auth

package v0.0.0-...-f02fc73

This package is not in the latest version of its module.

Published: Jun 2, 2020 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation


Constants

const AuthorizationHeader = "Authorization"

AuthorizationHeader is the name of the HTTP Authorization header.

const ClientCredentials = "client_credentials"

ClientCredentials is a grant type.

const GrantTypeHeader = "GRANT-TYPE"

GrantTypeHeader is the request header used to indicate the grant type.

const PasswordCredentials = "password_credentials"

PasswordCredentials is a grant type.

const RefreshToken = "refreshToken"

RefreshToken is the key under which the refresh token is stored in the gin context.

const RefreshTokenScope = "auth/refresh"

RefreshTokenScope is the scope assigned to the refresh token.

const ReqAuthData = "requestAuthData"

ReqAuthData is the key under which the RequestAuthData is stored in the gin context.

Variables

This section is empty.

Functions

func GetKeyFunc

func GetKeyFunc(pubKey *ecdsa.PublicKey) func(token *jwt.Token) (interface{}, error)

GetKeyFunc returns a key function that validates the signing method of a token before returning the public key used to verify it.

func NewAuthMiddleware

func NewAuthMiddleware(pubKey func() *ecdsa.PublicKey, validations ...ClaimValidation) func(ctx *gin.Context)

NewAuthMiddleware retrieves a middleware to validate the access token on the resource server side.
pubKey: public key corresponding to the private key used by the auth server to sign the token.
validations: additional validations the user might want to perform over the token's claims.

func NewAuthServerMiddleware

func NewAuthServerMiddleware() func(ctx *gin.Context)

NewAuthServerMiddleware returns the middleware used by the AuthServer to extract the Authorization header data.

func NewBasicMiddleware

func NewBasicMiddleware(pubKey func() *ecdsa.PublicKey, appID string) func(ctx *gin.Context)

NewBasicMiddleware retrieves a default middleware. It validates the JWT; the only validation done on the claims is that the audience matches the appID.
pubKey: public key corresponding to the private key used by the auth server to sign the token.
appID: resource service external identifier.

func WithScopes

func WithScopes(handler gin.HandlerFunc, scopes string) gin.HandlerFunc

WithScopes creates a handler that validates the given scopes before calling the intended handler.

Types

type Authorizer

type Authorizer func(uc Credentials) error

Authorizer should try to authorize a user or client using the provided credentials. It returns an error if something went wrong.

type Claim

type Claim struct {
	Key   string
	Value interface{}
}

Claim is a claim to add to the token.

type ClaimProvider

type ClaimProvider func(identifier string, aud string) ([]Claim, error)

ClaimProvider provides additional claims for a given user and audience.

type ClaimValidation

type ClaimValidation func(claims jwt.MapClaims) error

ClaimValidation performs validation over the token's claims.

func ValidateAudience

func ValidateAudience(identifier string) ClaimValidation

ValidateAudience retrieves a ClaimValidation that checks that the 'aud' claim matches the identifier.

type Credentials

type Credentials struct {
	ID       string
	Password string
	Grant    string
}

Credentials holds the data used to identify a user.

type GinAuth

type GinAuth interface {
	// AddAuthenticationEndpoint registers an endpoint at the given path to perform the authentication
	AddAuthenticationEndpoint(route gin.IRouter, relativePath string)
	// AddAccessTokenEndpoint registers an endpoint at the given path to generate a new AccessToken
	AddAccessTokenEndpoint(route gin.IRouter, authMiddleware func(ctx *gin.Context), relativePath string)
	// AddRefreshEndpoint registers an endpoint at the given path to refresh both the RefreshToken and the AccessToken
	AddRefreshEndpoint(route gin.IRouter, authMiddleware func(ctx *gin.Context), relativePath string)
	// AddPubKeyEndpoint registers an endpoint to retrieve the
	AddPubKeyEndpoint(route gin.IRouter, relativePath string)
	// AddAuthProtocol adds all previous endpoints
	AddAuthProtocol(route gin.IRouter, middleware func(ctx *gin.Context))
}

GinAuth is an abstraction to create an Auth server using the 'Gin' framework.

func BasicGinAuth

func BasicGinAuth(c *GinAuthConfig) (GinAuth, error)

BasicGinAuth retrieves a new GinAuth using the basic configuration.

func NewGinAuth

func NewGinAuth(authorizers map[string]Authorizer, clProv ClaimProvider,
	signer TokenSigner, scopes ScopeProvider, clients UserAudValidator) (GinAuth, error)

NewGinAuth retrieves a new GinAuth.

type GinAuthConfig

type GinAuthConfig struct {
	UsrAuthorizer      Authorizer
	ClientAuthorizer   Authorizer
	ScopeProvider      ScopeProvider
	AudValidator       UserAudValidator
	ClaimProvider      ClaimProvider
	SigningKey         *ecdsa.PrivateKey
	AccessTknDuration  time.Duration
	RefreshTknDuration time.Duration
	AppID              string
}

GinAuthConfig is the basic configuration to set up a GinAuth.

type InvalidGrant

type InvalidGrant error

InvalidGrant indicates an error with the grant type.

type InvalidToken

type InvalidToken error

InvalidToken indicates that the JWT is not valid.

type InvalidUser

type InvalidUser error

InvalidUser indicates a user authentication error.

type RequestAuthData

type RequestAuthData struct {
	Sender    string
	Scopes    []string
	GrantType string
	Aud       string
}

RequestAuthData is the basic data extracted from the access token.

type ScopeProvider

type ScopeProvider func(userID string, grant string, resourceID string, requested Scopes) (Scopes, error)

ScopeProvider retrieves, from the requested scopes, the ones that are actually granted to the user.

type Scopes

type Scopes []string

Scopes is a mechanism in OAuth 2.0 to limit an application's access to a user's account.

func (Scopes) ToString

func (s Scopes) ToString() string

ToString joins the Scopes into a single string separated by ' '.

type SignerConfig

type SignerConfig struct {
	SigningKey         *ecdsa.PrivateKey
	AccessTknDuration  time.Duration
	RefreshTknDuration time.Duration
	SignerIdentifier   string
}

SignerConfig is the configuration for a new TokenSigner.

type TokenCredentials

type TokenCredentials struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
}

TokenCredentials holds the signed access_token and refresh_token.

type TokenServer

type TokenServer interface {
	Authorize(credentials Credentials, scopes Scopes, aud string) (*TokenCredentials, error)
	Refresh(refreshToken string, scopes Scopes) (*TokenCredentials, error)
	AccessToken(refreshToken string, scopes Scopes) (string, error)
	GetEncodedPubKey() string
}

TokenServer is an abstraction to authorize and generate credentials for a token-based auth system.

func NewTokenServer

func NewTokenServer(c *TokenServerConfig) (TokenServer, error)

NewTokenServer retrieves a TokenServer.

type TokenServerConfig

type TokenServerConfig struct {
	Authorizers     map[string]Authorizer
	Signer          TokenSigner
	ScopesProvider  ScopeProvider
	ClientValidator UserAudValidator
	ClaimProvider   ClaimProvider
}

TokenServerConfig holds the parameters needed to invoke NewTokenServer.

type TokenSigner

type TokenSigner interface {
	GetAccessToken(userID string, scopes Scopes, grantType string, aud string, claims ...Claim) (string, error)
	GetRefreshToken(userID string, grantType string, aud string, claims ...Claim) (string, error)
	ParseToken(token string) (jwt.MapClaims, error)
	GetSigningKey() ecdsa.PrivateKey
}

TokenSigner is an abstraction to handle token creation.

func NewTokenSigner

func NewTokenSigner(c *SignerConfig) TokenSigner

NewTokenSigner returns an instance of TokenSigner.

type Unexpected

type Unexpected error

Unexpected indicates an error that was not expected.

type UnknownAudience

type UnknownAudience error

UnknownAudience indicates an error related to the requested audience.

type UserAudValidator

type UserAudValidator func(userID string, grant string, resourceID string) (bool, error)

UserAudValidator checks whether the given credentials are allowed to access the resource.
