Documentation
¶
Overview ¶
Package warden implements endpoints capable of making access control decisions based on Access Control Policies
Index ¶
Constants ¶
const ( // TokenAllowedHandlerPath points to the token access request validation endpoint. TokenAllowedHandlerPath = "/warden/token/allowed" // AllowedHandlerPath points to the access request validation endpoint. AllowedHandlerPath = "/warden/allowed" )
Variables ¶
This section is empty.
Functions ¶
func OAuth2TokenIntrospectionFactory ¶ added in v0.9.12
func TokenFromRequest ¶
Types ¶
type LocalWarden ¶
type LocalWarden struct {
Warden ladon.Warden
OAuth2 fosite.OAuth2Provider
Groups group.Manager
AccessTokenLifespan time.Duration
Issuer string
L logrus.FieldLogger
}
func (*LocalWarden) IsAllowed ¶
func (w *LocalWarden) IsAllowed(ctx context.Context, a *firewall.AccessRequest) error
func (*LocalWarden) TokenAllowed ¶
func (w *LocalWarden) TokenAllowed(ctx context.Context, token string, a *firewall.TokenAccessRequest, scopes ...string) (*firewall.Context, error)
func (*LocalWarden) TokenFromRequest ¶
func (w *LocalWarden) TokenFromRequest(r *http.Request) string
type TokenValidator ¶ added in v0.9.12
type TokenValidator struct {
oauth2.CoreStrategy
oauth2.CoreStorage
ScopeStrategy fosite.ScopeStrategy
}
func (*TokenValidator) IntrospectToken ¶ added in v0.9.12
func (c *TokenValidator) IntrospectToken(ctx context.Context, token string, tokenType fosite.TokenType, accessRequest fosite.AccessRequester, scopes []string) (err error)
type WardenHandler ¶
WardenHandler is capable of handling HTTP request and validating access tokens and access requests.
func NewHandler ¶
func NewHandler(c *config.Config, router *httprouter.Router) *WardenHandler
func (*WardenHandler) Allowed ¶
func (h *WardenHandler) Allowed(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route POST /warden/allowed warden doesWardenAllowAccessRequest
Check if an access request is valid (without providing an access token)
Checks if a subject (typically a user or a service) is allowed to perform an action on a resource. This endpoint requires a subject, a resource name, an action name and a context. If the subject is not allowed to perform the action on the resource, this endpoint returns a 200 response with `{ "allowed": false}`, otherwise `{ "allowed": true }` is returned.
The subject making the request needs to be assigned to a policy containing:
```
{
"resources": ["rn:hydra:warden:allowed"],
"actions": ["decide"],
"effect": "allow"
}
```
Consumes:
- application/json
Produces:
- application/json
Schemes: http, https
Security:
oauth2: hydra.warden
Responses:
200: wardenAccessRequestResponse
401: genericError
403: genericError
500: genericError
func (*WardenHandler) SetRoutes ¶
func (h *WardenHandler) SetRoutes(r *httprouter.Router)
func (*WardenHandler) TokenAllowed ¶
func (h *WardenHandler) TokenAllowed(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route POST /warden/token/allowed warden doesWardenAllowTokenAccessRequest
Check if an access request is valid (providing an access token)
Checks if a token is valid and if the token subject is allowed to perform an action on a resource. This endpoint requires a token, a scope, a resource name, an action name and a context.
If a token is expired/invalid, has not been granted the requested scope or the subject is not allowed to perform the action on the resource, this endpoint returns a 200 response with `{ "allowed": false}`.
Extra data set through the `accessTokenExtra` field in the consent flow will be included in the response.
The subject making the request needs to be assigned to a policy containing:
```
{
"resources": ["rn:hydra:warden:token:allowed"],
"actions": ["decide"],
"effect": "allow"
}
```
Consumes:
- application/json
Produces:
- application/json
Schemes: http, https
Security:
oauth2: hydra.warden
Responses:
200: wardenTokenAccessRequestResponse
401: genericError
403: genericError
500: genericError
Source Files
Directories