|
|
|
|
@ -63,11 +63,31 @@ type RequestInfo struct {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type VerifyResults struct {
|
|
|
|
|
UserId string
|
|
|
|
|
AuthTokenId string
|
|
|
|
|
Error error
|
|
|
|
|
Scope *scopes.ScopeInfo
|
|
|
|
|
Authenticated bool
|
|
|
|
|
UserId string
|
|
|
|
|
AuthTokenId string
|
|
|
|
|
Error error
|
|
|
|
|
Scope *scopes.ScopeInfo
|
|
|
|
|
|
|
|
|
|
// AuthenticatedFinished means that the request has passed through the
|
|
|
|
|
// authentication system successfully. This does _not_ indicate whether a
|
|
|
|
|
// token was provided on the request. Requests for `u_anon` will still have
|
|
|
|
|
// this set true! This is because if a request has a token that is invalid,
|
|
|
|
|
// we fall back to `u_anon` because the request may still be allowed for any
|
|
|
|
|
// anonymous user; it simply fails to validate for and look up grants for an
|
|
|
|
|
// actual known user.
|
|
|
|
|
//
|
|
|
|
|
// A good example is when running dev mode twice. The first time you can
|
|
|
|
|
// authenticate and get a token which is saved by the token helper. The
|
|
|
|
|
// second time, you run a command and it reads the token from the helper.
|
|
|
|
|
// That token is no longer valid, but if the action is granted to `u_anon`
|
|
|
|
|
// the action should still succeed. What happens internally is that the
|
|
|
|
|
// token fails to look up a non-anonymous user, so we fallback to the
|
|
|
|
|
// anonymous user, which is the default.
|
|
|
|
|
//
|
|
|
|
|
// If you want to know if the request had a valid token provided, use a
|
|
|
|
|
// switch on UserId. Anything that isn't `u_anon` will have to have had a
|
|
|
|
|
// valid token provided. And a valid token will never fall back to `u_anon`.
|
|
|
|
|
AuthenticationFinished bool
|
|
|
|
|
|
|
|
|
|
// RoundTripValue can be set to allow the function performing authentication
|
|
|
|
|
// (often accompanied by lookup(s)) to return a result of that lookup to the
|
|
|
|
|
@ -208,7 +228,7 @@ func Verify(ctx context.Context, opt ...Option) (ret VerifyResults) {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret.AuthTokenId = v.requestInfo.PublicId
|
|
|
|
|
ret.Authenticated = authResults.Authenticated
|
|
|
|
|
ret.AuthenticationFinished = authResults.AuthenticationFinished
|
|
|
|
|
if !authResults.Authorized {
|
|
|
|
|
if v.requestInfo.DisableAuthzFailures {
|
|
|
|
|
ret.Error = nil
|
|
|
|
|
@ -441,7 +461,7 @@ func (v verifier) performAuthCheck() (aclResults perms.ACLResults, userId string
|
|
|
|
|
|
|
|
|
|
// At this point we don't need to look up grants since it's automatically allowed
|
|
|
|
|
if v.requestInfo.TokenFormat == AuthTokenTypeRecoveryKms {
|
|
|
|
|
aclResults.Authenticated = true
|
|
|
|
|
aclResults.AuthenticationFinished = true
|
|
|
|
|
aclResults.Authorized = true
|
|
|
|
|
retErr = nil
|
|
|
|
|
return
|
|
|
|
|
@ -481,7 +501,7 @@ func (v verifier) performAuthCheck() (aclResults perms.ACLResults, userId string
|
|
|
|
|
// is used for further permissions checks, such as during recursive listing.
|
|
|
|
|
// So we want to make sure any code relying on that has the full set of
|
|
|
|
|
// grants successfully loaded.
|
|
|
|
|
aclResults.Authenticated = true
|
|
|
|
|
aclResults.AuthenticationFinished = true
|
|
|
|
|
retErr = nil
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
Jeff Mitchell
5 years ago
committed by
GitHub