leaps: github.com/Jeffail/leaps/lib/acl Index | Files

package acl

import "github.com/Jeffail/leaps/lib/acl"

Package acl - Contains solutions for introducing Access Control Layers to a leaps service. All acl types should implement the Authenticator interface, as this is used by the curator to determine user access. ACLs can also implement behaviour for managing sources or exposing information through HTTP APIs etc.

Index

Package Files

anarchy.go file_exists.go interface.go package.go redis_based.go

Variables

var (
    ErrInvalidAuthType = errors.New("invalid token authenticator type")
)

Errors for the auth package.

var (
    ErrNoKey = errors.New("key did not exist")
)

Errors for the Redis type.

type AccessLevel Uses

type AccessLevel int

AccessLevel - A unit of access to a particular document ID.

const (
    NoAccess AccessLevel = iota
    ReadAccess
    EditAccess
    CreateAccess
)

Units of AccessLevel for expressing a users access to a document.

type Anarchy Uses

type Anarchy struct {
    AllowCreate bool
}

Anarchy - Most basic implementation of an ACL, everyone has access to everything.

func (Anarchy) Authenticate Uses

func (a Anarchy) Authenticate(_ interface{}, _, _ string) AccessLevel

Authenticate - Always returns at least edit access, because anarchy.

type Authenticator Uses

type Authenticator interface {
    // Authenticate - Check a users access level. Leave documentID blank to check for CreateAccess.
    Authenticate(userMetadata interface{}, token, documentID string) AccessLevel
}

Authenticator - Implemented by types able to validate tokens for editing or creating documents. This is abstracted in order to accommodate for multiple authentication strategies.

Authenticate is the single call for all access level queries. The userID and token strings are used to identify a specific user and session token respectively, it is up to the implementation to make use of these fields or disregard them entirely.

The documentID field is used to a identify a specific document for accessing. If this field is populated then the authenticator is expected to check the access level the user has for that specific document, if the document does not exist then NoAccess should be returned. If, however, the field is left blank then the authenticator is expected to check for CreateAccess.

func NewAnarchy Uses

func NewAnarchy(allowCreate bool) Authenticator

NewAnarchy - Create a new anarchy authenticator.

func NewRedis Uses

func NewRedis(config RedisConfig, logger log.Modular) Authenticator

NewRedis - Creates a Redis using the provided configuration.

type FileExists Uses

type FileExists struct {
    // contains filtered or unexported fields
}

FileExists - An acl authenticator type that validates document edit sessions by checking that the document ID (the file path) exists. Can be configured to show hidden files.

func NewFileExists Uses

func NewFileExists(config FileExistsConfig, logger log.Modular) *FileExists

NewFileExists - Creates an File using the provided configuration.

func (*FileExists) Authenticate Uses

func (f *FileExists) Authenticate(_ interface{}, _, documentID string) AccessLevel

Authenticate - Checks whether the documentID (file path) exists, returns EditAccess if it does.

func (*FileExists) GetPaths Uses

func (f *FileExists) GetPaths() []string

GetPaths - Returns the cached list of file paths available.

type FileExistsConfig Uses

type FileExistsConfig struct {
    Path            string   `json:"path" yaml:"path"`
    ShowHidden      bool     `json:"show_hidden" yaml:"show_hidden"`
    RefreshPeriod   int64    `json:"refresh_period_s" yaml:"refresh_period_s"`
    ReservedIgnores []string `json:"ignore_files" yaml:"ignore_files"`
}

FileExistsConfig - A config object for the FileExists acl object.

func NewFileExistsConfig Uses

func NewFileExistsConfig() FileExistsConfig

NewFileExistsConfig - Returns a default config object for a FileExists object.

type Redis Uses

type Redis struct {
    // contains filtered or unexported fields
}

Redis - An Authenticator type that uses Redis for passing authentication tokens into leaps.

Leaps can be configured to use Redis for authentication. A service can provide an access token to leaps on behalf of a prospective user by adding a single key to the shared redis instance that outlines the type of access to be provided.

The key should be the unique, one-use access token that is also shared with the user. The value is a JSON blob that details the credentials and access level of the authentication:

Key: <token> Value: { "access_level":"<access_level>", "user_id":"<user_id>", "document_id":"<document_id>" }

<token> The shared token that the user is also given and subsequently provides to leaps. <access_level> The access level that your service wishes to grant the user. <user_id> The id of the authenticated user. <document_id> The id of the document, omit or leave this blank if you are granting CREATE access.

The options for <access_level> are `CREATE`, `EDIT` and `READ`.

Once leaps has read and verified the auth token it will delete the key. Key/value pairs should have a TTL such that they will expire if not used.

func (*Redis) Authenticate Uses

func (s *Redis) Authenticate(userMetadata interface{}, token, documentID string) AccessLevel

Authenticate - Reads a key (token) from redis and parses the value to check for an access level.

func (*Redis) DeleteKey Uses

func (s *Redis) DeleteKey(key string) error

DeleteKey - Deletes an existing key.

func (*Redis) ReadKey Uses

func (s *Redis) ReadKey(key string) (string, error)

ReadKey - Simply return the value of a particular key, or an error.

type RedisConfig Uses

type RedisConfig struct {
    URL          string `json:"url" yaml:"url"`
    Password     string `json:"password" yaml:"password"`
    PoolIdleTOut int64  `json:"pool_idle_s" yaml:"pool_idle_s"`
    PoolMaxIdle  int    `json:"pool_max_idle" yaml:"pool_max_idle"`
}

RedisConfig - A config object for the redis authentication object.

func NewRedisConfig Uses

func NewRedisConfig() RedisConfig

NewRedisConfig - Returns a default config object for a Redis.

Package acl imports 12 packages (graph) and is imported by 1 packages. Updated 2018-02-26. Refresh now. Tools for package owners.