auth

package
Published: Feb 3, 2025 License: Apache-2.0 Imports: 39 Imported by: 0

Documentation

Index

Constants

// IpaVersion is the API version string used by the IPA IAM service client
// (see IpaIAMService). NOTE(review): presumably the FreeIPA JSON-RPC API
// version requested on each call — confirm against the IPA client code.
const IpaVersion = "2.254"
// ResourceArnPrefix is the ARN prefix every bucket-policy Resource must
// carry; Resources.Validate requires the bucket name to follow it, e.g.
// arn:aws:s3:::MyBucket/*.
const ResourceArnPrefix = "arn:aws:s3:::"

Variables

// Sentinel errors shared by the IAMService implementations; callers should
// test for them with errors.Is so that wrapped errors still match.
var (
	// ErrUserExists is returned when the user already exists
	// (account creation rejects a duplicate access key).
	ErrUserExists = errors.New("user already exists")
	// ErrNoSuchUser is returned when the user does not exist
	// (GetUserAccount / UpdateUserAccount on an unknown access key).
	ErrNoSuchUser = errors.New("user not found")
)

Functions

func CheckIfAccountsExist

func CheckIfAccountsExist(accs []string, iam IAMService) ([]string, error)

func CheckObjectAccess

func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects []types.ObjectIdentifier, bypass bool, be backend.Backend) error

func IsAdminOrOwner

func IsAdminOrOwner(acct Account, isRoot bool, acl ACL) error

func MayCreateBucket

func MayCreateBucket(acct Account, isRoot bool) error

func ParseBucketLockConfigurationInput

func ParseBucketLockConfigurationInput(input []byte) ([]byte, error)

func ParseBucketLockConfigurationOutput

func ParseBucketLockConfigurationOutput(input []byte) (*types.ObjectLockConfiguration, error)

func ParseObjectLegalHoldOutput

func ParseObjectLegalHoldOutput(status *bool) *types.ObjectLockLegalHold

func ParseObjectLockRetentionInput

func ParseObjectLockRetentionInput(input []byte) ([]byte, error)

func ParseObjectLockRetentionOutput

func ParseObjectLockRetentionOutput(input []byte) (*types.ObjectLockRetention, error)

func UpdateACL

func UpdateACL(input *PutBucketAclInput, acl ACL, iam IAMService, isAdmin bool) ([]byte, error)

func ValidatePolicyDocument

func ValidatePolicyDocument(policyBin []byte, bucket string, iam IAMService) error

func VerifyAccess

func VerifyAccess(ctx context.Context, be backend.Backend, opts AccessOptions) error

func VerifyBucketPolicy

func VerifyBucketPolicy(policy []byte, access, bucket, object string, action Action) error

func VerifyObjectCopyAccess

func VerifyObjectCopyAccess(ctx context.Context, be backend.Backend, copySource string, opts AccessOptions) error

Types

type ACL

// ACL is the gateway's decoded access control list for a bucket or object:
// the owning account plus the per-account grants. It is produced by
// ParseACL and consumed by VerifyAccess through AccessOptions.Acl.
type ACL struct {
	// Owner identifies the owning account (presumably its access key,
	// matching Grantee.Access — confirm against ParseACL).
	Owner    string
	// Grantees lists the accounts that were granted a Permission.
	Grantees []Grantee
}

func ParseACL

func ParseACL(data []byte) (ACL, error)

type AccessControlList

// AccessControlList is the <AccessControlList> element of an S3
// AccessControlPolicy document; it holds the individual <Grant> elements.
type AccessControlList struct {
	Grants []Grant `xml:"Grant"`
}

type AccessControlPolicy

// AccessControlPolicy is the S3 AccessControlPolicy XML body supplied with a
// PutBucketAcl request (see PutBucketAclInput.AccessControlPolicy). Call
// Validate before acting on a client-supplied policy.
type AccessControlPolicy struct {
	AccessControlList AccessControlList `xml:"AccessControlList"`
	// Owner has no xml tag, so it is decoded from an element named "Owner".
	Owner             *types.Owner
}

func (*AccessControlPolicy) Validate added in v1.0.10

func (acp *AccessControlPolicy) Validate() error

type AccessOptions

// AccessOptions carries the inputs VerifyAccess and VerifyObjectCopyAccess
// need to authorize one request: the bucket ACL and the permission being
// requested, the caller's account, the target bucket/object and the S3
// action being performed.
type AccessOptions struct {
	// Acl is the parsed ACL of the target bucket.
	Acl           ACL
	// AclPermission is the ACL permission the request requires.
	AclPermission Permission
	// IsRoot reports whether the caller is the root account.
	IsRoot        bool
	// Acc is the authenticated caller.
	Acc           Account
	Bucket        string
	Object        string
	// Action is the S3 action (e.g. GetObjectAction) checked against the
	// bucket policy.
	Action        Action
	// Readonly — presumably whether the gateway is running read-only, in
	// which case mutating actions are refused — TODO confirm.
	Readonly      bool
}

type Account

// Account is a gateway IAM account as stored by the IAMService
// implementations. It is serialized as JSON with the tags below, including
// the secret, so serialized accounts must be treated as credentials.
type Account struct {
	// Access is the access key ID used to look the account up.
	Access  string `json:"access"`
	// Secret is the account's secret key. It is a credential: keep it out
	// of logs, error messages and API responses.
	Secret  string `json:"secret"`
	// Role selects the account's privilege level (see Role).
	Role    Role   `json:"role"`
	// UserID and GroupID — presumably the POSIX uid/gid the backend uses
	// for this account — TODO confirm.
	UserID  int    `json:"userID"`
	GroupID int    `json:"groupID"`
}

Account is a gateway IAM account

type Action

// Action is an S3 action name as written in a bucket policy "Action"
// field, e.g. "s3:GetObject". The supported values are listed below;
// AllActions ("s3:*") is the wildcard, and IsValid / WildCardMatch handle
// partial wildcards.
type Action string
// Supported bucket-policy actions. Bucket-level and object-level actions
// are distinguished by Action.IsObjectAction.
const (
	GetBucketAclAction                     Action = "s3:GetBucketAcl"
	CreateBucketAction                     Action = "s3:CreateBucket"
	PutBucketAclAction                     Action = "s3:PutBucketAcl"
	DeleteBucketAction                     Action = "s3:DeleteBucket"
	PutBucketVersioningAction              Action = "s3:PutBucketVersioning"
	GetBucketVersioningAction              Action = "s3:GetBucketVersioning"
	PutBucketPolicyAction                  Action = "s3:PutBucketPolicy"
	GetBucketPolicyAction                  Action = "s3:GetBucketPolicy"
	DeleteBucketPolicyAction               Action = "s3:DeleteBucketPolicy"
	AbortMultipartUploadAction             Action = "s3:AbortMultipartUpload"
	ListMultipartUploadPartsAction         Action = "s3:ListMultipartUploadParts"
	ListBucketMultipartUploadsAction       Action = "s3:ListBucketMultipartUploads"
	PutObjectAction                        Action = "s3:PutObject"
	GetObjectAction                        Action = "s3:GetObject"
	GetObjectVersionAction                 Action = "s3:GetObjectVersion"
	DeleteObjectAction                     Action = "s3:DeleteObject"
	GetObjectAclAction                     Action = "s3:GetObjectAcl"
	GetObjectAttributesAction              Action = "s3:GetObjectAttributes"
	PutObjectAclAction                     Action = "s3:PutObjectAcl"
	RestoreObjectAction                    Action = "s3:RestoreObject"
	GetBucketTaggingAction                 Action = "s3:GetBucketTagging"
	PutBucketTaggingAction                 Action = "s3:PutBucketTagging"
	GetObjectTaggingAction                 Action = "s3:GetObjectTagging"
	PutObjectTaggingAction                 Action = "s3:PutObjectTagging"
	DeleteObjectTaggingAction              Action = "s3:DeleteObjectTagging"
	ListBucketVersionsAction               Action = "s3:ListBucketVersions"
	ListBucketAction                       Action = "s3:ListBucket"
	GetBucketObjectLockConfigurationAction Action = "s3:GetBucketObjectLockConfiguration"
	PutBucketObjectLockConfigurationAction Action = "s3:PutBucketObjectLockConfiguration"
	GetObjectLegalHoldAction               Action = "s3:GetObjectLegalHold"
	PutObjectLegalHoldAction               Action = "s3:PutObjectLegalHold"
	GetObjectRetentionAction               Action = "s3:GetObjectRetention"
	PutObjectRetentionAction               Action = "s3:PutObjectRetention"
	// BypassGovernanceRetentionAction is the separate permission that lets
	// a caller override governance-mode retention (see the bypass argument
	// of CheckObjectAccess); grant it sparingly.
	BypassGovernanceRetentionAction        Action = "s3:BypassGovernanceRetention"
	PutBucketOwnershipControlsAction       Action = "s3:PutBucketOwnershipControls"
	GetBucketOwnershipControlsAction       Action = "s3:GetBucketOwnershipControls"
	// AllActions is the wildcard that covers every action above.
	AllActions                             Action = "s3:*"
)

func (Action) IsObjectAction

func (a Action) IsObjectAction() *bool

IsObjectAction reports whether the action is an object action; a nil result is returned for 's3:*'.

func (Action) IsValid

func (a Action) IsValid() error

IsValid validates the Action: it must either be in the supported actions list or wildcard-match an entry in it.

func (Action) WildCardMatch

func (a Action) WildCardMatch(act Action) bool

type Actions

// Actions is the set of actions named by one bucket-policy statement (the
// JSON "Action" field). UnmarshalJSON accepts either a string or an array
// of strings, Add validates each entry before inserting it, and FindMatch
// resolves wildcards when a request is checked.
type Actions map[Action]struct{}

func (Actions) Add

func (a Actions) Add(str string) error

Add validates str and, if it is a supported action, adds it to the Actions map.

func (Actions) FindMatch

func (a Actions) FindMatch(action Action) bool

func (*Actions) UnmarshalJSON

func (a *Actions) UnmarshalJSON(data []byte) error

UnmarshalJSON is overridden so that both a single string and an array of strings are accepted for the property.

type Base64Encoded added in v1.0.10

// Base64Encoded is a byte slice whose JSON form is a plain base64 string,
// e.g. "value": "aGVsbG93b3JsZAo=". See UnmarshalJSON.
type Base64Encoded []byte

e.g.

"value": "aGVsbG93b3JsZAo="

func (*Base64Encoded) UnmarshalJSON added in v1.0.10

func (b *Base64Encoded) UnmarshalJSON(data []byte) error

type Base64EncodedWrapped added in v1.0.10

// Base64EncodedWrapped is a byte slice whose JSON form is an object with a
// single "__base64__" key holding the base64 string (see MarshalJSON and
// UnmarshalJSON). It exists alongside Base64Encoded, which uses a bare
// string, because both encodings appear in the data exchanged with the IPA
// service (added with IpaIAMService in v1.0.10).
type Base64EncodedWrapped []byte

e.g.

"value" {
	"__base64__": "aGVsbG93b3JsZAo="
 }

func (*Base64EncodedWrapped) MarshalJSON added in v1.0.10

func (b *Base64EncodedWrapped) MarshalJSON() ([]byte, error)

func (*Base64EncodedWrapped) UnmarshalJSON added in v1.0.10

func (b *Base64EncodedWrapped) UnmarshalJSON(data []byte) error

type BucketLockConfig

// BucketLockConfig is the gateway's stored object-lock configuration for a
// bucket, as produced by ParseBucketLockConfigurationInput and read back by
// ParseBucketLockConfigurationOutput.
type BucketLockConfig struct {
	// Enabled reports whether object lock is enabled on the bucket.
	Enabled          bool
	// DefaultRetention is the optional default retention applied to new
	// objects.
	DefaultRetention *types.DefaultRetention
	// CreatedAt — presumably when the lock configuration was enabled;
	// confirm against the caller that sets it.
	CreatedAt        *time.Time
}

type BucketPolicy

// BucketPolicy is a decoded bucket policy document: its Statement array.
// Validate checks every statement against the bucket it is attached to and
// the IAM service (for principal existence).
type BucketPolicy struct {
	Statement []BucketPolicyItem `json:"Statement"`
}

func (*BucketPolicy) Validate

func (bp *BucketPolicy) Validate(bucket string, iam IAMService) error

type BucketPolicyAccessType

// BucketPolicyAccessType is the "Effect" of a bucket-policy statement;
// only the two values below are valid (see Validate).
type BucketPolicyAccessType string
// Valid statement effects.
const (
	BucketPolicyAccessTypeDeny  BucketPolicyAccessType = "Deny"
	BucketPolicyAccessTypeAllow BucketPolicyAccessType = "Allow"
)

func (BucketPolicyAccessType) Validate

func (bpat BucketPolicyAccessType) Validate() error

Validate checks that the policy statement Effect is valid ("Deny" or "Allow").

type BucketPolicyItem

// BucketPolicyItem is one statement of a bucket policy. Principals,
// Actions and Resources each accept either a string or an array of strings
// in JSON (see their UnmarshalJSON methods); Validate checks all four
// fields.
type BucketPolicyItem struct {
	Effect     BucketPolicyAccessType `json:"Effect"`
	Principals Principals             `json:"Principal"`
	Actions    Actions                `json:"Action"`
	Resources  Resources              `json:"Resource"`
}

func (*BucketPolicyItem) Validate

func (bpi *BucketPolicyItem) Validate(bucket string, iam IAMService) error

type GetBucketAclOutput

// GetBucketAclOutput is the AccessControlPolicy XML document returned to
// the client for GetBucketAcl. XMLName pins the S3 namespace on the root
// element. See ParseACLOutput.
type GetBucketAclOutput struct {
	XMLName           xml.Name `xml:"http://s3.amazonaws.com/doc/2006-03-01/ AccessControlPolicy"`
	Owner             *types.Owner
	AccessControlList AccessControlList
}

func ParseACLOutput

func ParseACLOutput(data []byte) (GetBucketAclOutput, error)

type Grant added in v1.0.4

// Grant is one <Grant> element of an S3 access control policy: the grantee
// and the permission granted to it.
type Grant struct {
	Grantee    *Grt       `xml:"Grantee"`
	Permission Permission `xml:"Permission"`
}

type Grantee

// Grantee is the gateway's internal form of one ACL grant (see ACL): the
// permission, the grantee's access key and the grantee type.
type Grantee struct {
	Permission Permission
	// Access is the access key of the account that holds the grant.
	Access     string
	Type       types.Type
}

type Grt added in v1.0.4

// Grt is the XML <Grantee> element. The xsi:type attribute is namespaced,
// so it is decoded by the custom UnmarshalXML rather than by the tags
// alone.
type Grt struct {
	XMLNS string     `xml:"xmlns:xsi,attr"`
	Type  types.Type `xml:"xsi:type,attr"`
	ID    string     `xml:"ID"`
}

func (*Grt) UnmarshalXML added in v1.0.10

func (g *Grt) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error

UnmarshalXML provides custom XML unmarshalling for Grt so that the xsi:type attribute is parsed properly.

type IAMCache

// IAMCache is an in-memory, expiring cache in front of another IAMService.
// Reads (GetUserAccount) are served from the cache while the entry is
// fresh; account updates are forwarded to the wrapped service. Construct
// it with NewCache. Note that cached entries hold account secrets in
// process memory for up to the expire duration.
type IAMCache struct {
	// contains filtered or unexported fields
}

IAMCache is an in-memory cache of the IAM accounts with expiration. This helps to alleviate the load on the real IAM service if the gateway is handling many requests. It forwards account updates to the underlying service and returns cached results while the in-memory account has not expired.

func NewCache

func NewCache(service IAMService, expireTime, cleanupInterval time.Duration) *IAMCache

NewCache initializes an IAM cache for the provided service. The expireTime is the duration a cache entry can be valid, and the cleanupInterval is how often to scan cache and cleanup expired entries.

func (*IAMCache) CreateAccount

func (c *IAMCache) CreateAccount(account Account) error

CreateAccount sends the create request to the underlying IAM service and adds an entry for the account to the cache.

func (*IAMCache) DeleteUserAccount

func (c *IAMCache) DeleteUserAccount(access string) error

DeleteUserAccount deletes account from IAM service and cache

func (*IAMCache) GetUserAccount

func (c *IAMCache) GetUserAccount(access string) (Account, error)

GetUserAccount retrieves the cache account if it is in the cache and not expired. Otherwise retrieves from underlying IAM service and caches result for the expire duration.

func (*IAMCache) ListUserAccounts

func (c *IAMCache) ListUserAccounts() ([]Account, error)

ListUserAccounts is a passthrough to the underlying service and does not make use of the cache

func (*IAMCache) Shutdown

func (c *IAMCache) Shutdown() error

Shutdown performs graceful termination of the service.

func (*IAMCache) UpdateUserAccount added in v1.0.2

func (c *IAMCache) UpdateUserAccount(access string, props MutableProps) error

type IAMService

// IAMService is the interface for all IAM service implementations
// (internal file store, S3, LDAP, Vault, IPA, single-tenant, and the
// IAMCache wrapper). Implementations use ErrUserExists / ErrNoSuchUser
// where documented on the concrete types.
type IAMService interface {
	// CreateAccount stores a new account; duplicates are rejected.
	CreateAccount(account Account) error
	// GetUserAccount looks an account up by its access key.
	GetUserAccount(access string) (Account, error)
	// UpdateUserAccount changes only the MutableProps of an account.
	UpdateUserAccount(access string, props MutableProps) error
	DeleteUserAccount(access string) error
	ListUserAccounts() ([]Account, error)
	// Shutdown releases the service's resources.
	Shutdown() error
}

IAMService is the interface for all IAM service implementations

func New

func New(o *Opts) (IAMService, error)

func NewLDAPService

func NewLDAPService(rootAcc Account, url, bindDN, pass, queryBase, accAtr, secAtr, roleAtr, userIdAtr, groupIdAtr, objClasses string) (IAMService, error)

func NewVaultIAMService

func NewVaultIAMService(rootAcc Account, endpoint, secretStoragePath, mountPath, rootToken, roleID, roleSecret, serverCert, clientCert, clientCertKey string) (IAMService, error)

type IAMServiceInternal

// IAMServiceInternal manages the internal IAM service, which keeps account
// data under the directory given to NewInternal. Because that data is
// per-instance, it is only safe with a single gateway instance performing
// account updates (see the mutex note below).
type IAMServiceInternal struct {
	// This mutex will help with racing updates to the IAM data
	// from multiple requests to this gateway instance, but
	// will not help with racing updates to multiple load balanced
	// gateway instances. This is a limitation of the internal
	// IAM service. All account updates should be sent to a single
	// gateway instance if possible.
	sync.RWMutex
	// contains filtered or unexported fields
}

IAMServiceInternal manages the internal IAM service

func NewInternal

func NewInternal(rootAcc Account, dir string) (*IAMServiceInternal, error)

NewInternal creates a new instance for the Internal IAM service

func (*IAMServiceInternal) CreateAccount

func (s *IAMServiceInternal) CreateAccount(account Account) error

CreateAccount creates a new IAM account. Returns an error if the account already exists.

func (*IAMServiceInternal) DeleteUserAccount

func (s *IAMServiceInternal) DeleteUserAccount(access string) error

DeleteUserAccount deletes the specified user account. Does not check if account exists.

func (*IAMServiceInternal) GetUserAccount

func (s *IAMServiceInternal) GetUserAccount(access string) (Account, error)

GetUserAccount retrieves account info for the requested user. Returns ErrNoSuchUser if the account does not exist.

func (*IAMServiceInternal) ListUserAccounts

func (s *IAMServiceInternal) ListUserAccounts() ([]Account, error)

ListUserAccounts lists all the user accounts stored.

func (*IAMServiceInternal) Shutdown

func (s *IAMServiceInternal) Shutdown() error

Shutdown performs graceful termination of the service.

func (*IAMServiceInternal) UpdateUserAccount added in v1.0.2

func (s *IAMServiceInternal) UpdateUserAccount(access string, props MutableProps) error

UpdateUserAccount updates the specified user account fields. Returns ErrNoSuchUser if the account does not exist.

type IAMServiceS3

// IAMServiceS3 stores IAM account data in an S3 bucket (see NewS3). The
// mutex comment below is shared with IAMServiceInternal and the same
// single-instance limitation applies: the lock does not serialize updates
// coming from other gateway instances writing to the same bucket.
type IAMServiceS3 struct {
	// This mutex will help with racing updates to the IAM data
	// from multiple requests to this gateway instance, but
	// will not help with racing updates to multiple load balanced
	// gateway instances. This is a limitation of the internal
	// IAM service. All account updates should be sent to a single
	// gateway instance if possible.
	sync.RWMutex
	// contains filtered or unexported fields
}

func NewS3

func NewS3(rootAcc Account, access, secret, region, bucket, endpoint string, sslSkipVerify, debug bool) (*IAMServiceS3, error)

func (*IAMServiceS3) CreateAccount

func (s *IAMServiceS3) CreateAccount(account Account) error

func (*IAMServiceS3) DeleteUserAccount

func (s *IAMServiceS3) DeleteUserAccount(access string) error

func (*IAMServiceS3) GetUserAccount

func (s *IAMServiceS3) GetUserAccount(access string) (Account, error)

func (*IAMServiceS3) ListUserAccounts

func (s *IAMServiceS3) ListUserAccounts() ([]Account, error)

func (*IAMServiceS3) Shutdown

func (s *IAMServiceS3) Shutdown() error

func (*IAMServiceS3) UpdateUserAccount added in v1.0.2

func (s *IAMServiceS3) UpdateUserAccount(access string, props MutableProps) error

type IAMServiceSingle

// IAMServiceSingle manages the single-tenant (root-only) IAM service. It
// holds no state: there are no accounts besides root, so the account
// methods have nothing to create, look up or modify.
type IAMServiceSingle struct{}

IAMServiceSingle manages the single tenant (root-only) IAM service

func (IAMServiceSingle) CreateAccount

func (IAMServiceSingle) CreateAccount(account Account) error

CreateAccount is not valid in single-tenant mode.

func (IAMServiceSingle) DeleteUserAccount

func (IAMServiceSingle) DeleteUserAccount(access string) error

DeleteUserAccount: there are no accounts in single-tenant mode.

func (IAMServiceSingle) GetUserAccount

func (IAMServiceSingle) GetUserAccount(access string) (Account, error)

GetUserAccount: there are no accounts in single-tenant mode.

func (IAMServiceSingle) ListUserAccounts

func (IAMServiceSingle) ListUserAccounts() ([]Account, error)

ListUserAccounts: there are no accounts in single-tenant mode.

func (IAMServiceSingle) Shutdown

func (IAMServiceSingle) Shutdown() error

Shutdown performs graceful termination of the service.

func (IAMServiceSingle) UpdateUserAccount added in v1.0.2

func (IAMServiceSingle) UpdateUserAccount(access string, props MutableProps) error

UpdateUserAccount: there are no accounts in single-tenant mode.

type IpaIAMService added in v1.0.10

// IpaIAMService backs IAM accounts with an IPA server (see
// NewIpaIAMService, which takes the host, vault name and the bind
// credentials; IpaVersion is the API version it uses).
type IpaIAMService struct {
	// contains filtered or unexported fields
}

func NewIpaIAMService added in v1.0.10

func NewIpaIAMService(rootAcc Account, host, vaultName, username, password string, isInsecure, debug bool) (*IpaIAMService, error)

func (*IpaIAMService) CreateAccount added in v1.0.10

func (ipa *IpaIAMService) CreateAccount(account Account) error

func (*IpaIAMService) DeleteUserAccount added in v1.0.10

func (ipa *IpaIAMService) DeleteUserAccount(access string) error

func (*IpaIAMService) GetUserAccount added in v1.0.10

func (ipa *IpaIAMService) GetUserAccount(access string) (Account, error)

func (*IpaIAMService) ListUserAccounts added in v1.0.10

func (ipa *IpaIAMService) ListUserAccounts() ([]Account, error)

func (*IpaIAMService) Shutdown added in v1.0.10

func (ipa *IpaIAMService) Shutdown() error

func (*IpaIAMService) UpdateUserAccount added in v1.0.10

func (ipa *IpaIAMService) UpdateUserAccount(access string, props MutableProps) error

type LdapIAMService

// LdapIAMService backs IAM accounts with an LDAP directory (see
// NewLDAPService for the URL, bind DN, query base and the attribute names
// that map directory entries onto Account fields).
type LdapIAMService struct {
	// contains filtered or unexported fields
}

func (*LdapIAMService) CreateAccount

func (ld *LdapIAMService) CreateAccount(account Account) error

func (*LdapIAMService) DeleteUserAccount

func (ld *LdapIAMService) DeleteUserAccount(access string) error

func (*LdapIAMService) GetUserAccount

func (ld *LdapIAMService) GetUserAccount(access string) (Account, error)

func (*LdapIAMService) ListUserAccounts

func (ld *LdapIAMService) ListUserAccounts() ([]Account, error)

func (*LdapIAMService) Shutdown

func (ld *LdapIAMService) Shutdown() error

Shutdown performs graceful termination of the service.

func (*LdapIAMService) UpdateUserAccount added in v1.0.2

func (ld *LdapIAMService) UpdateUserAccount(access string, props MutableProps) error

type ListUserAccountsResult added in v1.0.8

// ListUserAccountsResult wraps the account list returned by
// ListUserAccounts for serialization. It carries full Account values,
// secrets included, so it should only be handed to callers entitled to
// see them.
type ListUserAccountsResult struct {
	Accounts []Account
}

type MutableProps added in v1.0.2

// MutableProps holds the Account properties that may be changed through
// UpdateUserAccount. Each field is a pointer so that nil means "leave
// unchanged"; Access and Role are deliberately absent and cannot be
// updated this way.
type MutableProps struct {
	// Secret rotates the account's secret key; it is a credential.
	Secret  *string `json:"secret"`
	UserID  *int    `json:"userID"`
	GroupID *int    `json:"groupID"`
}

MutableProps are the account properties that can be changed when updating an IAM account.

type Opts

// Opts selects and configures the IAMService built by New. Only the group
// matching the chosen backend (Dir, LDAP*, Vault*, S3*, Ipa*) is used.
// Several fields are credentials (passwords, tokens, secret keys); an Opts
// value must not be logged or dumped with %+v.
type Opts struct {
	// RootAccount is the always-present root account passed to every
	// backend constructor.
	RootAccount            Account
	// Dir is the data directory of the internal file-backed service
	// (NewInternal).
	Dir                    string
	LDAPServerURL          string
	LDAPBindDN             string
	// LDAPPassword is the bind password — credential.
	LDAPPassword           string
	LDAPQueryBase          string
	LDAPObjClasses         string
	// LDAP*Atr name the directory attributes mapped onto Account fields.
	LDAPAccessAtr          string
	LDAPSecretAtr          string
	LDAPRoleAtr            string
	LDAPUserIdAtr          string
	LDAPGroupIdAtr         string
	VaultEndpointURL       string
	VaultSecretStoragePath string
	VaultMountPath         string
	// VaultRootToken and VaultRoleSecret are credentials; the role
	// ID/secret pair is the alternative to the root token.
	VaultRootToken         string
	VaultRoleId            string
	VaultRoleSecret        string
	// VaultServerCert, VaultClientCert and VaultClientCertKey configure
	// TLS towards Vault — presumably PEM file paths, confirm against
	// NewVaultIAMService.
	VaultServerCert        string
	VaultClientCert        string
	VaultClientCertKey     string
	// S3Access / S3Secret are the credentials for the bucket holding the
	// account data (NewS3).
	S3Access               string
	S3Secret               string
	S3Region               string
	S3Bucket               string
	S3Endpoint             string
	// S3DisableSSlVerfiy (sic, field name is part of the API) is passed to
	// NewS3 as sslSkipVerify and disables TLS certificate verification of
	// the S3 endpoint that stores account secrets. Keep it false outside
	// test setups.
	S3DisableSSlVerfiy     bool
	S3Debug                bool
	// CacheDisable turns off the IAMCache wrapper; CacheTTL and CachePrune
	// are its expire time and cleanup interval (see NewCache) — the unit
	// (seconds is likely) is not visible here, confirm in New.
	CacheDisable           bool
	CacheTTL               int
	CachePrune             int
	IpaHost                string
	IpaVaultName           string
	IpaUser                string
	// IpaPassword is a credential.
	IpaPassword            string
	// IpaInsecure is passed to NewIpaIAMService as isInsecure; like
	// S3DisableSSlVerfiy it should stay false in production.
	IpaInsecure            bool
	IpaDebug               bool
}

type Permission added in v1.0.10

// Permission is an S3 ACL permission as it appears in a <Grant> and in
// AccessOptions.AclPermission. The valid values are listed below.
type Permission string
// S3 canned ACL permissions. FULL_CONTROL implies the other four; the
// *_ACP variants govern reading/writing the ACL itself rather than the
// data.
const (
	PermissionFullControl Permission = "FULL_CONTROL"
	PermissionWrite       Permission = "WRITE"
	PermissionWriteAcp    Permission = "WRITE_ACP"
	PermissionRead        Permission = "READ"
	PermissionReadAcp     Permission = "READ_ACP"
)

type Principals

// Principals is the set of account access keys named by a bucket-policy
// statement's "Principal" field; "*" is the anonymous/any-principal
// wildcard that ToSlice omits. Validate checks that every named account
// exists in the IAMService.
type Principals map[string]struct{}

func (Principals) Add

func (p Principals) Add(key string)

func (Principals) Contains

func (p Principals) Contains(userAccess string) bool

func (Principals) ToSlice

func (p Principals) ToSlice() []string

ToSlice converts the Principals map to a slice, omitting the "*" entry.

func (*Principals) UnmarshalJSON

func (p *Principals) UnmarshalJSON(data []byte) error

UnmarshalJSON is overridden so that both a single string and an array of strings are accepted for the property.

func (Principals) Validate

func (p Principals) Validate(iam IAMService) error

Validate checks the Principals by verifying that each listed user account access key exists.

type PutBucketAclInput added in v1.0.4

// PutBucketAclInput is the gateway's view of a PutBucketAcl request as
// consumed by UpdateACL: either a canned ACL, a full AccessControlPolicy
// body, or the individual Grant* headers.
type PutBucketAclInput struct {
	Bucket              *string
	// ACL is the canned ACL, if one was requested.
	ACL                 types.BucketCannedACL
	// AccessControlPolicy is the explicit XML policy, if one was sent.
	AccessControlPolicy *AccessControlPolicy
	// Grant* mirror the x-amz-grant-* request headers.
	GrantFullControl    *string
	GrantRead           *string
	GrantReadACP        *string
	GrantWrite          *string
	GrantWriteACP       *string
}

type Resources

// Resources is the set of resource ARNs named by a bucket-policy
// statement's "Resource" field. Add validates each ARN, Validate checks
// that all of them belong to the policy's bucket (ResourceArnPrefix +
// bucket name), and FindMatch resolves wildcards against a request.
type Resources map[string]struct{}

func (Resources) Add

func (r Resources) Add(rc string) error

Add validates rc and adds it as a new resource to the Resources map.

func (Resources) ContainsBucketPattern

func (r Resources) ContainsBucketPattern() bool

ContainsBucketPattern reports whether the resources contain a bucket pattern.

func (Resources) ContainsObjectPattern

func (r Resources) ContainsObjectPattern() bool

ContainsObjectPattern reports whether the resources contain an object pattern.

func (Resources) FindMatch

func (r Resources) FindMatch(resource string) bool

func (*Resources) UnmarshalJSON

func (r *Resources) UnmarshalJSON(data []byte) error

UnmarshalJSON is overridden so that both a single string and an array of strings are accepted for the property.

func (Resources) Validate

func (r Resources) Validate(bucket string) error

Validate checks that the resources belong to the given bucket: each bucket resource must start with the bucket name, e.g. arn:aws:s3:::MyBucket/*

type Role

// Role is an account's privilege level; see the constants below and
// IsValid. It is stored as the "role" field of Account.
type Role string
// Account roles. RoleAdmin is the role IsAdminOrOwner and UpdateACL treat
// as administrative; what RoleUserPlus adds over RoleUser is not visible
// here (presumably extra privileges such as bucket creation, see
// MayCreateBucket — confirm).
const (
	RoleUser     Role = "user"
	RoleAdmin    Role = "admin"
	RoleUserPlus Role = "userplus"
)

func (Role) IsValid added in v1.0.8

func (r Role) IsValid() bool

type UpdateAcctFunc

// UpdateAcctFunc is the callback used by the storage-backed IAM services
// to apply an account change: it receives the current serialized account
// data and returns the new data to be stored, or an error to abort the
// update.
type UpdateAcctFunc func([]byte) ([]byte, error)

UpdateAcctFunc accepts the current data and returns the new data to be stored

type VaultIAMService

// VaultIAMService backs IAM accounts with a HashiCorp Vault secret store
// (see NewVaultIAMService for the endpoint, storage/mount paths, root
// token or AppRole credentials, and TLS material). It talks to Vault over
// http.Client, so Shutdown has nothing to close.
type VaultIAMService struct {
	// contains filtered or unexported fields
}

func (*VaultIAMService) CreateAccount

func (vt *VaultIAMService) CreateAccount(account Account) error

func (*VaultIAMService) DeleteUserAccount

func (vt *VaultIAMService) DeleteUserAccount(access string) error

func (*VaultIAMService) GetUserAccount

func (vt *VaultIAMService) GetUserAccount(access string) (Account, error)

func (*VaultIAMService) ListUserAccounts

func (vt *VaultIAMService) ListUserAccounts() ([]Account, error)

func (*VaultIAMService) Shutdown

func (vt *VaultIAMService) Shutdown() error

Shutdown: the client has no explicit shutdown, as it uses http.Client.

func (*VaultIAMService) UpdateUserAccount added in v1.0.2

func (vt *VaultIAMService) UpdateUserAccount(access string, props MutableProps) error
