core

package
Published: Apr 3, 2024 License: MPL-2.0 Imports: 5 Imported by: 0


Constants

// SAMLVersion2 is the SAML protocol version string carried in the Version
// attribute of every request and response this package builds (see
// RequestResponseCommon.Version and saml-core 3.2.1).
const SAMLVersion2 = "2.0"

Variables

This section is empty.

Functions

This section is empty.

Types

type Assertion

// Assertion wraps a types.Assertion (the <saml:Assertion> element, saml-core
// 2.3.3) and adds convenience accessors. Wrapping does not imply the
// Assertion has been validated: none of the accessor signatures report a
// verification outcome, so the caller is responsible for verifying the
// enclosing XML signature, the Issuer, Conditions (NotBefore/NotOnOrAfter,
// AudienceRestriction) and SubjectConfirmation before trusting anything
// read through this type.
type Assertion struct {
	types.Assertion
}

Assertion is a SAML Assertion element. See 2.3.3 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

func (*Assertion) Attributes

func (a *Assertion) Attributes() []Attribute

Attributes returns the attributes of the Assertion. If there is no AttributeStatement or no contained Attributes, an empty list is returned. The accessor has no error return and reports no validation outcome, so the caller must have verified the Assertion's signature and Conditions before acting on any attribute value; attribute names and values are issuer-supplied input and should be validated (and escaped before rendering) even then.

func (*Assertion) Issuer

func (a *Assertion) Issuer() string

Issuer returns the issuer of the Assertion if it exists. Otherwise, it returns an empty string. Callers must compare the returned value with the entityID of the identity provider they expect and reject the Assertion on mismatch or on an empty value; the Issuer element is only meaningful once the signature covering it has been verified with that provider's key.

func (*Assertion) SubjectNameID

func (a *Assertion) SubjectNameID() string

SubjectNameID returns the value of the NameID element if it exists in the Subject of the Assertion. Otherwise, it returns an empty string. The bare value does not identify a principal on its own: compare it together with its Format and qualifiers (see NameIDType), and only after the Assertion's SubjectConfirmation and Conditions have been validated.

type Attribute

// Attribute wraps a types.Attribute (the <saml:Attribute> element, saml-core
// 2.7.3.1). Attribute names and values are supplied by the issuer; treat
// them as untrusted input — validate before using them in authorization
// decisions and escape before rendering — even after the enclosing
// Assertion's signature has been verified.
type Attribute struct {
	types.Attribute
}

Attribute is a SAML Attribute element. See 2.7.3.1 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type AuthnRequest

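// AuthnRequest is the <samlp:AuthnRequest> protocol message a service
// provider sends to an identity provider to start authentication
// (saml-core 3.4.1). Child elements are marshaled in struct-field order,
// which matches the schema sequence (Subject, NameIDPolicy, Conditions,
// RequestedAuthnContext, Scoping).
//
// StatusRequestType is not visible in this listing; presumably it is the
// embedded carrier of ID, Version, IssueInstant, Issuer, Signature and
// Destination — confirm against its definition.
type AuthnRequest struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`

	StatusRequestType

	// Optional child elements. Nil pointers are not emitted. The element
	// name of RequestedAuthContext comes from the XMLName of its type, so
	// the misspelled field name is never written to the wire.
	Subject              *Subject
	NameIDPolicy         *NameIDPolicy `xml:",omitempty"`
	Conditions           *Conditions
	RequestedAuthContext *RequestedAuthnContext
	Scoping              *Scoping

	// ForceAuthn asks the IdP to re-authenticate the principal even if a
	// session already exists; IsPassive forbids any visible interaction
	// with the user. Both default to false and are omitted when false.
	ForceAuthn bool `xml:",attr,omitempty"`
	IsPassive  bool `xml:",attr,omitempty"`

	// AssertionConsumerServiceIndex and AssertionConsumerServiceURL select
	// where the IdP must deliver the Response; they are mutually exclusive
	// and both optional, so an unset value is omitted rather than emitted
	// as an empty attribute. saml-core 3.4.1 requires the IdP to ensure by
	// some means (SP metadata, or a signature on this request) that the URL
	// is actually associated with the requester; an IdP that skips that
	// check lets a forged request redirect assertions to an endpoint the
	// attacker controls.
	AssertionConsumerServiceIndex string `xml:",attr,omitempty"`
	AssertionConsumerServiceURL   string `xml:",attr,omitempty"`

	// ProtocolBinding is a URI reference identifying the SAML binding the
	// IdP should use when returning the Response (see ServiceBinding). It
	// is optional, omitted when empty, and mutually exclusive with
	// AssertionConsumerServiceIndex.
	ProtocolBinding ServiceBinding `xml:",attr,omitempty"`

	// AttributeConsumingServiceIndex selects an attribute set from SP
	// metadata; ProviderName is a human-readable SP name for display only.
	AttributeConsumingServiceIndex string `xml:",attr,omitempty"`
	ProviderName                   string `xml:",attr,omitempty"`
}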

AuthnRequest is the <samlp:AuthnRequest> message a service provider sends to an identity provider to request authentication of a principal. See 3.4.1 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf (TODO: finish this type.)

func (*AuthnRequest) CreateXMLDocument

func (a *AuthnRequest) CreateXMLDocument(indent int) ([]byte, error)

CreateXMLDocument serialises the AuthnRequest as an XML document; indent is presumably the number of spaces per nesting level (its meaning is not documented here — confirm against the implementation). Nothing in this signature signs the document: if the identity provider requires signed requests, the caller must apply an XML signature to the returned bytes (or sign the HTTP-Redirect query string) itself.

type BaseID

// BaseID carries the two qualifier attributes shared by every SAML
// identifier type (saml-core 2.2.1). NameQualifier scopes the identifier to
// the issuing or federating authority; SPNameQualifier scopes it to a
// particular service provider or affiliation. The spec defines BaseID as an
// abstract extension point, so this struct holds only the attributes; any
// element content would have to come from a type that embeds it.
type BaseID struct {
	NameQualifier   string `xml:",attr,omitempty"`
	SPNameQualifier string `xml:",attr,omitempty"`
}

See 2.2.1 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type Comparison

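// Comparison is the Comparison attribute of <samlp:RequestedAuthnContext>
// (saml-core 3.3.2.2.1). It tells the IdP how to match the requested
// authentication context classes or declarations against the one it will
// report. When the attribute is absent the IdP behaves as for "exact".
// Possible values: "exact", "minimum", "maximum", "better".
//
// "Strength" is judged entirely by the responder. An SP cannot rely on the
// ordering an IdP applies, so after authentication it should still inspect
// the AuthnContextClassRef actually returned rather than assume the
// requested comparison was honoured.
type Comparison string

const (
	// ComparisonExact requires that the resulting authentication context in
	// the authentication statement MUST be the exact match of at least one of
	// the authentication contexts specified. This is the default.
	ComparisonExact Comparison = "exact"

	// ComparisonMin requires that the resulting authentication context in the
	// authentication statement MUST be at least as strong (as deemed by the
	// responder) as one of the authentication contexts specified.
	ComparisonMin Comparison = "minimum"

	// ComparisonMax requires that the resulting authentication context in the
	// authentication statement MUST be as strong as possible (as deemed by the
	// responder) without exceeding the strength of at least one of the
	// authentication contexts specified.
	ComparisonMax Comparison = "maximum"

	// ComparisonBetter requires that the resulting authentication context in
	// the authentication statement MUST be stronger (as deemed by the
	// responder) than any one of the authentication contexts specified.
	ComparisonBetter Comparison = "better"

	// ComparsionMin is the original, misspelled name of ComparisonMin, kept
	// so that existing callers keep compiling.
	//
	// Deprecated: use ComparisonMin.
	ComparsionMin = ComparisonMin

	// ComparsionMax is the original, misspelled name of ComparisonMax, kept
	// so that existing callers keep compiling.
	//
	// Deprecated: use ComparisonMax.
	ComparsionMax = ComparisonMax
)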

type Conditions

// Conditions is a placeholder for the <saml:Conditions> element an
// AuthnRequest may carry to constrain the resulting assertions (saml-core
// 2.5.1, 3.4.1). No fields are modelled yet, so a non-nil *Conditions
// marshals as an empty element. TODO(review): the validity window
// (NotBefore/NotOnOrAfter) and AudienceRestriction are still missing.
type Conditions struct{}

type ConfirmationMethod

// ConfirmationMethod is the Method attribute of <saml:SubjectConfirmation>.
// It indicates the specific method to be used by the relying party to
// determine that the request or message came from a system entity that is
// associated with the subject of the assertion, within the context of a
// particular profile.
//
// See 3. http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
type ConfirmationMethod string

const (
	// ConfirmationMethodHolderOfKey indicates that the subject is confirmed
	// by proving possession of a key. If this method is given, the
	// SubjectConfirmationData MUST contain one or more KeyInfo elements,
	// where KeyInfo identifies a cryptographic key, and the relying party
	// must check that the presenter actually demonstrated possession of that
	// key (e.g. via TLS client authentication or a signature).
	// NOTE(review): SubjectConfirmationData in this package has no KeyInfo
	// field, so holder-of-key cannot currently be expressed end to end.
	//
	// See 3.1 http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
	ConfirmationMethodHolderOfKey ConfirmationMethod = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

	// ConfirmationMethodSenderVouches indicates that no other information is
	// available about the context of use of the assertion; the relying party
	// SHOULD use other means (such as the transport or an enclosing
	// signature) to decide whether the assertion may be accepted.
	//
	// See 3.2 http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
	ConfirmationMethodSenderVouches ConfirmationMethod = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"

	// ConfirmationMethodBearer indicates that whoever presents the assertion
	// is taken to be its subject, subject only to the constraints carried in
	// SubjectConfirmationData. This is the method used by the Web Browser
	// SSO profile, and it is what makes a stolen or replayed assertion
	// dangerous: a relying party MUST enforce NotOnOrAfter, check Recipient
	// against the endpoint the message arrived at, match InResponseTo to an
	// outstanding request, and reject an assertion whose ID it has already
	// accepted (saml-profiles 4.1.4.3, 4.1.4.5).
	//
	// See 3.3 http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
	ConfirmationMethodBearer ConfirmationMethod = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
)

type EncryptedID

// EncryptedID is an <saml:EncryptedID>: an identifier (NameID, BaseID or
// Assertion) protected with XML Encryption (saml-core 2.2.3). EncryptedData
// is required; the spec allows zero or more EncryptedKey elements, but this
// struct carries exactly one and, lacking omitempty or a pointer, always
// emits it — NOTE(review): callers that do not use a wrapped key should
// confirm the peer accepts an empty EncryptedKey.
//
// Decryption yields an identifier that must then be validated exactly as a
// plaintext one would be. Verify the signature on the enclosing message or
// assertion before decrypting: decrypting unauthenticated ciphertext is the
// precondition for the known chosen-ciphertext attacks on XML Encryption.
type EncryptedID struct {
	EncryptedData xmlenc.EncryptedData
	EncryptedKey  xmlenc.EncryptedKey
}

See 2.2.3 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type Extensions

// Extensions is a placeholder for the <samlp:Extensions> element, which
// carries protocol extensions agreed between the communicating parties
// (saml-core 3.2.1). No content is modelled yet; a non-nil *Extensions
// marshals as an empty element. Recipients should ignore extensions they do
// not understand rather than fail on them.
type Extensions struct{}

type IDPEntry

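// IDPEntry names a single identity provider that the requester trusts to
// authenticate the presenter (saml-core 3.4.1.3). All three fields are XML
// attributes of the <samlp:IDPEntry> element, not child elements — the
// previous tags on Name and Loc emitted them as child elements, which is
// schema-invalid. ProviderID is required and always emitted; Name and Loc
// are optional and omitted when empty.
type IDPEntry struct {
	// ProviderID is the unique identifier (entityID) of the identity provider.
	ProviderID string `xml:",attr"`

	// Name is a human-readable name for the identity provider. It is
	// display-only and unauthenticated: never use it as the key for a trust
	// decision, and escape it before rendering.
	Name string `xml:",attr,omitempty"`

	// Loc is a URI reference representing the location of a profile-specific
	// endpoint supporting the authentication request protocol. Because the
	// value is supplied by the requester, an intermediary should only act on
	// it for providers it already trusts through its own metadata.
	Loc string `xml:",attr,omitempty"`
}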

IDPEntry specifies a single identity provider trusted by the requester to authenticate the presenter. See 3.4.1.3 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type IDPList

// IDPList enumerates the identity providers the requester trusts to
// authenticate the presenter (saml-core 3.4.1.3).
type IDPList struct {
	// IDPEntry holds one entry per trusted provider; the spec requires at
	// least one.
	IDPEntry []*IDPEntry

	// GetComplete is a URI reference from which the complete list can be
	// retrieved when this one is partial. NOTE(review): the spec allows at
	// most one <GetComplete> element, whereas a slice emits one element per
	// value — confirm whether this should be a single string. An
	// intermediary that follows it is fetching a URL chosen by the
	// requester, so restrict that to pre-registered, trusted locations.
	GetComplete []string // TODO is this correct?
}

IDPList specifies the identity providers trusted by the requester to authenticate the presenter. See 3.4.1.3 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type Issuer

// Issuer is the <saml:Issuer> element: the entityID of the party that
// created the enclosing assertion or protocol message (saml-core 2.2.5). It
// reuses NameIDType, but with a different default: when Format is omitted
// the "entity" format is in effect, and that format requires
// NameQualifier, SPNameQualifier and SPProvidedID to be omitted (8.3.6),
// so callers should normally set only Value.
//
// A recipient must compare Value against the entityID it has configured
// for the expected sender, and the signature vouching for the message must
// verify under a key known to belong to that entity; the Issuer string by
// itself authenticates nothing.
type Issuer struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`

	NameIDType
}

Issuer, with type NameIDType, provides information about the issuer of a SAML assertion. See 2.2.5 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type NameFormat

// NameFormat is the NameFormat attribute of <saml:Attribute>: it states how
// the attribute's Name is to be interpreted (saml-core 2.7.3.1, 8.2).
type NameFormat string

// NameFormatURI says the attribute name is a URI reference and is compared
// as one (saml-core 8.2.2).
const NameFormatURI = NameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:uri")

type NameIDFormat

// NameIDFormat is the Format attribute of <saml:NameID> and related
// elements: a URI saying how the identifier string is to be interpreted and
// compared. The values below are the formats defined in saml-core 8.3. A
// recipient that receives a format other than the one it requested should
// not silently treat the value as if it were the requested format.
//
// See 8.3 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
type NameIDFormat string

const (
	// See 8.3.1 - 8.3.8 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

	// NameIDFormatUnspecified leaves interpretation to the implementation
	// (8.3.1); linking accounts on such values needs out-of-band agreement.
	NameIDFormatUnspecified NameIDFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
	// NameIDFormatEmail is an e-mail address in RFC 2822 addr-spec form
	// (8.3.2). Whether the IdP verified the address is an IdP policy matter.
	NameIDFormatEmail NameIDFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
	// NameIDFormatX509SubjectName is an X.509 subject distinguished name (8.3.3).
	NameIDFormatX509SubjectName NameIDFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
	// NameIDFormatWindowsDomainQualifiedName is a "DOMAIN\user" style name (8.3.4).
	NameIDFormatWindowsDomainQualifiedName NameIDFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
	// NameIDFormatKerberos is a Kerberos principal name (8.3.5).
	NameIDFormatKerberos NameIDFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
	// NameIDFormatEntity identifies a SAML system entity by entityID (8.3.6);
	// it is the format in effect for Issuer when none is given.
	NameIDFormatEntity NameIDFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
	// NameIDFormatPersistent is an opaque, pairwise, long-lived pseudonym
	// (8.3.7) — the right choice when the SP needs a stable account key.
	NameIDFormatPersistent NameIDFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
	// NameIDFormatTransient is an opaque identifier valid for a single
	// session (8.3.8); it must not be used as a stable account key.
	NameIDFormatTransient NameIDFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
)

type NameIDPolicy

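// NameIDPolicy constrains the name identifier the IdP may use to represent
// the requested subject (saml-core 3.4.1.1). All three fields are attributes
// of the <samlp:NameIDPolicy> element. Format was previously tagged as a
// child element, which produced a schema-invalid <Format> child instead of
// the Format attribute; it is now an optional attribute like the others.
type NameIDPolicy struct {
	// Format is the URI of the requested identifier format (see
	// NameIDFormat). The special value
	// "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted" asks the IdP to
	// return an EncryptedID instead. Optional; omitted when empty.
	Format NameIDFormat `xml:",attr,omitempty"`

	// SPNameQualifier names the service provider or affiliation the
	// identifier should be qualified for; it defaults to the requester.
	SPNameQualifier string `xml:",attr,omitempty"`

	// AllowCreate permits the IdP to establish a new identifier for the
	// principal. It is always emitted; the schema default when absent is
	// false, so an explicit "false" is equivalent to omitting it.
	AllowCreate bool `xml:",attr"`
}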

NameIDPolicy specifies constraints on the name identifier to be used to represent the requested subject. See 3.4.1.1 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type NameIDType

// NameIDType is the content model shared by <saml:NameID> and
// <saml:Issuer> (saml-core 2.2.2): the identifier string plus the
// qualifiers that scope it. Identifiers are generally compared on Value
// together with Format and the qualifiers, not on Value alone, since the
// same string can name different principals in different namespaces.
type NameIDType struct {
	// NameQualifier is the security or administrative domain that qualifies
	// the identifier (typically the issuing IdP's entityID).
	NameQualifier string `xml:",attr,omitempty"`
	// SPNameQualifier further qualifies the identifier by the service
	// provider or affiliation it was issued for.
	SPNameQualifier string `xml:",attr,omitempty"`
	// Format is the identifier format URI (see NameIDFormat). When absent,
	// a NameID is treated as "unspecified" (8.3.1) and an Issuer as
	// "entity" (2.2.5).
	Format NameIDFormat `xml:",attr,omitempty"`
	// SPProvidedID is an alternative identifier established by the service
	// provider, used with persistent identifiers (8.3.7).
	SPProvidedID string `xml:",attr,omitempty"`

	// Value is the identifier itself, carried as the element's text content.
	Value string `xml:",chardata"`
}

See 2.2.2 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type RequestResponseCommon

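// RequestResponseCommon holds the attributes and child elements shared by
// every SAML request and response (saml-core 3.2.1, 3.2.2). It is intended
// to be embedded in a concrete message type.
type RequestResponseCommon struct {
	// ID is the message identifier (required). It is an xs:ID, so it must
	// start with a letter or underscore, and saml-core 1.3.4 requires the
	// collision probability of two identifiers to be at most 2^-128 — draw
	// it from a cryptographic RNG (e.g. "_" followed by 20 random bytes in
	// hex). Responders echo it in InResponseTo and an SP uses it to tie a
	// Response to an outstanding request, so it must not be guessable.
	ID string `xml:",attr"`
	// Version is the protocol version (required); see SAMLVersion2.
	Version string `xml:",attr"`

	// IssueInstant is the time instant of issue of the request (required).
	// SAML time values MUST be in UTC with no zone offset (saml-core 1.3.3).
	// encoding/xml writes time.Time through MarshalText (RFC 3339), so pass
	// a UTC value such as time.Now().UTC(); a local time would be emitted
	// with an offset that some recipients reject.
	IssueInstant time.Time `xml:",attr"`

	// Consent indicates whether and how the principal consented to the
	// message (optional; omitted when empty). TODO: define constants for
	// the consent URIs in saml-core 8.4.
	Consent string `xml:",attr,omitempty"`

	// Issuer identifies the sender (recommended; the Web Browser SSO
	// profile requires it on AuthnRequest and Response).
	Issuer *Issuer

	// Singature is a misspelling of Signature that cannot be renamed without
	// breaking callers. NOTE(review): it is also the wrong shape — a SAML
	// message signature is a <ds:Signature> element tree, and a string here
	// marshals as a <Singature> text element that no verifier recognises.
	// Sign the serialised document with an XML-DSig implementation instead
	// of populating this field.
	Singature string `xml:",omitempty"`

	// Extensions carries agreed-upon protocol extensions (optional).
	Extensions *Extensions

	// Destination is the URI the message was sent to. It is optional and is
	// now omitted when empty instead of being emitted as Destination="",
	// which a recipient would have to reject. Signed messages carried by
	// the HTTP bindings MUST set it, and the recipient MUST compare it with
	// the URL at which the message actually arrived and discard the message
	// on mismatch (saml-core 3.2.1) — this is what stops a signed message
	// from being replayed to a different endpoint.
	Destination string `xml:",attr,omitempty"`
}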

See 3.2 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type RequestedAuthnContext

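// RequestedAuthnContext specifies the authentication context requirements
// of the authentication statements returned in response to a request or
// query (saml-core 3.3.2.2.1).
type RequestedAuthnContext struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol RequestedAuthnContext"`

	// AuthnContextClassRef lists one or more authentication context class
	// URIs. The spec alternatively allows AuthnContextDeclRef, which is not
	// modelled here.
	AuthnContextClassRef []string `xml:"urn:oasis:names:tc:SAML:2.0:assertion AuthnContextClassRef"`

	// Comparison says how the IdP should match the requested classes (see
	// Comparison). It is optional and defaults to "exact", so an unset value
	// is omitted rather than emitted as Comparison="", which violates the
	// schema enumeration. Whatever was requested, check the
	// AuthnContextClassRef in the returned assertion before treating the
	// login as having met the requirement (e.g. MFA).
	Comparison Comparison `xml:",attr,omitempty"`
}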

RequestedAuthnContext specifies the authentication context requirements of authentication statements returned in response to a request or query. See 3.3.2.2.1 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type Response

// Response wraps a types.Response (the <samlp:Response> message, saml-core
// 3.3.3) and adds convenience accessors. The accessors return no error and
// take no verification input, so wrapping a Response says nothing about its
// trustworthiness: check the Status, verify the signature on the Response
// and/or on each Assertion with the expected IdP's key, and validate
// Destination, InResponseTo, Issuer and each Assertion's Conditions and
// SubjectConfirmation before using anything Assertions() returns.
type Response struct {
	types.Response
}

Response is a SAML Response element. See 3.3.3 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

func (*Response) Assertions

func (r *Response) Assertions() []Assertion

Assertions returns the assertions carried in the Response. The method returns no error and takes no verification input, so it cannot report whether the Response or its assertions have been signature-checked; callers must verify the signature(s) with the expected identity provider's key and validate Status, Destination, InResponseTo, Conditions and SubjectConfirmation before acting on any returned Assertion.

func (*Response) Issuer

func (r *Response) Issuer() string

Issuer returns the issuer of the Response if it exists. Otherwise, it returns an empty string. Compare it against the entityID of the expected identity provider and reject the Response on mismatch or on an empty value; the string is only meaningful once the Response's signature has been verified with that provider's key.

type Scoping

// Scoping limits which identity providers may be used to satisfy the
// AuthnRequest and how far it may be proxied (saml-core 3.4.1.2).
type Scoping struct {
	// ProxyCount specifies the number of proxying indirections permissible
	// between the identity provider that receives this AuthnRequest and the
	// identity provider who ultimately authenticates the principal. A count
	// of zero permits no proxying. NOTE(review): the attribute has no
	// omitempty, so a zero-value Scoping is emitted as ProxyCount="0" —
	// i.e. "do not proxy" — which is stricter than leaving the attribute
	// out; expressing "unspecified" would need a *int.
	ProxyCount int `xml:",attr"`

	// IDPList enumerates the identity providers trusted by the requester.
	IDPList *IDPList

	// RequesterID lists, by entityID, the requesters on whose behalf this
	// request is made, used when the request is itself being proxied.
	RequesterID []string
}

Scoping constrains which identity providers may satisfy the request and how many proxying hops are permitted. (TODO: not important for the first MVP.) See 3.4.1.2 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type ServiceBinding

// ServiceBinding is a SAML binding URI, as used in the ProtocolBinding
// attribute of an AuthnRequest and in metadata endpoint descriptors. See the
// SAML bindings specification,
// http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
type ServiceBinding string

// The bindings this package names.
const (
	// ServiceBindingHTTPPost carries the message base64-encoded in an HTML
	// form. It is the binding a Response normally arrives over; the Web
	// Browser SSO profile forbids returning a Response by HTTP-Redirect.
	ServiceBindingHTTPPost = ServiceBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")

	// ServiceBindingHTTPRedirect carries the message deflated and
	// base64/URL-encoded in the query string; any signature covers the
	// query parameters (SigAlg/Signature) rather than living inside the XML.
	ServiceBindingHTTPRedirect = ServiceBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")

	// ServiceBindingSOAP carries the message in a SOAP envelope, typically
	// for back-channel exchanges such as artifact resolution.
	ServiceBindingSOAP = ServiceBinding("urn:oasis:names:tc:SAML:2.0:bindings:SOAP")
)

type StatusCodeType

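// StatusCodeType is the Value attribute of a <samlp:StatusCode> in a SAML
// Response. Only the first four values (Success, Requester, Responder,
// VersionMismatch) may appear at the top level; the remaining values appear
// in a nested second-level <StatusCode> that refines the top-level one
// (saml-core 3.2.2.2). A recipient must treat exactly StatusCodeSuccess as
// success and every other top-level code as a failed exchange, whatever
// assertions the Response happens to carry.
//
// The possible status codes are defined in:
// 3.2.2.2 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
type StatusCodeType string

const (
	// StatusCodeSuccess indicates that the request succeeded.
	StatusCodeSuccess StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:Success"

	// StatusCodeRequester indicates that the request could not be performed due to
	// an error on the part of the requester.
	StatusCodeRequester StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:Requester"

	// StatusCodeResponder indicates that the request could not be performed due to
	// an error on the part of the SAML responder or SAML authority.
	StatusCodeResponder StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:Responder"

	// StatusCodeVersionMismatch indicates that the SAML responder could not process the
	// request because the version of the request message was incorrect.
	StatusCodeVersionMismatch StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"

	// StatusCodeAuthnFailed indicates that the responding provider was unable to successfully
	// authenticate the principal.
	StatusCodeAuthnFailed StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

	// StatusCodeInvalidAttrNameOrValue indicates that unexpected or invalid content was
	// encountered within a <saml:Attribute> or <saml:AttributeValue> element.
	StatusCodeInvalidAttrNameOrValue StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue"

	// StatusCodeInvalidNameIDPolicy indicates that the responding provider cannot or will not support the
	// requested name identifier policy.
	StatusCodeInvalidNameIDPolicy StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

	// StatusCodeNoAuthnContext indicates that the specified authentication context requirements cannot
	// be met by the responder.
	StatusCodeNoAuthnContext StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

	// StatusCodeNoAvailableIDP is used by an intermediary to indicate that none of the supported
	// identity provider <Loc> elements in an <IDPList> can be resolved or that none of the
	// supported identity providers are available.
	StatusCodeNoAvailableIDP StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP"

	// StatusCodeNoPassive indicates that the responding provider cannot authenticate the principal passively,
	// as has been requested.
	StatusCodeNoPassive StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"

	// StatusCodeNoSupportedIDP is used by an intermediary to indicate that none of the identity providers in an
	// <IDPList> are supported by the intermediary.
	StatusCodeNoSupportedIDP StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP"

	// StatusCodePartialLogout is used by a session authority to indicate to a session participant that it
	// was not able to propagate logout to all other session participants.
	StatusCodePartialLogout StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"

	// StatusCodeProxyCountExceeded indicates that a responding provider cannot authenticate the principal
	// directly and is not permitted to proxy the request further.
	StatusCodeProxyCountExceeded StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded"

	// StatusCodeRequestDenied indicates that the SAML responder or SAML authority is able to process the
	// request but has chosen not to respond. This status code MAY be used when there is concern about the
	// security context of the request message or the sequence of request messages received from a particular
	// requester.
	StatusCodeRequestDenied StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

	// StatusCodeRequestUnsupported indicates that the SAML responder or SAML authority does not support the
	// request.
	StatusCodeRequestUnsupported StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"

	// StatusCodeRequestVersionDeprecated indicates that the SAML responder cannot process any requests with
	// the protocol version specified in the request.
	StatusCodeRequestVersionDeprecated StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated"

	// StatusCodeRequestVersionTooHigh indicates that the SAML responder cannot process the request because
	// the protocol version specified in the request message is a major upgrade from the highest protocol version
	// supported by the responder.
	StatusCodeRequestVersionTooHigh StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh"

	// StatusCodeRequestRequestVersionTooHigh is the original (doubled-prefix) name of
	// StatusCodeRequestVersionTooHigh, kept so existing callers keep compiling.
	//
	// Deprecated: use StatusCodeRequestVersionTooHigh.
	StatusCodeRequestRequestVersionTooHigh = StatusCodeRequestVersionTooHigh

	// StatusCodeRequestVersionTooLow indicates that the SAML responder cannot process the request because
	// the protocol version specified in the request message is too low.
	StatusCodeRequestVersionTooLow StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow"

	// StatusCodeResourceNotRecognized indicates that the resource value provided in the request message is
	// invalid or unrecognized.
	StatusCodeResourceNotRecognized StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized"

	// StatusCodeTooManyResponses indicates that the response message would contain more elements than the SAML
	// responder is able to return.
	StatusCodeTooManyResponses StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:TooManyResponses"

	// StatusCodeUnknownAttrProfile indicates that an entity that has no knowledge of a particular attribute
	// profile has been presented with an attribute drawn from that profile.
	StatusCodeUnknownAttrProfile StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile"

	// StatusCodeUnknownPrincipal indicates that the responding provider does not recognize the principal
	// specified or implied by the request.
	StatusCodeUnknownPrincipal StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"

	// StatusCodeUnsupportedBinding indicates that the SAML responder cannot properly fulfill the request using
	// the protocol binding specified in the request.
	StatusCodeUnsupportedBinding StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"
)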

type Subject

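// Subject identifies the principal an assertion — or, in an AuthnRequest,
// the requested assertion — is about (saml-core 2.4). If entirely omitted
// or if no identifier is included, the presenter of the message is presumed
// to be the requested subject.
//
// Fields are ordered as the schema sequence requires: the identifier
// (exactly one of BaseID, NameID or EncryptedID) first, then zero or more
// SubjectConfirmation elements. encoding/xml emits children in struct-field
// order, and the previous order produced SubjectConfirmation before the
// identifier, which is schema-invalid.
//
// In a received assertion the identifier alone proves nothing: a relying
// party must find a SubjectConfirmation whose Method it supports and whose
// SubjectConfirmationData constraints are satisfied before accepting the
// subject (saml-profiles 4.1.4.3).
type Subject struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Subject"`

	// At most one of the three identifiers should be set.
	BaseID      *BaseID      // optional
	NameID      *NameID      // optional
	EncryptedID *EncryptedID // optional

	SubjectConfirmation []*SubjectConfirmation
}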

Subject specifies the requested subject of the resulting assertion(s). If entirely omitted or if no identifier is included, the presenter of the message is presumed to be the requested subject.

See 2.4 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type SubjectConfirmation

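// SubjectConfirmation states how a relying party can confirm that the
// presenter of an assertion is, or is entitled to act as, its subject
// (saml-core 2.4.1.1). Fields are in schema order — the optional identifier
// of the confirming entity first, then the optional SubjectConfirmationData —
// because encoding/xml emits children in struct-field order; the previous
// order placed SubjectConfirmationData before the identifier, which is
// schema-invalid.
type SubjectConfirmation struct {
	// Method is the confirmation method URI (required); see
	// ConfirmationMethod. A relying party should accept an assertion only on
	// the strength of a SubjectConfirmation whose Method it supports and
	// whose data it has actually checked.
	Method ConfirmationMethod `xml:",attr"`

	// Identifier of the entity expected to satisfy the confirmation, when it
	// differs from the assertion's subject. At most one should be set.
	BaseID      *BaseID      // optional
	NameID      *NameID      // optional
	EncryptedID *EncryptedID // optional

	// SubjectConfirmationData carries the Method-specific constraints
	// (validity window, Recipient, InResponseTo, Address). The key
	// information that holder-of-key requires is not modelled by that type.
	SubjectConfirmationData *SubjectConfirmationData // optional
}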

See 2.4.1.1 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type SubjectConfirmationData

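// SubjectConfirmationData carries the constraints a relying party must check
// before accepting a SubjectConfirmation (saml-core 2.4.1.2). For a bearer
// confirmation in Web Browser SSO the SP MUST enforce NotOnOrAfter, MUST
// check that Recipient equals the URL the assertion was received at, and
// MUST match InResponseTo to a request it actually sent (saml-profiles
// 4.1.4.3); together with remembering already-used assertion IDs, these are
// the replay protections for bearer assertions.
//
// The optional string attributes are omitted when empty so that an unset
// value is not sent as e.g. Recipient="", which a recipient must reject.
// NotBefore and NotOnOrAfter are time.Time values, and encoding/xml cannot
// omit a struct-typed attribute, so an unset time is emitted as
// "0001-01-01T00:00:00Z": a zero NotOnOrAfter yields an assertion that is
// already expired, and the profile in fact forbids NotBefore on a bearer
// SubjectConfirmationData (saml-profiles 4.1.4.2). Set the times in UTC, or
// change the fields to *time.Time (an interface change) to express "absent".
type SubjectConfirmationData struct {
	// NotBefore is the earliest instant at which the subject may be confirmed.
	NotBefore time.Time `xml:",attr"` // optional
	// NotOnOrAfter is the instant at which confirmation becomes invalid.
	NotOnOrAfter time.Time `xml:",attr"` // optional
	// Recipient is the URI of the endpoint the assertion is intended for.
	Recipient string `xml:",attr,omitempty"` // optional
	// InResponseTo is the ID of the request this assertion answers.
	InResponseTo string `xml:",attr,omitempty"` // optional
	// Address is the network address the subject presented from. Check it
	// only where the deployment's topology makes it meaningful; proxies and
	// NAT make it unreliable.
	Address string `xml:",attr,omitempty"` // optional
}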

See 2.4.1.2 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type TBD

// TBD is a development-only placeholder marking an attribute or element that
// has not been modelled yet. It carries no data and should not appear in
// message types that are used in production.
type TBD struct{}

TBD indicates that an attribute is yet to be defined. It is only used for development purposes.
