package auth
import "github.com/docker/distribution/auth"
Package auth defines a standard interface for request access controllers.
An access controller has a simple interface with a single `Authorized` method which checks that a given request is authorized to perform one or more actions on one or more resources. This method should return a non-nil error if the requset is not authorized.
An implementation registers its access controller by name with a constructor which accepts an options map for configuring the access controller.
options := map[string]interface{}{"sillySecret": "whysosilly?"}
accessController, _ := auth.GetAccessController("silly", options)
This `accessController` can then be used in a request handler like so:
func updateOrder(w http.ResponseWriter, r *http.Request) {
orderNumber := r.FormValue("orderNumber")
resource := auth.Resource{Type: "customerOrder", Name: orderNumber}
access := auth.Access{Resource: resource, Action: "update"}
if err := accessController.Authorized(r, access); err != nil {
if challenge, ok := err.(auth.Challenge) {
// Let the challenge write the response.
challenge.ServeHTTP(w, r)
} else {
// Some other error.
}
}
}
Index ¶
- func Register(name string, initFunc InitFunc) error
- type Access
- type AccessController
- type Challenge
- type InitFunc
- type Resource
Functions ¶
func Register ¶
Register is used to register an InitFunc for an AccessController backend with the given name.
Types ¶
type Access ¶
Access describes a specific action that is requested or allowed for a given recource.
type AccessController ¶
type AccessController interface {
// Authorized returns non-nil if the request is granted access. If one or
// more Access structs are provided, the requested access will be compared
// with what is available to the request. If the error is non-nil, access
// should always be denied. The error may be of type Challenge, in which
// case the caller may have the Challenge handle the request or choose
// what action to take based on the Challenge header or response status.
Authorized(req *http.Request, access ...Access) error
}
AccessController controls access to registry resources based on a request and required access levels for a request. Implementations can support both complete denial and http authorization challenges.
func GetAccessController ¶
func GetAccessController(name string, options map[string]interface{}) (AccessController, error)
GetAccessController constructs an AccessController with the given options using the named backend.
type Challenge ¶
type Challenge interface {
error
// ServeHTTP prepares the request to conduct the appropriate challenge
// response. For most implementations, simply calling ServeHTTP should be
// sufficient. Because no body is written, users may write a custom body after
// calling ServeHTTP, but any headers must be written before the call and may
// be overwritten.
ServeHTTP(w http.ResponseWriter, r *http.Request)
}
Challenge is a special error type which is used for HTTP 401 Unauthorized responses and is able to write the response with WWW-Authenticate challenge header values based on the error.
type InitFunc ¶
type InitFunc func(options map[string]interface{}) (AccessController, error)
InitFunc is the type of an AccessController factory function and is used to register the contsructor for different AccesController backends.
type Resource ¶
Resource describes a resource by type and name.
Source Files ¶
Directories ¶
| Path | Synopsis |
|---|---|
| auth/silly | Package silly provides a simple authentication scheme that checks for the existence of an Authorization header and issues access if is present and non-empty. |
| auth/token |
- Version
- v2.0.0-alpha.1+incompatible
- Published
- Jan 28, 2015
- Platform
- js/wasm
- Imports
- 2 packages
- Last checked
- 7 minutes ago –
Tools for package owners.