security

package
v0.0.0-...-b1a156a Latest
Warning

This package is not in the latest version of its module.

Published: May 12, 2020 License: Zlib Imports: 7 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func AuthorizedRegistryAccess

func AuthorizedRegistryAccess(registry *baasapi.Registry, userID baasapi.UserID, memberships []baasapi.TeamMembership) bool

AuthorizedRegistryAccess ensures that the user can access the specified registry. It checks whether the user is one of the authorized users or a member of a team listed in the authorized teams.

func AuthorizedResourceControlAccess

func AuthorizedResourceControlAccess(resourceControl *baasapi.ResourceControl, context *RestrictedRequestContext) bool

AuthorizedResourceControlAccess checks whether the user can alter an existing resource control.

func AuthorizedResourceControlCreation

func AuthorizedResourceControlCreation(resourceControl *baasapi.ResourceControl, context *RestrictedRequestContext) bool

AuthorizedResourceControlCreation ensures that the user can create a resource control object. A non-administrator user cannot create a resource control where:

* the Public flag is set to false
* he wants to create a resource control without any user/team accesses
* he wants to add more than one user in the user accesses
* he wants to add a user in the user accesses whose ID does not correspond to his own
* he wants to add a team he is not a member of

func AuthorizedResourceControlDeletion

func AuthorizedResourceControlDeletion(resourceControl *baasapi.ResourceControl, context *RestrictedRequestContext) bool

AuthorizedResourceControlDeletion ensures that the user can delete a resource control object. A non-administrator user cannot delete a resource control where:

* the Public flag is false
* he is not one of the users in the user accesses
* he is not a member of any team within the team accesses

func AuthorizedResourceControlUpdate

func AuthorizedResourceControlUpdate(resourceControl *baasapi.ResourceControl, context *RestrictedRequestContext) bool

AuthorizedResourceControlUpdate ensures that the user can update a resource control object. It reuses the creation restrictions and adds extra checks. A non-administrator user cannot update a resource control where:

* he wants to put one or more users in the user accesses

func AuthorizedTeamManagement

func AuthorizedTeamManagement(teamID baasapi.TeamID, context *RestrictedRequestContext) bool

AuthorizedTeamManagement ensures that access to the management of the specified team is granted. It checks whether the user is either an administrator or the leader of that team.

func AuthorizedUserManagement

func AuthorizedUserManagement(userID baasapi.UserID, context *RestrictedRequestContext) bool

AuthorizedUserManagement ensures that access to the management of the specified user is granted. It checks whether the user is either an administrator or the owner of the user account.

func FilterBaask8sGroups

func FilterBaask8sGroups(baask8sGroups []baasapi.Baask8sGroup, context *RestrictedRequestContext) []baasapi.Baask8sGroup

FilterBaask8sGroups filters baask8s groups based on user role and team memberships. Non-administrator users only have access to authorized baask8s groups.

func FilterBaask8ss

func FilterBaask8ss(baask8ss []baasapi.Baask8s, context *RestrictedRequestContext) []baasapi.Baask8s

FilterBaask8ss filters baask8ss based on user role and team memberships. Non-administrator users only have access to authorized baask8ss (access can be inherited via endpoint groups).

func FilterLeaderTeams

func FilterLeaderTeams(teams []baasapi.Team, context *RestrictedRequestContext) []baasapi.Team

FilterLeaderTeams filters teams based on user role. Team leaders only have access to the teams they lead.

func FilterRegistries

func FilterRegistries(registries []baasapi.Registry, context *RestrictedRequestContext) []baasapi.Registry

FilterRegistries filters registries based on user role and team memberships. Non-administrator users only have access to authorized registries.
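The rule described for AuthorizedRegistryAccess and FilterRegistries, written out as an added example that is not this package's source. The types are local stand-ins, and the field names AuthorizedUsers and AuthorizedTeams are assumptions taken from the wording of the descriptions above.

```go
package main

import "fmt"

// Local stand-ins for the baasapi types (assumptions, not the package's definitions).
type TeamMembership struct{ UserID, TeamID int }
type Registry struct {
	Name                             string
	AuthorizedUsers, AuthorizedTeams []int
}
type RestrictedRequestContext struct {
	IsAdmin         bool
	UserID          int
	UserMemberships []TeamMembership
}

// Constructed sample data: one user grant, one team grant, one registry with no grants.
var sampleRegistries = []Registry{{"internal", []int{7}, nil}, {"shared", nil, []int{3}}, {"locked", nil, nil}}

// authorizedRegistryAccess: the user is listed directly or belongs to a listed team.
func authorizedRegistryAccess(reg *Registry, userID int, memberships []TeamMembership) bool {
	for _, id := range reg.AuthorizedUsers {
		if id == userID {
			return true
		}
	}
	for _, m := range memberships {
		for _, teamID := range reg.AuthorizedTeams {
			if m.UserID == userID && m.TeamID == teamID {
				return true
			}
		}
	}
	return false // default deny: no matching grant, including a registry with no grants
}

// filterRegistries keeps only authorized registries; administrators see everything.
func filterRegistries(regs []Registry, ctx *RestrictedRequestContext) []Registry {
	if ctx.IsAdmin {
		return regs
	}
	visible := []Registry{}
	for i := range regs {
		if authorizedRegistryAccess(&regs[i], ctx.UserID, ctx.UserMemberships) {
			visible = append(visible, regs[i])
		}
	}
	return visible
}

func main() {
	fmt.Println(filterRegistries(sampleRegistries, &RestrictedRequestContext{UserID: 7}))
}
```

A registry with empty grant lists is returned to administrators only, so forgetting to assign access hides a registry rather than exposing it.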

func FilterTemplates

func FilterTemplates(templates []baasapi.Template, context *RestrictedRequestContext) []baasapi.Template

FilterTemplates filters templates based on the user role. Non-administrator users do not have access to templates where the AdministratorOnly flag is set to true.

func FilterUserTeams

func FilterUserTeams(teams []baasapi.Team, context *RestrictedRequestContext) []baasapi.Team

FilterUserTeams filters teams based on user role. Non-administrator users only have access to the teams they are a member of.

func FilterUsers

func FilterUsers(users []baasapi.User, context *RestrictedRequestContext) []baasapi.User

FilterUsers filters users based on user role. Non-administrator users only have access to non-administrator users.

func RetrieveTokenData

func RetrieveTokenData(request *http.Request) (*baasapi.TokenData, error)

RetrieveTokenData returns the TokenData object stored in the request context.

func StripAddrPort

func StripAddrPort(addr string) string

StripAddrPort removes the port from an IP address.

Types

type RateLimiter

type RateLimiter struct {
	*defender.Defender
}

RateLimiter represents an entity that manages request rate limiting.

func NewRateLimiter

func NewRateLimiter(maxRequests int, duration time.Duration, banDuration time.Duration) *RateLimiter

NewRateLimiter initializes a new RateLimiter.

func (*RateLimiter) LimitAccess

func (limiter *RateLimiter) LimitAccess(next http.Handler) http.Handler

LimitAccess wraps the current request with a check that the remote address does not go above the defined limits.

type RequestBouncer

type RequestBouncer struct {
	// contains filtered or unexported fields
}

RequestBouncer represents an entity that manages API request accesses.

func NewRequestBouncer

func NewRequestBouncer(parameters *RequestBouncerParams) *RequestBouncer

NewRequestBouncer initializes a new RequestBouncer.

func (*RequestBouncer) AdministratorAccess

func (bouncer *RequestBouncer) AdministratorAccess(h http.Handler) http.Handler

AdministratorAccess defines a chain of middleware for restricted baask8ss. Authentication as well as administrator role are required to access these baask8ss.

func (*RequestBouncer) AuthenticatedAccess

func (bouncer *RequestBouncer) AuthenticatedAccess(h http.Handler) http.Handler

AuthenticatedAccess defines a security check for private baask8ss. Authentication is required to access these baask8ss.

func (*RequestBouncer) Baask8sAccess

func (bouncer *RequestBouncer) Baask8sAccess(r *http.Request, baask8s *baasapi.Baask8s) error

Baask8sAccess retrieves the JWT token from the request context and verifies that the user can access the specified baask8s. An error is returned when access is denied.

func (*RequestBouncer) PublicAccess

func (bouncer *RequestBouncer) PublicAccess(h http.Handler) http.Handler

PublicAccess defines a security check for public baask8ss. No authentication is required to access these baask8ss.

func (*RequestBouncer) RegistryAccess

func (bouncer *RequestBouncer) RegistryAccess(r *http.Request, registry *baasapi.Registry) error

RegistryAccess retrieves the JWT token from the request context and verifies that the user can access the specified registry. An error is returned when access is denied.

func (*RequestBouncer) RestrictedAccess

func (bouncer *RequestBouncer) RestrictedAccess(h http.Handler) http.Handler

RestrictedAccess defines a security check for restricted baask8ss. Authentication is required to access these baask8ss. The request context will be enhanced with a RestrictedRequestContext object that might be used later to authorize/filter access to resources.

type RequestBouncerParams

type RequestBouncerParams struct {
	JWTService            baasapi.JWTService
	UserService           baasapi.UserService
	TeamMembershipService baasapi.TeamMembershipService
	Baask8sGroupService   baasapi.Baask8sGroupService
	AuthDisabled          bool
}

RequestBouncerParams represents the required parameters to create a new RequestBouncer instance.

type RestrictedRequestContext

type RestrictedRequestContext struct {
	IsAdmin         bool
	IsTeamLeader    bool
	UserID          baasapi.UserID
	UserMemberships []baasapi.TeamMembership
}

RestrictedRequestContext is a data structure containing information used in RestrictedAccess.

func RetrieveRestrictedRequestContext

func RetrieveRestrictedRequestContext(request *http.Request) (*RestrictedRequestContext, error)

RetrieveRestrictedRequestContext returns the RestrictedRequestContext object stored in the request context.
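The pattern behind RestrictedAccess and RetrieveRestrictedRequestContext, as an added example that is not this package's code: middleware stores the context under an unexported key, and a handler that finds no context denies the request. All names here are hypothetical stand-ins, and the caller supplies the context that the real middleware would derive from the authenticated request.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type restrictedCtx struct{ IsAdmin bool } // local stand-in (assumption) for the page's struct
type ctxKey struct{}                      // unexported key type: other packages cannot set the value

// restrictedAccess attaches rc for downstream handlers (caller-supplied here, an assumption).
func restrictedAccess(rc *restrictedCtx, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, rc)))
	})
}

// retrieve returns an error, never a zero-value context, when nothing usable was stored.
func retrieve(r *http.Request) (*restrictedCtx, error) {
	rc, ok := r.Context().Value(ctxKey{}).(*restrictedCtx)
	if !ok || rc == nil {
		return nil, errors.New("restricted request context not found")
	}
	return rc, nil
}

// adminOnly fails closed: a missing context is a 403, not an anonymous pass-through.
func adminOnly(w http.ResponseWriter, r *http.Request) {
	rc, err := retrieve(r)
	if err != nil || !rc.IsAdmin {
		http.Error(w, "access denied", http.StatusForbidden)
		return
	}
	fmt.Fprint(w, "ok")
}

// status sends one constructed request through h and returns the HTTP status code.
func status(h http.Handler) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/admin", nil))
	return rec.Code
}

func main() {
	h := http.HandlerFunc(adminOnly)
	fmt.Println(status(h), status(restrictedAccess(&restrictedCtx{IsAdmin: true}, h)))
}
```

The first status in main comes from a handler mounted without the middleware, which is the wiring mistake the error return from the retrieval function lets a handler catch.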
