models

package
Published: Aug 18, 2023 License: MIT Imports: 15 Imported by: 0

Types

type Account

// Account is an account record kept in the account store. ShortName is the
// MongoDB document id (bson "_id").
type Account struct {
	// ShortName is the record's primary key (bson "_id").
	ShortName              string        `bson:"_id" json:"short_name"`
	AccountType            string        `json:"account_type"`
	AccountNumber          int           `json:"account_number"`
	Name                   string        `json:"name"`
	// ConsoleSessionDuration is also exposed in seconds via ConsoleSessionDurationSecs.
	ConsoleSessionDuration time.Duration `json:"console_session_duration,omitempty"`
	// NOTE(review): AdminVaultMaterial is serialized into JSON; the name
	// suggests secret material — confirm it is never returned to non-admin
	// callers.
	AdminVaultMaterial     string        `json:"admin_vault_material,omitempty"`
	AssumedRoleARN         string        `json:"assumed_role_arn"`
	DefaultRegion          string        `json:"default_region"`
	// Users is presumably the explicit allowed-users list that ListForUser
	// and GetForUser consult; admins not listed here are not matched by
	// ListForUser (see its doc) — verify against the store implementation.
	Users                  []string      `json:"users,omitempty"`
	// Deleted marks a soft-deleted record. Store methods skip records with
	// Deleted set unless the store's ReturnDeleted flag is true.
	Deleted                *time.Time    `json:"deleted,omitempty" bson:"deleted,omitempty"`
}

func (*Account) CanBeModifiedBy

func (a *Account) CanBeModifiedBy(u *User) bool

func (*Account) ConsoleSessionDurationSecs

func (a *Account) ConsoleSessionDurationSecs() int64

type AccountStore

// AccountStore is the persistence interface for Account records.
// The *ForUser methods are the authorization-aware variants: they only
// return accounts the given User has access to.
type AccountStore interface {
	// List returns all accounts; it performs no authorization check.
	List(context.Context) ([]*Account, error)
	// ListForUser returns only the accounts the user has access to.
	ListForUser(context.Context, *User) ([]*Account, error)
	Get(context.Context, string) (*Account, error)               // Error on not found
	GetForUser(context.Context, string, *User) (*Account, error) // Error on not found; also errors when the user lacks access
	Put(context.Context, *Account) error
	Delete(context.Context, *Account) error
}

type MongoDbAccountStore

// MongoDbAccountStore is the MongoDB-backed implementation of AccountStore.
type MongoDbAccountStore struct {
	Db *mongodb.Mongo

	// ReturnDeleted will allow all methods to return deleted items. By
	// default, items where the Deleted field is set will not be returned.
	// Non-admin use-cases should leave this set to false.
	ReturnDeleted bool
}

func (*MongoDbAccountStore) Delete

func (s *MongoDbAccountStore) Delete(ctx context.Context, a *Account) error

func (*MongoDbAccountStore) Get

func (s *MongoDbAccountStore) Get(ctx context.Context, id string) (*Account, error)

func (*MongoDbAccountStore) GetForUser

func (s *MongoDbAccountStore) GetForUser(ctx context.Context, id string, u *User) (*Account, error)

GetForUser returns an account if the user has access to this account, otherwise it returns an error. This is the authorized version of Get.

func (*MongoDbAccountStore) List

func (s *MongoDbAccountStore) List(ctx context.Context) ([]*Account, error)

List returns all accounts in the system.

func (*MongoDbAccountStore) ListForUser

func (s *MongoDbAccountStore) ListForUser(ctx context.Context, u *User) ([]*Account, error)

ListForUser returns all accounts for which the user has access. This is the authorized version of List.

Note this does not handle the case where a user is an admin but not explicitly listed in the allowed users list for an account. For that case just use List directly.

func (*MongoDbAccountStore) Put

type MongoDbUserStore

// MongoDbUserStore is the MongoDB-backed implementation of UserStore.
type MongoDbUserStore struct {
	Db *mongodb.Mongo

	// ReturnDeleted will allow all methods to return deleted items. By default
	// items where the Deleted field is set will not be returned. This should
	// be the common case for most code using this store but in some Admin
	// use-cases it would be useful to show deleted accounts.
	ReturnDeleted bool
}

func (*MongoDbUserStore) Delete

func (s *MongoDbUserStore) Delete(ctx context.Context, u *User) error

func (*MongoDbUserStore) Get

func (s *MongoDbUserStore) Get(ctx context.Context, username string) (*User, error)

func (*MongoDbUserStore) List

func (s *MongoDbUserStore) List(ctx context.Context) ([]*User, error)

func (*MongoDbUserStore) Put

func (s *MongoDbUserStore) Put(ctx context.Context, u *User) error

type SessionKey

// SessionKey is a signing key stored on a User record. Serialization is
// custom (MarshalJSON/MarshalBSON and their inverses); see the package doc
// below for the two flavors (service-generated key with a private key vs.
// public-only service key).
type SessionKey struct {
	// KeyId is the key identifier ("kid") used to look the key up on a User.
	KeyId                   string
	Description             string
	// Revoked, when set, makes the key invalid; revoked keys are deliberately
	// not treated as garbage so they remain available for auditing.
	Revoked                 *time.Time
	// NotAfter / NotBefore bound the validity window checked by IsValid.
	NotAfter                *time.Time
	NotBefore               *time.Time
	// PublicKey is used to verify signatures; present on both key flavors.
	PublicKey               crypto.PublicKey
	// PrivateKey is present only on service-generated keys and is used
	// solely to sign tokens; it is never handed to the user.
	PrivateKey              *ecdsa.PrivateKey
	// ExposePrivateKeysInJSON selects whether MarshalJSON emits the private
	// key (true) or the public key (false, the default). It is never
	// persisted (json:"-" bson:"-").
	ExposePrivateKeysInJSON bool `json:"-" bson:"-"`
}

SessionKey represents a key-pair (a public key and, sometimes, the corresponding private key) for a user that will be stored on the user's record in the user store. These keys are used for signing authentication JWTs.

This object is designed to be serialized to and from BSON and JSON. Other serializations can be added in the future as needed.

The ExposePrivateKeysInJSON field controls how JSON serialization of this struct works. When the field is set to false (the default), serialization into JSON will never encode a private key, but may encode a public key. If it is set to true then the private key will be encoded into the JSON value and not the public key. SETTING THIS TO TRUE AND EXPOSING THE RESULTS TO THE USER IS A SECURITY ERROR, so this should normally not be changed. The value of this field will never be persisted in any form.

There are two flavors of this record. A record with a private key (which implies a public key) is a key that the service generated and is used by the service to sign JWTs for the user. The private key is never given to the user. The private key is only used in the CreateToken flow, never the Verify flow. Currently (as of Nov 2021) the application sets a near-future NotAfter date and these get garbage collected. It might be nice to re-use them in the future for a while but it's not all that important.

The other flavor of this key will have a public key but no private key. These are service keys. Service keys are given to programmatic actors that need to be able to mint their own JWTs for authentication to the service. For these keys the client will construct their own JWT and sign it with the private key and the service will validate the signature with the public key. These keys (as of Nov 2021) do not expire, though they can be revoked.

func GenerateSessionKey

func GenerateSessionKey(ttl time.Duration) (*SessionKey, error)

func (*SessionKey) IsGarbage

func (s *SessionKey) IsGarbage() bool

IsGarbage checks to determine if a key is garbage that should be collected. The definition of garbage is roughly the inverse of the definition of valid, but revoked keys are not considered to be garbage since they may be useful for auditing later. Also, keys that are not yet valid are not garbage.

func (*SessionKey) IsValid

func (s *SessionKey) IsValid() bool

IsValid checks the various dates in the SessionKey to verify that they are valid and in-range for use. This should be called before trusting this key for any use.

func (*SessionKey) MarshalBSON

func (s *SessionKey) MarshalBSON() ([]byte, error)

func (*SessionKey) MarshalJSON

func (s *SessionKey) MarshalJSON() ([]byte, error)

MarshalJSON marshals a struct to JSON

This method will have different behavior if the ExposePrivateKeysInJSON field is set in the struct (the default is false). If this field is set to true the private keys will be exposed in the JSON results. If it is false then private keys will not be exposed. The ExposePrivateKeysInJSON itself will never be serialized.

func (*SessionKey) MarshalPrivateKey

func (s *SessionKey) MarshalPrivateKey() (string, error)

MarshalPrivateKey marshals the private key to an X509 encoded base64 string.

func (*SessionKey) MarshalPublicKey

func (s *SessionKey) MarshalPublicKey() (string, error)

MarshalPublicKey marshals the public key to an X509 encoded base64 string

func (*SessionKey) UnmarshalBSON

func (s *SessionKey) UnmarshalBSON(d []byte) error

func (*SessionKey) UnmarshalJSON

func (s *SessionKey) UnmarshalJSON(d []byte) error

UnmarshalJSON unmarshals a struct from JSON.

This method does attempt to unmarshal private keys.

func (*SessionKey) UnmarshalPrivateKey

func (s *SessionKey) UnmarshalPrivateKey(k string) error

UnmarshalPrivateKey unmarshals the private key from a base64 encoded X509 string into the public and private key fields.

func (*SessionKey) UnmarshalPublicKey

func (s *SessionKey) UnmarshalPublicKey(k string) error

UnmarshalPublicKey unmarshals the public key from a base64 encoded X509 string into the public key field.

type User

// User is a user record kept in the user store. Username is the MongoDB
// document id (bson "_id").
type User struct {
	Username   string                   `bson:"_id" json:"username"`
	IsAdmin    bool                     `json:"is_admin"`
	IsService  bool                     `json:"is_service"`
	// Keys holds the user's SessionKeys keyed by key id; GetKey only returns
	// valid ones and GCKeys prunes garbage (see SessionKey.IsGarbage).
	Keys       map[string]*SessionKey   `json:"keys,omitempty"`        // kid  -> key
	// NOTE(review): AuthTokens are OAuth2 credentials and are serialized
	// into JSON under "auth_tokens" — confirm this field is stripped from
	// any user-facing response.
	AuthTokens map[string]*oauth2.Token `json:"auth_tokens,omitempty"` // kind -> token
	// Deleted marks a soft-deleted record; the store skips such records
	// unless ReturnDeleted is set.
	Deleted    *time.Time               `json:"deleted,omitempty"`
}

func (*User) AddKey

func (u *User) AddKey(k *SessionKey)

func (*User) AddToken

func (u *User) AddToken(name string, t *oauth2.Token)

func (*User) GCKeys

func (u *User) GCKeys()

GCKeys garbage collects keys that are no longer valid

func (*User) GetKey

func (u *User) GetKey(kid string) *SessionKey

GetKey returns a key for a key ID. It will only return valid keys.

type UserStore

// UserStore is the persistence interface for User records. Unlike
// AccountStore it has no *ForUser variants; callers are expected to
// perform any authorization checks themselves.
type UserStore interface {
	List(context.Context) ([]*User, error)
	Get(context.Context, string) (*User, error) // Error on not found
	Put(context.Context, *User) error
	Delete(context.Context, *User) error
}
