basculechecks

package

v0.11.7 Latest Latest Go to latest Published: Nov 10, 2023 License: Apache-2.0 Imports: 10 Imported by: 11

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/xmidt-org/bascule

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func AllowAll() bascule.ValidatorFunc
func AttributeList(keys []string, checks ...func(context.Context, []interface{}) error) bascule.ValidatorFunc
func CapabilityKeys() []string
func DeterminePartnerMetric(partners []string) string
func NonEmptyPrincipal() bascule.ValidatorFunc
func NonEmptyType() bascule.ValidatorFunc
func PartnerKeys() []string
func ProvideCapabilitiesMapValidator() fx.Option
func ProvideMetricValidator(optional bool) fx.Option
func ProvideMetrics() fx.Option
func ProvideRegexCapabilitiesValidator() fx.Option
func ValidType(validTypes []string) bascule.ValidatorFunc
type AlwaysEndpointCheck
- func (a AlwaysEndpointCheck) Authorized(_, _, _ string) bool
- func (a AlwaysEndpointCheck) Name() string
type AuthCapabilityCheckMeasures
type CapabilitiesChecker
type CapabilitiesCheckerOut
- func NewCapabilitiesMap(config CapabilitiesMapConfig) (CapabilitiesCheckerOut, error)
- func NewCapabilitiesValidator(config CapabilitiesValidatorConfig) (CapabilitiesCheckerOut, error)
type CapabilitiesMap
- func (c CapabilitiesMap) CheckAuthentication(auth bascule.Authentication, vs ParsedValues) error
type CapabilitiesMapConfig
type CapabilitiesValidator
- func (c CapabilitiesValidator) Check(ctx context.Context, _ bascule.Token) error
- func (c CapabilitiesValidator) CheckAuthentication(auth bascule.Authentication, _ ParsedValues) error
type CapabilitiesValidatorConfig
type ConstEndpointCheck
- func (c ConstEndpointCheck) Authorized(capability, _, _ string) bool
- func (c ConstEndpointCheck) Name() string
type EndpointChecker
type MetricOption
- func MonitorOnly() MetricOption
- func WithEndpoints(e []*regexp.Regexp) MetricOption
- func WithServer(s string) MetricOption
type MetricValidator
- func NewMetricValidator(checker CapabilitiesChecker, measures *AuthCapabilityCheckMeasures, ...) (*MetricValidator, error)
- func (m MetricValidator) Check(ctx context.Context, _ bascule.Token) error
type MetricValidatorIn
type ParsedValues
type Reasoner
type RegexEndpointCheck
- func NewRegexEndpointCheck(prefix string, acceptAllMethod string) (RegexEndpointCheck, error)
- func (r RegexEndpointCheck) Authorized(capability string, urlToMatch string, methodToMatch string) bool
- func (e RegexEndpointCheck) Name() string

Constants ¶

View Source

const (
	OutcomeLabel   = "outcome"
	ReasonLabel    = "reason"
	ClientIDLabel  = "clientid"
	EndpointLabel  = "endpoint"
	MethodLabel    = "method"
	PartnerIDLabel = "partnerid"
	ServerLabel    = "server"
)

labels

View Source

const (
	// outcomes
	RejectedOutcome = "rejected"
	AcceptedOutcome = "accepted"
	// reasons
	UnknownReason            = "unknown"
	TokenMissing             = "auth_missing"
	UndeterminedPartnerID    = "undetermined_partner_ID"
	UndeterminedCapabilities = "undetermined_capabilities"
	EmptyCapabilitiesList    = "empty_capabilities_list"
	MissingValues            = "auth_is_missing_values"
	NoEndpointChecker        = "no_capability_checker"
	NoCapabilitiesMatch      = "no_capabilities_match"
	EmptyParsedURL           = "empty_parsed_URL"
	// partners
	NonePartner     = "none"
	WildcardPartner = "wildcard"
	ManyPartner     = "many"
	// endpoints
	NoneEndpoint          = "no_endpoints"
	NotRecognizedEndpoint = "not_recognized"
)

label values

View Source

const (
	AuthCapabilityCheckOutcome = "auth_capability_check"
)

Names for our metrics

View Source

const Wildcard = "*"

Variables ¶

View Source

var (
	ErrNilDefaultChecker = errors.New("default checker cannot be nil")
	ErrEmptyEndpoint     = errWithReason{
							// contains filtered or unexported fields
	}
)

View Source

var (
	ErrNoAuth = errors.New("couldn't get request info: authorization not found")
	ErrNoVals = errWithReason{
				// contains filtered or unexported fields
	}
	ErrNoToken = errWithReason{
				// contains filtered or unexported fields
	}
	ErrNoValidCapabilityFound = errWithReason{
								// contains filtered or unexported fields
	}
	ErrNilAttributes = errWithReason{
						// contains filtered or unexported fields
	}
	ErrNoMethod = errWithReason{
				// contains filtered or unexported fields
	}
	ErrNoURL = errWithReason{
				// contains filtered or unexported fields
	}
	ErrGettingCapabilities = errWithReason{
							// contains filtered or unexported fields
	}
	ErrCapabilityNotStringSlice = errWithReason{
								// contains filtered or unexported fields
	}
)

View Source

var (
	ErrNilChecker        = errors.New("capabilities checker cannot be nil")
	ErrNilMeasures       = errors.New("measures cannot be nil")
	ErrGettingPartnerIDs = errWithReason{
							// contains filtered or unexported fields
	}
	ErrPartnerIDsNotStringSlice = errWithReason{
								// contains filtered or unexported fields
	}
)

Functions ¶

func AllowAll ¶

func AllowAll() bascule.ValidatorFunc

AllowAll returns a Validator that never returns an error.

func AttributeList ¶

func AttributeList(keys []string, checks ...func(context.Context, []interface{}) error) bascule.ValidatorFunc

AttributeList returns a Validator that runs checks against the content found in the key given. It runs every check and returns all errors it finds.

func CapabilityKeys ¶

func CapabilityKeys() []string

CapabilityKeys is the default location of capabilities in a bascule Token's Attributes.

func DeterminePartnerMetric ¶

func DeterminePartnerMetric(partners []string) string

DeterminePartnerMetric takes a list of partners and decides what the partner metric label should be.

func NonEmptyPrincipal ¶

func NonEmptyPrincipal() bascule.ValidatorFunc

NonEmptyPrincipal returns a Validator that checks that the token's Principal isn't an empty string.

func NonEmptyType ¶

func NonEmptyType() bascule.ValidatorFunc

NonEmptyType returns a Validator that checks that the token's type isn't an empty string.

func PartnerKeys ¶

func PartnerKeys() []string

PartnerKeys is the location of the list of allowed partners in a bascule Token's Attributes.

func ProvideCapabilitiesMapValidator ¶

func ProvideCapabilitiesMapValidator() fx.Option

ProvideCapabilitiesMapValidator is an uber fx Provide() function that builds a MetricValidator that uses a CapabilitiesMap and ConstChecks, using the configuration found at the key provided.

func ProvideMetricValidator ¶

func ProvideMetricValidator(optional bool) fx.Option

ProvideMetricValidator is an uber fx Provide() function that builds a MetricValidator given the dependencies needed.

func ProvideMetrics ¶

func ProvideMetrics() fx.Option

ProvideMetrics provides the metrics relevant to this package as uber/fx options.

func ProvideRegexCapabilitiesValidator ¶

func ProvideRegexCapabilitiesValidator() fx.Option

ProvideRegexCapabilitiesValidator is an uber fx Provide() function that builds a MetricValidator that uses a CapabilitiesValidator and RegexEndpointCheck, using the configuration found at the key provided.

func ValidType ¶

func ValidType(validTypes []string) bascule.ValidatorFunc

ValidType returns a Validator that checks that the token's type is one of the given valid types.

Types ¶

type AlwaysEndpointCheck ¶

type AlwaysEndpointCheck bool

AlwaysEndpointCheck is a EndpointChecker that always returns either true or false.

func (AlwaysEndpointCheck) Authorized ¶

func (a AlwaysEndpointCheck) Authorized(_, _, _ string) bool

Authorized returns the saved boolean value, rather than checking the parameters given.

func (AlwaysEndpointCheck) Name ¶

func (a AlwaysEndpointCheck) Name() string

Name returns the endpoint check's name.

type AuthCapabilityCheckMeasures ¶

type AuthCapabilityCheckMeasures struct {
	fx.In

	CapabilityCheckOutcome *prometheus.CounterVec `name:"auth_capability_check"`
}

AuthCapabilityCheckMeasures describes the defined metrics that will be used by clients.

type CapabilitiesChecker ¶

type CapabilitiesChecker interface {
	CheckAuthentication(auth bascule.Authentication, vals ParsedValues) error
}

CapabilitiesChecker is an object that can determine if a request is authorized given a bascule.Authentication object. If it's not authorized, an error is given for logging and metrics.

type CapabilitiesCheckerOut ¶

type CapabilitiesCheckerOut struct {
	fx.Out
	Checker CapabilitiesChecker
	Options []MetricOption `group:"bascule_capability_options,flatten"`
}

CapabilitiesCheckerOut is a struct returned by New() functions that help to create a CapabilitiesChecker and as a byproduct also create some MetricOptions.

func NewCapabilitiesMap ¶

func NewCapabilitiesMap(config CapabilitiesMapConfig) (CapabilitiesCheckerOut, error)

NewCapabilitiesMap parses the CapabilitiesMapConfig provided into a CapabilitiesMap. The same regular expression provided for the map are also needed for labels for a MetricValidator, so an option to be used for that is also created.

func NewCapabilitiesValidator ¶

func NewCapabilitiesValidator(config CapabilitiesValidatorConfig) (CapabilitiesCheckerOut, error)

NewCapabilitiesValidator uses the provided config to create an RegexEndpointCheck and wrap it in a CapabilitiesValidator. Metric Options are also created for a Metric Validator by parsing the type to determine if the metric validator should only monitor and compiling endpoints into Regexps.

type CapabilitiesMap ¶

type CapabilitiesMap struct {
	Checkers       map[string]EndpointChecker
	DefaultChecker EndpointChecker
	KeyPath        []string
}

CapabilitiesMap runs a capability check based on the value of the parsedURL, which is the key to the CapabilitiesMap's map. The parsedURL is expected to be some regex values, allowing for bucketing of urls that contain some kind of ID or otherwise variable portion of a URL.

func (CapabilitiesMap) CheckAuthentication ¶

func (c CapabilitiesMap) CheckAuthentication(auth bascule.Authentication, vs ParsedValues) error

CheckAuthentication uses the parsed endpoint value to determine which EndpointChecker to run against the capabilities in the auth provided. If there is no EndpointChecker for the endpoint, the default is used. As long as one capability is found to be authorized by the EndpointChecker, no error is returned.

type CapabilitiesMapConfig ¶

type CapabilitiesMapConfig struct {
	Endpoints map[string]string `json:"endpoints" yaml:"endpoints"`
	Default   string            `json:"default" yaml:"default"`
}

CapabilitiesMapConfig includes the values needed to set up a map capability checker. The checker will verify that one of the capabilities in a provided JWT match the string meant for that endpoint exactly. A CapabilitiesMap set up with this will use the default KeyPath.

type CapabilitiesValidator ¶

type CapabilitiesValidator struct {
	Checker  EndpointChecker
	KeyPath  []string
	ErrorOut bool
}

CapabilitiesValidator checks the capabilities provided in a bascule.Authentication object to determine if a request is authorized. It can also provide a function to be used in authorization middleware that pulls the Authentication object from a context before checking it.

func (CapabilitiesValidator) Check ¶

func (c CapabilitiesValidator) Check(ctx context.Context, _ bascule.Token) error

Check determines whether or not a client is authorized to make a request to an endpoint. It uses the bascule.Authentication from the context to get the information needed by the EndpointChecker to determine authorization.

func (CapabilitiesValidator) CheckAuthentication ¶

func (c CapabilitiesValidator) CheckAuthentication(auth bascule.Authentication, _ ParsedValues) error

CheckAuthentication takes the needed values out of the given Authentication object in order to determine if a request is authorized. It determines this through iterating through each capability and calling the EndpointChecker. If no capability authorizes the client for the given endpoint and method, it is unauthorized.

type CapabilitiesValidatorConfig ¶

type CapabilitiesValidatorConfig struct {
	Type            string   `json:"type" yaml:"type"`
	Prefix          string   `json:"prefix" yaml:"prefix"`
	AcceptAllMethod string   `json:"acceptAllMethod" yaml:"acceptAllMethod"`
	EndpointBuckets []string `json:"endpointBuckets" yaml:"endpointBuckets"`
}

CapabilitiesValidatorConfig is input that can be used to build a CapabilitiesValidator and some metric options for a MetricValidator. A CapabilitiesValidator set up with this will use the default KeyPath and an EndpointRegexCheck.

type ConstEndpointCheck ¶

type ConstEndpointCheck string

ConstEndpointCheck is a basic EndpointChecker that determines a capability is authorized if it matches the ConstCheck's string.

func (ConstEndpointCheck) Authorized ¶

func (c ConstEndpointCheck) Authorized(capability, _, _ string) bool

Authorized validates the capability provided against the stored string.

func (ConstEndpointCheck) Name ¶

func (c ConstEndpointCheck) Name() string

Name returns the endpoint check's name.

type EndpointChecker ¶

type EndpointChecker interface {
	Authorized(value string, reqURL string, method string) bool
	Name() string
}

EndpointChecker is an object that can determine if a value provides authorization to the endpoint.

type MetricOption ¶

type MetricOption func(*MetricValidator)

MetricOption provides a way to configure a MetricValidator.

func MonitorOnly ¶

func MonitorOnly() MetricOption

MonitorOnly modifies the MetricValidator to never return an error when the Check() function is called.

func WithEndpoints ¶

func WithEndpoints(e []*regexp.Regexp) MetricOption

WithEndpoints provides the endpoint buckets to use in the endpoint metric label. The endpoint bucket found for a request is also passed to the CapabilitiesChecker.

func WithServer ¶

func WithServer(s string) MetricOption

WithServer provides the server name to be used in the metric label.

type MetricValidator ¶

type MetricValidator struct {
	// contains filtered or unexported fields
}

MetricValidator determines if a request is authorized and then updates a metric to show those results.

func NewMetricValidator ¶

func NewMetricValidator(checker CapabilitiesChecker, measures *AuthCapabilityCheckMeasures, options ...MetricOption) (*MetricValidator, error)

NewMetricValidator creates a MetricValidator given a CapabilitiesChecker, measures, and options to configure it. The checker and measures cannot be nil.

func (MetricValidator) Check ¶

func (m MetricValidator) Check(ctx context.Context, _ bascule.Token) error

Check is a function for authorization middleware. The function parses the information needed for the CapabilitiesChecker, calls it to determine if the request is authorized, and maintains the results in a metric. The function can mark the request as unauthorized or only update the metric and allow the request, depending on configuration. This allows for monitoring before being more strict with authorization.

type MetricValidatorIn ¶

type MetricValidatorIn struct {
	fx.In
	Checker  CapabilitiesChecker
	Measures AuthCapabilityCheckMeasures
	Options  []MetricOption `group:"bascule_capability_options"`
}

MetricValidatorIn contains the objects needed to create a MetricValidator, wired with uber fx.

type ParsedValues ¶

type ParsedValues struct {
	// Endpoint is the string representation of a regular expression that
	// matches the URL for the request.  The main benefit of this string is it
	// most likely won't include values that change from one request to the next
	// (ie, device ID).
	Endpoint string
}

ParsedValues are values determined from the bascule Authentication.

type Reasoner ¶

type Reasoner interface {
	Reason() string
}

Reasoner is an error that provides a failure reason to use as a value for a metric label.

type RegexEndpointCheck ¶

type RegexEndpointCheck struct {
	// contains filtered or unexported fields
}

RegexEndpointCheck uses a regular expression to validate an endpoint and method provided in a capability against the endpoint hit and method used for the request.

func NewRegexEndpointCheck ¶

func NewRegexEndpointCheck(prefix string, acceptAllMethod string) (RegexEndpointCheck, error)

NewRegexEndpointCheck creates an object that implements the EndpointChecker interface. It takes a prefix that is expected at the beginning of a capability and a string that, if provided in the capability, authorizes all methods for that endpoint. After the prefix, the RegexEndpointCheck expects there to be an endpoint regular expression and an http method - separated by a colon. The expected format of a capability is: <prefix><endpoint regex>:<method> Note, the endpoint url path and the capabilities substring (used for authorization) will be normalized to have a leading `/` if missing.

func (RegexEndpointCheck) Authorized ¶

func (r RegexEndpointCheck) Authorized(capability string, urlToMatch string, methodToMatch string) bool

Authorized checks the capability against the endpoint hit and method used. If the capability has the correct prefix and is meant to be used with the method provided to access the endpoint provided, it is authorized.

func (RegexEndpointCheck) Name ¶

func (e RegexEndpointCheck) Name() string

Name returns the endpoint check's name.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL