Back to godoc.org

Package token

v0.4.4
Latest Go to latest

The latest major version is .

Published: May 5, 2020 | License: Apache-2.0 | Module: github.com/xmidt-org/themis

Index

Constants

const (
	DefaultAlg = "RS256"
)

Variables

var (
	ErrRemoteURLRequired = errors.New("A URL for the remote claimer is required")
)
var (
	ErrVariableNotAllowed = errors.New("Either header/parameter or variable can specified, but not all three")
)

func DecodeRemoteClaimsResponse

func DecodeRemoteClaimsResponse(_ context.Context, response *http.Response) (interface{}, error)

func DecodeServerRequest

func DecodeServerRequest(rb RequestBuilders) func(context.Context, *http.Request) (interface{}, error)

func EncodeIssueResponse

func EncodeIssueResponse(_ context.Context, response http.ResponseWriter, value interface{}) error

func NewClaimsEndpoint

func NewClaimsEndpoint(cb ClaimBuilder) endpoint.Endpoint

NewClaimsEndpoint returns a go-kit endpoint that returns just the claims

func NewIssueEndpoint

func NewIssueEndpoint(f Factory) endpoint.Endpoint

NewIssueEndpoint returns a go-kit endpoint for a token factory's NewToken method

func Unmarshal

func Unmarshal(configKey string, b ...RequestBuilder) func(TokenIn) (TokenOut, error)

Unmarshal returns an uber/fx style factory that produces the relevant components for a single token factory.

type BuildError

type BuildError struct {
	Err error
}

BuildError is the error type usually returned by RequestBuilder.Build to indicate what happened during each request builder.

func (BuildError) Error

func (be BuildError) Error() string

Error returns the nested error's Error text

func (BuildError) StatusCode

func (be BuildError) StatusCode() int

StatusCode returns the largest numeric HTTP status code of any embedded errors, or http.StatusBadRequest is none of the embedded errors reported status codes.

func (BuildError) Unwrap

func (be BuildError) Unwrap() error

type ClaimBuilder

type ClaimBuilder interface {
	AddClaims(context.Context, *Request, map[string]interface{}) error
}

ClaimBuilder is a strategy for building token claims, given a token Request

type ClaimBuilderFunc

type ClaimBuilderFunc func(context.Context, *Request, map[string]interface{}) error

func (ClaimBuilderFunc) AddClaims

func (cbf ClaimBuilderFunc) AddClaims(ctx context.Context, tr *Request, target map[string]interface{}) error

type ClaimBuilders

type ClaimBuilders []ClaimBuilder

ClaimBuilders implements a pipeline of ClaimBuilder instances, invoked in sequence.

func NewClaimBuilders

func NewClaimBuilders(n random.Noncer, client xhttpclient.Interface, o Options) (ClaimBuilders, error)

NewClaimBuilders constructs a ClaimBuilders from configuration. The returned instance is typically used in configuration a token Factory. It can be used as a standalone service component with an endpoint.

The returned builders do not include those claims derived from HTTP requests. Claims derived from HTTP requests are handled by NewRequestBuilders and DecodeServerRequest.

func (ClaimBuilders) AddClaims

func (cbs ClaimBuilders) AddClaims(ctx context.Context, r *Request, target map[string]interface{}) error

type ClaimsHandler

type ClaimsHandler http.Handler

type DecodeClaimsError

type DecodeClaimsError struct {
	URL        string
	StatusCode int
	Err        error
}

func (*DecodeClaimsError) Error

func (dce *DecodeClaimsError) Error() string

func (*DecodeClaimsError) MarshalJSON

func (dce *DecodeClaimsError) MarshalJSON() ([]byte, error)

func (*DecodeClaimsError) Unwrap

func (dce *DecodeClaimsError) Unwrap() error

type Factory

type Factory interface {
	// NewToken uses a Request to produce a signed JWT token
	NewToken(context.Context, *Request) (string, error)
}

Factory is a creation strategy for signed JWT tokens

func NewFactory

func NewFactory(o Options, cb ClaimBuilder, kr key.Registry) (Factory, error)

NewFactory creates a token Factory from a Descriptor. The supplied Noncer is used if and only if d.Nonce is true. Alternatively, supplying a nil Noncer will disable nonce creation altogether. The token's key pair is registered with the given key Registry.

type InvalidPartnerIDError

type InvalidPartnerIDError struct{}

InvalidPartnerIDError is the error object returned when a blank, wildcard, or otherwise invalid partner id is submitted

func (InvalidPartnerIDError) Error

func (ipe InvalidPartnerIDError) Error() string

Error returns the error string associated with an invalid partner id

func (InvalidPartnerIDError) StatusCode

func (ipe InvalidPartnerIDError) StatusCode() int

type IssueHandler

type IssueHandler http.Handler

type Options

type Options struct {
	// Alg is the required JWT signing algorithm to use
	Alg string

	// Key describes the signing key to use
	Key key.Descriptor

	// Claims is an optional map of claims to add to every token emitted by this factory.
	// Any claims here can be overridden by claims within a token Request.
	//
	// None of these claims receive any special processing.  They are copied as is from the HTTP request
	// or statically from configuration.  For special processing around the partner id, set the PartnerID field.
	Claims map[string]Value

	// Metadata describes non-claim data, which can be statically configured or supplied via a request
	Metadata map[string]Value

	// PartnerID is the optional partner id configuration.  If unset, no partner id processing is
	// performed, though a partner id may still be configured as part of the claims.
	PartnerID *PartnerID

	// Nonce indicates whether a nonce (jti) should be applied to each token emitted
	// by this factory.
	Nonce bool

	// DisableTime completely disables all time-based claims, such as iat.  Setting this to true
	// also causes Duration and NotBeforeDelta to be ignored.
	DisableTime bool

	// Duration specifies how long the token should be valid for.  An exp claim is set
	// using this duration from the current time if this field is positive.
	Duration time.Duration

	// DisableNotBefore specifically controls the nbf claim.
	DisableNotBefore bool

	// NotBeforeDelta is a golang duration that determines the nbf field.  This field
	// is parsed and added to the current time at the moment a token is issued.  The result
	// is set as an nbf claim.  Note that the duration may be zero or negative.
	//
	// If either DisableTime or DisableNotBefore are true, this field is ignored and no nbf claim is emitted.
	NotBeforeDelta time.Duration

	// Remote specifies an optional external system that takes metadata from a token request
	// and returns a set of claims to be merged into tokens returned by the Factory.  Returned
	// claims from the remote system do not override claims configured on the Factory.
	Remote *RemoteClaims
}

Options holds the configurable information for a token Factory

type PartnerID

type PartnerID struct {
	// Claim is the name of the claim key for the partner id.  If unset, no claim is set.
	Claim string

	// Metadata is the name of the metadata key for the partner id.  If unset, no metadata
	// is set and thus the partner id won't be transmitted to remote systems.
	Metadata string

	// Header is the HTTP header containing the partner id
	Header string

	// Parameter is the HTTP parameter containing the partner id
	Parameter string

	// Default is the default value for the partner id
	Default string
}

PartnerID describes how to extract the partner id from an HTTP request. Partner IDs require some special processing.

type RemoteClaims

type RemoteClaims struct {
	// Method is the HTTP method used to invoke the URL
	Method string

	// URL is the remote endpoint that is expected to receive Request.Metadata and return a JSON document
	// which is merged into the token claims
	URL string
}

RemoteClaims describes a remote HTTP endpoint that can produce claims given the metadata from a token request.

type Request

type Request struct {
	// Claims holds the extra claims to add to tokens.  These claims will override any configured claims in a Factory,
	// but will not override time-based claims such as nbf or exp.
	Claims map[string]interface{}

	// Metadata holds non-claim information about the request, usually garnered from the original HTTP request.  This
	// metadata is available to lower levels of infrastructure used by the Factory.
	Metadata map[string]interface{}
}

Request is a token creation request. Clients can pass in arbitrary claims, typically things like "iss", to merge and override anything set on the factory via configuration.

func BuildRequest

func BuildRequest(original *http.Request, rb RequestBuilders) (*Request, error)

BuildRequest applies a sequence of RequestBuilder instances to produce a token factory Request

func NewRequest

func NewRequest() *Request

NewRequest returns an empty, fully initialized token Request

type RequestBuilder

type RequestBuilder interface {
	Build(*http.Request, *Request) error
}

RequestBuilder is a strategy for building a token factory Request from an HTTP request.

Note: before invoking a RequestBuilder, calling code should parse the HTTP request form.

type RequestBuilderFunc

type RequestBuilderFunc func(*http.Request, *Request) error

func (RequestBuilderFunc) Build

func (rbf RequestBuilderFunc) Build(original *http.Request, tr *Request) error

type RequestBuilders

type RequestBuilders []RequestBuilder

RequestBuilders represents a set of RequestBuilder strategies that can be invoked in sequence.

func NewRequestBuilders

func NewRequestBuilders(o Options) (RequestBuilders, error)

NewRequestBuilders creates a RequestBuilders sequence given an Options configuration. Only claims and metadata that are HTTP-based are included in the results. Claims and metadata that are statically assigned values are handled by ClaimBuilder objects and are part of the Factory configuration.

func (RequestBuilders) Build

func (rbs RequestBuilders) Build(original *http.Request, tr *Request) error

Build invokes each request builder in sequence. Prior to invoking any of the chain of builders,

type TokenIn

type TokenIn struct {
	fx.In

	Noncer       random.Noncer `optional:"true"`
	Keys         key.Registry
	Unmarshaller config.Unmarshaller
	Client       xhttpclient.Interface `optional:"true"`
}

type TokenOut

type TokenOut struct {
	fx.Out

	ClaimBuilder  ClaimBuilder
	Factory       Factory
	IssueHandler  IssueHandler
	ClaimsHandler ClaimsHandler
}

type Value

type Value struct {
	// Header is an HTTP header from which the value is pulled
	Header string

	// Parameter is a URL query parameter (including form data) from which the value is pulled
	Parameter string

	// Variable is a URL gorilla/mux variable from with the value is pulled
	Variable string

	// Value is the statically assigned value from configuration
	Value interface{}
}

Value represents information pulled from either the HTTP request or statically, via config.

Package Files

Documentation was rendered with GOOS=linux and GOARCH=amd64.

Jump to identifier

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to identifier