forked from influxdata/influxdb
-
Notifications
You must be signed in to change notification settings - Fork 0
/
auth.go
115 lines (93 loc) · 3.43 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
package influxdb
import (
"context"
"fmt"
)
// AuthorizationKind is returned by (*Authorization).Kind().
const AuthorizationKind = "authorization"
var (
// ErrUnableToCreateToken sanitized error message for all errors when a user cannot create a token
ErrUnableToCreateToken = &Error{
Msg: "unable to create token",
Code: EInvalid,
}
)
// Authorization is an authorization. 🎉
type Authorization struct {
ID ID `json:"id"`
Token string `json:"token"`
Status Status `json:"status"`
Description string `json:"description"`
OrgID ID `json:"orgID"`
UserID ID `json:"userID,omitempty"`
Permissions []Permission `json:"permissions"`
}
// Valid ensures that the authorization is valid.
func (a *Authorization) Valid() error {
for _, p := range a.Permissions {
if p.Resource.OrgID != nil && *p.Resource.OrgID != a.OrgID {
return &Error{
Msg: fmt.Sprintf("permisson %s is not for org id %s", p, a.OrgID),
Code: EInvalid,
}
}
}
return nil
}
// Allowed returns true if the authorization is active and request permission
// exists in the authorization's list of permissions.
func (a *Authorization) Allowed(p Permission) bool {
if !a.IsActive() {
return false
}
return PermissionAllowed(p, a.Permissions)
}
// IsActive is a stub for idpe.
func IsActive(a *Authorization) bool {
return a.IsActive()
}
// IsActive returns true if the authorization active.
func (a *Authorization) IsActive() bool {
return a.Status == Active
}
// GetUserID returns the user id.
func (a *Authorization) GetUserID() ID {
return a.UserID
}
// Kind returns session and is used for auditing.
func (a *Authorization) Kind() string { return AuthorizationKind }
// Identifier returns the authorizations ID and is used for auditing.
func (a *Authorization) Identifier() ID { return a.ID }
// auth service op
const (
OpFindAuthorizationByID = "FindAuthorizationByID"
OpFindAuthorizationByToken = "FindAuthorizationByToken"
OpFindAuthorizations = "FindAuthorizations"
OpCreateAuthorization = "CreateAuthorization"
OpSetAuthorizationStatus = "SetAuthorizationStatus"
OpDeleteAuthorization = "DeleteAuthorization"
)
// AuthorizationService represents a service for managing authorization data.
type AuthorizationService interface {
// Returns a single authorization by ID.
FindAuthorizationByID(ctx context.Context, id ID) (*Authorization, error)
// Returns a single authorization by Token.
FindAuthorizationByToken(ctx context.Context, t string) (*Authorization, error)
// Returns a list of authorizations that match filter and the total count of matching authorizations.
// Additional options provide pagination & sorting.
FindAuthorizations(ctx context.Context, filter AuthorizationFilter, opt ...FindOptions) ([]*Authorization, int, error)
// Creates a new authorization and sets a.Token and a.UserID with the new identifier.
CreateAuthorization(ctx context.Context, a *Authorization) error
// SetAuthorizationStatus updates the status of the authorization. Useful
// for setting an authorization to inactive or active.
SetAuthorizationStatus(ctx context.Context, id ID, status Status) error
// Removes a authorization by token.
DeleteAuthorization(ctx context.Context, id ID) error
}
// AuthorizationFilter represents a set of filter that restrict the returned results.
type AuthorizationFilter struct {
Token *string
ID *ID
UserID *ID
User *string
}