vas

package module v0.0.0-...-9f00ac5

Warning: this package is not in the latest version of its module.

Published: May 25, 2021 License: MIT Imports: 8 Imported by: 0

README

A simple-ish server implementation for the Chrome Verified Access API. See also: the client API and setup guide.

Prerequisites: The server must already be authenticated via OAuth to Google and have the https://www.googleapis.com/auth/verifiedaccess scope. Additionally, the user corresponding to the OAuth token must be configured under "Service accounts that are allowed to receive device ID" and/or "Service accounts that are allowed to receive user data" in Google Admin. Read the setup guide.

The exchange goeth thusly:

  • The server gets a challenge string by calling GetChallenge().
  • This string is passed to the client.
  • The string is deserialized into an ArrayBuffer. See util.js for a function to do this.
  • Your extension passes the array buffer to chrome.enterprise.platformKeys.challengeMachineKey or chrome.enterprise.platformKeys.challengeUserKey.
  • An ArrayBuffer is returned to your callback function.
  • This array buffer is serialized to a string. See util.js for a function to do this.
  • This string is passed to the server.
  • The server calls VerifyResponse(), optionally specifying the expected identity of the client.

This entire exchange must take place in less than 60 seconds.

You might have noticed that the Google-recommended flow has the client requesting a challenge from Google directly. We don't do that.

Here is an example of what the client-side code might look like:

// The challenge argument is the base64 string the server got from GetChallenge();
// deserializeArrayBuffer() and serializeArrayBuffer() are the helpers in util.js.
chrome.enterprise.platformKeys.challengeUserKey(
	deserializeArrayBuffer('p6qOaLxKAAmFup8HRDYex08i...'),
	false, // registerKey: only sign the challenge, do not register a new key
	// The serialized response string is what the server passes to VerifyResponse().
	resp => console.log(serializeArrayBuffer(resp)),
)
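The server side of the exchange above, as an added example that is not the vas package's own code. Google's verify call only sees the response and the expected identity; it does not know which of your sessions asked for the challenge, so the server has to keep that binding itself. This example programs against an interface with the same method signatures as VAS (taken from the documentation below), remembers when each session was issued a challenge, consumes the challenge on first use and refuses responses older than the 60-second window before spending an API call. The fakeVAS stub, the "example.com" identity and the session IDs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Exchanger is the subset of the vas.VAS API this example depends on. It is
// declared here so the example compiles without the vas module, a Google OAuth
// client or network access; a real *vas.VAS satisfies it by the documented
// signatures of GetChallenge and VerifyResponse.
type Exchanger interface {
	GetChallenge() (string, error)
	VerifyResponse(respFromChromebook, expectedIdentity string) (deviceID string, err error)
}

// challengeWindow is the documented limit: the whole exchange must finish in
// under 60 seconds, so stale responses are refused locally instead of being
// spent on a verify call that will fail anyway.
const challengeWindow = 60 * time.Second

var (
	ErrNoChallenge = errors.New("no outstanding challenge for this session")
	ErrExpired     = errors.New("challenge is older than 60 seconds")
)

// Server remembers which session was handed a challenge and when, so a response
// is accepted once only, from the session that asked, inside the window.
type Server struct {
	vas      Exchanger
	expected string // identity every client must prove: your domain (device) or a user's email (user)
	now      func() time.Time
	mu       sync.Mutex
	issued   map[string]time.Time // session ID -> time the challenge was issued
}

func NewServer(vas Exchanger, expectedIdentity string) *Server {
	return &Server{vas: vas, expected: expectedIdentity, now: time.Now, issued: map[string]time.Time{}}
}

// Issue fetches a fresh challenge for the session and records the issue time.
// Re-issuing replaces any earlier challenge for the same session.
func (s *Server) Issue(sessionID string) (string, error) {
	ch, err := s.vas.GetChallenge()
	if err != nil {
		return "", fmt.Errorf("get challenge: %w", err)
	}
	s.mu.Lock()
	s.issued[sessionID] = s.now()
	s.mu.Unlock()
	return ch, nil
}

// Verify consumes the session's outstanding challenge (so a captured response
// cannot be presented twice), rejects it if stale, and only then asks Google.
func (s *Server) Verify(sessionID, respFromChromebook string) (string, error) {
	s.mu.Lock()
	at, ok := s.issued[sessionID]
	delete(s.issued, sessionID)
	s.mu.Unlock()
	if !ok {
		return "", ErrNoChallenge
	}
	if s.now().Sub(at) >= challengeWindow {
		return "", ErrExpired
	}
	return s.vas.VerifyResponse(respFromChromebook, s.expected)
}

// fakeVAS is a constructed stand-in for vas.VAS so the flow runs offline. It
// never talks to Google: it numbers challenges and "verifies" by echoing.
type fakeVAS struct{ count int }

func (f *fakeVAS) GetChallenge() (string, error) {
	f.count++
	return fmt.Sprintf("challenge-%d", f.count), nil
}

func (f *fakeVAS) VerifyResponse(resp, expectedIdentity string) (string, error) {
	if expectedIdentity != "example.com" {
		return "", errors.New("identity mismatch")
	}
	return "device-id-for-" + resp, nil
}

func main() {
	s := NewServer(&fakeVAS{}, "example.com")
	ch, _ := s.Issue("session-1")
	fmt.Println("challenge for client:", ch)
	id, err := s.Verify("session-1", "signed-response-from-chromebook")
	fmt.Println("device ID:", id, "err:", err)
	_, err = s.Verify("session-1", "signed-response-from-chromebook") // replay of the same response
	fmt.Println("replay:", err)
}
```

In a real deployment the session ID comes from your existing session cookie, Issue backs the endpoint the extension calls for its challenge, and Verify backs the endpoint it posts the serialized response to.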

Documentation

Overview

VAS is a simple implementation of the Chrome Verified Access API, which does not support the certificate flow. Pay special attention to https://support.google.com/chrome/a/answer/7156268 when setting this up. There are several things you have to configure in user settings, device settings, and extension settings.

Types

type SignedData

type SignedData struct {
	Data      []byte `protobuf:"bytes,1,opt,name=data,proto3" json:"data,omitempty"`
	Signature []byte `protobuf:"bytes,2,opt,name=signature,proto3" json:"signature,omitempty"`
	// contains filtered or unexported fields
}

func (*SignedData) Descriptor deprecated

func (*SignedData) Descriptor() ([]byte, []int)

Deprecated: Use SignedData.ProtoReflect.Descriptor instead.

func (*SignedData) GetData

func (x *SignedData) GetData() []byte

func (*SignedData) GetSignature

func (x *SignedData) GetSignature() []byte

func (*SignedData) ProtoMessage

func (*SignedData) ProtoMessage()

func (*SignedData) ProtoReflect

func (x *SignedData) ProtoReflect() protoreflect.Message

func (*SignedData) Reset

func (x *SignedData) Reset()

func (*SignedData) String

func (x *SignedData) String() string

type VAS

type VAS struct {
	// contains filtered or unexported fields
}

VAS represents authentication information necessary to make calls to the Chrome Verified Access Service.

func NewFromChallengeService

func NewFromChallengeService(cs *verifiedaccess.ChallengeService) VAS

NewFromChallengeService returns a VAS from a verifiedaccess.ChallengeService you construct yourself. This allows you to use an API key if you want, though note that it appears API key authenticated clients can only create and not verify requests.

func NewFromOAuthClient

func NewFromOAuthClient(c *http.Client) (VAS, error)

NewFromOAuthClient is probably the easiest way to create a VAS. Get an OAuth client by calling `.Client()` on an `oauth2.Config` struct. You can find many examples of how to do this online, as this is a common flow for using any Google API.

func (VAS) GetChallenge

func (vas VAS) GetChallenge() (string, error)

GetChallenge returns a base64 encoded string which should be deserialized into an ArrayBuffer (see util.js) and passed to chrome.enterprise.platformKeys.challengeMachineKey or chrome.enterprise.platformKeys.challengeUserKey.

func (VAS) VerifyResponse

func (vas VAS) VerifyResponse(
	respFromChromebook string, expectedIdentity string,
) (
	deviceID string, err error,
)

VerifyResponse verifies a serialized ArrayBuffer response from chrome.enterprise.platformKeys.challengeMachineKey or chrome.enterprise.platformKeys.challengeUserKey. If verifying a user, put the expected email address of the user in the `expectedIdentity` field. If verifying a device, you may put the domain in the `expectedIdentity` field, though this is optional. If verifying a device, the device's device ID is returned as a string. Failures of any kind (authentication failures or application issues) are returned as errors.
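What sits inside the strings GetChallenge hands out and VerifyResponse takes back, as an added example that is not the package's own code. It assumes that both strings are standard base64 of the serialized SignedData protobuf message documented above (field 1 = data, field 2 = signature), which is the shape challengeMachineKey and challengeUserKey consume and produce, and that the Verified Access REST API exchanges the same message as JSON with base64 fields. The wire codec is hand-rolled here so the example needs no protobuf library; the "hello"/"sig" values and the user email are constructed inputs.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// SignedData mirrors the two bytes fields of the documented type. Both are
// length-delimited (protobuf wire type 2), with tags 1 and 2.
type SignedData struct {
	Data      []byte
	Signature []byte
}

func appendUvarint(b []byte, v uint64) []byte {
	var buf [binary.MaxVarintLen64]byte
	n := binary.PutUvarint(buf[:], v)
	return append(b, buf[:n]...)
}

// Marshal encodes the message in protobuf wire format: for each non-empty
// field, a tag varint (field<<3 | 2), a length varint, then the bytes.
func (m SignedData) Marshal() []byte {
	var out []byte
	for i, v := range [][]byte{m.Data, m.Signature} {
		if len(v) == 0 {
			continue // proto3 omits empty bytes fields
		}
		out = appendUvarint(out, uint64(i+1)<<3|2)
		out = appendUvarint(out, uint64(len(v)))
		out = append(out, v...)
	}
	return out
}

// Unmarshal decodes the wire format, skipping unknown length-delimited fields
// and rejecting anything else. Both fields must be present: a response with no
// signature can never verify, so it is refused before any API call.
func Unmarshal(b []byte) (SignedData, error) {
	var m SignedData
	for len(b) > 0 {
		tag, n := binary.Uvarint(b)
		if n <= 0 {
			return m, errors.New("malformed field tag")
		}
		b = b[n:]
		field, wire := tag>>3, tag&7
		if wire != 2 {
			return m, fmt.Errorf("field %d: unsupported wire type %d", field, wire)
		}
		l, n := binary.Uvarint(b)
		if n <= 0 || l > uint64(len(b)-n) {
			return m, errors.New("malformed field length")
		}
		b = b[n:]
		v := b[:l]
		b = b[l:]
		switch field {
		case 1:
			m.Data = v
		case 2:
			m.Signature = v
		}
	}
	if len(m.Data) == 0 || len(m.Signature) == 0 {
		return m, errors.New("SignedData needs both data and signature")
	}
	return m, nil
}

// ChallengeToWire is the packing step a GetChallenge implementation needs: the
// REST API returns a JSON SignedData with base64 fields, but the Chrome API
// wants the serialized message, delivered to the client as one base64 string.
func ChallengeToWire(dataB64, sigB64 string) (string, error) {
	data, err := base64.StdEncoding.DecodeString(dataB64)
	if err != nil {
		return "", fmt.Errorf("challenge data: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return "", fmt.Errorf("challenge signature: %w", err)
	}
	return base64.StdEncoding.EncodeToString(SignedData{Data: data, Signature: sig}.Marshal()), nil
}

// verifyRequest is the JSON body of the REST verify call: the device's
// SignedData with base64 fields plus the identity the caller expects.
type verifyRequest struct {
	ChallengeResponse struct {
		Data      string `json:"data"`
		Signature string `json:"signature"`
	} `json:"challengeResponse"`
	ExpectedIdentity string `json:"expectedIdentity,omitempty"`
}

// BuildVerifyRequest is the unpacking step a VerifyResponse implementation
// needs: decode the client's string, split it into data/signature, and
// re-encode each field for the JSON API alongside expectedIdentity.
func BuildVerifyRequest(respFromChromebook, expectedIdentity string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(respFromChromebook)
	if err != nil {
		return nil, fmt.Errorf("response is not base64: %w", err)
	}
	sd, err := Unmarshal(raw)
	if err != nil {
		return nil, fmt.Errorf("response is not a SignedData message: %w", err)
	}
	var req verifyRequest
	req.ChallengeResponse.Data = base64.StdEncoding.EncodeToString(sd.Data)
	req.ChallengeResponse.Signature = base64.StdEncoding.EncodeToString(sd.Signature)
	req.ExpectedIdentity = expectedIdentity
	return json.Marshal(&req)
}

func main() {
	wire, _ := ChallengeToWire("aGVsbG8=", "c2ln") // constructed, not a real Google challenge
	fmt.Println("string for the client:", wire)
	body, err := BuildVerifyRequest(wire, "user@example.com")
	fmt.Println(string(body), err)
}
```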
