secure

package


Constants

// Error statuses returned by this package. Each value is a Status, which
// implements both error and GRPCStatus(), so these can be returned directly
// from gRPC handlers and interceptors and mapped by status.FromError.
const (
	// ErrInvalidToken is returned when the token is invalid.
	ErrInvalidToken = Status("token is invalid")
	// ErrExpiredToken is returned when the token is expired.
	ErrExpiredToken = Status("token is expired")
	// ErrInvalidTokenType is returned when the token type is invalid.
	ErrInvalidTokenType = Status("token type is invalid")
	// ErrInvalidTokenSignature is returned when the token signature is invalid.
	ErrInvalidTokenSignature = Status("token signature is invalid")
	// ErrUnsupportedSigningMethod is returned when the signing method is not supported.
	ErrUnsupportedSigningMethod = Status("unsupported signing method")
	// ErrUnsupportedTokenType is returned when the token type is not supported.
	ErrUnsupportedTokenType = Status("unsupported token type")
	// ErrUnsupportedOperation is returned when the operation is not supported
	// by the selected TokenStore implementation.
	ErrUnsupportedOperation = Status("unsupported operation")
	// ErrInvalidAuthExprOutput is returned when the authorization expression does not return a boolean.
	ErrInvalidAuthExprOutput = Status("authorization expression must return a boolean")
	// ErrUnauthenticated is returned when the user is not authenticated.
	ErrUnauthenticated = Status("unauthenticated")
	// ErrPermissionDenied is returned when the user does not have permission to perform the operation.
	ErrPermissionDenied = Status("permission denied")
)
// Names of the credential header and of the supported authentication schemes.
// NOTE(review): the scheme names are lowercase; presumably the scheme parsed
// from the header value is compared case-insensitively — confirm in the
// interceptor code. The scheme name also appears to be the key of the stores
// map given to NewServerAuthorizer — confirm.
const (
	// AUTH_HEADER_KEY is the header (presumably also the gRPC metadata key)
	// that carries the credentials.
	AUTH_HEADER_KEY    = "Authorization"
	// AUTH_SCHEMA_BASIC is the scheme name for HTTP Basic credentials.
	AUTH_SCHEMA_BASIC  = "basic"
	// AUTH_SCHEMA_BEARER is the scheme name for bearer tokens.
	AUTH_SCHEMA_BEARER = "bearer"
)
// Token type values. These are presumably the ttype argument of NewToken and,
// for the JWT store, the value of the custom `typ` claim in ExtendedClaims —
// confirm. A token whose type does not match is rejected with
// ErrInvalidTokenType or ErrUnsupportedTokenType.
const (
	// TOKEN_TYPE_BEARER marks an access token.
	TOKEN_TYPE_BEARER  = "Bearer"
	// TOKEN_TYPE_REFRESH marks a refresh token.
	TOKEN_TYPE_REFRESH = "Refresh"
)
const (
	// DEFAULT_PASSWORD_SYMBOLS is the default symbol set for generated
	// passwords: 88 distinct ASCII characters (letters, digits and
	// punctuation). Likely intended as the s argument of RandString — confirm.
	// NOTE(review): the strength of a generated password depends on the
	// randomness source inside RandString, which is not visible here; verify it
	// is a cryptographically secure source (crypto/rand) before using the
	// output as a secret.
	DEFAULT_PASSWORD_SYMBOLS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+,.?/:;{}[]`~"
)

Variables

This section is empty.

Functions

func AuthFuncAuthenticated

func AuthFuncAuthenticated(user *Identity) error

AuthFuncAuthenticated is an AuthFunc that requires the identity to be authenticated. Note that, unlike the AuthFunc* constructors below, its signature already has the AuthFunc shape, so it is passed to Authorize directly rather than called to obtain one.

func Authorize

func Authorize(ctx context.Context, auth ...AuthFunc) error

Authorize authorizes the identity in the given context with the given auth functions.

func MaskString

func MaskString(origin string) string

MaskString masks the given string. The middle third of the given string will be masked with asterisks.

func RandString

func RandString(l int, s string) (string, error)

RandString generates a random string of length l whose characters are drawn from the symbol set s.

Types

type AuthFunc

// AuthFunc is a function that authorizes an identity. It returns nil when the
// identity is allowed to proceed and an error otherwise (presumably one of the
// Status values such as ErrUnauthenticated or ErrPermissionDenied — confirm).
type AuthFunc func(user *Identity) error

AuthFunc is a function that authorizes an identity.

func AuthFuncExpiression

func AuthFuncExpiression(script string) AuthFunc

AuthFuncExpiression returns an AuthFunc that evaluates the given expression. The expression is evaluated with the identity as its context and must evaluate to a boolean; otherwise ErrInvalidAuthExprOutput is returned. Example:

AuthFuncExpiression(`Token().Realm() == "default"`)

func AuthFuncRequireRealm

func AuthFuncRequireRealm(realm string) AuthFunc

AuthFuncRequireRealm returns an AuthFunc that requires that the identity has the given realm.

func AuthFuncRequireSchema

func AuthFuncRequireSchema(schema string) AuthFunc

AuthFuncRequireSchema returns an AuthFunc that requires that the identity has the given schema.

func AuthFuncRequireScope

func AuthFuncRequireScope(scope string) AuthFunc

AuthFuncRequireScope returns an AuthFunc that requires that the identity has the given scope.

type ClientAuthorizer

// ClientAuthorizer provides client-side grpc interceptors for authorization.
// Construct it with NewClientAuthorizer; the credentials it carries are not
// exported.
type ClientAuthorizer struct {
	// contains filtered or unexported fields
}

ClientAuthorizer provides client-side grpc interceptors for authorization.

func NewClientAuthorizer

func NewClientAuthorizer(cred credentials.PerRPCCredentials) *ClientAuthorizer

NewClientAuthorizer returns a new ClientAuthorizer with the given credentials.

func (*ClientAuthorizer) StreamClientInterceptor

func (auth *ClientAuthorizer) StreamClientInterceptor() grpc.StreamClientInterceptor

StreamClientInterceptor returns a grpc.StreamClientInterceptor that authorizes the client connection with the given credentials.

func (*ClientAuthorizer) UnaryClientInterceptor

func (auth *ClientAuthorizer) UnaryClientInterceptor() grpc.UnaryClientInterceptor

UnaryClientInterceptor returns a grpc.UnaryClientInterceptor that authorizes the client connection with the given credentials.

type ExtendedClaims

// ExtendedClaims extends jwt.RegisteredClaims with the custom typ, realm, azp
// and scope claims used by JsonWebTokenStore.
// NOTE(review): the embedded RegisteredClaims cover the standard time/issuer/
// audience checks; the custom claims below are application-defined, so confirm
// that JsonWebTokenStore.Verify validates typ (and realm, where required)
// rather than trusting them as-is.
type ExtendedClaims struct {
	jwt.RegisteredClaims
	// the `typ` (Type) claim. A custom claim to identify the type of the token.
	Type string `json:"typ,omitempty"`
	// the `realm` (Realm) claim. A custom claim to identify the realm of the token.
	Realm string `json:"realm,omitempty"`
	// the `azp` (Authorized party) claim. See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
	Client string `json:"azp,omitempty"`
	// the `scope` (Scope) claim. See https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
	// Note: the scope claim is a space-separated list of scopes, not a JSON array.
	Scope string `json:"scope,omitempty"`
}

ExtendedClaims is a custom claims type that extends jwt.RegisteredClaims with the additional typ, realm, azp and scope claims.

type Identity

// Identity represents the result of authentication: the schema the caller
// authenticated with and the verified Token. Fields are unexported; use
// NewIdentity to construct one and Schema/Token to read it.
type Identity struct {
	// contains filtered or unexported fields
}

Identity represents the result of authentication.

func IdentityFromContext

func IdentityFromContext(ctx context.Context) *Identity

IdentityFromContext returns the identity from the given context.

func NewIdentity

func NewIdentity(schema string, token *Token) *Identity

NewIdentity returns a new Identity with the given schema and token.

func (*Identity) Schema

func (i *Identity) Schema() string

Schema returns the schema of the identity.

func (*Identity) Token

func (i *Identity) Token() *Token

Token returns the token of the identity.

type InMemoryTokenStore

// InMemoryTokenStore is an in-memory TokenStore. No exported constructor is
// listed here; presumably NewTokenStore builds it for the "memory" store type
// — confirm. Being process-local, its tokens are not shared across instances
// and do not survive a restart.
type InMemoryTokenStore struct {
	// contains filtered or unexported fields
}

InMemoryTokenStore is an in-memory token store.

func (*InMemoryTokenStore) Issue

func (s *InMemoryTokenStore) Issue(token *Token, ttl time.Duration) (string, error)

func (*InMemoryTokenStore) Renew

func (s *InMemoryTokenStore) Renew(value string, ttl time.Duration) (string, error)

func (*InMemoryTokenStore) Revoke

func (s *InMemoryTokenStore) Revoke(value string) (*Token, error)

func (*InMemoryTokenStore) Verify

func (s *InMemoryTokenStore) Verify(value string) (*Token, error)

type JsonWebTokenStore

// JsonWebTokenStore is a TokenStore that encodes tokens as signed JSON Web
// Tokens (JWT), so no server-side token state is kept. Construct it with
// NewJsonWebTokenStore.
type JsonWebTokenStore struct {
	// contains filtered or unexported fields
}

JsonWebTokenStore is a token store that uses JSON Web Tokens (JWT) to store tokens.

func NewJsonWebTokenStore

func NewJsonWebTokenStore(tokenIssuer, tokenAudience, signingAlgName string, signingKeyData, verifyKeyData keyData) (*JsonWebTokenStore, error)

NewJsonWebTokenStore creates a new JSON Web Token (JWT) token store.

func (*JsonWebTokenStore) Issue

func (s *JsonWebTokenStore) Issue(token *Token, ttl time.Duration) (string, error)

func (*JsonWebTokenStore) Renew

func (s *JsonWebTokenStore) Renew(value string, ttl time.Duration) (string, error)

func (*JsonWebTokenStore) Revoke

func (s *JsonWebTokenStore) Revoke(_ string) (*Token, error)

func (*JsonWebTokenStore) Verify

func (s *JsonWebTokenStore) Verify(value string) (*Token, error)

type RedisTokenConfig

// RedisTokenConfig is the configuration contract for building token stores.
// The getter semantics below are inferred from the constructor parameters on
// this page (NewRedisTokenStore, NewJsonWebTokenStore) — confirm against the
// implementation.
type RedisTokenConfig interface {
	// GetStore returns the store type (presumably one of jwt, redis, memory).
	GetStore() string
	// GetBucket returns the Redis bucket name (the bkt argument of NewRedisTokenStore).
	GetBucket() string
	// GetAccessTokenTTL returns the lifetime for access (Bearer) tokens.
	GetAccessTokenTTL() time.Duration
	// GetRefreshTokenTTL returns the lifetime for Refresh tokens.
	GetRefreshTokenTTL() time.Duration
	// GetIssuer returns the JWT issuer (iss) — presumably tokenIssuer in NewJsonWebTokenStore.
	GetIssuer() string
	// GetAudience returns the JWT audience (aud) — presumably tokenAudience in NewJsonWebTokenStore.
	GetAudience() string
	// GetSigningMethod returns the JWT signing algorithm name; an unknown value
	// presumably yields ErrUnsupportedSigningMethod.
	GetSigningMethod() string
	// GetPublicKey returns the verification key material (presumably verifyKeyData).
	GetPublicKey() []byte
	// GetPrivateKey returns the signing key material (presumably signingKeyData).
	// NOTE(review): this is secret material; keep it out of logs and config dumps.
	GetPrivateKey() []byte
}

type RedisTokenStore

// RedisTokenStore is a TokenStore that keeps token state in Redis, so tokens
// can be shared across server instances and revoked centrally. Construct it
// with NewRedisTokenStore.
type RedisTokenStore struct {
	// contains filtered or unexported fields
}

RedisTokenStore is a token store that uses Redis to store tokens.

func NewRedisTokenStore

func NewRedisTokenStore(rdb rueidis.Client, bkt string) (*RedisTokenStore, error)

NewRedisTokenStore creates a new Redis token store.

func (*RedisTokenStore) Issue

func (s *RedisTokenStore) Issue(token *Token, ttl time.Duration) (string, error)

func (*RedisTokenStore) Renew

func (s *RedisTokenStore) Renew(value string, ttl time.Duration) (string, error)

func (*RedisTokenStore) Revoke

func (s *RedisTokenStore) Revoke(value string) (*Token, error)

func (*RedisTokenStore) Verify

func (s *RedisTokenStore) Verify(value string) (*Token, error)

type ServerAuthorizer

// ServerAuthorizer provides server-side grpc interceptors for authorization.
// It is built by NewServerAuthorizer from a map of authentication schema to
// TokenStore.
type ServerAuthorizer struct {
	// contains filtered or unexported fields
}

ServerAuthorizer provides server-side grpc interceptors for authorization.

func NewServerAuthorizer

func NewServerAuthorizer(stores map[string]TokenStore) *ServerAuthorizer

NewServerAuthorizer returns a new ServerAuthorizer with the given token stores. The key of the map stores is the authentication schema.

func (*ServerAuthorizer) StreamServerInterceptor

func (auth *ServerAuthorizer) StreamServerInterceptor() grpc.StreamServerInterceptor

StreamServerInterceptor returns a grpc.StreamServerInterceptor that authorizes the identity in the context.

func (*ServerAuthorizer) UnaryServerInterceptor

func (auth *ServerAuthorizer) UnaryServerInterceptor() grpc.UnaryServerInterceptor

UnaryServerInterceptor returns a grpc.UnaryServerInterceptor that authorizes the identity in the context.

type Status

// Status represents an error status. It implements error (Error) and
// GRPCStatus(), so a Status can be returned from gRPC handlers and converted
// with status.FromError. The package's Err* constants are Status values.
type Status string

Status represents an error status.

func (Status) Error

func (s Status) Error() string

func (Status) GRPCStatus

func (s Status) GRPCStatus() *status.Status

GRPCStatus returns the gRPC status for the error. Implements the GRPCStatus() method, see status.FromError(error).

type Token

// Token is used to authenticate a user. All fields are unexported so they
// cannot be modified outside this package; construct with NewToken and read
// through the accessor methods. MarshalJSON/UnmarshalJSON control how it is
// serialized by the stores.
type Token struct {
	// contains filtered or unexported fields
}

Token is used to authenticate a user. All fields are unexported, so they cannot be modified outside of this package.

func NewToken

func NewToken(ttype, realm, client, subject string, scope []string) *Token

NewToken creates a new token.

func (*Token) Client

func (t *Token) Client() string

func (*Token) ExpiresAt

func (t *Token) ExpiresAt() time.Time

func (*Token) HasScope

func (t *Token) HasScope(scope string) bool

func (*Token) IsExpired

func (t *Token) IsExpired() bool

func (*Token) IssuedAt

func (t *Token) IssuedAt() time.Time

func (*Token) MarshalJSON

func (t *Token) MarshalJSON() ([]byte, error)

func (*Token) Realm

func (t *Token) Realm() string

func (*Token) Scope

func (t *Token) Scope() []string

func (*Token) Subject

func (t *Token) Subject() string

func (*Token) UnmarshalJSON

func (t *Token) UnmarshalJSON(data []byte) error

type TokenStore

// TokenStore manages the lifecycle of tokens: issuing, renewing, verifying and
// revoking them. Implementations on this page: InMemoryTokenStore,
// JsonWebTokenStore and RedisTokenStore.
type TokenStore interface {
	// Issue issues a new token with the given ttl.
	Issue(token *Token, ttl time.Duration) (string, error)
	// Renew renews the token and returns the new one.
	Renew(value string, ttl time.Duration) (string, error)
	// Verify verifies the token and returns the token if valid.
	Verify(value string) (*Token, error)
	// Revoke revokes the token and returns the token if revoked.
	// NOTE(review): JsonWebTokenStore.Revoke discards its argument
	// (signature `Revoke(_ string)`), so revocation appears to be unsupported
	// for stateless JWTs — confirm, and prefer a stateful store (memory or
	// redis) where tokens must be revocable before they expire.
	Revoke(value string) (*Token, error)
}

TokenStore is used to manage tokens.

func NewTokenStore

func NewTokenStore(cfg config.SecureTokenConfig, rdb rueidis.Client) (TokenStore, error)

NewTokenStore returns a new TokenStore built from the given config. There are three types of token store: jwt, redis, and memory. A rueidis.Client is required only when the configured store type is redis.
