Documentation
¶
Overview ¶
Package access provides utilities for access control
Index ¶
- Variables
- func ContextWithAuthorization(ctx context.Context, a *Authorization) context.Context
- func ContextWithIdentity(ctx context.Context, identity string) context.Context
- func EnsureFunctionAccounts(db *csql.DB, accounts ...FunctionAccount) error
- func HandleAuthorizationRoute(router *mux.Router)
- func IdentityFromContext(ctx context.Context) string
- func NewBackdoorMiddelware(bmb *BackdoorMiddlewareBuilder) mux.MiddlewareFunc
- func NewJwtMiddelware(jmb *JwtMiddlewareBuilder) mux.MiddlewareFunc
- type Authorization
- type AuthorizationCache
- type BackdoorMiddlewareBuilder
- type FunctionAccount
- type IdentityIssuer
- type JwtMiddlewareBuilder
- type Permit
Constants ¶
This section is empty.
Variables ¶
var OnlyAdminAccess bool
OnlyAdminAccess requires admin access for everything
Functions ¶
func ContextWithAuthorization ¶
func ContextWithAuthorization(ctx context.Context, a *Authorization) context.Context
ContextWithAuthorization returns a new context with any non-nil authorization added to it
func ContextWithIdentity ¶
ContextWithIdentity returns a new context with the (authenticated) identity added to it
func EnsureFunctionAccounts ¶
func EnsureFunctionAccounts(db *csql.DB, accounts ...FunctionAccount) error
EnsureFunctionAccounts creates the specified function accounts if they do not exist yet
func HandleAuthorizationRoute ¶
HandleAuthorizationRoute adds a route /authorization GET to the router
The route returns the current authorization for the authenticated requester.
func IdentityFromContext ¶
IdentityFromContext retrieves the (authenticated) identity from the context
func NewBackdoorMiddelware ¶
func NewBackdoorMiddelware(bmb *BackdoorMiddlewareBuilder) mux.MiddlewareFunc
NewBackdoorMiddelware returns a middleware handler for a backdoor
The key for the backdoors map is the bearer token passed with the request.
Example: if you specify the backdoor
"please": Authorization{Roles:[]string{"admin"}}
then any request with an authorization bearer token consisting of the single magic word "please" will be authorized with the admin role.
With curl, use -H 'Authorization: Bearer please' or pass a cookie with -b 'Kurbisio-JWT=please'
The backdoor also accepts special tickets for VIPs. It then looks up the final authorization from the account collection in the backend.
func NewJwtMiddelware ¶
func NewJwtMiddelware(jmb *JwtMiddlewareBuilder) mux.MiddlewareFunc
NewJwtMiddelware returns a middleware handler to validate JWT bearer token.
Java-Web-Token (JWT) are accepted as "Authorization: Bearer" header or as "Kurbisio-JWT"-cookie.
This middleware requires that there is a resource "account" in the database, with an external index "identity", which stores the authorization for each identity as properties. An account identity is a combination of the token issuer with the user's email, separated by the pipe symbol '|'. Example:
"https://securetoken.google.com/loyalty2u-ea4fd|[email protected]"
This is a final handler with regards to the bearer token. It will return http.StatusUnauthorized when a token is available but insufficent to authorize the request.
Types ¶
type Authorization ¶
type Authorization struct {
Roles []string `json:"roles"`
Selectors map[string]string `json:"selectors,omitempty"`
}
Authorization is a context object which stores authorization information for user, things, or machines.
An authorization carries a list or roles and identifiers of resources from the backend configuration. It can also carry additional properties.
Authorizations are added to a request context with
ctx = auth.ContextWithAuthorization(ctx)
and retrieved with
auth := AuthorizationFromContext(ctx)
Authorization objects are added to the context by by different middleware implementations, depending on authorization tokens in the HTTP request. Kurbisio supports JWT bearer token, Kurbisio-Device-Token, Kurbisio-Machine-Token and a pair of Kurbisio-Thing-Key/Kurbisio-Thing-Identifier.
For the benefit of simple frontend development, it also supports a Kurbisio-JWT cookie.
func AuthorizationFromContext ¶
func AuthorizationFromContext(ctx context.Context) *Authorization
AuthorizationFromContext retrieves an authorization from the context
func (*Authorization) HasRole ¶
func (a *Authorization) HasRole(role string) bool
HasRole returns true if the authorization contains the requested role; otherwise it returns false.
func (*Authorization) HasRoles ¶
func (a *Authorization) HasRoles() bool
HasRoles returns true if the authorization contains any roles; otherwise it returns false
func (*Authorization) IsAuthorized ¶
func (a *Authorization) IsAuthorized(resources []string, operation core.Operation, params map[string]string, permits []Permit) bool
IsAuthorized returns true if the authorization is authorized for the requested resource and operation according to the passed permits.
The permits are a list of Permit objects, each containing a role, a list of operations and a list of required selectors.
The "admin" role has a universal permit for all operations. If a permit if given to "everybody", then this permit applies to all roles but "public"
The "admin viewer" role has a universal permit for read and list opersations
type AuthorizationCache ¶
type AuthorizationCache struct {
// contains filtered or unexported fields
}
AuthorizationCache is an in-memory cache for authorizations. It is used by jwt middleware to cache authorization objects for bearer tokens. The purpose of the cache is to reduce the number of database queries, without the cache the middleware would have to lookup the authorization for every single request.
func NewAuthorizationCache ¶
func NewAuthorizationCache() *AuthorizationCache
NewAuthorizationCache creates a new authorization cache
func (*AuthorizationCache) Read ¶
func (a *AuthorizationCache) Read(token string) *Authorization
Read returns an authorization from in-process cache. Token should be the temporary token the authorization was derived from, not any of the ids. This function is go-routine safe
func (*AuthorizationCache) Write ¶
func (a *AuthorizationCache) Write(token string, auth *Authorization)
Write stores an authorization in the in-memory cache. Token should be the temporary token it was derived from, not any of the ids. This function is go-routine safe
type BackdoorMiddlewareBuilder ¶
type BackdoorMiddlewareBuilder struct {
// Backdoors is a mapping from a bearer token to an actual authorization
Backdoors map[string]Authorization
// VIPs is a mapping from a bearer token to an identity
VIPs map[string]string
// DB is the postgres database. Must have a collection resource "account" with an external index
// "identity". The database is only used for VIP tickets.
DB *csql.DB
}
BackdoorMiddlewareBuilder is a helper builder for JwtMiddelware
type FunctionAccount ¶
FunctionAccount is a function accoutn
type IdentityIssuer ¶
type IdentityIssuer struct {
// PublicKeyDownloadURL is the download url for public keys. In case of google, this would be
// "https://www.googleapis.com/robot/v1/metadata/x509/[email protected]"
PublicKeyDownloadURL string
// Issuer is the accepted issuer for the token
Name string
}
IdentityIssuer is an entity that provides identity
type JwtMiddlewareBuilder ¶
type JwtMiddlewareBuilder struct {
// The list of providers of identities
Issuers []IdentityIssuer
// DB is the postgres database. Must have a collection resource "account" with an external index
// "identity".
DB *csql.DB
}
JwtMiddlewareBuilder is a helper builder for JwtMiddelware
type Permit ¶
type Permit struct {
Role string `json:"role"`
Operations []core.Operation `json:"operations"`
Selectors []string `json:"selectors"`
}
Permit models an authorization permit for a resource. It gives the role permission to execute any of the listed operations, provided that it can satisfy the requested selectors.
Source Files