Documentation
¶
Index ¶
- Constants
- Variables
- func CheckLocalLoginCaveat(caveat string) (names.UserTag, error)
- func CheckLocalLoginRequest(service *bakery.Service, req *http.Request, tag names.UserTag, ...) ([]checkers.Caveat, error)
- func CreateLocalLoginMacaroon(tag names.UserTag, service BakeryService, clock clock.Clock) (*macaroon.Macaroon, error)
- type AgentAuthenticator
- type BakeryService
- type EntityAuthenticator
- type EntityFinder
- type ExpirableStorageBakeryService
- type ExternalMacaroonAuthenticator
- type Interaction
- type Interactions
- type UserAuthenticator
Constants ¶
const ( // LocalLoginInteractionTimeout is how long a user has to complete // an interactive login before it is expired. LocalLoginInteractionTimeout = 2 * time.Minute )
Variables ¶
var ErrExpired = errors.New("interaction timed out")
ErrExpired is returned by Interactions.Wait when interactions expire before they are done.
var ErrWaitCanceled = errors.New("wait canceled")
ErrWaitCanceled is returned by Interactions.Wait when the cancel channel is signalled.
Functions ¶
func CheckLocalLoginCaveat ¶
CheckLocalLoginCaveat parses and checks that the given caveat string is valid for a local login request, and returns the tag of the local user that the caveat asserts is logged in. checkers.ErrCaveatNotRecognized will be returned if the caveat is not recognised.
func CheckLocalLoginRequest ¶
func CheckLocalLoginRequest( service *bakery.Service, req *http.Request, tag names.UserTag, clock clock.Clock, ) ([]checkers.Caveat, error)
CheckLocalLoginRequest checks that the given HTTP request contains at least one valid local login macaroon minted by the given service using CreateLocalLoginMacaroon. It returns an error with a *bakery.VerificationError cause if the macaroon verification failed. If the macaroon is valid, CheckLocalLoginRequest returns a list of caveats to add to the discharge macaroon.
func CreateLocalLoginMacaroon ¶
func CreateLocalLoginMacaroon( tag names.UserTag, service BakeryService, clock clock.Clock, ) (*macaroon.Macaroon, error)
CreateLocalLoginMacaroon creates a macaroon that may be provided to a user as proof that they have logged in with a valid username and password. This macaroon may then be used to obtain a discharge macaroon so that the user can log in without presenting their password for a set amount of time.
Types ¶
type AgentAuthenticator ¶
type AgentAuthenticator struct{}
AgentIdentityProvider performs authentication for machine and unit agents.
func (*AgentAuthenticator) Authenticate ¶
func (*AgentAuthenticator) Authenticate(entityFinder EntityFinder, tag names.Tag, req params.LoginRequest) (state.Entity, error)
Authenticate authenticates the provided entity. It takes an entityfinder and the tag used to find the entity that requires authentication.
type BakeryService ¶
type BakeryService interface {
AddCaveat(*macaroon.Macaroon, checkers.Caveat) error
CheckAny([]macaroon.Slice, map[string]string, checkers.Checker) (map[string]string, error)
NewMacaroon(string, []byte, []checkers.Caveat) (*macaroon.Macaroon, error)
}
BakeryService defines the subset of bakery.Service that we require for authentication.
type EntityAuthenticator ¶
type EntityAuthenticator interface {
// Authenticate authenticates the given entity
Authenticate(entityFinder EntityFinder, tag names.Tag, req params.LoginRequest) (state.Entity, error)
}
EntityAuthenticator is the interface all entity authenticators need to implement to authenticate juju entities.
type EntityFinder ¶
EntityFinder finds the entity described by the tag.
type ExpirableStorageBakeryService ¶
type ExpirableStorageBakeryService interface {
BakeryService
// ExpireStorageAt returns a new ExpirableStorageBakeryService with
// a store that will expire items added to it at the specified time.
ExpireStorageAt(time.Time) (ExpirableStorageBakeryService, error)
}
ExpirableStorageBakeryService extends BakeryService with the ExpireStorageAt method so that root keys are removed from storage at that time.
type ExternalMacaroonAuthenticator ¶
type ExternalMacaroonAuthenticator struct {
// Service holds the service that is
// used to verify macaroon authorization.
Service BakeryService
// Macaroon guards macaroon-authentication-based access
// to the APIs. Appropriate caveats will be added before
// sending it to a client.
Macaroon *macaroon.Macaroon
// IdentityLocation holds the URL of the trusted third party
// that is used to address the is-authenticated-user
// third party caveat to.
IdentityLocation string
}
ExternalMacaroonAuthenticator performs authentication for external users using macaroons. If the authentication fails because provided macaroons are invalid, and macaroon authentiction is enabled, it will return a *common.DischargeRequiredError holding a macaroon to be discharged.
func (*ExternalMacaroonAuthenticator) Authenticate ¶
func (m *ExternalMacaroonAuthenticator) Authenticate(entityFinder EntityFinder, _ names.Tag, req params.LoginRequest) (state.Entity, error)
Authenticate authenticates the provided entity. If there is no macaroon provided, it will return a *DischargeRequiredError containing a macaroon that can be used to grant access.
type Interaction ¶
Interaction records details of an in-progress interactive macaroon-based login.
type Interactions ¶
type Interactions struct {
// contains filtered or unexported fields
}
Interactions maintains a set of Interactions.
func NewInteractions ¶
func NewInteractions() *Interactions
NewInteractions returns a new Interactions.
func (*Interactions) Done ¶
func (m *Interactions) Done(id string, loginUser names.UserTag, loginError error) error
Done signals that the user has either logged in, or attempted to and failed.
func (*Interactions) Expire ¶
func (m *Interactions) Expire(t time.Time)
Expire removes any interactions that were due to expire by the specified time.
func (*Interactions) Start ¶
Start records the start of an interactive login, and returns a random ID that uniquely identifies it. A call to Wait with the same ID will return the Interaction once it is done.
func (*Interactions) Wait ¶
func (m *Interactions) Wait(id string, cancel <-chan struct{}) (*Interaction, error)
Wait waits until the identified interaction is done, and returns the corresponding Interaction. If the cancel channel is signalled before the interaction is done, then ErrWaitCanceled is returned. If the interaction expires before it is done, ErrExpired is returned.
type UserAuthenticator ¶
type UserAuthenticator struct {
AgentAuthenticator
// Service holds the service that is used to mint and verify macaroons.
Service ExpirableStorageBakeryService
// Clock is used to calculate the expiry time for macaroons.
Clock clock.Clock
// LocalUserIdentityLocation holds the URL of the trusted third party
// that is used to address the is-authenticated-user third party caveat
// to for local users. This always points at the same controller
// agent that is servicing the authorisation request.
LocalUserIdentityLocation string
}
UserAuthenticator performs authentication for local users. If a password
func (*UserAuthenticator) Authenticate ¶
func (u *UserAuthenticator) Authenticate( entityFinder EntityFinder, tag names.Tag, req params.LoginRequest, ) (state.Entity, error)
Authenticate authenticates the entity with the specified tag, and returns an error on authentication failure.
If and only if no password is supplied, then Authenticate will check for any valid macaroons. Otherwise, password authentication will be performed.
Source Files