auth

package
v8.0.0+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 24, 2019 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

Package auth can be used for authentication and authorization Copyright 2018 Portworx

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Package auth can be used for authentication and authorization Copyright 2019 Portworx

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Index

Constants

View Source 
const (
	SecondDef = "s"
	MinuteDef = "m"
	HourDef   = "h"
	DayDef    = "d"
	YearDef   = "y"

	Day  = time.Hour * 24
	Year = Day * 365
)

Variables

View Source 
var (

	// Inst returns the instance of system token manager.
	// This function can be overridden for testing purposes
	InitSystemTokenManager = func(tg TokenGenerator) {
		systemTokenInst = tg
	}

	// SystemTokenManagerInst returns the systemTokenManager instance
	SystemTokenManagerInst = func() TokenGenerator {
		return systemTokenInst
	}
)
View Source 
var (
	SecondRegex = regexp.MustCompile("([0-9]+)" + SecondDef)
	MinuteRegex = regexp.MustCompile("([0-9]+)" + MinuteDef)
	HourRegex   = regexp.MustCompile("([0-9]+)" + HourDef)
	DayRegex    = regexp.MustCompile("([0-9]+)" + DayDef)
	YearRegex   = regexp.MustCompile("([0-9]+)" + YearDef)
)

Functions

func ContextSaveUserInfo 

func ContextSaveUserInfo(ctx context.Context, u *UserInfo) context.Context

ContextSaveUserInfo saves user information in the context for other functions to consume

func Enabled 

func Enabled() bool

Enabled returns whether or not auth is enabled.

func IsJwtToken 

func IsJwtToken(authstring string) bool

IsJwtToken returns true if the provided string is a valid jwt token

func NoAuth 

func NoAuth() *noauth

NoAuth returns the default no auth implementation

func ParseToDuration 

func ParseToDuration(s string) (time.Duration, error)

ParseToDuration takes in a "human" type duration and changes it to time.Duration. The format for a human type is <number><type>. For example: Five days: 5d; one year: 1y.

func Token 

func Token(
	claims *Claims,
	signature *Signature,
	options *Options,
) (string, error)

Token returns a signed JWT containing the claims provided

func TokenIssuer 

func TokenIssuer(rawtoken string) (string, error)

TokenIssuer returns the issuer for the raw JWT token.

Types

type Authenticator 

type Authenticator interface {
	// AuthenticateToken validates the token and returns the claims
	AuthenticateToken(context.Context, string) (*Claims, error)

	// Username returns the unique id according to the configuration. Default
	// it will return the value for "sub" in the token claims, but it can be
	// configured to return the email or name as the unique id.
	Username(*Claims) string
}

Authenticator interface validates and extracts the claims from a raw token

type Claims 

type Claims struct {
	// Issuer is the token issuer. For selfsigned token do not prefix
	// with `https://`.
	Issuer string `json:"iss"`
	// Subject identifier. Unique ID of this account
	Subject string `json:"sub" yaml:"sub"`
	// Account name
	Name string `json:"name" yaml:"name"`
	// Account email
	Email string `json:"email" yaml:"email"`
	// Roles of this account
	Roles []string `json:"roles,omitempty" yaml:"roles,omitempty"`
	// (optional) Groups in which this account is part of
	Groups []string `json:"groups,omitempty" yaml:"groups,omitempty"`
}

Claims provides information about the claims in the token See https://openid.net/specs/openid-connect-core-1_0.html#IDToken for more information.

func TokenClaims 

func TokenClaims(rawtoken string) (*Claims, error)

TokenClaims returns the claims for the raw JWT token.

type InterceptorContextkey 

type InterceptorContextkey string

Keys to store data in gRPC context. Use these keys to retrieve the data from the gRPC context 

const (
	// Key to store in the token claims in gRPC context
	InterceptorContextTokenKey InterceptorContextkey = "tokenclaims"
)

type JwtAuthConfig 

type JwtAuthConfig struct {
	// SharedSecret in byte array form
	SharedSecret []byte
	// RsaPublicPem is the contents of the RSA public key file
	RsaPublicPem []byte
	// ECDSPublicPem is the contents of the ECDS public key file
	ECDSPublicPem []byte
	// UsernameClaim has the location of the unique id for the user.
	// If empty, "sub" will be used for the user name unique id.
	UsernameClaim UsernameClaimType
}

JwtAuthConfig provides JwtAuthenticator the keys to validate the token

type JwtAuthenticator 

type JwtAuthenticator struct {
	// contains filtered or unexported fields
}

JwtAuthenticator definition. It contains the raw bytes of the keys and their objects as returned by the Jwt package

func NewJwtAuth 

func NewJwtAuth(config *JwtAuthConfig) (*JwtAuthenticator, error)

New returns a JwtAuthenticator

func (*JwtAuthenticator) AuthenticateToken 

func (j *JwtAuthenticator) AuthenticateToken(ctx context.Context, rawtoken string) (*Claims, error)

AuthenticateToken determines if a token is valid and if it is, returns the information in the claims.

func (*JwtAuthenticator) Username 

func (j *JwtAuthenticator) Username(claims *Claims) string

type OIDCAuthConfig 

type OIDCAuthConfig struct {
	// Issuer of the OIDC tokens
	// e.g. https://accounts.google.com
	Issuer string
	// ClientID is the client id provided by the OIDC
	ClientID string
	// SkipClientIDCheck skips a verification on tokens which are returned
	// from the OIDC without the client ID set
	SkipClientIDCheck bool
	// UsernameClaim has the location of the unique id for the user.
	// If empty, "sub" will be used for the user name unique id.
	UsernameClaim UsernameClaimType
	// Namespace sets the namespace for all custom claims. For example
	// if the claims had the key: "https://mynamespace/roles", then
	// the namespace would be "https://mynamespace/".
	Namespace string
}

OIDCAuthConfig configures an OIDC connection

type OIDCAuthenticator 

type OIDCAuthenticator struct {
	// contains filtered or unexported fields
}

OIDCAuthenticator is used to validate tokens with an OIDC

func NewOIDC 

func NewOIDC(config *OIDCAuthConfig) (*OIDCAuthenticator, error)

NewOIDC returns a new OIDC authenticator

func (*OIDCAuthenticator) AuthenticateToken 

func (o *OIDCAuthenticator) AuthenticateToken(ctx context.Context, rawtoken string) (*Claims, error)

AuthenticateToken will verify the validity of the provided token with the OIDC

func (*OIDCAuthenticator) Username 

func (o *OIDCAuthenticator) Username(claims *Claims) string

Username returns the configured unique id of the user

type Options 

type Options struct {
	// Expiration time in Unix format as per JWT standard
	Expiration int64

	// IATSubtract is the time duration you would like to remove from
	// the token IAT (Issue At Time). This is useful as a guard against
	// NTP drift within a cluster. Without this option, your token may
	// be denied due to the IAT being greater than the current time.
	IATSubtract time.Duration
}

Options provide any options to apply to the token

type Signature 

type Signature struct {
	Type jwt.SigningMethod
	Key  interface{}
}

Signature describes the signature type using definitions from the jwt package

func NewSignatureECDSA 

func NewSignatureECDSA(pem []byte) (*Signature, error)

func NewSignatureECDSAFromFile 

func NewSignatureECDSAFromFile(filename string) (*Signature, error)

func NewSignatureRSA 

func NewSignatureRSA(pem []byte) (*Signature, error)

func NewSignatureRSAFromFile 

func NewSignatureRSAFromFile(filename string) (*Signature, error)

func NewSignatureSharedSecret 

func NewSignatureSharedSecret(secret string) (*Signature, error)

type TokenGenerator 

type TokenGenerator interface {
	// GetToken returns a token which can be used for
	// authentication and communication from node to node.
	GetToken(opts *Options) (string, error)

	// Issuer returns the token issuer for this generator necessary
	// for registering the authenticator in the SDK.
	Issuer() string

	// GetAuthenticator returns an authenticator for this issuer used by the SDK
	GetAuthenticator() (Authenticator, error)
}

TokenGenerator allows for the creation of tokens

type UserInfo 

type UserInfo struct {
	// Username is the unique id of the user. According to the configuration of
	// the storage system, this could be the 'sub', 'name', or 'email' from
	// the claims in the token.
	Username string
	// Claims holds the claims required by the storage system
	Claims Claims
}

UserInfo contains information about the user taken from the token

func NewUserInfoFromContext 

func NewUserInfoFromContext(ctx context.Context) (*UserInfo, bool)

NewUserInfoFromContext returns user information in the context if available. If not available means that the system is running without auth.

type UsernameClaimType 

type UsernameClaimType string

UsernameClaimType holds the claims type to be use as the unique id for the user 

const (
	// default type is sub
	UsernameClaimTypeDefault UsernameClaimType = ""
	// UsernameClaimTypeSubject requests to use "sub" as the claims for the
	// ID of the user
	UsernameClaimTypeSubject UsernameClaimType = "sub"
	// UsernameClaimTypeEmail requests to use "name" as the claims for the
	// ID of the user
	UsernameClaimTypeEmail UsernameClaimType = "email"
	// UsernameClaimTypeName requests to use "name" as the claims for the
	// ID of the user
	UsernameClaimTypeName UsernameClaimType = "name"
)

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.