Documentation
¶
Overview ¶
SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC SPDX-License-Identifier: Apache-2.0
SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC SPDX-License-Identifier: Apache-2.0
SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC SPDX-License-Identifier: Apache-2.0
SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC SPDX-License-Identifier: Apache-2.0
SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC SPDX-License-Identifier: Apache-2.0
SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC SPDX-License-Identifier: Apache-2.0
SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC SPDX-License-Identifier: Apache-2.0
SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC SPDX-License-Identifier: Apache-2.0
Index ¶
- Constants
- Variables
- func DecodeRemoteClaimsResponse(_ context.Context, response *http.Response) (interface{}, error)
- func DecodeServerRequest(rb RequestBuilders) func(context.Context, *http.Request) (interface{}, error)
- func EncodeIssueResponse(_ context.Context, response http.ResponseWriter, value interface{}) error
- func NewClaimsEndpoint(cb ClaimBuilder) endpoint.Endpoint
- func NewIssueEndpoint(f Factory) endpoint.Endpoint
- func Unmarshal(configKey string, b ...RequestBuilder) func(TokenIn) (TokenOut, error)
- type BuildError
- type ClaimBuilder
- type ClaimBuilderFunc
- type ClaimBuilders
- type ClaimsHandler
- type DecodeClaimsError
- type Factory
- type InvalidPartnerIDError
- type IssueHandler
- type Options
- type PartnerID
- type RemoteClaims
- type Request
- type RequestBuilder
- type RequestBuilderFunc
- type RequestBuilders
- type TokenIn
- type TokenOut
- type Value
Constants ¶
const (
DefaultAlg = "RS256"
)
Variables ¶
var ( ErrRemoteURLRequired = errors.New("A URL for the remote claimer is required") ErrMissingKey = errors.New("A key is required for all claims and metadata values") )
var (
ErrVariableNotAllowed = errors.New("Either header/parameter or variable can specified, but not all three")
)
Functions ¶
func DecodeServerRequest ¶
func EncodeIssueResponse ¶
func EncodeIssueResponse(_ context.Context, response http.ResponseWriter, value interface{}) error
func NewClaimsEndpoint ¶
func NewClaimsEndpoint(cb ClaimBuilder) endpoint.Endpoint
NewClaimsEndpoint returns a go-kit endpoint that returns just the claims
func NewIssueEndpoint ¶
NewIssueEndpoint returns a go-kit endpoint for a token factory's NewToken method
Types ¶
type BuildError ¶ added in v0.4.1
type BuildError struct {
Err error
}
BuildError is the error type usually returned by RequestBuilder.Build to indicate what happened during each request builder.
func (BuildError) Error ¶ added in v0.4.1
func (be BuildError) Error() string
Error returns the nested error's Error text
func (BuildError) StatusCode ¶ added in v0.4.1
func (be BuildError) StatusCode() int
StatusCode returns the largest numeric HTTP status code of any embedded errors, or http.StatusBadRequest is none of the embedded errors reported status codes.
func (BuildError) Unwrap ¶ added in v0.4.1
func (be BuildError) Unwrap() error
type ClaimBuilder ¶
ClaimBuilder is a strategy for building token claims, given a token Request
type ClaimBuilderFunc ¶
type ClaimBuilders ¶
type ClaimBuilders []ClaimBuilder
ClaimBuilders implements a pipeline of ClaimBuilder instances, invoked in sequence.
func NewClaimBuilders ¶
func NewClaimBuilders(n random.Noncer, client xhttpclient.Interface, o Options) (ClaimBuilders, error)
NewClaimBuilders constructs a ClaimBuilders from configuration. The returned instance is typically used in configuration a token Factory. It can be used as a standalone service component with an endpoint.
The returned builders do not include those claims derived from HTTP requests. Claims derived from HTTP requests are handled by NewRequestBuilders and DecodeServerRequest.
type ClaimsHandler ¶
func NewClaimsHandler ¶
func NewClaimsHandler(e endpoint.Endpoint, rb RequestBuilders) ClaimsHandler
type DecodeClaimsError ¶ added in v0.3.0
func (*DecodeClaimsError) Error ¶ added in v0.3.0
func (dce *DecodeClaimsError) Error() string
func (*DecodeClaimsError) MarshalJSON ¶ added in v0.3.0
func (dce *DecodeClaimsError) MarshalJSON() ([]byte, error)
func (*DecodeClaimsError) Unwrap ¶ added in v0.3.0
func (dce *DecodeClaimsError) Unwrap() error
type Factory ¶
type Factory interface {
// NewToken uses a Request to produce a signed JWT token
NewToken(context.Context, *Request) (string, error)
}
Factory is a creation strategy for signed JWT tokens
func NewFactory ¶
NewFactory creates a token Factory from a Descriptor. The supplied Noncer is used if and only if d.Nonce is true. Alternatively, supplying a nil Noncer will disable nonce creation altogether. The token's key pair is registered with the given key Registry.
type InvalidPartnerIDError ¶ added in v0.4.1
type InvalidPartnerIDError struct{}
InvalidPartnerIDError is the error object returned when a blank, wildcard, or otherwise invalid partner id is submitted
func (InvalidPartnerIDError) Error ¶ added in v0.4.1
func (ipe InvalidPartnerIDError) Error() string
Error returns the error string associated with an invalid partner id
func (InvalidPartnerIDError) StatusCode ¶ added in v0.4.1
func (ipe InvalidPartnerIDError) StatusCode() int
type IssueHandler ¶
func NewIssueHandler ¶
func NewIssueHandler(e endpoint.Endpoint, rb RequestBuilders) IssueHandler
type Options ¶
type Options struct {
// Alg is the required JWT signing algorithm to use
Alg string
// Key describes the signing key to use
Key key.Descriptor
// Claims is an optional map of claims to add to every token emitted by this factory.
// Any claims here can be overridden by claims within a token Request.
//
// None of these claims receive any special processing. They are copied as is from the HTTP request
// or statically from configuration. For special processing around the partner id, set the PartnerID field.
Claims []Value
// Metadata describes non-claim data, which can be statically configured or supplied via a request
Metadata []Value
// PartnerID is the optional partner id configuration. If unset, no partner id processing is
// performed, though a partner id may still be configured as part of the claims.
PartnerID *PartnerID
// Nonce indicates whether a nonce (jti) should be applied to each token emitted
// by this factory.
Nonce bool
// DisableTime completely disables all time-based claims, such as iat. Setting this to true
// also causes Duration and NotBeforeDelta to be ignored.
DisableTime bool
// Duration specifies how long the token should be valid for. An exp claim is set
// using this duration from the current time if this field is positive.
Duration time.Duration
// DisableNotBefore specifically controls the nbf claim.
DisableNotBefore bool
// NotBeforeDelta is a golang duration that determines the nbf field. This field
// is parsed and added to the current time at the moment a token is issued. The result
// is set as an nbf claim. Note that the duration may be zero or negative.
//
// If either DisableTime or DisableNotBefore are true, this field is ignored and no nbf claim is emitted.
NotBeforeDelta time.Duration
// Remote specifies an optional external system that takes metadata from a token request
// and returns a set of claims to be merged into tokens returned by the Factory. Returned
// claims from the remote system do not override claims configured on the Factory.
Remote *RemoteClaims
}
Options holds the configurable information for a token Factory
type PartnerID ¶ added in v0.4.1
type PartnerID struct {
// Claim is the name of the claim key for the partner id. If unset, no claim is set.
Claim string
// Metadata is the name of the metadata key for the partner id. If unset, no metadata
// is set and thus the partner id won't be transmitted to remote systems.
Metadata string
// Header is the HTTP header containing the partner id
Header string
// Parameter is the HTTP parameter containing the partner id
Parameter string
// Default is the default value for the partner id
Default string
}
PartnerID describes how to extract the partner id from an HTTP request. Partner IDs require some special processing.
type RemoteClaims ¶
type RemoteClaims struct {
// Method is the HTTP method used to invoke the URL
Method string
// URL is the remote endpoint that is expected to receive Request.Metadata and return a JSON document
// which is merged into the token claims
URL string
}
RemoteClaims describes a remote HTTP endpoint that can produce claims given the metadata from a token request.
type Request ¶
type Request struct {
// Claims holds the extra claims to add to tokens. These claims will override any configured claims in a Factory,
// but will not override time-based claims such as nbf or exp.
Claims map[string]interface{}
// Metadata holds non-claim information about the request, usually garnered from the original HTTP request. This
// metadata is available to lower levels of infrastructure used by the Factory.
Metadata map[string]interface{}
}
Request is a token creation request. Clients can pass in arbitrary claims, typically things like "iss", to merge and override anything set on the factory via configuration.
func BuildRequest ¶
func BuildRequest(original *http.Request, rb RequestBuilders) (*Request, error)
BuildRequest applies a sequence of RequestBuilder instances to produce a token factory Request
func NewRequest ¶
func NewRequest() *Request
NewRequest returns an empty, fully initialized token Request
type RequestBuilder ¶
RequestBuilder is a strategy for building a token factory Request from an HTTP request.
Note: before invoking a RequestBuilder, calling code should parse the HTTP request form.
type RequestBuilderFunc ¶
type RequestBuilders ¶
type RequestBuilders []RequestBuilder
RequestBuilders represents a set of RequestBuilder strategies that can be invoked in sequence.
func NewRequestBuilders ¶
func NewRequestBuilders(o Options) (RequestBuilders, error)
NewRequestBuilders creates a RequestBuilders sequence given an Options configuration. Only claims and metadata that are HTTP-based are included in the results. Claims and metadata that are statically assigned values are handled by ClaimBuilder objects and are part of the Factory configuration.
type TokenIn ¶
type TokenIn struct {
fx.In
Noncer random.Noncer `optional:"true"`
Keys key.Registry
Unmarshaller config.Unmarshaller
Client xhttpclient.Interface `optional:"true"`
}
type TokenOut ¶
type TokenOut struct {
fx.Out
ClaimBuilder ClaimBuilder
Factory Factory
IssueHandler IssueHandler
ClaimsHandler ClaimsHandler
}
type Value ¶
type Value struct {
// Key is the key to use for this value. Typically, this is the name of a claim.
Key string
// Header is an HTTP header from which the value is pulled
Header string
// Parameter is a URL query parameter (including form data) from which the value is pulled
Parameter string
// Variable is a URL gorilla/mux variable from with the value is pulled
Variable string
// JSON is the value embedded as a JSON snippet. If this field is set, Value is ignored.
// Using this field is convenient to avoid viper's lowercasing of keys. It's also handy
// to embed arbitrary structures in claims.
JSON string
// Value is the statically assigned value from configuration
Value interface{}
}
Value describes how to extract a key/value pair from either an HTTP request or from configuration.
func (Value) IsFromHTTP ¶ added in v0.4.5
IsFromHTTP tests if this value is extracted from an HTTP request
func (Value) IsStatic ¶ added in v0.4.5
IsStatic tests if this value is statically configured and does not come from an HTTP request.
func (Value) RawMessage ¶ added in v0.4.5
func (v Value) RawMessage() (json.RawMessage, error)
RawMessage precomputes the JSON for this value. If the JSON field is set, it is verified by unmarshaling. Otherwise, the Value field is marshaled.
Source Files