pantheon_auth

package
v0.0.0-...-34714f6
Published: Feb 20, 2024 License: MIT Imports: 5 Imported by: 0

Documentation


Constants

const (
	// PantheonSite is used as the request context key identifying the client's Site (if present)
	PantheonSite = contextKey("Pantheon Site")

	// PantheonEnv is used as the request context key identifying the client's environment
	// (if present)
	PantheonEnv = contextKey("Pantheon Env")
)

Variables

This section is empty.

Functions

func PantheonSiteAuth

func PantheonSiteAuth(allowedOUs, siteOUs []string, allowSelf bool) []certauth.AuthorizationChecker

Helper function which produces AuthorizationCheckers suitable for use in Pantheon HTTP servers. This function accepts three parameters which determine which clients pass authorization checks and produces two AuthorizationCheckers to implement these checks. `allowedOUs` determines which client OUs will be allowed to pass authorization checks. Clients with an OU within `siteOUs` will be subject to an additional check for valid site authorization. See below for a description of how site authorization works. Requests are allowed if they pass `allowedOUs` *and* site authorization (if applicable). Note that this means `siteOUs` should be a subset of `allowedOUs`; otherwise site authorization checks will always fail. See also the documentation for AllowSpecificOUandCNs for more details on the behavior of `allowedOUs`.

Site authorization checks are intended to protect resources belonging to one site (i.e. with a `site` URI parameter) from being accessed by requests from other sites. For example: if site A makes a request for information belonging to site B, that request should fail the site authorization check.

The way this works hinges on the use of URI parameters with the `httprouter` framework. Essentially, the server can define certain URIs as being site-specific by adding a `site` URI parameter. The site authorization check then compares the `site` URI parameter with the `site` determined from the client certificate's CommonName. If they match, then the request is allowed.

However, this check should only be run for some clients, particularly clients that have authenticated as a site (rather than, for example, a backend service). To conditionally apply this check, the `siteOUs` parameter allows you to specify which Organizational Units this site authorization check should be run for.

In order for site authorization checks to be run, a few things must be true:

1. The server must be using the `httprouter` framework.
2. The server must define the `site` URI parameter in the URI path.
3. The request must be performed against one of the URIs with the `site` parameter.
4. At least one of the request's OUs must be present in the `siteOUs` option of `PantheonSiteAuth`.

If all of these conditions are true, then an additional check is performed. The workflow for this check is:

1. Parse the CommonName of the request's x509 client certificate to obtain the site ID.
2. Obtain the site ID from the URI parameters.
3. Ensure the site ID from the CommonName and the site ID from the URI parameters match.

func ParseSiteEnvFromCN

func ParseSiteEnvFromCN(clientCN string) (string, string, error)

ParseSiteEnvFromCN parses a site id and environment from the provided CN. Also validates that the site ID is a valid UUID. Returns (site, environment, nil) if the clientCN is valid. Returns ("", "", err) if an error occurs.
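The following is an added example, not the package's own code, showing how the OU allow-list, the conditional site check and the CN parsing described above fit together in one authorization decision. The CN layout `<site-uuid>.<env>` and the `siteParam` argument (the `site` URI parameter, as `ps.ByName("site")` would return it, empty when the route has none) are assumptions made for the example; the page does not document the real CN format.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var uuidRe = regexp.MustCompile(`^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`) // canonical 8-4-4-4-12 UUID, lowercase hex

// ParseSiteEnvFromCN assumes a CN of the form "<site-uuid>.<env>" (an assumed format; the page does not document the real one).
func ParseSiteEnvFromCN(cn string) (string, string, error) {
	parts := strings.SplitN(cn, ".", 2)
	if len(parts) != 2 || parts[1] == "" || !uuidRe.MatchString(strings.ToLower(parts[0])) {
		return "", "", fmt.Errorf("CN %q: expected <site-uuid>.<env>", cn)
	}
	return strings.ToLower(parts[0]), parts[1], nil
}

// anyIn reports whether at least one of items is present in set.
func anyIn(set, items []string) bool {
	for _, it := range items {
		for _, s := range set {
			if it == s {
				return true
			}
		}
	}
	return false
}

// Authorize applies the OU allow-list first, then runs the site check only for clients with an OU in siteOUs on routes that carry a `site` param (siteParam = ps.ByName("site"), "" when absent); it returns (site, env) when the site check ran.
func Authorize(allowedOUs, siteOUs, clientOUs []string, clientCN, siteParam string) (string, string, error) {
	if !anyIn(allowedOUs, clientOUs) {
		return "", "", fmt.Errorf("client OUs %v: none is in allowedOUs", clientOUs)
	}
	if !anyIn(siteOUs, clientOUs) || siteParam == "" {
		return "", "", nil // not a site client, or not a site-specific route: the check does not apply
	}
	site, env, err := ParseSiteEnvFromCN(clientCN)
	if err != nil {
		return "", "", err
	}
	if site != strings.ToLower(siteParam) {
		return "", "", fmt.Errorf("site %s may not access resources of site %s", site, siteParam)
	}
	return site, env, nil
}

func main() { // constructed sample: a site client requesting its own site's resource
	fmt.Println(Authorize([]string{"sites"}, []string{"sites"}, []string{"sites"}, "0f3a5b1c-1234-4abc-8def-0123456789ab.live", "0f3a5b1c-1234-4abc-8def-0123456789ab"))
}
```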

Types

type PantheonSiteAuthChecker

type PantheonSiteAuthChecker struct {
	SiteOUs   []string
	AllowSelf bool
}

PantheonSiteAuthChecker is an AuthorizationChecker which performs Pantheon-specific site authorization checks. See the documentation for PantheonSiteAuth for details.

func (PantheonSiteAuthChecker) CheckAuthorization

func (check PantheonSiteAuthChecker) CheckAuthorization(
	clientOU []string, clientCN string,
) (map[certauth.ContextKey]certauth.ContextValue, error)

func (PantheonSiteAuthChecker) CheckAuthorizationWithParams

func (check PantheonSiteAuthChecker) CheckAuthorizationWithParams(
	clientOU []string, clientCN string, ps httprouter.Params,
) (map[certauth.ContextKey]certauth.ContextValue, error)
