Documentation
Overview
Package authn provides mTLS-based authentication for forwarding Azure credentials into local containers. It enables DefaultAzureCredential to work inside Docker containers by providing a host-side token server that the in-container azd shim communicates with over mTLS.
Index
- Constants
- func ClientTLSConfig(b *Bundle) (*tls.Config, error)
- func GetToken(scope string) (string, time.Time, error)
- func ServerTLSConfig(b *Bundle) (*tls.Config, error)
- func WriteCertsToDir(b *Bundle, dir string) error
- type AzdTokenProvider
- type Bundle
- type Server
- type ServerConfig
- type TokenProvider
- type TokenRequest
- type TokenResponse
Constants
const DefaultCertValidity = 24 * time.Hour
DefaultCertValidity is the validity duration for ephemeral mTLS certificates.
Variables
This section is empty.
Functions
func ClientTLSConfig
func ClientTLSConfig(b *Bundle) (*tls.Config, error)
ClientTLSConfig creates a tls.Config for the client with mTLS enabled. It uses the client certificate and trusts the CA from the bundle.
func GetToken
func GetToken(scope string) (string, time.Time, error)
GetToken retrieves a token for the given scope by calling the azd CLI. It runs "azd auth token --scope <scope> --output json" and parses the result.
SECURITY: Never log the returned token string or raw command output.
func ServerTLSConfig
func ServerTLSConfig(b *Bundle) (*tls.Config, error)
ServerTLSConfig creates a tls.Config for the server with mTLS enabled. It requires and verifies client certificates using the CA from the bundle.
func WriteCertsToDir
func WriteCertsToDir(b *Bundle, dir string) error
WriteCertsToDir writes the CA certificate, client certificate, and client key to the specified directory. These files can be mounted into a container. The files created are:
- ca.pem: CA certificate
- client.pem: Client certificate
- client-key.pem: Client private key
Types
type AzdTokenProvider
type AzdTokenProvider struct{}
AzdTokenProvider implements TokenProvider by calling the azd CLI.
type Bundle
type Bundle struct {
	CACertPEM     []byte
	ServerCertPEM []byte
	ServerKeyPEM  []byte
	ClientCertPEM []byte
	ClientKeyPEM  []byte
}
Bundle holds PEM-encoded mTLS certificate material. A Bundle is safe for concurrent use once created; its fields should not be modified.
func GenerateBundle
GenerateBundle creates a complete set of ephemeral certificates for mTLS authentication. It generates a self-signed CA, a server certificate, and a client certificate. All certificates are valid for 24 hours and use ECDSA P-256 keys. extraSANs are additional DNS names or IP addresses to add to the server certificate.
type Server
type Server struct {
	Config ServerConfig
	// contains filtered or unexported fields
}
Server is an mTLS token server that forwards Azure credential requests to the host's azd CLI.
type ServerConfig
type ServerConfig struct {
	// Port to listen on. Use 0 for auto-assign.
	Port int
	// Bind address. Empty string auto-detects: 0.0.0.0 on Linux, 127.0.0.1 elsewhere.
	Bind string
	// CertsDir is the directory to write client certs. Empty string uses a temp dir.
	CertsDir string
	// AllowedScopes is a comma-separated list of allowed scopes, or "*" for all.
	AllowedScopes string
	// ExtraSANs are additional DNS names or IP addresses for the server certificate.
	ExtraSANs []string
	// OnReady is called after the server starts listening, with the actual port.
	OnReady func(port int)
}
ServerConfig holds the configuration for the mTLS token server.
type TokenProvider
TokenProvider retrieves Azure access tokens for the given scope.
type TokenRequest
type TokenRequest struct {
	Scopes []string `json:"scopes"`
}
TokenRequest is the HTTP API request accepted by the token server.
type TokenResponse
TokenResponse is the HTTP API response returned by the token server.