oioidwsrest

package module

v1.1.20 Latest Latest Go to latest Published: Jun 29, 2022 License: Apache-2.0 Imports: 29 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/KvalitetsIT/gooioidwsrest

Links

Open Source Insights

README ¶

kvalitetsit/gooioidwsrest

Er et Docker image, der indeholder implementationer af hhv

Web Service Consumer (WSC)
Web Service Producer (WSP) For sikkerhedsprotokollen OIO IDWS REST

Både WSC og WSP er lavet som moduler til open source web serveren Caddy. Til caching af hhv. tokens og sessions anvendes MongoDb.

Konfiguration

konfigureres som dokumenteret i vejledningerne til Caddy dvs. med en konfigurationsfil V2: Config from Scratch Caddy config For at gøre konfigurationen lettere kan du anvende imaget kvalitetsit/gooioidwsrest-templates til at generere en passende konfigurationsfil for hhv WSC og WSP.

Varibelnavn	Beskrivelse	Eksempel
TEMPLATE_FILE	Den template, der ønskes benyttet til genereringen	/caddyfiletemplates/Caddyfile-wsc-nosessiondata
CADDYFILE	Outputfil for den genererede Caddyfile	/output/Caddyfile-test

For WSC findes to forskellige templates:

/caddyfiletemplates/Caddyfile-wsc: En WSC der er placeret bagved en WSP (hvor den skal hente session data i forbindelse med trækning/veksling af SAML tokens)
/caddyfiletemplates/Caddyfile-wsc-nosessiondata: En "standalone" WSC (dvs uden WSC_SESSION_DATA_URL)

For WSP kan denne template anvendes:

/caddyfiletemplates/Caddyfile-wsp: En WSP

Konfiguration af WSC

Til genereringen af konfigurationfil for WSC skal følgende ENV variable sættes:

Varibelnavn	Beskrivelse	Eksempel
LISTEN_PORT	Den HTTP port, som containeren skal lytte på	8080
MONGO_HOST	Hostnavn for MongoDb	mongodb
MONGO_DATABASE	Databasenavn for MongoDb	wsc_tokens
WSC_STS_URL	URL, der udpeger STS Issue endpoint	https://www.myorg.dk/sts/service/sts
WSC_SERVICE_AUDIENCE	Audience, der bedes om i forhold til STS'ens udstedelse af SAML tokens	urn:kit:testa:servicea
WSC_CLIENT_CERTIFICATE_FILE	Fil, der udpeger klientens certifikat	/config/client.cer
WSC_CLIENT_KEY_FILE	Fil, der udpeger klientens private nøgle	/config/client.key
WSC_TRUST_CERT_FILES	Liste af filer med certifikater, der skal trustes (typisk STS certifikat og evt. SSL certifikater	"/wsc/trust/sts.cer", "/wsc/trust/testssl.cer"
WSC_SERVICE_ENDPOINT_HOST	Hostnavnet på den service, som WSC ønsker at gøre brug af	servicea.myorg.dk
WSC_SERVICE_ENDPOINT_PORT	Porten, som servicen, som WSC ønsker at gøre brug af, lytter på	443
WSC_SERVICE_ENDPOINT_CONTEXT	Context for servicen, som WSC ønsker at gøre brug af (kan være tom)	servicea
WSC_SESSION_DATA_URL	Den url, hvor WSC kan hente sessionsdata (for setups, hvor WSC er placeret i forbindelse med en WSP)	https://testservicea
WSC_CLIENT_LOGLEVEL	Log level for Caddy moduler	info, debug osv

For et eksempel (med docker-compose), der både anvender generering af konfigurationsfil for WSC og sætter WSC op med den genererede konfiguration, se: docker-compose setup med generering af konfigurationsfil for en WSC

Konfiguration af WSP

Til genereringen af konfigurationfil for WSP skal følgende ENV variable sættes:

Varibelnavn	Beskrivelse	Eksempel
LISTEN_PORT	Den HTTP port, som containeren skal lytte på	8080
MONGO_HOST	Hostnavn for MongoDb	mongodb
MONGO_DATABASE	Databasenavn for MongoDb	wsc_tokens
SSL_HOST_NAME	WSP hostname	servicea.myorg.dk
WSP_SSL_CERTIFICATE_FILE	Filnavn, der udpeger WSP SSL certifikat	/ssl/testserviceaa-ssl.crt
WSP_SSL_KEY_FILE	Filnavn, der udpeger WSP SSL private nøgle	/ssl/testserviceaa-ssl.key
WSP_BACKEND_HOST	Hostnavn på den service, som WSP beskytter	localhost
WSP_BACKEND_PORT	Port for den service, som WSP beskytter	8080
WSP_AUDIENCE_RESTRICTION	Audience, som WSP skal verificere	urn:kit:testa:servicea
WSP_TRUST_CERT_FILES	Liste af filer med certifikater, der skal trustes (typisk STS certifikat og evt. SSL certifikater	"/wsc/trust/sts.cer"
WSP_CLIENT_LOGLEVEL	Log level for Caddy moduler	info, debug osv

For et eksempel (med docker-compose), der både anvender generering af konfigurationsfil for WSP og sætter WSP op med den genererede konfiguration, se: docker-compose setup med generering af konfigurationsfil for en WSP

Anvendelse

Anvendelse af WSC

Når oioidwsrestwsc er startet op kan den danne en proxy foran et sikret API, hvor sikkerhed håndteres. Hvis man fra anvendersiden har brug for at påvirke token udstedelsen med extra claims kan disse sendes til oioidwsrestwsc i en optionel HTTP header:

	X-Claims værdi

Værdien af HTTP headeren forventes at være en base64 encoded streng f.eks:

WwoJeyAia2V5IjogInVybjp1c2Vycm9sZSIsICJ2YWx1ZSI6ICJhZG1pbiJ9LAoJeyAia2V5IjogInVybjplbWFpbCIsICJ2YWx1ZSI6ICJhZG1pbkBhZG1pbi5kayJ9Cl0=

Strukturen af værdien (decoded er som følger):

[
  { "key": "urn:userrole", "value": "admin"},
  { "key": "urn:email", "value": "admin@admin.dk"}
]

Således sendes en liste af key+value par, hvor key definerer navnet på claimen og value definerer værdien.

Documentation ¶

Index ¶

Constants
func AddExtraClaimsToSessionData(sessionId string, sessionData *securityprotocol.SessionData, r *http.Request) (*securityprotocol.SessionData, error)
func CreateCaCertPool(trustCertFiles []string) *x509.CertPool
func GetExpiryDate(expiresInSeconds int64) time.Time
func ResponseWithSuccessfulAuth(w http.ResponseWriter, sessionData *securityprotocol.SessionData, ...) (int, error)
type AuthenticatedAssertion
- func (a AuthenticatedAssertion) GetAssertion() *types.Assertion
type Claim
type OioIdwsRestAuthResponse
- func CreateOioIdwsRestAuthResponseFromHttpReponse(authResponse *http.Response, logger *zap.SugaredLogger) (*OioIdwsRestAuthResponse, error)
type OioIdwsRestAuthenticationInfo
- func CreateAuthenticatonRequestInfoFromReponse(authResponse *http.Response, logger *zap.SugaredLogger) (*OioIdwsRestAuthenticationInfo, error)
type OioIdwsRestClientAuthentification
type OioIdwsRestDecorateRequestWithAuthenticationToken
type OioIdwsRestHttpProtocolClient
- func NewOioIdwsRestHttpProtocolClient(config OioIdwsRestHttpProtocolClientConfig, ...) *OioIdwsRestHttpProtocolClient
- func (client OioIdwsRestHttpProtocolClient) GetEncodedTokenFromSts(sessionId string, decodedToken []byte, claims map[string]string) (string, error)
- func (client OioIdwsRestHttpProtocolClient) Handle(w http.ResponseWriter, r *http.Request) (int, error)
- func (client OioIdwsRestHttpProtocolClient) HandleService(w http.ResponseWriter, r *http.Request, service securityprotocol.HttpHandler) (int, error)
- func (client OioIdwsRestHttpProtocolClient) HandleServiceWithCallback(w http.ResponseWriter, r *http.Request, service securityprotocol.HttpHandler) (int, error, *func())
type OioIdwsRestHttpProtocolClientConfig
type OioIdwsRestHttpProtocolServerConfig
type OioIdwsRestWsp
- func NewOioIdwsRestWsp(sessionCache securityprotocol.SessionCache, ...) *OioIdwsRestWsp
- func NewOioIdwsRestWspFromConfig(config *OioIdwsRestHttpProtocolServerConfig, ...) *OioIdwsRestWsp
- func (a OioIdwsRestWsp) Handle(w http.ResponseWriter, r *http.Request) (int, error)
- func (a OioIdwsRestWsp) HandleService(w http.ResponseWriter, r *http.Request, service securityprotocol.HttpHandler) (int, error)
type TokenAuthenticator
- func NewTokenAuthenticator(audienceRestriction string, certPaths []string, validateSamlConstraints bool, ...) *TokenAuthenticator
- func (t TokenAuthenticator) Authenticate(clientCert *x509.Certificate, r *http.Request) (string, *AuthenticatedAssertion, error)
- func (t TokenAuthenticator) ParseAndValidateAuthenticationRequestPayload(body string, clientCert *x509.Certificate) (string, *AuthenticatedAssertion, error)

Constants ¶

View Source

const HEADER_AUTHORIZATION = "Authorization"

View Source

const HEADER_WWW_AUTHENTICATE = "WWW-Authenticate"

View Source

const HTTP_HEADER_X_CLAIMS = "X-Claims"

View Source

const OIO_IDWS_REST_TOKEN_TYPE_BEARER = "Bearer"

View Source

const OIO_IDWS_REST_TOKEN_TYPE_HOLDER_OF_KEY = "Holder-of-key"

Variables ¶

This section is empty.

Functions ¶

func AddExtraClaimsToSessionData ¶

func AddExtraClaimsToSessionData(sessionId string, sessionData *securityprotocol.SessionData, r *http.Request) (*securityprotocol.SessionData, error)

func CreateCaCertPool ¶

func CreateCaCertPool(trustCertFiles []string) *x509.CertPool

func GetExpiryDate ¶ added in v1.1.15

func GetExpiryDate(expiresInSeconds int64) time.Time

func ResponseWithSuccessfulAuth ¶

func ResponseWithSuccessfulAuth(w http.ResponseWriter, sessionData *securityprotocol.SessionData, logger *zap.SugaredLogger) (int, error)

Types ¶

type AuthenticatedAssertion ¶

type AuthenticatedAssertion struct {
	// contains filtered or unexported fields
}

func (AuthenticatedAssertion) GetAssertion ¶

func (a AuthenticatedAssertion) GetAssertion() *types.Assertion

type Claim ¶

type Claim struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

type OioIdwsRestAuthResponse ¶

type OioIdwsRestAuthResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int64  `json:"expires_in"`
}

func CreateOioIdwsRestAuthResponseFromHttpReponse ¶

func CreateOioIdwsRestAuthResponseFromHttpReponse(authResponse *http.Response, logger *zap.SugaredLogger) (*OioIdwsRestAuthResponse, error)

type OioIdwsRestAuthenticationInfo ¶

type OioIdwsRestAuthenticationInfo struct {
	Token     string
	ExpiresIn int64
}

func CreateAuthenticatonRequestInfoFromReponse ¶

func CreateAuthenticatonRequestInfoFromReponse(authResponse *http.Response, logger *zap.SugaredLogger) (*OioIdwsRestAuthenticationInfo, error)

type OioIdwsRestClientAuthentification ¶

type OioIdwsRestClientAuthentification func(http.ResponseWriter, *http.Request, *securityprotocol.SessionData) (*OioIdwsRestAuthenticationInfo, int, error)

type OioIdwsRestDecorateRequestWithAuthenticationToken ¶

type OioIdwsRestDecorateRequestWithAuthenticationToken func(tokenData *securityprotocol.TokenData, r *http.Request) error

type OioIdwsRestHttpProtocolClient ¶

type OioIdwsRestHttpProtocolClient struct {
	Logger *zap.SugaredLogger
	// contains filtered or unexported fields
}

func NewOioIdwsRestHttpProtocolClient ¶

func NewOioIdwsRestHttpProtocolClient(config OioIdwsRestHttpProtocolClientConfig, tokenCache securityprotocol.TokenCache, logger *zap.SugaredLogger) *OioIdwsRestHttpProtocolClient

func (OioIdwsRestHttpProtocolClient) GetEncodedTokenFromSts ¶

func (client OioIdwsRestHttpProtocolClient) GetEncodedTokenFromSts(sessionId string, decodedToken []byte, claims map[string]string) (string, error)

func (OioIdwsRestHttpProtocolClient) Handle ¶

func (client OioIdwsRestHttpProtocolClient) Handle(w http.ResponseWriter, r *http.Request) (int, error)

func (OioIdwsRestHttpProtocolClient) HandleService ¶

func (client OioIdwsRestHttpProtocolClient) HandleService(w http.ResponseWriter, r *http.Request, service securityprotocol.HttpHandler) (int, error)

func (OioIdwsRestHttpProtocolClient) HandleServiceWithCallback ¶ added in v1.1.15

func (client OioIdwsRestHttpProtocolClient) HandleServiceWithCallback(w http.ResponseWriter, r *http.Request, service securityprotocol.HttpHandler) (int, error, *func())

type OioIdwsRestHttpProtocolClientConfig ¶

type OioIdwsRestHttpProtocolClientConfig struct {
	SessionHeaderName string

	UseKombitVersion bool

	StsUrl         string
	TrustCertFiles []string

	ClientCertFile string
	ClientKeyFile  string

	ServiceAudience      string
	ServiceEndpoint      string
	ServiceTokenEndpoint string

	SessionDataFetcher securityprotocol.SessionDataFetcher

	Service securityprotocol.HttpHandler
	// contains filtered or unexported fields
}

type OioIdwsRestHttpProtocolServerConfig ¶

type OioIdwsRestHttpProtocolServerConfig struct {
	TrustCertFiles []string

	AudienceRestriction string

	Service securityprotocol.HttpHandler

	HoK bool

	SessiondataHeaderName string

	ClientCertHandler func(req *http.Request) *x509.Certificate
}

type OioIdwsRestWsp ¶

type OioIdwsRestWsp struct {
	Service securityprotocol.HttpHandler

	HoK bool

	SessiondataHeaderName string

	ClientCertHandler func(req *http.Request) *x509.Certificate

	Logger *zap.SugaredLogger
	// contains filtered or unexported fields
}

func NewOioIdwsRestWsp ¶

func NewOioIdwsRestWsp(sessionCache securityprotocol.SessionCache, tokenAuthenticator *TokenAuthenticator, matchHandler *securityprotocol.MatchHandler, service securityprotocol.HttpHandler, clientCertHandler func(req *http.Request) *x509.Certificate, logger *zap.SugaredLogger) *OioIdwsRestWsp

func NewOioIdwsRestWspFromConfig ¶

func NewOioIdwsRestWspFromConfig(config *OioIdwsRestHttpProtocolServerConfig, sessionCache securityprotocol.SessionCache, logger *zap.SugaredLogger) *OioIdwsRestWsp

func (OioIdwsRestWsp) Handle ¶

func (a OioIdwsRestWsp) Handle(w http.ResponseWriter, r *http.Request) (int, error)

func (OioIdwsRestWsp) HandleService ¶

func (a OioIdwsRestWsp) HandleService(w http.ResponseWriter, r *http.Request, service securityprotocol.HttpHandler) (int, error)

type TokenAuthenticator ¶

type TokenAuthenticator struct {
	// contains filtered or unexported fields
}

func NewTokenAuthenticator ¶

func NewTokenAuthenticator(audienceRestriction string, certPaths []string, validateSamlConstraints bool, logger *zap.SugaredLogger) *TokenAuthenticator

func (TokenAuthenticator) Authenticate ¶

func (t TokenAuthenticator) Authenticate(clientCert *x509.Certificate, r *http.Request) (string, *AuthenticatedAssertion, error)

func (TokenAuthenticator) ParseAndValidateAuthenticationRequestPayload ¶

func (t TokenAuthenticator) ParseAndValidateAuthenticationRequestPayload(body string, clientCert *x509.Certificate) (string, *AuthenticatedAssertion, error)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL