Documentation
¶
Index ¶
- Constants
- Variables
- func GenerateToken(user User) (Password, Token)
- func GenerateUser(name, email string) (Password, User)
- func NewID() string
- func ValidOrgRole(role Label) bool
- func ValidProjectRole(role Label) bool
- type Action
- type Assignment
- type Collection
- type Config
- type Contributor
- type Credentials
- type CredentialsAlgType
- type DBURL
- func (d *DBURL) Copy() (*DBURL, error)
- func (d DBURL) MarshalGQL(w io.Writer)
- func (d *DBURL) MarshalJSON() ([]byte, error)
- func (d *DBURL) SetPassword(pw string)
- func (d *DBURL) ToURL() *url.URL
- func (d *DBURL) UnmarshalGQL(v interface{}) error
- func (d *DBURL) UnmarshalJSON(b []byte) error
- func (d *DBURL) Validate() error
- type Effect
- type Email
- type EncryptedToken
- type Entity
- type Field
- type Label
- type Match
- type Name
- type NamedTransformation
- type Password
- type Permission
- type Policy
- type PolicyFile
- type Project
- type ProjectDescription
- type ProjectDisplayName
- type ProjectRolesMap
- type ProjectStatus
- type Recovery
- type Role
- type Rule
- type SecretArg
- type Session
- type Suggestion
- type SuggestionState
- type Target
- type TargetType
- type Token
- type Transformation
- type URL
- type User
- type UserRoles
Constants ¶
const ( SecretLength = 32 SaltLength = 16 )
const ( // AdminRole is the label of the admin role AdminRole = Label("admin") // UserRole is the label of the global role UserRole = Label("user") ProjectOwnerRole = Label("project-owner") ProjectContributorRole = Label("project-contributor") ProjectReaderRole = Label("project-reader") )
const MaxPasswordLength = 128
MaxPasswordLength represents the maximum length of a Cape password
const MinPasswordLength = 8
MinPasswordLength represents the minimum length of a Cape password
const PasswordByteLength = 24
PasswordByteLength represents the number of bytes used to generate a Cape password
Variables ¶
var ( InvalidAlgType = errors.NewCause(errors.BadRequestCategory, "invalid_alg_type") InvalidLabelCause = errors.NewCause(errors.BadRequestCategory, "invalid_label") InvalidNameCause = errors.NewCause(errors.BadRequestCategory, "invalid_name") InvalidURLCause = errors.NewCause(errors.BadRequestCategory, "invalid_url") InvalidEmail = errors.NewCause(errors.BadRequestCategory, "invalid_email") InvalidPasswordCause = errors.NewCause(errors.BadRequestCategory, "invalid_password") InvalidDBURLCause = errors.NewCause(errors.BadRequestCategory, "invalid_db_url") InvalidTargetCause = errors.NewCause(errors.BadRequestCategory, "invalid_target") InvalidPolicySpecCause = errors.NewCause(errors.BadRequestCategory, "invalid_policy_spec") InvalidPolicyCause = errors.NewCause(errors.BadRequestCategory, "invalid_policy") InvalidFieldCause = errors.NewCause(errors.BadRequestCategory, "invalid_field") InvalidConfigCause = errors.NewCause(errors.BadRequestCategory, "invalid_config") InvalidSessionCause = errors.NewCause(errors.BadRequestCategory, "invalid_session") InvalidTokenCause = errors.NewCause(errors.BadRequestCategory, "invalid_token") InvalidCredentialsCause = errors.NewCause(errors.BadRequestCategory, "invalid_credentials") InvalidUserCause = errors.NewCause(errors.BadRequestCategory, "invalid_user") SystemErrorCause = errors.NewCause(errors.InternalServerErrorCategory, "system_error") InvalidProjectNameCause = errors.NewCause(errors.BadRequestCategory, "invalid_project_name") InvalidRecoveryCause = errors.NewCause(errors.BadRequestCategory, "invalid_recovery") )
var ( DefaultPermissions = map[Label]Permission{ AdminRole: adminRules, UserRole: userRules, ProjectOwnerRole: projectOwnerRules, ProjectContributorRole: projectContributorRules, ProjectReaderRole: projectReaderRules, } )
var EmptyPassword = Password("")
var OrgRoles = []Label{AdminRole, UserRole}
OrgRoles are roles that can occur outside the scope of a project. There are currently only admin and user roles.
var ProjectRoles = []Label{ProjectOwnerRole, ProjectContributorRole, ProjectReaderRole}
ProjectRoles are roles that are only related to projects. Currently there is a project owner, a contributor and a reader.
var RecoveryExpiration = 30 * time.Minute
RecoveryExpiration is the amount of time that has passed since a recovery was created before it's no longer valid.
var SystemRoles = append(OrgRoles, ProjectRoles...)
SystemRoles are all builtin roles
Functions ¶
func GenerateToken ¶ added in v0.0.2
GenerateToken returns an instantiated token for use in unit testing.
This function _should only ever_ be used inside of a test.
func GenerateUser ¶
GenerateUser returns an instantiated user for use in unit testing
This function _should only ever_ be used inside of a test.
func ValidOrgRole ¶
func ValidProjectRole ¶
Types ¶
type Action ¶
type Action struct {
Transform Transformation `json:"transform"`
}
type Assignment ¶
type Assignment struct {
ID string `json:"id"`
UserID string `json:"user_id"`
RoleID string `json:"role_id"`
ProjectID string `json:"project_id"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
}
Assignment represents a policy being applied/attached to a role
func (*Assignment) GetEncryptable ¶
func (a *Assignment) GetEncryptable() bool
type Collection ¶
type Collection string
Collection for this target
func (Collection) String ¶
func (c Collection) String() string
String returns the string form of the collection
type Config ¶
type Config struct {
ID string `json:"id"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
Setup bool `json:"setup"`
// EncryptionKey is used to encrypt data in the system.
// Specifically we're using envelope encryption which
// can be read more about here
// https://cloud.google.com/kms/docs/envelope-encryption.
// Here it is encrypted and will be decrypted by the
// root key.
EncryptionKey *base64.Value `json:"encryption_key"`
// AuthKeypair is encrypted using the root key, similar, to how the
// EncryptionKey is encrypted.
AuthKeypair *base64.Value `json:"auth_keypair"`
}
type Contributor ¶
type Credentials ¶
type Credentials struct {
// Secret is the "scrypt'ed" secret which we store in the database.
Secret *base64.Value `json:"secret"`
Salt *base64.Value `json:"salt"`
Alg CredentialsAlgType `json:"alg"`
}
func GenerateCredentials ¶ added in v0.0.2
func GenerateCredentials() *Credentials
GenerateCredentials returns an instantiated Credentials for use in unit testing.
This function _should only ever_ be used inside of a test.
type CredentialsAlgType ¶
type CredentialsAlgType string
CredentialsAlgType enum holding the supported crypto algorithms
var ( // UnknownAlg represents the empty state of the CredentialsAlgType UnknownAlg CredentialsAlgType = "" // EDDSA is used for generating asymmetric keypairs for signing tokens and // other items within the cape ecosystem. EDDSA CredentialsAlgType = "eddsa" // Argon2ID exists for production usage, it's the most recent winner of the // Password Hashing Competition and is tuned inside of the auth package. Argon2ID CredentialsAlgType = "argon2id" // SHA256 only exists for internal testing, it should never be used in any // production scenario. // // SHA256 is used as a password hashing algorithm SHA256 CredentialsAlgType = "sha256" )
func (CredentialsAlgType) MarshalGQL ¶
func (c CredentialsAlgType) MarshalGQL(w io.Writer)
MarshalGQL marshals a CredentailsAlgType enum to string
func (*CredentialsAlgType) String ¶
func (c *CredentialsAlgType) String() string
String returns the string represented by the enum value
func (*CredentialsAlgType) UnmarshalGQL ¶
func (c *CredentialsAlgType) UnmarshalGQL(v interface{}) error
UnmarshalGQL unmarshals a string in the CredentialsAlgType enum
type DBURL ¶ added in v0.0.2
DBURL contains a url for a database
func DBURLFromURL ¶ added in v0.0.2
DBURLFromURL returns a DBURL from a net/url.URL
func (DBURL) MarshalGQL ¶ added in v0.0.2
MarshalGQL implements the interface required to unmarshal this type from GraphQL
func (*DBURL) MarshalJSON ¶ added in v0.0.2
MarshalJSON implements the JSON.Marshaller interface
func (*DBURL) SetPassword ¶ added in v0.0.2
SetPassword sets the password
func (*DBURL) UnmarshalGQL ¶ added in v0.0.2
UnmarshalGQL impements the interface required to marshal this type to GraphQL
func (*DBURL) UnmarshalJSON ¶ added in v0.0.2
UnmarshalJSON implements the JSON.Unmarshaller interface
type Effect ¶
type Effect string
Effect represents what kind of effect this policy has, e.g. allow or deny
type EncryptedToken ¶ added in v0.0.2
type EncryptedToken struct {
*Token
Credentials *base64.Value `json:"credentials"`
}
type NamedTransformation ¶
type NamedTransformation struct {
Name string `json:"name"`
Type string `json:"type"`
Args map[string]interface{}
}
func (NamedTransformation) MarshalGQL ¶
func (n NamedTransformation) MarshalGQL(w io.Writer)
MarshalGQL implements the graphql.Marshaler interface
func (NamedTransformation) MarshalJSON ¶
func (n NamedTransformation) MarshalJSON() ([]byte, error)
func (*NamedTransformation) UnmarshalGQL ¶
func (n *NamedTransformation) UnmarshalGQL(v interface{}) error
UnmarshalGQL implements the graphql.Unmarshaler interfacemin
func (*NamedTransformation) UnmarshalJSON ¶
func (n *NamedTransformation) UnmarshalJSON(data []byte) error
type Password ¶ added in v0.0.2
type Password string
Password represents a password used by a user to log into a cape account.
func GeneratePassword ¶ added in v0.0.2
func GeneratePassword() Password
GeneratePassword returns a new password using random data sourced from a cryptographically strong pseudorandom source.
func NewPassword ¶ added in v0.0.2
NewPassword returns a new Password for the given string. If the string isn't a valid password an error is returned.
type Permission ¶
type Permission uint64
const ( WritePolicy Permission = 1 << iota CreateProject // Tokens CreateOwnToken CreateAnyToken RemoveOwnToken RemoveAnyToken ListOwnTokens ListAnyTokens // Projects ArchiveProject UnarchiveProject DeleteOwnedProject DeleteAnyProject AddUser DeleteUser UpdateProject SuggestPolicy AcceptPolicy RejectPolicy ReadPolicy ListPolicySuggestions // Roles ChangeRole ChangeProjectRole ReadAuditLog )
type Policy ¶
type Policy struct {
ID string `json:"id"`
ProjectID string `json:"project_id,omitempty"`
ParentID *string `json:"parent_id"`
Transformations []*NamedTransformation `json:"transformations"`
Rules []*Rule `json:"rules"`
Version uint8 `json:"version"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
}
func CompilePolicies ¶ added in v0.0.2
type PolicyFile ¶
type PolicyFile struct {
Transformations []NamedTransformation `json:"transformations"`
Rules []*Rule `json:"rules"`
}
func ParseProjectSpecFile ¶
func ParseProjectSpecFile(data []byte) (*PolicyFile, error)
type Project ¶
type Project struct {
ID string `json:"id"`
Label Label `json:"label"`
Name ProjectDisplayName `json:"name"`
Description ProjectDescription `json:"description"`
Status ProjectStatus `json:"status"`
CurrentSpecID string
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
}
func NewProject ¶
func NewProject(name ProjectDisplayName, label Label, description ProjectDescription) Project
type ProjectDescription ¶
type ProjectDescription string
func (ProjectDescription) String ¶
func (p ProjectDescription) String() string
type ProjectDisplayName ¶
type ProjectDisplayName string
func (ProjectDisplayName) String ¶
func (p ProjectDisplayName) String() string
type ProjectRolesMap ¶
type ProjectStatus ¶
type ProjectStatus string
const ( ProjectPending ProjectStatus = "Pending" ProjectActive ProjectStatus = "Active" ProjectArchived ProjectStatus = "Archived" Any ProjectStatus = "any" )
func (ProjectStatus) String ¶
func (p ProjectStatus) String() string
func (ProjectStatus) Validate ¶
func (p ProjectStatus) Validate() error
type Recovery ¶ added in v0.0.2
type Recovery struct {
ID string `json:"id"`
UserID string `json:"user_id"`
Credentials *Credentials `json:"-" gqlgen:"-"`
ExpiresAt time.Time `json:"expires_at"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
}
func GenerateRecovery ¶ added in v0.0.2
func GenerateRecovery() Recovery
func NewRecovery ¶ added in v0.0.2
func NewRecovery(userID string, creds *Credentials) Recovery
type Role ¶
type Role struct {
ID string `json:"id"`
Version uint8 `json:"version"`
Label Label `json:"label"`
System bool `json:"system"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
}
Role in a role in the system (e.g. Admin, user, etc)
func (*Role) Can ¶
func (r *Role) Can(action Permission) bool
Can checks to see if a role can do an action
type Rule ¶
func (Rule) MarshalGQL ¶
MarshalGQL implements the graphql.Marshaler interface
func (*Rule) UnmarshalGQL ¶
UnmarshalGQL implements the graphql.Unmarshaler interface
type Session ¶ added in v0.0.2
type Session struct {
ID string `json:"id"`
UserID string `json:"user_id"`
OwnerID string `json:"owner_id"`
ExpiresAt time.Time `json:"expires_at"`
}
Session holds all the session data required to authenticate API calls with the server
func NewSession ¶ added in v0.0.2
NewSession returns a new Session struct
type Suggestion ¶
type Suggestion struct {
ID string `json:"id"`
ProjectID string `json:"project_id,omitempty"`
PolicyID string `json:"project_spec_id"`
State SuggestionState `json:"state"`
Title string `json:"title"`
Description string `json:"description"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
}
type SuggestionState ¶
type SuggestionState int
const ( SuggestionPending SuggestionState = iota SuggestionApproved SuggestionRejected )
func (SuggestionState) MarshalGQL ¶
func (ss SuggestionState) MarshalGQL(w io.Writer)
MarshalGQL marshals a URL to a strong for GraphQL
func (SuggestionState) String ¶
func (ss SuggestionState) String() string
func (*SuggestionState) UnmarshalGQL ¶
func (ss *SuggestionState) UnmarshalGQL(v interface{}) error
type Target ¶
type Target string
Target of a rule
func (Target) Collection ¶
func (t Target) Collection() Collection
Collection returns which collection this target refers to
type TargetType ¶
type TargetType string
TargetType is the record type this target points at (e.g. records)
const (
Records TargetType = "records"
)
func (TargetType) String ¶
func (t TargetType) String() string
func (TargetType) Validate ¶
func (t TargetType) Validate() error
type Token ¶ added in v0.0.2
type Token struct {
ID string `json:"id"`
UserID string `json:"user_id"`
// We never want to send Credentials over the wire!
Credentials *Credentials `json:"-" gqlgen:"-"`
}
func NewToken ¶ added in v0.0.2
func NewToken(userID string, creds *Credentials) Token
func (*Token) GetCredentials ¶ added in v0.0.2
func (tc *Token) GetCredentials() (*Credentials, error)
func (*Token) GetStringID ¶ added in v0.0.2
type Transformation ¶
type Transformation map[string]interface{}
func (Transformation) MarshalGQL ¶
func (t Transformation) MarshalGQL(w io.Writer)
MarshalGQL implements the graphql.Marshaler interface
func (*Transformation) UnmarshalGQL ¶
func (t *Transformation) UnmarshalGQL(v interface{}) error
UnmarshalGQL implements the graphql.Unmarshaler interface
type URL ¶ added in v0.0.2
URL contains a url to a Cape coordinator
func NewURL ¶ added in v0.0.2
NewURL parses the given string and returns a URL if the given URL is a valid coordinator url. If it's not an error is returned.
func (URL) MarshalGQL ¶ added in v0.0.2
MarshalGQL marshals a URL to a strong for GraphQL
func (*URL) MarshalJSON ¶ added in v0.0.2
MarshalJSON implements the JSON.Marshaller interface
func (*URL) UnmarshalGQL ¶ added in v0.0.2
UnmarshalGQL unmarshalls a string from GraphQL into the URL
func (*URL) UnmarshalJSON ¶ added in v0.0.2
UnmarshalJSON implements the JSON.Unmarshaller interface
type User ¶
type User struct {
ID string `json:"id"`
Version uint8 `json:"version"`
Email Email `json:"email"`
Name Name `json:"name"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
// We never want to send Credentials over the wire!
Credentials Credentials `json:"credentials" gqlgen:"-"`
}
User represents a user of the system
func NewUser ¶
func NewUser(name Name, email Email, creds Credentials) User
NewUser returns a new User struct
func (*User) GetCredentials ¶
func (u *User) GetCredentials() (*Credentials, error)
func (*User) GetStringID ¶
type UserRoles ¶
type UserRoles struct {
// Global is the global role assigned to a user
Global Role
// Projects is a map between a projects Label and the role they have
// in that project.
Projects ProjectRolesMap
}
UserRoles represents the roles assigned to a user. A user can only have one global role and then one project role per project that they are a member of.
Source Files