data

package
v0.0.0-...-9fcbe96 Latest Latest
Published: Nov 15, 2018 License: MIT Imports: 23 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// Errors returned by the package's authorization and lookup paths. Each value
// is an *errorWithContext (an unexported type declared elsewhere in the
// package) that bundles the error text with an HTTP status code, the status
// text, and a human-readable reason.
var (
	// ErrRequestDenied is returned when an access request can not be satisfied by any policy.
	// This is the default outcome: no policy matched, so the request is denied (403).
	ErrRequestDenied = &errorWithContext{
		error:  errors.New("Request was denied by default"),
		code:   http.StatusForbidden,
		status: http.StatusText(http.StatusForbidden),
		reason: "The request was denied because no matching policy was found.",
	}

	// ErrRequestForcefullyDenied is returned when an access request is explicitly denied by a policy.
	// Same 403 code/status as ErrRequestDenied; the two differ only in their
	// error and reason strings.
	ErrRequestForcefullyDenied = &errorWithContext{
		error:  errors.New("Request was forcefully denied"),
		code:   http.StatusForbidden,
		status: http.StatusText(http.StatusForbidden),
		reason: "The request was denied because a policy denied request.",
	}

	// ErrNotFound is returned when a resource can not be found.
	// NOTE(review): unlike the two errors above, no reason is set here, so
	// the reason field keeps its zero value.
	ErrNotFound = &errorWithContext{
		error:  errors.New("Resource could not be found"),
		code:   http.StatusNotFound,
		status: http.StatusText(http.StatusNotFound),
	}
)
// DefaultMatcher is the default matcher: a RegexpMatcher built with size 512
// (presumably the capacity of its embedded LRU cache; see NewRegexpMatcher).
var DefaultMatcher = NewRegexpMatcher(512)

DefaultMatcher is the default matcher

var (
	// SystemUser represents the system user. Only Name is set; every other
	// field, including Enabled, is left at its zero value.
	SystemUser = User{Name: "System"}
)

Functions

func GetKey

func GetKey(entityType string, keyPart ...string) []byte

GetKey returns a key to be used in the storage system

Types

type Group

// Group represents a named collection of users. Membership and attachments
// are stored as lists of names maintained by the Manager methods noted below.
type Group struct {
	Name        string      `json:"name"`
	Description string      `json:"description"`
	// Audit fields: when, and by whom, the group was created / last updated.
	Created     time.Time   `json:"created"`
	CreatedBy   string      `json:"created_by"`
	Updated     time.Time   `json:"updated"`
	UpdatedBy   string      `json:"updated_by"`
	// Deleted and DeletedBy use nullable wrapper types (zero.Time, null.String)
	// rather than plain values -- presumably soft-delete markers that stay
	// null until the group is deleted; confirm.
	Deleted     zero.Time   `json:"deleted"`
	DeletedBy   null.String `json:"deleted_by"`
	// Users holds the user names added via Manager.AddUsersToGroup.
	Users       []string    `json:"users"`
	// Policies holds the policy names attached via Manager.AttachPolicyToGroups.
	Policies    []string    `json:"policies"`
	// Roles holds the role names attached via Manager.AttachRoleToGroups.
	Roles       []string    `json:"roles"`
}

Group represents a named collection of users

type Manager

// Manager is the data manager: the package's entry point for users, groups,
// roles, policies, resources, tokens and TOTP enrollment (see its methods).
// Construct it with NewManager, which takes the system and token database
// paths; the resulting handles presumably live in the unexported fields and
// are released by Close.
type Manager struct {
	// Matcher decides whether a Request's resource/action matches a Policy
	// (matcher is an unexported type; DefaultMatcher is a *RegexpMatcher).
	Matcher matcher
	// Input is a bluemonday sanitisation policy -- presumably applied to
	// caller-supplied strings before they are stored; confirm in the Add*
	// methods.
	Input   *bluemonday.Policy
	// contains filtered or unexported fields
}

Manager is the data manager

func NewManager

func NewManager(systemdbpath, tokendbpath string) (*Manager, error)

NewManager creates a new instance of a Manager and returns it

func (Manager) AddActionToResource

func (store Manager) AddActionToResource(context User, resourceName string, actions ...string) (Resource, error)

AddActionToResource adds action(s) to a resource

func (Manager) AddGroup

func (store Manager) AddGroup(context User, groupName string, groupDescription string) (Group, error)

AddGroup adds a user group to the system

func (Manager) AddPolicy

func (store Manager) AddPolicy(context User, newPolicy Policy) (Policy, error)

AddPolicy adds a policy to the system

func (Manager) AddResource

func (store Manager) AddResource(context User, name, description string) (Resource, error)

AddResource adds a resource to the system

func (Manager) AddRole

func (store Manager) AddRole(context User, roleName string, roleDescription string) (Role, error)

AddRole adds a role to the system

func (Manager) AddUser

func (store Manager) AddUser(context User, user User, userPassword string) (User, error)

AddUser adds a user to the system

func (Manager) AddUsersToGroup

func (store Manager) AddUsersToGroup(context User, groupName string, users ...string) (Group, error)

AddUsersToGroup adds user(s) to a group -- and tracks that relationship at the group level and at the user level

func (Manager) AttachPoliciesToRole

func (store Manager) AttachPoliciesToRole(context User, roleName string, policies ...string) (Role, error)

AttachPoliciesToRole attaches policies to a role -- and tracks that relationship at the role level and at the policy level

func (Manager) AttachPolicyToGroups

func (store Manager) AttachPolicyToGroups(context User, policyName string, groups ...string) (Policy, error)

AttachPolicyToGroups attaches a policy to the given group(s)

func (Manager) AttachPolicyToUsers

func (store Manager) AttachPolicyToUsers(context User, policyName string, users ...string) (Policy, error)

AttachPolicyToUsers attaches a policy to the given user(s)

func (Manager) AttachRoleToGroups

func (store Manager) AttachRoleToGroups(context User, roleName string, groups ...string) (Role, error)

AttachRoleToGroups attaches a role to the given group(s)

func (Manager) AttachRoleToUsers

func (store Manager) AttachRoleToUsers(context User, roleName string, users ...string) (Role, error)

AttachRoleToUsers attaches a role to the given user(s)

func (Manager) BeginTOTPEnrollment

func (store Manager) BeginTOTPEnrollment(userName string, expiresafter time.Duration) (TotpEnrollment, error)

BeginTOTPEnrollment begins TOTP enrollment for a user. If the user already has two factor authentication enabled, this will return an error

func (Manager) Close

func (store Manager) Close() error

Close closes the data Manager

func (Manager) DeleteUser

func (store Manager) DeleteUser(context User, user User, userPassword string) (User, error)

DeleteUser deletes a user from the system

func (Manager) DoPoliciesAllow

func (store Manager) DoPoliciesAllow(r *Request, policies map[string]Policy) error

DoPoliciesAllow checks to see if the request is allowed by policy

func (Manager) FinishTOTPEnrollment

func (store Manager) FinishTOTPEnrollment(userName, validationCode string) (User, error)

FinishTOTPEnrollment finishes TOTP enrollment for a user. If the user already has two factor authentication enabled, this will return an error

func (Manager) GetAllGroups

func (store Manager) GetAllGroups(context User) ([]Group, error)

GetAllGroups gets all groups in the system

func (Manager) GetAllPolicies

func (store Manager) GetAllPolicies(context User) ([]Policy, error)

GetAllPolicies gets all policies in the system

func (Manager) GetAllResources

func (store Manager) GetAllResources(context User) ([]Resource, error)

GetAllResources gets all resources in the system

func (Manager) GetAllRoles

func (store Manager) GetAllRoles(context User) ([]Role, error)

GetAllRoles gets all roles in the system

func (Manager) GetAllUsers

func (store Manager) GetAllUsers(context User) ([]User, error)

GetAllUsers gets all users in the system

func (Manager) GetGroup

func (store Manager) GetGroup(context User, groupName string) (Group, error)

GetGroup gets a group from the system

func (Manager) GetNewToken

func (store Manager) GetNewToken(user User, expiresafter time.Duration) (Token, error)

GetNewToken gets a token for the given user. The token will have a TTL and expire automatically

func (Manager) GetOverview

func (store Manager) GetOverview(context User) (SystemOverview, error)

GetOverview gets a system overview of counts in the system

func (Manager) GetPoliciesForUser

func (store Manager) GetPoliciesForUser(context User, userName string) (map[string]Policy, error)

GetPoliciesForUser gets the policies that apply to a user. The chains considered are:
- User -> Policies
- User -> Role -> Policies
- User -> Group -> Policies
- User -> Group -> Role -> Policies

func (Manager) GetPolicy

func (store Manager) GetPolicy(context User, policyName string) (Policy, error)

GetPolicy gets a policy from the system

func (Manager) GetResource

func (store Manager) GetResource(context User, resourceName string) (Resource, error)

GetResource gets a resource from the system

func (Manager) GetRole

func (store Manager) GetRole(context User, roleName string) (Role, error)

GetRole gets a role from the system

func (Manager) GetTOTPEnrollment

func (store Manager) GetTOTPEnrollment(userName string) (TotpEnrollment, error)

GetTOTPEnrollment gets the TOTP enrollment for a user. If the enrollment information can't be found, this will return an error

func (Manager) GetTokenInfo

func (store Manager) GetTokenInfo(tokenID string) (Token, error)

GetTokenInfo returns token information for a given unexpired tokenID (or an error if it can't be found)

func (Manager) GetUser

func (store Manager) GetUser(context User, userName string) (User, error)

GetUser gets a user from the system

func (Manager) GetUserForToken

func (store Manager) GetUserForToken(tokenID string) (User, error)

GetUserForToken returns user information for a given unexpired tokenID (or an error if token or user can't be found)

func (Manager) GetUserWithCredentials

func (store Manager) GetUserWithCredentials(name, secret string) (User, error)

GetUserWithCredentials gets a user given a set of credentials

func (Manager) IsUserRequestAuthorized

func (store Manager) IsUserRequestAuthorized(user User, request *Request) bool

IsUserRequestAuthorized determines whether the given user is authorized to execute the given request

func (Manager) Search

func (store Manager) Search(context User, searchExpression string) (SearchResults, error)

Search gets items that match the searchExpression

func (Manager) SystemBootstrap

func (store Manager) SystemBootstrap() (User, string, error)

SystemBootstrap is a 'run-once' operation to set up the system initially

type Policy

// Policy is an AWS-style policy document: an Effect (allow or deny) applied
// to a set of Resources and Actions, attachable to users, groups or roles.
// NOTE(review): the package doc also lists "Conditions", but the struct has
// no such field.
type Policy struct {
	// Name is the policy's identifier; note that its JSON key is "sid", not "name".
	Name      string      `json:"sid"`
	// Effect is the policy's permissive effect, allow or deny (the exact string
	// values are not visible here).
	Effect    string      `json:"effect"`
	// Resources and Actions are matched against a Request's Resource and
	// Action; they may contain wildcards / regular expressions (see
	// RegexpMatcher.Matches).
	Resources []string    `json:"resources"`
	Actions   []string    `json:"actions"`
	// Roles, Users and Groups record where the policy is attached (see
	// Manager.AttachPoliciesToRole, AttachPolicyToUsers and AttachPolicyToGroups).
	Roles     []string    `json:"roles"`
	Users     []string    `json:"users"`
	Groups    []string    `json:"groups"`
	// Audit fields: when, and by whom, the policy was created / last updated.
	Created   time.Time   `json:"created"`
	CreatedBy string      `json:"created_by"`
	Updated   time.Time   `json:"updated"`
	UpdatedBy string      `json:"updated_by"`
	// Nullable wrapper types (zero.Time, null.String) -- presumably soft-delete
	// markers that stay null until the policy is deleted; confirm.
	Deleted   zero.Time   `json:"deleted"`
	DeletedBy null.String `json:"deleted_by"`
}

Policy is an AWS-style policy document. Policies wrap up the following ideas:
- Resources: the things in a system that users need permissions to
- Actions: the interactions users have with those resources
- Effect: the permissive effect of a policy (allow or deny)
- Conditions: additional information to take into account when evaluating a policy

Policies can be attached to a user or a user group. They can also be grouped into a role.

type RegexpMatcher

// RegexpMatcher represents a regular expression matcher, used to test a
// request value against a Policy's resource/action patterns (see Matches).
type RegexpMatcher struct {
	// Embedded LRU cache, sized by NewRegexpMatcher's size argument --
	// presumably caching compiled patterns; confirm.
	*lru.Cache

	// C maps pattern strings to their compiled regular expressions. It is a
	// plain map with no synchronisation visible here, so concurrent callers of
	// Matches would need external locking unless Matches guards it -- confirm.
	C map[string]*regexp.Regexp
}

RegexpMatcher represents a regular expression matcher

func NewRegexpMatcher

func NewRegexpMatcher(size int) *RegexpMatcher

NewRegexpMatcher creates and returns a new RegexpMatcher

func (*RegexpMatcher) Matches

func (m *RegexpMatcher) Matches(p Policy, haystack []string, needle string) (bool, error)

Matches reports whether needle matches any of the regular expressions in haystack; it returns true when a match is found.

type Request

// Request represents a request to be validated: the resource being acted on
// and the action being taken, which are matched against Policy.Resources and
// Policy.Actions (see Manager.DoPoliciesAllow and IsUserRequestAuthorized).
type Request struct {
	Resource string `json:"resource"`
	Action   string `json:"action"`
}

Request represents a request to be validated

type Resource

// Resource represents a thing that can be acted on. It exists for lookups when
// editing a policy; because policies may use wildcards, it is not consulted
// during policy validation.
type Resource struct {
	Name        string      `json:"name"`
	Description string      `json:"description"`
	// Audit fields: when, and by whom, the resource was created / last updated.
	Created     time.Time   `json:"created"`
	CreatedBy   string      `json:"created_by"`
	Updated     time.Time   `json:"updated"`
	UpdatedBy   string      `json:"updated_by"`
	// Nullable wrapper types (zero.Time, null.String) -- presumably soft-delete
	// markers that stay null until the resource is deleted; confirm.
	Deleted     zero.Time   `json:"deleted"`
	DeletedBy   null.String `json:"deleted_by"`
	// Actions holds the action names added via Manager.AddActionToResource.
	// NOTE(review): these are plain strings rather than ResourceAction values,
	// so an action's description is not kept on the resource.
	Actions     []string    `json:"actions"`
}

Resource represents a thing that can be acted on. This is really only used for lookups when editing a policy. Because a policy can have wildcards, this type isn't used for policy validation.

type ResourceAction

// ResourceAction represents an action that can be performed in relation to
// its parent resource, e.g. list, get, update.
// NOTE(review): Resource.Actions is a []string, so nothing on this page stores
// a ResourceAction; where it is used is not visible here.
type ResourceAction struct {
	Name        string `json:"name"`
	Description string `json:"description"`
}

ResourceAction represents an action that can be performed in relation to the parent resource. Example: list, get, update

type Role

// Role represents a named collection of policies. Roles can be attached to a
// user or a user group; the attachments are stored as lists of names
// maintained by the Manager methods noted below.
type Role struct {
	Name        string      `json:"name"`
	Description string      `json:"description"`
	// Audit fields: when, and by whom, the role was created / last updated.
	Created     time.Time   `json:"created"`
	CreatedBy   string      `json:"created_by"`
	Updated     time.Time   `json:"updated"`
	UpdatedBy   string      `json:"updated_by"`
	// Nullable wrapper types (zero.Time, null.String) -- presumably soft-delete
	// markers that stay null until the role is deleted; confirm.
	Deleted     zero.Time   `json:"deleted"`
	DeletedBy   null.String `json:"deleted_by"`
	// Policies holds the policy names attached via Manager.AttachPoliciesToRole.
	Policies    []string    `json:"policies"`
	// Users holds the user names the role is attached to (Manager.AttachRoleToUsers).
	Users       []string    `json:"users"`
	// Groups holds the group names the role is attached to (Manager.AttachRoleToGroups).
	Groups      []string    `json:"groups"`
}

Role represents a named collection of policies. Roles can be attached to a user or a user group

type SearchResults

// SearchResults represents search results: for each entity kind, the entries
// (presumably names) that matched a Manager.Search expression.
// NOTE(review): unlike the other exported types, these fields carry no json
// tags, so they encode under their Go names ("Users", "Groups", ...).
type SearchResults struct {
	Users     []string
	Groups    []string
	Roles     []string
	Policies  []string
	Resources []string
}

SearchResults represents search results

type SystemOverview

// SystemOverview represents the system overview data: a count of each entity
// kind, as returned by Manager.GetOverview.
// NOTE(review): no json tags, so the fields encode under their Go names.
type SystemOverview struct {
	UserCount     int
	GroupCount    int
	RoleCount     int
	PolicyCount   int
	ResourceCount int
}

SystemOverview represents the system overview data

type Token

// Token represents an auth token issued by Manager.GetNewToken.
type Token struct {
	// ID is the token value itself; note that its JSON key is "token". It is
	// presumably the tokenID accepted by GetTokenInfo and GetUserForToken.
	ID      string    `json:"token"`
	// User is the name of the user the token was issued to.
	User    string    `json:"user"`
	Created time.Time `json:"created"`
	// Expires marks the end of the token's TTL -- presumably Created plus the
	// expiresafter duration passed to GetNewToken; confirm.
	Expires time.Time `json:"expires"`
}

Token represents an auth token

type TotpEnrollment

// TotpEnrollment represents a pending TOTP (time-based one-time password)
// enrollment for a user. The record is kept only until the user proves they
// have loaded the secret into their authenticator by submitting a valid code
// to Manager.FinishTOTPEnrollment; it is then removed and the secret is
// stored with the user data (presumably User.TOTPSecret).
type TotpEnrollment struct {
	User   string `json:"user"`
	// Secret is the shared TOTP secret. NOTE(review): it carries a plain json
	// tag, so any JSON encoding of this struct (API response, log line)
	// includes the raw secret -- it should reach only the enrolling user;
	// confirm callers.
	Secret string `json:"secret"`
	// Image is the enrollment image (GetImage returns it as bytes) --
	// presumably a QR-code rendering of the provisioning data; confirm.
	Image  string `json:"image"`
	// URL is presumably the provisioning URL for the authenticator app; confirm.
	URL    string `json:"url"`
}

TotpEnrollment represents an enrollment record for time-based one-time password (TOTP, two-factor authentication) for a user. Both the secret and the image are stored temporarily until the user validates the key with a generated code (indicating they have set up the TOTP key in their app and generated a valid code at least once). When enrollment is complete, this record is removed and the secret is stored with the user data.

func (TotpEnrollment) GetImage

func (enrollment TotpEnrollment) GetImage() ([]byte, error)

GetImage gets the image for an enrollment.

type User

// User represents a user in the system. Users can be created, updated and
// deleted; a deleted user is eventually removed, while the admin user can only
// be disabled, not deleted.
type User struct {
	Name        string      `json:"name"`
	// Enabled presumably gates whether the user may authenticate; it is the
	// flag used to disable the admin user. Confirm in GetUserWithCredentials.
	Enabled     bool        `json:"enabled"`
	Description string      `json:"description"`
	// SecretHash is presumably the hash of the user's password (the
	// userPassword given to AddUser / the secret given to GetUserWithCredentials).
	// NOTE(review): SecretHash and TOTPSecret carry plain json tags rather
	// than `json:"-"`, so any JSON encoding of a User (e.g. an API response
	// built from GetUser / GetAllUsers) includes the password hash and the raw
	// TOTP secret. Callers must strip them, or the tags should be changed.
	SecretHash  string      `json:"secrethash"`
	TOTPEnabled bool        `json:"totpenabled"`
	TOTPSecret  string      `json:"totpsecret"`
	// Audit fields: when, and by whom, the user was created / last updated.
	Created     time.Time   `json:"created"`
	CreatedBy   string      `json:"created_by"`
	Updated     time.Time   `json:"updated"`
	UpdatedBy   string      `json:"updated_by"`
	// Nullable wrapper types (zero.Time, null.String) -- presumably soft-delete
	// markers that stay null until the user is deleted; confirm.
	Deleted     zero.Time   `json:"deleted"`
	DeletedBy   null.String `json:"deleted_by"`
	// Groups, Policies and Roles record the user's memberships and direct
	// attachments (see AddUsersToGroup, AttachPolicyToUsers, AttachRoleToUsers).
	Groups      []string    `json:"groups"`
	Policies    []string    `json:"policies"`
	Roles       []string    `json:"roles"`
}

User represents a user in the system. Users are associated with resources and with roles within those applications/resources/services. They can be created, updated and deleted. If they are deleted, they will eventually be removed from the system. The admin user can only be disabled, not deleted.
