Documentation
¶
Index ¶
- Constants
- Variables
- func HTTPMsg(respBody []uint8) (string, error)
- func StatusCodeErr(resp *http.Response, respBody []uint8, requestData []byte) error
- type APIApplication
- type APIGroup
- type APIIdentity
- type APIPage
- type APIPageLink
- type APIRegistration
- type APIRole
- type AccessTokenArgs
- type AuthzAPI
- type AuthzClient
- type AuthzClientHTTP
- func (c *AuthzClientHTTP) CreateApplicationRole(role APIRole, applicationID string) (string, error)
- func (c *AuthzClientHTTP) Delete(cmd AuthzAPI, body io.Reader) (resp *http.Response, err error)
- func (c *AuthzClientHTTP) Get(cmd AuthzAPI, body io.Reader) (resp *http.Response, err error)
- func (c *AuthzClientHTTP) GetApplicationByAppID(appID string) (APIApplication, error)
- func (c *AuthzClientHTTP) GetGroup(id string) (APIGroup, error)
- func (c *AuthzClientHTTP) GetIdentity(id string) (APIIdentity, error)
- func (c *AuthzClientHTTP) GetLoA(level string) (string, error)
- func (c *AuthzClientHTTP) GetMyApplications() ([]APIApplication, error)
- func (c *AuthzClientHTTP) GetRegistrationProvider(providerID string) (string, error)
- func (c *AuthzClientHTTP) GetRole(id string, role string) (bool, error)
- func (c *AuthzClientHTTP) IssuerURL() string
- func (c *AuthzClientHTTP) LinkGroupToAppRole(groupID string, roleID string, appID string) error
- func (c *AuthzClientHTTP) ManagerID() string
- func (c *AuthzClientHTTP) OidcProviderID() string
- func (c *AuthzClientHTTP) Post(cmd AuthzAPI, body io.Reader) (resp *http.Response, err error)
- func (c *AuthzClientHTTP) Put(cmd AuthzAPI, body io.Reader) (resp *http.Response, err error)
- func (c *AuthzClientHTTP) RefreshClientSecret(regID string) error
Constants ¶
View Source
const ( //TokenURL contains sub-path to retrieve access token TokenURL = "api-access/token" //Audience contains the audience on which the operator communicates with Audience = "authorization-service-api" )
Variables ¶
View Source
var ( // When HTTP 404 isn't enough ErrNotFound = errors.New("NotFound") ErrExistsInAuthzNotInCluster = errors.New("Application exists in API but not in Cluster") )
Exported API error conditions
Functions ¶
Types ¶
type APIApplication ¶
type APIApplication struct {
AppID string `json:"applicationIdentifier"`
DisplayName string `json:"displayName"`
Description string `json:"description"`
OwnerID string `json:"ownerId"`
ManagerID string `json:"managerId"`
IdentityID string `json:"identityId"`
AdministratorsID *string `json:"administratorsId"`
HomePage string `json:"homePage"`
Category string `json:"resourceCategory"`
Blocked bool `json:"blocked"`
ID string `json:"id"`
CreateTime string `json:"creationTime"`
ModTime string `json:"modificationTime"`
// OIDC fields
ClientID string `json:"clientId"`
ClientSecret string `json:"secret"`
RegistrationID string `json:"registrationId"`
// Internal fields
// OwnerUPN is the Owner username, it is named OwnerUPN to match the naming on the Authzsvc API
OwnerUPN string `json:"-"`
// DisplayName of the Administrators group
AdministratorsDisplayName string `json:"-"`
}
APIApplication contains all the relevant fields to parse JSON responses from the Authzsvc API that should be compared against and ApplicationRegistration
func APIApplicationHTTP ¶
func APIApplicationHTTP(respBody []uint8) (APIApplication, error)
APIApplicationHTTP creates an APIApplication from the JSON contained in an API GET/POST Application request. If there is no parseable Application inside, returns an empty object and no error.
func APIApplicationListHTTP ¶
func APIApplicationListHTTP(respBody []uint8) ([]APIApplication, error)
APIApplicationHTTP creates an APIApplication List from the JSON contained in an API GET/POST Application request. If there is no parseable Application inside, returns an empty object and no error.
type APIIdentity ¶
type APIIdentity struct {
// ExternalEmail interface{} `json:"externalEmail"`
PrimaryAccountEmail string `json:"primaryAccountEmail"`
Type string `json:"type"`
Upn string `json:"upn"`
DisplayName string `json:"displayName"`
PersonID string `json:"personId"`
SupervisorID string `json:"supervisorId"`
DirectResponsibleID string `json:"directResponsibleId"`
// Source string `json:"source"`
// Unconfirmed bool `json:"unconfirmed"`
// UnconfirmedEmail interface{} `json:"unconfirmedEmail"`
PrimaryAccountID string `json:"primaryAccountId"`
UID int `json:"uid"`
Gid int `json:"gid"`
ResourceCategory string `json:"resourceCategory"`
Reassignable bool `json:"reassignable"`
// AutoReassign bool `json:"autoReassign"`
// PendingAction bool `json:"pendingAction"`
// Blocked bool `json:"blocked"`
// SecurityIssues bool `json:"securityIssues"`
// BlockingReason string `json:"blockingReason"`
// BlockingTime interface{} `json:"blockingTime"`
// BlockingDeadline interface{} `json:"blockingDeadline"`
// ExpirationDeadline interface{} `json:"expirationDeadline"`
ID string `json:"id"`
CreationTime time.Time `json:"creationTime"`
// Room string `json:"room"`
// Floor string `json:"floor"`
// Building string `json:"building"`
// EndClass time.Time `json:"endClass"`
// LastName string `json:"lastName"`
// BirthDate time.Time `json:"birthDate"`
CernClass string `json:"cernClass"`
CernGroup string `json:"cernGroup"`
// FirstName string `json:"firstName"`
// ActiveUser bool `json:"activeUser"`
// StartClass time.Time `json:"startClass"`
CernSection string `json:"cernSection"`
Description string `json:"description"`
CernPersonID string `json:"cernPersonId"`
InstituteName string `json:"instituteName"`
CernDepartment string `json:"cernDepartment"`
}
type APIPage ¶
type APIPage struct {
Total int `json:"total"`
Offset int `json:"offset"`
Limit int `json:"limit"`
Next *string `json:"next"`
Links APIPageLink `json:"links"`
}
type APIPageLink ¶
type APIRegistration ¶
type APIRegistration struct {
RegistrationID string
// Attributes we recognise
ClientID string `json:"clientId"`
ClientSecret string `json:"secret"`
RedirectURIs []string `json:"redirectUris"`
ImplicitFlowEnabled bool `json:"implicitFlowEnabled"`
ConsentRequired bool `json:"consentRequired"`
Enabled bool `json:"enabled"`
DefaultClientScopes []string `json:"defaultClientScopes"`
OptionalClientScopes []string `json:"optionalClientScopes"`
// Additional attributes
WebOrigins []string `json:"webOrigins"`
ClientAuthenticatorType string `json:"clientAuthenticatorType"`
DirectAccessGrantsEnabled bool `json:"directAccessGrantsEnabled"`
PublicClient bool `json:"publicClient"`
ServiceAccountsEnabled bool `json:"serviceAccountsEnabled"`
StandardFlowEnabled bool `json:"standardFlowEnabled"`
SurrogateAuthRequired bool `json:"surrogateAuthRequired"`
FullScopeAllowed bool `json:"fullScopeAllowed"`
FrontchannelLogout bool `json:"frontchannelLogout"`
}
APIRegistration parses a JSON response from the Authzsvc API containing an OIDC Data
func APIRegistrationHTTP ¶
func APIRegistrationHTTP(respBody []uint8) (APIRegistration, error)
APIRegistrationHTTP creates an APIRegistration from the JSON contained in an API GET/POST Registration request
type APIRole ¶
type APIRole struct {
Name string `json:"name"`
DisplayName string `json:"displayName"`
Description string `json:"description"`
ApplicationID string `json:"applicationId"`
ApplyToAllUsers bool `json:"applyToAllUsers"`
MinimumLoaID string `json:"minimumLoaId"`
Required bool `json:"required"`
RoleId string `json:"id"`
}
type AccessTokenArgs ¶
AccessTokenArgs is the only way we found to make arguments to accessToken both keywords and optional, at the expense of an extra type...
type AuthzAPI ¶
type AuthzAPI string
AuthzAPI represents API endpoints in the Authzsvc API
const ( // Application [GET,POST] Application AuthzAPI = apiV + "Application" MyApplication AuthzAPI = apiV + "Application/my" Group AuthzAPI = apiV + "Group" RegistrationProviders AuthzAPI = apiV + "Registration/providers" Identity AuthzAPI = apiV + "Identity" Registration AuthzAPI = apiV + "Registration" LevelofAssurance AuthzAPI = apiV + "LevelOfAssurance" )
type AuthzClient ¶
type AuthzClient interface {
// Post authorized req to Authzsvc API
Post(cmd AuthzAPI, body io.Reader) (resp *http.Response, err error)
// Get authorized req from Authzsvc API
Get(cmd AuthzAPI, body io.Reader) (resp *http.Response, err error)
// Put authorized req from Authzsvc API
Put(cmd AuthzAPI, body io.Reader) (resp *http.Response, err error)
// Delete authorized req from Authzsvc API
Delete(cmd AuthzAPI, body io.Reader) (resp *http.Response, err error)
// GetMyApplications will retrieve all the applications in the API (Note: this call is expensive as it has to go through all the pages)
GetMyApplications() ([]APIApplication, error)
// GetRole validates if Role already exists on an ApplicationRegistration in the API
GetRole(id string, role string) (bool, error)
// GetApplicationByAppID queries the API for the Application with the given applicationIdentifier
GetApplicationByAppID(appID string) (APIApplication, error)
// GetLoA queries the Authzsvc API for the ID of the Level of Assurance with the given level
// this method is also available through the AuthZ apicache
GetLoA(level string) (string, error)
// CreateApplicationRole creates a new Role for a Specific Application
CreateApplicationRole(role APIRole, applicationID string) (string, error)
// LinkGroupToAppRole links an existing Group to an existing Role in an existing Application
LinkGroupToAppRole(groupID string, roleID string, appID string) error
// GetIdentity returns information about a user account - this method is also available through the AuthZ apicache
GetIdentity(id string) (APIIdentity, error)
// GetGroup returns information about a group - this method is also available through the AuthZ apicache
GetGroup(id string) (APIGroup, error)
// ManagerID returns the API ID of this AuthzAPI client's Application registration
ManagerID() string
// OidcProviderID returns the OIDC Provider ID on the Authzsvc API
OidcProviderID() string
IssuerURL() string
RefreshClientSecret(regID string) error
}
AuthzClient provides methods to access the AuthzAPI
func NewAuthzClient ¶
func NewAuthzClient(log logr.Logger) (AuthzClient, error)
NewAuthzClient creates a client for the Authzsvc API configured with environment variables
type AuthzClientHTTP ¶
AuthzClientHTTP is an http client authorized to talk with the authzsvc API
func (*AuthzClientHTTP) CreateApplicationRole ¶
func (c *AuthzClientHTTP) CreateApplicationRole(role APIRole, applicationID string) (string, error)
CreateApplicationRole creates a new Role for a Specific Application
func (*AuthzClientHTTP) GetApplicationByAppID ¶
func (c *AuthzClientHTTP) GetApplicationByAppID(appID string) (APIApplication, error)
GetApplicationByAppID queries the API for the Application with the given applicationIdentifier
func (*AuthzClientHTTP) GetGroup ¶
func (c *AuthzClientHTTP) GetGroup(id string) (APIGroup, error)
GetGroup returns information about a group
func (*AuthzClientHTTP) GetIdentity ¶
func (c *AuthzClientHTTP) GetIdentity(id string) (APIIdentity, error)
GetIdentity returns information about a user account
func (*AuthzClientHTTP) GetLoA ¶
func (c *AuthzClientHTTP) GetLoA(level string) (string, error)
GetLoA queries the API for the Level of Assurance with the given level
func (*AuthzClientHTTP) GetMyApplications ¶
func (c *AuthzClientHTTP) GetMyApplications() ([]APIApplication, error)
GetMyApplications will retrieve all the applications in the API (Note: this call is expensive as it has to go through all the pages)
func (*AuthzClientHTTP) GetRegistrationProvider ¶
func (c *AuthzClientHTTP) GetRegistrationProvider(providerID string) (string, error)
GetRegistrationProvider queries the API for the Registration provider with the given identifier
func (*AuthzClientHTTP) GetRole ¶
func (c *AuthzClientHTTP) GetRole(id string, role string) (bool, error)
GetRole validates if Role already exists on an ApplicationRegistration in the API
func (*AuthzClientHTTP) IssuerURL ¶
func (c *AuthzClientHTTP) IssuerURL() string
func (*AuthzClientHTTP) LinkGroupToAppRole ¶
func (c *AuthzClientHTTP) LinkGroupToAppRole(groupID string, roleID string, appID string) error
LinkGroupToAppRole links an existing Group to an existing Role in an existing Application
func (*AuthzClientHTTP) ManagerID ¶
func (c *AuthzClientHTTP) ManagerID() string
ManagerID returns the API ID of this AuthzAPI client's Application registration
func (*AuthzClientHTTP) OidcProviderID ¶
func (c *AuthzClientHTTP) OidcProviderID() string
OidcProviderID returns the API ID of this AuthzAPI client's Application registration
func (*AuthzClientHTTP) Post ¶
Post authorized req to Authzsvc API Errors: what happens if the accessToken is empty? It's the caller's problem.
func (*AuthzClientHTTP) RefreshClientSecret ¶
func (c *AuthzClientHTTP) RefreshClientSecret(regID string) error
Source Files
Click to show internal directories.
Click to hide internal directories.