juju: github.com/wallyworld/juju/apiserver/authentication Index | Files

package authentication

import "github.com/wallyworld/juju/apiserver/authentication"


Package Files

agent.go interactions.go interfaces.go user.go


const (

    // LocalLoginInteractionTimeout is how long a user has to complete
    // an interactive login before it is expired.
    LocalLoginInteractionTimeout = 2 * time.Minute


var ErrExpired = errors.New("interaction timed out")

ErrExpired is returned by Interactions.Wait when interactions expire before they are done.

var ErrWaitCanceled = errors.New("wait canceled")

ErrWaitCanceled is returned by Interactions.Wait when the cancel channel is signalled.

func CheckLocalLoginCaveat Uses

func CheckLocalLoginCaveat(caveat string) (names.UserTag, error)

CheckLocalLoginCaveat parses and checks that the given caveat string is valid for a local login request, and returns the tag of the local user that the caveat asserts is logged in. checkers.ErrCaveatNotRecognized will be returned if the caveat is not recognised.

func CheckLocalLoginRequest Uses

func CheckLocalLoginRequest(
    ctx context.Context,
    auth MacaroonChecker,
    req *http.Request,
) error

CheckLocalLoginRequest checks that the given HTTP request contains at least one valid local login macaroon minted by the given service using CreateLocalLoginMacaroon. It returns an error with a *bakery.VerificationError cause if the macaroon verification failed.

func CreateLocalLoginMacaroon Uses

func CreateLocalLoginMacaroon(
    ctx context.Context,
    tag names.UserTag,
    minter MacaroonMinter,
    clock clock.Clock,
    version bakery.Version,
) (*bakery.Macaroon, error)

CreateLocalLoginMacaroon creates a macaroon that may be provided to a user as proof that they have logged in with a valid username and password. This macaroon may then be used to obtain a discharge macaroon so that the user can log in without presenting their password for a set amount of time.

func DischargeCaveats Uses

func DischargeCaveats(tag names.UserTag, clock clock.Clock) []checkers.Caveat

Discharge caveats returns the caveats to add to a login discharge macaroon.

type AgentAuthenticator Uses

type AgentAuthenticator struct{}

AgentIdentityProvider performs authentication for machine and unit agents.

func (*AgentAuthenticator) Authenticate Uses

func (*AgentAuthenticator) Authenticate(ctx context.Context, entityFinder EntityFinder, tag names.Tag, req params.LoginRequest) (state.Entity, error)

Authenticate authenticates the provided entity. It takes an entityfinder and the tag used to find the entity that requires authentication.

type Bakery Uses

type Bakery interface {

Bakery defines the subset of bakery.Bakery that we require for authentication.

type EntityAuthenticator Uses

type EntityAuthenticator interface {
    // Authenticate authenticates the given entity
    Authenticate(ctx context.Context, entityFinder EntityFinder, tag names.Tag, req params.LoginRequest) (state.Entity, error)

EntityAuthenticator is the interface all entity authenticators need to implement to authenticate juju entities.

type EntityFinder Uses

type EntityFinder interface {
    FindEntity(tag names.Tag) (state.Entity, error)

EntityFinder finds the entity described by the tag.

type ExpirableStorageBakery Uses

type ExpirableStorageBakery interface {

    // ExpireStorageAfter returns a new ExpirableStorageBakery with
    // a store that will expire items added to it at the specified time.
    ExpireStorageAfter(time.Duration) (ExpirableStorageBakery, error)

ExpirableStorageBakery extends Bakery with the ExpireStorageAfter method so that root keys are removed from storage at that time.

type ExternalMacaroonAuthenticator Uses

type ExternalMacaroonAuthenticator struct {
    // Bakery holds the bakery that is
    // used to verify macaroon authorization.
    Bakery *identchecker.Bakery

    // IdentityLocation holds the URL of the trusted third party
    // that is used to address the is-authenticated-user
    // third party caveat to.
    IdentityLocation string

    // Clock is used to set macaroon expiry time.
    Clock clock.Clock

ExternalMacaroonAuthenticator performs authentication for external users using macaroons. If the authentication fails because provided macaroons are invalid, and macaroon authentiction is enabled, it will return a *apiservererrors.DischargeRequiredError holding a macaroon to be discharged.

func (*ExternalMacaroonAuthenticator) Authenticate Uses

func (m *ExternalMacaroonAuthenticator) Authenticate(ctx context.Context, entityFinder EntityFinder, _ names.Tag, req params.LoginRequest) (state.Entity, error)

Authenticate authenticates the provided entity. If there is no macaroon provided, it will return a *DischargeRequiredError containing a macaroon that can be used to grant access.

func (ExternalMacaroonAuthenticator) DeclaredIdentity Uses

func (ExternalMacaroonAuthenticator) DeclaredIdentity(ctx context.Context, declared map[string]string) (identchecker.Identity, error)

DeclaredIdentity implements IdentityClient.DeclaredIdentity.

func (*ExternalMacaroonAuthenticator) IdentityFromContext Uses

func (m *ExternalMacaroonAuthenticator) IdentityFromContext(ctx context.Context) (identchecker.Identity, []checkers.Caveat, error)

IdentityFromContext implements IdentityClient.IdentityFromContext.

type Interaction Uses

type Interaction struct {
    CaveatId   []byte
    LoginUser  names.UserTag
    LoginError error

Interaction records details of an in-progress interactive macaroon-based login.

type Interactions Uses

type Interactions struct {
    // contains filtered or unexported fields

Interactions maintains a set of Interactions.

func NewInteractions Uses

func NewInteractions() *Interactions

NewInteractions returns a new Interactions.

func (*Interactions) Done Uses

func (m *Interactions) Done(id string, loginUser names.UserTag, loginError error) error

Done signals that the user has either logged in, or attempted to and failed.

func (*Interactions) Expire Uses

func (m *Interactions) Expire(t time.Time)

Expire removes any interactions that were due to expire by the specified time.

func (*Interactions) Start Uses

func (m *Interactions) Start(caveatId []byte, expiry time.Time) (string, error)

Start records the start of an interactive login, and returns a random ID that uniquely identifies it. A call to Wait with the same ID will return the Interaction once it is done.

func (*Interactions) Wait Uses

func (m *Interactions) Wait(id string, cancel <-chan struct{}) (*Interaction, error)

Wait waits until the identified interaction is done, and returns the corresponding Interaction. If the cancel channel is signalled before the interaction is done, then ErrWaitCanceled is returned. If the interaction expires before it is done, ErrExpired is returned.

type MacaroonChecker Uses

type MacaroonChecker interface {
    Auth(mss ...macaroon.Slice) *bakery.AuthChecker

MacaroonChecker exposes the methods needed from bakery.Checker.

type MacaroonMinter Uses

type MacaroonMinter interface {
    NewMacaroon(ctx context.Context, version bakery.Version, caveats []checkers.Caveat, ops ...bakery.Op) (*bakery.Macaroon, error)

MacaroonMinter exposes the methods needed from bakery.Oven.

type UserAuthenticator Uses

type UserAuthenticator struct {

    // Bakery holds the bakery that is used to mint and verify macaroons.
    Bakery ExpirableStorageBakery

    // Clock is used to calculate the expiry time for macaroons.
    Clock clock.Clock

    // LocalUserIdentityLocation holds the URL of the trusted third party
    // that is used to address the is-authenticated-user third party caveat
    // to for local users. This always points at the same controller
    // agent that is servicing the authorisation request.
    LocalUserIdentityLocation string

UserAuthenticator performs authentication for local users. If a password

func (*UserAuthenticator) Authenticate Uses

func (u *UserAuthenticator) Authenticate(
    ctx context.Context, entityFinder EntityFinder, tag names.Tag, req params.LoginRequest,
) (state.Entity, error)

Authenticate authenticates the entity with the specified tag, and returns an error on authentication failure.

If and only if no password is supplied, then Authenticate will check for any valid macaroons. Otherwise, password authentication will be performed.

Package authentication imports 19 packages (graph). Updated 2020-08-06. Refresh now. Tools for package owners.