.
// Maximum of 50 items allowed.
Checks []BatchCheckItem
// SkipCache forces the access checker to skip any caching layer for all checks.
SkipCache bool
}
BatchCheckRequest contains multiple checks to be performed at once. Maximum of 50 checks per request.
func (*BatchCheckRequest) Validate ¶
func (r *BatchCheckRequest) Validate() error
Validate validates the BatchCheckRequest ensuring: - No more than 50 checks per request - All correlation IDs are non-empty and unique - All check items have required fields (Group, Resource, Verb)
type BatchCheckResponse ¶
type BatchCheckResponse struct {
// Results maps each CorrelationID to its check result.
Results map[string]BatchCheckResult
}
BatchCheckResponse contains results for all checks in a batch request.
type BatchCheckResult ¶
type BatchCheckResult struct {
// Allowed is true if the request is allowed, false otherwise.
Allowed bool
// Error contains any error that occurred during the check.
Error error
}
BatchCheckResult represents the result of a single check in a batch.
type CheckRequest ¶
type CheckRequest struct {
// The requested access verb.
// this includes get, list, watch, create, update, patch, delete, deletecollection, and proxy,
// or the lowercased HTTP verb associated with non-API requests (this includes get, put, post, patch, and delete)
Verb string
// API group (dashboards.grafana.app)
Group string
// ~Kind eg dashboards
Resource string
// tenant isolation
Namespace string
// The specific resource
// In grafana, this was historically called "UID", but in k8s, it is the name
Name string
// Optional subresource
Subresource string
// For non-resource requests, this will be the requested URL path
Path string
// SkipCache forces the access checker to skip any caching layer
SkipCache bool
}
CheckRequest describes the requested access. This is designed bo to play nicely with the kubernetes authorization system: https://github.com/kubernetes/kubernetes/blob/v1.30.3/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go#L28
type CheckResponse ¶
type IdentityType ¶
type IdentityType string
The type of identity +enum
const ( TypeUser IdentityType = "user" TypeAPIKey IdentityType = "api-key" TypeServiceAccount IdentityType = "service-account" TypeAnonymous IdentityType = "anonymous" TypeRenderService IdentityType = "render" TypeUnauthenticated IdentityType = "unauthenticated" TypeAccessPolicy IdentityType = "access-policy" TypeProvisioning IdentityType = "provisioning" TypePublic IdentityType = "public" TypeEmpty IdentityType = "" )
func ParseType ¶
func ParseType(str string) (IdentityType, error)
func ParseTypeID ¶
func ParseTypeID(str string) (IdentityType, string, error)
func (IdentityType) String ¶
func (n IdentityType) String() string
type ItemChecker ¶
Checks access while iterating within a resource
type ListRequest ¶
type ListRequest struct {
// API group (dashboards.grafana.app)
Group string
// ~Kind eg dashboards
Resource string
// tenant isolation
Namespace string
// Verb is the requested access verb.
Verb string
// Optional subresource
Subresource string
// SkipCache forces the access checker to skip any caching layer
SkipCache bool
}
type NamespaceFormatter ¶
NamespaceFormatter defines a function that formats a stack or organization ID into the expected namespace format based on the deployment environment (Cloud/On-prem). Example: stacks-6481, org-12
type NamespaceInfo ¶
type NamespaceInfo struct {
// The original namespace string regardless the input
Value string
// OrgID defined in namespace (1 when using stack ids)
OrgID int64
// The cloud stack ID (must match the value in cfg.Settings)
StackID int64
}
func ParseNamespace ¶
func ParseNamespace(ns string) (NamespaceInfo, error)
type NoopZookie ¶
type NoopZookie struct{}
A Zookie that is always fresh
func (NoopZookie) IsFresherThan ¶
func (n NoopZookie) IsFresherThan(d time.Time) bool
Source Files
Click to show internal directories.
Click to hide internal directories.