package util

v1.3.0 (this package is not in the latest version of its module)

Published: Jul 19, 2022 License: Apache-2.0 Imports: 26 Imported by: 3

Documentation

Overview

Copyright 2020 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Contains authorization handler functions.

browser implements helper functions to interact with the OS's default internet browser. macOS, Windows and Linux are the only supported operating systems.

clientIdFile implements several helper functions (wrapping the google package) to manipulate the OAuth Client ID file.

loopback implements an authorization code localhost server that handles 3LO loopback flows (see the AuthorizationCodeServer interface).

Index

Constants

const (
	SERVER_STATUS_ENDPOINT_URL   = "/status/get"
	SERVER_LOOPBACK_ENDPOINT_URL = "/"
)

Loopback server endpoints.

const CacheFileName = ".oauth2l"

const IamServiceAccountAccessTokenURL = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateAccessToken"

IamServiceAccountAccessTokenURL is used for generating an access token for a Service Account.

const StsURL = "https://securetoken.googleapis.com/v1alpha2/identitybindingtoken"

StsURL is Google's Secure Token Service endpoint used for obtaining an STS token. TODO (andyzhao): Replace with https://sts.googleapis.com/v1/token when ready.

Variables

var AuthTypeAPIKey = "apikey"
var AuthTypeJWT = "jwt"
var AuthTypeOAuth = "oauth"
var AuthTypeSSO = "sso"
var DefaultScope = "https://www.googleapis.com/auth/cloud-platform"
var WebDirectory string = filepath.Join(GuessUnixHomeDir(), defaultWebPackageName)

Functions

func BuildHeader

func BuildHeader(tokenType string, token string) string

Returns the given token in standard header format.

func BuildRefreshTokenJSON added in v1.2.0

func BuildRefreshTokenJSON(refreshToken string, creds *google.Credentials) string

BuildRefreshTokenJSON attempts to construct a gcloud refresh token JSON using a refreshToken and an OAuth Client ID Credentials object. Empty string is returned if this is not possible.

func ClearCache

func ClearCache() error

func Curl

func Curl(settings *Settings, taskSettings *TaskSettings)

Fetches a token with the given settings using Google Authenticator and uses the token as a header to make a curl request.

func CurlCommand

func CurlCommand(cli string, header string, url string, extraArgs ...string)

Executes curl command with provided header and params.

func EncodeClaims added in v1.1.0

func EncodeClaims(settings *Settings) string

EncodeClaims base64-encodes the supported STS claims in settings.

func Fetch

func Fetch(settings *Settings, taskSettings *TaskSettings)

Fetches and prints the token in plain text with the given settings using Google Authenticator.

func FetchToken added in v1.2.0

func FetchToken(ctx context.Context, settings *Settings) (*oauth2.Token, error)

Returns a token from the given settings. Returns nil for API keys.

func FindJSONCredentials added in v1.2.0

func FindJSONCredentials(ctx context.Context, settings *Settings) (*google.Credentials, error)

FindJSONCredentials obtains credentials from settings or from Application Default Credentials.

func GeneratePKCEParams added in v1.3.0

func GeneratePKCEParams() *authhandler.PKCEParams

GeneratePKCEParams generates a unique PKCE challenge and verifier combination, using a UUID, a SHA256 hash, and base64 URL encoding with no padding.
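The S256 derivation that GeneratePKCEParams performs, as an added example that is not oauth2l's own code: the verifier is random, the challenge is the unpadded base64url encoding of its SHA-256 hash, and the token endpoint later recomputes the challenge from the verifier it receives. The verifier here comes from 32 bytes of crypto/rand rather than a UUID (an assumption; RFC 7636 permits either), and PKCEParams is a local stand-in for the authhandler type's fields.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// PKCEParams mirrors the fields of authhandler.PKCEParams (an assumption about
// that type's shape; only the values matter for this example).
type PKCEParams struct {
	Challenge       string
	ChallengeMethod string
	Verifier        string
}

// ChallengeFor computes code_challenge = BASE64URL(SHA256(verifier)) with the
// padding stripped, which is the S256 method of RFC 7636.
func ChallengeFor(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// GeneratePKCE builds a fresh verifier/challenge pair. The page's
// GeneratePKCEParams derives the verifier from a UUID; this example draws
// 32 bytes from crypto/rand instead (an assumption), which base64url-encodes
// to a 43-character verifier, the RFC 7636 minimum length.
func GeneratePKCE() (*PKCEParams, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	verifier := base64.RawURLEncoding.EncodeToString(raw)
	return &PKCEParams{
		Challenge:       ChallengeFor(verifier),
		ChallengeMethod: "S256",
		Verifier:        verifier,
	}, nil
}

// VerifyPKCE is the check the token endpoint performs: the verifier sent with
// the token request must hash to the challenge received with the authorization
// request. The RFC 7636 length bounds (43..128) are enforced before hashing.
func VerifyPKCE(challenge, verifier string) bool {
	if len(verifier) < 43 || len(verifier) > 128 {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(ChallengeFor(verifier)), []byte(challenge)) == 1
}

func main() {
	p, err := GeneratePKCE()
	if err != nil {
		panic(err)
	}
	fmt.Printf("verifier:  %s\nchallenge: %s (%s)\n", p.Verifier, p.Challenge, p.ChallengeMethod)
	fmt.Println("round-trip accepted:", VerifyPKCE(p.Challenge, p.Verifier))
	fmt.Println("wrong verifier accepted:", VerifyPKCE(p.Challenge, "x"+p.Verifier))
}
```

Because the challenge is a one-way function of the verifier, a party that observes the authorization code in the loopback redirect but never held the verifier cannot redeem the code; that is the property the verifier/challenge split buys in a 3LO flow.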

func GenerateServiceAccountAccessToken added in v1.2.0

func GenerateServiceAccountAccessToken(accessToken string, serviceAccount string, scope string) (*oauth2.Token, error)

GenerateServiceAccountAccessToken generates a Service Account access token using a User access token approved for at least one of the following scopes:

* https://www.googleapis.com/auth/iam
* https://www.googleapis.com/auth/cloud-platform

func Get3LOAuthorizationHandler added in v1.3.0

func Get3LOAuthorizationHandler(state string, consentSettings ConsentPageSettings,
	authCodeServer *AuthorizationCodeServer) authhandler.AuthorizationHandler

3LO authorization handler. Determines what algorithm to use to get the authorization code.

Note that the "state" parameter is used to prevent CSRF attacks.

func GetFirstRedirectURI added in v1.3.0

func GetFirstRedirectURI(credentialsJSON string) (firstRedirectURI string, err error)

GetFirstRedirectURI returns the first URI in "redirect_uris".

credentialsJSON represents the credentials JSON file.

Returns firstRedirectURI: the address of the first URI in "redirect_uris".
Returns err: if unable to process the credentialsJSON file.

func GetListener added in v1.3.0

func GetListener(address string) (listener *net.Listener, serverAddress string, err error)

GetListener gets a listener on the port specified in the address. If no port is specified in the address, an available port is assigned.

Input address: represents a localhost address. Its format is http://localhost[:port]

Returns listener.
Returns serverAddress: the address of the listener. Its format is http://localhost[:port]
Returns err: if not nil, an error occurred when creating the listener.

func GuessUnixHomeDir added in v1.2.0

func GuessUnixHomeDir() string

func Header

func Header(settings *Settings, taskSettings *TaskSettings)

Fetches and prints the token in header format with the given settings using Google Authenticator.

func Info

func Info(token string) int

Fetches the information of the given token.

func InsertCache

func InsertCache(settings *Settings, token *oauth2.Token) error

func IsValidOauthClientIdFile added in v1.3.0

func IsValidOauthClientIdFile(credentialsJSON string) (isValidCredFile bool)

IsValidOauthClientIdFile determines whether a valid OAuth Client ID file can be created from a credentials JSON file.

credentialsJSON represents the credentials JSON file.

Returns isValidCredFile: true if it can be recreated, false otherwise.
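An added example (not oauth2l's code) of the two checks described for GetFirstRedirectURI and IsValidOauthClientIdFile, run over constructed sample files. The file layout assumed here is the Google Cloud Console download format, a top-level "installed" or "web" object carrying client_id, client_secret, auth_uri, token_uri and an optional redirect_uris list; treating those four fields as the validity requirement is this example's assumption, and the client_id and client_secret values in the samples are placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// clientIDBody holds the fields of the "installed" or "web" section that
// this example inspects.
type clientIDBody struct {
	ClientID     string   `json:"client_id"`
	ClientSecret string   `json:"client_secret"`
	AuthURI      string   `json:"auth_uri"`
	TokenURI     string   `json:"token_uri"`
	RedirectURIs []string `json:"redirect_uris"`
}

// parseClientID returns whichever of the "installed" or "web" sections is
// present. Any other shape (e.g. a service account key) is rejected.
func parseClientID(credentialsJSON string) (string, *clientIDBody, error) {
	var file map[string]json.RawMessage
	if err := json.Unmarshal([]byte(credentialsJSON), &file); err != nil {
		return "", nil, fmt.Errorf("credentials are not valid JSON: %w", err)
	}
	for _, kind := range []string{"installed", "web"} {
		raw, ok := file[kind]
		if !ok {
			continue
		}
		var body clientIDBody
		if err := json.Unmarshal(raw, &body); err != nil {
			return "", nil, fmt.Errorf("%q section is malformed: %w", kind, err)
		}
		return kind, &body, nil
	}
	return "", nil, errors.New(`no "installed" or "web" section found`)
}

// IsValidOauthClientIdFile reports whether the file carries the fields needed
// to build an OAuth client configuration (the required set is an assumption).
func IsValidOauthClientIdFile(credentialsJSON string) bool {
	_, body, err := parseClientID(credentialsJSON)
	if err != nil {
		return false
	}
	return body.ClientID != "" && body.ClientSecret != "" &&
		body.AuthURI != "" && body.TokenURI != ""
}

// GetFirstRedirectURI returns the first entry of "redirect_uris", or an error
// when the file cannot be processed or lists no redirect URI.
func GetFirstRedirectURI(credentialsJSON string) (string, error) {
	kind, body, err := parseClientID(credentialsJSON)
	if err != nil {
		return "", err
	}
	if len(body.RedirectURIs) == 0 {
		return "", fmt.Errorf("%q section has no redirect_uris", kind)
	}
	return body.RedirectURIs[0], nil
}

// Constructed sample files (client_id and client_secret are placeholders).
const (
	installedSample      = `{"installed":{"client_id":"PLACEHOLDER.apps.googleusercontent.com","client_secret":"PLACEHOLDER","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://oauth2.googleapis.com/token","redirect_uris":["http://localhost"]}}`
	noRedirectSample     = `{"web":{"client_id":"PLACEHOLDER","client_secret":"PLACEHOLDER","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://oauth2.googleapis.com/token"}}`
	serviceAccountSample = `{"type":"service_account","client_email":"PLACEHOLDER@example.iam.gserviceaccount.com"}`
)

func main() {
	for name, sample := range map[string]string{
		"installed": installedSample, "web-no-redirect": noRedirectSample, "service-account": serviceAccountSample,
	} {
		uri, err := GetFirstRedirectURI(sample)
		fmt.Printf("%-16s valid=%-5v firstRedirectURI=%q err=%v\n",
			name, IsValidOauthClientIdFile(sample), uri, err)
	}
}
```

The distinction matters operationally: a service account key and an OAuth client ID file are both "credentials JSON", but only the latter can drive a 3LO flow, and rejecting the wrong kind early gives a clearer failure than a malformed authorization request.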

func JWTTokenSource added in v1.2.0

func JWTTokenSource(ctx context.Context, settings *Settings) (oauth2.TokenSource, error)

func LookupCache

func LookupCache(settings *Settings) (*oauth2.Token, error)

func MarshalWithExtras added in v1.2.2

func MarshalWithExtras(token *oauth2.Token, indent string) ([]byte, error)

Marshals the given oauth2.Token into a JSON byte array and includes the Extra fields that would normally be omitted with default marshalling.

func OAuthJSONTokenSource added in v1.2.0

func OAuthJSONTokenSource(ctx context.Context, settings *Settings) (oauth2.TokenSource, error)

func Reset

func Reset()

Resets the cache.

func SSOFetch

func SSOFetch(cli string, email string, scope string) (*oauth2.Token, error)

Fetches and returns OAuth access token using SSO CLI.

func StsExchange added in v1.1.0

func StsExchange(accessToken string, encodedClaims string) (*oauth2.Token, error)

Exchanges an OAuth access token for an STS token using the base64-encoded claims.

func Test

func Test(token string) int

Tests the given token. Returns 0 for valid tokens. Otherwise returns 1.

func UnmarshalWithExtras added in v1.2.2

func UnmarshalWithExtras(data []byte) (*oauth2.Token, error)

Unmarshals the given JSON byte array into an oauth2.Token and includes the Extra fields that would normally be omitted with default unmarshalling.

func Web added in v1.1.0

func Web()

Runs the frontend/backend for OAuth2l Playground

func WebStop added in v1.1.0

func WebStop()

Closes the containers and removes stopped containers

Types

type AuthorizationCode added in v1.3.0

type AuthorizationCode struct {
	Code  string
	State string
}

AuthorizationCode represents the authorization code

type AuthorizationCodeLocalhost added in v1.3.0

type AuthorizationCodeLocalhost struct {
	AuthCodeReqStatus   AuthorizationCodeStatus
	ConsentPageSettings ConsentPageSettings
	// contains filtered or unexported fields
}

AuthorizationCodeLocalhost implements AuthorizationCodeServer. See interface for description

func (*AuthorizationCodeLocalhost) Close added in v1.3.0

func (lh *AuthorizationCodeLocalhost) Close()

func (*AuthorizationCodeLocalhost) GetAuthenticationCode added in v1.3.0

func (lh *AuthorizationCodeLocalhost) GetAuthenticationCode() (authCode AuthorizationCode, err error)

func (*AuthorizationCodeLocalhost) IsListeningAndServing added in v1.3.0

func (lh *AuthorizationCodeLocalhost) IsListeningAndServing() (isLisAndServ bool)

func (*AuthorizationCodeLocalhost) ListenAndServe added in v1.3.0

func (lh *AuthorizationCodeLocalhost) ListenAndServe(address string) (serverAddress string, err error)

func (*AuthorizationCodeLocalhost) WaitForConsentPageToReturnControl added in v1.3.0

func (lh *AuthorizationCodeLocalhost) WaitForConsentPageToReturnControl() (err error)

func (*AuthorizationCodeLocalhost) WaitForListeningAndServing added in v1.3.0

func (lh *AuthorizationCodeLocalhost) WaitForListeningAndServing(maxWaitTime time.Duration) (isLisAndServ bool, err error)

type AuthorizationCodeRequestStatus added in v1.3.0

type AuthorizationCodeRequestStatus int
const (
	// Waiting for authorization code
	// (waiting for authorization code request to start,
	//	or for authorization code request to complete)
	WAITING AuthorizationCodeRequestStatus = iota
	// Authorization code successfully granted.
	GRANTED
	// Failed to grant authorization code
	FAILED
)

Phases of the authorization code

type AuthorizationCodeServer added in v1.3.0

type AuthorizationCodeServer interface {
	// Starts listening and serving on the provided address.
	// If no port is specified in the address, an available port is assigned.
	//
	// Input address: represents a localhost address. Its format is http://localhost[:port]
	//
	// Returns serverAddress: is the address of the listener. Its format is http://localhost[:port]
	// Returns err: if server fails to listen or serve.
	ListenAndServe(address string) (serverAddress string, err error)

	// Stops listening and serving.
	Close()

	// IsListeningAndServing determines if the server is listening and serving.
	//
	// Returns isLisAndServ: true if this is listening and serving, false otherwise.
	IsListeningAndServing() (isLisAndServ bool)

	// WaitForListeningAndServing waits until the server is listening and serving,
	// or until a timeout occurs.
	//
	// Input maxWaitTime: is the maximum time to wait for the server to start
	// listening and serving.
	//
	// Returns isLisAndServ: true if the server is listening and serving,
	// false if the server fails to listen and serve before maxWaitTime elapses.
	// Returns err: if isLisAndServ is false.
	WaitForListeningAndServing(maxWaitTime time.Duration) (isLisAndServ bool, err error)

	// Returns the AuthorizationCode.
	//
	// Returns authCode: represents the authorization code.
	// if not yet granted its value is an empty string.
	// Returns err: is not nil if the code has not been granted.
	GetAuthenticationCode() (authCode AuthorizationCode, err error)

	// WaitForConsentPageToReturnControl waits until the consent page returns control.
	//
	// Returns err: if the consent page fails to return control
	// within the maxWaitTime.
	WaitForConsentPageToReturnControl() (err error)
}

AuthorizationCodeServer represents a localhost server that handles the Loopback 3LO authorization
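The loopback server the interface describes, and the role of the "state" parameter noted under Get3LOAuthorizationHandler, as an added example that is not oauth2l's implementation. It parses the documented http://localhost[:port] address form (binding port 0 when none is given, as GetListener describes), serves SERVER_LOOPBACK_ENDPOINT_URL, and accepts an authorization code only when the state echoed back equals the state that was sent; a redirect with any other state is treated as a request the client never made and the code is discarded. The status constants mirror the page's AuthorizationCodeRequestStatus; the query-string values in main are constructed.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"sync"
)

// Mirrors the page's AuthorizationCodeRequestStatus phases.
type AuthorizationCodeRequestStatus int

const (
	WAITING AuthorizationCodeRequestStatus = iota
	GRANTED
	FAILED
)

// ParseLocalhostAddress accepts only http://localhost[:port] and returns a
// host:port for net.Listen; a missing port becomes 0 so the OS assigns one.
func ParseLocalhostAddress(address string) (string, error) {
	u, err := url.Parse(address)
	if err != nil {
		return "", err
	}
	if u.Scheme != "http" || u.Hostname() != "localhost" || (u.Path != "" && u.Path != "/") {
		return "", errors.New("address must have the form http://localhost[:port]")
	}
	port := u.Port()
	if port == "" {
		port = "0"
	}
	return net.JoinHostPort("localhost", port), nil
}

// ListenLoopback binds the address and reports the one actually bound.
func ListenLoopback(address string) (net.Listener, string, error) {
	hostPort, err := ParseLocalhostAddress(address)
	if err != nil {
		return nil, "", err
	}
	ln, err := net.Listen("tcp", hostPort)
	if err != nil {
		return nil, "", err
	}
	return ln, fmt.Sprintf("http://localhost:%d", ln.Addr().(*net.TCPAddr).Port), nil
}

// ProcessLoopbackRedirect is the check run when the browser returns to "/":
// the echoed state must equal the state sent with the authorization request,
// otherwise the code is not ours to redeem and is discarded.
func ProcessLoopbackRedirect(expectedState, rawQuery string) (code string, status AuthorizationCodeRequestStatus, details string) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", FAILED, "malformed redirect query: " + err.Error()
	}
	if e := q.Get("error"); e != "" {
		return "", FAILED, "authorization server returned error: " + e
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", FAILED, "state mismatch: redirect not tied to our request, code discarded"
	}
	if code = q.Get("code"); code == "" {
		return "", FAILED, "redirect carried no authorization code"
	}
	return code, GRANTED, ""
}

// LoopbackHandler records the outcome so a caller can poll it, in the spirit
// of GetAuthenticationCode on the page's AuthorizationCodeLocalhost.
type LoopbackHandler struct {
	ExpectedState string
	mu            sync.Mutex
	code          string
	status        AuthorizationCodeRequestStatus
	details       string
}

func (h *LoopbackHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	code, status, details := ProcessLoopbackRedirect(h.ExpectedState, r.URL.RawQuery)
	h.mu.Lock()
	if h.status != GRANTED { // a granted code is never overwritten by a later request
		h.code, h.status, h.details = code, status, details
	}
	h.mu.Unlock()
	if status != GRANTED {
		http.Error(w, details, http.StatusBadRequest)
		return
	}
	fmt.Fprintln(w, "Authorization received; you may close this tab.")
}

// Result returns the recorded code, status and failure details.
func (h *LoopbackHandler) Result() (string, AuthorizationCodeRequestStatus, string) {
	h.mu.Lock()
	defer h.mu.Unlock()
	return h.code, h.status, h.details
}

func main() {
	ln, addr, err := ListenLoopback("http://localhost")
	if err != nil {
		panic(err)
	}
	h := &LoopbackHandler{ExpectedState: "constructed-state"}
	srv := &http.Server{Handler: h}
	go srv.Serve(ln)
	defer srv.Close()
	// Constructed redirects: one with a wrong state, then the genuine one.
	for _, q := range []string{"code=4/forged&state=other", "code=4/genuine&state=constructed-state"} {
		if resp, err := http.Get(addr + "/?" + q); err == nil {
			resp.Body.Close()
		}
	}
	code, status, details := h.Result()
	fmt.Printf("code=%q status=%d details=%q\n", code, status, details)
}
```

Two details are deliberate: the state is compared with crypto/subtle rather than ==, and the handler returns 400 with the reason rather than silently accepting, so a mismatch is visible in the terminal where the user is watching the flow.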

type AuthorizationCodeStatus added in v1.3.0

type AuthorizationCodeStatus struct {
	Status  AuthorizationCodeRequestStatus
	Details string
}

AuthorizationCodeStatus represents the state of the authorization code

type Browser added in v1.3.0

type Browser struct{}

Browser represents an internet browser.

func (*Browser) OpenURL added in v1.3.0

func (b *Browser) OpenURL(url string) error

Opens the URL in a new browser tab.

type CacheKey

type CacheKey struct {
	// The JSON credentials content downloaded from Google Cloud Console.
	CredentialsJSON string
	// If specified, use OAuth. Otherwise, JWT.
	Scope string
	// The audience field for JWT auth and UAT
	Audience string
	// The email used for SSO and domain-wide delegation.
	Email string
	// The Google API key
	APIKey string
	// The QuotaProject field for STS
	QuotaProject string
	// If specified, performs STS exchange on top of base OAuth
	Sts bool
	// Exchange User access token for Service Account access token.
	ServiceAccount string
}

The key struct used to identify an auth token fetch operation.

type ConsentPageSettings added in v1.3.0

type ConsentPageSettings struct {
	// DisableAutoOpenConsentPage controls the feature to automatically
	// open the browser to visit the consent page
	DisableAutoOpenConsentPage bool
	// InteractionTimeout is the maximum time to wait for the user
	// to interact with the consent page
	InteractionTimeout time.Duration
}

ConsentPageSettings is a 3-legged-OAuth helper that contains the settings for the interaction with the consent page

type Settings added in v1.2.0

type Settings struct {
	// The JSON credentials content downloaded from Google Cloud Console.
	CredentialsJSON string
	// The authentication type.
	AuthType string
	// If specified, use OAuth. Otherwise, JWT.
	Scope string
	// The audience field for JWT auth
	Audience string
	// The Google API key
	APIKey string
	// This is only used for domain-wide delegation.
	// DEPRECATED
	User string
	// The email used for SSO and domain-wide delegation.
	Email string
	// A user specified project that is responsible for the request quota and
	// billing charges.
	QuotaProject string
	// AuthHandler is the AuthorizationHandler used for 3-legged OAuth flow.
	AuthHandler authhandler.AuthorizationHandler
	// State is a unique string used with AuthHandler.
	State string
	// Indicates that STS token exchange should be performed.
	Sts bool
	// Used for Service Account Impersonation.
	// Exchange User access token for Service Account access token.
	ServiceAccount string
}

An extensible structure that holds the credentials for Google API authentication.

func (Settings) GetAuthType added in v1.2.2

func (s Settings) GetAuthType() string

type TaskSettings added in v1.1.0

type TaskSettings struct {
	// AuthType determines which auth tool to use (sso vs sgauth)
	AuthType string
	// Output format for Fetch task
	Format string
	// CurlCli override for Curl task
	CurlCli string
	// Url endpoint for Curl task
	Url string
	// Extra args for Curl task
	ExtraArgs []string
	// SsoCli override for Sso task
	SsoCli string
	// Refresh expired access token in cache
	Refresh bool
}

An extensible structure that holds the settings used by different oauth2l tasks. These settings are used by oauth2l only and are not part of GUAC settings.
