Documentation
Index
- Constants
- Variables
- func CheckAccess(permissionGroup string, hasRole string, makerChecker bool, ...) (bool, error)
- func CheckEndpointPermission(endpoint string, role string, method string, level string) bool
- func ClearContext(r *http.Request)
- func ClientToken(w http.ResponseWriter, r *http.Request)
- func ComparePaths(expr string, target string) bool
- func DoSomething(w http.ResponseWriter, r *http.Request)
- func EndPointPermissions() string
- func ExtractRoutePath(r *http.Request) (string, error)
- func GetEndpointPermissions(endpoint string, method string, level string) []string
- func GetIdentity(req *http.Request) (string, error)
- func GetTimeTill(req *http.Request) (int64, error)
- func HasAccount(accountName string, req *http.Request) bool
- func ServiceCheck(w http.ResponseWriter, r *http.Request)
- type Default
- type Endpoint
- type Groups
- type Method
- type Operation
- type Permissions
- type Permit
- type Role
- type SessionContext
Constants
const ContextKey key = "sessionToken"
Variables
var EndpointJwtPermissions = func() map[string]bool {
	return map[string]bool{
		"/accounts":                      true,
		"/assets":                        true,
		"/assets/participants":           true,
		"/assets/issued":                 true,
		"/assets/accounts":               true,
		"/balances/accounts":             true,
		"/obligations":                   true,
		"/exchange":                      true,
		"/fees":                          true,
		"/participants":                  true,
		"/participants/whitelist":        true,
		"/payout":                        true,
		"/quotes":                        true,
		"/quotes/request":                true,
		"/sign":                          true,
		"/token/refresh":                 true,
		"/transactions":                  true,
		"/transactions/reply":            true,
		"/transactions/send":             true,
		"/transactions/settle/da":        true,
		"/transactions/settle/do":        true,
		"/trust":                         true,
		"/auth/participant-auth-test":    true,
		"/address":                       true,
		"/fundings/instruction":          true,
		"/fundings/send":                 true,
		"/message":                       true,
	}
}
EndpointJwtPermissions : endpoints for JWT authentication. These control the admin endpoints and need to be reviewed by the security team. They also require strict control, because these are the endpoints the API will hit; we don't want to let unnecessary API requests pass through.
var EndpointParticipantNoMakerChecker = func() map[string]bool {
	return map[string]bool{
		"/direct-maker-checker": true,
	}
}
EndpointParticipantNoMakerChecker : set of endpoints that do not need maker/checker for POST requests. Updating this list requires critical review from the security team and all functional leaders at the time.
var EndpointParticipantPermissionsForGet = func() map[string][]string {
	return map[string][]string{
		"/v1/admin/pr":                      []string{"admin", "manager"},
		"/v1/admin/pr/domain":               []string{"admin", "manager"},
		"/v1/anchor/assets/issued":          []string{"admin", "manager"},
		"/v1/anchor/address":                []string{"admin", "manager"},
		"/v1/client/accounts":               []string{"admin", "manager"},
		"/v1/client/assets":                 []string{"admin", "manager"},
		"/v1/client/assets/accounts":        []string{"admin", "manager"},
		"/v1/client/assets/issued":          []string{"admin", "manager"},
		"/v1/client/assets/participants":    []string{"admin", "manager"},
		"/v1/client/balances/accounts":      []string{"admin", "manager"},
		"/v1/client/obligations":            []string{"admin", "manager"},
		"/v1/client/participants/whitelist": []string{"admin", "manager"},
		"/v1/client/participants":           []string{"admin", "manager"},
		"/v1/client/transactions":           []string{"admin", "manager"},
		"/maker-checker":                    []string{"admin", "manager"},
	}
}
EndpointParticipantPermissionsForGet : lists the endpoints participants may GET, with the roles allowed on each.
var EndpointParticipantPermissionsForPost = func() map[string][]string {
	return map[string][]string{
		"/v1/client/participants":           []string{"admin", "manager"},
		"/v1/client/participants/whitelist": []string{"admin"},
		"/v1/client/transactions/settle/da": []string{"admin", "manager"},
		"/v1/client/transactions/settle/do": []string{"admin", "manager"},
		"/v1/client/trust":                  []string{"admin", "manager"},
		"/v1/anchor/fundings/instruction":   []string{"admin", "manager"},
		"/v1/anchor/fundings/send":          []string{"admin", "manager"},
		"/v1/anchor/trust":                  []string{"admin"},
		"/v1/client/assets":                 []string{"admin", "manager"},
		"/maker-checker":                    []string{"admin", "manager"},
	}
}
EndpointParticipantPermissionsForPost : lists the endpoints participants may POST, with the roles allowed on each. These requests go through the maker/checker flow.
var EndpointSuperNoMakerChecker = func() map[string]bool {
	return map[string]bool{
		"/v1/admin/payout":                   true,
		"/v1/admin/payout/csv":               true,
		"/v1/admin/accounts/" + util.ISSUING: true,
		"/v1/admin/accounts/" + util.DEFAULT: true,
		"/direct-maker-checker":              true,
	}
}
EndpointSuperNoMakerChecker : set of endpoints that do not need maker/checker for POST requests. Updating this list requires critical review from the security team and all functional leaders at the time.
var EndpointSuperPermissionsForGet = func() map[string][]string {
	return map[string][]string{
		"/v1/registry/participants":     []string{"admin", "manager"},
		"/v1/onboarding/accounts":       []string{"admin", "manager"},
		"v1/admin/anchor/assets/issued": []string{"admin", "manager"}, // note: this key lacks the leading slash every other entry has
		"/v1/admin/blocklist":           []string{"admin", "manager"},
		"/maker-checker":                []string{"admin", "manager"},
	}
}
EndpointSuperPermissionsForGet : permissions based on Chase's permission branch on World Wire services.
var EndpointSuperPermissionsForPost = func() map[string][]string {
	return map[string][]string{
		"/v1/admin/pr":            []string{"admin", "manager"},
		"/v1/admin/anchor":        []string{"admin", "manager"},
		"/v1/onboarding/accounts": []string{"admin", "manager"},
		"/v1/deploy/participant":  []string{"admin", "manager"},
		"/v1/admin/blocklist":     []string{"admin", "manager"},
		"/v1/admin/suspend":       []string{"admin", "manager"},
		"/v1/admin/reactivate":    []string{"admin", "manager"},
		"/maker-checker":          []string{"admin", "manager"},
	}
}
EndpointSuperPermissionsForPost : lists the endpoints super users may POST, with the roles allowed on each. These requests go through the maker/checker flow.
var LOGGER = logging.MustGetLogger("auth-middleware")
Functions
func CheckAccess
func CheckAccess(permissionGroup string, hasRole string, makerChecker bool, requestedMethod string, requestedEndpoint string) (bool, error)
CheckAccess : gets the roles needed for an endpoint and permission type.
permissionGroup = Jwt | Super_permissions | Participant_permissions
hasRole = admin | manager | viewer | allow (for jwt only)
makerChecker = true (ie: maker/checker required) | false (ie: maker/checker NOT required). NOTE: the value does not matter for the JWT endpoint group, since JWT does not implement a maker/checker flow.
requestedMethod = GET | PUT | POST | DELETE
requestedEndpoint = path that the inbound request is attempting to reach
userRole = admin | manager | viewer | allow (for jwt only)
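The decision the CheckAccess doc comment describes, as an added example that is not the package's own code: a constructed subset of the tables above (the "/direct-maker-checker" POST entry is hypothetical, added only so the exemption path runs), a Decide function that models the level/method/role lookup plus the maker/checker requirement, and a BadKeys guard that catches table keys such as the slash-less "v1/admin/anchor/assets/issued" entry copied from the page, which no inbound route can ever match.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed subset of the page's permission tables, keyed level:method.
// The "/direct-maker-checker" POST entry is hypothetical, added to exercise the exemption.
var tables = map[string]map[string][]string{
	"Participant_permissions:GET": {
		"/v1/client/participants/whitelist": {"admin", "manager"},
	},
	"Participant_permissions:POST": {
		"/v1/client/participants/whitelist": {"admin"},
		"/v1/client/trust":                  {"admin", "manager"},
		"/direct-maker-checker":             {"admin"},
	},
	"Super_permissions:GET": {
		"/v1/admin/blocklist":           {"admin", "manager"},
		"v1/admin/anchor/assets/issued": {"admin", "manager"}, // copied exactly as the page lists it
	},
}
var noMakerChecker = map[string]bool{"/direct-maker-checker": true}

// Decide models the lookup the CheckAccess doc describes: level and method select a table,
// the role must be listed for the endpoint, and an allowed POST still needs maker/checker
// unless exempt. Unknown endpoints and unknown groups fail closed (nil map lookups).
func Decide(level, role, method, endpoint string) (allowed, makerChecker bool) {
	endpoint = strings.TrimSpace(endpoint) // same whitespace handling ComparePaths documents
	for _, r := range tables[level+":"+method][endpoint] {
		allowed = allowed || r == role
	}
	return allowed, allowed && method == "POST" && !noMakerChecker[endpoint]
}

// BadKeys guards the tables themselves: a key without a leading slash can never match an
// inbound route, so the entry is dead policy and the table should fail review.
func BadKeys(table map[string][]string) (bad []string) {
	for k := range table {
		if !strings.HasPrefix(k, "/") {
			bad = append(bad, k)
		}
	}
	return bad
}

func main() {
	fmt.Println(Decide("Participant_permissions", "admin", "POST", "/v1/client/trust")) // true true
	fmt.Println(BadKeys(tables["Super_permissions:GET"]))                              // [v1/admin/anchor/assets/issued]
}
```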
func CheckEndpointPermission
func CheckEndpointPermission(endpoint string, role string, method string, level string) bool
CheckEndpointPermission : checks for permissions in the auth constants file.
Params: endpoint string, role string, method string, level string
func ClientToken
func ClientToken(w http.ResponseWriter, r *http.Request)
ClientToken : final test endpoint logic (executes after passing the client token middleware)
$ curl -X POST -d '{"msg":"some really cool message"}' http://localhost:8080/test -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7InVzZXJuYW1lIjoidXNlcjEyMyIsInBhc3N3b3JkIjoiMTIzNCIsImZpcnN0TmFtZSI6IkpvbiIsImxhc3ROYW1lIjoiRG9lIiwiZG9iIjoiMTIvMTEvMTk5MSIsImVtYWlsIjoidXNlckBnbWFpbC5jb20iLCJhZGRyZXNzIjp7InN0cmVldCI6IjU1NSBCYXlzaG9yZSBCbHZkIiwiY2l0eSI6IlRhbXBhIiwic3RhdGUiOiJGbG9yaWRhIiwiemlwIjoiMzM4MTMifX0sImNvdW50IjoxLCJpYXQiOjE1NDYwNzMyMzcsImF1ZCI6IltcIi90ZXN0XCIsXCIvdGVzdDFcIixcIi90ZXN0MlwiXSJ9.opHpsnB4Glrnyqm5_pFXN-OuSyRde8a_-l1uB5qA56g"
func ComparePaths
func ComparePaths(expr string, target string) bool
ComparePaths : compares two input routes after trimming surrounding whitespace from each.
func DoSomething
func DoSomething(w http.ResponseWriter, r *http.Request)
DoSomething : final test endpoint logic (executes after passing the jwt middleware)
$ curl -X POST -d '{"msg":"some really cool message"}' http://localhost:8080/test -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7InVzZXJuYW1lIjoidXNlcjEyMyIsInBhc3N3b3JkIjoiMTIzNCIsImZpcnN0TmFtZSI6IkpvbiIsImxhc3ROYW1lIjoiRG9lIiwiZG9iIjoiMTIvMTEvMTk5MSIsImVtYWlsIjoidXNlckBnbWFpbC5jb20iLCJhZGRyZXNzIjp7InN0cmVldCI6IjU1NSBCYXlzaG9yZSBCbHZkIiwiY2l0eSI6IlRhbXBhIiwic3RhdGUiOiJGbG9yaWRhIiwiemlwIjoiMzM4MTMifX0sImNvdW50IjoxLCJpYXQiOjE1NDYwNzMyMzcsImF1ZCI6IltcIi90ZXN0XCIsXCIvdGVzdDFcIixcIi90ZXN0MlwiXSJ9.opHpsnB4Glrnyqm5_pFXN-OuSyRde8a_-l1uB5qA56g"
func EndPointPermissions
func EndPointPermissions() string
EndPointPermissions : returns the defined permissions for the middleware.
func ExtractRoutePath
func ExtractRoutePath(r *http.Request) (string, error)
ExtractRoutePath : uses a mux function to get the requested raw path as registered with the mux router (ie: with path params in the form /some/route/{path}/{params}). Returns path, err.
func GetEndpointPermissions
func GetEndpointPermissions(endpoint string, method string, level string) []string
GetEndpointPermissions : returns the list of permissions that the endpoint has.
@param endpoint string, method string, level string
@returns a list of strings, ie: the permissions (roles) associated with this specific endpoint. For example, /trust should only be allowed for the participant_manager role.
@memberOf AuthService
func GetIdentity
func GetIdentity(req *http.Request) (string, error)
GetIdentity : returns the participant ID of the caller/user. This function assumes the authentication and authorization check has already been performed and verified against the participantID.
func GetTimeTill
func GetTimeTill(req *http.Request) (int64, error)
GetTimeTill : returns the JWT token's time till value. This function assumes the authentication and authorization check has already been performed and verified against the participantID.
func HasAccount
func HasAccount(accountName string, req *http.Request) bool
HasAccount : reports whether the JWT token carries the correct access for the given account.
func ServiceCheck
func ServiceCheck(w http.ResponseWriter, r *http.Request)
ServiceCheck : service check (health check) for the auth service.
Types
type Permissions
type Permissions struct {
	Permissions Groups
}
Permissions : defines the user & JWT permissions needed to access an endpoint.
type SessionContext
SessionContext : object that stores the token session.
func GetSessionContext
func GetSessionContext(r *http.Request) (SessionContext, error)
GetSessionContext : returns the session context from the jwt token, without depending on func JwtAuthorization.
func ParseContext
func ParseContext(r *http.Request, claims *jwt.IJWTTokenClaim) (SessionContext, error)
ParseContext : parses the jwt token claims into a SessionContext.