auth

package
v0.0.0-...-1c5d739 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 14, 2023 License: Apache-2.0 Imports: 28 Imported by: 10

Documentation

Index

Constants

View Source 
const (
	TOKEN_LEN_BYTES = 4
	SIGNATURE_BYTES = 256
)
View Source 
const (
	DelegateKeyFileName = "delegate.keys"
	MasterKeyFileName   = ".keys/master.keys"
	CommonKeyFilename   = "common.key"
)
View Source 
const (

	// ClockDriftDelta provides the tolerance for clock drift
	// between master and hosts when a token or request is considered valid
	ClockDriftDelta = 5 * time.Minute

	// token to be refreshed ahead of the expiration time
	RefreshAhead = 3 * time.Minute
)
View Source 
const (
	ADDRESS_BYTES = 6
)

Variables

View Source 
var (
	// ErrIdentityTokenInvalid is a generic invalid token error
	ErrIdentityTokenInvalid = errors.New("Identity token is invalid")
	// ErrIdentityTokenExpired is thrown when an identity token is expired
	ErrIdentityTokenExpired = errors.New("Identity token expired")
	// ErrIdentityTokenNotValidYet is thrown when an identity token is used before its issue time
	ErrIdentityTokenNotValidYet = errors.New("Identity token used before issue time")
	// ErrIdentityTokenBadSig is thrown when an identity token has a bad signature
	ErrIdentityTokenBadSig = errors.New("Identity token signature cannot be verified")
	// ErrNoPublicKey is thrown when no public key is available to verify a signature
	ErrNoPublicKey = errors.New("Cannot retrieve public key to verify signature")
	// ErrNoPrivateKey is thrown when no private key is available to sign a message
	ErrNoPrivateKey = errors.New("Cannot retrieve private key to sign message")
	// ErrInvalidSigningMethod is thrown when an identity token is not signed with the correct method
	ErrInvalidSigningMethod = errors.New("Identity token signing method was not RSAPSS")
	// ErrInvalidIdentityTokenClaims is thrown when an identity token does not have required claims
	ErrInvalidIdentityTokenClaims = errors.New("Identity token is missing required claims")
	// ErrNotRSAPublicKey is thrown when a key is not an RSA public key and needs to be
	ErrNotRSAPublicKey = errors.New("Not an RSA public key")
	// ErrNotRSAPrivateKey is thrown when a key is not an RSA private key and needs to be
	ErrNotRSAPrivateKey = errors.New("Not an RSA private key")
	// ErrNotPEMEncoded is thrown when bytes are not PEM encoded and need to be
	ErrNotPEMEncoded = errors.New("Not PEM encoded")
	// ErrBadKeysFile is thrown when the local keys file isn't parseable
	ErrBadKeysFile = errors.New("Unable to read security keys file")
	// ErrNotAuthenticated is thrown when there's no authentication token
	ErrNotAuthenticated = errors.New("No authentication token available")
	// ErrBadToken is thrown when there is a problem extracting a token from a data stream (e.g. mux, rpc, etc)
	ErrBadToken = errors.New("Could not extract token")
	// ErrRestTokenExpired is thrown when an rest token is expired
	ErrRestTokenExpired = errors.New("Rest token expired")
	// ErrBadRestToken is thrown when the rest token cant be extracted or parsed
	ErrBadRestToken = errors.New("Invalid rest token")
	// ErrRestTokenBadSig is thrown when a rest token has a bad signature
	ErrRestTokenBadSig = errors.New("Rest token signature cannot be verified")
	// ErrSSHFailed is thrown when we can't ssh to a remote host to register keys
	ErrSSHFailed = errors.New("Unable to make an ssh connection to host")
	// ErrAuth0TokenExpired is thrown when an auth0 token is expired
	ErrAuth0TokenExpired = errors.New("auth0 token expired")
	// ErrAuth0TokenBadIssuer is thrown when the issuer claim in an auth0 token does not match the value configured in the API
	ErrAuth0TokenBadIssuer = errors.New("auth0 token issuer does not match value configured in API")
	// ErrAuth0TokenBadAudience is thrown when the audience claim in an auth0 token does not match the value of the target API
	ErrAuth0TokenBadAudience = errors.New("auth0 token audience does not match the target API")
)
View Source 
var (
	// ProtocolVersion is the current protocol version
	ProtocolVersion protocolVersion = 1
	// MagicNumber is a magic number to identify headers as auth
	MagicNumber = magicNumber([3]byte{139, 143, 165})

	// ErrInvalidAuthHeader is thrown when the auth header is invalid
	ErrInvalidAuthHeader = errors.New("Invalid authentication header")
	// ErrAuthProtocolVersion is thrown when the auth protocol version passed is unknown
	ErrAuthProtocolVersion = errors.New("Unknown authentication protocol version")
	// ErrPayloadTooLarge is thrown when the payload length for an auth header overflows a uint16
	ErrPayloadTooLarge = errors.New("Authentication header payload is too large")
	// ErrUnknownAuthProtocol is thrown when the authentication protocol version is not supported
	ErrUnknownAuthProtocol = errors.New("Unknown authentication protocol version")
	// ErrHeaderExpired is thrown when an authentication header is more than 10s old
	ErrHeaderExpired = errors.New("Expired authentication header.")
)
View Source 
var (
	RequestDelimiter                       = " "
	RestTokenExpiration                    = 10 * time.Second
	AuthTokenGetter     AuthTokenRetriever = AuthTokenNonBlocking
)
View Source 
var (
	// RPCMagicNumber is a magic number for RPC
	RPCMagicNumber = []byte{224, 227, 155}
	// BodyLenLen is the length of the length of the payload
	BodyLenLen = 4

	// ErrBadRPCHeader is thrown when the RPC header is bad
	ErrBadRPCHeader = errors.New("Bad rpc header")
	// ErrWritingLength is thrown when the length writing has an error
	ErrWritingLength = errors.New("Wrote too few bytes for message length")
	// ErrWritingBody is thrown when the body writing has an error
	ErrWritingBody = errors.New("Wrote too few bytes for message body")
	// ErrReadingLength is thrown when we read too few bytes for message length
	ErrReadingLength = errors.New("Read too few bytes for message length")
	// ErrReadingBody is thrown when we read too few bytes for message body
	ErrReadingBody = errors.New("Read too few bytes for message body")
)
View Source 
var (
	// DevPubKeyPEM is a sample public key for use in dev
	DevPubKeyPEM = []byte(`-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxeGhO/4jJ7fPwXHjtZx+
q/Ne+fhMEzGB41aD6QKij6u0LPBWynmXdJeLdIW1N8ZFF7PdpA4qAu6ouMRvOuSJ
1qPt1hToahBxxducEp64nQ/fWN0uANjPqjlKcjj/fiSZ2ewrXYAOmnbaIQgt3fjv
VYQgdGmHA5uyROclsutOF0shyprU2x/S8uXIK1fJM/yxukcDG6GvymW0b5mqLZZA
Zmpt11QJ8YV5yiBtziSyYfiXTFs5yoydvRqmTIRm1CBnV3JYXio9fXv4C1BVTk11
miqYybTUZga1O9mykjDbrwtaigb2rP1EjQzJoMLHW27edXBZUFQjedD0N20+WkUx
0wIDAQAB
-----END PUBLIC KEY-----`)

	// DevPrivKeyPEM is a sample private key for use in dev
	DevPrivKeyPEM = []byte(`-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAxeGhO/4jJ7fPwXHjtZx+q/Ne+fhMEzGB41aD6QKij6u0LPBW
ynmXdJeLdIW1N8ZFF7PdpA4qAu6ouMRvOuSJ1qPt1hToahBxxducEp64nQ/fWN0u
ANjPqjlKcjj/fiSZ2ewrXYAOmnbaIQgt3fjvVYQgdGmHA5uyROclsutOF0shyprU
2x/S8uXIK1fJM/yxukcDG6GvymW0b5mqLZZAZmpt11QJ8YV5yiBtziSyYfiXTFs5
yoydvRqmTIRm1CBnV3JYXio9fXv4C1BVTk11miqYybTUZga1O9mykjDbrwtaigb2
rP1EjQzJoMLHW27edXBZUFQjedD0N20+WkUx0wIDAQABAoIBAQC5W2HZvXOWx9Jf
JNylCOOLFFx6EIDKVcySdD757BL0O2V51uOlpAIgH7hsvLaEeT/NNRm/i9kEiCQZ
dz+tzdfj7AhkSY9vktnP+aeXtX++99hB+GUYO/9CN4optoR017oZ7OSuH78OJ5ip
6mx0ibM+ypZQFW14DscNTev9TfcHTx2Id9/iQx1bZFXxWyhjpuAlxliw3hkS4ANt
axI9N8Wi+K7uHYkMsDul32JIHFPPgpD4uB8mcCsLG48sRPqC/wcqeb48Dift6c/y
wo3JWk8Q5wi8/pE+ryVccSHa5KHaO+bhVr/z5ItNgA9MQdE3k5N7Umx41rgQR0Xr
+CYwH2JhAoGBAPLGIi5TK/hb+0Z9NQvoqOOObju8U4gOv5n+diW+xMU4EoJBsllM
piKfrlXBn+09hovx72p2LWYXQERp7yfd0AzcWC41HqGjtQ+1gA+9GDYC/wLDA+pl
tW7tlmzcIAIsYPUFBSPSb+WA4aJygir/1Hta/PldYGGrhUxfhrzZbeXxAoGBANCp
Ze3pG7N2mDuSxEhtXOOD9JMupz3tMZr2p+QgtjR5MRWR9+G3mFna5462Rg9d/d7z
4adxsvn/7OE/9stkLpdmcZrq0jx5s9V/EQkliO7LG9l3H/JoPEYPt5alGpeV3awG
7uTrkpdqO44U2PTCPCZ7i07axeHC9J68GzDMM4ADAoGBAMNto45O/ZJL2RaBK/aO
L4Ye3bXQgB2CYdKA+HKiApwP6zZX1E32WbZ9fEUkPK0pXenBs8yrnRgVl3J7JD2f
XR89MO7ha+sKcXJX1OLWgWrZNpbujXRes5K8Rt8Sw+F8AAC9LcoMWG8TNI8kRox+
rHkwYXwLIs78160HKNtU3BbBAoGBAMgCCA0TC5VrUSKRXQnbolUG8BGAf5hxWsIi
Oe4GmQAVRsJZR1SZqjQ/CwQVnXQvcSAbfyoEZz0RXprOuB5fafV/odePzHNhaMp1
YPv2eZoDIC/D6uBtn5C8kgqZObMhWPkDMExHrhzrHCjlvMxnvkZY18B/HXx4Zggd
YKbWpWrHAoGAYhE/GcHnJ/SJznMl0O9jkg/I0TQwDRnibzvESb3M2aZZ7slL/AYb
x9eZ/rWmKDZN74BDBmCIVBn8jgXk0Qv9JmltOS7b6Md4R5DTaeP6QJEEBGpKkFI4
gTU6k22ENbaM2VIHhEjJQYftvA63316pfDqF31yq/cpspdaNrntc7xc=
-----END RSA PRIVATE KEY-----`)
)
View Source 
var (
	ErrBadMuxAddress = errors.New("Bad mux address")
)
View Source 
var (
	// ErrMissingHost indicates if a host does not
	// exist in the host expiration registry
	ErrMissingHost = errors.New("Host is not present in host expiration registry")
)
View Source 
var (
	// TokenFileName is the file in which we store the current token
	TokenFileName = "auth.token"
)

Functions

func AddRestTokenToRequest 

func AddRestTokenToRequest(r *http.Request, token string)

func AddSignedMuxHeader 

func AddSignedMuxHeader(w io.Writer, address []byte, token string) error

func At 

func At(t time.Time, f func())

At sets a fake time, executes the provided function, then restores the default time getter, making it possible to test time-sensitive stuff

func Auth0IsConfigured 

func Auth0IsConfigured() bool

func AuthToken 

func AuthToken(cancel <-chan interface{}) <-chan string

AuthToken returns an unexpired auth token, blocking if necessary until authenticated

func AuthTokenNonBlocking 

func AuthTokenNonBlocking() (string, error)

A non-blocking call to get an unexpired auth token. Returns an error 

If no token exists or if the token is expired

func BuildRestToken 

func BuildRestToken(r *http.Request) (string, error)

func ClearKeys 

func ClearKeys()

ClearKeys wipes the current state

func ClearToken 

func ClearToken()

ClearToken wipes the current state

func CreateJWTIdentity 

func CreateJWTIdentity(hostID, poolID string, admin, dfs bool, pubKeyPEM []byte, expiration time.Duration) (string, int64, error)

CreateJWTIdentity returns a signed string

func CreateOrLoadMasterKeys 

func CreateOrLoadMasterKeys(filename string) error

CreateOrLoadMasterKeys will load the master keys from disk 

If the file does not exist, it will generate new keys and
write them to disk.

func DumpPEMKeyPairToFile 

func DumpPEMKeyPairToFile(filename string, public, private []byte) error

DumpPEMKeyPairToFile dumps PEM-encoded public and private keys to a single file

func DumpRSAPEMKeyPair 

func DumpRSAPEMKeyPair(public, private []byte) ([]byte, error)

DumpRSAPEMKeyPair dumps PEM-encoded public and private keys to a single byte array

func ExtractRestToken 

func ExtractRestToken(r *http.Request) (string, error)

func GenerateRSAKeyPairPEM 

func GenerateRSAKeyPairPEM(headers map[string]string) (public []byte, private []byte, err error)

GenerateKey generates an RSA key pair and returns the public and private PEM blocks for that key.

func GetMasterPublicKey 

func GetMasterPublicKey() (crypto.PublicKey, error)

GetMasterPublicKey() returns the public key of the master 

It first checks to see if we have a set of master keys (i.e. we are the master)
It then checks the delegate keys.  If neither exists, returns ErrNoPublicKey

func GetRequestHash 

func GetRequestHash(r *http.Request) []byte

func HasDFSAccess 

func HasDFSAccess() bool

Check if the current identity is allowed to access the DFS

func LoadCommonRSAKeyPairPEM 

func LoadCommonRSAKeyPairPEM(headers map[string]string) (public []byte, private []byte, err error)

LoadCommonRSAKeyPairPEM loads the common keys from a specific file.

func LoadDelegateKeysFromFile 

func LoadDelegateKeysFromFile(filename string) error

LoadKeysFromFile loads keys from a file on disk.

func LoadDelegateKeysFromPEM 

func LoadDelegateKeysFromPEM(public, private []byte) error

LoadDelegateKeysFromPEM loads the local delegate keys (master public, delegate private) 

from PEM data passed in directly
Useful mostly for writing tests

func LoadKeyPairFromFile 

func LoadKeyPairFromFile(filename string) (public crypto.PublicKey, private crypto.PrivateKey, err error)

LoadPEMKeyPair loads a private/public key pair from a reader over PEM-encoded data. 

The private key is first, the public key is second.

func LoadMasterKeyFile 

func LoadMasterKeyFile(filename string) error

LoadMasterKeyFile will load the master keys from disk if 

the file exists.  If the file does not exist, it will
return an error

func LoadMasterKeys 

func LoadMasterKeys(public crypto.PublicKey, private crypto.PrivateKey)

LoadMasterKeys sets the current master key pair to the one specified

func LoadMasterKeysFromPEM 

func LoadMasterKeysFromPEM(public, private []byte) error

LoadMasterKeysFromPEM loads the local master keys from PEM data passed in directly 

Useful mostly for writing tests

func LoadRSAKeyPair 

func LoadRSAKeyPair(pub, priv []byte) (public crypto.PublicKey, private crypto.PrivateKey, err error)

LoadRSAKeyPair loads a private/public key pair from separate PEM-encoded byte arrays

func LoadRSAKeyPairPackage 

func LoadRSAKeyPairPackage(data []byte) (public crypto.PublicKey, private crypto.PrivateKey, err error)

LoadRSAKeyPairPackage loads a private/public key pair from a reader over PEM-encoded data. 

The private key is first, the public key is second.

func LoadTokenFile 

func LoadTokenFile(tokenfile string) error

func MasterToken 

func MasterToken() (string, error)

MasterToken() generates a new token with an empty host and pool ID and the master's public key, 

signed by the master's private key.  This will return an error if there is no master private
key available (i.e. if we are not the master)

func NewAuthHeaderWriterTo 

func NewAuthHeaderWriterTo(token, payload []byte, signer Signer) io.WriterTo

NewAuthHeaderWriterTo returns an io.WriterTo that can write an authentication header with the given parameters to a Writer.

func NotifyOnChange 

func NotifyOnChange(filename string, ops fsnotify.Op, cancel <-chan interface{}) (<-chan struct{}, error)

NotifyOnChange watches a file for changes that match the given operation set and notifies on a channel when they occur.

func NotifyOnKeyChange 

func NotifyOnKeyChange() <-chan struct{}

func PEMFromRSAPrivateKey 

func PEMFromRSAPrivateKey(key crypto.PrivateKey, headers map[string]string) ([]byte, error)

PEMFromRSAPrivateKey creates a PEM block from an RSA public key

func PEMFromRSAPublicKey 

func PEMFromRSAPublicKey(key crypto.PublicKey, headers map[string]string) ([]byte, error)

PEMFromRSAPublicKey creates a PEM block from an RSA public key

func RSAPrivateKeyFromPEM 

func RSAPrivateKeyFromPEM(key []byte) (*rsa.PrivateKey, error)

RSAPrivateKeyFromPEM decodes a PEM-encoded RSA private key

func RSAPublicKeyFromPEM 

func RSAPublicKeyFromPEM(key []byte) (*rsa.PublicKey, error)

RSAPublicKeyFromPEM decodes a PEM-encoded RSA public key

func ReadLengthAndBytes 

func ReadLengthAndBytes(reader io.Reader) ([]byte, error)

ReadLengthAndBytes reads the length of a byte array and then the bytes themselves. It is the inverse of WriteLengthAndBytes.

func RefreshToken 

func RefreshToken(f TokenFunc, filename string) (int64, error)

RefreshToken gets a new token, sets it as the current, and returns the expiration time

func RegisterLocalHost 

func RegisterLocalHost(keydata []byte) error

func RegisterRemoteHost 

func RegisterRemoteHost(hostID string, nat utils.URL, hostIPAddr string, keydata []byte, prompt bool) error

func SignAsDelegate 

func SignAsDelegate(message []byte) ([]byte, error)

SignAsDelegate signs the given message with the private key local to the delegate running this process.

func SignAsMaster 

func SignAsMaster(message []byte) ([]byte, error)

SignAsMaster signs the given message with the master's private key will return an error if the delegate running this process is not the master

func TokenLoop 

func TokenLoop(f TokenFunc, tokenfile string, done <-chan interface{}, forceRefresh <-chan struct{})

TokenLoop accepts a function that returns an expiring token. It will then periodically refresh that token, one minute before it is due to expire, setting the result as the current live token, until the done channel is closed.

func VerifyMasterSignature 

func VerifyMasterSignature(message, signature []byte) error

VerifyMasterSignature verifies that a given message was signed by the master whose public key we have.

func WaitForAuthToken 

func WaitForAuthToken(cancel <-chan interface{}) <-chan struct{}

WaitForAuthToken blocks until the authentication token is defined.

func WaitForDelegateKeys 

func WaitForDelegateKeys(cancel <-chan interface{}) <-chan struct{}

WaitForDelegateKeys blocks until delegate keys are defined.

func WatchDelegateKeyFile 

func WatchDelegateKeyFile(filename string, cancel <-chan interface{}) error

WatchDelegateKeyFile watches the delegate key file on the filesystem and updates the internal delegate keys when changes are detected.

func WatchTokenFile 

func WatchTokenFile(tokenfile string, done <-chan interface{}) error

Watch a token file for changes. Load the token when those changes occur.

func WriteKeyToFile 

func WriteKeyToFile(filename string, keydata []byte) error

func WriteLengthAndBytes 

func WriteLengthAndBytes(b []byte, writer io.Writer) error

WriteLengthAndBytes writes the length of a byte array and then the bytes themselves. It is the inverse of ReadLengthAndBytes.

Types

type Auth0Token 

type Auth0Token interface {
	HasAdminAccess() bool
	User() string
	Expiration() int64
}

func ParseAuth0Token 

func ParseAuth0Token(token string) (Auth0Token, error)

See https://auth0.com/docs/api-auth/tutorials/verify-access-token for information on validating auth0 tokens. Per https://jwt.io/, the jwt-go library validates exp, but not iss or sub.

type AuthHeaderError 

type AuthHeaderError struct {
	Err     error
	Payload []byte
}

AuthHeaderError wraps another error with an accompanying payload, for the sake of those receiving the error who need access to the payload.

func (*AuthHeaderError) Error 

func (e *AuthHeaderError) Error() string

Error implements the error interface.

type AuthTokenRetriever 

type AuthTokenRetriever func() (string, error)

type HostExpirationRegistry 

type HostExpirationRegistry struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

HostExpirationRegistry is a threadsafe map of host id to auth expiration time. NOTE: expired hosts are not removed from the registry

func NewHostExpirationRegistry 

func NewHostExpirationRegistry() *HostExpirationRegistry

NewHostExpirationRegistry creates a new HostExpirationRegistry

func (*HostExpirationRegistry) IsExpired 

func (reg *HostExpirationRegistry) IsExpired(hostid string) (bool, error)

IsExpired checks if a give host's auth has expired and returns a bool or an error if the host isn't in the registry

func (*HostExpirationRegistry) Remove 

func (reg *HostExpirationRegistry) Remove(hostid string)

Remove removes a host from the expiration registry

func (*HostExpirationRegistry) Set 

func (reg *HostExpirationRegistry) Set(hostid string, expires int64)

Set adds a host to the expiration registry by its id and sets its auth expiration time

type HostExpirationRegistryInterface 

type HostExpirationRegistryInterface interface {
	Set(string, int64)
	Remove(string)
	IsExpired(string) (bool, error)
}

type HostKeys 

type HostKeys struct {
	// contains filtered or unexported fields
}

func (*HostKeys) Sign 

func (h *HostKeys) Sign(message []byte) ([]byte, error)

func (*HostKeys) Verify 

func (h *HostKeys) Verify(message, signature []byte) error

type Identity 

type Identity interface {
	Valid() error
	Expired() bool
	HostID() string
	PoolID() string
	HasAdminAccess() bool
	HasDFSAccess() bool
	Verifier() (Verifier, error)
}

Identity represents the identity of a host. The most-used implementation will involve serializing this to a token.

func CurrentIdentity 

func CurrentIdentity() Identity

CurrentIdentity returns the identity represented by the currently-live token, or nil if the token is not yet available

func ParseJWTIdentity 

func ParseJWTIdentity(token string) (Identity, error)

ParseJWTIdentity parses a JSON Web Token string, verifying that it was signed by the master.

func ReadAuthHeader 

func ReadAuthHeader(r io.Reader) (sender Identity, timestamp time.Time, payload []byte, err error)

ReadAuthHeader reads an authentication header from the reader given. If there's a non-EOF error, it will read to the payload and return an AuthHeaderError with the contents of the payload and the original error. This allows us to support protocols that require the payload for bookkeeping purposes, like RPC.

func ReadMuxHeader 

func ReadMuxHeader(r io.Reader) ([]byte, Identity, error)

type JSONWebkeys 

type JSONWebkeys struct {
	Kty string   `json:"kty"`
	Kid string   `json:"kid"`
	Use string   `json:"use"`
	N   string   `json:"n"`
	E   string   `json:"e"`
	X5c []string `json:"x5c"`
}

type Jwks 

type Jwks struct {
	Keys []JSONWebkeys `json:"keys"`
	// contains filtered or unexported fields
}

type MasterKeys 

type MasterKeys struct {
	// contains filtered or unexported fields
}

func (*MasterKeys) Sign 

func (m *MasterKeys) Sign(message []byte) ([]byte, error)

func (*MasterKeys) Verify 

func (m *MasterKeys) Verify(message, signature []byte) error

type RPCHeaderBuilder 

type RPCHeaderBuilder interface {
	// WriteHeader writes an RPC header to the provided writer. Optionally, it
	// writes an authentication header as part of the RPC header.
	WriteHeader(io.Writer, []byte, bool) error
}

RPCHeaderBuilder builds headers and writes them to writers

type RPCHeaderHandler 

type RPCHeaderHandler struct{}

RPCHeaderHandler is an implementation of RPCHeaderParser and RPCHeaderBuilder

func (*RPCHeaderHandler) ReadHeader 

func (r *RPCHeaderHandler) ReadHeader(reader io.Reader) (Identity, []byte, error)

ReadHeader reads an RPC header from a reader, parsing the authentication header, if any.

func (*RPCHeaderHandler) WriteHeader 

func (r *RPCHeaderHandler) WriteHeader(w io.Writer, req []byte, writeAuth bool) error

WriteHeader writes an RPC header to the provided writer. Optionally, it writes an authentication header as part of the RPC header.

type RPCHeaderParser 

type RPCHeaderParser interface {
	// ReadHeader reads an RPC header from a reader, parsing the authentication
	// header, if any.
	ReadHeader(io.Reader) (Identity, []byte, error)
}

RPCHeaderParser reads headers from readers and parses them

type RestToken 

type RestToken interface {
	Valid() error
	Expired() bool
	AuthToken() string
	RestToken() string
	ValidateRequestHash(r *http.Request) bool
	HasAdminAccess() bool
}

func ParseRestToken 

func ParseRestToken(token string) (RestToken, error)

type Signer 

type Signer interface {
	Sign(message []byte) ([]byte, error)
}

Signer is used to sign a message

func DevRSASigner 

func DevRSASigner() Signer

DevRSASigner returns a dev signer for dev purposes

func RSASigner 

func RSASigner(key crypto.PrivateKey) (Signer, error)

RSASigner creates a Signer from a key, validating that it is an RSA private key first

func RSASignerFromPEM 

func RSASignerFromPEM(key []byte) (Signer, error)

RSASignerFromPEM creates a Signer from a PEM-encoded key, validating that it is an RSA private key first

type TokenFunc 

type TokenFunc func() (string, int64, error)

TokenFunc is a function that can return an authentication token and its expiration time

type Verifier 

type Verifier interface {
	Verify(message []byte, signature []byte) error
}

Verifier is used to verify a signed message

func DevRSAVerifier 

func DevRSAVerifier() Verifier

DevRSAVerifier returns a dev verifier for dev purposes

func RSAVerifier 

func RSAVerifier(key crypto.PublicKey) (Verifier, error)

RSAVerifier creates a Verifier from a key, verifying that it is an RSA public key first

func RSAVerifierFromPEM 

func RSAVerifierFromPEM(key []byte) (Verifier, error)

RSAVerifierFromPEM creates a Verifier from a PEM-encoded key, verifying that it is an RSA public key first

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.