authz

package

Constants

// Zero-valued permission masks: a holder of either grants nothing. They are
// the explicit "deny everything" values for the two mask types and also
// happen to be each type's zero value.
const (
	EventNoPermissions  = EventPermissionMask(0)
	GlobalNoPermissions = GlobalPermissionMask(0)
)
const RefreshTokenCookieName = "refresh_token"

RefreshTokenCookieName is the cookie name for the refresh token value. Ideally we'd use the "__Host-" prefix, but that would make local development with Chrome more difficult :(.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie_prefixes https://issues.chromium.org/issues/40202941

const SuggestedEarlyAccessTokenRefresh time.Duration = -10 * time.Second

SuggestedEarlyAccessTokenRefresh is how long before an access token actually expires that web clients should consider refreshing it. This avoids client-side errors that occur when the client believes its access token is still valid and sends a request, but by the time the server gets around to processing that request the token has already expired.

Variables

Functions

func PersonMatches

func PersonMatches(
	ea imsdb.EventAccess,
	handle string,
	positions []string,
	teams []string,
	onsite bool,
	onDutyPosition string,
) bool

Types

type EventPermissionMask

// EventPermissionMask is a bit set of permissions that apply to a single
// event. Values are combined with | and tested with &.
type EventPermissionMask uint16

// Per-event permission bits. Each constant occupies exactly one bit of the
// 16-bit mask, so any combination of them is representable.
const (
	EventReadIncidents        EventPermissionMask = 1 << 0
	EventWriteIncidents       EventPermissionMask = 1 << 1
	EventReadAllFieldReports  EventPermissionMask = 1 << 2
	EventReadOwnFieldReports  EventPermissionMask = 1 << 3
	EventWriteAllFieldReports EventPermissionMask = 1 << 4
	EventWriteOwnFieldReports EventPermissionMask = 1 << 5
	EventReadEventName        EventPermissionMask = 1 << 6
	EventReadDestinations     EventPermissionMask = 1 << 7
)

type GlobalPermissionMask

// GlobalPermissionMask is a bit set of permissions that are not tied to any
// particular event. Values are combined with | and tested with &.
type GlobalPermissionMask uint16

// Global permission bits. Each constant occupies exactly one bit of the
// 16-bit mask; the Administrate* bits cover management of the named resource.
const (
	GlobalListEvents                GlobalPermissionMask = 1 << 0
	GlobalReadIncidentTypes         GlobalPermissionMask = 1 << 1
	GlobalReadStreets               GlobalPermissionMask = 1 << 2
	GlobalReadPersonnel             GlobalPermissionMask = 1 << 3
	GlobalAdministrateEvents        GlobalPermissionMask = 1 << 4
	GlobalAdministrateStreets       GlobalPermissionMask = 1 << 5
	GlobalAdministrateIncidentTypes GlobalPermissionMask = 1 << 6
	GlobalAdministrateDestinations  GlobalPermissionMask = 1 << 7
	GlobalAdministrateDebugging     GlobalPermissionMask = 1 << 8
)

func EventPermissions

func EventPermissions(
	ctx context.Context,
	eventID *int32,
	imsDBQ *store.DBQ,
	userStore *directory.UserStore,
	imsAdmins []string,
	claims IMSClaims,
) (eventPermissions map[int32]EventPermissionMask, globalPermissions GlobalPermissionMask, err error)

func ManyEventPermissions

func ManyEventPermissions(
	accessByEvent map[int32][]imsdb.EventAccess,
	imsAdmins []string,
	handle string,
	onsite bool,
	positions []string,
	teams []string,
	onDutyPosition string,
) (eventPermissions map[int32]EventPermissionMask, globalPermissions GlobalPermissionMask)

type IMSClaims

// IMSClaims is the set of JWT claims carried by the tokens this package
// issues. It embeds the standard registered claims (expiry, issued-at,
// issuer, subject, ...) and adds IMS-specific claims under short JSON keys.
type IMSClaims struct {
	jwt.RegisteredClaims

	// Handle is the Ranger's handle; serialized as "han".
	Handle         string `json:"han"`
	// Positions carries the Ranger's position IDs as a single string
	// ("pos"). RangerPositions exposes them as []int64; the encoding is
	// not visible here — check that method before parsing this directly.
	Positions      string `json:"pos"`
	// Teams carries the Ranger's team IDs as a single string ("tea"),
	// presumably encoded like Positions; RangerTeams exposes them as []int64.
	Teams          string `json:"tea"`
	// Onsite reports whether the Ranger is on site ("ons").
	Onsite         bool   `json:"ons"`
	// OnDutyPosition is the Ranger's current on-duty position ID ("dut").
	// It is omitted from the token when nil; nil presumably means the
	// Ranger is not on duty — confirm against the callers that set it.
	OnDutyPosition *int64 `json:"dut,omitempty"`
}

func (IMSClaims) DirectoryID

func (c IMSClaims) DirectoryID() int64

DirectoryID returns the Clubhouse ID for a Ranger. It returns -1 if the ID cannot be determined.

func (IMSClaims) RangerHandle

func (c IMSClaims) RangerHandle() string

func (IMSClaims) RangerOnDutyPosition

func (c IMSClaims) RangerOnDutyPosition() *int64

func (IMSClaims) RangerOnSite

func (c IMSClaims) RangerOnSite() bool

func (IMSClaims) RangerPositions

func (c IMSClaims) RangerPositions() []int64

func (IMSClaims) RangerTeams

func (c IMSClaims) RangerTeams() []int64

func (IMSClaims) WithExpiration

func (c IMSClaims) WithExpiration(t time.Time) IMSClaims

func (IMSClaims) WithIssuedAt

func (c IMSClaims) WithIssuedAt(t time.Time) IMSClaims

func (IMSClaims) WithIssuer

func (c IMSClaims) WithIssuer(s string) IMSClaims

func (IMSClaims) WithRangerHandle

func (c IMSClaims) WithRangerHandle(s string) IMSClaims

func (IMSClaims) WithRangerOnDutyPosition

func (c IMSClaims) WithRangerOnDutyPosition(pos *int64) IMSClaims

func (IMSClaims) WithRangerOnSite

func (c IMSClaims) WithRangerOnSite(onsite bool) IMSClaims

func (IMSClaims) WithRangerPositions

func (c IMSClaims) WithRangerPositions(pos ...int64) IMSClaims

func (IMSClaims) WithRangerTeams

func (c IMSClaims) WithRangerTeams(teams ...int64) IMSClaims

func (IMSClaims) WithSubject

func (c IMSClaims) WithSubject(s string) IMSClaims

type JWTer

// JWTer creates and authenticates the JWTs that IMS uses as access and
// refresh tokens (see CreateAccessToken, CreateRefreshToken, AuthenticateJWT
// and AuthenticateRefreshToken).
type JWTer struct {
	// SecretKey is the shared secret used both to sign tokens and to verify
	// them: a token signed with a different key is rejected. Because the same
	// key signs and verifies, anyone who obtains it can mint tokens this JWTer
	// will accept, so it must be kept confidential and never logged.
	SecretKey string
}

func (JWTer) AuthenticateJWT

func (j JWTer) AuthenticateJWT(jwtStr string) (*IMSClaims, error)

AuthenticateJWT gives JWT claims for a valid, authenticated JWT string, or returns an error otherwise. A JWT may be invalid because it was signed by a different key, because it has expired, etc.

func (JWTer) AuthenticateRefreshToken

func (j JWTer) AuthenticateRefreshToken(refreshToken string) (*IMSClaims, error)

AuthenticateRefreshToken is like AuthenticateJWT: it checks that the supplied token is valid (was signed by the same secret key and hasn't expired). It's an implementation detail that refresh tokens are also JWTs; clients of IMS should treat them as opaque strings.

func (JWTer) CreateAccessToken

func (j JWTer) CreateAccessToken(
	rangerName string,
	clubhouseID int64,
	positionIDs []int64,
	teamIDs []int64,
	onsite bool,
	onDutyPositionID *int64,
	expiration time.Time,
) (string, error)

func (JWTer) CreateRefreshToken

func (j JWTer) CreateRefreshToken(rangerName string, clubhouseID int64, expiration time.Time) (string, error)

CreateRefreshToken creates a refresh token, which the client can use to request new access tokens based on any updated claims from the UserStore. It's an implementation detail that this uses an access token-style JWT. Ideally a refresh token would be persisted server-side, so that it could be invalidated from the server. As a stopgap before we have such a per-user persistence component, we instead rely solely on the security of JWT signing, which means a refresh token cannot be revoked before it expires.

type Role

// Role is a named authorization role that can be assigned to a user. The
// string value of a Role is its name.
type Role string

// The roles recognized by this package.
const (
	AnyAuthenticatedUser = Role("AnyAuthenticatedUser")
	EventReporter        = Role("EventReporter")
	EventReader          = Role("EventReader")
	EventWriter          = Role("EventWriter")
	Administrator        = Role("Administrator")
)
