
Package crypto

import "github.com/gonitro/nitro/app/crypto"


Package crypto provides authentication and authorization capability


Constants
Variables
func VerifyAccess(rules []*Rule, acc *Account, res *Resource) error
type Access
type Account
type Auth
type GenerateOption
    func WithIssuer(i string) GenerateOption
    func WithMetadata(md map[string]string) GenerateOption
    func WithName(n string) GenerateOption
    func WithProvider(p string) GenerateOption
    func WithScopes(s ...string) GenerateOption
    func WithSecret(s string) GenerateOption
    func WithType(t string) GenerateOption
type GenerateOptions
    func NewGenerateOptions(opts ...GenerateOption) GenerateOptions
type Option
    func Addrs(addrs ...string) Option
    func ClientToken(token *Token) Option
    func Credentials(id, secret string) Option
    func Issuer(i string) Option
    func LoginURL(url string) Option
    func PrivateKey(key string) Option
    func PublicKey(key string) Option
type Options
    func NewOptions(opts ...Option) Options
type Resource
type Rule
type Rules
type RulesOption
    func RulesContext(ctx context.Context) RulesOption
    func RulesNamespace(ns string) RulesOption
type RulesOptions
type Token
    func (t *Token) Expired() bool
type TokenOption
    func WithCredentials(id, secret string) TokenOption
    func WithExpiry(ex time.Duration) TokenOption
    func WithToken(rt string) TokenOption
    func WithTokenIssuer(iss string) TokenOption
type TokenOptions
    func NewTokenOptions(opts ...TokenOption) TokenOptions
type VerifyOption
    func VerifyContext(ctx context.Context) VerifyOption
    func VerifyNamespace(ns string) VerifyOption
type VerifyOptions

Package files

auth.go options.go rules.go

Constants

const (
    // ScopePublic is the scope applied to a rule to allow access to the public.
    // It is the empty string: a Rule whose Scope is blank is open to the public
    // (see Rule.Scope), so an accidentally unset scope is the most permissive one.
    ScopePublic = ""
    // ScopeAccount is the scope applied to a rule to limit to users with any valid account.
    // The "*" value is a wildcard over authenticated accounts, not a named scope.
    ScopeAccount = "*"
)

Variables

var (
    // ErrInvalidToken is when the token provided is not valid.
    ErrInvalidToken = errors.New("invalid token provided")
    // ErrForbidden is when a user does not have the necessary scope to access a resource.
    // Both are sentinel values; callers should compare with errors.Is so that
    // wrapped errors still match.
    ErrForbidden = errors.New("resource forbidden")
)

func VerifyAccess

func VerifyAccess(rules []*Rule, acc *Account, res *Resource) error

VerifyAccess verifies that an account has access to a resource using the rules provided. If the account does not have access, an error is returned. If no rules match the resource, an error is also returned.

type Access

Access defines the type of access a rule grants

// Access defines the type of access a rule grants.
type Access int
const (
    // AccessGranted to a resource.
    // NOTE: AccessGranted is the zero value of Access, so a Rule whose Access
    // field is left unset grants access. Construct rules with an explicit value
    // rather than relying on the default.
    AccessGranted Access = iota
    // AccessDenied to a resource.
    AccessDenied
)

type Account

Account provided by an auth provider

// Account is the identity returned by an auth provider; it is the subject
// that rules are verified against (see VerifyAccess).
type Account struct {
    // ID of the account e.g. UUID. Should not change.
    ID string `json:"id"`
    // Type of the account, e.g. service.
    Type string `json:"type"`
    // Issuer of the account.
    Issuer string `json:"issuer"`
    // Any other associated metadata.
    Metadata map[string]string `json:"metadata"`
    // Scopes the account has access to.
    Scopes []string `json:"scopes"`
    // Secret for the account, e.g. the password.
    // The `json:"secret"` tag means encoding/json includes this field whenever an
    // Account is marshalled (responses, logs, storage); clear it before serialising
    // an Account anywhere the secret must not travel.
    Secret string `json:"secret"`
    // Name of the account. User friendly name that might change e.g. a username or email.
    Name string `json:"name"`
}

type Auth

Auth provides authentication

// Auth provides authentication: account generation, token issuance and token
// inspection. Authorization is handled separately by Rules.
type Auth interface {
    // Init the auth with the given options.
    Init(opts ...Option)
    // Options set for auth.
    Options() Options
    // Generate a new account with the given id; see GenerateOption for the
    // attributes that can be set.
    Generate(id string, opts ...GenerateOption) (*Account, error)
    // Inspect a token and return the account it represents. Implementations are
    // expected to return ErrInvalidToken for tokens that fail validation — confirm
    // against the concrete implementation.
    Inspect(token string) (*Account, error)
    // Token generated using refresh token or credentials (see TokenOption).
    Token(opts ...TokenOption) (*Token, error)
    // String returns the name of the implementation.
    String() string
}

type GenerateOption

// GenerateOption mutates a GenerateOptions; see the With* constructors.
type GenerateOption func(o *GenerateOptions)

func WithIssuer

func WithIssuer(i string) GenerateOption

WithIssuer for the generated account

func WithMetadata

func WithMetadata(md map[string]string) GenerateOption

WithMetadata for the generated account

func WithName

func WithName(n string) GenerateOption

WithName for the generated account

func WithProvider

func WithProvider(p string) GenerateOption

WithProvider for the generated account

func WithScopes

func WithScopes(s ...string) GenerateOption

WithScopes for the generated account

func WithSecret

func WithSecret(s string) GenerateOption

WithSecret for the generated account

func WithType

func WithType(t string) GenerateOption

WithType for the generated account

type GenerateOptions

// GenerateOptions holds the attributes applied to an account by Auth.Generate;
// build it with NewGenerateOptions.
type GenerateOptions struct {
    // Metadata associated with the account.
    Metadata map[string]string
    // Scopes the account has access to.
    Scopes []string
    // Provider of the account, e.g. oauth.
    Provider string
    // Type of the account, e.g. user.
    Type string
    // Secret used to authenticate the account.
    Secret string
    // Issuer of the account, e.g. micro.
    Issuer string
    // Name of the account e.g. an email or username.
    Name string
}

func NewGenerateOptions

func NewGenerateOptions(opts ...GenerateOption) GenerateOptions

NewGenerateOptions from a slice of options

type Option

// Option mutates an Options; see Addrs, ClientToken, Credentials, Issuer,
// LoginURL, PrivateKey and PublicKey.
type Option func(o *Options)

func Addrs

func Addrs(addrs ...string) Option

Addrs sets the auth addresses to use

func ClientToken

func ClientToken(token *Token) Option

ClientToken sets the auth token to use when making requests

func Credentials

func Credentials(id, secret string) Option

Credentials sets the auth credentials

func Issuer

func Issuer(i string) Option

Issuer sets the issuer of the service's account

func LoginURL

func LoginURL(url string) Option

LoginURL sets the auth LoginURL

func PrivateKey

func PrivateKey(key string) Option

PrivateKey sets the JWT private key used for encoding tokens

func PublicKey

func PublicKey(key string) Option

PublicKey sets the JWT public key used for decoding tokens

type Options

// Options configures an Auth implementation; build it with NewOptions.
type Options struct {
    // Issuer of the service's account.
    Issuer string
    // ID is the service's auth ID.
    ID string
    // Secret is used to authenticate the service.
    Secret string
    // Token is the service's token used to authenticate itself.
    Token *Token
    // PublicKey for decoding JWTs.
    PublicKey string
    // PrivateKey for encoding JWTs. Held in memory as a plain string, so an
    // Options value (or a dump of it) carries the signing key — avoid logging it.
    PrivateKey string
    // LoginURL is the relative url path where a user can login.
    LoginURL string
    // Addrs sets the addresses of auth.
    Addrs []string
    // Context for other, implementation-specific options.
    // NOTE(review): the original comment read "Context to db.other options";
    // its intent is unclear — confirm with the implementation.
    Context context.Context
}

func NewOptions

func NewOptions(opts ...Option) Options

type Resource

Resource is an entity, such as a user or a service, that rules grant or deny access to

// Resource identifies what access is being requested to; a Rule matches a
// request by comparing against these fields.
type Resource struct {
    // Name of the resource, e.g. go.micro.service.notes.
    Name string `json:"name"`
    // Type of resource, e.g. service.
    Type string `json:"type"`
    // Endpoint resource e.g NotesApp.Create.
    Endpoint string `json:"endpoint"`
}

type Rule

Rule is used to verify access to a resource

// Rule is used to verify access to a resource. Rules are evaluated by
// VerifyAccess / Rules.Verify; ordering is governed by Priority.
type Rule struct {
    // ID of the rule, e.g. "public".
    ID string
    // Scope the rule requires, a blank scope indicates open to the public and * indicates the rule
    // applies to any valid account (see ScopePublic and ScopeAccount). Because the
    // zero value is the public scope, leaving Scope unset is the most permissive choice.
    Scope string
    // Resource the rule applies to.
    Resource *Resource
    // Access determines if the rule grants or denies access to the resource.
    // The zero value is AccessGranted, so set this explicitly when building rules.
    Access Access
    // Priority the rule should take when verifying a request, the higher the value the sooner the
    // rule will be applied.
    Priority int32
}

type Rules

Rules is an interface for authorization

// Rules is an interface for authorization: it stores the Rule set and verifies
// accounts against it.
type Rules interface {
    // Grant access to a resource by adding the rule.
    Grant(rule *Rule) error
    // Revoke access to a resource by removing the rule.
    Revoke(rule *Rule) error
    // List returns all the rules used to verify requests.
    List(...RulesOption) ([]*Rule, error)
    // Verify an account has access to a resource using the rules. Per the
    // package-level VerifyAccess contract, an error is returned when access is
    // denied or when no rule matches the resource.
    Verify(acc *Account, res *Resource, opts ...VerifyOption) error
}

type RulesOption

// RulesOption mutates a RulesOptions; see RulesContext and RulesNamespace.
type RulesOption func(o *RulesOptions)

func RulesContext

func RulesContext(ctx context.Context) RulesOption

func RulesNamespace

func RulesNamespace(ns string) RulesOption

type RulesOptions

// RulesOptions holds the options accepted by Rules.List.
type RulesOptions struct {
    // Context for the request.
    Context   context.Context
    // Namespace the rules are scoped to.
    Namespace string
}

type Token

Token is a credential that can be short- or long-lived

// Token is a credential issued by Auth.Token; it can be short or long lived.
// All fields are serialised by encoding/json, so a marshalled Token carries both
// the access and refresh tokens.
type Token struct {
    // The token to be used for accessing resources.
    AccessToken string `json:"access_token"`
    // RefreshToken to be used to generate a new token.
    RefreshToken string `json:"refresh_token"`
    // Time of token creation.
    Created time.Time `json:"created"`
    // Time of token expiry. Presumably what Expired compares against — confirm
    // against the Expired implementation, which is not shown here.
    Expiry time.Time `json:"expiry"`
}

func (*Token) Expired

func (t *Token) Expired() bool

Expired reports whether the token has expired and needs to be refreshed

type TokenOption

// TokenOption mutates a TokenOptions; see WithCredentials, WithExpiry,
// WithToken and WithTokenIssuer.
type TokenOption func(o *TokenOptions)

func WithCredentials

func WithCredentials(id, secret string) TokenOption

func WithExpiry

func WithExpiry(ex time.Duration) TokenOption

WithExpiry for the token

func WithToken

func WithToken(rt string) TokenOption

func WithTokenIssuer

func WithTokenIssuer(iss string) TokenOption

type TokenOptions

// TokenOptions holds the inputs to Auth.Token; build it with NewTokenOptions.
// Either ID/Secret (credentials) or RefreshToken is expected to be set.
type TokenOptions struct {
    // ID for the account.
    ID string
    // Secret for the account.
    Secret string
    // RefreshToken is used to refresh a token.
    RefreshToken string
    // Expiry is the time the token should live for.
    Expiry time.Duration
    // Issuer of the account.
    Issuer string
}

func NewTokenOptions

func NewTokenOptions(opts ...TokenOption) TokenOptions

NewTokenOptions from a slice of options

type VerifyOption

// VerifyOption mutates a VerifyOptions; see VerifyContext and VerifyNamespace.
type VerifyOption func(o *VerifyOptions)

func VerifyContext

func VerifyContext(ctx context.Context) VerifyOption

func VerifyNamespace

func VerifyNamespace(ns string) VerifyOption

type VerifyOptions

// VerifyOptions holds the options accepted by Rules.Verify.
type VerifyOptions struct {
    // Context for the request.
    Context   context.Context
    // Namespace the verification is scoped to.
    Namespace string
}
