juju: github.com/juju/juju/apiserver/authentication Index | Files

package authentication

import "github.com/juju/juju/apiserver/authentication"

Index

Package Files

agent.go interactions.go interfaces.go user.go

Constants

const (

    // LocalLoginInteractionTimeout is how long a user has to complete
    // an interactive login before it is expired.
    LocalLoginInteractionTimeout = 2 * time.Minute
)

Variables

var ErrExpired = errors.New("interaction timed out")

ErrExpired is returned by Interactions.Wait when interactions expire before they are done.

var ErrWaitCanceled = errors.New("wait canceled")

ErrWaitCanceled is returned by Interactions.Wait when the cancel channel is signalled.

func CheckLocalLoginCaveat Uses

func CheckLocalLoginCaveat(caveat string) (names.UserTag, error)

CheckLocalLoginCaveat parses and checks that the given caveat string is valid for a local login request, and returns the tag of the local user that the caveat asserts is logged in. checkers.ErrCaveatNotRecognized will be returned if the caveat is not recognised.

func CheckLocalLoginRequest Uses

func CheckLocalLoginRequest(
    service *bakery.Service,
    req *http.Request,
    tag names.UserTag,
    clock clock.Clock,
) ([]checkers.Caveat, error)

CheckLocalLoginRequest checks that the given HTTP request contains at least one valid local login macaroon minted by the given service using CreateLocalLoginMacaroon. It returns an error with a *bakery.VerificationError cause if the macaroon verification failed. If the macaroon is valid, CheckLocalLoginRequest returns a list of caveats to add to the discharge macaroon.

func CreateLocalLoginMacaroon Uses

func CreateLocalLoginMacaroon(
    tag names.UserTag,
    service BakeryService,
    clock clock.Clock,
) (*macaroon.Macaroon, error)

CreateLocalLoginMacaroon creates a macaroon that may be provided to a user as proof that they have logged in with a valid username and password. This macaroon may then be used to obtain a discharge macaroon so that the user can log in without presenting their password for a set amount of time.

type AgentAuthenticator Uses

type AgentAuthenticator struct{}

AgentIdentityProvider performs authentication for machine and unit agents.

func (*AgentAuthenticator) Authenticate Uses

func (*AgentAuthenticator) Authenticate(entityFinder EntityFinder, tag names.Tag, req params.LoginRequest) (state.Entity, error)

Authenticate authenticates the provided entity. It takes an entityfinder and the tag used to find the entity that requires authentication.

type BakeryService Uses

type BakeryService interface {
    AddCaveat(*macaroon.Macaroon, checkers.Caveat) error
    CheckAny([]macaroon.Slice, map[string]string, checkers.Checker) (map[string]string, error)
    NewMacaroon([]checkers.Caveat) (*macaroon.Macaroon, error)
}

BakeryService defines the subset of bakery.Service that we require for authentication.

type EntityAuthenticator Uses

type EntityAuthenticator interface {
    // Authenticate authenticates the given entity
    Authenticate(entityFinder EntityFinder, tag names.Tag, req params.LoginRequest) (state.Entity, error)
}

EntityAuthenticator is the interface all entity authenticators need to implement to authenticate juju entities.

type EntityFinder Uses

type EntityFinder interface {
    FindEntity(tag names.Tag) (state.Entity, error)
}

EntityFinder finds the entity described by the tag.

type ExpirableStorageBakeryService Uses

type ExpirableStorageBakeryService interface {
    BakeryService

    // ExpireStorageAfter returns a new ExpirableStorageBakeryService with
    // a store that will expire items added to it at the specified time.
    ExpireStorageAfter(time.Duration) (ExpirableStorageBakeryService, error)
}

ExpirableStorageBakeryService extends BakeryService with the ExpireStorageAfter method so that root keys are removed from storage at that time.

type ExternalMacaroonAuthenticator Uses

type ExternalMacaroonAuthenticator struct {
    // Service holds the service that is
    // used to verify macaroon authorization.
    Service BakeryService

    // Macaroon guards macaroon-authentication-based access
    // to the APIs. Appropriate caveats will be added before
    // sending it to a client.
    Macaroon *macaroon.Macaroon

    // IdentityLocation holds the URL of the trusted third party
    // that is used to address the is-authenticated-user
    // third party caveat to.
    IdentityLocation string
}

ExternalMacaroonAuthenticator performs authentication for external users using macaroons. If the authentication fails because provided macaroons are invalid, and macaroon authentiction is enabled, it will return a *common.DischargeRequiredError holding a macaroon to be discharged.

func (*ExternalMacaroonAuthenticator) Authenticate Uses

func (m *ExternalMacaroonAuthenticator) Authenticate(entityFinder EntityFinder, _ names.Tag, req params.LoginRequest) (state.Entity, error)

Authenticate authenticates the provided entity. If there is no macaroon provided, it will return a *DischargeRequiredError containing a macaroon that can be used to grant access.

type Interaction Uses

type Interaction struct {
    CaveatId   []byte
    LoginUser  names.UserTag
    LoginError error
}

Interaction records details of an in-progress interactive macaroon-based login.

type Interactions Uses

type Interactions struct {
    // contains filtered or unexported fields
}

Interactions maintains a set of Interactions.

func NewInteractions Uses

func NewInteractions() *Interactions

NewInteractions returns a new Interactions.

func (*Interactions) Done Uses

func (m *Interactions) Done(id string, loginUser names.UserTag, loginError error) error

Done signals that the user has either logged in, or attempted to and failed.

func (*Interactions) Expire Uses

func (m *Interactions) Expire(t time.Time)

Expire removes any interactions that were due to expire by the specified time.

func (*Interactions) Start Uses

func (m *Interactions) Start(caveatId []byte, expiry time.Time) (string, error)

Start records the start of an interactive login, and returns a random ID that uniquely identifies it. A call to Wait with the same ID will return the Interaction once it is done.

func (*Interactions) Wait Uses

func (m *Interactions) Wait(id string, cancel <-chan struct{}) (*Interaction, error)

Wait waits until the identified interaction is done, and returns the corresponding Interaction. If the cancel channel is signalled before the interaction is done, then ErrWaitCanceled is returned. If the interaction expires before it is done, ErrExpired is returned.

type UserAuthenticator Uses

type UserAuthenticator struct {
    AgentAuthenticator

    // Service holds the service that is used to mint and verify macaroons.
    Service ExpirableStorageBakeryService

    // Clock is used to calculate the expiry time for macaroons.
    Clock clock.Clock

    // LocalUserIdentityLocation holds the URL of the trusted third party
    // that is used to address the is-authenticated-user third party caveat
    // to for local users. This always points at the same controller
    // agent that is servicing the authorisation request.
    LocalUserIdentityLocation string
}

UserAuthenticator performs authentication for local users. If a password

func (*UserAuthenticator) Authenticate Uses

func (u *UserAuthenticator) Authenticate(
    entityFinder EntityFinder, tag names.Tag, req params.LoginRequest,
) (state.Entity, error)

Authenticate authenticates the entity with the specified tag, and returns an error on authentication failure.

If and only if no password is supplied, then Authenticate will check for any valid macaroons. Otherwise, password authentication will be performed.

Package authentication imports 16 packages (graph) and is imported by 47 packages. Updated 2019-08-26. Refresh now. Tools for package owners.