
Package auth

import "golang.conradwood.net/go-easyops/auth"
Overview

This provides information about users and their groups and organisations.

It provides many helper functions to determine whether a user has certain permissions, is a root user or is a service. It also has helpers to print out user information.

It works on a context to retrieve user and service information.

Note that a 'service account' is also a 'user'. It is just marked as a service. Service accounts are treated differently in some places. For example, a web proxy does not (should not) allow services to log in to a website.

As a rule of thumb, most calls in this package do not require network I/O and are thus fairly safe and cheap. See package authremote for calls that require network I/O.

It also provides some wrappers to create a new context. These exist for historic reasons; developers should use the ctx package instead and port existing code to it. In almost all cases, if a context is already present (for example, in a gRPC server), that context must be re-used. New contexts should only be created after a user has been authenticated.
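The overview describes the checks a caller composes from this package (is there a user, is it a service account, is it root, is it in one of a comma-delimited list of groups) and the rule that a web proxy must not let a service account log in. The following is an added example, not code from go-easyops: it models that decision as a deny-by-default gate over a constructed Caller type that stands in for what GetUser, IsService, IsRoot and IsInGroups would read from a context. The group IDs, e-mail addresses and the Caller type itself are made up for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Caller is a constructed stand-in for the identity this package reads from a
// context (GetUser, IsService, IsRoot, IsInGroups); it is not the package's type.
type Caller struct {
	ID        string
	Email     string
	IsService bool
	IsRoot    bool
	Groups    []string
}

// InAnyGroup applies the "at least one of" rule of IsInGroups to a
// comma-delimited list. Blank entries are dropped so that a stray comma
// ("grp-admins,") can never match an empty group ID.
func InAnyGroup(c *Caller, groupids string) bool {
	if c == nil {
		return false
	}
	want := map[string]bool{}
	for _, g := range strings.Split(groupids, ",") {
		if g = strings.TrimSpace(g); g != "" {
			want[g] = true
		}
	}
	for _, g := range c.Groups {
		if want[g] {
			return true
		}
	}
	return false
}

// AllowWebLogin is a deny-by-default gate for an interactive login: a missing
// identity or a service account is refused before any privilege is consulted;
// after that, root or membership in an allowed group is required.
func AllowWebLogin(c *Caller, allowedGroups string) (bool, string) {
	switch {
	case c == nil:
		return false, "no authenticated user in context"
	case c.IsService:
		return false, "service accounts may not log in to a website"
	case c.IsRoot:
		return true, "root user"
	case InAnyGroup(c, allowedGroups):
		return true, "member of an allowed group"
	}
	return false, "not in an allowed group"
}

func main() {
	// Constructed callers, standing in for what a gRPC interceptor would
	// have placed in the context. Note the service account is refused even
	// though it carries the admin group.
	const allowed = "grp-admins, grp-operators"
	callers := []*Caller{
		nil,
		{ID: "svc-1", Email: "deployer@svc", IsService: true, Groups: []string{"grp-admins"}},
		{ID: "u-1", Email: "root@example.org", IsRoot: true},
		{ID: "u-2", Email: "op@example.org", Groups: []string{"grp-operators"}},
		{ID: "u-3", Email: "guest@example.org", Groups: []string{"grp-guests"}},
	}
	for _, c := range callers {
		ok, why := AllowWebLogin(c, allowed)
		fmt.Printf("%v: %s\n", ok, why)
	}
}
```

The order of the cases is the point: the service-account check sits before the root and group checks, so a service that happens to be root or in an admin group still cannot log in interactively.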

Index

Constants
func CurrentUserString(ctx context.Context) string
func DISContext(t time.Duration) context.Context
func DISContextForSignedUser(su *auth.SignedUser) (context.Context, error)
func DISGetSignedSession(ctx context.Context) *auth.SignedSession
func Description(user *apb.User) string
func ForkContext(ictx context.Context) (context.Context, error)
func GetCreatingService(uctx context.Context) *apb.User
func GetOrganisationID(uctx context.Context) string
func GetService(uctx context.Context) *apb.User
func GetServiceIDByName(servicename string) string
func GetSessionToken(ctx context.Context) string
func GetSignedService(uctx context.Context) *apb.SignedUser
func GetSignedUser(uctx context.Context) *apb.SignedUser
func GetUser(uctx context.Context) *apb.User
func IsInGroup(ctx context.Context, groupid string) bool
func IsInGroupByUser(user *apb.User, groupid string) bool
func IsInGroups(ctx context.Context, groupids string) bool
func IsInGroupsByUser(user *apb.User, groupids string) bool
func IsRoot(ctx context.Context) bool
func IsRootUser(user *apb.User) bool
func IsService(ctx context.Context, serviceids string) bool
func PrintSignedUser(uu *apb.SignedUser)
func PrintUser(u *apb.User)
func RecreateContextWithTimeout(t time.Duration, bs []byte) (context.Context, error)
func SerialiseContext(ctx context.Context) ([]byte, error)
func SerialiseContextToString(ctx context.Context) (string, error)
func ServiceMapToYaml(m map[string]string) []byte
func SignedDescription(user *apb.SignedUser) string
func UserIDString(user *apb.User) string

Package files

auth.go context.go permissions.go resolve_services.go usercache.go

Constants

const (
    SERBINPREFIX = "CTXUSER-BIN-"
    SERSTRPREFIX = "CTXUSER-STR-"
)

func CurrentUserString

func CurrentUserString(ctx context.Context) string

returns the user from the context formatted as "User ID (email)"

func DISContext

func DISContext(t time.Duration) context.Context

returns a context with a token taken from the environment (or similar). This function is obsolete and deprecated; use authremote.Context() instead.

func DISContextForSignedUser

func DISContextForSignedUser(su *auth.SignedUser) (context.Context, error)

creates a context for a user object. If the user object is signed, it will "just work". This function is obsolete and deprecated; use authremote.Context() instead.

func DISGetSignedSession

func DISGetSignedSession(ctx context.Context) *auth.SignedSession

get signed session from context or nil if none

func Description

func Description(user *apb.User) string

func ForkContext

func ForkContext(ictx context.Context) (context.Context, error)

func GetCreatingService

func GetCreatingService(uctx context.Context) *apb.User

get the service which created this context

func GetOrganisationID

func GetOrganisationID(uctx context.Context) string

get the OrganisationID in this context

func GetService

func GetService(uctx context.Context) *apb.User

get the service which directly called us

func GetServiceIDByName

func GetServiceIDByName(servicename string) string

Sometimes a service needs to verify that it is being called by a specific service. This often implies permission to access certain privileged bits of information. The assumption is that service A authenticates a user and calls service B, either immediately afterwards or some time later; in this case service B "trusts" service A.

The security implication of this model is that service B must be able to ensure that service A really is who it claims to be (the auth server's signature should be used for this purpose) and that service A has not been replaced with a different service of the same name. For this purpose the service-to-userid mappings are hardcoded into the file, matching the "yacloud" defaults. If someone wishes to run their own yacloud, the mapping can be overridden. This is not a programmatic option but a configuration (administrator) option: a file at /opt/yacloud/config/service_map.yaml, if it exists, is parsed on startup and used to provide this information.

Any lookup for a servicename that does not exist will lead to a panic() (because it is a fatal error!).

The intention of this function is to provide a common method of looking up this information, so that in future, perhaps, a good and secure way can be found to map it automatically through a combination of registry/auth-server lookups or similar.
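To make the trust model above concrete, here is an added example (not go-easyops code) of the three pieces a service B needs: a name-to-userid map with hardcoded defaults overlaid by an administrator-supplied override file, a lookup that panics on an unknown name rather than returning a usable empty ID, and a caller check that only accepts a caller whose auth-server signature verified and whose signed user ID equals the mapped ID. The service names, IDs, the SignedCaller type and the flat "name: id" file parser are all assumptions made for the example; the real package parses YAML and ships its own defaults, neither of which is shown on this page.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Built-in defaults. These names and IDs are made up for the example; the
// real package hardcodes the yacloud defaults, which are not shown on this page.
var defaultServiceMap = map[string]string{
	"auth.AuthenticationService": "svc-auth-0001",
	"deploymonkey.DeployMonkey":  "svc-dm-0002",
}

// ServiceMap resolves a service name to the user ID the auth server signs it with.
type ServiceMap struct {
	byName map[string]string
}

// LoadServiceMap returns the defaults overlaid with entries from overrideFile,
// if that file exists. Only a flat "name: id" line format is handled here
// (a simplification for the example; the real package parses YAML).
func LoadServiceMap(overrideFile string) (*ServiceMap, error) {
	sm := &ServiceMap{byName: map[string]string{}}
	for k, v := range defaultServiceMap {
		sm.byName[k] = v
	}
	f, err := os.Open(overrideFile)
	if os.IsNotExist(err) {
		return sm, nil
	}
	if err != nil {
		return nil, err
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	for n := 1; sc.Scan(); n++ {
		t := strings.TrimSpace(sc.Text())
		if t == "" || strings.HasPrefix(t, "#") {
			continue
		}
		k, v, ok := strings.Cut(t, ":")
		k, v = strings.TrimSpace(k), strings.TrimSpace(v)
		if !ok || k == "" || v == "" {
			return nil, fmt.Errorf("%s:%d: malformed entry %q", overrideFile, n, t)
		}
		sm.byName[k] = v
	}
	return sm, sc.Err()
}

// IDByName follows the fail-closed contract described above: a name with no
// mapping is a fatal configuration error, not a "no match".
func (sm *ServiceMap) IDByName(name string) string {
	id, ok := sm.byName[name]
	if !ok {
		panic(fmt.Sprintf("no userid mapping for service %q", name))
	}
	return id
}

// SignedCaller is a constructed stand-in for the signed service identity on a
// request. SignatureOK is the outcome of verifying the auth-server signature,
// which must have happened before this check means anything.
type SignedCaller struct {
	UserID      string
	SignatureOK bool
}

// CalledBy reports whether the request genuinely came from serviceName: the
// signature must verify and the signed user ID must equal the mapped ID.
// Matching on the name alone would accept any service re-registered under it.
func (sm *ServiceMap) CalledBy(c SignedCaller, serviceName string) bool {
	if !c.SignatureOK {
		return false
	}
	return c.UserID == sm.IDByName(serviceName)
}

func main() {
	// Constructed override file, standing in for /opt/yacloud/config/service_map.yaml.
	override := filepath.Join(os.TempDir(), "service_map_example.yaml")
	if err := os.WriteFile(override, []byte("# local override\ndeploymonkey.DeployMonkey: svc-dm-local\n"), 0o600); err != nil {
		panic(err)
	}
	defer os.Remove(override)
	sm, err := LoadServiceMap(override)
	if err != nil {
		panic(err)
	}
	fmt.Println(sm.CalledBy(SignedCaller{UserID: "svc-dm-local", SignatureOK: true}, "deploymonkey.DeployMonkey"))
	fmt.Println(sm.CalledBy(SignedCaller{UserID: "svc-dm-0002", SignatureOK: true}, "deploymonkey.DeployMonkey"))
}
```

Two properties matter here. The override replaces the default ID, so after an administrator re-registers a service the old ID is no longer trusted; and an unknown name is never answered with "" (which a caller might then compare against an empty or missing ID), it aborts the process, exactly as the documented panic() does.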

func GetSessionToken

func GetSessionToken(ctx context.Context) string

get session token from context or "" if none

func GetSignedService

func GetSignedService(uctx context.Context) *apb.SignedUser

get the signed service in this context (the service which directly called us)

func GetSignedUser

func GetSignedUser(uctx context.Context) *apb.SignedUser

get the user in this context

func GetUser

func GetUser(uctx context.Context) *apb.User

get the user in this context

func IsInGroup

func IsInGroup(ctx context.Context, groupid string) bool

return true if user (from context) is part of group specified by groupid

func IsInGroupByUser

func IsInGroupByUser(user *apb.User, groupid string) bool

return true if user is in this group

func IsInGroups

func IsInGroups(ctx context.Context, groupids string) bool

return true if user (from context) is part of at least one of the groups specified by groupids. groupids is a comma delimited list of groupids

func IsInGroupsByUser

func IsInGroupsByUser(user *apb.User, groupids string) bool

return true if user is in any of the groups (comma delimited list of ids)

func IsRoot

func IsRoot(ctx context.Context) bool

func IsRootUser

func IsRootUser(user *apb.User) bool

func IsService

func IsService(ctx context.Context, serviceids string) bool

return true if service in context is one of the serviceids. serviceids comma delimited

func PrintSignedUser

func PrintSignedUser(uu *apb.SignedUser)

func PrintUser

func PrintUser(u *apb.User)

func RecreateContextWithTimeout

func RecreateContextWithTimeout(t time.Duration, bs []byte) (context.Context, error)

this recreates a context from a previously stored state (see SerialiseContext())

func SerialiseContext

func SerialiseContext(ctx context.Context) ([]byte, error)

func SerialiseContextToString

func SerialiseContextToString(ctx context.Context) (string, error)

func ServiceMapToYaml

func ServiceMapToYaml(m map[string]string) []byte

func SignedDescription

func SignedDescription(user *apb.SignedUser) string

one-line description of the user/caller

func UserIDString

func UserIDString(user *apb.User) string

returns the userid and description as a string