auth

package
Published: Apr 9, 2024 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

// ResourceArnPrefix is the ARN prefix every bucket-policy Resource must
// carry; Resources.Validate expects the bucket name to follow it
// (e.g. arn:aws:s3:::MyBucket/*).
const ResourceArnPrefix = "arn:aws:s3:::"

Variables

// ErrNoSuchUser is returned by IAMService.GetUserAccount when no account
// exists for the requested access key.
var ErrNoSuchUser = errors.New("user not found")
// ErrNotSupported is returned by IAMService methods an implementation does
// not offer (presumably the IAMServiceSingle methods — confirm).
var ErrNotSupported = errors.New("method is not supported")

Functions

func CheckIfAccountsExist

func CheckIfAccountsExist(accs []string, iam IAMService) ([]string, error)

func IsAdminOrOwner

func IsAdminOrOwner(acct Account, isRoot bool, acl ACL) error

func MayCreateBucket

func MayCreateBucket(acct Account, isRoot bool) error

func UpdateACL

func UpdateACL(input *s3.PutBucketAclInput, acl ACL, iam IAMService) ([]byte, error)

func ValidatePolicyDocument

func ValidatePolicyDocument(policyBin []byte, bucket string, iam IAMService) error

func VerifyAccess

func VerifyAccess(ctx context.Context, be backend.Backend, opts AccessOptions) error

func VerifyObjectCopyAccess

func VerifyObjectCopyAccess(ctx context.Context, be backend.Backend, copySource string, opts AccessOptions) error

Types

type ACL

// ACL is the gateway's stored representation of a bucket ACL, produced by
// ParseACL and consumed by UpdateACL and the access checks.
type ACL struct {
	// ACL is the canned ACL, if one was applied.
	ACL      types.BucketCannedACL
	// Owner identifies the bucket owner (presumably by access key, as
	// Grantee.Access is — confirm).
	Owner    string
	// Grantees are the explicit per-account permission grants.
	Grantees []Grantee
}

func ParseACL

func ParseACL(data []byte) (ACL, error)

type AccessControlList

// AccessControlList is the XML <AccessControlList> element of an S3 ACL
// document: a list of <Grant> entries.
type AccessControlList struct {
	Grants []types.Grant `xml:"Grant"`
}

type AccessControlPolicy

// AccessControlPolicy is the XML body of a PutBucketAcl/GetBucketAcl
// request: the grant list plus the owner.
type AccessControlPolicy struct {
	AccessControlList AccessControlList `xml:"AccessControlList"`
	Owner             types.Owner
}

type AccessOptions

// AccessOptions carries everything VerifyAccess and VerifyObjectCopyAccess
// need to decide a single request.
type AccessOptions struct {
	// Acl is the target bucket's parsed ACL (see ParseACL).
	Acl           ACL
	// AclPermission is the ACL permission the request requires.
	AclPermission types.Permission
	// IsRoot marks the root account; the checks treat it specially
	// (see IsAdminOrOwner and MayCreateBucket).
	IsRoot        bool
	// Acc is the account making the request.
	Acc           Account
	// Bucket and Object name the target; Object is presumably empty for
	// bucket-level requests — confirm in VerifyAccess.
	Bucket        string
	Object        string
	// Action is the S3 action being attempted (see the Action constants).
	Action        Action
}

type Account

// Account is a gateway IAM account: the credentials and role the gateway
// associates with one access key.
type Account struct {
	// Access is the access key ID presented by the client; IAMService
	// implementations look accounts up by it (GetUserAccount(access)).
	Access    string `json:"access"`
	// Secret is the secret access key. NOTE(review): it carries a plain
	// json:"secret" tag with no omission or redaction, so marshaling an
	// Account into a log line or API response would emit the credential.
	Secret    string `json:"secret"`
	// Role is the account's privilege level: RoleUser, RoleUserPlus or RoleAdmin.
	Role      Role   `json:"role"`
	// UserID, GroupID and ProjectID are numeric identifiers stored with the
	// account; their use is not visible in this package (presumably handed
	// to the storage backend — confirm).
	UserID    int    `json:"userID"`
	GroupID   int    `json:"groupID"`
	ProjectID int    `json:"projectID"`
}

Account is a gateway IAM account: the credentials (access key and secret) and role the gateway associates with one user.

type Action

// Action is an S3 IAM action name ("s3:...") as it appears in a bucket
// policy statement. Only the constants below (or a wildcard matching them)
// are accepted by IsValid.
type Action string
const (
	// Bucket-level actions.
	GetBucketAclAction               Action = "s3:GetBucketAcl"
	CreateBucketAction               Action = "s3:CreateBucket"
	PutBucketAclAction               Action = "s3:PutBucketAcl"
	DeleteBucketAction               Action = "s3:DeleteBucket"
	PutBucketVersioningAction        Action = "s3:PutBucketVersioning"
	GetBucketVersioningAction        Action = "s3:GetBucketVersioning"
	PutBucketPolicyAction            Action = "s3:PutBucketPolicy"
	GetBucketPolicyAction            Action = "s3:GetBucketPolicy"
	DeleteBucketPolicyAction         Action = "s3:DeleteBucketPolicy"
	// Multipart-upload actions.
	AbortMultipartUploadAction       Action = "s3:AbortMultipartUpload"
	ListMultipartUploadPartsAction   Action = "s3:ListMultipartUploadParts"
	ListBucketMultipartUploadsAction Action = "s3:ListBucketMultipartUploads"
	// Object-level actions.
	PutObjectAction                  Action = "s3:PutObject"
	GetObjectAction                  Action = "s3:GetObject"
	DeleteObjectAction               Action = "s3:DeleteObject"
	GetObjectAclAction               Action = "s3:GetObjectAcl"
	GetObjectAttributesAction        Action = "s3:GetObjectAttributes"
	PutObjectAclAction               Action = "s3:PutObjectAcl"
	RestoreObjectAction              Action = "s3:RestoreObject"
	// Tagging actions.
	GetBucketTaggingAction           Action = "s3:GetBucketTagging"
	PutBucketTaggingAction           Action = "s3:PutBucketTagging"
	GetObjectTaggingAction           Action = "s3:GetObjectTagging"
	PutObjectTaggingAction           Action = "s3:PutObjectTagging"
	DeleteObjectTaggingAction        Action = "s3:DeleteObjectTagging"
	// Listing actions.
	ListBucketVersionsAction         Action = "s3:ListBucketVersions"
	ListBucketAction                 Action = "s3:ListBucket"
	// AllActions is the "s3:*" wildcard. A statement granting it covers
	// every action above, including PutBucketPolicy and PutBucketAcl, so
	// it is effectively full control of the bucket.
	AllActions                       Action = "s3:*"
)

func (Action) IsObjectAction

func (a Action) IsObjectAction() bool

IsObjectAction reports whether the action is an object-level action (one that targets an object within a bucket) rather than a bucket-level one.

func (Action) IsValid

func (a Action) IsValid() error

IsValid validates the Action: it must either appear in the supported actions list or wildcard-match an entry in it; any other value is an error.

func (Action) WildCardMatch

func (a Action) WildCardMatch(act Action) bool

type Actions

// Actions is the set of actions named by one policy statement's "Action"
// field; entries are validated on insertion (see Add).
type Actions map[Action]struct{}

func (Actions) Add

func (a Actions) Add(str string) error

Add validates str as an Action (see Action.IsValid) and inserts it into the Actions map; an invalid action name is rejected with an error.

func (Actions) FindMatch

func (a Actions) FindMatch(action Action) bool

func (*Actions) UnmarshalJSON

func (a *Actions) UnmarshalJSON(data []byte) error

UnmarshalJSON is overridden so the "Action" field decodes from either a single JSON string or a JSON array of strings, both of which S3 policy documents allow.

type BucketPolicy

// BucketPolicy is a decoded S3 bucket policy document: its list of
// statements. Only the Statement member is modeled; other top-level
// members of a policy document (e.g. Version) are not retained.
type BucketPolicy struct {
	Statement []BucketPolicyItem `json:"Statement"`
}

func (*BucketPolicy) Validate

func (bp *BucketPolicy) Validate(bucket string, iam IAMService) error

type BucketPolicyAccessType

// BucketPolicyAccessType is the "Effect" of a policy statement.
type BucketPolicyAccessType string
const (
	// BucketPolicyAccessTypeDeny explicitly denies the statement's actions.
	BucketPolicyAccessTypeDeny  BucketPolicyAccessType = "Deny"
	// BucketPolicyAccessTypeAllow grants the statement's actions.
	BucketPolicyAccessTypeAllow BucketPolicyAccessType = "Allow"
)

func (BucketPolicyAccessType) Validate

func (bpat BucketPolicyAccessType) Validate() error

Validate checks that the statement Effect is one of the two valid values, "Allow" or "Deny"; any other value is an error.

type BucketPolicyItem

// BucketPolicyItem is one statement of a bucket policy.
type BucketPolicyItem struct {
	// Effect is "Allow" or "Deny"; see BucketPolicyAccessType.Validate.
	Effect     BucketPolicyAccessType `json:"Effect"`
	// Principals are the account access keys the statement applies to;
	// "*" is the wildcard (see Principals.ToSlice).
	Principals Principals             `json:"Principal"`
	// Actions are the s3:* actions granted or denied; see Actions.Add.
	Actions    Actions                `json:"Action"`
	// Resources are the bucket/object ARNs; see Resources.Validate.
	Resources  Resources              `json:"Resource"`
	// NOTE(review): there is no Condition field, so a statement's
	// "Condition" block is presumably dropped on decode, which would turn a
	// conditional grant into an unconditional one — confirm how callers
	// handle (or reject) policies that carry conditions.
}

func (*BucketPolicyItem) Validate

func (bpi *BucketPolicyItem) Validate(bucket string, iam IAMService) error

type GetBucketAclOutput

// GetBucketAclOutput is the response shape for GetBucketAcl, built by
// ParseACLOutput from the stored ACL bytes.
type GetBucketAclOutput struct {
	Owner             *types.Owner
	AccessControlList AccessControlList
}

func ParseACLOutput

func ParseACLOutput(data []byte) (GetBucketAclOutput, error)

type Grantee

// Grantee is one explicit ACL grant: a permission given to an account.
type Grantee struct {
	// Permission is the granted ACL permission (READ, WRITE, FULL_CONTROL, ...).
	Permission types.Permission
	// Access is the access key of the account receiving the grant.
	Access     string
}

type IAMCache

type IAMCache struct {
	// contains filtered or unexported fields
}

IAMCache is an in-memory cache of IAM accounts with expiration. It reduces load on the real IAM service when the gateway handles many requests: account updates made through the cache are forwarded to the underlying service, and lookups return the cached entry until it expires. Note the security consequence: a change made directly in the backing store (for example revoking or rotating a credential in LDAP or in the IAM S3 bucket, bypassing this gateway) is not seen until the cached entry expires, so a revoked credential can remain usable for up to expireTime. Cached entries also hold the account secret in process memory.

func NewCache

func NewCache(service IAMService, expireTime, cleanupInterval time.Duration) *IAMCache

NewCache initializes an IAM cache in front of the provided service. expireTime is how long a cache entry stays valid (and therefore the maximum staleness of account data, see IAMCache), and cleanupInterval is how often the cache is scanned for expired entries to remove.

func (*IAMCache) CreateAccount

func (c *IAMCache) CreateAccount(account Account) error

CreateAccount sends the create request to the underlying IAM service and creates a cache entry for the account.

func (*IAMCache) DeleteUserAccount

func (c *IAMCache) DeleteUserAccount(access string) error

DeleteUserAccount deletes the account from the underlying IAM service and removes it from the cache.

func (*IAMCache) GetUserAccount

func (c *IAMCache) GetUserAccount(access string) (Account, error)

GetUserAccount returns the cached account if it is present and not expired. Otherwise it retrieves the account from the underlying IAM service and caches the result for the expire duration.

func (*IAMCache) ListUserAccounts

func (c *IAMCache) ListUserAccounts() ([]Account, error)

ListUserAccounts is a passthrough to the underlying service; it does not read from or populate the cache.

func (*IAMCache) Shutdown

func (c *IAMCache) Shutdown() error

Shutdown performs graceful termination of the service.

type IAMService

// IAMService is the interface for all IAM service implementations
// (internal file store, S3 bucket, LDAP, single-tenant, and the IAMCache
// wrapper).
type IAMService interface {
	// CreateAccount stores a new account; implementations are expected to
	// reject an access key that already exists (see IAMServiceInternal).
	CreateAccount(account Account) error
	// GetUserAccount looks up an account by access key. Implementations
	// return ErrNoSuchUser when it does not exist (documented for the
	// internal service; confirm for the others).
	GetUserAccount(access string) (Account, error)
	// DeleteUserAccount removes the account with the given access key.
	DeleteUserAccount(access string) error
	// ListUserAccounts returns every stored account, secrets included.
	ListUserAccounts() ([]Account, error)
	// Shutdown performs graceful termination of the service.
	Shutdown() error
}

IAMService is the interface for all IAM service implementations

func New

func New(o *Opts) (IAMService, error)

func NewLDAPService

func NewLDAPService(url, bindDN, pass, queryBase, accAtr, secAtr, roleAtr, objClasses string) (IAMService, error)

type IAMServiceInternal

type IAMServiceInternal struct {
	// contains filtered or unexported fields
}

IAMServiceInternal is the built-in IAM service that stores accounts under the directory given to NewInternal.

func NewInternal

func NewInternal(dir string) (*IAMServiceInternal, error)

NewInternal creates a new instance for the Internal IAM service

func (*IAMServiceInternal) CreateAccount

func (s *IAMServiceInternal) CreateAccount(account Account) error

CreateAccount creates a new IAM account. Returns an error if the account already exists.

func (*IAMServiceInternal) DeleteUserAccount

func (s *IAMServiceInternal) DeleteUserAccount(access string) error

DeleteUserAccount deletes the specified user account. It does not check whether the account exists, so deleting an unknown access key is not reported as an error.

func (*IAMServiceInternal) GetUserAccount

func (s *IAMServiceInternal) GetUserAccount(access string) (Account, error)

GetUserAccount retrieves account info for the requested user. Returns ErrNoSuchUser if the account does not exist.

func (*IAMServiceInternal) ListUserAccounts

func (s *IAMServiceInternal) ListUserAccounts() ([]Account, error)

ListUserAccounts lists all the user accounts stored.

func (*IAMServiceInternal) Shutdown

func (s *IAMServiceInternal) Shutdown() error

Shutdown performs graceful termination of the service.

type IAMServiceS3

type IAMServiceS3 struct {
	// contains filtered or unexported fields
}

func NewS3

func NewS3(access, secret, region, bucket, endpoint string, sslSkipVerify, debug bool) (*IAMServiceS3, error)

func (*IAMServiceS3) CreateAccount

func (s *IAMServiceS3) CreateAccount(account Account) error

func (*IAMServiceS3) DeleteUserAccount

func (s *IAMServiceS3) DeleteUserAccount(access string) error

func (*IAMServiceS3) GetUserAccount

func (s *IAMServiceS3) GetUserAccount(access string) (Account, error)

func (*IAMServiceS3) ListUserAccounts

func (s *IAMServiceS3) ListUserAccounts() ([]Account, error)

func (*IAMServiceS3) ResolveEndpoint

func (s *IAMServiceS3) ResolveEndpoint(service, region string, options ...interface{}) (aws.Endpoint, error)

ResolveEndpoint implements the AWS SDK endpoint resolver so the IAM S3 client can target on-prem or other non-AWS, S3-compatible endpoints (the endpoint passed to NewS3).

func (*IAMServiceS3) Shutdown

func (s *IAMServiceS3) Shutdown() error

type IAMServiceSingle

type IAMServiceSingle struct{}

IAMServiceSingle is the single-tenant (root-only) IAM service: the root credentials are the only identity, and no user accounts exist.

func (IAMServiceSingle) CreateAccount

func (IAMServiceSingle) CreateAccount(account Account) error

CreateAccount is not supported in single-tenant mode; there are no accounts other than root to create.

func (IAMServiceSingle) DeleteUserAccount

func (IAMServiceSingle) DeleteUserAccount(access string) error

DeleteUserAccount is not supported in single-tenant mode; there are no user accounts to delete.

func (IAMServiceSingle) GetUserAccount

func (IAMServiceSingle) GetUserAccount(access string) (Account, error)

GetUserAccount finds no accounts in single-tenant mode; there are no user accounts to look up.

func (IAMServiceSingle) ListUserAccounts

func (IAMServiceSingle) ListUserAccounts() ([]Account, error)

ListUserAccounts returns no accounts in single-tenant mode.

func (IAMServiceSingle) Shutdown

func (IAMServiceSingle) Shutdown() error

Shutdown performs graceful termination of the service.

type LdapIAMService

type LdapIAMService struct {
	// contains filtered or unexported fields
}

func (*LdapIAMService) CreateAccount

func (ld *LdapIAMService) CreateAccount(account Account) error

func (*LdapIAMService) DeleteUserAccount

func (ld *LdapIAMService) DeleteUserAccount(access string) error

func (*LdapIAMService) GetUserAccount

func (ld *LdapIAMService) GetUserAccount(access string) (Account, error)

func (*LdapIAMService) ListUserAccounts

func (ld *LdapIAMService) ListUserAccounts() ([]Account, error)

func (*LdapIAMService) Shutdown

func (ld *LdapIAMService) Shutdown() error

Shutdown performs graceful termination of the service.

type Opts

// Opts selects and configures the IAMService built by New. Which backend
// is chosen is not visible here (presumably decided from which fields are
// populated — confirm against New).
type Opts struct {
	// Dir is the directory for the internal file-backed service (NewInternal).
	Dir                string
	// LDAP backend settings; see NewLDAPService for their meaning.
	LDAPServerURL      string
	LDAPBindDN         string
	// LDAPPassword is the bind password — a credential; keep it out of logs
	// and debug output.
	LDAPPassword       string
	LDAPQueryBase      string
	LDAPObjClasses     string
	LDAPAccessAtr      string
	// LDAPSecretAtr names the directory attribute holding each user's S3
	// secret key, so the directory entry itself is credential material.
	LDAPSecretAtr      string
	LDAPRoleAtr        string
	// S3 backend settings; see NewS3.
	S3Access           string
	// S3Secret is the secret key for the IAM S3 bucket — a credential.
	S3Secret           string
	S3Region           string
	S3Bucket           string
	S3Endpoint         string
	// S3DisableSSlVerfiy disables TLS certificate verification toward the
	// IAM S3 endpoint (presumably NewS3's sslSkipVerify). With it set, the
	// connection that carries every account's secret can be intercepted by
	// anyone on the path; use only for testing against self-signed
	// endpoints. The misspelled name is part of the exported API and is
	// kept as-is.
	S3DisableSSlVerfiy bool
	// S3Debug enables SDK debug output (presumably NewS3's debug).
	// NOTE(review): SDK debug logging typically includes request headers;
	// confirm it does not write credentials before enabling in production.
	S3Debug            bool
	// CacheDisable presumably bypasses the IAMCache wrapper — confirm in New.
	CacheDisable       bool
	// CacheTTL and CachePrune are the cache entry lifetime and cleanup
	// interval passed to NewCache; units are not visible here (presumably
	// seconds — confirm).
	CacheTTL           int
	CachePrune         int
}

type Principals

// Principals is the set of access keys named by a statement's "Principal"
// field; the literal "*" entry is the wildcard principal.
type Principals map[string]struct{}

func (Principals) Add

func (p Principals) Add(key string)

func (Principals) Contains

func (p Principals) Contains(userAccess string) bool

func (Principals) ToSlice

func (p Principals) ToSlice() []string

ToSlice converts the Principals map to a slice, omitting the wildcard principal "*".

func (*Principals) UnmarshalJSON

func (p *Principals) UnmarshalJSON(data []byte) error

UnmarshalJSON is overridden so the "Principal" field decodes from either a single JSON string or a JSON array of strings, both of which S3 policy documents allow.

func (Principals) Validate

func (p Principals) Validate(iam IAMService) error

Validate checks each principal against iam, requiring that a user account with that access key exists; a policy naming an unknown principal is rejected.

type Resources

// Resources is the set of ARNs named by a statement's "Resource" field;
// every entry must be scoped to the policy's own bucket (see Validate).
type Resources map[string]struct{}

func (Resources) Add

func (r Resources) Add(rc string) error

Add validates rc as a resource ARN and inserts it into the Resources map.

func (Resources) ContainsBucketPattern

func (r Resources) ContainsBucketPattern() bool

ContainsBucketPattern reports whether any resource in the set is a bucket-level pattern.

func (Resources) ContainsObjectPattern

func (r Resources) ContainsObjectPattern() bool

ContainsObjectPattern reports whether any resource in the set is an object-level pattern.

func (Resources) FindMatch

func (r Resources) FindMatch(resource string) bool

func (*Resources) UnmarshalJSON

func (r *Resources) UnmarshalJSON(data []byte) error

UnmarshalJSON is overridden so the "Resource" field decodes from either a single JSON string or a JSON array of strings, both of which S3 policy documents allow.

func (Resources) Validate

func (r Resources) Validate(bucket string) error

Validate checks that every resource ARN is scoped to the given bucket, i.e. it starts with ResourceArnPrefix followed by the bucket name (for example arn:aws:s3:::MyBucket/*), so that a bucket policy cannot grant access to another bucket's resources.

type Role

// Role is an account's privilege level within the gateway.
type Role string
const (
	// RoleUser is a regular account.
	RoleUser     Role = "user"
	// RoleAdmin is the administrative role (presumably what IsAdminOrOwner
	// tests for — confirm).
	RoleAdmin    Role = "admin"
	// RoleUserPlus is an elevated non-admin role; its extra privileges are
	// not visible here (presumably bucket creation, see MayCreateBucket —
	// confirm).
	RoleUserPlus Role = "userplus"
)

type UpdateAcctFunc

// UpdateAcctFunc is a read-modify-write callback: it receives the currently
// stored account data and returns the new data to be stored in its place.
type UpdateAcctFunc func([]byte) ([]byte, error)

UpdateAcctFunc receives the currently stored account data and returns the new data to be stored in its place.
