-
Notifications
You must be signed in to change notification settings - Fork 16
/
authz.go
244 lines (217 loc) · 6.97 KB
/
authz.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
package types
import (
"encoding/json"
log "github.com/Sirupsen/logrus"
"github.com/contiv/auth_proxy/common"
)
// Consts that will be used across different packages
const (
// AuthProxyDir is the directory in the KV store
// where directories and keys used by
// auth proxy will be stored
AuthProxyDir = "auth_proxy"
// AuthZDir is the directory under which all
// types.Authorizations state will be saved
// in the KV store
AuthZDir = AuthProxyDir + "/" + "authorizations"
)
// DatastoreDirectories is a list of all the directories in the datastore that
// our code assumes exist. These will be automatically created whenever a
// state driver is initialized.
var DatastoreDirectories = []string{
AuthZDir,
AuthProxyDir + "/local_users",
AuthProxyDir + "/principals",
}
//
// Authorization represents the dynamic policy that defines mapping of
// principals and their access claims to entities with certain capabilities.
//
// Principals are also called subjects. Entities are also called
// objects. Objects and the capabilities defined on them are termed as
// a claim's key and value.
//
//
// Capabilities
// (claim's value)
// Principals -------------------------> Entities
// (subjects) (objects or the claim's key)
//
//
// This is a many-to-many association - one principal will have access to many
// claims (e.g., for different tenants), and one claim (e.g., for a specific
// tenant) might be associated with many principals.
//
// All subject-object mappings must be unique - hence the primary key is a
// combination of the principal and claims' keys.
//
// Fields:
// CommonState: Embedded common state struct (which will be part of all structs that implement
// types.State)
// UUID: unique ID for an authorization.
// PrincipalName: Unique name of the subject; it could be a username or LDAP group name.
// Local: Bool indicating whether the principal is a local user. False indicates
// that the principal is an LDAP group
// ClaimKey: string encoding of the claim's key associated with the authorization
// ClaimValue: string encoding of the claim's value associated with the
// authorization
//
type Authorization struct {
CommonState
UUID string `json:"uuid"`
PrincipalName string `json:"principalName"`
Local bool `json:"local"`
ClaimKey string `json:"claimKey"`
ClaimValue string `json:"claimValue"`
}
//
// "Schema" of how authorizations will be stored in the KV store
//
//
// /[AuthZDir]/{AuthZID:[AuthZState]}
//
// Key: Authorization UUID or AuthZID
// Value: Authorization instance
//
// e.g.
// /authproxy/authorizations/{11111111: {
// CommonState
// UUID: "11111111"
// PrincipalName: "test"
// ClaimKey: "tenant:t1"
// ClaimValue: "devops"
// }
// }
//
// /authproxy/authorizations/{22222222: {
// CommonState
// UUID: "22222222"
// PrincipalName: "OU=auth,DC=auth,DC=example,DC=com"
// ClaimKey: "tenant:t2"
// ClaimValue: "devops"
// }
// }
//
// For each authz instance, the claim key indicates the tenants (or
// other objects) that the authorization allows access to. The claim
// value indicates the type of capability or access that is allowed
// on the object in the claim-key. This capability can also be specified
// as a "role".
//
//
// BelongsToBuiltInAdmin determines if the authz belongs to the built-in local
// admin user.
//
func (a *Authorization) BelongsToBuiltInAdmin() bool {
return a.Local && Admin.String() == a.PrincipalName
}
//
// Write adds an authz instance to the authz dir in the KV store
//
// Parameters:
// (Receiver): authorization object on which operation is occurring
//
// Return Values:
// error: Error received from StateDriver
// nil if operation is successful
//
func (a *Authorization) Write() error {
defer common.Untrace(common.Trace())
// write the authz state
key := AuthZDir + "/" + a.UUID
return a.StateDriver.WriteState(key, a, json.Marshal)
}
//
// Clear removes an authz instance from the authz dir in the KV store
//
// Parameters:
// (Receiver): authorization object on which operation is occurring
// ID: of the authorization object
//
// Return Values:
// error: Any error from the state driver
// Nil if successful
//
func (a *Authorization) Clear() error {
defer common.Untrace(common.Trace())
log.Debug("deleting authorization:", a.UUID)
key := AuthZDir + "/" + a.UUID
return a.StateDriver.ClearState(key)
}
//
// Read looks up an authorization entry in the authz dir
//
// Parameters:
// (Receiver): authorization object on which operation is occurring
// UUID: of the authZ that needs to be read
//
// Return Values:
// error: Any error from the state driver
// Nil if successful
//
func (a *Authorization) Read(UUID string) error {
defer common.Untrace(common.Trace())
key := AuthZDir + "/" + UUID
return a.StateDriver.ReadState(key, a, json.Unmarshal)
}
//
// ReadAll returns all authorizations in the authz dir
//
// Return Values:
// []State: List of authorization states
// error: Any error when reading from the KV store
// nil if operation is successful
//
func (a *Authorization) ReadAll() ([]State, error) {
defer common.Untrace(common.Trace())
key := AuthZDir
return a.StateDriver.ReadAllState(key, a, json.Unmarshal)
}
/*
//
// CapabilityType represents a capability that captures an operation
// specific authorization. These capabilities are associated with roles
// that are assigned to security principals. Capabiliites themselves
// are not stored in an authorized token, but are derived from the role.
// A capability check is carried out by APIs to see if caller principal
// has a role that grants this capability.
//
type CapabilityType int
// TODO: Make these bitmasks
const (
// Tenant specific capabilities
capCreateTenant = iota
capCreateTenant
capUpdateTenant
capDeleteTenant
// Network specific capabilties
capCreateNetwork
capReadNetwork
capUpdateNetwork
capDeleteTenant
// Define all capabilities before this
capLast
)
func (typ CapabilityType) String() string {
s := ""
switch typ {
case capCreateTenant:
s += "capCreateTenant"
case capReadTenant:
s += "capReadTenant"
case capUpdateTenant:
s += "capUpdateTenant"
case capDeleteTenant:
s += "capDeleteTenant"
case capCreateNetwork:
s += "capCreateNetwork"
case capReadNetwork:
s += "capReadNetwork"
case capUpdateNetwork:
s += "capUpdateNetwork"
case capDeleteNetwork:
s += "capDeleteNetwork"
}
return s
}
*/