warden

package
Version: v0.11.14 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 15, 2018 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// TokenAllowedHandlerPath points to the token access request validation endpoint.
	TokenAllowedHandlerPath = "/warden/token/allowed"

	// AllowedHandlerPath points to the access request validation endpoint.
	AllowedHandlerPath = "/warden/allowed"
)

Variables

This section is empty.

Functions

func OAuth2TokenIntrospectionFactory added in v0.9.12

func OAuth2TokenIntrospectionFactory(config *compose.Config, storage interface{}, strategy interface{}) interface{}

func TokenFromRequest

func TokenFromRequest(r *http.Request) string

Types

type LocalWarden

type LocalWarden struct {
	Warden ladon.Warden
	OAuth2 fosite.OAuth2Provider
	Groups group.Manager

	AccessTokenLifespan time.Duration
	Issuer              string
	L                   logrus.FieldLogger
}

func (*LocalWarden) IsAllowed

func (w *LocalWarden) IsAllowed(ctx context.Context, a *firewall.AccessRequest) error

func (*LocalWarden) TokenAllowed

func (w *LocalWarden) TokenAllowed(ctx context.Context, token string, a *firewall.TokenAccessRequest, scopes ...string) (*firewall.Context, error)

func (*LocalWarden) TokenFromRequest

func (w *LocalWarden) TokenFromRequest(r *http.Request) string

type TokenValidator added in v0.9.12

type TokenValidator struct {
	oauth2.CoreStrategy
	oauth2.CoreStorage
	ScopeStrategy fosite.ScopeStrategy
}

func (*TokenValidator) IntrospectToken added in v0.9.12

func (c *TokenValidator) IntrospectToken(ctx context.Context, token string, tokenType fosite.TokenType, accessRequest fosite.AccessRequester, scopes []string) (err error)

type WardenHandler

type WardenHandler struct {
	H      herodot.Writer
	Warden firewall.Firewall

	ResourcePrefix string
}

WardenHandler is capable of handling HTTP request and validating access tokens and access requests.

func NewHandler

func NewHandler(c *config.Config, router *httprouter.Router) *WardenHandler

func (*WardenHandler) Allowed

swagger:route POST /warden/allowed warden doesWardenAllowAccessRequest

Check if an access request is valid (without providing an access token)

Checks if a subject (typically a user or a service) is allowed to perform an action on a resource. This endpoint requires a subject, a resource name, an action name and a context. If the subject is not allowed to perform the action on the resource, this endpoint returns a 200 response with `{ "allowed": false}`, otherwise `{ "allowed": true }` is returned.

The subject making the request needs to be assigned to a policy containing:

“`
{
  "resources": ["rn:hydra:warden:allowed"],
  "actions": ["decide"],
  "effect": "allow"
}
“`

   Consumes:
   - application/json

   Produces:
   - application/json

   Schemes: http, https

   Security:
     oauth2: hydra.warden

   Responses:
     200: wardenAccessRequestResponse
     401: genericError
     403: genericError
     500: genericError

func (*WardenHandler) PrefixResource added in v0.10.0

func (h *WardenHandler) PrefixResource(resource string) string

func (*WardenHandler) SetRoutes

func (h *WardenHandler) SetRoutes(r *httprouter.Router)

func (*WardenHandler) TokenAllowed

func (h *WardenHandler) TokenAllowed(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

swagger:route POST /warden/token/allowed warden doesWardenAllowTokenAccessRequest

Check if an access request is valid (providing an access token)

Checks if a token is valid and if the token subject is allowed to perform an action on a resource. This endpoint requires a token, a scope, a resource name, an action name and a context.

If a token is expired/invalid, has not been granted the requested scope or the subject is not allowed to perform the action on the resource, this endpoint returns a 200 response with `{ "allowed": false}`.

Extra data set through the `accessTokenExtra` field in the consent flow will be included in the response.

The subject making the request needs to be assigned to a policy containing:

“`
{
  "resources": ["rn:hydra:warden:token:allowed"],
  "actions": ["decide"],
  "effect": "allow"
}
“`

   Consumes:
   - application/json

   Produces:
   - application/json

   Schemes: http, https

   Security:
     oauth2: hydra.warden

   Responses:
     200: wardenTokenAccessRequestResponse
     401: genericError
     403: genericError
     500: genericError

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL