Package auth

v0.9.15

This package is not in the latest version of its module.

Published: Mar 3, 2021 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Overview

Package auth contains an authorization check wrapper for handlers. Example:

	h, err := auth.WithAuth(handler, checker, auth.Require{ClientID: true, ClientSecret: true, Role: auth.Admin})
	if err != nil {
		...
	}
	r.HandleFunc("/path", h)

Index

Constants

const (

	// UserAuthorizationHeader is the standard user authorization request header as a bearer token.
	UserAuthorizationHeader = "Authorization"
	// LinkAuthorizationHeader is an additional auth token in the request header for linking accounts.
	LinkAuthorizationHeader = "X-Link-Authorization"
)

Variables

var (
	// RequireNone -> requires nothing for authorization
	RequireNone = Require{Nothing: true}
	// RequireClientID -> only require client id
	RequireClientID = Require{ClientID: true, ClientSecret: false, Role: None}
	// RequireClientIDAndSecret -> require client id and matched secret
	RequireClientIDAndSecret = Require{ClientID: true, ClientSecret: true, Role: None}
	// RequireAdminTokenClientCredential -> require an admin token, also the client id and secret
	RequireAdminTokenClientCredential = Require{ClientID: true, ClientSecret: true, Role: Admin, AllowIssuerInAudOrAzp: true, AllowAzp: true}
	// RequireUserTokenClientCredential -> require a user token, also the client id and secret
	RequireUserTokenClientCredential = Require{ClientID: true, ClientSecret: true, Role: User, AllowIssuerInAudOrAzp: true, AllowAzp: true}
	// RequireAccountAdminUserTokenCredential -> require a user token, client id & secret, and non-admins require the "account_admin" scope for edit methods
	RequireAccountAdminUserTokenCredential = Require{ClientID: true, ClientSecret: true, Role: User, EditScopes: []string{"account_admin"}, AllowIssuerInAudOrAzp: true, AllowAzp: true}
)
var (
	// HTTPClient used for external calls.
	HTTPClient *http.Client = nil
)

Functions

func AccessTokenCacheKey added in v0.9.13

func AccessTokenCacheKey(issuer, token string) string

AccessTokenCacheKey creates the caching key of access token.

func MustWithAuth

func MustWithAuth(handler func(http.ResponseWriter, *http.Request), checker *Checker, require Require) func(http.ResponseWriter, *http.Request)

MustWithAuth wraps the handler func with an authorization check that covers client credentials, bearer token validation and the role carried in the token. The function terminates the process (fatal) if passed an invalid requirement, which is cleaner when called from main.

func WithAuth

func WithAuth(handler func(http.ResponseWriter, *http.Request), checker *Checker, require Require) (func(http.ResponseWriter, *http.Request), error)

WithAuth wraps the handler func with an authorization check that covers client credentials, bearer token validation and the role carried in the token. The function returns an error if passed an invalid requirement.

Types

type Checker

type Checker struct {
	// contains filtered or unexported fields
}

Checker stores information and functions for authorization check.

func NewChecker added in v0.9.4

func NewChecker(logger *logging.Client, issuer string, permissions *permissions.Permissions, fetchClientSecrets func() (map[string]string, error), transformIdentity func(*ga4gh.Identity) *ga4gh.Identity, useUserinfoVerifyToken bool, cache func() cache.Client) *Checker

NewChecker creates a checker for authorization checks. ctx: used to create the OIDC token verifier; may carry an HTTP client for mocking. logger: audit log logger. issuer: accepted OIDC issuer URL. permissions: contains the method that checks whether a user has admin permission. fetchClientSecrets: fetches client IDs and client secrets. transformIdentity: transforms the identity as needed; runs just after the token is converted to an identity.

type Context added in v0.8.6

type Context struct {
	ID           *ga4gh.Identity
	LinkedID     *ga4gh.Identity
	ClientID     string
	ClientSecret string
	IsAdmin      bool
}

Context (i.e. auth.Context) is authorization information that is stored within the request context.

func FromContext added in v0.8.6

func FromContext(ctx context.Context) (*Context, error)

FromContext (i.e. auth.FromContext) returns auth information from the request context. Example within a request handler: a, err := auth.FromContext(r.Context())

type Require

type Require struct {
	Nothing      bool
	ClientID     bool
	ClientSecret bool
	// Role currently supports "user" and "admin". The check inspects the role inside the bearer token.
	// No bearer token is required if "Role" is empty.
	Role       Role
	EditScopes []string
	// client id of self
	SelfClientID string
	// allow using issuer as aud or azp
	AllowIssuerInAudOrAzp bool
	// allow azp
	AllowAzp bool
}

Require defines the Authorization Requirement.

type Role

type Role string

Role requirement of access.

const (
	// None -> no bearer token required
	None Role = ""
	// User -> requires any valid bearer token, need to match {user} in path
	User Role = "user"
	// Admin -> requires bearer token with admin permission
	Admin Role = "admin"
)
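To make the Require rules above concrete, here is an added example (not code from the auth package) that re-implements the documented decision order for one request: client credentials first, then the bearer token and its Role, then EditScopes for non-admins on edit methods. The Require and Token types, the clientSecrets map standing in for fetchClientSecrets, and the Authorize function are all constructed for this illustration; only Require's field names and the Role values follow the page.

```go
package main

import "errors"

// Constructed stand-ins: Require mirrors the documented auth.Require fields used here,
// Token is what a verified bearer token yields, clientSecrets plays fetchClientSecrets.
type Require struct {
	Nothing, ClientID, ClientSecret bool
	Role                            string // "", "user" or "admin", as in auth.Role
	EditScopes                      []string
}
type Token struct {
	Valid, Admin bool
	Subject      string
	Scopes       map[string]bool
}

var clientSecrets = map[string]string{"client-a": "secret-a"}

// Authorize applies the documented rules in order: client credentials, then bearer
// token and role, then EditScopes for non-admins on edit (non-GET) methods.
func Authorize(req Require, method, pathUser, clientID, clientSecret string, tok *Token) error {
	switch {
	case req.Nothing:
		return nil
	case req.ClientID && clientID == "":
		return errors.New("missing client id")
	case req.ClientSecret && clientSecrets[clientID] != clientSecret:
		return errors.New("client secret mismatch")
	case req.Role == "": // Role None: no bearer token required
		return nil
	case tok == nil || !tok.Valid:
		return errors.New("valid bearer token required")
	case req.Role == "admin" && !tok.Admin:
		return errors.New("admin permission required")
	case req.Role == "user" && tok.Subject != pathUser:
		return errors.New("token subject does not match {user} in path")
	}
	if method != "GET" && !tok.Admin {
		for _, s := range req.EditScopes {
			if !tok.Scopes[s] {
				return errors.New("edit requires scope " + s)
			}
		}
	}
	return nil
}
```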
