cmd

package
Published: Jan 15, 2018 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation


Constants

This section is empty.

Variables

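var (
	// GOPATH - GOPATH value at the time of build.
	GOPATH = ""

	// Version - version time.RFC3339.
	Version = goGetTag
	// ReleaseTag - release tag in TAG.%Y-%m-%dT%H-%M-%SZ.
	ReleaseTag = goGetTag
	// CommitID - latest commit id.
	CommitID = goGetTag
	// ShortCommitID - first 12 characters from CommitID, or all of CommitID
	// when it is shorter than that. CommitID is overridden at link time, so
	// its length is not under this file's control; a bare CommitID[:12]
	// would panic during package init on a short value and take the whole
	// binary down, which a piece of build metadata must never do.
	ShortCommitID = func() string {
		if len(CommitID) < 12 {
			return CommitID
		}
		return CommitID[:12]
	}()
)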

DO NOT EDIT THIS FILE DIRECTLY. These are build-time constants set through ‘buildscripts/gen-ldflags.go’.

Functions

This section is empty.

Types

type Assertion

// Assertion is the <saml:Assertion> element of an IdP response. Only the
// members listed here are decoded; an assertion-level <ds:Signature>, should
// the IdP add one, has no field on this type and is therefore not captured.
type Assertion struct {
	XMLName            xml.Name
	// ID and Version are the assertion's attributes, kept as raw strings;
	// nothing is parsed or range-checked at decode time.
	ID                 string `xml:"ID,attr"`
	Version            string `xml:"Version,attr"`
	// Namespace declarations, captured as ordinary attributes.
	XS                 string `xml:"xmlns:xs,attr"`
	XSI                string `xml:"xmlns:xsi,attr"`
	SAML               string `xml:"xmlns:saml,attr"`
	// IssueInstant is the issue timestamp as a raw string, not a time.Time.
	IssueInstant       string `xml:"IssueInstant,attr"`
	Issuer             Issuer `xml:"Issuer"`
	// Subject, Conditions and AttributeStatement use the field name as the
	// element name; AuthnStatements is left out when marshalling if empty.
	Subject            Subject
	Conditions         Conditions
	AuthnStatements    []AuthnStatement `xml:"AuthnStatement,omitempty"`
	AttributeStatement AttributeStatement
}

Assertion - the <saml:Assertion> element of a response: its issuer, subject, conditions, authentication statements and attribute statement.

type AssumeRoleWithSAMLResult

// AssumeRoleWithSAMLResult is the body of a successful AssumeRoleWithSAML
// response. It is marshalled to XML for the caller; the field comments below
// follow the AWS STS API description of each element.
type AssumeRoleWithSAMLResult struct {
	// The identifiers for the temporary security credentials that the operation
	// returns.
	//
	// NOTE(review): encoding/xml never considers a struct value "empty", so
	// ",omitempty" has no effect on this field (nor on Credentials below) —
	// confirm whether omission was actually intended.
	AssumedRoleUser AssumedRoleUser `xml:",omitempty"`

	// The value of the Recipient attribute of the SubjectConfirmationData element
	// of the SAML assertion.
	Audience string `xml:",omitempty"`

	// The temporary security credentials, which include an access key ID, a secret
	// access key, and a security (or session) token.
	//
	// Note: The size of the security token that STS APIs return is not fixed. We
	// strongly recommend that you make no assumptions about the maximum size. As
	// of this writing, the typical size is less than 4096 bytes, but that can vary.
	// Also, future updates to AWS might require larger sizes.
	//
	// This is secret material: keep the marshalled result out of logs and
	// error messages.
	Credentials credentials.Credential `xml:",omitempty"`

	// The value of the Issuer element of the SAML assertion.
	Issuer string `xml:",omitempty"`

	// A hash value based on the concatenation of the Issuer response value, the
	// AWS account ID, and the friendly name (the last part of the ARN) of the SAML
	// provider in IAM. The combination of NameQualifier and Subject can be used
	// to uniquely identify a federated user.
	//
	// The following pseudocode shows how the hash value is calculated:
	//
	// BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP"
	// ) )
	NameQualifier string `xml:",omitempty"`

	// A percentage value that indicates the size of the policy in packed form.
	// The service rejects any policy with a packed size greater than 100 percent,
	// which means the policy exceeded the allowed space.
	PackedPolicySize int64 `xml:",omitempty"`

	// The value of the NameID element in the Subject element of the SAML assertion.
	Subject string `xml:",omitempty"`

	// The format of the name ID, as defined by the Format attribute in the NameID
	// element of the SAML assertion. Typical examples of the format are transient
	// or persistent.
	//
	// If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format,
	// that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient
	// is returned as transient. If the format includes any other prefix, the format
	// is returned with no modifications.
	SubjectType string `xml:",omitempty"`
}

AssumeRoleWithSAMLResult - Contains the response to a successful AssumeRoleWithSAML request, including temporary AWS credentials that can be used to make AWS requests. Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLResponse

type AssumedRoleUser

// AssumedRoleUser identifies the temporary credentials returned by an
// AssumeRole-style call: the ARN of the assumed-role session and its unique id.
type AssumedRoleUser struct {
	// The ARN of the temporary security credentials that are returned from the
	// AssumeRole action. For more information about ARNs and how to use them in
	// policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
	// in Using IAM.
	//
	// Arn is a required field
	Arn string

	// A unique identifier that contains the role ID and the role session name of
	// the role that is being assumed. The role ID is generated by AWS when the
	// role is created.
	//
	// AssumedRoleId is a required field
	//
	// NOTE(review): the XML element name in the tag is "AssumeRoleId", which
	// does not match the "AssumedRoleId" name used in the comment above (and
	// by the AWS API). Changing it would alter the wire format, so confirm
	// which spelling clients depend on before touching it.
	AssumedRoleID string `xml:"AssumeRoleId"`
}

AssumedRoleUser - The identifiers for the temporary security credentials that the operation returns. Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser

type Attribute

// Attribute is a single <saml:Attribute>. Every string here is supplied by
// the IdP; nothing is normalised or validated on decode.
type Attribute struct {
	XMLName         xml.Name
	// Name and NameFormat are required attributes; FriendlyName is optional
	// and dropped when marshalling if empty.
	Name            string           `xml:",attr"`
	FriendlyName    string           `xml:",attr,omitempty"`
	NameFormat      string           `xml:",attr"`
	// AttributeValues are the <AttributeValue> children, in document order.
	AttributeValues []AttributeValue `xml:"AttributeValue"`
}

Attribute - a single <saml:Attribute>: its name, optional friendly name, name format and the list of values.

type AttributeStatement

// AttributeStatement is the <saml:AttributeStatement> element: the attributes
// the IdP asserts about the subject.
type AttributeStatement struct {
	XMLName    xml.Name
	Attributes []Attribute `xml:"Attribute"`
}

AttributeStatement - the <saml:AttributeStatement> element: the list of attributes asserted about the subject.

type AttributeValue

// AttributeValue is one <saml:AttributeValue> child of an Attribute.
type AttributeValue struct {
	XMLName xml.Name
	// NOTE(review): encoding/xml matches attributes by namespace + local name,
	// not by prefix, so a tag name of "xsi:type" marshals correctly but does
	// not appear to match an incoming xsi:type attribute on unmarshal —
	// confirm this field is populated from real responses.
	Type    string `xml:"xsi:type,attr"`
	// Value is the element's raw inner XML: entity references stay encoded
	// and any nested markup is kept verbatim. Treat it as untrusted markup,
	// not decoded text, before reusing it (e.g. inside a JWT or an HTML page).
	Value   string `xml:",innerxml"`
}

AttributeValue - one <saml:AttributeValue>; Value holds the element's raw inner XML (entities are not decoded) and Type its xsi:type attribute.

type Audience

// Audience is one <saml:Audience> entry inside an AudienceRestriction.
type Audience struct {
	XMLName xml.Name
	// Value is the audience URI as raw inner XML (not entity-decoded).
	Value   string `xml:",innerxml"`
}

Audience - one <saml:Audience> URI inside an AudienceRestriction; Value is the raw inner XML.

type AudienceRestriction

// AudienceRestriction lists the <saml:Audience> values the assertion is
// intended for. A relying party should only accept an assertion whose
// restriction names its own entity ID.
type AudienceRestriction struct {
	XMLName   xml.Name
	Audiences []Audience `xml:"Audience"`
}

AudienceRestriction - the set of <saml:Audience> entries the assertion is intended for.

type AuthnContext

// AuthnContext is the <saml:AuthnContext> element wrapping the class reference.
type AuthnContext struct {
	XMLName              xml.Name
	AuthnContextClassRef AuthnContextClassRef `xml:"AuthnContextClassRef"`
}

AuthnContext - the <saml:AuthnContext> element wrapping the AuthnContextClassRef.

type AuthnContextClassRef

// AuthnContextClassRef is the <saml:AuthnContextClassRef> element.
type AuthnContextClassRef struct {
	XMLName   xml.Name
	// SAML captures the element's xmlns:saml declaration.
	SAML      string `xml:"xmlns:saml,attr"`
	// Transport holds the class reference URI as raw inner XML.
	Transport string `xml:",innerxml"`
}

AuthnContextClassRef - the <saml:AuthnContextClassRef> element; Transport holds the class reference URI as raw inner XML.

type AuthnStatement

// AuthnStatement is one <saml:AuthnStatement>. The timestamp attributes are
// kept as raw strings and are not interpreted at decode time.
type AuthnStatement struct {
	XMLName             xml.Name
	AuthnInstant        string       `xml:",attr"`
	// SessionNotOnOrAfter and SessionIndex are optional and dropped when
	// marshalling if empty.
	SessionNotOnOrAfter string       `xml:",attr,omitempty"`
	SessionIndex        string       `xml:",attr,omitempty"`
	AuthnContext        AuthnContext `xml:"AuthnContext"`
}

AuthnStatement - one <saml:AuthnStatement>: when the subject authenticated, the optional session expiry and index, and the authentication context.

type CanonicalizationMethod

// CanonicalizationMethod names the c14n algorithm used when the signature was
// produced. The value arrives inside the signed document, so a verifier must
// accept only a fixed set of algorithms rather than honouring whatever is
// named here.
type CanonicalizationMethod struct {
	XMLName   xml.Name
	Algorithm string `xml:"Algorithm,attr"`
}

CanonicalizationMethod - Use of Exclusive Canonicalization ensures that signatures created over SAML messages embedded in an XML context can be verified independent of that context.

type Conditions

// Conditions is the <saml:Conditions> element: the validity window and any
// audience restrictions. The window attributes are raw strings, not parsed
// times, and per the Validate documentation below they are not checked
// there; whoever consumes the assertion must enforce them.
type Conditions struct {
	XMLName              xml.Name
	NotBefore            string                `xml:",attr"`
	NotOnOrAfter         string                `xml:",attr"`
	AudienceRestrictions []AudienceRestriction `xml:"AudienceRestriction,omitempty"`
}

Conditions - the <saml:Conditions> element: the NotBefore/NotOnOrAfter validity window (kept as raw strings) and any audience restrictions.

type DigestMethod

// DigestMethod names the digest algorithm used for the signed reference.
// Like the other algorithm identifiers it is part of the untrusted message
// and should be checked against an allow-list by the verifier.
type DigestMethod struct {
	XMLName   xml.Name
	Algorithm string `xml:"Algorithm,attr"`
}

DigestMethod - algorithm used for generating the digest.

type DigestValue

// DigestValue is the <ds:DigestValue> element.
//
// NOTE(review): this type carries only XMLName, so the digest text itself is
// never captured; nothing decoded into it can be compared against a
// recomputed digest. Confirm whether digest checking happens elsewhere.
type DigestValue struct {
	XMLName xml.Name
}

DigestValue - digest value.

type Issuer

// Issuer is the <saml:Issuer> element identifying who produced the assertion
// or response.
type Issuer struct {
	XMLName xml.Name
	// SAML captures the element's xmlns:saml declaration.
	SAML    string `xml:"xmlns:saml,attr"`
	// URL is the issuer value as raw inner XML (entities are not decoded).
	URL     string `xml:",innerxml"`
}

Issuer - http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf The <Issuer> element, with complex type NameIDType, provides information about the issuer of a SAML assertion or protocol message.

type KeyInfo

// KeyInfo is the <ds:KeyInfo> element of a signature, which per SAML core MAY
// be absent. Anything carried here arrives inside the message being verified
// and is therefore attacker-controlled: signature verification must use the
// IdP key from configured metadata (see Options.IDPMetadata), never a
// certificate taken from this element.
type KeyInfo struct {
	XMLName  xml.Name
	// NOTE(review): ",innerxml" only fills string or []byte fields on
	// unmarshal, and a field tagged this way is not matched as a child
	// element either, so X509Data (and the certificate inside it) looks like
	// it will stay empty after decoding a response — confirm against
	// encoding/xml before relying on it.
	X509Data struct {
		XMLName         xml.Name
		X509Certificate X509Certificate `xml:",innerxml"`
	} `xml:",innerxml"`
}

KeyInfo - SAML does not require the use of <ds:KeyInfo>, nor does it impose any restrictions on its use. Therefore, <ds:KeyInfo> MAY be absent.

type NameID

// NameID is the <saml:NameID> element naming the subject.
type NameID struct {
	XMLName         xml.Name
	Format          string `xml:",attr"`
	SPNameQualifier string `xml:",attr,omitempty"`
	// Value is the identifier as raw inner XML: entity references are left
	// encoded, so compare or display it only after decoding it deliberately.
	Value           string `xml:",innerxml"`
}

NameID - the <saml:NameID> element: its Format and optional SPNameQualifier attributes plus the identifier itself as raw inner XML.

type Options

// Options represents the parameters for creating a new middleware.
type Options struct {
	// SP is the saml.ServiceProvider configuration for this service provider.
	SP             saml.ServiceProvider
	// IDPMetadata is the IdP entity descriptor; IDPMetadataURL and HTTPClient
	// are presumably used to fetch it when it is not supplied — confirm in
	// New. The metadata is the root of trust for signature verification, so
	// whatever client performs that fetch must keep TLS certificate
	// validation enabled.
	IDPMetadata    *saml.EntityDescriptor
	IDPMetadataURL url.URL
	HTTPClient     *http.Client

	// Initiates IDP initiated login.
	// An IdP-initiated response was not triggered by a request from this SP,
	// so there is no outstanding request ID to bind it to; enable this only
	// when that flow is genuinely required.
	AllowIDPInitiated bool
}

Options represents the parameters for creating a new middleware

type Response

// Response is the decoded <samlp:Response> from the identity provider. All
// attributes are kept as raw strings; decoding performs no checks (see
// Validate for what is verified).
type Response struct {
	XMLName      xml.Name
	// Namespace declarations captured as plain attributes.
	SAMLP        string `xml:"xmlns:samlp,attr"`
	SAML         string `xml:"xmlns:saml,attr"`
	SAMLSIG      string `xml:"xmlns:samlsig,attr"`
	// Destination is the URL the IdP addressed the response to; a consumer
	// should confirm it matches this SP's ACS endpoint.
	Destination  string `xml:"Destination,attr"`
	ID           string `xml:"ID,attr"`
	Version      string `xml:"Version,attr"`
	IssueInstant string `xml:"IssueInstant,attr"`
	// InResponseTo is the ID of the AuthnRequest this answers; it is what
	// ties the response to a login the SP actually started.
	InResponseTo string `xml:"InResponseTo,attr"`

	Issuer    Issuer    `xml:"Issuer"`
	// Signature is the response-level <ds:Signature>, as decoded from the
	// message.
	Signature Signature `xml:"Signature"`
	Status    Status    `xml:"Status"`
	// contains filtered or unexported fields
}

Response - saml assertion response obtained after parsing base64 encoded SAML assertion response from identity provider.

func ParseSAMLResponse

func ParseSAMLResponse(samlAssertion string) (*Response, error)

ParseSAMLResponse - decodes a base64 encoded SAML response and parses its XML into a Response. Parsing performs no validation of any kind; call (*Response).Validate, and the further checks its documentation says it does not perform, before trusting any field.

func (*Response) Validate

func (r *Response) Validate() error

Validate - validates the SAML response. This is a non-exhaustive check: it currently verifies only that the SAML version is valid, that the ID is valid, and that the signature value is valid (the documentation does not say whether this is a cryptographic verification against the IdP's key; confirm before relying on it). It does not check the Conditions window (NotBefore/NotOnOrAfter), the AudienceRestriction, the Destination or SubjectConfirmationData Recipient, or that InResponseTo matches a request this service provider issued, so a nil error must not by itself be taken as proof that the assertion is current and was issued for this SP; callers need those checks before accepting its attributes.

type SAMLMiddleware

// SAMLMiddleware holds the state needed to serve the SAML endpoints and to
// issue and check session cookies; see the package-level description of the
// login flow for how these fields are used.
type SAMLMiddleware struct {
	ServiceProvider   saml.ServiceProvider
	// AllowIDPInitiated accepts responses not tied to a request from this SP.
	AllowIDPInitiated bool
	// CookieName and CookieMaxAge describe the session cookie that carries
	// the signed JWT once the SAML flow has succeeded.
	CookieName        string
	CookieMaxAge      time.Duration
}

SAMLMiddleware implements middleware that allows a web application to support SAML.

It implements http.Handler so that it can provide the metadata and ACS endpoints, typically /SAML2/Meta and /SAML2/ACS, respectively.

It also provides middleware, RequireAccount which redirects users to the auth process if they do not have session credentials.

When redirecting the user through the SAML auth flow, the middleware assigns a temporary cookie with a random name beginning with "saml_". The value of the cookie is a signed JSON Web Token containing the original URL requested and the SAML request ID. The random part of the name corresponds to the RelayState parameter passed through the SAML flow.

When validating the SAML response, the RelayState is used to look up the correct cookie, validate the SAML request ID against it, and redirect the user back to their original URL.

Sessions are established by issuing a JSON Web Token (JWT) as a session cookie once the SAML flow has succeeded. The JWT token contains the authenticated attributes from the SAML assertion.

When issuing JSON Web Tokens, a signing key is required. Because the SAML service provider already has a private key, that key is reused to sign the JWTs as well. Note that this is cross-purpose key reuse: compromise of the SP's SAML key also allows forging session tokens, and vice versa.

func New

func New(opts Options) (*SAMLMiddleware, error)

New creates a new SAMLMiddleware

func (*SAMLMiddleware) AssertionConsumerHandler

func (m *SAMLMiddleware) AssertionConsumerHandler(w http.ResponseWriter, r *http.Request)

AssertionConsumerHandler - implements http.Handler and serves the SAML Assertion Consumer specific HTTP endpoint URI.

func (*SAMLMiddleware) Authorize

func (m *SAMLMiddleware) Authorize(w http.ResponseWriter, r *http.Request, assertion *saml.Assertion)

Authorize is invoked by ServeHTTP when we have a new, valid SAML assertion. It sets a cookie that contains a signed JWT containing the assertion attributes. It then redirects the user's browser to the original URL contained in RelayState.

func (*SAMLMiddleware) LoginHandler

func (m *SAMLMiddleware) LoginHandler(w http.ResponseWriter, r *http.Request)

LoginHandler is the SAML login http.Handler. If the request is associated with a valid session it is served; if it is not, then rather than serve the request, the middleware redirects the user to start the SAML auth flow.

func (*SAMLMiddleware) LogoutHandler

func (m *SAMLMiddleware) LogoutHandler(w http.ResponseWriter, r *http.Request)

LogoutHandler is SAML logout http.Handler - that logs you out.

func (*SAMLMiddleware) SAMLMetadataHandler

func (m *SAMLMiddleware) SAMLMetadataHandler(w http.ResponseWriter, r *http.Request)

SAMLMetadataHandler - implements http.Handler and serves the SAML Metadata specific HTTP endpoint URI.

type STSError

// STSError describes a failed STS call: a machine-readable Code, a human
// readable Description and the HTTP status to respond with.
type STSError struct {
	Code           string
	Description    string
	HTTPStatusCode int
}

STSError structure

type STSErrorCode

// STSErrorCode identifies an STS error condition; its values are the ErrSTS*
// constants declared below.
type STSErrorCode int

STSErrorCode type of error status.

// STS error codes, a non-exhaustive subset of the AssumeRoleWithSAML error
// conditions. ErrSTSNone is the zero value and means "no error".
const (
	ErrSTSNone STSErrorCode = iota
	ErrSTSExpiredToken
	ErrSTSIDPRejectedClaim
	ErrSTSInvalidIdentityToken
	ErrSTSMalformedPolicyDocument
	ErrSTSInternalError
)

Error codes, non-exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html

type STSErrorResponse

// STSErrorResponse is the XML <ErrorResponse> document returned to clients
// when an STS call fails. It is excluded from JSON encoding via json:"-" on
// XMLName.
type STSErrorResponse struct {
	XMLName   xml.Name `xml:"ErrorResponse" json:"-"`
	Code      string
	Message   string
	// RequestID and HostID are emitted under the AWS element names.
	RequestID string `xml:"RequestId"`
	HostID    string `xml:"HostId"`
}

STSErrorResponse - error response format

type Signature

// Signature is the XML Signature (<ds:Signature>) as decoded from the IdP's
// message. Its algorithm identifiers, transforms and reference URI all come
// from the untrusted document: a verifier must constrain them to a fixed
// allow-list and confirm the reference covers the assertion actually being
// consumed, rather than honouring whatever the document names.
type Signature struct {
	XMLName    xml.Name
	ID         string `xml:"Id,attr"`
	SignedInfo struct {
		XMLName                xml.Name
		CanonicalizationMethod CanonicalizationMethod
		SignatureMethod        SignatureMethod
		SamlsigReference       struct {
			XMLName      xml.Name
			// URI names the element the signature covers. If it is not
			// checked against the ID of the assertion being consumed, a
			// valid signature over some other element would pass.
			URI          string       `xml:"URI,attr"`
			// NOTE(review): ",innerxml" populates only string/[]byte fields
			// on unmarshal and does not match a struct-typed field as a child
			// element, so these three look like they will stay empty after
			// decoding — confirm against encoding/xml before relying on them.
			Transforms   Transforms   `xml:",innerxml"`
			DigestMethod DigestMethod `xml:",innerxml"`
			DigestValue  DigestValue  `xml:",innerxml"`
		}
	}
	// SignatureValue.Value is the base64 signature as raw inner XML.
	SignatureValue struct {
		XMLName xml.Name
		Value   string `xml:",innerxml"`
	}
	KeyInfo KeyInfo
}

Signature - An XML Signature that protects the integrity of and authenticates the issuer of the assertion

type SignatureMethod

// SignatureMethod names the algorithm the IdP claims to have signed with.
// Because the value is taken from the message itself, a verifier must only
// accept algorithms from its own allow-list (and reject anything weak or
// unexpected) instead of dispatching on this string.
type SignatureMethod struct {
	XMLName   xml.Name
	Algorithm string `xml:"Algorithm,attr"`
}

SignatureMethod - defines algorithm used to generate assertion signature.

type Status

// Status is the <samlp:Status> element; StatusCode.Value is the status URI
// reported by the IdP.
type Status struct {
	XMLName    xml.Name
	StatusCode struct {
		XMLName xml.Name
		Value   string `xml:",attr"`
	} `xml:"StatusCode"`
}

Status - <Status> element contains a code representing the status of the activity carried out in response to the corresponding request.

type Subject

// Subject is the <saml:Subject> element: who the assertion is about and how
// that is confirmed.
type Subject struct {
	XMLName             xml.Name
	NameID              NameID
	SubjectConfirmation SubjectConfirmation
}

Subject - the <saml:Subject> element: the NameID and its SubjectConfirmation.

type SubjectConfirmation

// SubjectConfirmation is the <saml:SubjectConfirmation> element. Method is
// the confirmation method URI, kept as a raw string.
type SubjectConfirmation struct {
	XMLName                 xml.Name
	Method                  string `xml:",attr"`
	SubjectConfirmationData SubjectConfirmationData
}

SubjectConfirmation - the <saml:SubjectConfirmation> element: the confirmation Method and its SubjectConfirmationData.

type SubjectConfirmationData

// SubjectConfirmationData carries the attributes that bind an assertion to a
// particular request and endpoint. All three are raw strings; decoding does
// not interpret them, so the consumer is responsible for checking that
// InResponseTo matches a request it issued, that Recipient is its own ACS
// URL, and that NotOnOrAfter has not passed.
type SubjectConfirmationData struct {
	XMLName      xml.Name
	InResponseTo string `xml:",attr"`
	NotOnOrAfter string `xml:",attr"`
	Recipient    string `xml:",attr"`
}

SubjectConfirmationData - the InResponseTo, NotOnOrAfter and Recipient attributes of <saml:SubjectConfirmationData>, kept as raw strings.

type TokenClaims

// TokenClaims extends the JWT standard claims with the SAML attributes copied
// from the assertion; Attributes is serialised under the "attr" claim. The
// token is only as trustworthy as the signature check and the SAML validation
// that preceded its issuance.
type TokenClaims struct {
	jwt.StandardClaims
	Attributes map[string][]string `json:"attr"`
}

TokenClaims - extends jwt standard claims with SAML attributes.

type Transforms

// Transforms lists the <ds:Transform> algorithms applied to the signed
// content. Only the enveloped-signature and exclusive c14n transforms are
// expected in SAML; any other algorithm named here should be rejected, since
// an arbitrary transform can exclude content from what the signature covers.
type Transforms struct {
	XMLName   xml.Name
	Transform []struct {
		XMLName   xml.Name
		Algorithm string `xml:"Algorithm,attr"`
	}
}

Transforms - Signatures in SAML messages SHOULD NOT contain transforms other than the enveloped signature transform (with the identifier http://www.w3.org/2000/09/xmldsig#enveloped-signature) or the exclusive canonicalization transforms (with the identifier http://www.w3.org/2001/10/xml-exc-c14n# or http://www.w3.org/2001/10/xml-exc-c14n#WithComments). Verifiers of signatures MAY reject signatures that contain other transform algorithms as invalid. If they do not, verifiers MUST ensure that no content of the SAML message is excluded from the signature. This can be accomplished by establishing out-of-band agreement as to what transforms are acceptable, or by applying the transforms manually to the content and reverifying the result as consisting of the same SAML message.

type X509Certificate

// X509Certificate is the <ds:X509Certificate> element. Cert is the base64
// certificate data as raw inner XML. When it arrives inside a response it is
// supplied by the peer and must not be used as the trust anchor for verifying
// that same response.
type X509Certificate struct {
	XMLName xml.Name
	Cert    string `xml:",innerxml"`
}

X509Certificate - base64 encoded x.509 certificate data.
