jose

package module
Version: v1.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 21, 2021 License: Apache-2.0 Imports: 22 Imported by: 3

README

krakend-jose

JOSE component for the KrakenD framework

Documentation

Index

Constants

View Source
const (
	ValidatorNamespace = "github.com/devopsfaith/krakend-jose/validator"
	SignerNamespace    = "github.com/devopsfaith/krakend-jose/signer"
)

Variables

View Source
var (
	ErrInsecureJWKSource = errors.New("JWK client is using an insecure connection to the JWK service")
	ErrPinnedKeyNotFound = errors.New("JWK client did not find a pinned key")
)
View Source
var (
	ErrNoValidatorCfg = errors.New("JOSE: no validator config")
	ErrNoSignerCfg    = errors.New("JOSE: no signer config")
)
View Source
var (
	ErrNoKeyFound = errors.New("no Keys has been found")
	ErrKeyExpired = errors.New("key exists but is expired")

	// Configuring with MaxKeyAgeNoCheck will skip key expiry check
	MaxKeyAgeNoCheck = time.Duration(-1)
)

Functions

func CalculateHeadersToPropagate added in v1.3.0

func CalculateHeadersToPropagate(propagationCfg [][]string, claims map[string]interface{}) (map[string]string, error)

func CanAccess

func CanAccess(roleKey string, claims map[string]interface{}, required []string) bool

func CanAccessNested

func CanAccessNested(roleKey string, claims map[string]interface{}, required []string) bool

func CompoundX5TKeyIDGetter added in v1.3.0

func CompoundX5TKeyIDGetter(key *jose.JSONWebKey) string

CompoundX5TKeyIDGetter extracts the key id from the jSONWebKey as the a compound string of the kid and the x5t

func CompoundX5TTokenKeyIDGetter added in v1.3.0

func CompoundX5TTokenKeyIDGetter(token *jwt.JSONWebToken) string

CompoundX5TTokenKeyIDGetter extracts the key id from the jSONWebToken as a compound string of the kid and x5t

func DecodeFingerprints

func DecodeFingerprints(in []string) ([][]byte, error)

func DefaultKeyIDGetter added in v1.3.0

func DefaultKeyIDGetter(key *jose.JSONWebKey) string

DefaultKeyIDGetter returns the default kid as JSONWebKey key id

func DefaultTokenKeyIDGetter added in v1.3.0

func DefaultTokenKeyIDGetter(token *jwt.JSONWebToken) string

DefaultTokenKeyIDGetter returns the default kid as the JSONWebKey key id

func NewSigner

func NewSigner(cfg *config.EndpointConfig, te auth0.RequestTokenExtractor) (*SignerConfig, Signer, error)

func NewValidator

func NewValidator(signatureConfig *SignatureConfig, ef ExtractorFactory) (*auth0.JWTValidator, error)

func ScopesAllMatcher added in v1.3.0

func ScopesAllMatcher(scopesKey string, claims map[string]interface{}, requiredScopes []string) bool

func ScopesAnyMatcher added in v1.3.0

func ScopesAnyMatcher(scopesKey string, claims map[string]interface{}, requiredScopes []string) bool

func ScopesDefaultMatcher added in v1.3.0

func ScopesDefaultMatcher(scopesKey string, claims map[string]interface{}, requiredScopes []string) bool

func SignFields

func SignFields(keys []string, signer Signer, response *proxy.Response) error

func X5TKeyIDGetter added in v1.3.0

func X5TKeyIDGetter(key *jose.JSONWebKey) string

X5TKeyIDGetter extracts the key id from the jSONWebKey as the x5t

func X5TTokenKeyIDGetter added in v1.3.0

func X5TTokenKeyIDGetter(token *jwt.JSONWebToken) string

X5TTokenKeyIDGetter extracts the key id from the jSONWebToken as the x5t

Types

type ChainedRejecterFactory

type ChainedRejecterFactory []RejecterFactory

ChainedRejecterFactory returns rejecters chaining every rejecter contained in tne collection

func (ChainedRejecterFactory) New

New returns a chainned rejected that evaluates all the rejecters until v is rejected or the chain is finished

type Claims added in v1.4.0

type Claims map[string]interface{}

func (Claims) Get added in v1.4.0

func (c Claims) Get(name string) (string, bool)

type Dialer

type Dialer struct {
	// contains filtered or unexported fields
}

func NewDialer

func NewDialer(cfg SecretProviderConfig) *Dialer

func (*Dialer) DialContext

func (d *Dialer) DialContext(ctx context.Context, network, address string) (net.Conn, error)

func (*Dialer) DialTLS

func (d *Dialer) DialTLS(network, addr string) (net.Conn, error)

type ExtractorFactory

type ExtractorFactory func(string) func(r *http.Request) (*jwt.JSONWebToken, error)

type FileKeyCacher added in v1.3.0

type FileKeyCacher struct {
	// contains filtered or unexported fields
}

func NewFileKeyCacher added in v1.3.0

func NewFileKeyCacher(data []byte, keyIdentifyStrategy string) (*FileKeyCacher, error)

func (*FileKeyCacher) Add added in v1.3.0

func (f *FileKeyCacher) Add(keyID string, _ []jose.JSONWebKey) (*jose.JSONWebKey, error)

func (*FileKeyCacher) Get added in v1.3.0

func (f *FileKeyCacher) Get(keyID string) (*jose.JSONWebKey, error)

type FixedRejecter

type FixedRejecter bool

FixedRejecter is a rejecter that always returns the same bool response

func (FixedRejecter) Reject

func (f FixedRejecter) Reject(_ map[string]interface{}) bool

Reject returns f

type JWKClient added in v1.3.0

type JWKClient struct {
	*auth0.JWKClient
	// contains filtered or unexported fields
}

func NewJWKClientWithCache added in v1.3.0

func NewJWKClientWithCache(options JWKClientOptions, extractor auth0.RequestTokenExtractor, keyCacher auth0.KeyCacher) *JWKClient

NewJWKClientWithCache creates a new JWKClient instance from the provided options and custom extractor and keycacher. Passing nil to keyCacher will create a persistent key cacher. the extractor is also saved in the extended JWKClient.

func (*JWKClient) GetSecret added in v1.3.0

func (j *JWKClient) GetSecret(r *http.Request) (interface{}, error)

GetSecret implements the GetSecret method of the SecretProvider interface.

type JWKClientOptions added in v1.3.0

type JWKClientOptions struct {
	auth0.JWKClientOptions
	KeyIdentifyStrategy string
}

type KeyCacher added in v1.3.0

type KeyCacher interface {
	Get(keyID string) (*jose.JSONWebKey, error)
	Add(keyID string, webKeys []jose.JSONWebKey) (*jose.JSONWebKey, error)
}

func NewMemoryKeyCacher added in v1.3.0

func NewMemoryKeyCacher(maxKeyAge time.Duration, maxCacheSize int, keyIdentifyStrategy string) KeyCacher

NewMemoryKeyCacher creates a new Keycacher interface with option to set max age of cached keys and max size of the cache.

type KeyIDGetter added in v1.3.0

type KeyIDGetter interface {
	Get(*jose.JSONWebKey) string
}

KeyIDGetter extracts a key id from a JSONWebKey

func KeyIDGetterFactory added in v1.3.0

func KeyIDGetterFactory(keyIdentifyStrategy string) KeyIDGetter

type KeyIDGetterFunc added in v1.3.0

type KeyIDGetterFunc func(*jose.JSONWebKey) string

KeyIDGetterFunc function conforming to the KeyIDGetter interface.

func (KeyIDGetterFunc) Get added in v1.3.0

func (f KeyIDGetterFunc) Get(key *jose.JSONWebKey) string

Get calls f(r)

type MemoryKeyCacher added in v1.3.0

type MemoryKeyCacher struct {
	// contains filtered or unexported fields
}

func (*MemoryKeyCacher) Add added in v1.3.0

func (mkc *MemoryKeyCacher) Add(keyID string, downloadedKeys []jose.JSONWebKey) (*jose.JSONWebKey, error)

Add adds a key into the cache and handles overflow

func (*MemoryKeyCacher) Get added in v1.3.0

func (mkc *MemoryKeyCacher) Get(keyID string) (*jose.JSONWebKey, error)

Get obtains a key from the cache, and checks if the key is expired

type NopRejecterFactory

type NopRejecterFactory struct{}

NopRejecterFactory is a factory returning rejecters accepting all the tokens

func (NopRejecterFactory) New

New returns a fixed rejecter that accepts all the tokens

type Rejecter

type Rejecter interface {
	Reject(map[string]interface{}) bool
}

Rejecter defines the interface for the components responsible for rejecting tokens.

type RejecterFactory

type RejecterFactory interface {
	New(logging.Logger, *config.EndpointConfig) Rejecter
}

RejecterFactory is a builder for rejecters

type RejecterFactoryFunc

type RejecterFactoryFunc func(logging.Logger, *config.EndpointConfig) Rejecter

RejecterFactoryFunc is an adapter to use a function as rejecter factory

func (RejecterFactoryFunc) New

New calls f(l, cfg)

type RejecterFunc

type RejecterFunc func(map[string]interface{}) bool

RejecterFunc is an adapter to use functions as rejecters

func (RejecterFunc) Reject

func (r RejecterFunc) Reject(v map[string]interface{}) bool

Reject calls r(v)

type SecretProviderConfig

type SecretProviderConfig struct {
	URI                 string
	CacheEnabled        bool
	CacheDuration       uint32
	Fingerprints        [][]byte
	Cs                  []uint16
	LocalCA             string
	AllowInsecure       bool
	LocalPath           string
	SecretURL           string
	CipherKey           []byte
	KeyIdentifyStrategy string
}

type SignatureConfig

type SignatureConfig struct {
	Alg                     string     `json:"alg"`
	URI                     string     `json:"jwk-url"`
	CacheEnabled            bool       `json:"cache,omitempty"`
	CacheDuration           uint32     `json:"cache_duration,omitempty"`
	Issuer                  string     `json:"issuer,omitempty"`
	Audience                []string   `json:"audience,omitempty"`
	Roles                   []string   `json:"roles,omitempty"`
	PropagateClaimsToHeader [][]string `json:"propagate-claims,omitempty"`
	RolesKey                string     `json:"roles_key,omitempty"`
	RolesKeyIsNested        bool       `json:"roles_key_is_nested,omitempty"`
	CookieKey               string     `json:"cookie_key,omitempty"`
	CipherSuites            []uint16   `json:"cipher_suites,omitempty"`
	DisableJWKSecurity      bool       `json:"disable_jwk_security"`
	Fingerprints            []string   `json:"jwk_fingerprints,omitempty"`
	LocalCA                 string     `json:"jwk_local_ca,omitempty"`
	LocalPath               string     `json:"jwk_local_path,omitempty"`
	SecretURL               string     `json:"secret_url,omitempty"`
	CipherKey               []byte     `json:"cypher_key,omitempty"`
	Scopes                  []string   `json:"scopes,omitempty"`
	ScopesKey               string     `json:"scopes_key,omitempty"`
	ScopesMatcher           string     `json:"scopes_matcher,omitempty"`
	KeyIdentifyStrategy     string     `json:"key_identify_strategy"`
}

func GetSignatureConfig

func GetSignatureConfig(cfg *config.EndpointConfig) (*SignatureConfig, error)

type Signer

type Signer func(interface{}) (string, error)

type SignerConfig

type SignerConfig struct {
	Alg                string   `json:"alg"`
	KeyID              string   `json:"kid"`
	URI                string   `json:"jwk-url"`
	FullSerialization  bool     `json:"full,omitempty"`
	KeysToSign         []string `json:"keys-to-sign,omitempty"`
	CipherSuites       []uint16 `json:"cipher_suites,omitempty"`
	DisableJWKSecurity bool     `json:"disable_jwk_security"`
	Fingerprints       []string `json:"jwk_fingerprints,omitempty"`
	LocalCA            string   `json:"jwk_local_ca,omitempty"`
	LocalPath          string   `json:"jwk_local_path,omitempty"`
	SecretURL          string   `json:"secret_url,omitempty"`
	CipherKey          []byte   `json:"cypher_key,omitempty"`
}

type TokenIDGetter added in v1.3.0

type TokenIDGetter interface {
	Get(*jwt.JSONWebToken) string
}

TokenIDGetter extracts the keyID from the JSON web token

func TokenIDGetterFactory added in v1.3.0

func TokenIDGetterFactory(keyIdentifyStrategy string) TokenIDGetter

TokenIDGetterFactory returns the TokenIDGetter from the keyIdentifyStrategy configuration string

type TokenKeyIDGetterFunc added in v1.3.0

type TokenKeyIDGetterFunc func(*jwt.JSONWebToken) string

TokenKeyIDGetterFunc function conforming to the TokenIDGetter interface.

func (TokenKeyIDGetterFunc) Get added in v1.3.0

Extract calls f(r)

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL