oidc

package
v0.13.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 14, 2023 License: MPL-2.0 Imports: 53 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	OperationalStateField                  = "OperationalState"
	DisableDiscoveredConfigValidationField = "DisableDiscoveredConfigValidation"
	VersionField                           = "Version"
	NameField                              = "Name"
	DescriptionField                       = "Description"
	FilterField                            = "Filter"
	IssuerField                            = "Issuer"
	ClientIdField                          = "ClientId"
	ClientSecretField                      = "ClientSecret"
	CtClientSecretField                    = "CtClientSecret"
	ClientSecretHmacField                  = "ClientSecretHmac"
	MaxAgeField                            = "MaxAge"
	SigningAlgsField                       = "SigningAlgs"
	ApiUrlField                            = "ApiUrl"
	AudClaimsField                         = "AudClaims"
	CertificatesField                      = "Certificates"
	ClaimsScopesField                      = "ClaimsScopes"
	AccountClaimMapsField                  = "AccountClaimMaps"
	TokenClaimsField                       = "TokenClaims"
	UserinfoClaimsField                    = "UserinfoClaims"
	KeyIdField                             = "KeyId"
)
View Source 
const (
	SigningAlgVO       voName = "SigningAlgs"
	CertificateVO      voName = "Certificates"
	AudClaimVO         voName = "AudClaims"
	ClaimsScopesVO     voName = "ClaimsScopes"
	AccountClaimMapsVO voName = "AccountClaimMaps"
)
View Source 
const (
	// AttemptExpiration defines the TTL for an authentication attempt
	AttemptExpiration = 5 * 60 * time.Second

	// FinalRedirectEndpoint is the endpoint that the oidc callback redirect
	// client to after the callback is complete.
	FinalRedirectEndpoint = "%s/authentication-complete"

	// AuthenticationErrorsEndpoint is the endpoint that will returned as the final redirect
	// from the callback when there are auth errors
	AuthenticationErrorsEndpoint = "%s/authentication-error"

	// CallbackEndpoint is the endpoint for the oidc callback which will be
	// included in the auth URL returned when an authen attempted is kicked off.
	CallbackEndpoint = "%s/v1/auth-methods/oidc:authenticate:callback"
)
View Source 
const (
	DefaultClaimsScope = "openid"
)
View Source 
const (
	Subtype = subtypes.Subtype("oidc")
)
View Source 
const TestFakeManagedGroupFilter = `"/foo" == "bar"`

Variables

This section is empty.

Functions

func Callback 

func Callback(
	ctx context.Context,
	oidcRepoFn OidcRepoFactory,
	iamRepoFn IamRepoFactory,
	atRepoFn AuthTokenRepoFactory,
	am *AuthMethod,
	state, code string,
) (finalRedirect string, e error)

Callback is an oidc domain service function for processing a successful OIDC Authentication Response from an IdP oidc callback. On success, it returns a final redirect URL for the response to the IdP.

Callback can return several errors including errors.Forbidden for requests with non-unique states (which are replays)

For more info on a successful OIDC Authentication Response see: https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse

The service operation includes:

* Decrypt the state which has been encrypted with the OIDC DEK. If decryption fails, and error is returned. Decrypted state payload includes the token_request_id, nonce and final_redirect_url.

* Exchange the callbackCodeParameter for provider tokens and validate the tokens. Call UserInfo endpoint using access token.

* Use oidc.(Repository).upsertAccount to create/update account using ID Tokens claims. The "sub" claim as external ID and setting email and full name for the account.

* Use iam.(Repository).LookupUserWithLogin(...) look up the iam.User matching the Account.

* Use the authtoken.(Repository).CreateAuthToken(...) to create a pending auth token for the authenticated user.

func EncodeCertificates 

func EncodeCertificates(ctx context.Context, certs ...*x509.Certificate) ([]string, error)

EncodeCertificates will encode a number of x509 certificates to PEMs.

func ParseCertificates 

func ParseCertificates(ctx context.Context, pems ...string) ([]*x509.Certificate, error)

ParseCertificates will parse a number of certificates PEMs to x509s.

func StartAuth 

func StartAuth(ctx context.Context, oidcRepoFn OidcRepoFactory, authMethodId string, opt ...Option) (authUrl *url.URL, tokenId string, e error)

StartAuth accepts a request to start an OIDC authentication/authorization attempt. It returns two URLs and a tokenId. authUrl is an OIDC authorization request URL. The authUrl includes a "state" parameter which is encrypted and has a payload which includes (among other things) the final redirect (calculated from the clientInfo), a token_request_id, and nonce. The tokenUrl is the URL theclient can use to retrieve the results of the user's OIDC authentication attempt. The tokenId is an encrypted payload for the POST request to the tokenUrl.

If the auth method is in an InactiveState, then an error is returned.

Options supported:

WithRoundTripPayload(string) provides an option for a client roundtrip payload. This payload will be added to the final redirect as a query parameter.

func SupportedAlgorithm 

func SupportedAlgorithm(a Alg) bool

SupportedAlgorithm returns true iff the provided algorithm is supported by boundary.

func TestConvertToUrls 

func TestConvertToUrls(t testing.TB, urls ...string) []*url.URL

TestConvertToUrls will convert URL string representations to a slice of *url.URL

func TestPendingToken 

func TestPendingToken(
	t testing.TB,
	tokenRepo *authtoken.Repository,
	user *iam.User,
	acct *Account,
	tokenRequestId string,
) *authtoken.AuthToken

TestPendingToken will create a pending auth token for the tokenRequestId (aka public id)

func TestSortAuthMethods 

func TestSortAuthMethods(t testing.TB, methods []*AuthMethod)

TestSortAuthMethods will sort the provided auth methods by public id and it will sort each auth method's embedded value objects (algs, auds, certs, callbacks)

func TestTokenRequestId 

func TestTokenRequestId(
	t testing.TB,
	am *AuthMethod,
	kms *kms.Kms,
	expIn time.Duration,
	tokenPublicId string,
) string

TestTokenRequestId will make a request.Token and encrypt/encode within a request.Wrapper. the returned string can be used as a parameter for functions like: oidc.TokenRequest

func TokenRequest 

func TokenRequest(ctx context.Context, kms *kms.Kms, atRepoFn AuthTokenRepoFactory, authMethodId, tokenRequestId string) (*authtoken.AuthToken, error)

TokenRequest is an oidc domain service function for processing a token request from a Boundary client. Token requests are the result of a Boundary client polling the tokenUrl they received via StartAuth. On success, it returns Boundary token.

* Decrypt the tokenRequestId. If encryption fails, it returns an error.

* Use the authtoken.(Repository).IssueAuthToken to issue the request id's token and mark it as issued in the repo. If the token is already issue, an error is returned.

func UnwrapMessage added in v0.2.1 

func UnwrapMessage(ctx context.Context, encodedWrappedMsg string) (*request.Wrapper, error)

UnwrapMessage does just that, it unwraps the encoded request.Wrapper proto message

Types

type Account 

type Account struct {
	*store.Account
	// contains filtered or unexported fields
}

Account contains an OIDC auth account. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its Accounts.

func AllocAccount 

func AllocAccount() *Account

AllocAccount makes an empty one in memory

func NewAccount 

func NewAccount(ctx context.Context, authMethodId string, subject string, opt ...Option) (*Account, error)

NewAccount creates a new in memory Account assigned to OIDC AuthMethod. WithIssuer, WithFullName, WithEmail, WithName and WithDescription are the only valid options. All other options are ignored.

Subject equals the locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client.

Issuer equals the Verifiable Identifier for an Issuer. An Issuer Identifier is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.

FullName equals the End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.

Email equals the End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon this value being unique

See: https://openid.net/specs/openid-connect-core-1_0.html

func TestAccount 

func TestAccount(t testing.TB, conn *db.DB, am *AuthMethod, subject string, opt ...Option) *Account

TestAccount creates a test oidc auth account.

func (*Account) Clone 

func (a *Account) Clone() *Account

Clone an Account.

func (*Account) GetLoginName added in v0.11.1 

func (a *Account) GetLoginName() string

GetLoginName returns the login name, which will always be empty as this type doesn't currently support login name

func (*Account) SetTableName 

func (a *Account) SetTableName(n string)

SetTableName sets the table name.

func (*Account) TableName 

func (a *Account) TableName() string

TableName returns the table name.

type AccountClaimMap added in v0.2.1 

type AccountClaimMap struct {
	*store.AccountClaimMap
	// contains filtered or unexported fields
}

AccountClaimMap defines optional OIDC scope values that are used to request claims, in addition to the default scope of "openid" (see: DefaultClaimsScope).

func AllocAccountClaimMap added in v0.2.1 

func AllocAccountClaimMap() AccountClaimMap

AllocClaimsScope makes an empty one in memory

func NewAccountClaimMap added in v0.2.1 

func NewAccountClaimMap(ctx context.Context, authMethodId, fromClaim string, toClaim AccountToClaim) (*AccountClaimMap, error)

func (*AccountClaimMap) Clone added in v0.2.1 

func (cs *AccountClaimMap) Clone() *AccountClaimMap

Clone a AccountClaimMap

func (*AccountClaimMap) SetTableName added in v0.2.1 

func (s *AccountClaimMap) SetTableName(n string)

SetTableName sets the table name.

func (*AccountClaimMap) TableName added in v0.2.1 

func (s *AccountClaimMap) TableName() string

TableName returns the table name.

type AccountToClaim added in v0.2.1 

type AccountToClaim string
const (
	ToSubClaim   AccountToClaim = "sub"
	ToEmailClaim AccountToClaim = "email"
	ToNameClaim  AccountToClaim = "name"
)

func ConvertToAccountToClaim added in v0.2.1 

func ConvertToAccountToClaim(ctx context.Context, s string) (AccountToClaim, error)

type Alg 

type Alg string

Alg represents asymmetric signing algorithms 

const (
	// JOSE asymmetric signing algorithm values as defined by RFC 7518.
	//
	// See: https://tools.ietf.org/html/rfc7518#section-3.1
	RS256 Alg = "RS256" // RSASSA-PKCS-v1.5 using SHA-256
	RS384 Alg = "RS384" // RSASSA-PKCS-v1.5 using SHA-384
	RS512 Alg = "RS512" // RSASSA-PKCS-v1.5 using SHA-512
	ES256 Alg = "ES256" // ECDSA using P-256 and SHA-256
	ES384 Alg = "ES384" // ECDSA using P-384 and SHA-384
	ES512 Alg = "ES512" // ECDSA using P-521 and SHA-512
	PS256 Alg = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256
	PS384 Alg = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384
	PS512 Alg = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512
	EdDSA Alg = "EdDSA"
)

type AudClaim 

type AudClaim struct {
	*store.AudClaim
	// contains filtered or unexported fields
}

AudClaim defines an audience claim for an OIDC auth method. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its AudClaims. AudClaims are value objects of an AuthMethod, therefore there's no need for oplog metadata, since only the AuthMethod will have metadata because it's the root aggregate.

see aud claim in the oidc spec: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

func AllocAudClaim 

func AllocAudClaim() AudClaim

AllocAudClaim make an empty one in memory.

func NewAudClaim 

func NewAudClaim(ctx context.Context, authMethodId string, audClaim string) (*AudClaim, error)

NewAudClaim creates a new in memory audience claim assigned to an OIDC AuthMethod. It supports no options. If an AuthMethod as assigned AudClaims, then ID tokens issued from the provider must contain one of the assigned audiences to be valid.

For more info on oidc aud claims, see the oidc spec: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

func (*AudClaim) Clone 

func (c *AudClaim) Clone() *AudClaim

Clone an AudClaim

func (*AudClaim) SetTableName 

func (c *AudClaim) SetTableName(n string)

SetTableName sets the table name.

func (*AudClaim) TableName 

func (c *AudClaim) TableName() string

TableName returns the table name.

type AuthMethod 

type AuthMethod struct {
	*store.AuthMethod
	// contains filtered or unexported fields
}

AuthMethod contains an OIDC auth method configuration. It is owned by a scope. AuthMethods can have Accounts, AudClaims, CallbackUrls, Certificates, SigningAlgs. AuthMethods also have one State at any given time which determines it's behavior for many its operations.

func AllocAuthMethod 

func AllocAuthMethod() AuthMethod

AllocAuthMethod makes an empty one in memory

func NewAuthMethod 

func NewAuthMethod(ctx context.Context, scopeId string, clientId string, clientSecret ClientSecret, opt ...Option) (*AuthMethod, error)

NewAuthMethod creates a new in memory AuthMethod assigned to scopeId. WithMaxAge, WithName and WithDescription are the only valid options. All other options are ignored.

State equals the state of the OIDC auth method. State is not a supported parameter when creating new AuthMethod's since it must be Inactive for all new AuthMethods.

Issuer equals a URL that identifies the OIDC provider. Boundary will strip off anything beyond scheme, host and port

ClientId equals an OAuth 2.0 Client Identifier valid at the Authorization Server.

ClientSecret equals the client's secret which will be encrypted when stored in the database and an hmac representation will also be stored when ever the secret changes. The secret is not returned via the API, the hmac is returned so callers can determine if it's been updated.

MaxAge equals the Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. A value -1 basically forces the IdP to re-authenticate the End-User. Zero is not a valid value.

See: https://openid.net/specs/openid-connect-core-1_0.html

Supports the options of WithMaxAge, WithSigningAlgs, WithAudClaims, WithApiUrl and WithCertificates and all other options are ignored.

func TestAuthMethod 

func TestAuthMethod(
	t testing.TB,
	conn *db.DB,
	databaseWrapper wrapping.Wrapper,
	scopeId string,
	state AuthMethodState,
	clientId string,
	clientSecret ClientSecret,
	opt ...Option,
) *AuthMethod

TestAuthMethod creates a test oidc auth method. WithName, WithDescription, WithMaxAge, WithApiUrl, WithIssuer, WithCertificates, WithAudClaims, and WithSigningAlgs options are supported.

func (*AuthMethod) Clone 

func (a *AuthMethod) Clone() *AuthMethod

Clone an AuthMethod.

func (*AuthMethod) SetTableName 

func (a *AuthMethod) SetTableName(n string)

SetTableName sets the table name.

func (*AuthMethod) TableName 

func (a *AuthMethod) TableName() string

TableName returns the table name.

type AuthMethodState 

type AuthMethodState string

AuthMethodState defines the possible states for an oidc auth method 

const (
	UnknownState       AuthMethodState = "unknown"
	InactiveState      AuthMethodState = "inactive"
	ActivePrivateState AuthMethodState = "active-private"
	ActivePublicState  AuthMethodState = "active-public"
)

type AuthTokenRepoFactory 

type AuthTokenRepoFactory func() (*authtoken.Repository, error)

AuthTokenRepoFactory is used by "service functions" to create a new auth token repo

type Certificate 

type Certificate struct {
	*store.Certificate
	// contains filtered or unexported fields
}

Certificate defines a certificate to use as part of a trust root when connecting to the auth method's OIDC Provider. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its Certificates. Certificates are value objects of an AuthMethod, therefore there's no need for oplog metadata, since only the AuthMethod will have metadata because it's the root aggregate.

func AllocCertificate 

func AllocCertificate() Certificate

AllocCertificate makes an empty one in memory

func NewCertificate 

func NewCertificate(ctx context.Context, authMethodId string, certificatePem string) (*Certificate, error)

NewCertificate creates a new in memory certificate assigned to and OIDC auth method.

func (*Certificate) Clone 

func (c *Certificate) Clone() *Certificate

Clone a Certificate

func (*Certificate) SetTableName 

func (c *Certificate) SetTableName(n string)

SetTableName sets the table name.

func (*Certificate) TableName 

func (c *Certificate) TableName() string

TableName returns the table name.

type ClaimMap added in v0.3.0 

type ClaimMap struct {
	To   string
	From string
}

ClaimMap defines the To and From of an oidc claim map

func ParseAccountClaimMaps added in v0.2.1 

func ParseAccountClaimMaps(ctx context.Context, m ...string) ([]ClaimMap, error)

ParseAccountClaimMaps will parse the inbound claim maps

type ClaimsScope added in v0.2.1 

type ClaimsScope struct {
	*store.ClaimsScope
	// contains filtered or unexported fields
}

ClaimsScope defines optional OIDC scope values that are used to request claims, in addition to the default scope of "openid" (see: DefaultClaimsScope).

see: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims

func AllocClaimsScope added in v0.2.1 

func AllocClaimsScope() ClaimsScope

AllocClaimsScope makes an empty one in memory

func NewClaimsScope added in v0.2.1 

func NewClaimsScope(ctx context.Context, authMethodId, claimsScope string) (*ClaimsScope, error)

func (*ClaimsScope) Clone added in v0.2.1 

func (cs *ClaimsScope) Clone() *ClaimsScope

Clone a ClaimsScope

func (*ClaimsScope) SetTableName added in v0.2.1 

func (s *ClaimsScope) SetTableName(n string)

SetTableName sets the table name.

func (*ClaimsScope) TableName added in v0.2.1 

func (s *ClaimsScope) TableName() string

TableName returns the table name.

type ClientSecret 

type ClientSecret string

ClientSecret equals an AuthMethod's client secret. This type provides a wrapper so the secret isn't inadvertently leaked into a log or error.

func (ClientSecret) GoString added in v0.4.0 

func (s ClientSecret) GoString() string

GoString will redact the client_secret.

func (ClientSecret) MarshalJSON 

func (s ClientSecret) MarshalJSON() ([]byte, error)

MarshalJSON will redact the client_secret.

func (ClientSecret) String 

func (s ClientSecret) String() string

String will redact the client_secret.

type HTTPClient 

type HTTPClient interface {
	Do(req *http.Request) (*http.Response, error)
}

type IamRepoFactory 

type IamRepoFactory func() (*iam.Repository, error)

IamRepoFactory is used by "service functions" to create a new iam repo

type ManagedGroup added in v0.3.0 

type ManagedGroup struct {
	*store.ManagedGroup
	// contains filtered or unexported fields
}

ManagedGroup contains an OIDC managed group. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its Managed Groups.

func AllocManagedGroup added in v0.3.0 

func AllocManagedGroup() *ManagedGroup

AllocManagedGroup makes an empty one in memory

func NewManagedGroup added in v0.3.0 

func NewManagedGroup(ctx context.Context, authMethodId string, filter string, opt ...Option) (*ManagedGroup, error)

NewManagedGroup creates a new in memory ManagedGroup assigned to OIDC AuthMethod. Supported options are withName and withDescription.

func TestManagedGroup added in v0.3.0 

func TestManagedGroup(t testing.TB, conn *db.DB, am *AuthMethod, filter string, opt ...Option) *ManagedGroup

TestManagedGroup creates a test oidc managed group.

func (*ManagedGroup) Clone added in v0.3.0 

func (mg *ManagedGroup) Clone() *ManagedGroup

Clone a ManagedGroup.

func (*ManagedGroup) SetTableName added in v0.3.0 

func (mg *ManagedGroup) SetTableName(n string)

SetTableName sets the table name.

func (*ManagedGroup) TableName added in v0.3.0 

func (mg *ManagedGroup) TableName() string

TableName returns the table name.

type ManagedGroupMemberAccount added in v0.3.0 

type ManagedGroupMemberAccount struct {
	*store.ManagedGroupMemberAccount
	// contains filtered or unexported fields
}

ManagedGroupMemberAccount contains a mapping between a managed group and a member account

func AllocManagedGroupMemberAccount added in v0.3.0 

func AllocManagedGroupMemberAccount() *ManagedGroupMemberAccount

AllocManagedGroupMemberAccount makes an empty one in memory

func NewManagedGroupMemberAccount added in v0.3.0 

func NewManagedGroupMemberAccount(ctx context.Context, managedGroupId string, memberId string, opt ...Option) (*ManagedGroupMemberAccount, error)

NewManagedGroupMemberAccount creates a new in memory ManagedGroupMemberAccount assigned to a managed group within an OIDC AuthMethod. Supported options are withName and withDescription.

func TestManagedGroupMember added in v0.3.0 

func TestManagedGroupMember(t testing.TB, conn *db.DB, managedGroupId, memberId string, opt ...Option) *ManagedGroupMemberAccount

TestManagedGroupMember adds given account IDs to a managed group

func (*ManagedGroupMemberAccount) Clone added in v0.3.0 

func (mg *ManagedGroupMemberAccount) Clone() *ManagedGroupMemberAccount

Clone a ManagedGroupMemberAccount.

func (*ManagedGroupMemberAccount) SetTableName added in v0.3.0 

func (mg *ManagedGroupMemberAccount) SetTableName(n string)

SetTableName sets the table name.

func (*ManagedGroupMemberAccount) TableName added in v0.3.0 

func (mg *ManagedGroupMemberAccount) TableName() string

TableName returns the table name.

type OidcRepoFactory 

type OidcRepoFactory func() (*Repository, error)

OidcRepoFactory is used by "service functions" to create a new oidc repo

type Option 

type Option func(*options)

Option - how Options are passed as arguments.

func WithAccountClaimMap added in v0.2.1 

func WithAccountClaimMap(acm map[string]AccountToClaim) Option

WithAccountClaimMap provides an option for specifying an Account Claim map.

func WithApiUrl 

func WithApiUrl(urls *url.URL) Option

WithApiUrl provides optional api URL to use in the various

func WithAudClaims 

func WithAudClaims(aud ...string) Option

WithAudClaims provides optional audience claims

func WithAuthMethod 

func WithAuthMethod(am *AuthMethod) Option

WithAuthMethod provides an option for passing an AuthMethod to the operation

func WithCertificates 

func WithCertificates(certs ...*x509.Certificate) Option

WithCertificates provides optional certificates.

func WithClaimsScopes added in v0.2.1 

func WithClaimsScopes(claimsScope ...string) Option

WithClaimsScopes provides optional claims scopes

func WithDescription 

func WithDescription(desc string) Option

WithDescription provides an optional description.

func WithDryRun 

func WithDryRun() Option

WithDryRun provides an option to do a "dry run" of a write operation, which will run verification steps and return any errors, but will not persist the data into the repository.

func WithEmail 

func WithEmail(email string) Option

WithEmail provides an optional email address for the account.

func WithForce 

func WithForce() Option

WithForce provides an option to force the write operation, regardless of whether or not it's pre-verification succeeds.

func WithFullName 

func WithFullName(n string) Option

WithFullName provides an optional full name for the account.

func WithIssuer 

func WithIssuer(iss *url.URL) Option

WithIssuer provides an option for specifying an issuer.

func WithKeyId 

func WithKeyId(id string) Option

WithKeyId provides an option for specifying a key id.

func WithLimit 

func WithLimit(l int) Option

WithLimit provides an option to provide a limit. Intentionally allowing negative integers. If WithLimit < 0, then unlimited results are returned. If WithLimit == 0, then default limits are used for results.

func WithMaxAge 

func WithMaxAge(max int) Option

WithMaxAge provides an optional max age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. A value -1 basically forces the IdP to re-authenticate the End-User. Zero is not a valid value.

see: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

func WithName 

func WithName(name string) Option

WithName provides an optional name.

func WithOperationalState 

func WithOperationalState(state AuthMethodState) Option

WithOperationalState provides an option for specifying an issuer.

func WithOrderByCreateTime 

func WithOrderByCreateTime(ascending bool) Option

WithOrderByCreateTime provides an option to specify ordering by the CreateTime field.

func WithPublicId 

func WithPublicId(publicId string) Option

WithPublicId provides an option for passing a public id to the operation

func WithReader added in v0.3.0 

func WithReader(reader db.Reader) Option

WithReader provides an option for specifying a reader to use for the operation.

func WithRoundtripPayload 

func WithRoundtripPayload(payload string) Option

WithRoundTripPayload provides an option for passing an payload to be roundtripped during an authentication process.

func WithSigningAlgs 

func WithSigningAlgs(alg ...Alg) Option

WithSigningAlgs provides optional signing algorithms

func WithUnauthenticatedUser 

func WithUnauthenticatedUser(enabled bool) Option

WithUnauthenticatedUser provides an option for filtering results for an unauthenticated users.

type Repository 

type Repository struct {
	// contains filtered or unexported fields
}

Repository is the oidc repository

func NewRepository 

func NewRepository(ctx context.Context, r db.Reader, w db.Writer, kms *kms.Kms, opt ...Option) (*Repository, error)

NewRepository creates a new oidc Repository. Supports the options: WithLimit which sets a default limit on results returned by repo operations.

func (*Repository) CreateAccount 

func (r *Repository) CreateAccount(ctx context.Context, scopeId string, a *Account, opt ...Option) (*Account, error)

CreateAccount inserts an Account, a, into the repository and returns a new Account containing its PublicId. a is not changed. a must contain a valid AuthMethodId. a must not contain a PublicId. The PublicId is generated and assigned by this method. a must not contain an Issuer. The Issuer is retrieved from the auth method. If it does not contain an Issuer an error is returned.

a must contain a valid Subject. a.Subject must be unique for an a.AuthMethod/Issuer pair.

Both a.Name and a.Description are optional. If a.Name is set, it must be unique within a.AuthMethodId.

WithPublicId is currently the only valid option.

func (*Repository) CreateAuthMethod 

func (r *Repository) CreateAuthMethod(ctx context.Context, am *AuthMethod, opt ...Option) (*AuthMethod, error)

CreateAuthMethod creates am (*AuthMethod) in the repo along with its associated embedded optional value objects of SigningAlgs, AudClaims, and Certificates and returns the newly created AuthMethod (with its PublicId set)

The AuthMethod's public id and version must be empty (zero values).

All options are ignored.

func (*Repository) CreateManagedGroup added in v0.3.0 

func (r *Repository) CreateManagedGroup(ctx context.Context, scopeId string, mg *ManagedGroup, opt ...Option) (*ManagedGroup, error)

CreateManagedGroup inserts an ManagedGroup, mg, into the repository and returns a new ManagedGroup containing its PublicId. mg is not changed. mg must contain a valid AuthMethodId. mg must not contain a PublicId. The PublicId is generated and assigned by this method.

Both mg.Name and mg.Description are optional. If mg.Name is set, it must be unique within mg.AuthMethodId.

func (*Repository) DeleteAccount 

func (r *Repository) DeleteAccount(ctx context.Context, scopeId, withPublicId string, opt ...Option) (int, error)

DeleteAccount deletes the account for the provided id from the repository returning a count of the number of records deleted. All options are ignored.

func (*Repository) DeleteAuthMethod 

func (r *Repository) DeleteAuthMethod(ctx context.Context, publicId string, _ ...Option) (int, error)

DeleteAuthMethod will delete the auth method from the repository. It is idempotent so if the auth method was not found, return 0 (no rows affected) and nil. No options are currently supported.

func (*Repository) DeleteManagedGroup added in v0.3.0 

func (r *Repository) DeleteManagedGroup(ctx context.Context, scopeId, withPublicId string, opt ...Option) (int, error)

DeleteManagedGroup deletes the managed group for the provided id from the repository returning a count of the number of records deleted. All options are ignored.

func (*Repository) ListAccounts 

func (r *Repository) ListAccounts(ctx context.Context, withAuthMethodId string, opt ...Option) ([]*Account, error)

ListAccounts in an auth method and supports WithLimit option.

func (*Repository) ListAuthMethods 

func (r *Repository) ListAuthMethods(ctx context.Context, scopeIds []string, opt ...Option) ([]*AuthMethod, error)

ListAuthMethods returns a slice of AuthMethods for the scopeId. The WithUnauthenticatedUser, WithLimit and WithOrder options are supported and all other options are ignored.

func (*Repository) ListManagedGroupMembershipsByGroup added in v0.3.0 

func (r *Repository) ListManagedGroupMembershipsByGroup(ctx context.Context, withGroupId string, opt ...Option) ([]*ManagedGroupMemberAccount, error)

ListManagedGroupMembershipsByGroup lists managed group memberships via the group ID and supports WithLimit option.

func (*Repository) ListManagedGroupMembershipsByMember added in v0.3.0 

func (r *Repository) ListManagedGroupMembershipsByMember(ctx context.Context, withAcctId string, opt ...Option) ([]*ManagedGroupMemberAccount, error)

ListManagedGroupMembershipsByMember lists managed group memberships via the member (account) ID and supports WithLimit option.

func (*Repository) ListManagedGroups added in v0.3.0 

func (r *Repository) ListManagedGroups(ctx context.Context, withAuthMethodId string, opt ...Option) ([]*ManagedGroup, error)

ListManagedGroups in an auth method and supports WithLimit option.

func (*Repository) LookupAccount 

func (r *Repository) LookupAccount(ctx context.Context, withPublicId string, opt ...Option) (*Account, error)

LookupAccount will look up an account in the repository. If the account is not found, it will return nil, nil. All options are ignored.

func (*Repository) LookupAuthMethod 

func (r *Repository) LookupAuthMethod(ctx context.Context, publicId string, opt ...Option) (*AuthMethod, error)

LookupAuthMethod will lookup an auth method in the repo, along with its associated Value Objects of SigningAlgs, CallbackUrls, AudClaims and Certificates. If it's not found, it will return nil, nil. The WithUnauthenticatedUser options is supported and all other options are ignored.

func (*Repository) LookupManagedGroup added in v0.3.0 

func (r *Repository) LookupManagedGroup(ctx context.Context, withPublicId string, opt ...Option) (*ManagedGroup, error)

LookupManagedGroup will look up a managed group in the repository. If the managed group is not found, it will return nil, nil. All options are ignored.

func (*Repository) MakeInactive 

func (r *Repository) MakeInactive(ctx context.Context, authMethodId string, version uint32, _ ...Option) (*AuthMethod, error)

MakeInactive will transision an OIDC auth method from either the ActivePrivateState or the ActivePublicState to the InactiveState. No options are supported.

func (*Repository) MakePrivate 

func (r *Repository) MakePrivate(ctx context.Context, authMethodId string, version uint32, opt ...Option) (*AuthMethod, error)

MakePrivate will transision an OIDC auth method from either the InactiveState or the ActivePublicState to the ActivePrivateState. If transitioning from the InactiveState, the transition will only succeed if the auth method is complete and the oidc.ValidateAuthMethod(...) succeeds. If the WithForce option is provided, oidc.ValidateAuthMethod(...) success is not required.

func (*Repository) MakePublic 

func (r *Repository) MakePublic(ctx context.Context, authMethodId string, version uint32, opt ...Option) (*AuthMethod, error)

MakePublic will transision an OIDC auth method from either the InactiveState or the ActivePrivateState to the ActivePublicState. If transitioning from the InactiveState, the transition will only succeed if the auth method is complete and the oidc.ValidateAuthMethod(...) succeeds. If the WithForce option is provided, oidc.ValidateAuthMethod(...) success is not required.

func (*Repository) SetManagedGroupMemberships added in v0.3.0 

func (r *Repository) SetManagedGroupMemberships(ctx context.Context, am *AuthMethod, acct *Account, mgs []*ManagedGroup, _ ...Option) ([]*ManagedGroupMemberAccount, int, error)

SetManagedGroupMemberships will set the managed groups for the given account ID. If mgs is empty, the set of groups the account belongs to will be cleared. It returns the set of managed group IDs.

mgs contains the set of managed groups that matched. It must contain the group's version as this is used to ensure consistency between when the filter attached to the managed group was run and the point at which we are adding the account to the group.

func (*Repository) UpdateAccount 

func (r *Repository) UpdateAccount(ctx context.Context, scopeId string, a *Account, version uint32, fieldMaskPaths []string, opt ...Option) (*Account, int, error)

UpdateAccount updates the repository entry for a.PublicId with the values in a for the fields listed in fieldMaskPaths. It returns a new Account containing the updated values and a count of the number of records updated. a is not changed.

a must contain a valid PublicId. Only a.Name and a.Description can be updated. If a.Name is set to a non-empty string, it must be unique within a.AuthMethodId.

An attribute of a will be set to NULL in the database if the attribute in a is the zero value and it is included in fieldMaskPaths.

func (*Repository) UpdateAuthMethod 

func (r *Repository) UpdateAuthMethod(ctx context.Context, am *AuthMethod, version uint32, fieldMaskPaths []string, opt ...Option) (*AuthMethod, int, error)

UpdateAuthMethod will retrieve the auth method from the repository, and update it based on the field masks provided.

The auth method will not be persisted in the repository if the auth method's OperationalStatus is currently ActivePublic or ActivePrivate and the update would have resulted in an incomplete/non-operational auth method.

During update, the auth method will be tested/validated against its provider's published OIDC discovery document. If this validation succeeds, the auth method is persisted in the repository, and the written auth method is returned.

fieldMaskPaths provides field_mask.proto paths for fields that should be updated. Fields will be set to NULL if the field is a zero value and included in fieldMask. Name, Description, Issuer, ClientId, ClientSecret, MaxAge are all updatable fields. The AuthMethod's Value Objects of SigningAlgs, CallbackUrls, AudClaims and Certificates are also updatable. if no updatable fields are included in the fieldMaskPaths, then an error is returned.

Options supported:

* WithDryRun: when this option is provided, the auth method is retrieved from the repo, updated based on the fieldMask, tested via Repository.ValidateDiscoveryInfo, the results of the update are returned, and and any errors reported. The updates are not peristed to the repository.

* WithForce: when this option is provided, the auth method is persisted in the repository without testing it's validity against its provider's published OIDC discovery document. Even if this option is provided, the auth method will not be persisted in the repository when the update would have resulted in an incomplete/non-operational auth method and it's OperationalStatus is currently ActivePublic or ActivePrivate.

Also, a successful update will invalidate (delete) the Repository's cache of the oidc.Provider for the AuthMethod.

func (*Repository) UpdateManagedGroup added in v0.3.0 

func (r *Repository) UpdateManagedGroup(ctx context.Context, scopeId string, mg *ManagedGroup, version uint32, fieldMaskPaths []string, opt ...Option) (*ManagedGroup, int, error)

UpdateManagedGroup updates the repository entry for mg.PublicId with the values in mg for the fields listed in fieldMaskPaths. It returns a new ManagedGroup containing the updated values and a count of the number of records updated. mg is not changed.

mg must contain a valid PublicId. Only mg.Name, mg.Description, and mg.Filter can be updated. If mg.Name is set to a non-empty string, it must be unique within mg.AuthMethodId.

An attribute of a will be set to NULL in the database if the attribute in a is the zero value and it is included in fieldMaskPaths.

func (*Repository) ValidateDiscoveryInfo 

func (r *Repository) ValidateDiscoveryInfo(ctx context.Context, opt ...Option) error

ValidateDiscoveryInfo will test/validate the provided AuthMethod against the info from it's discovery URL.

It will verify that all required fields for a working AuthMethod have values.

If the AuthMethod is complete, ValidateDiscoveryInfo retrieves the auth method's OpenID Configuration document. The values in the AuthMethod (and associated data) are validated with the retrieved document. The issuer and id token signing algorithm in the configuration are validated with the retrieved document. ValidateDiscoveryInfo also verifies the authorization, token, and userinfo endpoints by connecting to each and uses any certificates in the configuration as trust anchors to confirm connectivity.

Options supported are: WithPublicId, WithAuthMethod

type SigningAlg 

type SigningAlg struct {
	*store.SigningAlg
	// contains filtered or unexported fields
}

SigningAlg defines an signing algorithm supported by an OIDC auth method. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its SigningAlgs. SigningAlgs are value objects of an AuthMethod, therefore there's no need for oplog metadata, since only the AuthMethod will have metadata because it's the root aggregate.

func AllocSigningAlg 

func AllocSigningAlg() SigningAlg

AllocSigningAlg makes an empty one in memory

func NewSigningAlg 

func NewSigningAlg(ctx context.Context, authMethodId string, alg Alg) (*SigningAlg, error)

NewSigningAlg creates a new in memory signing alg assigned to an OIDC AuthMethod. It supports no options.

func (*SigningAlg) Clone 

func (s *SigningAlg) Clone() *SigningAlg

Clone a SigningAlg

func (*SigningAlg) SetTableName 

func (s *SigningAlg) SetTableName(n string)

SetTableName sets the table name.

func (*SigningAlg) TableName 

func (s *SigningAlg) TableName() string

TableName returns the table name.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.