Constants ¶
// DefaultAnonymousAccess is the fallback access decision for a request that
// carries no authenticated user: denied. NOTE(review): by its name this is
// the filter's default when no explicit authorization is configured — confirm
// against Filter(restricted bool).
const DefaultAnonymousAccess = false

// DefaultAuthenticatedAccess is the fallback access decision for a request
// that carries an authenticated user: allowed. See the note on
// DefaultAnonymousAccess regarding where it is applied.
const DefaultAuthenticatedAccess = true
// FormRealm is the realm name used for login-form authentication.
const FormRealm = "Form"

// DefaultTemplate is the built-in login page. The {{.X}} placeholders are
// filled from a LoginFormConfiguration and the values passed to
// LoginForm.Generate.
//
// NOTE(review): {{.Error}} is emitted as page content and {{.Target}} as an
// attribute value. Whether these are escaped depends on the template package
// used to execute the string (html/template escapes contextually,
// text/template does not) — confirm at the execution site, especially since
// Target typically originates from the requested URL.
const DefaultTemplate = "<!DOCTYPE html>" +
	"<html lang=\"en\">" +
	"<head>" +
	" <meta charset=\"UTF-8\">" +
	" <title>{{.Title}}</title>" +
	"</head>" +
	"<body>" +
	"<h2>{{.Header}}</h2>" +
	"{{.Error}}" +
	"<form action=\"{{.Action}}\" method=\"post\">" +
	" <label for=\"{{.UsernameField}}\">{{.UsernameLabel}}</label><br>" +
	" <input type=\"text\" id=\"{{.UsernameField}}\" name=\"{{.UsernameField}}\"><br>" +
	" <label for=\"{{.PasswordField}}\">{{.PasswordLabel}}</label><br>" +
	" <input type=\"password\" id=\"{{.PasswordField}}\" name=\"{{.PasswordField}}\"><br><br>" +
	" <input type=\"hidden\" id=\"target\" name=\"{{.TargetField}}\" value=\"{{.Target}}\"><br><br>" +
	" <input type=\"submit\" value=\"{{.SubmitLabel}}\">" +
	"</form>" +
	"</body>" +
	"</html>"

// Default values for the LoginFormConfiguration fields referenced by
// DefaultTemplate.
const (
	// DefaultAction is the form's POST target.
	DefaultAction = "/login"
	// DefaultTitle and DefaultHeader are the page title and heading.
	DefaultTitle  = "Login"
	DefaultHeader = "Login"
	// Form field names used both as element ids and as POST parameter names.
	DefaultUsernameField = "username"
	DefaultPasswordField = "password"
	DefaultTargetField   = "target"
	// Visible labels.
	DefaultSubmitLabel   = "Login"
	DefaultUsernameLabel = "Username:"
	DefaultPasswordLabel = "Password:"
)

// DefaultErrorExpression is the fragment rendered in place of {{.Error}}
// when a login attempt fails; {{.Error}} here is the failure message.
// The escaping caveat on DefaultTemplate applies to it as well.
const DefaultErrorExpression = "<h1>Error: {{.Error}}</h1>"
// Format strings for building the OAuth2 authorization-code request.
//
// AuthorizationCodeUrl takes five %s arguments in order: the authorization
// endpoint, a scope fragment (empty or a formatted ScopesQueryParameter),
// the client id, the redirect uri and the state value.
//
// NOTE(review): the verbs perform no URL encoding, so the caller must
// query-escape redirect_uri and state before formatting; the state value
// should be unguessable and checked when the code comes back, as it is the
// request's CSRF protection. Confirm both at the call site.
const (
	AuthorizationCodeUrl = "%s?response_type=code%s&client_id=%s&redirect_uri=%s&state=%s"
	ScopesQueryParameter = "&scope=%s"
)

// Error values raised by the key-handling and claims-mapping code.
// InvalidClainsError keeps its existing (misspelled) name because it is part
// of the exported API.
const (
	// Key material problems (see JwKey).
	UnsupportedKeyType    = err.ErrorF("unsupported key type: %s")
	ModulusDecodingError  = err.ErrorF("error decoding key %s modulus: %v")
	ExponentDecodingError = err.ErrorF("error decoding key %s exponent: %v")
	// JWKS refresh problems (see OpenIdConfiguration.JwksUri).
	NoJwksUriError      = err.ErrorF("unable to refresh. no jwks uri provided")
	FailedToRefreshJwks = err.ErrorF("failed to refresh jwks: %v")
	// Claims rejected by a ClaimsMapper (see DefaultClaimsMapper).
	InvalidClainsError = err.ErrorF("invalid claims: %s")
)
// SSORealm is the realm name used for SSO (authorization-code) authentication.
const SSORealm = "SSO"

// DefaultAuthorizationReplyHandlerEndpoint is the path on which the SSO
// provider receives the identity provider's redirect carrying the
// authorization code (overridable via
// SSOAuthenticationProviderBuilder.AuthorizationReplyHandler).
const DefaultAuthorizationReplyHandlerEndpoint = "/sso/authorization"

// DefaultAuthenticatedEndpoint is the path a user is sent to after a
// successful SSO login when no requested URL is to be restored (overridable
// via SSOAuthenticationProviderBuilder.DefaultAuthenticatedEndpoint).
const DefaultAuthenticatedEndpoint = "/"
// Default realm names for the HTTP Basic and Bearer providers. Both builders
// expose Realm(string) to override them; the realm is what the filter places
// in the WWW-Authenticate challenge (see AuthenticationProvider.Challenge).
const (
	BasicRealm  = "Basic"
	BearerRealm = "Bearer"
)
Variables ¶
// Anonymous is the sentinel user returned by providers for requests that are
// allowed through without a known identity. It is a single package-level
// pointer shared by every request that resolves to it, so it must be treated
// as read-only: writing to its fields (for example from an OnAuthentication
// trigger or a UserEnrichmentFunction) would leak into all other anonymous
// requests.
var Anonymous = new(User)
Anonymous is a special user that is used to represent anonymous users. An authentication provider implementation may return the Anonymous user to indicate that the request is authenticated/allowed, but the user is not known. The authorization may still deny access to anonymous users.
// DefaultClaimsMapper is the ClaimsMapper used when none is configured. It
// builds a User from JWT claims:
//
//   - "sub" is required and must be a string; it becomes both OriginId and
//     Username.
//   - "iss", when present, must be a string and becomes Origin.
//   - "scope", when present, is converted through translateScopes.
//
// Data keeps a reference to the claims and Active is always true, so the
// mapper assumes the token's signature and validity window were already
// checked before it is called (NOTE(review): confirm at the call site).
// A nil claims pointer, a missing subject, or a non-string subject/issuer
// yields InvalidClainsError; an empty subject string is accepted as-is
// (NOTE(review): decide whether "" should be rejected).
var DefaultClaimsMapper = func(claims *jwt.MapClaims) (*User, error) {
	if claims == nil {
		return nil, InvalidClainsError.WithValues("no claims")
	}
	lookup := *claims

	rawSubject, hasSubject := lookup["sub"]
	if !hasSubject {
		return nil, InvalidClainsError.WithValues("claims has no subject")
	}
	subject, ok := rawSubject.(string)
	if !ok {
		return nil, InvalidClainsError.WithValues("subject is not a string")
	}

	user := &User{
		Data:     claims,
		Active:   true,
		OriginId: subject,
		Username: subject,
	}

	if rawIssuer, hasIssuer := lookup["iss"]; hasIssuer {
		issuer, ok := rawIssuer.(string)
		if !ok {
			return nil, InvalidClainsError.WithValues("issuer is not a string")
		}
		user.Origin = issuer
	}

	if rawScope, hasScope := lookup["scope"]; hasScope {
		scopes, scopeErr := translateScopes(rawScope)
		if scopeErr != nil {
			return nil, scopeErr
		}
		user.Scopes = scopes
	}

	return user, nil
}
// UserAttributeName is the attribute key under which the filter exposes the
// authenticated user (NOTE(review): presumably in the we.RequestScope passed
// to OnAuthentication triggers — confirm). It is a variable rather than a
// constant, so it can be overridden; any override must happen before filters
// are built, otherwise producers and consumers of the attribute disagree.
var UserAttributeName string = "WE-SEC-USER"
Types ¶
type AuthenticatedAuthorizationBuilder ¶
// AuthenticatedAuthorizationBuilder is the step reached from
// AuthenticatedSecurityFilterBuilder.Path: it decides the access rule for the
// paths just declared on a filter that already has authentication providers.
type AuthenticatedAuthorizationBuilder interface {
	// Authentication adds providers that apply to these paths and stays on
	// the authorization step.
	Authentication(...AuthenticationProvider) AuthenticatedAuthorizationBuilder
	// Authorize requires the given authorizations for these paths and
	// returns to the filter builder.
	Authorize(...Authorization) AuthenticatedSecurityFilterBuilder
	// Anonymous marks these paths as reachable without an authenticated
	// user (see the Anonymous variable) and returns to the filter builder.
	Anonymous() AuthenticatedSecurityFilterBuilder
}
type AuthenticatedSecurityFilterBuilder ¶
// AuthenticatedSecurityFilterBuilder is the filter builder once at least one
// AuthenticationProvider has been registered (reached via
// UnauthenticatedSecurityFilterBuilder.Authentication). From here paths can
// be declared and given an access rule, triggers can be attached, and the
// filter can be built.
type AuthenticatedSecurityFilterBuilder interface {
	// OnAuthentication registers callbacks invoked with the authenticated
	// user and the request scope.
	OnAuthentication(triggers ...func(*User, we.RequestScope)) AuthenticatedSecurityFilterBuilder
	// Path declares one or more paths whose access rule is chosen on the
	// returned builder.
	Path(paths ...string) AuthenticatedAuthorizationBuilder
	// Build produces the filter.
	Build() we.Filter
}
type AuthenticationProvider ¶
// AuthenticationProvider is implemented by every authentication scheme the
// filter can use (basic, bearer, login form, SSO). Several providers may be
// registered on one filter; each must answer for a distinct realm.
type AuthenticationProvider interface {
	// Realm returns the provider's authentication realm. Each provider should
	// authenticate users for a distinct realm within the same application; the
	// realm identifies the provider when checking whether a user is still
	// valid.
	Realm() string

	// Authenticate tries to authenticate the incoming request. The provider
	// extracts from the request whatever it needs. Three outcomes:
	//   - no credentials for this provider are present: nil user, nil error;
	//   - credentials are present but cannot be validated: an error;
	//   - success: a user and nil error.
	// The nil/nil outcome is what lets the filter fall through to the next
	// provider or to anonymous handling, so it must never be used for
	// credentials that were present and rejected.
	Authenticate(headers http.Header, scope we.RequestScope) (*User, error)

	// IsValid reports whether the given, previously authenticated user is
	// still authenticated.
	IsValid(user *User) bool

	// Challenge returns the challenge sent to the client in the
	// WWW-Authenticate header. It must not contain the realm, which the
	// filter adds. An empty challenge means the provider produces no
	// WWW-Authenticate response header.
	Challenge() string

	// Endpoints lists paths the provider wants the filter to handle
	// regardless of whether they fall under a protected path; typically only
	// SSO and login-form providers report any (see
	// DefaultAuthorizationReplyHandlerEndpoint and DefaultAction).
	Endpoints() []string
}
AuthenticationProvider is an interface for authentication provider implementations. Authentication providers can be added to a security filter to provide users that will be added to the request scope.
type Authorization ¶
func All ¶
func All(authorizations ...Authorization) Authorization
func Either ¶
func Either(authorizations ...Authorization) Authorization
type AuthorizationFunc ¶
func (AuthorizationFunc) IsAuthorized ¶
func (f AuthorizationFunc) IsAuthorized(user *User, scope we.RequestScope) bool
type BasicAuthenticationProviderBuilder ¶
// BasicAuthenticationProviderBuilder configures an HTTP Basic provider
// (obtained from BasicAuthenticationProvider). Basic credentials are sent
// with every request and are only base64-encoded, so the resulting provider
// should only be exposed over TLS.
type BasicAuthenticationProviderBuilder interface {
	// Realm overrides the realm reported by the provider (default
	// BasicRealm).
	Realm(string) BasicAuthenticationProviderBuilder
	// CredentialsProvider replaces the store against which username and
	// password are checked.
	CredentialsProvider(CredentialsProvider) BasicAuthenticationProviderBuilder
	// Build produces the provider.
	Build() AuthenticationProvider
}
func BasicAuthenticationProvider ¶
func BasicAuthenticationProvider(users ...User) BasicAuthenticationProviderBuilder
type BearerAndSsoProvider ¶
// BearerAndSsoProvider is what OpenIdIdentityProviderBuilder.Build returns: a
// single object that both introspects bearer tokens and drives the
// authorization-code flow. The two accessor methods hand out the same
// capabilities as separate values, for feeding to
// BearerAuthenticationProviderBuilder.Introspector and
// SSOAuthenticationProviderBuilder.AuthorizationCodeProvider respectively.
type BearerAndSsoProvider interface {
	// TokenIntrospector returns the bearer-token side of the provider.
	TokenIntrospector() TokenIntrospector
	// AuthorizationCodeProvider returns the SSO side of the provider.
	AuthorizationCodeProvider() AuthorizationCodeProvider

	TokenIntrospector
	AuthorizationCodeProvider
}
type BearerAuthenticationProviderBuilder ¶
// BearerAuthenticationProviderBuilder configures a bearer-token provider
// (obtained from BearerAuthenticationProvider). Tokens are resolved to users
// through the configured TokenIntrospector.
type BearerAuthenticationProviderBuilder interface {
	// Introspector sets the component that validates a token and maps it to
	// a user; without one the provider has no way to accept a token.
	Introspector(TokenIntrospector) BearerAuthenticationProviderBuilder
	// Realm overrides the realm reported by the provider (default
	// BearerRealm).
	Realm(string) BearerAuthenticationProviderBuilder
	// Challenge overrides the WWW-Authenticate challenge text (without the
	// realm; see AuthenticationProvider.Challenge).
	Challenge(string) BearerAuthenticationProviderBuilder
	// SessionsSupported toggles session support. NOTE(review): the exact
	// effect is not visible here; presumably whether a validated token may
	// establish a server-side session — confirm before relying on it.
	SessionsSupported(bool) BearerAuthenticationProviderBuilder
	// Build produces the provider.
	Build() AuthenticationProvider
}
func BearerAuthenticationProvider ¶
func BearerAuthenticationProvider() BearerAuthenticationProviderBuilder
type ClaimsMapper ¶
type CredentialsProvider ¶
// CredentialsProvider verifies username/password pairs for the basic and
// login-form providers.
type CredentialsProvider interface {
	// Authenticate checks the password for the user and returns the user on
	// success; an unknown user or a wrong password must yield an error, and
	// the two cases should not be distinguishable to the client.
	Authenticate(username, password string) (*User, error)
	// Get looks a user up by name without checking any secret; it must not
	// be used as an authentication step, only to read an already
	// authenticated user's record. Returns nil when the user is unknown
	// (NOTE(review): inferred from the pointer result — confirm).
	Get(username string) *User
}
func DefaultCredentialsProvider ¶
func DefaultCredentialsProvider(users ...User) CredentialsProvider
type CredentialsSource ¶
// CredentialsSource is a CredentialsProvider whose user set can be changed
// at runtime (see InMemoryCredentialsProvider).
type CredentialsSource interface {
	// Delete removes the named user and returns the removed record
	// (NOTE(review): presumably nil when absent — confirm).
	Delete(string) *User
	// Add stores a user and returns the stored record.
	Add(User) *User

	CredentialsProvider
}
func InMemoryCredentialsProvider ¶
func InMemoryCredentialsProvider(credentials ...User) CredentialsSource
type JwKey ¶
// JwKey is one entry of a JSON Web Key Set. Only RSA keys are supported;
// the field names follow RFC 7517.
type JwKey struct {
	// Id is the "kid" used to match a token header to a key.
	Id string `json:"kid"`
	// Type is the "kty"; anything other than RSA is rejected with
	// UnsupportedKeyType (inferred from that error's text — confirm).
	Type string `json:"kty"`
	// Algorithm is the "alg" the key is intended for.
	Algorithm string `json:"alg"`
	// Use is the "use" value (e.g. signing vs encryption).
	Use string `json:"use"`
	// Modulus and Exponent are the base64url-encoded RSA public key parts;
	// decoding failures surface as ModulusDecodingError /
	// ExponentDecodingError.
	Modulus  string `json:"n"`
	Exponent string `json:"e"`
	// Optional X.509 material. NOTE(review): nothing visible here validates
	// the certificate chain; treat X5C as informational unless the consumer
	// is known to verify it.
	X5TS256 string   `json:"x5t#S256,omitempty"`
	X5T     string   `json:"x5t,omitempty"`
	X5C     []string `json:"x5c,omitempty"`
}
JwKey represents a JSON Web Key for RSA keys (currently only RSA keys are supported).
type LoginForm ¶
// LoginForm renders the HTML login page used by the login-form provider
// (see DefaultLoginForm and CustomLoginForm).
type LoginForm interface {
	// Generate renders the page. The first argument is the failure message
	// to display (empty for a fresh form) and target is the URL to return to
	// after login. NOTE(review): the parameter is named "error", which
	// shadows the builtin type inside implementations that reuse the name;
	// renaming it (e.g. errorMessage) is interface-compatible. Both values
	// end up inside HTML, so the rendering must escape them (see the note on
	// DefaultTemplate).
	Generate(error string, target string) string
	// Configuration returns the field names and labels the form was built
	// with.
	Configuration() *LoginFormConfiguration
}
func CustomLoginForm ¶
func CustomLoginForm(configuration LoginFormConfiguration, customTemplate string) LoginForm
func DefaultLoginForm ¶
func DefaultLoginForm(configuration LoginFormConfiguration) LoginForm
type LoginFormAuthenticationProviderBuilder ¶
// LoginFormAuthenticationProviderBuilder configures a provider that
// authenticates via an HTML form (obtained from
// LoginFormAuthenticationProvider).
//
// NOTE(review): Realm and CredentialsProvider return
// BasicAuthenticationProviderBuilder, so once either is called the
// form-specific methods below are no longer reachable in the fluent chain;
// call them last, or change the return types in a future major version.
type LoginFormAuthenticationProviderBuilder interface {
	// LoginForm replaces the page renderer (default: DefaultLoginForm).
	LoginForm(LoginForm) LoginFormAuthenticationProviderBuilder
	// Required controls whether form authentication is mandatory for the
	// paths it guards (NOTE(review): exact semantics not visible — confirm).
	Required(bool) LoginFormAuthenticationProviderBuilder
	// RedirectToForm controls whether an unauthenticated request is
	// redirected to the form rather than answered directly.
	RedirectToForm(bool) LoginFormAuthenticationProviderBuilder
	// DefaultAuthenticatedRedirectionPath is where a user lands after login
	// when no target was carried in the form. NOTE(review): if a
	// request-supplied target is honoured instead, it should be restricted
	// to local paths to avoid open redirects.
	DefaultAuthenticatedRedirectionPath(string) LoginFormAuthenticationProviderBuilder

	// Realm overrides the realm (default FormRealm). See the chaining note
	// above.
	Realm(string) BasicAuthenticationProviderBuilder
	// CredentialsProvider replaces the credential store. See the chaining
	// note above.
	CredentialsProvider(CredentialsProvider) BasicAuthenticationProviderBuilder

	// Build produces the provider.
	Build() AuthenticationProvider
}
func LoginFormAuthenticationProvider ¶
func LoginFormAuthenticationProvider(users ...User) LoginFormAuthenticationProviderBuilder
type LoginFormConfiguration ¶
type OpenIdConfiguration ¶
// OpenIdConfiguration is the OpenID Connect discovery document; the JSON
// names follow OpenID Connect Discovery 1.0. It is presumably fetched from
// the path given to OpenIdIdentityProviderBuilder.OpenIdConfigurationEndpoint
// (confirm). Because JwksUri and the endpoints below are taken from this
// document, it must be retrieved over a verified TLS connection — a forged
// document would redirect token validation to attacker-chosen keys.
type OpenIdConfiguration struct {
	// Issuer is the "iss" value tokens from this provider are expected to
	// carry (compare DefaultClaimsMapper's Origin).
	Issuer string `json:"issuer"`
	// Endpoints used by the authorization-code flow and token handling.
	AuthorizationEndpoint                      string   `json:"authorization_endpoint"`
	TokenEndpoint                              string   `json:"token_endpoint"`
	TokenEndpointAuthMethodsSupported          []string `json:"token_endpoint_auth_methods_supported"`
	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported"`
	UserinfoEndpoint                           string   `json:"userinfo_endpoint"`
	// JwksUri is where signing keys (JwKey) are fetched from; its absence
	// surfaces as NoJwksUriError.
	JwksUri            string `json:"jwks_uri"`
	EndSessionEndpoint string `json:"end_session_endpoint"`
	// Capability advertisements.
	ScopesSupported                     []string `json:"scopes_supported"`
	ResponseTypesSupported              []string `json:"response_types_supported"`
	SubjectTypesSupported               []string `json:"subject_types_supported"`
	IdTokenSigningAlgValuesSupported    []string `json:"id_token_signing_alg_values_supported"`
	IdTokenEncryptionAlgValuesSupported []string `json:"id_token_encryption_alg_values_supported"`
	ClaimTypesSupported                 []string `json:"claim_types_supported"`
	ClaimsSupported                     []string `json:"claims_supported"`
	ClaimsParameterSupported            bool     `json:"claims_parameter_supported"`
	ServiceDocumentation                string   `json:"service_documentation"`
	UiLocalesSupported                  []string `json:"ui_locales_supported"`
	CodeChallengeMethodsSupported       []string `json:"code_challenge_methods_supported"`
}
type OpenIdIdentityProviderBuilder ¶
// OpenIdIdentityProviderBuilder configures an OpenID Connect identity
// provider (obtained from OpenIdIdentityProvider with the provider's base
// URL) and builds the combined BearerAndSsoProvider.
type OpenIdIdentityProviderBuilder interface {
	// Client sets the OAuth2 client id and secret. The secret is a
	// credential: source it from configuration, not from code.
	Client(client, secret string) OpenIdIdentityProviderBuilder
	// Scope adds scopes requested in the authorization-code flow (see
	// ScopesQueryParameter).
	Scope(scope ...string) OpenIdIdentityProviderBuilder

	// Discovery and endpoint overrides; paths are presumably relative to the
	// URL given to OpenIdIdentityProvider (confirm).
	OpenIdConfigurationEndpoint(path string) OpenIdIdentityProviderBuilder
	TokenEndpoint(path string) OpenIdIdentityProviderBuilder
	IntrospectionEndpoint(path string) OpenIdIdentityProviderBuilder
	JwksEndpoint(path string) OpenIdIdentityProviderBuilder

	// Jwks supplies signing keys statically instead of fetching them; the
	// keys then do not rotate with the provider.
	Jwks(jwks []JwKey) OpenIdIdentityProviderBuilder
	// JwtValidationFallback decides whether a token that cannot be validated
	// locally is sent to the introspection endpoint. NOTE(review): confirm
	// the fallback is only taken when local validation is impossible (no
	// key), not after a failed signature check.
	JwtValidationFallback(fallbackToIntrospection bool) OpenIdIdentityProviderBuilder
	// ClaimsMapper replaces DefaultClaimsMapper for turning claims into a
	// User.
	ClaimsMapper(mapper ClaimsMapper) OpenIdIdentityProviderBuilder
	// UserEnrichment registers a function run on the mapped user
	// (see the read-only caveat on Anonymous).
	UserEnrichment(function UserEnrichmentFunction) OpenIdIdentityProviderBuilder
	// Tls sets the TLS configuration for connections to the identity
	// provider. A config with InsecureSkipVerify would disable certificate
	// verification toward the party that issues tokens; keep it only for
	// tests.
	Tls(config *tls.Config) OpenIdIdentityProviderBuilder

	// Build produces the provider.
	Build() BearerAndSsoProvider
}
func OpenIdIdentityProvider ¶
func OpenIdIdentityProvider(openIdUrl string) OpenIdIdentityProviderBuilder
type SSOAuthenticationProviderBuilder ¶
// SSOAuthenticationProviderBuilder configures an authorization-code (SSO)
// provider (obtained from SSOAuthenticationProvider).
type SSOAuthenticationProviderBuilder interface {
	// AuthorizationCodeProvider sets the component that builds the
	// authorization request and exchanges the returned code (typically from
	// BearerAndSsoProvider.AuthorizationCodeProvider).
	AuthorizationCodeProvider(AuthorizationCodeProvider) SSOAuthenticationProviderBuilder
	// Realm overrides the realm (default SSORealm).
	Realm(string) SSOAuthenticationProviderBuilder

	// Address is this application's externally visible base address, used to
	// form the redirect_uri. DynamicAddress instead derives it per request
	// (NOTE(review): presumably from the incoming Host header — confirm; if
	// so the identity provider's redirect_uri allow-list is the only thing
	// preventing a client-chosen host from being used).
	Address(string) SSOAuthenticationProviderBuilder
	DynamicAddress(dynamic bool) SSOAuthenticationProviderBuilder
	// AuthorizationReplyHandler sets the path receiving the provider's
	// redirect (default DefaultAuthorizationReplyHandlerEndpoint).
	AuthorizationReplyHandler(string) SSOAuthenticationProviderBuilder

	// RedirectToRequestedUrl controls whether the user returns to the URL
	// originally requested after login; DefaultAuthenticatedEndpoint sets
	// the fallback destination (default DefaultAuthenticatedEndpoint).
	// NOTE(review): a remembered requested URL should be restricted to this
	// application's origin before redirecting.
	RedirectToRequestedUrl(redirect bool) SSOAuthenticationProviderBuilder
	DefaultAuthenticatedEndpoint(string) SSOAuthenticationProviderBuilder

	// Build produces the provider.
	Build() AuthenticationProvider
}
func SSOAuthenticationProvider ¶
func SSOAuthenticationProvider() SSOAuthenticationProviderBuilder
type TokenData ¶
// TokenData carries a bearer token together with whatever was learned about
// it. Which of the two optional parts is filled depends on how the token was
// validated (locally as a JWT, or via introspection) — presumably at least
// one is non-nil for an accepted token; confirm with the introspector.
type TokenData struct {
	// Raw is the token as presented by the client.
	Raw string
	// Claims holds the decoded JWT claims when the token was validated
	// locally; nil otherwise.
	Claims *jwt.MapClaims
	// Introspection holds the introspection response when the token was sent
	// to the introspection endpoint; nil otherwise.
	Introspection *TokenIntrospection
}
type TokenIntrospection ¶
// TokenIntrospection is an RFC 7662 introspection response. Fields tagged
// json:"-" are not decoded from the response; they are filled by the code
// that performs the introspection (presumably from the neighbouring raw
// fields — confirm).
type TokenIntrospection struct {
	// Raw is the response body and RawMap its generic decoding, for
	// consumers that need members not modelled below.
	Raw    []byte         `json:"-"`
	RawMap map[string]any `json:"-"`
	// Active is the only member RFC 7662 requires. A response that omits it
	// decodes as false, so an absent member correctly reads as "not active";
	// a token whose Active is false must not be accepted.
	Active bool `json:"active"`
	// Scope is kept as `any` because servers return either a space-separated
	// string or an array; Scopes is the normalised list.
	Scope  any      `json:"scope"`
	Scopes []string `json:"-"`
	ClientId string `json:"client_id"`
	Username string `json:"username"`
	Type     string `json:"token_type"`
	// Expiration, Issued and Starting are Unix-epoch seconds (exp/iat/nbf).
	Expiration int64 `json:"exp"`
	Issued     int64 `json:"iat"`
	Starting   int64 `json:"nbf"`
	Subject    string `json:"sub"`
	// Audience may be a single string or an array (as for "aud" in JWTs);
	// Audiences is the normalised list.
	Audience  any      `json:"aud"`
	Audiences []string `json:"-"`
	Issuer    string   `json:"iss"`
	TokenId   string   `json:"jti"`
}
type TokenIntrospector ¶
TokenIntrospector allows introspecting a bearer token and returning a user for it. If there is no way to translate the token into a user, an error must be returned.
type TokenResponse ¶
type UnauthenticatedAuthorizationBuilder ¶
// UnauthenticatedAuthorizationBuilder is the step reached from
// UnauthenticatedSecurityFilterBuilder.Path: it decides the access rule for
// the paths just declared on a filter that has no authentication providers
// yet. Adding providers here keeps the builder on the unauthenticated track,
// so the filter-level Authentication call (which switches to the
// authenticated builders) is still required for the filter as a whole.
type UnauthenticatedAuthorizationBuilder interface {
	// Authentication adds providers scoped to these paths and stays on the
	// authorization step.
	Authentication(...AuthenticationProvider) UnauthenticatedAuthorizationBuilder
	// Authorize requires the given authorizations for these paths and
	// returns to the filter builder.
	Authorize(...Authorization) UnauthenticatedSecurityFilterBuilder
	// Anonymous marks these paths as reachable without an authenticated
	// user and returns to the filter builder.
	Anonymous() UnauthenticatedSecurityFilterBuilder
}
type UnauthenticatedSecurityFilterBuilder ¶
// UnauthenticatedSecurityFilterBuilder is the initial builder returned by
// Filter. Registering providers with Authentication moves to the
// authenticated builder family; everything else stays here, and Build is
// available at any point. NOTE(review): whether a filter built without any
// provider denies or allows by default is governed by Filter's restricted
// flag together with DefaultAnonymousAccess — confirm the intended default
// in deployments.
type UnauthenticatedSecurityFilterBuilder interface {
	// Authentication adds providers to the whole filter and switches to the
	// authenticated builder.
	Authentication(...AuthenticationProvider) AuthenticatedSecurityFilterBuilder
	// OnAuthentication registers callbacks invoked with the authenticated
	// user and the request scope.
	OnAuthentication(triggers ...func(*User, we.RequestScope)) UnauthenticatedSecurityFilterBuilder
	// Path declares one or more paths whose access rule is chosen on the
	// returned builder.
	Path(paths ...string) UnauthenticatedAuthorizationBuilder
	// Build produces the filter.
	Build() we.Filter
}
func Filter ¶
func Filter(restricted bool) UnauthenticatedSecurityFilterBuilder