iam

package
v0.2.0 Latest
Warning

This package is not in the latest version of its module.

Published: Nov 29, 2022 License: MIT Imports: 37 Imported by: 0

Documentation

Overview

Package cmd: this file implements helper functions to validate the Streaming AWS Signature Version '4' authorization header.


Constants

const (
	ServiceS3 serviceType = "s3"
	// ServiceSTS STS
	ServiceSTS serviceType = "sts"
)

Variables

This section is empty.

Functions

func GetContentSha256Cksum

func GetContentSha256Cksum(r *http.Request, stype serviceType) string

Returns SHA256 for calculating canonical-request.

func IsAuthTypeStreamingSigned

func IsAuthTypeStreamingSigned(atype AuthType) bool

func IsRequestSignatureV4

func IsRequestSignatureV4(r *http.Request) bool

IsRequestSignatureV4 verifies if the request has AWS Signature Version '4'.

func NewSignV4ChunkedReader

func NewSignV4ChunkedReader(req *http.Request, s *AuthSys) (io.ReadCloser, apierrors.ErrorCode)

NewSignV4ChunkedReader returns a new s3ChunkedReader that translates the data read from r out of HTTP "chunked" format before returning it. The s3ChunkedReader returns io.EOF when the final 0-length chunk is read.

NewChunkedReader is not needed by normal applications. The http package automatically decodes chunking when reading response bodies.
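An added example, not this package's code: a minimal verifier for the `aws-chunked` body framing that a streaming Signature V4 reader like the one documented above has to decode, using the chunk-signature chaining described in the AWS sigv4-streaming documentation. The names `chunkSig` and `verifyChunked`, the 1 MiB chunk cap, and the key, date, scope and seed values are assumptions constructed for illustration.

```go
package main

import (
	"bufio"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// chunkSig signs one chunk; prev is the seed signature or the previous chunk's signature.
func chunkSig(key []byte, date, scope, prev string, data []byte) string {
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "AWS4-HMAC-SHA256-PAYLOAD\n%s\n%s\n%s\n%x\n%x", date, scope, prev, sha256.Sum256(nil), sha256.Sum256(data))
	return fmt.Sprintf("%x", mac.Sum(nil))
}

// verifyChunked returns the payload only if every chunk, the final 0-length one included, chains from seed.
func verifyChunked(r io.Reader, key []byte, date, scope, seed string) ([]byte, error) {
	var out []byte
	for br, prev := bufio.NewReader(r), seed; ; {
		line, _ := br.ReadString('\n') // a truncated header fails the checks below
		size, sig, _ := strings.Cut(strings.TrimSuffix(line, "\r\n"), ";chunk-signature=")
		n, err := strconv.ParseUint(size, 16, 32)
		if err != nil || n > 1<<20 { // assumed 1 MiB cap: the size field must not drive allocation
			return nil, fmt.Errorf("bad chunk header %q", line)
		}
		data := make([]byte, n+2) // chunk bytes plus the trailing CRLF
		if _, err := io.ReadFull(br, data); err != nil || string(data[n:]) != "\r\n" {
			return nil, fmt.Errorf("bad chunk body")
		}
		prev = chunkSig(key, date, scope, prev, data[:n])
		if !hmac.Equal([]byte(prev), []byte(sig)) { // constant-time comparison
			return nil, fmt.Errorf("chunk signature mismatch")
		}
		if out = append(out, data[:n]...); n == 0 {
			return out, nil
		}
	}
}

func main() {
	key, date, scope, seed := []byte("constructed-key"), "20130524T000000Z", "20130524/us-east-1/s3/aws4_request", "constructed-seed"
	s1 := chunkSig(key, date, scope, seed, []byte("hello"))
	body := fmt.Sprintf("5;chunk-signature=%s\r\nhello\r\n0;chunk-signature=%s\r\n\r\n", s1, chunkSig(key, date, scope, s1, nil))
	payload, err := verifyChunked(strings.NewReader(body), key, date, scope, seed)
	fmt.Printf("%q %v\n", payload, err)
}
```

Because each signature covers the previous one, dropping the final 0-length chunk or altering any earlier chunk makes verification fail rather than yielding a shortened payload.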

func SetAuthHandler

func SetAuthHandler(h http.Handler) http.Handler

SetAuthHandler validates the authorization header of the incoming request.

func SkipContentSha256Cksum

func SkipContentSha256Cksum(r *http.Request) bool

SkipContentSha256Cksum returns true if caller needs to skip payload checksum, false if not.

func TrimAwsChunkedContentEncoding

func TrimAwsChunkedContentEncoding(contentEnc string) (trimmedContentEnc string)

Trims away `aws-chunked` from the content-encoding header if present. Streaming signature clients can have a custom content-encoding such as `aws-chunked,gzip`; here we need to save only `gzip`. For more, refer to http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html

Types

type AccountStatus

type AccountStatus string

AccountStatus - account status.

const (
	AccountEnabled  AccountStatus = "on"
	AccountDisabled AccountStatus = "off"
)

Account status per user.

type AuthSys

type AuthSys struct {
	Iam       *IdentityAMSys
	PolicySys *iPolicySys
	AdminCred auth.Credentials
}

AuthSys auth and sign system

func NewAuthSys

func NewAuthSys(db *uleveldb.ULevelDB, adminCred auth.Credentials) *AuthSys

NewAuthSys creates a new AuthSys.

func (*AuthSys) CalculateSeedSignature

func (s *AuthSys) CalculateSeedSignature(r *http.Request) (cred auth.Credentials, signature string, region string, date time.Time, errCode apierrors.ErrorCode)

CalculateSeedSignature - Calculate seed signature in accordance with

returns signature, error otherwise if the signature mismatches or any other error while parsing and validating.

func (*AuthSys) CheckRequestAuthTypeCredential

func (s *AuthSys) CheckRequestAuthTypeCredential(ctx context.Context, r *http.Request, action s3action.Action, bucketName, objectName string) (cred auth.Credentials, owner bool, s3Err apierrors.ErrorCode)

CheckRequestAuthTypeCredential verifies the incoming HTTP request:

  • validates the request signature
  • validates the policy action: for anonymous requests it tests bucket policies, if any; for authenticated requests it validates IAM policies.

Returns an APIErrorCode, if any, to be replied to the client. Additionally, returns the accessKey used in the request, and whether this request is by an admin.

func (*AuthSys) GetCredential

func (s *AuthSys) GetCredential(r *http.Request) (cred auth.Credentials, owner bool, s3Err apierrors.ErrorCode)

func (*AuthSys) GetReqAccessKeyV4

func (s *AuthSys) GetReqAccessKeyV4(r *http.Request, region string, stype serviceType) (auth.Credentials, bool, apierrors.ErrorCode)

func (*AuthSys) IsPutActionAllowed

func (s *AuthSys) IsPutActionAllowed(ctx context.Context, r *http.Request, action s3action.Action, bucketName, objectName string) (s3Err apierrors.ErrorCode)

IsPutActionAllowed - check if PUT operation is allowed on the resource, this call verifies bucket policies and IAM policies, supports multi user checks etc.

func (*AuthSys) IsReqAuthenticated

func (s *AuthSys) IsReqAuthenticated(ctx context.Context, r *http.Request, region string, stype serviceType) (s3Error apierrors.ErrorCode)

IsReqAuthenticated Verify if request has valid AWS Signature Version '4'.

func (*AuthSys) IsReqAuthenticatedV2

func (s *AuthSys) IsReqAuthenticatedV2(r *http.Request) (s3Error apierrors.ErrorCode)

Verify if request has valid AWS Signature Version '2'.

func (*AuthSys) ReqSignatureV4Verify

func (s *AuthSys) ReqSignatureV4Verify(r *http.Request, region string, stype serviceType) (s3Error apierrors.ErrorCode)

func (*AuthSys) ValidateAdminSignature

func (s *AuthSys) ValidateAdminSignature(ctx context.Context, r *http.Request, region string) (auth.Credentials, map[string]interface{}, bool, apierrors.ErrorCode)

ValidateAdminSignature validate admin Signature

type AuthType

type AuthType int

AuthType Authorization type.

const (
	AuthTypeUnknown AuthType = iota
	AuthTypeAnonymous
	AuthTypePresigned
	AuthTypePresignedV2
	AuthTypePostPolicy
	AuthTypeStreamingSigned
	AuthTypeSigned
	AuthTypeSignedV2
	AuthTypeJWT
	AuthTypeSTS
)

List of all supported auth types.

func GetRequestAuthType

func GetRequestAuthType(r *http.Request) AuthType

GetRequestAuthType Get request authentication type.

type IdentityAMSys

type IdentityAMSys struct {
	// contains filtered or unexported fields
}

IdentityAMSys - config system.

func NewIdentityAMSys

func NewIdentityAMSys(db *uleveldb.ULevelDB) *IdentityAMSys

NewIdentityAMSys - creates a new IdentityAM config system

func (*IdentityAMSys) AddSubUser

func (sys *IdentityAMSys) AddSubUser(ctx context.Context, accessKey, secretKey, parentUser string) error

AddSubUser add user

func (*IdentityAMSys) AddUser

func (sys *IdentityAMSys) AddUser(ctx context.Context, accessKey, secretKey string) error

AddUser add user

func (*IdentityAMSys) CreatePolicy

func (sys *IdentityAMSys) CreatePolicy(ctx context.Context, policyName string, policyDocument policy.PolicyDocument) error

CreatePolicy Create Policy

func (*IdentityAMSys) GetUser

func (sys *IdentityAMSys) GetUser(ctx context.Context, accessKey string) (cred auth.Credentials, ok bool)

GetUser - get user credentials

func (*IdentityAMSys) GetUserInfo

func (sys *IdentityAMSys) GetUserInfo(ctx context.Context, accessKey string) (cred auth.Credentials, err error)

GetUserInfo - get user info

func (*IdentityAMSys) GetUserList

func (sys *IdentityAMSys) GetUserList(ctx context.Context, accressKey string) ([]*iam.User, error)

GetUserList gets all users

func (*IdentityAMSys) GetUserPolices

func (sys *IdentityAMSys) GetUserPolices(ctx context.Context, userName string) ([]string, error)

GetUserPolices gets all policies of a user

func (*IdentityAMSys) GetUserPolicy

func (sys *IdentityAMSys) GetUserPolicy(ctx context.Context, userName, policyName string, policyDocument *policy.PolicyDocument) error

GetUserPolicy Get User Policy

func (*IdentityAMSys) IsAllowed

func (sys *IdentityAMSys) IsAllowed(ctx context.Context, args auth.Args) bool

IsAllowed - checks whether the given policy args are allowed to continue with the REST API.

func (*IdentityAMSys) IsAllowedSTS

func (sys *IdentityAMSys) IsAllowedSTS(args auth.Args, parentUser string) bool

IsAllowedSTS is meant for STS based temporary credentials, which implements claims validation and verification other than applying policies.

func (*IdentityAMSys) IsTempUser

func (sys *IdentityAMSys) IsTempUser(ctx context.Context, name string) (bool, string, error)

IsTempUser - returns if given key is a temporary user.

func (*IdentityAMSys) PutUserPolicy

func (sys *IdentityAMSys) PutUserPolicy(ctx context.Context, userName, policyName string, policyDocument policy.PolicyDocument) error

PutUserPolicy Create Policy

func (*IdentityAMSys) RemoveUser

func (sys *IdentityAMSys) RemoveUser(ctx context.Context, accessKey string) error

RemoveUser Remove User

func (*IdentityAMSys) RemoveUserPolicy

func (sys *IdentityAMSys) RemoveUserPolicy(ctx context.Context, userName, policyName string) error

RemoveUserPolicy remove User Policy

func (*IdentityAMSys) SetTempUser

func (sys *IdentityAMSys) SetTempUser(ctx context.Context, accessKey string, cred auth.Credentials, policyName string) error

SetTempUser - sets temporary user credentials; these credentials have an expiry. The permissions for these STS credentials are determined in one of the following ways:

func (*IdentityAMSys) UpdateUser

func (sys *IdentityAMSys) UpdateUser(ctx context.Context, cred auth.Credentials) error

UpdateUser Update User

func (*IdentityAMSys) UpdateUserPolicy

func (sys *IdentityAMSys) UpdateUserPolicy(ctx context.Context, username string, pname string, p *policy.Policy) error

UpdateUserPolicy update user policy

type UserIdentity

type UserIdentity struct {
	Credentials auth.Credentials `json:"credentials"`
}

UserIdentity represents a user's secret key and their status

type UserInfo

type UserInfo struct {
	SecretKey  string        `json:"secretKey,omitempty"`
	PolicyName []string      `json:"policyName,omitempty"`
	Status     AccountStatus `json:"status"`
}

UserInfo carries information about long term users.
