auth

package
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 15, 2024 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var AddonRole = []string{
	"applications:get",
	"applications:put",
	"applications.tags:*",
	"applications.facts:*",
	"applications.bucket:*",
	"applications.analyses:*",
	"identities:get",
	"identities:decrypt",
	"proxies:get",
	"settings:get",
	"tags:*",
	"tagcategories:*",
	"tasks:get",
	"tasks.report:*",
	"tasks.bucket:get",
	"files:*",
	"rulesets:get",
}

AddonRole defines the addon scopes.

View Source 
var Settings = &settings.Settings
View Source 
var Validators []Validator

Validators provide token validation based on claims.

Functions

This section is empty.

Types

type BaseScope 

type BaseScope struct {
	Resource string
	Method   string
}

BaseScope provides base behavior.

func (*BaseScope) Match 

func (r *BaseScope) Match(resource string, method string) (b bool)

Match returns whether the scope is a match.

func (*BaseScope) String 

func (r *BaseScope) String() (s string)

String representations of the scope.

func (*BaseScope) With 

func (r *BaseScope) With(s string)

With parses a scope and populate fields. Format: <resource>:<method>

type Builtin 

type Builtin struct {
}

Builtin auth provider.

func (*Builtin) Authenticate 

func (r *Builtin) Authenticate(request *Request) (jwToken *jwt.Token, err error)

Authenticate the token

func (*Builtin) Login 

func (r *Builtin) Login(user, password string) (token Token, err error)

Login and obtain a token.

func (*Builtin) NewToken 

func (r *Builtin) NewToken(user string, scopes []string, claims jwt.MapClaims) (signed string, err error)

NewToken creates a new signed token.

func (*Builtin) Refresh added in v0.2.0 

func (r *Builtin) Refresh(refresh string) (token Token, err error)

Refresh token.

func (*Builtin) Scopes 

func (r *Builtin) Scopes(jwToken *jwt.Token) (scopes []Scope)

Scopes returns a list of scopes.

func (*Builtin) User 

func (r *Builtin) User(jwToken *jwt.Token) (user string)

User returns the user associated with the token.

type Keycloak 

type Keycloak struct {
	// contains filtered or unexported fields
}

Keycloak auth provider

func (*Keycloak) Authenticate 

func (r *Keycloak) Authenticate(request *Request) (jwToken *jwt.Token, err error)

Authenticate the token

func (*Keycloak) Login 

func (r *Keycloak) Login(user, password string) (token Token, err error)

Login and obtain a token.

func (Keycloak) NewToken 

func (r Keycloak) NewToken(user string, scopes []string, claims jwt.MapClaims) (signed string, err error)

NewToken creates a new signed token.

func (*Keycloak) Refresh added in v0.2.0 

func (r *Keycloak) Refresh(refresh string) (token Token, err error)

Refresh token.

func (*Keycloak) Scopes 

func (r *Keycloak) Scopes(jwToken *jwt.Token) (scopes []Scope)

Scopes decodes a list of scopes from the token.

func (*Keycloak) User 

func (r *Keycloak) User(jwToken *jwt.Token) (user string)

User resolves token to Keycloak username.

type NoAuth 

type NoAuth struct {
}

NoAuth provider always permits access.

func (*NoAuth) Authenticate 

func (r *NoAuth) Authenticate(_ *Request) (jwToken *jwt.Token, err error)

Authenticate the token

func (*NoAuth) Login 

func (r *NoAuth) Login(user, password string) (token Token, err error)

Login and obtain a token.

func (NoAuth) NewToken 

func (r NoAuth) NewToken(user string, scopes []string, claims jwt.MapClaims) (signed string, err error)

NewToken creates a new signed token.

func (*NoAuth) Refresh added in v0.2.0 

func (r *NoAuth) Refresh(refresh string) (token Token, err error)

Refresh token.

func (*NoAuth) Scopes 

func (r *NoAuth) Scopes(jwToken *jwt.Token) (scopes []Scope)

Scopes decodes a list of scopes from the token. For the NoAuth provider, this just returns a single wildcard scope matching everything.

func (*NoAuth) User 

func (r *NoAuth) User(jwToken *jwt.Token) (name string)

User mocks username for NoAuth

type NotAuthenticated 

type NotAuthenticated struct {
	Token string
}

NotAuthenticated is returned when a token cannot be authenticated.

func (*NotAuthenticated) Error 

func (e *NotAuthenticated) Error() (s string)

func (*NotAuthenticated) Is 

func (e *NotAuthenticated) Is(err error) (matched bool)

type NotValid 

type NotValid struct {
	Reason string
	Token  string
}

NotValid is returned when a token is not valid.

func (*NotValid) Error 

func (e *NotValid) Error() (s string)

func (*NotValid) Is 

func (e *NotValid) Is(err error) (matched bool)

type Provider 

type Provider interface {
	// NewToken creates a signed token.
	NewToken(user string, scopes []string, claims jwt.MapClaims) (signed string, err error)
	// Authenticate authenticates and validates the token.
	Authenticate(r *Request) (jwToken *jwt.Token, err error)
	// Scopes extracts a list of scopes from the token.
	Scopes(jwToken *jwt.Token) []Scope
	// User extracts the user from token.
	User(jwToken *jwt.Token) (user string)
	// Login and obtain a token.
	Login(user, password string) (token Token, err error)
	// Refresh token.
	Refresh(refresh string) (token Token, err error)
}

Provider provides RBAC. 

var (
	// Log logger.
	Log = logr.WithName("auth")
	// Hub provider.
	Hub Provider
	// Remote provider.
	Remote Provider
)

func NewKeycloak 

func NewKeycloak(host, realm string) (p Provider)

NewKeycloak builds a new Keycloak auth provider.

type Realm 

type Realm struct {
	Users  map[string]gocloak.User
	Scopes map[string]gocloak.ClientScope
	Roles  map[string]gocloak.Role
}

Realm is a container for the users, scopes, and roles that exist in the hub's keycloak realm.

type Reconciler 

type Reconciler struct {
	// contains filtered or unexported fields
}

Keycloak realm reconciler

func NewReconciler 

func NewReconciler(host, realm, id, secret, admin, pass, adminRealm string) (r Reconciler)

NewReconciler builds a new Keycloak realm reconciler.

func (*Reconciler) Reconcile 

func (r *Reconciler) Reconcile() (err error)

Reconcile ensures that the Hub realm exists and the expected clients, roles, scopes, and users are present in it.

type Request added in v0.1.0 

type Request struct {
	Token  string
	Scope  string
	Method string
	DB     *gorm.DB
}

Request auth request.

func (*Request) Permit added in v0.1.0 

func (r *Request) Permit() (result Result, err error)

Permit the specified request.

type Resource 

type Resource struct {
	Name  string   `yaml:"name" validate:"required"`
	Verbs []string `yaml:"verbs" validate:"required,dive,oneof=get post put patch delete"`
}

Resource is a set of permissions for a hub resource that a role may have.

type Result added in v0.1.0 

type Result struct {
	Authenticated bool
	Authorized    bool
	User          string
	Scopes        []Scope
}

Result - auth result.

type Role 

type Role struct {
	Name      string     `yaml:"role" validate:"required"`
	Resources []Resource `yaml:"resources" validate:"required"`
}

Role represents a RBAC role which grants access to particular resources in the hub.

func LoadRoles 

func LoadRoles(path string) (roles []Role, err error)

LoadRoles loads a list of Role structs from a yaml file that is located at the given path.

type Scope 

type Scope interface {
	// Match returns whether the scope is a match.
	Match(resource string, method string) bool
	//String representations of the scope.
	String() (s string)
}

Scope represents an authorization scope.

type Token added in v0.2.0 

type Token struct {
	Access  string
	Refresh string
	Expiry  int
}

type User 

type User struct {
	// Username
	Name string `yaml:"name"`
	// Default password
	Password string `yaml:"password"`
	// List of roles specified by name
	Roles []string `yaml:"roles"`
}

User is a hub user which may have Roles.

func LoadUsers 

func LoadUsers(path string) (users []User, err error)

LoadUsers loads a list of User structs from a yaml file that is located at the given path.

type Validator 

type Validator interface {
	// Valid determines if the token is valid.
	// When valid, return nil.
	// When not valid, return NotValid error.
	// On failure, return the (cause) error.
	Valid(token *jwt.Token, db *gorm.DB) (err error)
}

Validator provides token validation.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.