auth.go 4.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122
  1. // Package auth deals with authentication and authorization against topics
  2. package auth
  3. import (
  4. "errors"
  5. "regexp"
  6. )
  7. // Auther is a generic interface to implement password-based authentication and authorization
  8. type Auther interface {
  9. // Authenticate checks username and password and returns a user if correct. The method
  10. // returns in constant-ish time, regardless of whether the user exists or the password is
  11. // correct or incorrect.
  12. Authenticate(username, password string) (*User, error)
  13. // Authorize returns nil if the given user has access to the given topic using the desired
  14. // permission. The user param may be nil to signal an anonymous user.
  15. Authorize(user *User, topic string, perm Permission) error
  16. }
  17. // Manager is an interface representing user and access management
  18. type Manager interface {
  19. // AddUser adds a user with the given username, password and role. The password should be hashed
  20. // before it is stored in a persistence layer.
  21. AddUser(username, password string, role Role) error
  22. // RemoveUser deletes the user with the given username. The function returns nil on success, even
  23. // if the user did not exist in the first place.
  24. RemoveUser(username string) error
  25. // Users returns a list of users. It always also returns the Everyone user ("*").
  26. Users() ([]*User, error)
  27. // User returns the user with the given username if it exists, or ErrNotFound otherwise.
  28. // You may also pass Everyone to retrieve the anonymous user and its Grant list.
  29. User(username string) (*User, error)
  30. // ChangePassword changes a user's password
  31. ChangePassword(username, password string) error
  32. // ChangeRole changes a user's role. When a role is changed from RoleUser to RoleAdmin,
  33. // all existing access control entries (Grant) are removed, since they are no longer needed.
  34. ChangeRole(username string, role Role) error
  35. // AllowAccess adds or updates an entry in th access control list for a specific user. It controls
  36. // read/write access to a topic. The parameter topicPattern may include wildcards (*).
  37. AllowAccess(username string, topicPattern string, read bool, write bool) error
  38. // ResetAccess removes an access control list entry for a specific username/topic, or (if topic is
  39. // empty) for an entire user. The parameter topicPattern may include wildcards (*).
  40. ResetAccess(username string, topicPattern string) error
  41. // DefaultAccess returns the default read/write access if no access control entry matches
  42. DefaultAccess() (read bool, write bool)
  43. }
  44. // User is a struct that represents a user
  45. type User struct {
  46. Name string
  47. Hash string // password hash (bcrypt)
  48. Role Role
  49. Grants []Grant
  50. }
  51. // Grant is a struct that represents an access control entry to a topic
  52. type Grant struct {
  53. TopicPattern string // May include wildcard (*)
  54. AllowRead bool
  55. AllowWrite bool
  56. }
  57. // Permission represents a read or write permission to a topic
  58. type Permission int
  59. // Permissions to a topic
  60. const (
  61. PermissionRead = Permission(1)
  62. PermissionWrite = Permission(2)
  63. )
  64. // Role represents a user's role, either admin or regular user
  65. type Role string
  66. // User roles
  67. const (
  68. RoleAdmin = Role("admin")
  69. RoleUser = Role("user")
  70. RoleAnonymous = Role("anonymous")
  71. )
  72. // Everyone is a special username representing anonymous users
  73. const (
  74. Everyone = "*"
  75. )
  76. var (
  77. allowedUsernameRegex = regexp.MustCompile(`^[-_.@a-zA-Z0-9]+$`) // Does not include Everyone (*)
  78. allowedTopicPatternRegex = regexp.MustCompile(`^[-_*A-Za-z0-9]{1,64}$`) // Adds '*' for wildcards!
  79. )
  80. // AllowedRole returns true if the given role can be used for new users
  81. func AllowedRole(role Role) bool {
  82. return role == RoleUser || role == RoleAdmin
  83. }
  84. // AllowedUsername returns true if the given username is valid
  85. func AllowedUsername(username string) bool {
  86. return allowedUsernameRegex.MatchString(username)
  87. }
  88. // AllowedTopicPattern returns true if the given topic pattern is valid; this includes the wildcard character (*)
  89. func AllowedTopicPattern(username string) bool {
  90. return allowedTopicPatternRegex.MatchString(username)
  91. }
  92. // Error constants used by the package
  93. var (
  94. ErrUnauthenticated = errors.New("unauthenticated")
  95. ErrUnauthorized = errors.New("unauthorized")
  96. ErrInvalidArgument = errors.New("invalid argument")
  97. ErrNotFound = errors.New("not found")
  98. )