authentication

package
v0.0.0-...-0b47d81 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 26, 2024 License: AGPL-3.0 Imports: 20 Imported by: 10

Documentation

Index

Constants

View Source 
const (
	// ErrorEntityMissingPermission is an error that acts as an anchor for all
	// consumers of authorization information in the API. As authorizers may
	// return different authorization errors based on the entity context. This
	// error exists to wrap all of these difference so one value can be used to
	// determine if an authorization problem has occurred.
	ErrorEntityMissingPermission = errors.ConstError("entity missing permission")
)
View Source 
const (

	// LocalLoginInteractionTimeout is how long a user has to complete
	// an interactive login before it is expired.
	LocalLoginInteractionTimeout = 2 * time.Minute
)

Variables

View Source 
var ErrExpired = errors.New("interaction timed out")

ErrExpired is returned by Interactions.Wait when interactions expire before they are done.

View Source 
var ErrWaitCanceled = errors.New("wait canceled")

ErrWaitCanceled is returned by Interactions.Wait when the cancel channel is signalled.

Functions

func CheckLocalLoginCaveat 

func CheckLocalLoginCaveat(caveat string) (names.UserTag, error)

CheckLocalLoginCaveat parses and checks that the given caveat string is valid for a local login request, and returns the tag of the local user that the caveat asserts is logged in. checkers.ErrCaveatNotRecognized will be returned if the caveat is not recognised.

func CheckLocalLoginRequest 

func CheckLocalLoginRequest(
	ctx context.Context,
	auth MacaroonChecker,
	req *http.Request,
) error

CheckLocalLoginRequest checks that the given HTTP request contains at least one valid local login macaroon minted by the given service using CreateLocalLoginMacaroon. It returns an error with a *bakery.VerificationError cause if the macaroon verification failed.

func CreateLocalLoginMacaroon 

func CreateLocalLoginMacaroon(
	ctx context.Context,
	tag names.UserTag,
	minter MacaroonMinter,
	clock clock.Clock,
	version bakery.Version,
) (*bakery.Macaroon, error)

CreateLocalLoginMacaroon creates a macaroon that may be provided to a user as proof that they have logged in with a valid username and password. This macaroon may then be used to obtain a discharge macaroon so that the user can log in without presenting their password for a set amount of time.

func DischargeCaveats 

func DischargeCaveats(tag names.UserTag, clock clock.Clock) []checkers.Caveat

DischargeCaveats returns the caveats to add to a login discharge macaroon.

Types

type AgentAuthenticator 

type AgentAuthenticator struct{}

EntityAuthenticator performs authentication for juju entities.

func (*AgentAuthenticator) Authenticate 

func (*AgentAuthenticator) Authenticate(ctx context.Context, entityFinder EntityFinder, authParams AuthParams) (state.Entity, error)

Authenticate authenticates the provided entity. It takes an entityfinder and the tag used to find the entity that requires authentication.

type AuthInfo 

type AuthInfo struct {
	// Delegator is the interface back to the authenticating mechanism for
	// helping with permission questions about the authed entity.
	Delegator PermissionDelegator

	// Entity is the user/machine/unit/etc that has authenticated.
	Entity Entity

	// Controller reports whether or not the authenticated
	// entity is a controller agent.
	Controller bool
}

AuthInfo is returned by Authenticator and RequestAuthInfo.

func (*AuthInfo) SubjectPermissions 

func (a *AuthInfo) SubjectPermissions(subject names.Tag) (permission.Access, error)

SubjectPermissions is a convenience wrapper around the AuthInfo permissions delegator. errors.NotImplemented is returned if the permission delegator on this AuthInfo is nil.

type AuthInfoPermissions 

type AuthInfoPermissions func(Entity, names.Tag) (permission.Access, error)

AuthInfoPermissions defined a type for a helper func that can answer questions an entity and what access they have on to a specific subject tag.

It is up to the creator of the AuthInfo struct to provide a suitable implementation of this func. It's is for legacy reasons we allow querying of other entities besides the one focused on in the AuthInfo struct.

TODO: tlm look at ways to gradually remove the Entity portion of this function so the question can only be asked of the one focuses on in the AuthInfo struct.

type AuthParams 

type AuthParams struct {
	// These are used for user or agent auth.
	AuthTag     names.Tag
	Credentials string

	// Token is used for rebac based auth.
	Token string

	// None is used for agent auth.
	Nonce string

	// These are used for macaroon auth.
	Macaroons     []macaroon.Slice
	BakeryVersion bakery.Version
}

AuthParams holds the info used to authenticate a login request.

type Authorizer 

type Authorizer interface {
	Authorize(AuthInfo) error
}

Authorizer is a function type for authorizing a request.

If this returns an error, the handler should return StatusForbidden.

type Bakery 

type Bakery interface {
	MacaroonMinter
	MacaroonChecker
}

Bakery defines the subset of bakery.Bakery that we require for authentication.

type Entity 

type Entity interface {
	Tag() names.Tag
}

Entity represents a user, machine, or unit that might be authenticated.

func TagToEntity 

func TagToEntity(t names.Tag) Entity

TagToEntity takes a name names.Tag and concerts it an authentication Entity.

type EntityAuthenticator 

type EntityAuthenticator interface {
	// Authenticate authenticates the given entity.
	Authenticate(ctx context.Context, entityFinder EntityFinder, authParams AuthParams) (state.Entity, error)
}

EntityAuthenticator is the interface all entity authenticators need to implement to authenticate juju entities.

type EntityFinder 

type EntityFinder interface {
	FindEntity(tag names.Tag) (state.Entity, error)
}

EntityFinder finds the entity described by the tag.

type ExpirableStorageBakery 

type ExpirableStorageBakery interface {
	Bakery

	// ExpireStorageAfter returns a new ExpirableStorageBakery with
	// a store that will expire items added to it at the specified time.
	ExpireStorageAfter(time.Duration) (ExpirableStorageBakery, error)
}

ExpirableStorageBakery extends Bakery with the ExpireStorageAfter method so that root keys are removed from storage at that time.

type ExternalMacaroonAuthenticator 

type ExternalMacaroonAuthenticator struct {
	// Bakery holds the bakery that is
	// used to verify macaroon authorization.
	Bakery *identchecker.Bakery

	// IdentityLocation holds the URL of the trusted third party
	// that is used to address the is-authenticated-user
	// third party caveat to.
	IdentityLocation string

	// Clock is used to set macaroon expiry time.
	Clock clock.Clock
}

ExternalMacaroonAuthenticator performs authentication for external users using macaroons. If the authentication fails because provided macaroons are invalid, and macaroon authentiction is enabled, it will return a *apiservererrors.DischargeRequiredError holding a macaroon to be discharged.

func (*ExternalMacaroonAuthenticator) Authenticate 

func (m *ExternalMacaroonAuthenticator) Authenticate(ctx context.Context, _ EntityFinder, authParams AuthParams) (state.Entity, error)

Authenticate authenticates the provided entity. If there is no macaroon provided, it will return a *DischargeRequiredError containing a macaroon that can be used to grant access.

func (ExternalMacaroonAuthenticator) DeclaredIdentity 

func (ExternalMacaroonAuthenticator) DeclaredIdentity(ctx context.Context, declared map[string]string) (identchecker.Identity, error)

DeclaredIdentity implements IdentityClient.DeclaredIdentity.

func (*ExternalMacaroonAuthenticator) IdentityFromContext 

func (m *ExternalMacaroonAuthenticator) IdentityFromContext(ctx context.Context) (identchecker.Identity, []checkers.Caveat, error)

IdentityFromContext implements IdentityClient.IdentityFromContext.

type HTTPAuthenticator 

type HTTPAuthenticator interface {
	// Authenticate authenticates the given request, returning the
	// auth info.
	//
	// If the request does not contain any authentication details,
	// then an error satisfying errors.Is(err, errors.NotFound) will be
	// returned.
	// If this returns an error that is not composable as HTTPWritableError then
	// the handler should return StatusUnauthorized.
	Authenticate(*http.Request) (AuthInfo, error)
}

HTTPAuthenticator provides an interface for authenticating a raw http request from a client.

type HTTPStrategicAuthenticator 

type HTTPStrategicAuthenticator []HTTPAuthenticator

HTTPStrategicAuthenticator is responsible for trying multiple Authenticators until one succeeds or an error is returned that is not equal to NotFound or NotImplemented.

func (HTTPStrategicAuthenticator) Authenticate 

func (s HTTPStrategicAuthenticator) Authenticate(req *http.Request) (AuthInfo, error)

Authenticate implements HTTPAuthenticator and calls each authenticator in order.

type Interaction 

type Interaction struct {
	CaveatId   []byte
	LoginUser  names.UserTag
	LoginError error
}

Interaction records details of an in-progress interactive macaroon-based login.

type Interactions 

type Interactions struct {
	// contains filtered or unexported fields
}

Interactions maintains a set of Interactions.

func NewInteractions 

func NewInteractions() *Interactions

NewInteractions returns a new Interactions.

func (*Interactions) Done 

func (m *Interactions) Done(id string, loginUser names.UserTag, loginError error) error

Done signals that the user has either logged in, or attempted to and failed.

func (*Interactions) Expire 

func (m *Interactions) Expire(t time.Time)

Expire removes any interactions that were due to expire by the specified time.

func (*Interactions) Start 

func (m *Interactions) Start(caveatId []byte, expiry time.Time) (string, error)

Start records the start of an interactive login, and returns a random ID that uniquely identifies it. A call to Wait with the same ID will return the Interaction once it is done.

func (*Interactions) Wait 

func (m *Interactions) Wait(id string, cancel <-chan struct{}) (*Interaction, error)

Wait waits until the identified interaction is done, and returns the corresponding Interaction. If the cancel channel is signalled before the interaction is done, then ErrWaitCanceled is returned. If the interaction expires before it is done, ErrExpired is returned.

type LocalUserAuthenticator 

type LocalUserAuthenticator struct {
	AgentAuthenticator

	// Bakery holds the bakery that is used to mint and verify macaroons.
	Bakery ExpirableStorageBakery

	// Clock is used to calculate the expiry time for macaroons.
	Clock clock.Clock

	// LocalUserIdentityLocation holds the URL of the trusted third party
	// that is used to address the is-authenticated-user third party caveat
	// to for local users. This always points at the same controller
	// agent that is servicing the authorisation request.
	LocalUserIdentityLocation string
}

LocalUserAuthenticator performs authentication for local users. If a password

func (*LocalUserAuthenticator) Authenticate 

func (u *LocalUserAuthenticator) Authenticate(
	ctx context.Context, entityFinder EntityFinder, authParams AuthParams,
) (state.Entity, error)

Authenticate authenticates the entity with the specified tag, and returns an error on authentication failure.

If and only if no password is supplied, then Authenticate will check for any valid macaroons. Otherwise, password authentication will be performed.

type LoginAuthenticator 

type LoginAuthenticator interface {
	// AuthenticateLoginRequest authenticates a LoginRequest.
	AuthenticateLoginRequest(
		ctx context.Context,
		serverHost string,
		modelUUID string,
		authParams AuthParams,
	) (AuthInfo, error)
}

LoginAuthenticator provides an interface for authenticating RPC login requests from a client.

type MacaroonChecker 

type MacaroonChecker interface {
	Auth(mss ...macaroon.Slice) *bakery.AuthChecker
}

MacaroonChecker exposes the methods needed from bakery.Checker.

type MacaroonMinter 

type MacaroonMinter interface {
	NewMacaroon(ctx context.Context, version bakery.Version, caveats []checkers.Caveat, ops ...bakery.Op) (*bakery.Macaroon, error)
}

MacaroonMinter exposes the methods needed from bakery.Oven.

type PermissionDelegator 

type PermissionDelegator interface {
	// SubjectPermissions returns the permission the entity has for the
	// specified subject.
	SubjectPermissions(entity Entity, subject names.Tag) (permission.Access, error)

	// PermissionError is a helper implemented by the Authenticator for
	// returning the appropriate error when an authenticated entity is missing
	// permission for subject.
	PermissionError(subject names.Tag, permission permission.Access) error
}

PermissionDelegator is an interface that represents a window back into the original authentication method that generated an AuthInfo struct. Specifically it allows users of AuthInfo to ask specific details about an entity's permissions that needs response aligned with the way in which they were authenticated.

type RequestAuthenticator 

type RequestAuthenticator interface {
	HTTPAuthenticator
	LoginAuthenticator
}

RequestAuthenticator is an interface the combines both the HTTPAuthenticator and LoginAuthenticator into a single interface as this functionality is most likely to be implemented together.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.