Documentation

Overview

    Package x509 provides a request authenticator that validates and extracts user information from client certificates

    Index

    Constants

    This section is empty.

    Variables

    View Source
    var CommonNameUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (user.Info, bool, error) {
    	if len(chain[0].Subject.CommonName) == 0 {
    		return nil, false, nil
    	}
    	return &user.DefaultInfo{
    		Name:   chain[0].Subject.CommonName,
    		Groups: chain[0].Subject.Organization,
    	}, true, nil
    })

      CommonNameUserConversion builds user info from a certificate chain using the subject's CommonName

      View Source
      var DNSNameUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (user.Info, bool, error) {
      	if len(chain[0].DNSNames) == 0 {
      		return nil, false, nil
      	}
      	return &user.DefaultInfo{Name: chain[0].DNSNames[0]}, true, nil
      })

        DNSNameUserConversion builds user info from a certificate chain using the first DNSName on the certificate

        View Source
        var EmailAddressUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (user.Info, bool, error) {
        	var emailAddressOID asn1.ObjectIdentifier = []int{1, 2, 840, 113549, 1, 9, 1}
        	if len(chain[0].EmailAddresses) == 0 {
        		for _, name := range chain[0].Subject.Names {
        			if name.Type.Equal(emailAddressOID) {
        				return &user.DefaultInfo{Name: name.Value.(string)}, true, nil
        			}
        		}
        		return nil, false, nil
        	}
        	return &user.DefaultInfo{Name: chain[0].EmailAddresses[0]}, true, nil
        })

          EmailAddressUserConversion builds user info from a certificate chain using the first EmailAddress on the certificate

          Functions

          func DefaultVerifyOptions

          func DefaultVerifyOptions() x509.VerifyOptions

            DefaultVerifyOptions returns VerifyOptions that use the system root certificates, current time, and requires certificates to be valid for client auth (x509.ExtKeyUsageClientAuth)

            func NewVerifier

            func NewVerifier(opts x509.VerifyOptions, auth authenticator.Request, allowedCommonNames sets.String) authenticator.Request

              NewVerifier create a request.Authenticator by verifying a client cert on the request, then delegating to the wrapped auth

              Types

              type Authenticator

              type Authenticator struct {
              	// contains filtered or unexported fields
              }

                Authenticator implements request.Authenticator by extracting user info from verified client certificates

                func New

                  New returns a request.Authenticator that verifies client certificates using the provided VerifyOptions, and converts valid certificate chains into user.Info using the provided UserConversion

                  func (*Authenticator) AuthenticateRequest

                  func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error)

                    AuthenticateRequest authenticates the request using presented client certificates

                    type UserConversion

                    type UserConversion interface {
                    	User(chain []*x509.Certificate) (user.Info, bool, error)
                    }

                      UserConversion defines an interface for extracting user info from a client certificate chain

                      type UserConversionFunc

                      type UserConversionFunc func(chain []*x509.Certificate) (user.Info, bool, error)

                        UserConversionFunc is a function that implements the UserConversion interface.

                        func (UserConversionFunc) User

                        func (f UserConversionFunc) User(chain []*x509.Certificate) (user.Info, bool, error)

                          User implements x509.UserConversion

                          type Verifier

                          type Verifier struct {
                          	// contains filtered or unexported fields
                          }

                            Verifier implements request.Authenticator by verifying a client cert on the request, then delegating to the wrapped auth

                            func (*Verifier) AuthenticateRequest

                            func (a *Verifier) AuthenticateRequest(req *http.Request) (user.Info, bool, error)

                              AuthenticateRequest verifies the presented client certificate, then delegates to the wrapped auth

                              Source Files