iam

package
v0.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 1, 2024 License: MIT Imports: 37 Imported by: 0

Documentation

Overview

Package cmd This file implements helper functions to validate Streaming AWS Signature Version '4' authorization header.

Index

Constants

View Source
const (
	ServiceS3 serviceType = "s3"
	//ServiceSTS STS
	ServiceSTS serviceType = "sts"
)

Variables

This section is empty.

Functions

func GetContentSha256Cksum

func GetContentSha256Cksum(r *http.Request, stype serviceType) string

Returns SHA256 for calculating canonical-request.

func IsAuthTypeStreamingSigned

func IsAuthTypeStreamingSigned(atype AuthType) bool

func IsRequestSignatureV4

func IsRequestSignatureV4(r *http.Request) bool

IsRequestSignatureV4 Verify if request has AWS Signature Version '4'.

func NewSignV4ChunkedReader

func NewSignV4ChunkedReader(req *http.Request, s *AuthSys) (io.ReadCloser, apierrors.ErrorCode)

NewSignV4ChunkedReader returns a new s3ChunkedReader that translates the data read from r out of HTTP "chunked" format before returning it. The s3ChunkedReader returns io.EOF when the final 0-length chunk is read.

NewChunkedReader is not needed by normal applications. The http package automatically decodes chunking when reading response bodies.

func SetAuthHandler

func SetAuthHandler(h http.Handler) http.Handler

SetAuthHandler to validate authorization header for the incoming request.

func SkipContentSha256Cksum

func SkipContentSha256Cksum(r *http.Request) bool

SkipContentSha256Cksum returns true if caller needs to skip payload checksum, false if not.

func TrimAwsChunkedContentEncoding

func TrimAwsChunkedContentEncoding(contentEnc string) (trimmedContentEnc string)

Trims away `aws-chunked` from the content-encoding header if present. Streaming signature clients can have custom content-encoding such as `aws-chunked,gzip` here we need to only save `gzip`. For more refer http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html

Types

type AccountStatus

type AccountStatus string

AccountStatus - account status.

const (
	AccountEnabled  AccountStatus = "on"
	AccountDisabled AccountStatus = "off"
)

Account status per user.

type AuthSys

type AuthSys struct {
	Iam       *IdentityAMSys
	PolicySys *store.BucketPolicySys
	AdminCred auth.Credentials
}

AuthSys auth and sign system

func NewAuthSys

func NewAuthSys(db objmetadb.ObjStoreMetaDBAPI, adminCred auth.Credentials) *AuthSys

NewAuthSys new an AuthSys

func (*AuthSys) CalculateSeedSignature

func (s *AuthSys) CalculateSeedSignature(r *http.Request) (cred auth.Credentials, signature string, region string, date time.Time, errCode apierrors.ErrorCode)

CalculateSeedSignature - Calculate seed signature in accordance with

returns signature, error otherwise if the signature mismatches or any other error while parsing and validating.

func (*AuthSys) CheckRequestAuthTypeCredential

func (s *AuthSys) CheckRequestAuthTypeCredential(ctx context.Context, r *http.Request, action s3action.Action, bucketName, objectName string) (cred auth.Credentials, owner bool, s3Err apierrors.ErrorCode)

CheckRequestAuthTypeCredential Check request auth type verifies the incoming http request

  • validates the request signature
  • validates the policy action if anonymous tests bucket policies if any, for authenticated requests validates IAM policies.

returns APIErrorCode if any to be replied to the client. Additionally, returns the accessKey used in the request, and if this request is by an admin.

func (*AuthSys) GetCredential

func (s *AuthSys) GetCredential(r *http.Request) (cred auth.Credentials, owner bool, s3Err apierrors.ErrorCode)

func (*AuthSys) GetReqAccessKeyV4

func (s *AuthSys) GetReqAccessKeyV4(r *http.Request, region string, stype serviceType) (auth.Credentials, bool, apierrors.ErrorCode)

func (*AuthSys) IsPutActionAllowed

func (s *AuthSys) IsPutActionAllowed(ctx context.Context, r *http.Request, action s3action.Action, bucketName, objectName string) (s3Err apierrors.ErrorCode)

IsPutActionAllowed - check if PUT operation is allowed on the resource, this call verifies bucket policies and IAM policies, supports multi user checks etc.

func (*AuthSys) IsReqAuthenticated

func (s *AuthSys) IsReqAuthenticated(ctx context.Context, r *http.Request, region string, stype serviceType) (s3Error apierrors.ErrorCode)

IsReqAuthenticated Verify if request has valid AWS Signature Version '4'.

func (*AuthSys) IsReqAuthenticatedV2

func (s *AuthSys) IsReqAuthenticatedV2(r *http.Request) (s3Error apierrors.ErrorCode)

Verify if request has valid AWS Signature Version '2'.

func (*AuthSys) ReqSignatureV4Verify

func (s *AuthSys) ReqSignatureV4Verify(r *http.Request, region string, stype serviceType) (s3Error apierrors.ErrorCode)

func (*AuthSys) ValidateAdminSignature

func (s *AuthSys) ValidateAdminSignature(ctx context.Context, r *http.Request, region string) (auth.Credentials, map[string]interface{}, bool, apierrors.ErrorCode)

ValidateAdminSignature validate admin Signature

type AuthType

type AuthType int

AuthType Authorization type.

const (
	AuthTypeUnknown AuthType = iota
	AuthTypeAnonymous
	AuthTypePresigned
	AuthTypePresignedV2
	AuthTypePostPolicy
	AuthTypeStreamingSigned
	AuthTypeSigned
	AuthTypeSignedV2
	AuthTypeJWT
	AuthTypeSTS
)

List of all supported auth types.

func GetRequestAuthType

func GetRequestAuthType(r *http.Request) AuthType

GetRequestAuthType Get request authentication type.

type IdentityAMSys

type IdentityAMSys struct {
	// contains filtered or unexported fields
}

IdentityAMSys - config system.

func NewIdentityAMSys

func NewIdentityAMSys(db objmetadb.ObjStoreMetaDBAPI) *IdentityAMSys

NewIdentityAMSys - new an IdentityAM config system

func (*IdentityAMSys) AddSubUser

func (sys *IdentityAMSys) AddSubUser(ctx context.Context, accessKey, secretKey, parentUser string, capacity uint64) error

AddSubUser add user

func (*IdentityAMSys) AddUser

func (sys *IdentityAMSys) AddUser(ctx context.Context, accessKey, secretKey string, capacity uint64) error

AddUser add user

func (*IdentityAMSys) CreatePolicy

func (sys *IdentityAMSys) CreatePolicy(ctx context.Context, policyName string, policyDocument policy.PolicyDocument) error

CreatePolicy Create Policy

func (*IdentityAMSys) GetAllUser added in v0.4.0

func (sys *IdentityAMSys) GetAllUser(ctx context.Context) ([]UserIdentity, error)

GetAllUser all user

func (*IdentityAMSys) GetUser

func (sys *IdentityAMSys) GetUser(ctx context.Context, accessKey string) (cred auth.Credentials, ok bool)

GetUser - get user credentials

func (*IdentityAMSys) GetUserInfo

func (sys *IdentityAMSys) GetUserInfo(ctx context.Context, accessKey string) (userIdentity UserIdentity, err error)

GetUserInfo - get user info

func (*IdentityAMSys) GetUserList

func (sys *IdentityAMSys) GetUserList(ctx context.Context, accressKey string) ([]*iam.User, error)

GetUserList all user

func (*IdentityAMSys) GetUserPolices

func (sys *IdentityAMSys) GetUserPolices(ctx context.Context, userName string) ([]string, error)

GetUserPolices Get User all Policy

func (*IdentityAMSys) GetUserPolicy

func (sys *IdentityAMSys) GetUserPolicy(ctx context.Context, userName, policyName string, policyDocument *policy.PolicyDocument) error

GetUserPolicy Get User Policy

func (*IdentityAMSys) IsAllowed

func (sys *IdentityAMSys) IsAllowed(ctx context.Context, args auth.Args) bool

IsAllowed - checks given policy args is allowed to continue the Rest API.

func (*IdentityAMSys) IsAllowedSTS

func (sys *IdentityAMSys) IsAllowedSTS(args auth.Args, parentUser string) bool

IsAllowedSTS is meant for STS based temporary credentials, which implements claims validation and verification other than applying policies.

func (*IdentityAMSys) IsTempUser

func (sys *IdentityAMSys) IsTempUser(ctx context.Context, name string) (bool, string, error)

IsTempUser - returns if given key is a temporary user.

func (*IdentityAMSys) PutUserPolicy

func (sys *IdentityAMSys) PutUserPolicy(ctx context.Context, userName, policyName string, policyDocument policy.PolicyDocument) error

PutUserPolicy Create Policy

func (*IdentityAMSys) RemoveUser

func (sys *IdentityAMSys) RemoveUser(ctx context.Context, accessKey string) error

RemoveUser Remove User

func (*IdentityAMSys) RemoveUserPolicy

func (sys *IdentityAMSys) RemoveUserPolicy(ctx context.Context, userName, policyName string) error

RemoveUserPolicy remove User Policy

func (*IdentityAMSys) SetTempUser

func (sys *IdentityAMSys) SetTempUser(ctx context.Context, accessKey string, cred auth.Credentials, m map[string]interface{}, policyName string) (auth.Credentials, error)

SetTempUser - set temporary user credentials, these credentials have an expiry. The permissions for these STS credentials is determined in one of the following ways:

func (*IdentityAMSys) UpdateUser

func (sys *IdentityAMSys) UpdateUser(ctx context.Context, cred auth.Credentials) error

UpdateUser Update User

func (*IdentityAMSys) UpdateUserPolicy

func (sys *IdentityAMSys) UpdateUserPolicy(ctx context.Context, username string, pname string, p *policy.Policy) error

UpdateUserPolicy update user policy

type UserIdentity

type UserIdentity struct {
	Credentials          auth.Credentials `json:"credentials"`
	TotalStorageCapacity uint64           `json:"total_storage_capacity"`
}

UserIdentity represents a user's secret key and their status

type UserInfo

type UserInfo struct {
	AccountName          string             `json:"account_name"`
	TotalStorageCapacity uint64             `json:"total_storage_capacity"`
	BucketInfos          []store.BucketInfo `json:"bucket_infos"`
	UseStorageCapacity   uint64             `json:"use_storage_capacity"`
	PolicyName           []string           `json:"policy_name"`
	Status               AccountStatus      `json:"status"`
}

UserInfo carries information about long term users.

type UserOverView added in v0.4.0

type UserOverView struct {
	AccountName          string `json:"account_name"`
	TotalStorageCapacity uint64 `json:"total_storage_capacity"`
	UseStorageCapacity   uint64 `json:"use_storage_capacity"`
	BucketsCount         uint64 `json:"buckets_count"`
	ObjectsCount         uint64 `json:"objects_count"`
}

UserInfo carries information about long term users.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL