auxdata

package
v0.35.1 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Apr 9, 2024 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// ErrFailedToExtractJWT is a sentinel error value; callers can match it with errors.Is.
// NOTE(review): presumably returned (possibly wrapped) by Extract when a token
// cannot be processed — confirm against the implementation.
var ErrFailedToExtractJWT = errors.New("failed to extract JWT")

Functions

This section is empty.

Types

type AuxData

// AuxData is the type returned by New, NewFromConf and NewWithoutVerification.
// Its Extract method converts request auxiliary data into the format expected
// by the engine. All of its state is unexported.
type AuxData struct {
	// contains filtered or unexported fields
}

func New

func New(ctx context.Context) (*AuxData, error)

func NewFromConf

func NewFromConf(ctx context.Context, conf *Conf) *AuxData

func NewWithoutVerification

// NewWithoutVerification returns an AuxData for the given context.
// NOTE(review): judging by the name, tokens handled by the returned value are
// presumably not signature-verified (compare JWTConf.DisableVerification) —
// confirm in the implementation; if so, claims read through it are unauthenticated
// and it should stay out of paths where policies depend on JWT claims.
func NewWithoutVerification(ctx context.Context) *AuxData

func (*AuxData) Extract

func (ad *AuxData) Extract(ctx context.Context, adProto *requestv1.AuxData) (*enginev1.AuxData, error)

Extract extracts the auxiliary data and converts it to the format expected by the engine.

type Conf

// Conf is optional configuration for Auxdata. It is read from YAML; the only
// setting it carries is the JWT configuration.
type Conf struct {
	// JWT holds the configuration for JWTs used as an auxiliary data source for the engine.
	// The pointer may be nil when no jwt section is configured.
	// NOTE(review): confirm what verification behaviour applies in that case.
	JWT *JWTConf `yaml:"jwt"`
}

Conf is optional configuration for Auxdata.

func (*Conf) Key

func (c *Conf) Key() string

func (*Conf) Validate

func (c *Conf) Validate() (errs error)

type InsecureKeySetOpt added in v0.31.0

// InsecureKeySetOpt holds per-keyset switches that relax the requirements placed
// on the keys of a key set. JWTKeySet.Insecure, which embeds this type, describes
// these options as not recommended for production use.
type InsecureKeySetOpt struct {
	// OptionalAlg configures Cerbos to not require the alg field to be set in the key set.
	// NOTE(review): a key without alg is not pinned to a single signing algorithm, so
	// the algorithm would presumably have to come from elsewhere (e.g. the token
	// header) — confirm how the verifier restricts algorithms when this is true.
	OptionalAlg bool `yaml:"optionalAlg" conf:",example=false"`
	// OptionalKid configures Cerbos to not require the kid field to be set in the key set.
	// NOTE(review): without kid a key cannot be selected by ID, so the verifier
	// presumably falls back to trying keys from the set — confirm the matching
	// behaviour before enabling.
	OptionalKid bool `yaml:"optionalKid" conf:",example=false"`
}

type JWTConf

// JWTConf configures how JWTs supplied as auxiliary data are verified: which key
// sets are trusted, whether verification happens at all, how many verified tokens
// are cached, and how much clock skew is tolerated on time-based claims.
type JWTConf struct {
	// KeySets is the list of keysets to be used to verify tokens.
	// Every key listed here is a trust anchor: a token that verifies against any
	// configured key set is treated as verified.
	KeySets []JWTKeySet `yaml:"keySets"`
	// DisableVerification disables JWT verification.
	// NOTE(review): with verification off, token claims are presumably passed on
	// without any signature check and are therefore controlled by whoever supplies
	// the token — confirm, and keep this false wherever policies rely on JWT claims.
	DisableVerification bool `yaml:"disableVerification" conf:",example=false"`
	// CacheSize sets the number of verified tokens cached in memory. Set to negative value to disable caching.
	// NOTE(review): confirm that a cached token is still checked against its exp/nbf
	// claims when it is served from the cache.
	CacheSize int `yaml:"cacheSize" conf:",example=256"`
	// AcceptableTimeSkew sets the acceptable skew when checking exp and nbf claims.
	// A larger value widens the window in which a token outside its exp/nbf bounds
	// is still accepted, so keep it no larger than the expected clock drift.
	AcceptableTimeSkew time.Duration `yaml:"acceptableTimeSkew" conf:",example=2s"`
}

type JWTKeySet

// JWTKeySet describes one source of keys used to verify tokens. Exactly one of
// Remote or Local is expected to be set, as the two are documented as mutually
// exclusive.
type JWTKeySet struct {
	// Remote defines a remote keyset. Mutually exclusive with Local.
	Remote *RemoteSource `yaml:"remote"`
	// Local defines a local keyset. Mutually exclusive with Remote.
	Local *LocalSource `yaml:"local"`
	// ID is the unique reference to this keyset.
	// NOTE(review): presumably the value a request uses to choose which key set
	// verifies its token — confirm against the request handling code.
	ID string `yaml:"id" conf:"required,example=ks1"`
	// Insecure options for relaxing security. Not recommended for production use. Use with caution.
	// The options apply to this key set only; see InsecureKeySetOpt for each switch.
	Insecure InsecureKeySetOpt `yaml:"insecure"`
}

type LocalSource

// LocalSource is a key set supplied locally, either inline (Data) or from a file
// on disk (File). The two are documented as mutually exclusive.
type LocalSource struct {
	// Data is the encoded JWK data for this keyset. Mutually exclusive with File.
	// NOTE(review): the example value suggests base64 encoding — confirm. For token
	// verification only public key material should be needed here; verify that no
	// private keys end up in configuration.
	Data string `yaml:"data" conf:",example=base64encodedJWK"`
	// File is the path to file containing JWK data. Mutually exclusive with Data.
	// The file's contents decide which tokens verify, so write access to it should
	// be limited to whoever is allowed to change the trusted keys.
	File string `yaml:"file" conf:",example=/path/to/keys.jwk"`
	// PEM indicates that the data is PEM encoded.
	// NOTE(review): presumably applies to both Data and File — confirm.
	PEM bool `yaml:"pem" conf:",example=true"`
}

type RemoteSource

// RemoteSource is a key set fetched from a JWKS endpoint and refreshed
// periodically.
type RemoteSource struct {
	// URL is the JWKS URL to fetch the keyset from.
	// Keys served from this URL are used to verify tokens, so the endpoint and the
	// transport to it are part of the trust boundary; the example uses https.
	// NOTE(review): whether non-HTTPS schemes are rejected is not visible here — confirm.
	URL string `yaml:"url" conf:"required,example=https://domain.tld/.well-known/keys.jwks"`
	// RefreshInterval is the refresh interval for the keyset.
	// NOTE(review): presumably also bounds how long a key removed at the source
	// remains trusted locally — confirm, and size the interval with key rotation
	// and revocation in mind.
	RefreshInterval time.Duration `yaml:"refreshInterval" conf:",example=1h"`
}
