gcp

package v1.2.8
Published: Jun 10, 2019 License: Apache-2.0 Imports: 18 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

var Issuers = map[string]bool{
	"accounts.google.com":         true,
	"https://accounts.google.com": true,
}

Issuers contains the known Google account issuers for identity tokens.

Functions

func GetDefaultEmail

func GetDefaultEmail(ctx context.Context, addr string, hc *http.Client) (string, error)

GetDefaultEmail is a helper method for users on GCE or the 2nd generation GAE environment.

func IAMClaimsDecoderFunc

func IAMClaimsDecoderFunc(_ context.Context, b []byte) (auth.ClaimSetter, error)

IAMClaimsDecoderFunc is an auth.ClaimsDecoderFunc for GCP identity tokens.

func IAMVerifyFunc

func IAMVerifyFunc(vf func(ctx context.Context, cs IAMClaimSet) bool) auth.VerifyFunc

IAMVerifyFunc is an auth.VerifyFunc wrapper around the IAMClaimSet.

func IdentityClaimsDecoderFunc

func IdentityClaimsDecoderFunc(_ context.Context, b []byte) (auth.ClaimSetter, error)

IdentityClaimsDecoderFunc is an auth.ClaimsDecoderFunc for GCP identity tokens.

func IdentityVerifyFunc

func IdentityVerifyFunc(vf func(ctx context.Context, cs IdentityClaimSet) bool) auth.VerifyFunc

IdentityVerifyFunc is an auth.VerifyFunc wrapper around the IdentityClaimSet.

func NewDefaultIAMVerifier

func NewDefaultIAMVerifier(ctx context.Context, cfg IAMConfig, clientFunc func(context.Context) *http.Client) (*auth.Verifier, error)

NewDefaultIAMVerifier will verify tokens that have the same default service account as the server running this verifier.

func NewDefaultIdentityVerifier added in v0.3.2

func NewDefaultIdentityVerifier(ctx context.Context, cfg IdentityConfig) (*auth.Verifier, error)

NewDefaultIdentityVerifier will verify tokens that have the same default service account as the server running this verifier.

func NewIAMPublicKeySource

func NewIAMPublicKeySource(ctx context.Context, cfg IAMConfig, clientFunc func(context.Context) *http.Client) (auth.PublicKeySource, error)

NewIAMPublicKeySource returns a PublicKeySource that uses the Google IAM service for fetching public keys of a given service account. The function for returning an HTTP client is to allow 1st generation App Engine users to lean on urlfetch.

func NewIAMTokenSource

func NewIAMTokenSource(ctx context.Context, cfg IAMConfig) (oauth2.TokenSource, error)

NewIAMTokenSource returns an oauth2.TokenSource that uses Google's IAM services to sign a JWT with the default service account and the given audience. Users should use the Identity token source if they can. This client is meant to be used as a bridge for users as they transition from the 1st generation App Engine runtime to the 2nd generation. This implementation can be used in the 2nd gen runtime as it can reuse an http.Client.

func NewIdentityPublicKeySource

func NewIdentityPublicKeySource(ctx context.Context, cfg IdentityConfig) (auth.PublicKeySource, error)

NewIdentityPublicKeySource fetches Google's public oauth2 certificates to be used with the auth.Verifier tool.

func NewIdentityTokenSource

func NewIdentityTokenSource(cfg IdentityConfig) (oauth2.TokenSource, error)

NewIdentityTokenSource will use the GCP metadata services to generate GCP Identity tokens. More information on asserting GCP identities can be found here: https://cloud.google.com/compute/docs/instances/verifying-instance-identity

func ValidIAMClaims

func ValidIAMClaims(cs IAMClaimSet, audience string) bool

ValidIAMClaims ensures the token audience and issuers match expectations.

func ValidIdentityClaims

func ValidIdentityClaims(cs IdentityClaimSet, audience string) bool

ValidIdentityClaims ensures the token audience and issuers match expectations.

func VerifyIAMEmails

func VerifyIAMEmails(ctx context.Context, emails []string, audience string) auth.VerifyFunc

VerifyIAMEmails is an auth.VerifyFunc that ensures IAMClaimSets are valid and have the expected email and audience in their payload.

func VerifyIdentityEmails

func VerifyIdentityEmails(ctx context.Context, emails []string, audience string) auth.VerifyFunc

VerifyIdentityEmails is an auth.VerifyFunc that ensures IdentityClaimSets are valid and have the expected email and audience in their payload.
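The claim checks documented above for ValidIdentityClaims (issuer and audience) and VerifyIdentityEmails (email allowlist) are reproduced in the following example. This is an added illustration, not code from the gcp package: the identityClaims struct stands in for IdentityClaimSet (which embeds jws.ClaimSet), the issuers map mirrors the package's Issuers variable, and the audience, email and payloads are constructed sample values. Signature verification is assumed to have already happened through auth.Verifier and the public key source; these checks only decide what a validly signed token is allowed to do.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
)

// issuers mirrors the package's Issuers variable: the two spellings Google
// uses in the "iss" claim of an identity token.
var issuers = map[string]bool{
	"accounts.google.com":         true,
	"https://accounts.google.com": true,
}

// identityClaims is a stand-in for gcp.IdentityClaimSet (which embeds
// jws.ClaimSet); only the claims the checks below read are modelled.
type identityClaims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}

// rejectReason applies the checks the package documents for
// ValidIdentityClaims (issuer and audience) and VerifyIdentityEmails
// (email allowlist). It returns "" when the claims pass and otherwise a
// short reason suitable for an audit log line.
func rejectReason(cs identityClaims, audience string, allowed map[string]bool) string {
	switch {
	case !issuers[cs.Iss]:
		return "unknown issuer"
	case cs.Aud != audience:
		return "audience mismatch"
	case !allowed[cs.Email]:
		return "email not allowed"
	}
	return ""
}

// verifyIdentityEmails returns a predicate shaped like the package's
// auth.VerifyFunc wrapper: true only when every check in rejectReason passes.
func verifyIdentityEmails(emails []string, audience string) func(context.Context, identityClaims) bool {
	allowed := make(map[string]bool, len(emails))
	for _, e := range emails {
		allowed[e] = true
	}
	return func(_ context.Context, cs identityClaims) bool {
		return rejectReason(cs, audience, allowed) == ""
	}
}

// decodeClaims parses a JWT payload whose signature has ALREADY been
// checked (the package's auth.Verifier does that with the public key
// source); claim checks never replace signature verification.
func decodeClaims(payload []byte) (identityClaims, error) {
	var cs identityClaims
	err := json.Unmarshal(payload, &cs)
	return cs, err
}

// Constructed sample payloads; the audience and email are hypothetical.
const (
	wantAudience = "https://api.example.com"
	goodPayload  = `{"iss":"https://accounts.google.com","aud":"https://api.example.com","email":"svc@example-project.iam.gserviceaccount.com","email_verified":true}`
	badAudience  = `{"iss":"accounts.google.com","aud":"https://other.example.com","email":"svc@example-project.iam.gserviceaccount.com","email_verified":true}`
	badIssuer    = `{"iss":"https://issuer.invalid","aud":"https://api.example.com","email":"svc@example-project.iam.gserviceaccount.com","email_verified":true}`
)

func main() {
	vf := verifyIdentityEmails([]string{"svc@example-project.iam.gserviceaccount.com"}, wantAudience)
	samples := map[string]string{"good": goodPayload, "bad-aud": badAudience, "bad-iss": badIssuer}
	for name, p := range samples {
		cs, err := decodeClaims([]byte(p))
		if err != nil {
			fmt.Println(name, "decode error:", err)
			continue
		}
		fmt.Printf("%-8s accepted=%v\n", name, vf(context.Background(), cs))
	}
}
```

The audience comparison is an exact string match: a token minted for a different service, even one signed by Google for a trusted service account, is rejected, which is what keeps one audience's tokens from being replayed against another.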

Types

type ContextTokenSource

type ContextTokenSource interface {
	ContextToken(context.Context) (*oauth2.Token, error)
}

ContextTokenSource is an oauth2.TokenSource that is capable of running on the 1st generation App Engine environment because it can create a urlfetch.Client from the given context.

func NewContextIAMTokenSource

func NewContextIAMTokenSource(ctx context.Context, cfg IAMConfig) (ContextTokenSource, error)

NewContextIAMTokenSource returns an oauth2.TokenSource that uses Google's IAM services to sign a JWT with the default service account and the given audience. Users should use the Identity token source if they can. This client is meant to be used as a bridge for users as they transition from the 1st generation App Engine runtime to the 2nd generation. This implementation can be used in the 1st gen runtime as it allows users to pass a context.Context while fetching the token. The context allows the implementation to reuse clients while changing out the HTTP client under the hood.

type IAMClaimSet

type IAMClaimSet struct {
	jws.ClaimSet

	// Email address of the default service account
	Email string `json:"email"`
}

IAMClaimSet contains just an email for service account identification.

func (IAMClaimSet) BaseClaims

func (s IAMClaimSet) BaseClaims() *jws.ClaimSet

BaseClaims implements the auth.ClaimSetter interface.

type IAMConfig

type IAMConfig struct {
	IAMAddress string `envconfig:"IAM_ADDR"` // optional, for testing

	Audience            string `envconfig:"IAM_AUDIENCE"`
	Project             string `envconfig:"IAM_PROJECT"`
	ServiceAccountEmail string `envconfig:"IAM_SERVICE_ACCOUNT_EMAIL"`

	// JSON contains the raw bytes from a JSON credentials file.
	// This field may be nil if authentication is provided by the
	// environment and not with a credentials file, e.g. when code is
	// running on Google Cloud Platform.
	JSON []byte
}

IAMConfig contains the information required for generating or verifying IAM JWTs.

type IdentityClaimSet

type IdentityClaimSet struct {
	jws.ClaimSet

	// Email address of the default service account (only exists on GAE 2nd gen?)
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`

	// Google metadata info (appears to only exist on GCE?)
	Google map[string]interface{} `json:"google"`
}

IdentityClaimSet holds all the expected values for the various versions of the GCP identity token. More details: https://cloud.google.com/compute/docs/instances/verifying-instance-identity#payload https://developers.google.com/identity/sign-in/web/backend-auth#calling-the-tokeninfo-endpoint

func (IdentityClaimSet) BaseClaims

func (s IdentityClaimSet) BaseClaims() *jws.ClaimSet

BaseClaims implements the auth.ClaimSetter interface.

type IdentityConfig

type IdentityConfig struct {
	Audience string `envconfig:"ID_AUDIENCE"`

	CertURL string `envconfig:"ID_CERT_URL"` // optional override for public key source

	Client *http.Client // optional override

	MetadataAddress string `envconfig:"ID_METADATA_ADDR"` // optional override for token and email retrieval
}

IdentityConfig contains the information required for generating or verifying identity JWTs.
