authorisation

package

v2.31.2 Latest Latest Go to latest Published: Jan 26, 2024 License: MIT Imports: 15 Imported by: 19

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/ONSdigital/dp-authorisation

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func GetCollectionIDAttribute(req *http.Request) (map[string]string, error)
func NewCognitoRSAParser(identityClientKeys map[string]string) (*jwt.CognitoRSAParser, error)
type Config
- func NewDefaultConfig() *Config
type GetAttributesFromRequest
type JWTParser
type Middleware
- func NewFeatureFlaggedMiddleware(_ context.Context, _ *Config, _ map[string]string) (Middleware, error)
type NoopMiddleware
- func NewNoopMiddleware() *NoopMiddleware
type PermissionCheckMiddleware
- func NewMiddlewareFromConfig(ctx context.Context, config *Config, jwtRSAPublicKeys map[string]string) (*PermissionCheckMiddleware, error)
- func NewMiddlewareFromDependencies(jwtParser JWTParser, permissionsChecker PermissionsChecker, ...) *PermissionCheckMiddleware
type PermissionsChecker
type ZebedeeClient

Constants ¶

View Source

const (
	IdentityClientError = "identity client cannot be nil"
)

Variables ¶

This section is empty.

Functions ¶

func GetCollectionIDAttribute ¶ added in v2.28.0

func GetCollectionIDAttribute(req *http.Request) (map[string]string, error)

GetCollectionIdAttribute provides an implementation of GetAttributesFromRequest. Retrieves and returns header 'Collection-Id' from the request if it exists, otherwise returns an empty map. It may return an error only if the header cannot be retrieved by some other reason (e.g. nil request).

func NewCognitoRSAParser ¶

func NewCognitoRSAParser(identityClientKeys map[string]string) (*jwt.CognitoRSAParser, error)

NewCognitoRSAParser returns a CognitoRSAParser with correct RSA Public Signing Keys set

Types ¶

type Config ¶

type Config struct {
	Enabled                        bool              `envconfig:"AUTHORISATION_ENABLED"`
	JWTVerificationPublicKeys      map[string]string `envconfig:"JWT_VERIFICATION_PUBLIC_KEYS" json:"-"`
	PermissionsAPIURL              string            `envconfig:"PERMISSIONS_API_URL"`
	PermissionsCacheUpdateInterval time.Duration     `envconfig:"PERMISSIONS_CACHE_UPDATE_INTERVAL"`
	PermissionsMaxCacheTime        time.Duration     `envconfig:"PERMISSIONS_MAX_CACHE_TIME"`
	ZebedeeURL                     string            `envconfig:"ZEBEDEE_URL"`
	IdentityWebKeySetURL           string            `envconfig:"IDENTITY_WEB_KEY_SET_URL"`
	IdentityClientMaxRetries       int               `envconfig:"AUTHORISATION_IDENTITY_CLIENT_MAX_RETRIES"`
}

Config contains the required configuration / environment variables for the typical authorisation setup

func NewDefaultConfig ¶

func NewDefaultConfig() *Config

NewDefaultConfig populates the config struct with default values suitable for local development.

type GetAttributesFromRequest ¶

type GetAttributesFromRequest func(req *http.Request) (attributes map[string]string, err error)

GetAttributesFromRequest defines the func that retrieves and returns attributes from the request. Used by RequireWithAttributes. Use an implementation provided within this package or alternatively use a custom implementation that meets your requirements.

type JWTParser ¶

type JWTParser interface {
	Parse(tokenString string) (*permsdk.EntityData, error)
}

JWTParser takes a raw JWT token string, verifying it and extracting the required entity data.

type Middleware ¶

type Middleware interface {
	Require(permission string, handlerFunc http.HandlerFunc) http.HandlerFunc
	RequireWithAttributes(permission string, handlerFunc http.HandlerFunc, getAttributes GetAttributesFromRequest) http.HandlerFunc
	Close(ctx context.Context) error
	Parse(token string) (*permsdk.EntityData, error)
	HealthCheck(ctx context.Context, state *health.CheckState) error
	IdentityHealthCheck(ctx context.Context, state *health.CheckState) error
}

Middleware represents the high level interface for authorisation middleware

func NewFeatureFlaggedMiddleware ¶

func NewFeatureFlaggedMiddleware(_ context.Context, _ *Config, _ map[string]string) (Middleware, error)

NewFeatureFlaggedMiddleware returns a different Middleware implementation depending on the configured feature flag value Use this constructor when first adding authorisation as middleware so that it can be toggled off if required.

type NoopMiddleware ¶

type NoopMiddleware struct{}

NoopMiddleware provides a middleware implementation that does not do any permissions checking.

func NewNoopMiddleware ¶

func NewNoopMiddleware() *NoopMiddleware

NewNoopMiddleware creates a new instance of NoopMiddleware.

func (NoopMiddleware) Close ¶

func (m NoopMiddleware) Close(_ context.Context) error

Close resources used by the middleware.

func (NoopMiddleware) HealthCheck ¶

func (m NoopMiddleware) HealthCheck(_ context.Context, state *health.CheckState) error

HealthCheck updates the health status of the permissions checker

func (NoopMiddleware) IdentityHealthCheck ¶

func (m NoopMiddleware) IdentityHealthCheck(_ context.Context, state *health.CheckState) error

IdentityHealthCheck updates the health status of the jwt keys request against identity api

func (NoopMiddleware) Parse ¶

func (m NoopMiddleware) Parse(_ string) (*permsdk.EntityData, error)

Parse token used by the middleware.

func (NoopMiddleware) Require ¶

func (m NoopMiddleware) Require(_ string, handlerFunc http.HandlerFunc) http.HandlerFunc

Require wraps an existing handler. The Noop implementation just calls the underlying handler.

func (NoopMiddleware) RequireWithAttributes ¶

func (m NoopMiddleware) RequireWithAttributes(_ string, handlerFunc http.HandlerFunc, _ GetAttributesFromRequest) http.HandlerFunc

RequireWithAttributes wraps an existing handler. The Noop implementation just calls the underlying handler.

type PermissionCheckMiddleware ¶

type PermissionCheckMiddleware struct {
	IdentityClient *identityclient.IdentityClient
	// contains filtered or unexported fields
}

PermissionCheckMiddleware is used to wrap HTTP handlers with JWT token based authorisation

func NewMiddlewareFromConfig ¶

func NewMiddlewareFromConfig(ctx context.Context, config *Config, jwtRSAPublicKeys map[string]string) (*PermissionCheckMiddleware, error)

NewMiddlewareFromConfig creates a new instance of PermissionCheckMiddleware, instantiating the required dependencies from the given configuration values.

This constructor uses default dependencies - the Cognito specific JWT parser, caching permissions checker and JWT RSA public signing keys (optional) If different dependencies are required, use the NewMiddlewareFromDependencies constructor.

func NewMiddlewareFromDependencies ¶

func NewMiddlewareFromDependencies(jwtParser JWTParser, permissionsChecker PermissionsChecker, zebedeeClient ZebedeeClient, identityClient *identityclient.IdentityClient) *PermissionCheckMiddleware

NewMiddlewareFromDependencies creates a new instance of PermissionCheckMiddleware, using injected dependencies

func (PermissionCheckMiddleware) Close ¶

func (m PermissionCheckMiddleware) Close(ctx context.Context) error

Close resources used by the middleware.

func (PermissionCheckMiddleware) HealthCheck ¶

func (m PermissionCheckMiddleware) HealthCheck(ctx context.Context, state *health.CheckState) error

HealthCheck updates the health status of the permissions checker

func (PermissionCheckMiddleware) IdentityHealthCheck ¶

func (m PermissionCheckMiddleware) IdentityHealthCheck(ctx context.Context, state *health.CheckState) error

IdentityHealthCheck updates the health status of the jwt keys request against identity api

func (PermissionCheckMiddleware) Parse ¶

func (m PermissionCheckMiddleware) Parse(token string) (*permsdk.EntityData, error)

Parse token using returned Parser object

func (PermissionCheckMiddleware) Require ¶

func (m PermissionCheckMiddleware) Require(permission string, handlerFunc http.HandlerFunc) http.HandlerFunc

Require wraps an existing handler, only allowing it to be called if the request is authorised against the given permission. Calls method RequireWithAttributes() with nil getAttributes

func (PermissionCheckMiddleware) RequireWithAttributes ¶

func (m PermissionCheckMiddleware) RequireWithAttributes(permission string, handlerFunc http.HandlerFunc, getAttributes GetAttributesFromRequest) http.HandlerFunc

RequireWithAttributes wraps an existing handler, only allowing it to be called if the request is authorised against the given permission. Includes any attributes returned by getAttributes in the permission check.

type PermissionsChecker ¶

type PermissionsChecker interface {
	HasPermission(ctx context.Context,
		entityData permsdk.EntityData,
		permission string,
		attributes map[string]string,
	) (bool, error)
	Close(ctx context.Context) error
	HealthCheck(ctx context.Context, state *health.CheckState) error
}

PermissionsChecker checks if the given entity data matches the given permission

type ZebedeeClient ¶

type ZebedeeClient interface {
	CheckTokenIdentity(ctx context.Context, token string) (*dprequest.IdentityResponse, error)
}

ZebedeeClient validates old world token

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
mock

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL