Documentation ¶
Overview ¶
Package warden decides if access requests should be allowed or denied. In a scientific taxonomy, the warden is classified as a Policy Decision Point. THe warden's primary goal is to implement `github.com/ory-am/hydra/firewall.Firewall`. To read up on the warden, go to:
- https://ory-am.gitbooks.io/hydra/content/policy.html
- http://docs.hydra13.apiary.io/#reference/warden:-access-control-for-resource-providers
Contains source files:
- handler.go: A HTTP handler capable of validating access tokens.
- warden_http.go: A Go API using HTTP to validate access tokens.
- warden_local.go: A Go API using storage managers to validate access tokens.
- warden_test.go: Functional tests all of the above.
Index ¶
- Constants
- func TokenFromRequest(r *http.Request) string
- type HTTPWarden
- func (w *HTTPWarden) IsAllowed(ctx context.Context, a *firewall.AccessRequest) error
- func (w *HTTPWarden) SetClient(c *clientcredentials.Config)
- func (w *HTTPWarden) TokenAllowed(ctx context.Context, token string, a *firewall.TokenAccessRequest, ...) (*firewall.Context, error)
- func (w *HTTPWarden) TokenFromRequest(r *http.Request) string
- type LocalWarden
- type WardenHandler
Constants ¶
const ( // TokenAllowedHandlerPath points to the token access request validation endpoint. TokenAllowedHandlerPath = "/warden/token/allowed" // AllowedHandlerPath points to the access request validation endpoint. AllowedHandlerPath = "/warden/allowed" )
Variables ¶
This section is empty.
Functions ¶
func TokenFromRequest ¶
Types ¶
type HTTPWarden ¶
func (*HTTPWarden) IsAllowed ¶
func (w *HTTPWarden) IsAllowed(ctx context.Context, a *firewall.AccessRequest) error
IsAllowed checks if an arbitrary subject is allowed to perform an action on a resource.
The HTTP API is documented at http://docs.hydra13.apiary.io/#reference/warden:-access-control-for-resource-providers/check-if-a-subject-is-allowed-to-do-something
func (*HTTPWarden) SetClient ¶
func (w *HTTPWarden) SetClient(c *clientcredentials.Config)
func (*HTTPWarden) TokenAllowed ¶
func (w *HTTPWarden) TokenAllowed(ctx context.Context, token string, a *firewall.TokenAccessRequest, scopes ...string) (*firewall.Context, error)
TokenAllowed checks if a token is valid and if the token owner is allowed to perform an action on a resource. This endpoint requires a token, a scope, a resource name, an action name and a context.
The HTTP API is documented at http://docs.hydra13.apiary.io/#reference/warden:-access-control-for-resource-providers/check-if-an-access-tokens-subject-is-allowed-to-do-something
func (*HTTPWarden) TokenFromRequest ¶
func (w *HTTPWarden) TokenFromRequest(r *http.Request) string
type LocalWarden ¶
type LocalWarden struct { Warden ladon.Warden OAuth2 fosite.OAuth2Provider Groups group.Manager AccessTokenLifespan time.Duration Issuer string L logrus.FieldLogger }
func (*LocalWarden) IsAllowed ¶
func (w *LocalWarden) IsAllowed(ctx context.Context, a *firewall.AccessRequest) error
func (*LocalWarden) TokenAllowed ¶
func (w *LocalWarden) TokenAllowed(ctx context.Context, token string, a *firewall.TokenAccessRequest, scopes ...string) (*firewall.Context, error)
func (*LocalWarden) TokenFromRequest ¶
func (w *LocalWarden) TokenFromRequest(r *http.Request) string
type WardenHandler ¶
WardenHandler is capable of handling HTTP request and validating access tokens and access requests.
func NewHandler ¶
func NewHandler(c *config.Config, router *httprouter.Router) *WardenHandler
func (*WardenHandler) Allowed ¶
func (h *WardenHandler) Allowed(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route POST /warden/allowed warden wardenAllowed
Check if a subject is allowed to do something ¶
Checks if an arbitrary subject is allowed to perform an action on a resource. This endpoint requires a subject, a resource name, an action name and a context.If the subject is not allowed to perform the action on the resource, this endpoint returns a 200 response with `{ "allowed": false} }`.
The subject making the request needs to be assigned to a policy containing:
``` { "resources": ["rn:hydra:warden:allowed"], "actions": ["decide"], "effect": "allow" } ``` Consumes: - application/json Produces: - application/json Schemes: http, https Security: oauth2: hydra.warden Responses: 200: wardenAllowedResponse 401: genericError 403: genericError 500: genericError
func (*WardenHandler) SetRoutes ¶
func (h *WardenHandler) SetRoutes(r *httprouter.Router)
func (*WardenHandler) TokenAllowed ¶
func (h *WardenHandler) TokenAllowed(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route POST /warden/token/allowed warden wardenTokenAllowed
Check if the subject of a token is allowed to do something ¶
Checks if a token is valid and if the token owner is allowed to perform an action on a resource. This endpoint requires a token, a scope, a resource name, an action name and a context.
If a token is expired/invalid, has not been granted the requested scope or the subject is not allowed to perform the action on the resource, this endpoint returns a 200 response with `{ "allowed": false} }`.
Extra data set through the `at_ext` claim in the consent response will be included in the response. The `id_ext` claim will never be returned by this endpoint.
The subject making the request needs to be assigned to a policy containing:
``` { "resources": ["rn:hydra:warden:token:allowed"], "actions": ["decide"], "effect": "allow" } ``` Consumes: - application/json Produces: - application/json Schemes: http, https Security: oauth2: hydra.warden Responses: 200: wardenTokenAllowedResponse 401: genericError 403: genericError 500: genericError