krakend-jose

JOSE component for the KrakenD framework

Constants

// Namespace keys for the two configuration blocks this package reads.
// Presumably these are the keys under which the validator and signer
// settings are looked up in a *config.EndpointConfig (see GetSignatureConfig
// and NewSigner, which return ErrNoValidatorCfg / ErrNoSignerCfg when a block
// is absent) — confirm against those functions.
const (
	// ValidatorNamespace selects the token-validation configuration block.
	ValidatorNamespace = "github.com/devopsfaith/krakend-jose/validator"
	// SignerNamespace selects the response-signing configuration block.
	SignerNamespace    = "github.com/devopsfaith/krakend-jose/signer"
)

Variables

// Errors reported by the JWK client while fetching signing keys.
var (
	// ErrInsecureJWKSource is returned when the JWK client would talk to the
	// JWK service over an insecure connection. NOTE(review): presumably this
	// is what DisableJWKSecurity / SecretProviderConfig.AllowInsecure bypass —
	// confirm in the client constructor; the error is the safe default.
	ErrInsecureJWKSource = errors.New("JWK client is using an insecure connection to the JWK service")
	// ErrPinnedKeyNotFound is returned when none of the configured pinned
	// fingerprints (see SecretProviderConfig.Fingerprints / DecodeFingerprints)
	// matched the JWK service — a pinning failure, not a transient error.
	ErrPinnedKeyNotFound = errors.New("JWK client did not find a pinned key")
)
// Configuration-lookup errors: the endpoint carries no block for the
// requested namespace (ValidatorNamespace / SignerNamespace).
var (
	// ErrNoValidatorCfg: no validator configuration was found for the endpoint.
	ErrNoValidatorCfg = errors.New("JOSE: no validator config")
	// ErrNoSignerCfg: no signer configuration was found for the endpoint.
	ErrNoSignerCfg    = errors.New("JOSE: no signer config")
)
// Key-cache errors and sentinels shared by the KeyCacher implementations.
var (
	// ErrNoKeyFound is returned by a cache Get when the requested key id is
	// not present. (The message text is part of the public behaviour; match
	// with errors.Is rather than on the string.)
	ErrNoKeyFound = errors.New("no Keys has been found")
	// ErrKeyExpired is returned by a cache Get when the key is cached but its
	// age exceeds the configured maximum (see MemoryKeyCacher.Get).
	ErrKeyExpired = errors.New("key exists but is expired")

	// Configuring with MaxKeyAgeNoCheck will skip key expiry check
	// NOTE(review): presumably this is the maxKeyAge value understood by
	// NewMemoryKeyCacher — confirm. Skipping the check means a cached key is
	// never re-fetched for age reasons, so key rotation at the JWK service is
	// only picked up through whatever other eviction the cache performs.
	MaxKeyAgeNoCheck = time.Duration(-1)
)

Functions

func CalculateHeadersToPropagate added in v1.3.0

func CalculateHeadersToPropagate(propagationCfg [][]string, claims map[string]interface{}) (map[string]string, error)

func CanAccess

func CanAccess(roleKey string, claims map[string]interface{}, required []string) bool

func CanAccessNested

func CanAccessNested(roleKey string, claims map[string]interface{}, required []string) bool

func CompoundX5TKeyIDGetter added in v1.3.0

func CompoundX5TKeyIDGetter(key *jose.JSONWebKey) string

CompoundX5TKeyIDGetter extracts the key id from the JSONWebKey as a compound string of the kid and the x5t

func CompoundX5TTokenKeyIDGetter added in v1.3.0

func CompoundX5TTokenKeyIDGetter(token *jwt.JSONWebToken) string

CompoundX5TTokenKeyIDGetter extracts the key id from the JSONWebToken as a compound string of the kid and the x5t

func DecodeFingerprints

func DecodeFingerprints(in []string) ([][]byte, error)

func DefaultKeyIDGetter added in v1.3.0

func DefaultKeyIDGetter(key *jose.JSONWebKey) string

DefaultKeyIDGetter returns the default kid as JSONWebKey key id

func DefaultTokenKeyIDGetter added in v1.3.0

func DefaultTokenKeyIDGetter(token *jwt.JSONWebToken) string

DefaultTokenKeyIDGetter returns the default kid as the JSONWebKey key id

func NewSigner

func NewSigner(cfg *config.EndpointConfig, te auth0.RequestTokenExtractor) (*SignerConfig, Signer, error)

func NewValidator

func NewValidator(signatureConfig *SignatureConfig, ef ExtractorFactory) (*auth0.JWTValidator, error)

func ScopesAllMatcher added in v1.3.0

func ScopesAllMatcher(scopesKey string, claims map[string]interface{}, requiredScopes []string) bool

func ScopesAnyMatcher added in v1.3.0

func ScopesAnyMatcher(scopesKey string, claims map[string]interface{}, requiredScopes []string) bool

func ScopesDefaultMatcher added in v1.3.0

func ScopesDefaultMatcher(scopesKey string, claims map[string]interface{}, requiredScopes []string) bool

func SignFields

func SignFields(keys []string, signer Signer, response *proxy.Response) error

func X5TKeyIDGetter added in v1.3.0

func X5TKeyIDGetter(key *jose.JSONWebKey) string

X5TKeyIDGetter extracts the key id from the JSONWebKey as the x5t

func X5TTokenKeyIDGetter added in v1.3.0

func X5TTokenKeyIDGetter(token *jwt.JSONWebToken) string

X5TTokenKeyIDGetter extracts the key id from the JSONWebToken as the x5t

Types

type ChainedRejecterFactory

// ChainedRejecterFactory is a RejecterFactory made of several factories; the
// rejecters they build are evaluated in order by the Rejecter its New method
// returns, stopping at the first rejection.
type ChainedRejecterFactory []RejecterFactory

ChainedRejecterFactory returns rejecters chaining every rejecter contained in the collection

func (ChainedRejecterFactory) New

New returns a chained rejecter that evaluates all the rejecters until v is rejected or the chain is finished

type Dialer

// Dialer is the connection dialer built by NewDialer from a
// SecretProviderConfig; it exposes DialContext and DialTLS. Presumably it is
// what applies the config's TLS settings (cipher suites, local CA, pinned
// fingerprints, AllowInsecure) when reaching the JWK service — confirm in
// NewDialer, since those fields are the only transport-related inputs visible.
type Dialer struct {
	// contains filtered or unexported fields
}

func NewDialer

func NewDialer(cfg SecretProviderConfig) *Dialer

func (*Dialer) DialContext

func (d *Dialer) DialContext(ctx context.Context, network, address string) (net.Conn, error)

func (*Dialer) DialTLS

func (d *Dialer) DialTLS(network, addr string) (net.Conn, error)

type ExtractorFactory

// ExtractorFactory builds, from a string key, a function that extracts the
// JWT from an incoming request. It is consumed by NewValidator. The meaning
// of the string is not visible here (presumably the cookie or header name,
// cf. SignatureConfig.CookieKey) — confirm with the caller.
type ExtractorFactory func(string) func(r *http.Request) (*jwt.JSONWebToken, error)

type FileKeyCacher added in v1.3.0

// FileKeyCacher is a key cache populated once from in-memory JWK data
// (NewFileKeyCacher(data, keyIdentifyStrategy)) rather than from the JWK
// service. Its Add method ignores the downloaded keys argument, so the set of
// keys it serves is fixed at construction time.
type FileKeyCacher struct {
	// contains filtered or unexported fields
}

func NewFileKeyCacher added in v1.3.0

func NewFileKeyCacher(data []byte, keyIdentifyStrategy string) (*FileKeyCacher, error)

func (*FileKeyCacher) Add added in v1.3.0

func (f *FileKeyCacher) Add(keyID string, _ []jose.JSONWebKey) (*jose.JSONWebKey, error)

func (*FileKeyCacher) Get added in v1.3.0

func (f *FileKeyCacher) Get(keyID string) (*jose.JSONWebKey, error)

type FixedRejecter

// FixedRejecter is a Rejecter whose Reject method ignores the claims and
// always returns the bool value of the rejecter itself.
type FixedRejecter bool

FixedRejecter is a rejecter that always returns the same bool response

func (FixedRejecter) Reject

func (f FixedRejecter) Reject(_ map[string]interface{}) bool

Reject returns f

type JWKClient added in v1.3.0

// JWKClient extends auth0.JWKClient (embedded) with a request token extractor
// and a key cacher, both supplied to NewJWKClientWithCache. Its GetSecret
// method satisfies the SecretProvider interface.
type JWKClient struct {
	*auth0.JWKClient
	// contains filtered or unexported fields
}

func NewJWKClientWithCache added in v1.3.0

func NewJWKClientWithCache(options JWKClientOptions, extractor auth0.RequestTokenExtractor, keyCacher auth0.KeyCacher) *JWKClient

NewJWKClientWithCache creates a new JWKClient instance from the provided options, custom extractor and key cacher. Passing nil as keyCacher will create a persistent key cacher. The extractor is also saved in the extended JWKClient.

func (*JWKClient) GetSecret added in v1.3.0

func (j *JWKClient) GetSecret(r *http.Request) (interface{}, error)

GetSecret implements the GetSecret method of the SecretProvider interface.

type JWKClientOptions added in v1.3.0

// JWKClientOptions are the auth0 JWK client options plus the key
// identification strategy used by this package.
type JWKClientOptions struct {
	auth0.JWKClientOptions
	// KeyIdentifyStrategy names how a key id is derived from a JWK / token
	// (see KeyIDGetterFactory and TokenIDGetterFactory). Accepted values are
	// not listed here — confirm in those factories.
	KeyIdentifyStrategy string
}

type KeyCacher added in v1.3.0

// KeyCacher caches JSON Web Keys by key id.
type KeyCacher interface {
	// Get returns the cached key for keyID, or an error (ErrNoKeyFound /
	// ErrKeyExpired are the errors declared in this package).
	Get(keyID string) (*jose.JSONWebKey, error)
	// Add stores the key identified by keyID out of a freshly downloaded key
	// set and returns it.
	Add(keyID string, webKeys []jose.JSONWebKey) (*jose.JSONWebKey, error)
}

func NewMemoryKeyCacher added in v1.3.0

func NewMemoryKeyCacher(maxKeyAge time.Duration, maxCacheSize int, keyIdentifyStrategy string) KeyCacher

NewMemoryKeyCacher creates a new KeyCacher with options to set the max age of cached keys and the max size of the cache.

type KeyIDGetter added in v1.3.0

// KeyIDGetter derives the identifier under which a JSON Web Key is cached
// and looked up (kid, x5t, or a compound of both — see the *KeyIDGetter funcs).
type KeyIDGetter interface {
	Get(*jose.JSONWebKey) string
}

KeyIDGetter extracts a key id from a JSONWebKey

func KeyIDGetterFactory added in v1.3.0

func KeyIDGetterFactory(keyIdentifyStrategy string) KeyIDGetter

type KeyIDGetterFunc added in v1.3.0

// KeyIDGetterFunc adapts a plain function to the KeyIDGetter interface; Get
// simply calls the function with the key.
type KeyIDGetterFunc func(*jose.JSONWebKey) string

KeyIDGetterFunc is a function type conforming to the KeyIDGetter interface.

func (KeyIDGetterFunc) Get added in v1.3.0

func (f KeyIDGetterFunc) Get(key *jose.JSONWebKey) string

Get calls f(key)

type MemoryKeyCacher added in v1.3.0

// MemoryKeyCacher is the in-memory KeyCacher built by NewMemoryKeyCacher. Its
// Add handles cache overflow against the configured max size, and its Get
// reports ErrKeyExpired for keys older than the configured max age (unless
// that age is MaxKeyAgeNoCheck).
type MemoryKeyCacher struct {
	// contains filtered or unexported fields
}

func (*MemoryKeyCacher) Add added in v1.3.0

func (mkc *MemoryKeyCacher) Add(keyID string, downloadedKeys []jose.JSONWebKey) (*jose.JSONWebKey, error)

Add adds a key into the cache and handles overflow

func (*MemoryKeyCacher) Get added in v1.3.0

func (mkc *MemoryKeyCacher) Get(keyID string) (*jose.JSONWebKey, error)

Get obtains a key from the cache, and checks if the key is expired

type NopRejecterFactory

// NopRejecterFactory builds rejecters that never reject: every token is
// accepted regardless of its claims.
type NopRejecterFactory struct{}

NopRejecterFactory is a factory returning rejecters accepting all the tokens

func (NopRejecterFactory) New

New returns a fixed rejecter that accepts all the tokens

type Rejecter

// Rejecter decides, from a token's claims, whether the token must be rejected.
type Rejecter interface {
	// Reject returns true when the token carrying these claims is to be refused.
	Reject(map[string]interface{}) bool
}

Rejecter defines the interface for the components responsible for rejecting tokens.

type RejecterFactory

// RejecterFactory builds a Rejecter for a given endpoint configuration.
type RejecterFactory interface {
	New(logging.Logger, *config.EndpointConfig) Rejecter
}

RejecterFactory is a builder for rejecters

type RejecterFactoryFunc

// RejecterFactoryFunc adapts a plain function to the RejecterFactory
// interface; New calls the function with the logger and endpoint config.
type RejecterFactoryFunc func(logging.Logger, *config.EndpointConfig) Rejecter

RejecterFactoryFunc is an adapter to use a function as rejecter factory

func (RejecterFactoryFunc) New

New calls f(l, cfg)

type RejecterFunc

// RejecterFunc adapts a plain function to the Rejecter interface; Reject
// calls the function with the claims.
type RejecterFunc func(map[string]interface{}) bool

RejecterFunc is an adapter to use functions as rejecters

func (RejecterFunc) Reject

func (r RejecterFunc) Reject(v map[string]interface{}) bool

Reject calls r(v)

type SecretProviderConfig

// SecretProviderConfig is the transport-level configuration for obtaining
// signing keys; it feeds NewDialer. Its fields mirror the jwk_* fields of
// SignatureConfig / SignerConfig in already-decoded form (Fingerprints here
// are bytes, produced by DecodeFingerprints from the hex strings there).
type SecretProviderConfig struct {
	// URI is the location of the JWK set.
	URI                 string
	// CacheEnabled / CacheDuration control caching of the fetched keys.
	CacheEnabled        bool
	CacheDuration       uint32
	// Fingerprints are the decoded pinned fingerprints; when non-empty the
	// JWK service must present a matching one or ErrPinnedKeyNotFound results.
	Fingerprints        [][]byte
	// Cs lists the TLS cipher suites allowed towards the JWK service.
	Cs                  []uint16
	// LocalCA is the path of a CA bundle trusted for the JWK service
	// (presumably — the page shows only the name; confirm in NewDialer).
	LocalCA             string
	// AllowInsecure permits a non-TLS JWK source; when false the insecure case
	// is presumably surfaced as ErrInsecureJWKSource — confirm.
	AllowInsecure       bool
	// LocalPath is the path of a local JWK file (see FileKeyCacher).
	LocalPath           string
	// SecretURL / CipherKey configure an externally stored, encrypted secret;
	// how they are used is not visible on this page — confirm before relying
	// on them.
	SecretURL           string
	CipherKey           []byte
	// KeyIdentifyStrategy selects the KeyIDGetter / TokenIDGetter
	// (KeyIDGetterFactory, TokenIDGetterFactory).
	KeyIdentifyStrategy string
}

type SignatureConfig

// SignatureConfig is the per-endpoint token validation configuration,
// decoded from the ValidatorNamespace block by GetSignatureConfig and turned
// into a validator by NewValidator. JSON tags are the public configuration
// keys and must not be renamed (note the existing "cypher_key" spelling).
type SignatureConfig struct {
	// Alg is the JWS algorithm name. NOTE(review): presumably the only
	// algorithm accepted for incoming tokens — confirm in NewValidator.
	Alg                     string     `json:"alg"`
	// URI is the JWK set URL used to obtain verification keys.
	URI                     string     `json:"jwk-url"`
	// CacheEnabled / CacheDuration control caching of the fetched JWK set.
	CacheEnabled            bool       `json:"cache,omitempty"`
	CacheDuration           uint32     `json:"cache_duration,omitempty"`
	// Issuer and Audience are presumably matched against the iss/aud claims
	// of incoming tokens — confirm in NewValidator.
	Issuer                  string     `json:"issuer,omitempty"`
	Audience                []string   `json:"audience,omitempty"`
	// Roles are the required roles; RolesKey is the claim holding the
	// token's roles and RolesKeyIsNested selects CanAccessNested over
	// CanAccess (both take roleKey, claims, required).
	Roles                   []string   `json:"roles,omitempty"`
	// PropagateClaimsToHeader is the [][]string passed to
	// CalculateHeadersToPropagate to copy claims into request headers.
	PropagateClaimsToHeader [][]string `json:"propagate-claims,omitempty"`
	RolesKey                string     `json:"roles_key,omitempty"`
	RolesKeyIsNested        bool       `json:"roles_key_is_nested,omitempty"`
	// CookieKey presumably names the cookie the token is extracted from
	// (cf. ExtractorFactory) — confirm.
	CookieKey               string     `json:"cookie_key,omitempty"`
	// CipherSuites restricts TLS cipher suites towards the JWK service.
	CipherSuites            []uint16   `json:"cipher_suites,omitempty"`
	// DisableJWKSecurity presumably maps to SecretProviderConfig.AllowInsecure
	// and suppresses ErrInsecureJWKSource — confirm. Deliberately no omitempty,
	// so the setting is always explicit in serialized form.
	DisableJWKSecurity      bool       `json:"disable_jwk_security"`
	// Fingerprints are pinned-key fingerprints as strings; DecodeFingerprints
	// converts them to the [][]byte SecretProviderConfig expects.
	Fingerprints            []string   `json:"jwk_fingerprints,omitempty"`
	// LocalCA / LocalPath: CA bundle for the JWK service and local JWK file.
	LocalCA                 string     `json:"jwk_local_ca,omitempty"`
	LocalPath               string     `json:"jwk_local_path,omitempty"`
	// SecretURL / CipherKey configure an externally stored, encrypted secret
	// (usage not visible on this page).
	SecretURL               string     `json:"secret_url,omitempty"`
	CipherKey               []byte     `json:"cypher_key,omitempty"`
	// Scopes are the required scopes, ScopesKey the claim holding the token's
	// scopes, and ScopesMatcher selects among ScopesAllMatcher,
	// ScopesAnyMatcher and ScopesDefaultMatcher (exact values not shown here).
	Scopes                  []string   `json:"scopes,omitempty"`
	ScopesKey               string     `json:"scopes_key,omitempty"`
	ScopesMatcher           string     `json:"scopes_matcher,omitempty"`
	// KeyIdentifyStrategy selects the key id strategy (KeyIDGetterFactory,
	// TokenIDGetterFactory).
	KeyIdentifyStrategy     string     `json:"key_identify_strategy"`
}

func GetSignatureConfig

func GetSignatureConfig(cfg *config.EndpointConfig) (*SignatureConfig, error)

type Signer

// Signer turns a payload into its signed string form. It is produced by
// NewSigner and applied to selected response fields by SignFields; the
// returned string is presumably the serialized JWS — confirm in NewSigner.
type Signer func(interface{}) (string, error)

type SignerConfig

// SignerConfig is the per-endpoint response-signing configuration, decoded
// from the SignerNamespace block by NewSigner. JSON tags are the public
// configuration keys and must not be renamed (note the existing "cypher_key"
// spelling, shared with SignatureConfig).
type SignerConfig struct {
	// Alg is the JWS algorithm name and KeyID the kid of the signing key,
	// which is looked up in the JWK set at URI.
	Alg                string   `json:"alg"`
	KeyID              string   `json:"kid"`
	URI                string   `json:"jwk-url"`
	// FullSerialization presumably selects JSON (full) over compact JWS
	// serialization — confirm in NewSigner.
	FullSerialization  bool     `json:"full,omitempty"`
	// KeysToSign lists the response fields passed to SignFields.
	KeysToSign         []string `json:"keys-to-sign,omitempty"`
	// CipherSuites, DisableJWKSecurity, Fingerprints, LocalCA, LocalPath,
	// SecretURL and CipherKey configure access to the JWK service exactly as
	// the same-named fields of SignatureConfig do.
	CipherSuites       []uint16 `json:"cipher_suites,omitempty"`
	DisableJWKSecurity bool     `json:"disable_jwk_security"`
	Fingerprints       []string `json:"jwk_fingerprints,omitempty"`
	LocalCA            string   `json:"jwk_local_ca,omitempty"`
	LocalPath          string   `json:"jwk_local_path,omitempty"`
	SecretURL          string   `json:"secret_url,omitempty"`
	CipherKey          []byte   `json:"cypher_key,omitempty"`
}

type TokenIDGetter added in v1.3.0

// TokenIDGetter derives, from a token's header, the key id used to look up
// its verification key; it must agree with the KeyIDGetter used to populate
// the cache (both are selected by the same keyIdentifyStrategy).
type TokenIDGetter interface {
	Get(*jwt.JSONWebToken) string
}

TokenIDGetter extracts the keyID from the JSON web token

func TokenIDGetterFactory added in v1.3.0

func TokenIDGetterFactory(keyIdentifyStrategy string) TokenIDGetter

TokenIDGetterFactory returns the TokenIDGetter from the keyIdentifyStrategy configuration string

type TokenKeyIDGetterFunc added in v1.3.0

// TokenKeyIDGetterFunc adapts a plain function to the TokenIDGetter
// interface; Get simply calls the function with the token.
type TokenKeyIDGetterFunc func(*jwt.JSONWebToken) string

TokenKeyIDGetterFunc is a function type conforming to the TokenIDGetter interface.

func (TokenKeyIDGetterFunc) Get added in v1.3.0

Get calls f(token)
