auth

package
Published: May 22, 2024 License: Apache-2.0 Imports: 29 Imported by: 10

Documentation

Index

Constants

const (
	// OIDCLabelKey is the label key used to filter out all the informers that are related to OIDC work.
	OIDCLabelKey = "oidc"

	// OIDCLabelSelector is the label selector for the OIDC token creator role and rolebinding informers.
	// It currently selects on the presence of OIDCLabelKey alone (no value constraint).
	OIDCLabelSelector = OIDCLabelKey
)
const (
	// AuthHeaderKey is the HTTP header that SetAuthHeader writes the JWT to
	// and that GetJWTFromHeader reads it from.
	AuthHeaderKey = "Authorization"
)
const (
	// TokenExpirationTime is the token lifetime used by this package.
	// NOTE(review): presumably the expiration requested when OIDCTokenProvider
	// mints a JWT and/or the cache bound in GetJWT — confirm against those implementations.
	TokenExpirationTime = time.Hour
)

Variables

This section is empty.

Functions

func DeleteOIDCServiceAccountIfExists added in v0.40.0

func DeleteOIDCServiceAccountIfExists(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) error

DeleteOIDCServiceAccountIfExists makes sure the given resource does not have an OIDC service account. If it does, that service account is deleted.

func EnsureOIDCServiceAccountExistsForResource

func EnsureOIDCServiceAccountExistsForResource(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) error

EnsureOIDCServiceAccountExistsForResource makes sure the given resource has an OIDC service account with an owner reference to the resource set.

func GetAudience

func GetAudience(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string

GetAudience returns the audience string for the given object in the format <group>/<kind>/<namespace>/<name>.

func GetJWTExpiry added in v0.40.0

func GetJWTExpiry(token string) (time.Time, error)

GetJWTExpiry returns the expiry time of the token in UTC.

func GetJWTFromHeader

func GetJWTFromHeader(header http.Header) string

GetJWTFromHeader returns the JWT from the Authorization header.

func GetOIDCServiceAccountForResource

func GetOIDCServiceAccountForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) *v1.ServiceAccount

GetOIDCServiceAccountForResource returns the service account to use for OIDC authentication for the given resource.

func GetOIDCServiceAccountNameForResource

func GetOIDCServiceAccountNameForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string

GetOIDCServiceAccountNameForResource returns the service account name to use for OIDC authentication for the given resource.

func SetAuthHeader

func SetAuthHeader(jwt string, header http.Header)

SetAuthHeader sets the Authorization header with the given JWT.

func SetupOIDCServiceAccount added in v0.40.0

func SetupOIDCServiceAccount(ctx context.Context, flags feature.Flags, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta, marker OIDCIdentityStatusMarker, setAuthStatus func(a *duckv1.AuthStatus)) pkgreconciler.Event

Types

type IDToken

// IDToken holds the claims of a JWT that OIDCTokenVerifier.VerifyJWT has
// successfully verified; it is only returned after verification succeeds.
type IDToken struct {
	// Issuer identifies who issued the token.
	Issuer string
	// Audience lists the audiences the token was issued for. Verification
	// checks this against the expected audience (see VerifyJWT).
	Audience []string
	// Subject identifies the principal the token was issued to.
	Subject string
	// Expiry is the time after which the token must no longer be accepted.
	Expiry time.Time
	// IssuedAt is the time the token was issued.
	IssuedAt time.Time
	// AccessTokenHash carries the token's access-token hash claim, if present.
	// NOTE(review): presumably the OIDC at_hash claim — confirm in the verifier.
	AccessTokenHash string
}

type OIDCIdentityStatusMarker added in v0.40.0

// OIDCIdentityStatusMarker is implemented by resources whose status records
// whether their OIDC identity (service account) was created. SetupOIDCServiceAccount
// uses it to report the outcome of the service account setup.
type OIDCIdentityStatusMarker interface {
	// MarkOIDCIdentityCreatedSucceeded records that the OIDC identity was created.
	MarkOIDCIdentityCreatedSucceeded()
	// MarkOIDCIdentityCreatedSucceededWithReason records success together with a
	// reason and a printf-style message.
	MarkOIDCIdentityCreatedSucceededWithReason(reason, messageFormat string, messageA ...interface{})
	// MarkOIDCIdentityCreatedFailed records that creating the OIDC identity failed,
	// with a reason and a printf-style message.
	MarkOIDCIdentityCreatedFailed(reason, messageFormat string, messageA ...interface{})
}

type OIDCTokenProvider

// OIDCTokenProvider obtains JWTs for a Kubernetes service account and audience.
// GetJWT serves from a token cache; GetNewJWT always requests a fresh token.
// Construct it with NewOIDCTokenProvider.
type OIDCTokenProvider struct {
	// contains filtered or unexported fields
}

func NewOIDCTokenProvider

func NewOIDCTokenProvider(ctx context.Context) *OIDCTokenProvider

func (*OIDCTokenProvider) GetJWT

func (c *OIDCTokenProvider) GetJWT(serviceAccount types.NamespacedName, audience string) (string, error)

GetJWT returns a JWT from the given service account for the given audience.

func (*OIDCTokenProvider) GetNewJWT added in v0.40.0

func (c *OIDCTokenProvider) GetNewJWT(serviceAccount types.NamespacedName, audience string) (string, error)

GetNewJWT returns a new JWT from the given service account for the given audience without using the token cache.

type OIDCTokenVerifier

// OIDCTokenVerifier verifies incoming JWTs against an expected audience,
// either directly (VerifyJWT) or from an HTTP request (VerifyJWTFromRequest).
// Construct it with NewOIDCTokenVerifier.
type OIDCTokenVerifier struct {
	// contains filtered or unexported fields
}

func NewOIDCTokenVerifier

func NewOIDCTokenVerifier(ctx context.Context) *OIDCTokenVerifier

func (*OIDCTokenVerifier) VerifyJWT

func (c *OIDCTokenVerifier) VerifyJWT(ctx context.Context, jwt, audience string) (*IDToken, error)

VerifyJWT verifies the given JWT for the expected audience and returns the parsed ID token.

func (*OIDCTokenVerifier) VerifyJWTFromRequest added in v0.40.0

func (tokenVerifier *OIDCTokenVerifier) VerifyJWTFromRequest(ctx context.Context, r *http.Request, audience *string, response http.ResponseWriter) error

VerifyJWTFromRequest verifies that the incoming request carries a JWT that is valid for the given audience.
