jose

package module
v2.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 2, 2022 License: Apache-2.0 Imports: 23 Imported by: 0

README

krakend-jose

JOSE component for the KrakenD framework

Documentation

Index

Constants

View Source
const (
	ValidatorNamespace = "github.com/devopsfaith/krakend-jose/validator"
	SignerNamespace    = "github.com/devopsfaith/krakend-jose/signer"
)

Variables

View Source
var (
	ErrInsecureJWKSource = errors.New("JWK client is using an insecure connection to the JWK service")
	ErrPinnedKeyNotFound = errors.New("JWK client did not find a pinned key")
)
View Source
var (
	ErrNoValidatorCfg = errors.New("no validator config")
	ErrNoSignerCfg    = errors.New("no signer config")
)
View Source
var (
	ErrNoKeyFound = errors.New("no Keys have been found")
	ErrKeyExpired = errors.New("key exists but is expired")

	// Configuring with MaxKeyAgeNoCheck will skip key expiry check
	MaxKeyAgeNoCheck = time.Duration(-1)
)

Functions

func CalculateHeadersToPropagate

func CalculateHeadersToPropagate(propagationCfg [][]string, claims map[string]interface{}) (map[string]string, error)

func CanAccess

func CanAccess(roleKey string, claims map[string]interface{}, required []string) bool

func CanAccessNested

func CanAccessNested(roleKey string, claims map[string]interface{}, required []string) bool

func CompoundX5TKeyIDGetter

func CompoundX5TKeyIDGetter(key *jose.JSONWebKey) string

CompoundX5TKeyIDGetter extracts the key id from the jSONWebKey as the a compound string of the kid and the x5t

func CompoundX5TTokenKeyIDGetter

func CompoundX5TTokenKeyIDGetter(token *jwt.JSONWebToken) string

CompoundX5TTokenKeyIDGetter extracts the key id from the jSONWebToken as a compound string of the kid and x5t

func DecodeFingerprints

func DecodeFingerprints(in []string) ([][]byte, error)

func DefaultKeyIDGetter

func DefaultKeyIDGetter(key *jose.JSONWebKey) string

DefaultKeyIDGetter returns the default kid as JSONWebKey key id

func DefaultTokenKeyIDGetter

func DefaultTokenKeyIDGetter(token *jwt.JSONWebToken) string

DefaultTokenKeyIDGetter returns the default kid as the JSONWebKey key id

func NewSigner

func NewSigner(cfg *config.EndpointConfig, te auth0.RequestTokenExtractor) (*SignerConfig, Signer, error)

func NewValidator

func NewValidator(signatureConfig *SignatureConfig, ef ExtractorFactory) (*auth0.JWTValidator, error)

func ScopesAllMatcher

func ScopesAllMatcher(scopesKey string, claims map[string]interface{}, requiredScopes []string) bool

func ScopesAnyMatcher

func ScopesAnyMatcher(scopesKey string, claims map[string]interface{}, requiredScopes []string) bool

func ScopesDefaultMatcher

func ScopesDefaultMatcher(scopesKey string, claims map[string]interface{}, requiredScopes []string) bool

func SignFields

func SignFields(keys []string, signer Signer, response *proxy.Response) error

func X5TKeyIDGetter

func X5TKeyIDGetter(key *jose.JSONWebKey) string

X5TKeyIDGetter extracts the key id from the jSONWebKey as the x5t

func X5TTokenKeyIDGetter

func X5TTokenKeyIDGetter(token *jwt.JSONWebToken) string

X5TTokenKeyIDGetter extracts the key id from the jSONWebToken as the x5t

Types

type ChainedRejecterFactory

type ChainedRejecterFactory []RejecterFactory

ChainedRejecterFactory returns rejecters chaining every rejecter contained in tne collection

func (ChainedRejecterFactory) New

New returns a chainned rejected that evaluates all the rejecters until v is rejected or the chain is finished

type Claims

type Claims map[string]interface{}

func (Claims) Get

func (c Claims) Get(name string) (string, bool)

type Dialer

type Dialer struct {
	// contains filtered or unexported fields
}

func NewDialer

func NewDialer(cfg SecretProviderConfig) *Dialer

func (*Dialer) DialContext

func (d *Dialer) DialContext(ctx context.Context, network, address string) (net.Conn, error)

func (*Dialer) DialTLS

func (d *Dialer) DialTLS(network, addr string) (net.Conn, error)

type ExtractorFactory

type ExtractorFactory func(string) func(r *http.Request) (*jwt.JSONWebToken, error)

type FileKeyCacher

type FileKeyCacher struct {
	// contains filtered or unexported fields
}

func NewFileKeyCacher

func NewFileKeyCacher(data []byte, keyIdentifyStrategy string) (*FileKeyCacher, error)

func (*FileKeyCacher) Add

func (f *FileKeyCacher) Add(keyID string, _ []jose.JSONWebKey) (*jose.JSONWebKey, error)

func (*FileKeyCacher) Get

func (f *FileKeyCacher) Get(keyID string) (*jose.JSONWebKey, error)

type FixedRejecter

type FixedRejecter bool

FixedRejecter is a rejecter that always returns the same bool response

func (FixedRejecter) Reject

func (f FixedRejecter) Reject(_ map[string]interface{}) bool

Reject returns f

type JWKClient

type JWKClient struct {
	*auth0.JWKClient
	// contains filtered or unexported fields
}

func NewJWKClientWithCache

func NewJWKClientWithCache(options JWKClientOptions, extractor auth0.RequestTokenExtractor, keyCacher auth0.KeyCacher) *JWKClient

NewJWKClientWithCache creates a new JWKClient instance from the provided options and custom extractor and keycacher. Passing nil to keyCacher will create a persistent key cacher. the extractor is also saved in the extended JWKClient.

func (*JWKClient) GetSecret

func (j *JWKClient) GetSecret(r *http.Request) (interface{}, error)

GetSecret implements the GetSecret method of the SecretProvider interface.

type JWKClientOptions

type JWKClientOptions struct {
	auth0.JWKClientOptions
	KeyIdentifyStrategy string
}

type KeyCacher

type KeyCacher interface {
	Get(keyID string) (*jose.JSONWebKey, error)
	Add(keyID string, webKeys []jose.JSONWebKey) (*jose.JSONWebKey, error)
}

func NewMemoryKeyCacher

func NewMemoryKeyCacher(maxKeyAge time.Duration, maxCacheSize int, keyIdentifyStrategy string) KeyCacher

NewMemoryKeyCacher creates a new Keycacher interface with option to set max age of cached keys and max size of the cache.

type KeyIDGetter

type KeyIDGetter interface {
	Get(*jose.JSONWebKey) string
}

KeyIDGetter extracts a key id from a JSONWebKey

func KeyIDGetterFactory

func KeyIDGetterFactory(keyIdentifyStrategy string) KeyIDGetter

type KeyIDGetterFunc

type KeyIDGetterFunc func(*jose.JSONWebKey) string

KeyIDGetterFunc function conforming to the KeyIDGetter interface.

func (KeyIDGetterFunc) Get

func (f KeyIDGetterFunc) Get(key *jose.JSONWebKey) string

Get calls f(r)

type MemoryKeyCacher

type MemoryKeyCacher struct {
	// contains filtered or unexported fields
}

func (*MemoryKeyCacher) Add

func (mkc *MemoryKeyCacher) Add(keyID string, downloadedKeys []jose.JSONWebKey) (*jose.JSONWebKey, error)

Add adds a key into the cache and handles overflow

func (*MemoryKeyCacher) Get

func (mkc *MemoryKeyCacher) Get(keyID string) (*jose.JSONWebKey, error)

Get obtains a key from the cache, and checks if the key is expired

type NopRejecterFactory

type NopRejecterFactory struct{}

NopRejecterFactory is a factory returning rejecters accepting all the tokens

func (NopRejecterFactory) New

New returns a fixed rejecter that accepts all the tokens

type Rejecter

type Rejecter interface {
	Reject(map[string]interface{}) bool
}

Rejecter defines the interface for the components responsible for rejecting tokens.

type RejecterFactory

type RejecterFactory interface {
	New(logging.Logger, *config.EndpointConfig) Rejecter
}

RejecterFactory is a builder for rejecters

type RejecterFactoryFunc

type RejecterFactoryFunc func(logging.Logger, *config.EndpointConfig) Rejecter

RejecterFactoryFunc is an adapter to use a function as rejecter factory

func (RejecterFactoryFunc) New

New calls f(l, cfg)

type RejecterFunc

type RejecterFunc func(map[string]interface{}) bool

RejecterFunc is an adapter to use functions as rejecters

func (RejecterFunc) Reject

func (r RejecterFunc) Reject(v map[string]interface{}) bool

Reject calls r(v)

type SecretProviderConfig

type SecretProviderConfig struct {
	URI                 string
	CacheEnabled        bool
	CacheDuration       uint32
	Fingerprints        [][]byte
	Cs                  []uint16
	LocalCA             string
	AllowInsecure       bool
	LocalPath           string
	SecretURL           string
	CipherKey           []byte
	KeyIdentifyStrategy string
}

type SignatureConfig

type SignatureConfig struct {
	Alg                     string     `json:"alg"`
	URI                     string     `json:"jwk_url"`
	CacheEnabled            bool       `json:"cache,omitempty"`
	CacheDuration           uint32     `json:"cache_duration,omitempty"`
	Issuer                  string     `json:"issuer,omitempty"`
	Audience                []string   `json:"audience,omitempty"`
	Roles                   []string   `json:"roles,omitempty"`
	PropagateClaimsToHeader [][]string `json:"propagate_claims,omitempty"`
	RolesKey                string     `json:"roles_key,omitempty"`
	RolesKeyIsNested        bool       `json:"roles_key_is_nested,omitempty"`
	CookieKey               string     `json:"cookie_key,omitempty"`
	CipherSuites            []uint16   `json:"cipher_suites,omitempty"`
	DisableJWKSecurity      bool       `json:"disable_jwk_security"`
	Fingerprints            []string   `json:"jwk_fingerprints,omitempty"`
	LocalCA                 string     `json:"jwk_local_ca,omitempty"`
	LocalPath               string     `json:"jwk_local_path,omitempty"`
	SecretURL               string     `json:"secret_url,omitempty"`
	CipherKey               []byte     `json:"cypher_key,omitempty"`
	Scopes                  []string   `json:"scopes,omitempty"`
	ScopesKey               string     `json:"scopes_key,omitempty"`
	ScopesMatcher           string     `json:"scopes_matcher,omitempty"`
	KeyIdentifyStrategy     string     `json:"key_identify_strategy"`
	OperationDebug          bool       `json:"operation_debug,omitempty"`
}

func GetSignatureConfig

func GetSignatureConfig(cfg *config.EndpointConfig) (*SignatureConfig, error)

type Signer

type Signer func(interface{}) (string, error)

type SignerConfig

type SignerConfig struct {
	Alg                string   `json:"alg"`
	KeyID              string   `json:"kid"`
	URI                string   `json:"jwk_url"`
	FullSerialization  bool     `json:"full,omitempty"`
	KeysToSign         []string `json:"keys_to_sign,omitempty"`
	CipherSuites       []uint16 `json:"cipher_suites,omitempty"`
	DisableJWKSecurity bool     `json:"disable_jwk_security"`
	Fingerprints       []string `json:"jwk_fingerprints,omitempty"`
	LocalCA            string   `json:"jwk_local_ca,omitempty"`
	LocalPath          string   `json:"jwk_local_path,omitempty"`
	SecretURL          string   `json:"secret_url,omitempty"`
	CipherKey          []byte   `json:"cypher_key,omitempty"`
}

type TokenIDGetter

type TokenIDGetter interface {
	Get(*jwt.JSONWebToken) string
}

TokenIDGetter extracts the keyID from the JSON web token

func TokenIDGetterFactory

func TokenIDGetterFactory(keyIdentifyStrategy string) TokenIDGetter

TokenIDGetterFactory returns the TokenIDGetter from the keyIdentifyStrategy configuration string

type TokenKeyIDGetterFunc

type TokenKeyIDGetterFunc func(*jwt.JSONWebToken) string

TokenKeyIDGetterFunc function conforming to the TokenIDGetter interface.

func (TokenKeyIDGetterFunc) Get

Extract calls f(r)

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL