package auth

v0.9.0
Warning: This package is not in the latest version of its module.
Published: Feb 21, 2023 License: MIT Imports: 26 Imported by: 0

Documentation
Overview

Package auth handles OpenID Connect (for user identity) and JWT (for machine access tokens) authentication and authorization.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AppendCertsToSystemPool added in v0.1.0

func AppendCertsToSystemPool(pemFile string) (*x509.CertPool, error)

AppendCertsToSystemPool adds the certificates in pemFile to the system cert pool. If the system pool cannot be loaded, the certificates are added to an empty cert pool instead, so only those certificates are trusted.

func Func

func Func(verifier Verifier, th *TokenHandler, l *zap.SugaredLogger, claimConfig ClaimConfig) func(ctx context.Context) (context.Context, error)

Func creates an authentication function that can be used in combination with gRPC middleware.

The function accepts two kinds of tokens. First it verifies, with the TokenHandler's key, whether the token is a valid JWT; if so, access is granted as a machine.

If that fails, it checks whether the token is a valid OIDC ID token; if so, access is granted as a user.

In both successful cases it extracts the user and adds it to the current context.

Reflection and list requests are not authorized.

func NewTLSTransportFromCertPool added in v0.1.0

func NewTLSTransportFromCertPool(pool *x509.CertPool) *http.Transport

NewTLSTransportFromCertPool creates a new *http.Transport whose TLS configuration trusts the given cert pool.

func NewVerifier

func NewVerifier(url, clientID string, timeout time.Duration, transport http.RoundTripper) (*oidc.IDTokenVerifier, error)

NewVerifier creates a new OIDC ID token verifier for the provider at url and the client clientID, using the given timeout and transport for its HTTP requests to the provider.

func StreamAuthorizeInterceptor

func StreamAuthorizeInterceptor(rwRoles ...string) grpc.StreamServerInterceptor

StreamAuthorizeInterceptor authorizes gRPC streams against rwRoles.

func StreamMethodNameInterceptor

func StreamMethodNameInterceptor() grpc.StreamServerInterceptor

StreamMethodNameInterceptor adds the gRPC method name to the context.

func UnaryAuthorizeInterceptor

func UnaryAuthorizeInterceptor(rwRoles ...string) grpc.UnaryServerInterceptor

UnaryAuthorizeInterceptor authorizes unary gRPC requests against rwRoles.

func UnaryMethodNameInterceptor

func UnaryMethodNameInterceptor() grpc.UnaryServerInterceptor

UnaryMethodNameInterceptor adds the gRPC method name to the context.

Types

type Asker

type Asker struct {
	// contains filtered or unexported fields
}

Asker asks for username and password.

func NewAsker

func NewAsker(opts ...Option) *Asker

NewAsker creates a new Asker.

func (*Asker) Ask

func (a *Asker) Ask(in io.Reader, out io.Writer) (*Credentials, error)

Ask prompts for the username and password, reading from in and writing the prompt to out.

type ClaimConfig added in v0.9.0

type ClaimConfig struct {
	// contains filtered or unexported fields
}

ClaimConfig configures which claims the username and roles are read from.

func NewClaimConfig added in v0.9.0

func NewClaimConfig(username, roles string) ClaimConfig

NewClaimConfig creates a new ClaimConfig from the names of the username claim and the roles claim.

func (ClaimConfig) Roles added in v0.9.0

func (c ClaimConfig) Roles(claims claims) []string

Roles gets the roles from the claims map.

func (ClaimConfig) Username added in v0.9.0

func (c ClaimConfig) Username(claims claims) string

Username gets the username from the claims map.

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client handles requests to the Keycloak server.

func NewClient

func NewClient(endPoint, clientID string, opts ...ClientOption) (*Client, error)

NewClient creates a new client with a configured token endpoint.

func (*Client) Refresh

func (c *Client) Refresh(t *Token) (*Token, error)

Refresh refreshes a token if it expires within the next 10 seconds; otherwise the token is returned unchanged.

func (*Client) Token

func (c *Client) Token(username, password string, out io.Writer) (*Token, error)

Token obtains an OAuth 2.0 token using the Resource Owner Password Credentials grant, i.e. the user's password is sent directly to the token endpoint. This grant is discouraged by the OAuth 2.0 Security Best Current Practice because it exposes credentials to the client and bypasses consent and MFA flows; it is only appropriate for trusted first-party CLIs.

type ClientOption

type ClientOption func(a *Client)

ClientOption is a functional option to configure the Client.

func WithTimeout

func WithTimeout(timeout time.Duration) ClientOption

WithTimeout overrides the default timeout of the HTTP client.

func WithTransport added in v0.1.0

func WithTransport(transport http.RoundTripper) ClientOption

WithTransport overrides the default transport of the HTTP client.

type Credentials

type Credentials struct {
	Username string
	Password string
}

Credentials contains username and password.

type Option

type Option func(a *Asker)

Option is a functional option to configure the Asker.

func WithDfltUsername

func WithDfltUsername(username string) Option

WithDfltUsername offers a default username in the prompt.

func WithPrompt

func WithPrompt(prompt string) Option

WithPrompt overrides default `Enter Username` prompt.

type Token

type Token struct {
	Username     string    `yaml:"-"`
	ISS          string    `yaml:"-"`
	AUD          string    `yaml:"-"`
	RefreshToken string    `yaml:"refresh_token"`
	IDToken      string    `yaml:"id_token"`
	AccessToken  string    `yaml:"access_token"`
	Expiry       time.Time `yaml:"-"`
}

Token holds all necessary token info.

func NewToken

func NewToken(idToken, refreshToken string) (*Token, error)

NewToken creates a new Token from idToken and refreshToken.

type TokenClaims

type TokenClaims struct {
	jwt.RegisteredClaims
	Namespaces []string `json:"namespaces,omitempty"`
}

TokenClaims is the JWT registered claims set with an additional list of namespaces.

type TokenHandler

type TokenHandler struct {
	// contains filtered or unexported fields
}

TokenHandler creates and validates machine tokens.

func NewTokenHandler

func NewTokenHandler(secret, issuer string) *TokenHandler

NewTokenHandler creates a new TokenHandler with the given secret and issuer.

func (*TokenHandler) Create

func (t *TokenHandler) Create(id string, expires time.Duration, namespaces ...string) (string, error)

Create creates a new token for id carrying the given namespaces. If expires is 0, the token never expires, so expiry cannot be relied on to retire it; such tokens should be issued sparingly and their secret rotated deliberately.

func (*TokenHandler) IsMachine

func (t *TokenHandler) IsMachine(token string) (bool, error)

IsMachine reports whether token is a machine token issued by the lslb service.

func (*TokenHandler) Validate

func (t *TokenHandler) Validate(token string) (*User, error)

Validate validates a token. If successful, it returns the machine user.
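As an added, stand-alone illustration of what Create and Validate have to get right (this is not the package's own code, which is built on the jwt and oidc libraries it imports), the following uses only the Go standard library to issue and check an HS256 machine token with the claim shape the page describes: a namespaces list, expires == 0 meaning no exp claim at all, the MAC checked before any claim is trusted, the algorithm pinned so an "alg":"none" header is rejected, and issuer and expiry enforced. The type and method names mirror the page's TokenHandler; the issuer string, the secret and the claim modelling are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// machineClaims mirrors the page's TokenClaims (registered claims plus a
// namespaces list); only the claims this example checks are modelled.
type machineClaims struct {
	Issuer     string   `json:"iss"`
	Subject    string   `json:"sub"`
	ExpiresAt  int64    `json:"exp,omitempty"` // absent when expires == 0
	Namespaces []string `json:"namespaces,omitempty"`
}

// MachineUser is the part of the page's User that a machine token yields.
type MachineUser struct {
	Username   string
	Namespaces []string
	ExpiresAt  time.Time // zero when the token never expires
}

// TokenHandler is an assumed stand-in for the page's TokenHandler:
// HS256 over a shared secret, bound to a single issuer.
type TokenHandler struct {
	secret []byte
	issuer string
}

func NewTokenHandler(secret, issuer string) *TokenHandler {
	return &TokenHandler{secret: []byte(secret), issuer: issuer}
}

var b64 = base64.RawURLEncoding

func (t *TokenHandler) sign(input string) []byte {
	m := hmac.New(sha256.New, t.secret)
	m.Write([]byte(input))
	return m.Sum(nil)
}

// Create issues a machine token for id. expires == 0 produces a token with no
// exp claim: it never expires and can only be retired by rotating the secret.
func (t *TokenHandler) Create(id string, expires time.Duration, namespaces ...string) (string, error) {
	c := machineClaims{Issuer: t.issuer, Subject: id, Namespaces: namespaces}
	if expires > 0 {
		c.ExpiresAt = time.Now().Add(expires).Unix()
	}
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(t.sign(input)), nil
}

// Validate checks the MAC before trusting anything in the payload, pins the
// algorithm (so an "alg":"none" header is rejected), and enforces issuer and
// expiry. On success it returns the machine user.
func (t *TokenHandler) Validate(token string) (*MachineUser, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, errors.New("malformed token")
		}
	}
	// hmac.Equal is constant-time; a byte-wise early exit would leak the MAC.
	if !hmac.Equal(raw[2], t.sign(parts[0]+"."+parts[1])) {
		return nil, errors.New("invalid signature")
	}
	var h struct{ Alg string `json:"alg"` }
	if json.Unmarshal(raw[0], &h) != nil || h.Alg != "HS256" {
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	var c machineClaims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Issuer != t.issuer {
		return nil, fmt.Errorf("unexpected issuer %q", c.Issuer)
	}
	u := &MachineUser{Username: c.Subject, Namespaces: c.Namespaces}
	if c.ExpiresAt != 0 {
		u.ExpiresAt = time.Unix(c.ExpiresAt, 0)
		if !time.Now().Before(u.ExpiresAt) {
			return nil, errors.New("token expired")
		}
	}
	return u, nil
}
```

The invariants are the ones any JWT validator must keep regardless of library: verify the signature before parsing claims, never let the token's own header choose the algorithm, check iss against the configured issuer, and treat a missing exp as a deliberate decision rather than a default.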

type TokenKind

type TokenKind int

TokenKind defines the kind of token. There are two kinds: machine and user.

const (
	MachineToken TokenKind = iota // machine
	UserToken                     // user
)

There are two token kinds: machine and user. User tokens are issued by the OIDC provider, whereas machine tokens are issued by the discovery service.

func (TokenKind) String

func (i TokenKind) String() string

type User

type User struct {
	Username   string
	Email      string
	Roles      []string
	Namespaces []string
	ExpiresAt  time.Time
	Kind       TokenKind
}

User is an authenticated principal: an OIDC user or a machine, as indicated by Kind.

func UserFromContext

func UserFromContext(ctx context.Context) (User, bool)

UserFromContext gets the user from the context; the second result is false if no user has been attached.

func (User) HasNamespace

func (u User) HasNamespace(namespaces ...string) bool

HasNamespace returns true if the user has at least one of namespaces.

func (User) HasRole

func (u User) HasRole(roles ...string) bool

HasRole returns true if the user has at least one of roles.

func (User) IsMachine

func (u User) IsMachine() bool

IsMachine returns true if the token corresponds to a machine token and false if it is a user token.

func (User) IsUser

func (u User) IsUser() bool

IsUser returns true if the token corresponds to a user token and false if it is a machine token.
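The flow that Func describes (machine token first, OIDC fallback, user attached to the context) and the role check that the authorize interceptors perform over User are shown together below as an added example; it is not the package's own code. The User, TokenKind and UserFromContext names mirror the page; the Authenticator struct, the metadata map standing in for gRPC metadata, the plain-func verifiers and the Authorize function are assumptions made so the example runs without gRPC or an OIDC provider.

```go
package main

import (
	"context"
	"errors"
	"strings"
	"time"
)

// TokenKind and User mirror the page's types.
type TokenKind int

const (
	MachineToken TokenKind = iota
	UserToken
)

type User struct {
	Username   string
	Email      string
	Roles      []string
	Namespaces []string
	ExpiresAt  time.Time
	Kind       TokenKind
}

// HasRole reports whether the user holds at least one of roles.
func (u User) HasRole(roles ...string) bool { return hasAny(u.Roles, roles) }

// HasNamespace reports whether the user is in at least one of namespaces.
func (u User) HasNamespace(namespaces ...string) bool { return hasAny(u.Namespaces, namespaces) }

func hasAny(have, want []string) bool {
	for _, w := range want {
		for _, h := range have {
			if h == w {
				return true
			}
		}
	}
	return false
}

// userKey is unexported so no other package can read or overwrite the entry
// under a colliding key; only this package can place a User in a context.
type userKey struct{}

func ContextWithUser(ctx context.Context, u User) context.Context {
	return context.WithValue(ctx, userKey{}, u)
}

// UserFromContext gets the user from the context.
func UserFromContext(ctx context.Context) (User, bool) {
	u, ok := ctx.Value(userKey{}).(User)
	return u, ok
}

// Authenticator holds the two verifiers Func consults, assumed here as plain
// funcs: the shared-secret machine-token check and the OIDC ID token check.
type Authenticator struct {
	ValidateMachine func(token string) (User, error)
	VerifyUser      func(ctx context.Context, rawIDToken string) (User, error)
}

// Authenticate follows the order the page describes: machine token first,
// OIDC ID token as fallback; on success the user is attached to the context.
// md stands in for gRPC metadata (lower-cased keys, possibly repeated values).
func (a Authenticator) Authenticate(ctx context.Context, md map[string][]string) (context.Context, error) {
	vals := md["authorization"]
	if len(vals) != 1 {
		return ctx, errors.New("missing or repeated authorization header")
	}
	scheme, token, ok := strings.Cut(vals[0], " ")
	if !ok || !strings.EqualFold(scheme, "Bearer") || token == "" {
		return ctx, errors.New("expected bearer token")
	}
	if u, err := a.ValidateMachine(token); err == nil {
		return ContextWithUser(ctx, u), nil
	}
	u, err := a.VerifyUser(ctx, token)
	if err != nil {
		// Deliberately generic: do not reveal which verifier failed or why.
		return ctx, errors.New("unauthenticated")
	}
	return ContextWithUser(ctx, u), nil
}

// Authorize is the decision an authorize interceptor built with rwRoles would
// make before calling the handler: the context must carry an unexpired user
// holding one of rwRoles. Whether machine tokens are treated differently is
// not stated on the page; here they face the same check.
func Authorize(ctx context.Context, rwRoles ...string) error {
	u, ok := UserFromContext(ctx)
	if !ok {
		return errors.New("unauthenticated")
	}
	if !u.ExpiresAt.IsZero() && !time.Now().Before(u.ExpiresAt) {
		return errors.New("token expired")
	}
	if !u.HasRole(rwRoles...) {
		return errors.New("permission denied")
	}
	return nil
}
```

In a real interceptor the "unauthenticated" and "permission denied" errors would be returned as gRPC status codes Unauthenticated and PermissionDenied. Two choices are deliberate: a repeated authorization header is rejected rather than taking the first value, and an empty rwRoles list denies everyone, so a misconfigured interceptor fails closed.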

type Verifier

type Verifier interface {
	Verify(ctx context.Context, rawIDToken string) (*oidc.IDToken, error)
}

Verifier verifies an OIDC ID token.
