Documentation
¶
Overview ¶
Package ipnauth controls access to the LocalAPI.
Index ¶
- Variables
- func LookupUserFromID(logf logger.Logf, uid string) (*user.User, error)
- type ConnIdentity
- func (ci *ConnIdentity) Creds() *peercred.Creds
- func (ci *ConnIdentity) IsReadonlyConn(operatorUID string, logf logger.Logf) bool
- func (ci *ConnIdentity) IsUnixSock() bool
- func (ci *ConnIdentity) Pid() int
- func (ci *ConnIdentity) WindowsToken() (WindowsToken, error)
- func (ci *ConnIdentity) WindowsUserID() ipn.WindowsUserID
- type WindowsToken
Constants ¶
This section is empty.
Variables ¶
var ErrNotImplemented = errors.New("not implemented for GOOS=" + runtime.GOOS)
ErrNotImplemented is returned by ConnIdentity.WindowsToken when it is not implemented for the current GOOS.
Functions ¶
Types ¶
type ConnIdentity ¶
type ConnIdentity struct {
// contains filtered or unexported fields
}
ConnIdentity represents the owner of a localhost TCP or unix socket connection connecting to the LocalAPI.
func GetConnIdentity ¶
GetConnIdentity extracts the identity information from the connection based on the user who owns the other end of the connection. and couldn't. The returned connIdentity has NotWindows set to true.
func (*ConnIdentity) Creds ¶
func (ci *ConnIdentity) Creds() *peercred.Creds
func (*ConnIdentity) IsReadonlyConn ¶
func (ci *ConnIdentity) IsReadonlyConn(operatorUID string, logf logger.Logf) bool
IsReadonlyConn reports whether the connection should be considered read-only, meaning it's not allowed to change the state of the node.
Read-only also means it's not allowed to access sensitive information, which admittedly doesn't follow from the name. Consider this "IsUnprivileged". Also, Windows doesn't use this. For Windows it always returns false.
TODO(bradfitz): rename it? Also make Windows use this.
func (*ConnIdentity) IsUnixSock ¶
func (ci *ConnIdentity) IsUnixSock() bool
func (*ConnIdentity) Pid ¶
func (ci *ConnIdentity) Pid() int
func (*ConnIdentity) WindowsToken ¶ added in v1.44.3
func (ci *ConnIdentity) WindowsToken() (WindowsToken, error)
WindowsToken is unsupported when GOOS != windows and always returns ErrNotImplemented.
func (*ConnIdentity) WindowsUserID ¶
func (ci *ConnIdentity) WindowsUserID() ipn.WindowsUserID
WindowsUserID returns the local machine's userid of the connection if it's on Windows. Otherwise it returns the empty string.
It's suitable for passing to LookupUserFromID (os/user.LookupId) on any operating system.
type WindowsToken ¶ added in v1.44.3
type WindowsToken interface {
io.Closer
// EqualUIDs reports whether other refers to the same user ID as the receiver.
EqualUIDs(other WindowsToken) bool
// IsAdministrator reports whether the receiver is a member of the built-in
// Administrators group, or else an error. Use IsElevated to determine whether
// the receiver is actually utilizing administrative rights.
IsAdministrator() (bool, error)
// IsUID reports whether the receiver's user ID matches uid.
IsUID(uid ipn.WindowsUserID) bool
// UID returns the ipn.WindowsUserID associated with the receiver, or else
// an error.
UID() (ipn.WindowsUserID, error)
// IsElevated reports whether the receiver is currently executing as an
// elevated administrative user.
IsElevated() bool
// IsLocalSystem reports whether the receiver is the built-in SYSTEM user.
IsLocalSystem() bool
// UserDir returns the special directory identified by folderID as associated
// with the receiver. folderID must be one of the KNOWNFOLDERID values from
// the x/sys/windows package, serialized as a stringified GUID.
UserDir(folderID string) (string, error)
// Username returns the user name associated with the receiver.
Username() (string, error)
}
WindowsToken represents the current security context of a Windows user.
Source Files