Documentation
Index
- Constants
- Variables
- func CanThoseRolesPerformAction(roles []string, action string) bool
- func CompareFastCryptoHash(plain string, hash string) bool
- func ComparePassword(password string, hash string) (bool, error)
- func CreateHashFromPassword(password string) (string, error)
- func DecideCanDo(dr *DecisionRequest) bool
- func ExtractLoginFromJWT(jwt string) (string, string)
- func FillPasswordFromKindSecret(r config.ConfigurationProvider, ref *PasswordFromSecretRef, ...) error
- func GetRolesActions() map[string][]string
- func GetRolesInheritance() map[string][]string
- func HashJWT(jwt string) string
- func HashSha256(input string) string
- func InitializeModel(db *gorm.DB) error
- type AccessControlList
- type AccessControlObject
- type Actor
- type Argon2Config
- type DecisionRequest
- type GrantedAccess
- type GrantedAccessRepository
- type PasswordFromSecretRef
- type Roles
- type ScopedElement
- type Service
- func (s Service) GetAllGrantedAccessesForUserByUsername(name string) []GrantedAccess
- func (s Service) GetGrantedAccessInformation(jwt string) (GrantedAccess, error)
- func (s Service) GetGrantedAccessInformationBySessionId(sessionId string) (GrantedAccess, error)
- func (s Service) IsTokenStillValid(jwt string) bool
- func (s Service) RevokeSessionByJWT(jwt string) error
- func (s Service) RevokeSessionBySessionId(sessionId string) error
- func (s Service) StoreJWTAsGrantedAccess(token string, expire time.Time, ip string, description string, username string, ...) string
- type SessionLimitedOperationsScope
- type Subject
- type UserIdentity
Constants
const (
	RoleUserManager       = "userManager"
	RoleCollectionManager = "collectionManager"
	RoleBackupDownloader  = "backupDownloader"
	RoleBackupUploader    = "backupUploader"
	// RoleUploadsAnytime allows uploading versions regardless of Backup Windows
	RoleUploadsAnytime = "uploadsAnytime"
	RoleSysAdmin       = "systemAdmin"
)
const (
	ActionDownload      = "file.download"
	ActionUpload        = "file.upload"
	ActionUploadAnytime = "file.upload-anytime"
	ActionViewProfile   = "profile.view"
)
const (
	IdentityKeyClaimIndex = "login"
	AccessKeyClaimIndex   = "accessKeyName"
	ScopeClaimIndex       = "operationsScope"
)
const KindGrantedAccess = "grantedaccesses"
Variables
var AllActions = []string{
	ActionDownload,
	ActionUpload,
	ActionUploadAnytime,
	ActionViewProfile,
}
Functions
func CanThoseRolesPerformAction
CanThoseRolesPerformAction checks whether any of the listed roles allows performing the action.
func CompareFastCryptoHash
func ComparePassword
ComparePassword is used to compare a user-inputted password to a hash to see if the password matches or not.
func CreateHashFromPassword
CreateHashFromPassword is used to generate a new password hash for storing and comparing at a later date.
func DecideCanDo
func DecideCanDo(dr *DecisionRequest) bool
DecideCanDo decides whether a specific Action can be performed by an Actor on a Subject.
Logic:
- The Subject defines who can access it and how.
- There are SYSTEM-WIDE roles defined on the user that allow doing everything globally.
- A user can generate a LIMITED SCOPE JWT token with the /auth/login endpoint. This kind of token can define that, in the context of a given Subject, the roles should be limited to specific ones. Important! Those roles cannot be higher than the ones defined on the Subject or on the Actor in its profile.
Cases:
- Has limited token: the user generates a JWT with the "backupDownloader" role in the context of the "iwa-ait" collection. So even if that user is a "collectionManager" for this collection, with that specific JWT token it is possible only to download backups.
func ExtractLoginFromJWT
ExtractLoginFromJWT returns the username of the user that owns this token.
func FillPasswordFromKindSecret
func FillPasswordFromKindSecret(r config.ConfigurationProvider, ref *PasswordFromSecretRef, setterCallback func(secret string)) error
FillPasswordFromKindSecret fills an object with data retrieved from a `kind: Secret` in Kubernetes.
func GetRolesActions
func GetRolesInheritance
func HashSha256
func InitializeModel
Types
type AccessControlList
type AccessControlList []AccessControlObject
func (AccessControlList) IsPermitted
func (acl AccessControlList) IsPermitted(name string, objType string, action string) bool
IsPermitted checks whether the given user is granted a role in this list.
type AccessControlObject
type Argon2Config
type Argon2Config struct {
// contains filtered or unexported fields
}
func CreateDefaultPasswordConfig
func CreateDefaultPasswordConfig() *Argon2Config
type DecisionRequest
type GrantedAccess
type GrantedAccess struct {
	CreatedAt     time.Time
	UpdatedAt     time.Time
	DeletedAt     gorm.DeletedAt `gorm:"index"`
	ID            string         `json:"id" structs:"id" sql:"type:string;primary_key;default:uuid_generate_v4()"`
	ExpiresAt     time.Time      `json:"expiresAt" structs:"expiresAt"`
	Deactivated   bool           `json:"deactivated" structs:"deactivated"`
	Description   string         `json:"description" structs:"description"`
	RequesterIP   string         `json:"requesterIP" structs:"requesterIP"`
	User          string         `json:"user" structs:"user"`
	AccessKeyName string         `json:"accessKeyName" structs:"accessKeyName"`
}
GrantedAccess stores information about generated JWT tokens (successful logins to the system)
func NewGrantedAccess
func (GrantedAccess) IsNotExpired
func (ga GrantedAccess) IsNotExpired() bool
func (GrantedAccess) IsValid
func (ga GrantedAccess) IsValid() bool
type GrantedAccessRepository
type GrantedAccessRepository struct {
// contains filtered or unexported fields
}
type PasswordFromSecretRef
PasswordFromSecretRef references passwords stored in ConfigMaps.
Name is the ConfigMap name.
Entry is the key name in .data.
type ScopedElement
type Service
type Service struct {
// contains filtered or unexported fields
}
func NewService
func (Service) GetAllGrantedAccessesForUserByUsername
func (s Service) GetAllGrantedAccessesForUserByUsername(name string) []GrantedAccess
func (Service) GetGrantedAccessInformation
func (s Service) GetGrantedAccessInformation(jwt string) (GrantedAccess, error)
func (Service) GetGrantedAccessInformationBySessionId
func (s Service) GetGrantedAccessInformationBySessionId(sessionId string) (GrantedAccess, error)
func (Service) IsTokenStillValid
func (Service) RevokeSessionByJWT
func (Service) RevokeSessionBySessionId
type SessionLimitedOperationsScope
type SessionLimitedOperationsScope struct {
Elements []ScopedElement `form:"elements" json:"elements"`
}
SessionLimitedOperationsScope allows defining additional limitations on the user's JWT token, so even if the user has higher permissions, those permissions can be limited per JWT token.
func ExtractScopeFromString
func ExtractScopeFromString(asJson string) (*SessionLimitedOperationsScope, error)
func ExtractSessionLimitedOperationsScopeFromJWT
func ExtractSessionLimitedOperationsScopeFromJWT(jwt string) (*SessionLimitedOperationsScope, error)
type Subject
type Subject interface {
	GetId() string
	GetTypeName() string
	GetAccessControlList() *AccessControlList
}
type UserIdentity
func NewUserIdentityFromString
func NewUserIdentityFromString(login string) UserIdentity