callouthook

package

v0.0.0-...-147f0cf Latest Latest Go to latest Published: Oct 27, 2023 License: MIT Imports: 11 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/hiveot/hub

Documentation ¶

Index ¶

type NatsCalloutHook
- func EnableNatsCalloutHook(srv *service.NatsMsgServer) (*NatsCalloutHook, error)
- func (chook *NatsCalloutHook) GetCounters() (int, int)
type NatsCalloutVerifier
- func NewNatsCoVerifier(msgServer *service.NatsMsgServer, caCert *x509.Certificate) *NatsCalloutVerifier

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type NatsCalloutHook ¶

type NatsCalloutHook struct {
	// contains filtered or unexported fields
}

NatsCalloutHook provides an easy-to-use hook to enable callout in the NATS server. It combines the various parts needed to function, such as account, nkeys, auth request handler and auth response creator. Intended for handling callouts in server mode. Not for use in operator mode. (that is a lot of work just to get your own authn handler called)

func EnableNatsCalloutHook ¶

func EnableNatsCalloutHook(
	srv *service.NatsMsgServer,

) (*NatsCalloutHook, error)

EnableNatsCalloutHook create an instance of the NATS callout hook for use with NKey based configuration options. This configures the server to use callout hooks and subscribes to requests using the given connection.

Reload the server options for it to take effect.

NOTE: If password users are defined, server will report an error "Authorization callout user %q not valid". This is because auth.go:291 which does a check but skips nkeys if any user is defined in natsOpts. As this is a check only, it can be ignored. However it would be better to let the callout validator to handle the password auth and not apply these in nats users options.

serverOpts is the server mode options struct to update
issuerAccountName is the name of the account used to issue the JWT tokens
issuerAccountKey is the key-pair of the account used to issue the JWT tokens
nc is the nats connection to use
authnVerifier is the callback handler to verify an authn request

func (*NatsCalloutHook) GetCounters ¶

func (chook *NatsCalloutHook) GetCounters() (int, int)

GetCounters return the number of success and failed callout requests

type NatsCalloutVerifier ¶

type NatsCalloutVerifier struct {
	// contains filtered or unexported fields
}

NatsCalloutVerifier provides client verification using callout hooks.

callout -> handler -> tokenizer -> verify ? auth -> server -> createToken -> tokenizer -> create ? needs authz ?

This support authentication using password, nkey, certificate, and jwt token To use, provide 'VerifyAuthnReq' to EnableNatsCalloutHook(), which determines the authn method to use.

func NewNatsCoVerifier ¶

func NewNatsCoVerifier(
	msgServer *service.NatsMsgServer, caCert *x509.Certificate) *NatsCalloutVerifier

func (*NatsCalloutVerifier) VerifyAuthnReq ¶

func (v *NatsCalloutVerifier) VerifyAuthnReq(claims *jwt.AuthorizationRequestClaims) (clientID string, err error)

VerifyAuthnReq the authentication request For use with the callout hook to verify various means of authentication. claims contains various possible svc methods: password, nkey, jwt, certs

Note that NATS server can already authenticate password, nkey, cert, and jwt tokens. However, NATS doesn't do multiple methods of password, nkey,cert and jwt. This verifier does them all. Since the server is updated with client auth info, actual verification goes back to the server. effectively a very roundabout way of doing what the server should have been able to.

func (*NatsCalloutVerifier) VerifyClientCert ¶

func (v *NatsCalloutVerifier) VerifyClientCert(claims *jwt.AuthorizationRequestClaims) (string, error)

VerifyClientCert checks that a client certificate is used to connect and is that of the claimed clientID. There is no documentation on how to use this so this uses the claims.TLS.VerifiedChains field, as the claims.TLS.Cert field is empty.

func (*NatsCalloutVerifier) VerifyNKey ¶

func (v *NatsCalloutVerifier) VerifyNKey(claims *jwt.AuthorizationRequestClaims) (string, error)

VerifyNKey claim Don't use this as it is incomplete. nats-server nkey change is embedded deep into its auth code and can't be easily separated. Workaround: let server handle NKeys through static config.

See also nats-server auth.go:990 for dealing with nkeys. It aint pretty.

func (*NatsCalloutVerifier) VerifyPassword ¶

func (v *NatsCalloutVerifier) VerifyPassword(claims *jwt.AuthorizationRequestClaims) (string, error)

VerifyPassword checks the password claim

func (*NatsCalloutVerifier) VerifyToken ¶

func (v *NatsCalloutVerifier) VerifyToken(claims *jwt.AuthorizationRequestClaims) (string, error)

VerifyToken verifies any JWT token

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL