Documentation ¶
Overview ¶
Package x509 provides a request authenticator that validates and extracts user information from client certificates
Index ¶
Constants ¶
This section is empty.
Variables ¶
var CommonNameUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (user.Info, bool, error) { if len(chain[0].Subject.CommonName) == 0 { return nil, false, nil } return &user.DefaultInfo{ Name: chain[0].Subject.CommonName, Groups: chain[0].Subject.Organization, }, true, nil })
CommonNameUserConversion builds user info from a certificate chain using the subject's CommonName
var DNSNameUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (user.Info, bool, error) { if len(chain[0].DNSNames) == 0 { return nil, false, nil } return &user.DefaultInfo{Name: chain[0].DNSNames[0]}, true, nil })
DNSNameUserConversion builds user info from a certificate chain using the first DNSName on the certificate
var EmailAddressUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (user.Info, bool, error) { var emailAddressOID asn1.ObjectIdentifier = []int{1, 2, 840, 113549, 1, 9, 1} if len(chain[0].EmailAddresses) == 0 { for _, name := range chain[0].Subject.Names { if name.Type.Equal(emailAddressOID) { return &user.DefaultInfo{Name: name.Value.(string)}, true, nil } } return nil, false, nil } return &user.DefaultInfo{Name: chain[0].EmailAddresses[0]}, true, nil })
EmailAddressUserConversion builds user info from a certificate chain using the first EmailAddress on the certificate
Functions ¶
func DefaultVerifyOptions ¶
func DefaultVerifyOptions() x509.VerifyOptions
DefaultVerifyOptions returns VerifyOptions that use the system root certificates, current time, and requires certificates to be valid for client auth (x509.ExtKeyUsageClientAuth)
func NewVerifier ¶ added in v1.5.1
func NewVerifier(opts x509.VerifyOptions, auth authenticator.Request, allowedCommonNames sets.String) authenticator.Request
NewVerifier create a request.Authenticator by verifying a client cert on the request, then delegating to the wrapped auth
Types ¶
type Authenticator ¶
type Authenticator struct {
// contains filtered or unexported fields
}
Authenticator implements request.Authenticator by extracting user info from verified client certificates
func New ¶
func New(opts x509.VerifyOptions, user UserConversion) *Authenticator
New returns a request.Authenticator that verifies client certificates using the provided VerifyOptions, and converts valid certificate chains into user.Info using the provided UserConversion
func (*Authenticator) AuthenticateRequest ¶
AuthenticateRequest authenticates the request using presented client certificates
type UserConversion ¶
UserConversion defines an interface for extracting user info from a client certificate chain
type UserConversionFunc ¶
UserConversionFunc is a function that implements the UserConversion interface.
func (UserConversionFunc) User ¶
func (f UserConversionFunc) User(chain []*x509.Certificate) (user.Info, bool, error)
User implements x509.UserConversion