243 lines
10 KiB
Go
243 lines
10 KiB
Go
// Copyright 2016 The etcd Authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package clientv3
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"strings"
|
|
|
|
"go.etcd.io/etcd/auth/authpb"
|
|
pb "go.etcd.io/etcd/etcdserver/etcdserverpb"
|
|
"google.golang.org/grpc"
|
|
)
|
|
|
|
type (
|
|
AuthEnableResponse pb.AuthEnableResponse
|
|
AuthDisableResponse pb.AuthDisableResponse
|
|
AuthenticateResponse pb.AuthenticateResponse
|
|
AuthUserAddResponse pb.AuthUserAddResponse
|
|
AuthUserDeleteResponse pb.AuthUserDeleteResponse
|
|
AuthUserChangePasswordResponse pb.AuthUserChangePasswordResponse
|
|
AuthUserGrantRoleResponse pb.AuthUserGrantRoleResponse
|
|
AuthUserGetResponse pb.AuthUserGetResponse
|
|
AuthUserRevokeRoleResponse pb.AuthUserRevokeRoleResponse
|
|
AuthRoleAddResponse pb.AuthRoleAddResponse
|
|
AuthRoleGrantPermissionResponse pb.AuthRoleGrantPermissionResponse
|
|
AuthRoleGetResponse pb.AuthRoleGetResponse
|
|
AuthRoleRevokePermissionResponse pb.AuthRoleRevokePermissionResponse
|
|
AuthRoleDeleteResponse pb.AuthRoleDeleteResponse
|
|
AuthUserListResponse pb.AuthUserListResponse
|
|
AuthRoleListResponse pb.AuthRoleListResponse
|
|
|
|
PermissionType authpb.Permission_Type
|
|
Permission authpb.Permission
|
|
)
|
|
|
|
const (
|
|
PermRead = authpb.READ
|
|
PermWrite = authpb.WRITE
|
|
PermReadWrite = authpb.READWRITE
|
|
)
|
|
|
|
type UserAddOptions authpb.UserAddOptions
|
|
|
|
type Auth interface {
|
|
// AuthEnable enables auth of an etcd cluster.
|
|
AuthEnable(ctx context.Context) (*AuthEnableResponse, error)
|
|
|
|
// AuthDisable disables auth of an etcd cluster.
|
|
AuthDisable(ctx context.Context) (*AuthDisableResponse, error)
|
|
|
|
// UserAdd adds a new user to an etcd cluster.
|
|
UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error)
|
|
|
|
// UserAddWithOptions adds a new user to an etcd cluster with some options.
|
|
UserAddWithOptions(ctx context.Context, name string, password string, opt *UserAddOptions) (*AuthUserAddResponse, error)
|
|
|
|
// UserDelete deletes a user from an etcd cluster.
|
|
UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error)
|
|
|
|
// UserChangePassword changes a password of a user.
|
|
UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error)
|
|
|
|
// UserGrantRole grants a role to a user.
|
|
UserGrantRole(ctx context.Context, user string, role string) (*AuthUserGrantRoleResponse, error)
|
|
|
|
// UserGet gets a detailed information of a user.
|
|
UserGet(ctx context.Context, name string) (*AuthUserGetResponse, error)
|
|
|
|
// UserList gets a list of all users.
|
|
UserList(ctx context.Context) (*AuthUserListResponse, error)
|
|
|
|
// UserRevokeRole revokes a role of a user.
|
|
UserRevokeRole(ctx context.Context, name string, role string) (*AuthUserRevokeRoleResponse, error)
|
|
|
|
// RoleAdd adds a new role to an etcd cluster.
|
|
RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error)
|
|
|
|
// RoleGrantPermission grants a permission to a role.
|
|
RoleGrantPermission(ctx context.Context, name string, key, rangeEnd string, permType PermissionType) (*AuthRoleGrantPermissionResponse, error)
|
|
|
|
// RoleGet gets a detailed information of a role.
|
|
RoleGet(ctx context.Context, role string) (*AuthRoleGetResponse, error)
|
|
|
|
// RoleList gets a list of all roles.
|
|
RoleList(ctx context.Context) (*AuthRoleListResponse, error)
|
|
|
|
// RoleRevokePermission revokes a permission from a role.
|
|
RoleRevokePermission(ctx context.Context, role string, key, rangeEnd string) (*AuthRoleRevokePermissionResponse, error)
|
|
|
|
// RoleDelete deletes a role.
|
|
RoleDelete(ctx context.Context, role string) (*AuthRoleDeleteResponse, error)
|
|
}
|
|
|
|
type authClient struct {
|
|
remote pb.AuthClient
|
|
callOpts []grpc.CallOption
|
|
}
|
|
|
|
func NewAuth(c *Client) Auth {
|
|
api := &authClient{remote: RetryAuthClient(c)}
|
|
if c != nil {
|
|
api.callOpts = c.callOpts
|
|
}
|
|
return api
|
|
}
|
|
|
|
func (auth *authClient) AuthEnable(ctx context.Context) (*AuthEnableResponse, error) {
|
|
resp, err := auth.remote.AuthEnable(ctx, &pb.AuthEnableRequest{}, auth.callOpts...)
|
|
return (*AuthEnableResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func (auth *authClient) AuthDisable(ctx context.Context) (*AuthDisableResponse, error) {
|
|
resp, err := auth.remote.AuthDisable(ctx, &pb.AuthDisableRequest{}, auth.callOpts...)
|
|
return (*AuthDisableResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func (auth *authClient) UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error) {
|
|
resp, err := auth.remote.UserAdd(ctx, &pb.AuthUserAddRequest{Name: name, Password: password, Options: &authpb.UserAddOptions{NoPassword: false}}, auth.callOpts...)
|
|
return (*AuthUserAddResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func (auth *authClient) UserAddWithOptions(ctx context.Context, name string, password string, options *UserAddOptions) (*AuthUserAddResponse, error) {
|
|
resp, err := auth.remote.UserAdd(ctx, &pb.AuthUserAddRequest{Name: name, Password: password, Options: (*authpb.UserAddOptions)(options)}, auth.callOpts...)
|
|
return (*AuthUserAddResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func (auth *authClient) UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error) {
|
|
resp, err := auth.remote.UserDelete(ctx, &pb.AuthUserDeleteRequest{Name: name}, auth.callOpts...)
|
|
return (*AuthUserDeleteResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func (auth *authClient) UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error) {
|
|
resp, err := auth.remote.UserChangePassword(ctx, &pb.AuthUserChangePasswordRequest{Name: name, Password: password}, auth.callOpts...)
|
|
return (*AuthUserChangePasswordResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func (auth *authClient) UserGrantRole(ctx context.Context, user string, role string) (*AuthUserGrantRoleResponse, error) {
|
|
resp, err := auth.remote.UserGrantRole(ctx, &pb.AuthUserGrantRoleRequest{User: user, Role: role}, auth.callOpts...)
|
|
return (*AuthUserGrantRoleResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func (auth *authClient) UserGet(ctx context.Context, name string) (*AuthUserGetResponse, error) {
|
|
resp, err := auth.remote.UserGet(ctx, &pb.AuthUserGetRequest{Name: name}, auth.callOpts...)
|
|
return (*AuthUserGetResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func (auth *authClient) UserList(ctx context.Context) (*AuthUserListResponse, error) {
|
|
resp, err := auth.remote.UserList(ctx, &pb.AuthUserListRequest{}, auth.callOpts...)
|
|
return (*AuthUserListResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func (auth *authClient) UserRevokeRole(ctx context.Context, name string, role string) (*AuthUserRevokeRoleResponse, error) {
|
|
resp, err := auth.remote.UserRevokeRole(ctx, &pb.AuthUserRevokeRoleRequest{Name: name, Role: role}, auth.callOpts...)
|
|
return (*AuthUserRevokeRoleResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func (auth *authClient) RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error) {
|
|
resp, err := auth.remote.RoleAdd(ctx, &pb.AuthRoleAddRequest{Name: name}, auth.callOpts...)
|
|
return (*AuthRoleAddResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func (auth *authClient) RoleGrantPermission(ctx context.Context, name string, key, rangeEnd string, permType PermissionType) (*AuthRoleGrantPermissionResponse, error) {
|
|
perm := &authpb.Permission{
|
|
Key: []byte(key),
|
|
RangeEnd: []byte(rangeEnd),
|
|
PermType: authpb.Permission_Type(permType),
|
|
}
|
|
resp, err := auth.remote.RoleGrantPermission(ctx, &pb.AuthRoleGrantPermissionRequest{Name: name, Perm: perm}, auth.callOpts...)
|
|
return (*AuthRoleGrantPermissionResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func (auth *authClient) RoleGet(ctx context.Context, role string) (*AuthRoleGetResponse, error) {
|
|
resp, err := auth.remote.RoleGet(ctx, &pb.AuthRoleGetRequest{Role: role}, auth.callOpts...)
|
|
return (*AuthRoleGetResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func (auth *authClient) RoleList(ctx context.Context) (*AuthRoleListResponse, error) {
|
|
resp, err := auth.remote.RoleList(ctx, &pb.AuthRoleListRequest{}, auth.callOpts...)
|
|
return (*AuthRoleListResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func (auth *authClient) RoleRevokePermission(ctx context.Context, role string, key, rangeEnd string) (*AuthRoleRevokePermissionResponse, error) {
|
|
resp, err := auth.remote.RoleRevokePermission(ctx, &pb.AuthRoleRevokePermissionRequest{Role: role, Key: []byte(key), RangeEnd: []byte(rangeEnd)}, auth.callOpts...)
|
|
return (*AuthRoleRevokePermissionResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func (auth *authClient) RoleDelete(ctx context.Context, role string) (*AuthRoleDeleteResponse, error) {
|
|
resp, err := auth.remote.RoleDelete(ctx, &pb.AuthRoleDeleteRequest{Role: role}, auth.callOpts...)
|
|
return (*AuthRoleDeleteResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func StrToPermissionType(s string) (PermissionType, error) {
|
|
val, ok := authpb.Permission_Type_value[strings.ToUpper(s)]
|
|
if ok {
|
|
return PermissionType(val), nil
|
|
}
|
|
return PermissionType(-1), fmt.Errorf("invalid permission type: %s", s)
|
|
}
|
|
|
|
type authenticator struct {
|
|
conn *grpc.ClientConn // conn in-use
|
|
remote pb.AuthClient
|
|
callOpts []grpc.CallOption
|
|
}
|
|
|
|
func (auth *authenticator) authenticate(ctx context.Context, name string, password string) (*AuthenticateResponse, error) {
|
|
resp, err := auth.remote.Authenticate(ctx, &pb.AuthenticateRequest{Name: name, Password: password}, auth.callOpts...)
|
|
return (*AuthenticateResponse)(resp), toErr(ctx, err)
|
|
}
|
|
|
|
func (auth *authenticator) close() {
|
|
auth.conn.Close()
|
|
}
|
|
|
|
func newAuthenticator(ctx context.Context, target string, opts []grpc.DialOption, c *Client) (*authenticator, error) {
|
|
conn, err := grpc.DialContext(ctx, target, opts...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
api := &authenticator{
|
|
conn: conn,
|
|
remote: pb.NewAuthClient(conn),
|
|
}
|
|
if c != nil {
|
|
api.callOpts = c.callOpts
|
|
}
|
|
return api, nil
|
|
}
|