package auth


Type Members

  1. sealed trait AccessLevel extends Product with Serializable with UniformCantonConfigValidation
  2. abstract class AsyncForwardingListener[ReqT] extends Listener[ReqT]

    This listener buffers all messages until setNextListener is called, at which point all buffered messages are sent to the given listener. From then on, all future messages are sent directly to the given listener.

    The target listener is usually created through Contexts.interceptCall or ServerCallHandler.startCall.

    Annotations
    @SuppressWarnings()
  3. class AuthInterceptor extends NamedLogging

    This interceptor uses the given AuthService to get ClaimSet.Claims for the current request, and then stores them in the current io.grpc.Context.

  4. trait AuthService extends AnyRef

    An interface for authorizing the ledger API access to a participant.

    The AuthService is responsible for converting request metadata (such as the HTTP headers) into a ClaimSet. These claims are then used by the ledger API server to check whether the request is authorized.

    • The authorization information MUST be specified in the Authorization header.
    • The value of the Authorization header MUST start with the prefix "Bearer " (notice the trailing space of the prefix).
    • An AuthService implementation MAY use other headers when converting metadata to claims.

    For example, a participant could:

    • Ask all ledger API users to attach an Authorization header with a JWT token as the header value.
    • Implement decodeMetadata() such that it reads the JWT token from the corresponding HTTP header, validates the token, and converts the token payload to ClaimSet.
  5. class AuthServiceJWT extends AuthServiceJWTBase
  6. abstract class AuthServiceJWTBase extends AuthService with NamedLogging

    An AuthService that reads a JWT token from an Authorization: Bearer HTTP header. The token is expected to use the format as defined in com.daml.jwt.AuthServiceJWTPayload:

  7. class AuthServicePrivilegedJWT extends AuthServiceJWTBase
  8. sealed abstract class AuthorizationError extends AnyRef
  9. final case class AuthorizedUser(userId: String, allowedServices: Seq[String]) extends UniformCantonConfigValidation with Product with Serializable
  10. final class Authorizer extends NamedLogging with TelemetryTracing

    A simple helper that allows services to use authorization claims that have been stored by AuthInterceptor.

  11. class CachedJwtVerifierLoader extends JwtVerifierLoader with NamedLogging

    A JWK verifier loader, where the public keys are automatically fetched from the given JWKS URL. The keys are then transformed into JWK verifiers.

    The verifiers are kept in cache, in order to prevent having to do a remote network access for each token validation.

    The cache is limited both in size and time. A size limit protects against infinitely growing memory consumption. A time limit is a safety catch for the case where a public key is used to sign a token without an expiration time and then is revoked.

  12. final case class CantonAdminToken(secret: String) extends Product with Serializable
  13. class CantonAdminTokenAuthService extends AuthService

    AuthService interceptor used for internal Canton services.

    Internal Canton services such as the PingService or the DarService require access to the Ledger API server. However, if the Ledger API server is configured with JWT authentication, their requests would be rejected, and Canton cannot be expected to obtain an OAuth token from a third-party service during startup.

    Therefore, we create on each startup a master token which is only ever shared internally.

  14. class CantonAdminTokenDispenser extends AnyRef

    Token dispenser for CantonAdminToken.

    This dispenser generates a new token every tokenDuration and rotates it every rotationInterval (tokenDuration / 2). It keeps track of the current and previous tokens, allowing for a grace period during which both tokens are valid. If a fixed token is provided, it can be used without time validation.

    The fixed token is only used for testing purposes, and should not be used in production.

  15. sealed abstract class Claim extends AnyRef

    A claim is a single statement about what an authenticated user can do with the ledger API.

    Note: this ADT is expected to evolve in the future by adding new cases for more fine grained claims. The existing cases should be treated as immutable in order to guarantee backwards compatibility for AuthService implementations.

  16. final case class ClaimActAsParty(name: Party) extends Claim with Product with Serializable

    Authorized to act as the given party, including:

    • Reading all data for the given party
    • Creating contracts on behalf of the given party
    • Exercising choices on behalf of the given party
  17. final case class ClaimReadAsParty(name: Party) extends Claim with Product with Serializable

    Authorized to read all data for the given party.

    Does NOT authorize to issue commands.

  18. trait ClaimResolver extends AnyRef
  19. sealed trait ClaimSet extends AnyRef
  20. class GrpcAuthInterceptor extends ServerInterceptor with NamedLogging
  21. class JwksVerifier extends JwtVerifierBase with WithExecuteUnsafe

    A JWK verifier, where the public keys are automatically fetched from the given JWKS URL.

    In JWKS, each key ID uniquely identifies a public key. The keys are kept in cache, in order to prevent having to do a remote network access for each token validation.

    The cache is limited both in size and time. A size limit protects against infinitely growing memory consumption. A time limit is a safety catch for the case where a public key is used to sign a token without an expiration time and then is revoked.

  22. trait JwtVerifierLoader extends AnyRef
  23. final case class NoOpOngoingAuthorizationFactory() extends OngoingAuthorizationFactory with Product with Serializable
  24. trait OngoingAuthorizationFactory extends AnyRef
  25. sealed trait RequiredClaim[Req] extends Product with Serializable
  26. class UserConfigAuthService extends AuthServiceJWTBase

Value Members

  1. object AccessLevel extends Serializable
  2. object AuthInterceptor
  3. object AuthServiceJWT
  4. object AuthServiceWildcard extends AuthService

    An AuthService that authorizes all calls by always returning a wildcard ClaimSet.Claims.

  5. object AuthorizationChecksErrors extends AuthorizationChecksErrorGroup
    Annotations
    @Explanation(explanation = "Authentication and authorization errors.")
  6. object AuthorizationError
  7. object AuthorizedUser extends Serializable
  8. object CachedJwtVerifierLoader
  9. object CantonAdminToken extends Serializable
  10. case object ClaimActAsAnyParty extends Claim with Product with Serializable

    Authorized to act as any party, including:

    • Reading all data for all parties
    • Creating contracts on behalf of any party
    • Exercising choices on behalf of any party
  11. case object ClaimAdmin extends Claim with Product with Serializable

    Authorized to use all admin services. Does not authorize to use non-admin services.

  12. case object ClaimIdentityProviderAdmin extends Claim with Product with Serializable

    Authorized to use admin services for the configured identity provider. Does not authorize to use non-admin services.

  13. case object ClaimPublic extends Claim with Product with Serializable

    Authorized to use all "public" services, i.e., those that do not require admin rights and do not depend on any Daml party. Examples include the VersionService or the PackageService.

  14. case object ClaimReadAsAnyParty extends Claim with Product with Serializable

    Authorized to read all data as any party on the participant.

    Does NOT authorize to issue commands.

  15. object ClaimSet
  16. object GrpcAuthInterceptor
  17. object JwksVerifier
  18. object RequiredClaim extends Serializable
  19. case object RequiringAdminClaimResolver extends ClaimResolver with Product with Serializable