gcp

package
Version: v1.3.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 25, 2020 License: Apache-2.0 Imports: 25 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

View Source
var Issuers = map[string]bool{
	"accounts.google.com":         true,
	"https://accounts.google.com": true,
}

Issuers contains the known Google account issuers for identity tokens.

Functions

func GetDefaultEmail

func GetDefaultEmail(ctx context.Context, addr string, hc *http.Client) (string, error)

GetDefaultEmail is a helper method for users on GCE or the 2nd generation GAE environment.

func IAMClaimsDecoderFunc

func IAMClaimsDecoderFunc(_ context.Context, b []byte) (auth.ClaimSetter, error)

IAMClaimsDecoderFunc is an auth.ClaimsDecoderFunc for GCP identity tokens.

func IAMVerifyFunc

func IAMVerifyFunc(vf func(ctx context.Context, cs IAMClaimSet) bool) auth.VerifyFunc

IAMVerifyFunc auth.VerifyFunc wrapper around the IAMClaimSet.

func IdentityClaimsDecoderFunc

func IdentityClaimsDecoderFunc(_ context.Context, b []byte) (auth.ClaimSetter, error)

IdentityClaimsDecoderFunc is an auth.ClaimsDecoderFunc for GCP identity tokens.

func IdentityVerifyFunc

func IdentityVerifyFunc(vf func(ctx context.Context, cs IdentityClaimSet) bool) auth.VerifyFunc

IdentityVerifyFunc auth.VerifyFunc wrapper around the IdentityClaimSet.

func NewDefaultIAMVerifier

func NewDefaultIAMVerifier(ctx context.Context, cfg IAMConfig, clientFunc func(context.Context) *http.Client) (*auth.Verifier, error)

NewDefaultIAMVerifier will verify tokens that have the same default service account as the server running this verifier.

func NewDefaultIdentityVerifier added in v0.3.2

func NewDefaultIdentityVerifier(ctx context.Context, cfg IdentityConfig) (*auth.Verifier, error)

NewDefaultIdentityVerifier will verify tokens that have the same default service account as the server running this verifier.

func NewIAMPublicKeySource

func NewIAMPublicKeySource(ctx context.Context, cfg IAMConfig, clientFunc func(context.Context) *http.Client) (auth.PublicKeySource, error)

NewIAMPublicKeySource returns a PublicKeySource that uses the Google IAM service for fetching public keys of a given service account. The function for returning an HTTP client is to allow 1st generation App Engine users to lean on urlfetch.

func NewIAMTokenSource

func NewIAMTokenSource(ctx context.Context, cfg IAMConfig) (oauth2.TokenSource, error)

NewIAMTokenSource returns an oauth2.TokenSource that uses Google's IAM services to sign a JWT with the default service account and the given audience. Users should use the Identity token source if they can. This client is meant to be used as a bridge for users as they transition from the 1st generation App Engine runtime to the 2nd generation. This implementation can be used in the 2nd gen runtime as it can reuse an http.Client.

func NewIdentityPublicKeySource

func NewIdentityPublicKeySource(ctx context.Context, cfg IdentityConfig) (auth.PublicKeySource, error)

NewIdentityPublicKeySource fetches Google's public oauth2 certificates to be used with the auth.Verifier tool.

func NewIdentityTokenSource

func NewIdentityTokenSource(cfg IdentityConfig) (oauth2.TokenSource, error)

NewIdentityTokenSource will use the GCP metadata services to generate GCP Identity tokens. More information on asserting GCP identities can be found here: https://cloud.google.com/compute/docs/instances/verifying-instance-identity

func ValidIAMClaims

func ValidIAMClaims(cs IAMClaimSet, audience string) bool

ValidIAMClaims ensures the token audience issuers matches expectations.

func ValidIdentityClaims

func ValidIdentityClaims(cs IdentityClaimSet, audience string) bool

ValidIdentityClaims ensures the token audience and issuers match expectations.

func VerifyIAMEmails

func VerifyIAMEmails(ctx context.Context, emails []string, audience string) auth.VerifyFunc

VerifyIAMEmails is an auth.VerifyFunc that ensures IAMClaimSets are valid and have the expected email and audience in their payload.

func VerifyIdentityEmails

func VerifyIdentityEmails(ctx context.Context, emails []string, audience string) auth.VerifyFunc

VerifyIdentityEmails is an auth.VerifyFunc that ensures IdentityClaimSets are valid and have the expected email and audience in their payload.

Types

type Authenticator added in v1.3.0

type Authenticator struct {
	// contains filtered or unexported fields
}

Authenticator leans on Google's OAuth user flow to capture a Google Identity JWS and use it in a local, short lived HTTP cookie. The `Middleware` function manages login redirects, OAuth callbacks, dropping the HTTP cookie and adding the JWS claims information to the request context. User information and the JWS token can be retrieved from the context via GetInfo function. The Authenticator can also be used for checking service-to-service authentication via an Authorization header containing a Google Identity JWS, which can be generated using this package's IdentityTokenSource. The user state in the web login flow is encrypted using Google KMS. Ensure the service account being used has permissions to encrypt and decrypt.

func NewAuthenticator added in v1.3.0

func NewAuthenticator(ctx context.Context, cfg AuthenticatorConfig) (Authenticator, error)

NewAuthenticator will instantiate a new Authenticator, which can be used for verifying a number of authentication styles within the Google Cloud Platform ecosystem.

func (Authenticator) LogOut added in v1.3.0

func (c Authenticator) LogOut(w http.ResponseWriter)

LogOut can be used to clear an existing session. It will add an HTTP cookie with a -1 "MaxAge" to the response to remove the cookie from the logged in user's browser.

func (Authenticator) Middleware added in v1.3.0

func (c Authenticator) Middleware(h http.Handler) http.Handler

Middleware will handle login redirects, OAuth callbacks, header exceptions, custom exceptions, verifying inbound Google ID or IAM JWS' within HTTP cookies or Authorization headers and, if the user passes all checks, it will add the user claims to the inbound request context.

type AuthenticatorConfig added in v1.3.0

type AuthenticatorConfig struct {
	// CookieName will be used for the local HTTP cookie name.
	CookieName string

	// KMSKeyName is used by a Google KMS client for encrypting and decrypting state
	// tokens within the oauth exchange.
	KMSKeyName string
	// UnsafeState can be used to skip the encryption of the "state" token
	// within the auth flow.
	UnsafeState bool

	// AuthConfig is used by Authenticator.Middleware and callback to enable the
	// Google OAuth flow.
	AuthConfig *oauth2.Config

	// HeaderExceptions can optionally be included. Any requests that include any of
	// the headers included will skip all Authenticator.Middlware checks and no
	// claims information will be added to the context.
	// This can be useful for unspoofable headers like Google App Engine's
	// "X-AppEngine-*" headers for Google Task Queues.
	HeaderExceptions []string

	// CustomExceptionsFunc allows any custom exceptions based on the request. For
	// example, looking for specific URIs.  Return true if should be allowed.  If
	// false is returned, normal cookie-based authentication happens.
	CustomExceptionsFunc func(context.Context, *http.Request) bool

	// IDConfig will be used to verify the Google Identity JWS when it is inbound
	// in the HTTP cookie.
	IDConfig IdentityConfig
	// IDVerifyFunc allows developers to add their own verification on the user
	// claims. For example, one could enable access for anyone with an email domain
	// of "@example.com".
	IDVerifyFunc func(context.Context, IdentityClaimSet) bool

	// Logger will be used to log any errors encountered during the auth flow.
	Logger log.Logger
}

AuthenticatorConfig encapsulates the needs of the Authenticator.

type ContextTokenSource

type ContextTokenSource interface {
	ContextToken(context.Context) (*oauth2.Token, error)
}

ContextTokenSource is an oauth2.TokenSource that is capable of running on the 1st generation App Engine environment because it can create a urlfetch.Client from the given context.

func NewContextIAMTokenSource

func NewContextIAMTokenSource(ctx context.Context, cfg IAMConfig) (ContextTokenSource, error)

NewContextIAMTokenSource returns an oauth2.TokenSource that uses Google's IAM services to sign a JWT with the default service account and the given audience. Users should use the Identity token source if they can. This client is meant to be used as a bridge for users as they transition from the 1st generation App Engine runtime to the 2nd generation. This implementation can be used in the 1st gen runtime as it allows users to pass a context.Context while fetching the token. The context allows the implementation to reuse clients while changing out the HTTP client under the hood.

type IAMClaimSet

type IAMClaimSet struct {
	jws.ClaimSet

	// Email address of the default service account
	Email string `json:"email"`
}

IAMClaimSet contains just an email for service account identification.

func (IAMClaimSet) BaseClaims

func (s IAMClaimSet) BaseClaims() *jws.ClaimSet

BaseClaims implements the auth.ClaimSetter interface.

type IAMConfig

type IAMConfig struct {
	IAMAddress string `envconfig:"IAM_ADDR"` // optional, for testing

	Audience            string `envconfig:"IAM_AUDIENCE"`
	Project             string `envconfig:"IAM_PROJECT"`
	ServiceAccountEmail string `envconfig:"IAM_SERVICE_ACCOUNT_EMAIL"`

	// JSON contains the raw bytes from a JSON credentials file.
	// This field may be nil if authentication is provided by the
	// environment and not with a credentials file, e.g. when code is
	// running on Google Cloud Platform.
	JSON []byte
}

IAMConfig contains the information required for generating or verifying IAM JWTs.

type IdentityClaimSet

type IdentityClaimSet struct {
	jws.ClaimSet

	// Email address of the default service account (only exists on GAE 2nd gen?)
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`

	// Google metadata info (appears to only exist on GCE?)
	Google map[string]interface{} `json:"google"`
}

IdentityClaimSet holds all the expected values for the various versions of the GCP identity token. More details: https://cloud.google.com/compute/docs/instances/verifying-instance-identity#payload https://developers.google.com/identity/sign-in/web/backend-auth#calling-the-tokeninfo-endpoint

func GetUserClaims added in v1.3.0

func GetUserClaims(ctx context.Context) (IdentityClaimSet, error)

GetUserClaims will return the Google identity claim set if it exists in the context. This can be used in coordination with the Authenticator.Middleware.

func (IdentityClaimSet) BaseClaims

func (s IdentityClaimSet) BaseClaims() *jws.ClaimSet

BaseClaims implements the auth.ClaimSetter interface.

type IdentityConfig

type IdentityConfig struct {
	Audience string `envconfig:"ID_AUDIENCE"`

	CertURL string `envconfig:"ID_CERT_URL"` // optional override for public key source

	Client *http.Client // optional override

	MetadataAddress string `envconfig:"ID_METADATA_ADDR"` // optional override for token and email retrieval
}

IdentityConfig contains the information required for generating or verifying identity JWTs.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
t or T : Toggle theme light dark auto
y or Y : Canonical URL