warden

package
v0.9.13
Published: Sep 26, 2017 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Overview

Package warden decides if access requests should be allowed or denied. In a scientific taxonomy, the warden is classified as a Policy Decision Point. The warden's primary goal is to implement `github.com/ory-am/hydra/firewall.Firewall`. To read up on the warden, go to:

- https://ory-am.gitbooks.io/hydra/content/policy.html

- http://docs.hydra13.apiary.io/#reference/warden:-access-control-for-resource-providers

Contains source files:

- handler.go: An HTTP handler capable of validating access tokens.

- warden_http.go: A Go API using HTTP to validate access tokens.

- warden_local.go: A Go API using storage managers to validate access tokens.

- warden_test.go: Functional tests for all of the above.

Index

Constants

const (
	// TokenAllowedHandlerPath points to the token access request validation endpoint.
	TokenAllowedHandlerPath = "/warden/token/allowed"

	// AllowedHandlerPath points to the access request validation endpoint.
	AllowedHandlerPath = "/warden/allowed"
)

Variables

This section is empty.

Functions

func OAuth2TokenIntrospectionFactory added in v0.9.12

func OAuth2TokenIntrospectionFactory(config *compose.Config, storage interface{}, strategy interface{}) interface{}

func TokenFromRequest

func TokenFromRequest(r *http.Request) string

Types

type HTTPWarden

type HTTPWarden struct {
	Client   *http.Client
	Dry      bool
	Endpoint *url.URL
}

func (*HTTPWarden) IsAllowed

func (w *HTTPWarden) IsAllowed(ctx context.Context, a *firewall.AccessRequest) error

IsAllowed checks if an arbitrary subject is allowed to perform an action on a resource.

The HTTP API is documented at http://docs.hydra13.apiary.io/#reference/warden:-access-control-for-resource-providers/check-if-a-subject-is-allowed-to-do-something

func (*HTTPWarden) SetClient

func (w *HTTPWarden) SetClient(c *clientcredentials.Config)

func (*HTTPWarden) TokenAllowed

func (w *HTTPWarden) TokenAllowed(ctx context.Context, token string, a *firewall.TokenAccessRequest, scopes ...string) (*firewall.Context, error)

TokenAllowed checks if a token is valid and if the token owner is allowed to perform an action on a resource. This endpoint requires a token, a scope, a resource name, an action name and a context.

The HTTP API is documented at http://docs.hydra13.apiary.io/#reference/warden:-access-control-for-resource-providers/check-if-an-access-tokens-subject-is-allowed-to-do-something

func (*HTTPWarden) TokenFromRequest

func (w *HTTPWarden) TokenFromRequest(r *http.Request) string

type LocalWarden

type LocalWarden struct {
	Warden ladon.Warden
	OAuth2 fosite.OAuth2Provider
	Groups group.Manager

	AccessTokenLifespan time.Duration
	Issuer              string
	L                   logrus.FieldLogger
}

func (*LocalWarden) IsAllowed

func (w *LocalWarden) IsAllowed(ctx context.Context, a *firewall.AccessRequest) error

func (*LocalWarden) TokenAllowed

func (w *LocalWarden) TokenAllowed(ctx context.Context, token string, a *firewall.TokenAccessRequest, scopes ...string) (*firewall.Context, error)

func (*LocalWarden) TokenFromRequest

func (w *LocalWarden) TokenFromRequest(r *http.Request) string

type TokenValidator added in v0.9.12

type TokenValidator struct {
	oauth2.CoreStrategy
	oauth2.CoreStorage
	ScopeStrategy fosite.ScopeStrategy
}

func (*TokenValidator) IntrospectToken added in v0.9.12

func (c *TokenValidator) IntrospectToken(ctx context.Context, token string, tokenType fosite.TokenType, accessRequest fosite.AccessRequester, scopes []string) (err error)

type WardenHandler

type WardenHandler struct {
	H      herodot.Writer
	Warden firewall.Firewall
}

WardenHandler is capable of handling HTTP requests and validating access tokens and access requests.

func NewHandler

func NewHandler(c *config.Config, router *httprouter.Router) *WardenHandler

func (*WardenHandler) Allowed

swagger:route POST /warden/allowed warden wardenAllowed

Check if a subject is allowed to do something

Checks if an arbitrary subject is allowed to perform an action on a resource. This endpoint requires a subject, a resource name, an action name and a context. If the subject is not allowed to perform the action on the resource, this endpoint returns a 200 response with `{ "allowed": false }`.

The subject making the request needs to be assigned to a policy containing:

```
{
  "resources": ["rn:hydra:warden:allowed"],
  "actions": ["decide"],
  "effect": "allow"
}
```

   Consumes:
   - application/json

   Produces:
   - application/json

   Schemes: http, https

   Security:
     oauth2: hydra.warden

   Responses:
     200: wardenAllowedResponse
     401: genericError
     403: genericError
     500: genericError

func (*WardenHandler) SetRoutes

func (h *WardenHandler) SetRoutes(r *httprouter.Router)

func (*WardenHandler) TokenAllowed

func (h *WardenHandler) TokenAllowed(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

swagger:route POST /warden/token/allowed warden wardenTokenAllowed

Check if the subject of a token is allowed to do something

Checks if a token is valid and if the token owner is allowed to perform an action on a resource. This endpoint requires a token, a scope, a resource name, an action name and a context.

If a token is expired/invalid, has not been granted the requested scope or the subject is not allowed to perform the action on the resource, this endpoint returns a 200 response with `{ "allowed": false }`.

Extra data set through the `at_ext` claim in the consent response will be included in the response. The `id_ext` claim will never be returned by this endpoint.

The subject making the request needs to be assigned to a policy containing:

```
{
  "resources": ["rn:hydra:warden:token:allowed"],
  "actions": ["decide"],
  "effect": "allow"
}
```

   Consumes:
   - application/json

   Produces:
   - application/json

   Schemes: http, https

   Security:
     oauth2: hydra.warden

   Responses:
     200: wardenTokenAllowedResponse
     401: genericError
     403: genericError
     500: genericError
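The resource-server side of this route and of TokenFromRequest, as an added example that is neither hydra's code nor part of this page: a client that extracts the bearer token the way TokenFromRequest does, posts it to /warden/token/allowed, and treats only a 200 with allowed:true as a grant, together with an httptest stand-in for the warden that applies the rules just described (unknown or expired token, scope not granted, or no matching policy gives 200 with allowed:false; a caller without hydra.warden credentials gets 401). The JSON field names (token, scopes, resource, action, context in the request; allowed, sub, scopes in the response), the token values, the caller credential "warden-client-token" and the single policy are assumptions constructed for the example; in production the caller credential is the OAuth2 client-credentials client that HTTPWarden.SetClient configures.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Shapes for POST /warden/token/allowed; the JSON names are assumed from the linked API docs.
type TokenAccessRequest struct {
	Resource string                 `json:"resource"`
	Action   string                 `json:"action"`
	Context  map[string]interface{} `json:"context"`
}
type tokenAllowedBody struct {
	TokenAccessRequest
	Token  string   `json:"token"`
	Scopes []string `json:"scopes"`
}
type WardenContext struct { // the response; token metadata is present only with allowed:true
	Allowed bool     `json:"allowed"`
	Subject string   `json:"sub"`
	Scopes  []string `json:"scopes"`
}
var ErrDenied = fmt.Errorf("warden: access denied")

// tokenFromAuthHeader is what TokenFromRequest does with the Authorization header:
// accept "Bearer <token>" with a case-insensitive scheme, return "" for anything else.
func tokenFromAuthHeader(auth string) string {
	if p := strings.SplitN(strings.TrimSpace(auth), " ", 2); len(p) == 2 && strings.EqualFold(p[0], "bearer") {
		return strings.TrimSpace(p[1])
	}
	return ""
}

// TokenAllowed asks the warden whether token's subject may perform a.Action on a.Resource
// with every requested scope granted. callerToken authenticates the resource server itself.
// Only a 200 with allowed:true grants; allowed:false is ErrDenied, any other status an error.
func TokenAllowed(c *http.Client, endpoint, callerToken, token string, a TokenAccessRequest, scopes ...string) (*WardenContext, error) {
	body, _ := json.Marshal(tokenAllowedBody{TokenAccessRequest: a, Token: token, Scopes: scopes})
	req, err := http.NewRequest(http.MethodPost, endpoint+"/warden/token/allowed", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+callerToken)
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("warden: unexpected status %d", resp.StatusCode)
	}
	var out WardenContext
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	if !out.Allowed { // fail closed: a denial is a 200, so the flag, not the status, decides
		return nil, ErrDenied
	}
	return &out, nil
}

// NewFakeWarden stands in for hydra (constructed): two single-scope tokens and one allow rule.
func NewFakeWarden() *httptest.Server {
	type tok struct{ sub, scope string; exp time.Time }
	tokens := map[string]tok{
		"good-token":    {"alice", "files.read", time.Now().Add(time.Hour)},
		"expired-token": {"alice", "files.read", time.Now().Add(-time.Hour)},
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if tokenFromAuthHeader(r.Header.Get("Authorization")) != "warden-client-token" {
			http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized) // caller lacks hydra.warden
			return
		}
		var in tokenAllowedBody
		_ = json.NewDecoder(r.Body).Decode(&in) // a malformed body simply names no token
		t, ok := tokens[in.Token]
		ok = ok && time.Now().Before(t.exp) && len(in.Scopes) == 1 && in.Scopes[0] == t.scope
		ok = ok && t.sub == "alice" && in.Resource == "rn:files:1" && in.Action == "read" // the only policy
		out := WardenContext{Allowed: ok} // a denial carries allowed:false and nothing else
		if ok {
			out.Subject, out.Scopes = t.sub, []string{t.scope}
		}
		_ = json.NewEncoder(w).Encode(out) // a denial is still HTTP 200
	}))
}

func main() {
	srv := NewFakeWarden()
	defer srv.Close()
	a := TokenAccessRequest{Resource: "rn:files:1", Action: "read", Context: map[string]interface{}{"ip": "10.0.0.5"}}
	for _, c := range [][2]string{{"good-token", "files.read"}, {"good-token", "files.write"}, {"expired-token", "files.read"}} {
		ctx, err := TokenAllowed(srv.Client(), srv.URL, "warden-client-token", c[0], a, c[1])
		fmt.Printf("%s with %s: ctx=%+v err=%v\n", c[0], c[1], ctx, err)
	}
}
```

The same pattern serves /warden/allowed (IsAllowed): the body carries a subject instead of a token and scopes, and the decision is again read from the allowed flag, not from the status code. A client that treats any 200 as a grant, or that only reacts to 401 and 403, fails open on every denial this route produces.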

Directories

Path	Synopsis
group	Package group offers capabilities for grouping subjects together, making policy management easier.
