auth

package v0.0.0-...-7aac46a

This package is not in the latest version of its module.

Published: Mar 10, 2023 License: MIT Imports: 8 Imported by: 0

README

auth

Authentication subsystem.

**Supported modules:**

  • Access Control List
  • Token

Access Control List (ACL)
Description:

ACL can be used to authorize, restrict or reject certain access, action or usage to resources.

Use Case:

ACL is highly useful for restricting user capabilities, such as assigning roles and dividing users into groups with certain permissions. ACL is divided into four categories, entity, ability, action and resource, in this particular order. Entity refers to a group or a user that initiates some action on a resource. Ability is a binary Can or Cannot identifier indicating whether a particular user has sufficient permission to proceed. An action is an identifier that indicates what kind of operation is going to take place. The resource is the final block in the chain: it evaluates the user's ability and the kind of requested action on itself in order to accept or refuse the access or action. These properties can subsequently be inherited by subgroups.

For example, an application with three user groups can be illustrated as follows.

Groups: Guest, User, Admin

| Entity | Ability | Action | Resource |
| --- | --- | --- | --- |
| User | can | subscribe to | $channel |
| User | cannot | publish to | $channel |

Access Types

There are four major access types, which are combinations of two main types, Inclusive and Exclusive. Inclusive allows access to anything that is explicitly defined and rejects anything that is undefined. Exclusive allows access to anything that is not explicitly defined and rejects anything that is defined (the opposite of Inclusive). With these two definitions, the following schema can be derived.

| Type | Description |
| --- | --- |
| Inclusive, Exclusive | can use anything that is DEFINED, rejects anything that is undefined. |
| Exclusive, Inclusive | can use anything that is UNDEFINED, rejects anything that is DEFINED. |
| Inclusive, Inclusive | can use anything that is only DEFINED. |
| Exclusive, Exclusive | can use anything that is only UNDEFINED. |
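The entity / ability / action / resource chain and the two base access types described above can be seen end to end in the following self-contained Go program. It is an added example, not code from this package: it models only the two base modes (Inclusive as default-deny, Exclusive as default-allow), treats a defined "cannot" line as a denial in either mode, lets a subgroup inherit its parent's lines through an assumed `Parent` pointer, and uses an assumed `/*` prefix-wildcard syntax for resources; none of these names or rules come from the page.

```go
package main

import (
	"fmt"
	"strings"
)

// Mode is one of the two base access types: Inclusive grants only what is
// explicitly defined; Exclusive grants everything except what is defined.
type Mode int

const (
	Inclusive Mode = iota
	Exclusive
)

// Perm is one permission line in the README's order: ability, action, resource.
type Perm struct {
	Ability, Action, Resource string // Ability is "can" or "cannot"
}

// Role is an entity (a user or a group) with its own mode and permission lines.
// Parent is an assumption used to show subgroup inheritance: a role falls back
// to its parent's lines for requests it does not define itself.
type Role struct {
	Name   string
	Mode   Mode
	Parent *Role
	perms  []Perm
}

// NewRole creates a role; parent may be nil for a top-level group.
func NewRole(name string, mode Mode, parent *Role) *Role {
	return &Role{Name: name, Mode: mode, Parent: parent}
}

// Add appends a permission line. The first matching line wins in CanDo, so
// list specific lines before wildcard lines.
func (r *Role) Add(ability, action, resource string) error {
	if ability != "can" && ability != "cannot" {
		return fmt.Errorf("acl: unknown ability %q (want \"can\" or \"cannot\")", ability)
	}
	r.perms = append(r.perms, Perm{Ability: ability, Action: action, Resource: resource})
	return nil
}

// matchResource treats "*" as match-all and a trailing "/*" as a prefix
// wildcard. This syntax is an assumption; the page does not define one.
func matchResource(pattern, resource string) bool {
	if pattern == "*" || pattern == resource {
		return true
	}
	if strings.HasSuffix(pattern, "/*") {
		return strings.HasPrefix(resource, strings.TrimSuffix(pattern, "*"))
	}
	return false
}

// lookup returns the first line matching action and resource, walking up the
// parent chain so that a subgroup inherits what it does not override.
func (r *Role) lookup(action, resource string) (Perm, bool) {
	for role := r; role != nil; role = role.Parent {
		for _, p := range role.perms {
			if p.Action == action && matchResource(p.Resource, resource) {
				return p, true
			}
		}
	}
	return Perm{}, false
}

// CanDo evaluates one request. A defined line decides by its ability; an
// undefined request is rejected under Inclusive and allowed under Exclusive.
func (r *Role) CanDo(action, resource string) bool {
	if p, ok := r.lookup(action, resource); ok {
		return p.Ability == "can"
	}
	return r.Mode == Exclusive
}

func main() {
	// Constructed sample groups: User is Inclusive (default deny), Admin is
	// Exclusive (default allow), Guest inherits from User and narrows it.
	user := NewRole("User", Inclusive, nil)
	_ = user.Add("can", "subscribe", "chat/*")
	_ = user.Add("cannot", "publish", "chat/*")
	admin := NewRole("Admin", Exclusive, nil)
	guest := NewRole("Guest", Inclusive, user)
	_ = guest.Add("cannot", "subscribe", "chat/staff")

	for _, q := range []struct {
		role             *Role
		action, resource string
	}{
		{user, "subscribe", "chat/general"}, {user, "publish", "chat/general"},
		{user, "subscribe", "admin/log"}, {admin, "publish", "admin/log"},
		{guest, "subscribe", "chat/staff"}, {guest, "subscribe", "chat/general"},
	} {
		fmt.Printf("%-5s %-9s %-12s -> %v\n", q.role.Name, q.action, q.resource, q.role.CanDo(q.action, q.resource))
	}
}
```

The design choice worth noticing is the default for undefined requests: an Inclusive role rejects anything it has no line for, so forgetting a permission fails closed, while an Exclusive role such as the sample Admin allows anything not explicitly forbidden and therefore needs its deny lines audited carefully.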

Documentation

Index

Constants

const (
	// ModUSRPSWD is a flag to indicate the usage of username/password
	ModUSRPSWD = iota
	// ModSIG is a flag to indicate the usage of signature
	ModSIG
)

Authentication modes

const (
	UNotAuthorized = iota
	UAuthorized
)

Authorization flags

const (
	// Permission requires exact length of following
	// constant.
	AuthACLPermLength = 3
)

Permission constants

Variables

var (
	EACLInvalid           error = errors.New("permissions: attempt to unset non existing node")
	EACLViolation         error = errors.New("permissions: attempt to readd resource")
	EACInconsistentConfig error = errors.New("auth(config): invalid configuration for mode")
	EACINVAL              error = errors.New("auth(config): invalid/unknown value/flag in configuration")
)

ACL and Config error messages

var (
	NonExistingUser     error = errors.New("permissions: user does not exist")
	BadPassword         error = errors.New("permissions: invalid password")
	EAUTHInvalidPerms   error = errors.New("permissions: invalid or insufficent permission list")
	EAUTHGeneralFailure error = errors.New("permissions: general operation failure")
	EAUTHUserReadd      error = errors.New("auth: attempt to re-registering existing user")
	ECREDINVAL          error = errors.New("credentials: missing or invalid credentials")
)

Error messages

var (
	EAUTHNotImplemented error = errors.New("auth: not implemented")
)

Debug codes ( for development )

var (
	EAUTHUnknownMode error = fmt.Errorf(eFMT, "auth", "unable to set mode")
)

Error messages

Functions

Types

type ACL

type ACL struct {
	*sync.RWMutex
	// contains filtered or unexported fields
}

func NewACL

func NewACL() *ACL

func (*ACL) GetOrCreate

func (acl *ACL) GetOrCreate(name string) (role protobase.ACLPermInterface, isNew bool)

func (*ACL) GetRole

func (acl *ACL) GetRole(name string) protobase.ACLPermInterface

func (*ACL) HasRole

func (acl *ACL) HasRole(name string) (hasRole bool)

func (*ACL) MakeRole

func (acl *ACL) MakeRole(name string) (role protobase.ACLPermInterface, err error)

type ACLNodeBase

type ACLNodeBase struct {
	Name string
	// contains filtered or unexported fields
}

func NewACLNodeBase

func NewACLNodeBase() *ACLNodeBase

func (*ACLNodeBase) Add

func (anb *ACLNodeBase) Add(args ...string) error

func (*ACLNodeBase) CanDo

func (anb *ACLNodeBase) CanDo(wildmatch bool, args ...string) bool

func (*ACLNodeBase) GetIdentifier

func (anb *ACLNodeBase) GetIdentifier(ident string) protobase.ACLNodeInterface

func (*ACLNodeBase) HasIdentifier

func (anb *ACLNodeBase) HasIdentifier(ident string) bool

func (*ACLNodeBase) HasWildIdentifier

func (anb *ACLNodeBase) HasWildIdentifier(item string) (ok bool)

func (*ACLNodeBase) IsResource

func (anb *ACLNodeBase) IsResource(ident string) bool

func (*ACLNodeBase) Len

func (anb *ACLNodeBase) Len() int

func (*ACLNodeBase) MakeChild

func (anb *ACLNodeBase) MakeChild(level int, ident string) protobase.ACLNodeInterface

func (*ACLNodeBase) RemoveValue

func (anb *ACLNodeBase) RemoveValue(key string) bool

func (*ACLNodeBase) SetValue

func (anb *ACLNodeBase) SetValue(key string, value protobase.ACLNodeInterface) bool

func (*ACLNodeBase) Unset

func (anb *ACLNodeBase) Unset(args ...string) (bool, error)

type Ability

type Ability struct {
	*ACLNodeBase
}

type Action

type Action struct {
	*ACLNodeBase
}

type AuthConfig

type AuthConfig struct {
	AccessGroups AuthGroups
	Credentials  []AuthEntity
	Mode         protobase.AuthMode
}

AuthConfig is a struct used to configure the Auth subsystem during and after initialization. It defines global access rules such as the authentication mode.

func NewAuthConfig

func NewAuthConfig() *AuthConfig

NewAuthConfig is a function that allocates and initializes an `AuthConfig` and returns a pointer to it. The default authentication mode is `protobase.AUTHModeNone`, which intentionally fails validity checks to prevent complications during development and debugging.

func (*AuthConfig) AddCredential

func (ac *AuthConfig) AddCredential(group string, cred protobase.CredentialsInterface) (err error)

AddCredential is a receiver method which adds a new entry to its storage. The `group` argument associates the given entry with the corresponding Auth Group in `AccessGroups`. It returns an error in case of an unsuccessful operation.

func (*AuthConfig) IsValid

func (ac *AuthConfig) IsValid() (ok bool, err error)

IsValid is a receiver method that checks the validity of the underlying data and returns an error in case of an unsuccessful operation. It can be used manually to ensure integrity, but it is mainly used by the Auth subsystem.

func (*AuthConfig) SetMode

func (ac *AuthConfig) SetMode(mode protobase.AuthMode) (ok bool)

SetMode sets Authorization mode globally for Auth subsystem. It returns false in case `mode` argument is invalid.

type AuthEntity

type AuthEntity struct {
	Credential protobase.CredentialsInterface // Credential contains the entity's credentials (e.g. id, password)
	Group      string                         // Group specifies an association with a certain Authorization group
}

type AuthGroups

type AuthGroups struct {
	Members map[string][][3]string // Groups contains default feasible permissions
	Type    protobase.ACLMode      // Type is default Access type ( i.e. Inclusive, Exclusive or Undefined )
}

AuthGroups is a struct used to define individual access settings. It is used for initial Auth subsystem configuration.

func (*AuthGroups) Add

func (ag *AuthGroups) Add(name string, perm ...string) (err error)

Add is a receiver method that creates a new group when necessary and adds the given permission line to it. It returns an error to indicate a conformance violation.

func (*AuthGroups) HasGroup

func (ag *AuthGroups) HasGroup(name string) (ok bool)

HasGroup returns whether a given Auth Group is registered.

func (*AuthGroups) IsValid

func (ag *AuthGroups) IsValid() (ok bool, err error)

IsValid checks the validity of the underlying data and returns an error in case of a violation. It is used by `AuthConfig` and invoked prior to `AuthConfig`'s own validation procedure.

func (*AuthGroups) Len

func (ag *AuthGroups) Len() int

Len returns number of total registered groups.

type AuthInfo

type AuthInfo struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

AuthInfo is a struct associated with each registered identifier in `Authentication`. It contains information such as access times, statistics, IP address and permissions.

func NewAuthInfo

func NewAuthInfo(creds protobase.CredentialsInterface) *AuthInfo

NewAuthInfo allocates and initializes a new `AuthInfo` with the given credentials and returns a pointer to it.

func (*AuthInfo) GetType

func (ai *AuthInfo) GetType() protobase.AuthUserType

GetType returns associated `protobase.AuthUserType` of the given entry.

func (*AuthInfo) IsAuthorized

func (ai *AuthInfo) IsAuthorized() byte

IsAuthorized returns whether the current entry is authorized.

func (*AuthInfo) SetAuthorized

func (ai *AuthInfo) SetAuthorized()

SetAuthorized sets the authorization status to true.

func (*AuthInfo) SetType

func (ai *AuthInfo) SetType(t protobase.AuthUserType)

SetType sets user type flag.

func (*AuthInfo) UnsetAuthorized

func (ai *AuthInfo) UnsetAuthorized()

UnsetAuthorized unauthorizes the current entry by setting authorization flag to false.

type Authentication

type Authentication struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

Authentication is a `protobase.AuthInterface` compatible struct.

func NewAuthenticator

func NewAuthenticator() *Authentication

NewAuthenticator allocates and initializes a new `Authentication` instance and returns a pointer to it.

func NewAuthenticatorFromConfig

func NewAuthenticatorFromConfig(config *AuthConfig) (a *Authentication, err error)

NewAuthenticatorFromConfig allocates and initializes a new `Authentication` instance and configures it according to the `config` argument. It returns an error in case of an unsuccessful operation or an invalid configuration.

func (*Authentication) Authenticate

func (a *Authentication) Authenticate(creds protobase.CredentialsInterface) bool

TODO

func (*Authentication) CanAuthenticate

func (a *Authentication) CanAuthenticate(creds protobase.CredentialsInterface) (ok bool, err error)

CanAuthenticate returns a boolean indicating the validity of the given credentials. It returns an error propagated from lower levels.

func (*Authentication) CreateGroup

func (a *Authentication) CreateGroup(name string, permissions [][3]string) (err error)

CreateGroup creates a new ACL group with the given permissions.

func (*Authentication) GetACL

GetACL returns the internal ACL subsystem. It is important to ensure the returned value is not nil (in the absence of an ACL).

func (*Authentication) GetMode

func (a *Authentication) GetMode() protobase.AuthMode

GetMode is a getter for authentication mode.

func (*Authentication) GetUserType

func (a *Authentication) GetUserType(uid string) (utype protobase.AuthUserType, err error)

func (*Authentication) HasClient

func (a *Authentication) HasClient(uid string) (ok bool)

HasClient returns a boolean indicating whether a client with the given identifier exists or not.

func (*Authentication) HasSession

func (a *Authentication) HasSession(clientId string) (result bool)

func (*Authentication) MakeCreds

func (a *Authentication) MakeCreds(uid string, pid string, cid string, args ...interface{}) (creds protobase.CredentialsInterface, err error)

MakeCreds takes standard `protobase.CredentialsInterface` arguments and creates a new `protobase.CredentialsInterface`.

func (*Authentication) Register

func (a *Authentication) Register(creds protobase.CredentialsInterface) (result bool)

Register takes a `protobase.CredentialsInterface` struct and tries to register it. It returns true iff the given credential has not been registered prior to current attempt.

func (*Authentication) RegisterToGroup

func (a *Authentication) RegisterToGroup(group string, creds protobase.CredentialsInterface) (ok bool, err error)

RegisterToGroup takes a `protobase.CredentialsInterface` struct and tries to register it. It returns true iff the given credential has not been registered prior to current attempt and iff given `group` exists.

func (*Authentication) RemoveWithIdentifier

func (a *Authentication) RemoveWithIdentifier(identifier *string) (result bool, err error)

RemoveWithIdentifier takes a `string` pointer and tries to remove the entry associated with the given identifier when it exists, indicating success with a boolean. It also returns an error when unsuccessful.

func (*Authentication) SetMode

func (a *Authentication) SetMode(mode protobase.AuthMode)

SetMode is a receiver method that sets the authorization mode.

func (*Authentication) TryAuthenticate

func (a *Authentication) TryAuthenticate(creds protobase.CredentialsInterface) bool

TryAuthenticate evaluates the given credentials and tries to authenticate with it. It returns a boolean indicating its success status.

func (*Authentication) TryUnAuthenticate

func (a *Authentication) TryUnAuthenticate(uid string) bool

TryUnAuthenticate takes an identifier and tries to unauthenticate the entry associated with it. It returns a boolean indicating its success status.

type Creds

type Creds struct {
	Username string
	Password string
	ClientId string
}

Creds is a basic credential container.

func (*Creds) Copy

Copy returns a new instance of a compatible `protobase.CredentialsInterface`.

func (*Creds) GetCredentials

func (c *Creds) GetCredentials() (username string, password string, clientId string)

GetCredentials returns the data associated with the authentication method.

func (*Creds) GetUID

func (c *Creds) GetUID() string

GetUID returns a string used for user identification (i.e. the user id).

func (*Creds) IsValid

func (c *Creds) IsValid() (ok bool)

IsValid returns a boolean indicating whether the actual credentials are properly formatted, checking edge cases (e.g. empty strings).

func (*Creds) Match

func (c *Creds) Match(cred protobase.CredentialsInterface) (ret bool)

Match is a receiver method that compares two `protobase.CredentialsInterface` values and returns a boolean indicating whether both are identical or not. It is used to match stored credentials against user-given credentials, usually during the initial handshake and initialization stage.

type Entity

type Entity struct {
	Name        string
	Descendants []string
}

type Perms

type Perms struct {
	*ACLNodeBase
}

func NewPerms

func NewPerms(name string) *Perms

type Resource

type Resource struct {
	*ACLNodeBase
	Providers []string
	// contains filtered or unexported fields
}

type Role

type Role struct {
	*sync.RWMutex
	Name string
	Mode protobase.ACLMode
	// contains filtered or unexported fields
}

func NewRole

func NewRole(name string) *Role

func (*Role) HasExactPerm

func (r *Role) HasExactPerm(ability string, action string, resource string) bool

func (*Role) HasPerm

func (r *Role) HasPerm(ability string, action string, resource string) bool

func (*Role) SetMode

func (r *Role) SetMode(mode protobase.ACLMode) bool

func (*Role) SetPerm

func (r *Role) SetPerm(ability string, action string, resource string) error

func (*Role) UnsetPerm

func (r *Role) UnsetPerm(ability string, action string, resource string) error

type RoleUser

type RoleUser struct {
	*Role
	Parent     protobase.ACLPermInterface
	Permission *Perms
	Mode       protobase.ACLMode
}

func (*RoleUser) HasExactPerm

func (ru *RoleUser) HasExactPerm(ability string, action string, resource string) bool

func (*RoleUser) HasPerm

func (ru *RoleUser) HasPerm(ability string, action string, resource string) bool

func (*RoleUser) SetMode

func (ru *RoleUser) SetMode(mode protobase.ACLMode) bool
