gizmo: github.com/NYTimes/gizmo/auth/gcp

package gcp

import "github.com/NYTimes/gizmo/auth/gcp"

Index

Package Files

iam.go identity.go metadata.go

Variables

var Issuers = map[string]bool{
    "accounts.google.com":         true,
    "https://accounts.google.com": true,
}

Issuers contains the known Google account issuers for identity tokens.

func GetDefaultEmail

func GetDefaultEmail(ctx context.Context, addr string, hc *http.Client) (string, error)

GetDefaultEmail is a helper for services on GCE or the 2nd generation GAE runtime. It asks the instance metadata server at addr, through hc, for the email address of the instance's default service account, which is the value the default verifiers below compare a token's email claim against.

func IAMClaimsDecoderFunc

func IAMClaimsDecoderFunc(_ context.Context, b []byte) (auth.ClaimSetter, error)

IAMClaimsDecoderFunc is an auth.ClaimsDecoderFunc that decodes a JWT payload into an IAMClaimSet. Use it for tokens minted through the IAM signing service (NewIAMTokenSource); identity tokens from the metadata server are decoded by IdentityClaimsDecoderFunc.

func IAMVerifyFunc

func IAMVerifyFunc(vf func(ctx context.Context, cs IAMClaimSet) bool) auth.VerifyFunc

IAMVerifyFunc wraps a predicate over an IAMClaimSet into an auth.VerifyFunc, so callers can write checks against the typed claims instead of asserting the auth.ClaimSetter themselves.

func IdentityClaimsDecoderFunc

func IdentityClaimsDecoderFunc(_ context.Context, b []byte) (auth.ClaimSetter, error)

IdentityClaimsDecoderFunc is an auth.ClaimsDecoderFunc that decodes a GCP identity token payload into an IdentityClaimSet.

func IdentityVerifyFunc

func IdentityVerifyFunc(vf func(ctx context.Context, cs IdentityClaimSet) bool) auth.VerifyFunc

IdentityVerifyFunc wraps a predicate over an IdentityClaimSet into an auth.VerifyFunc, so callers can write checks against the typed claims instead of asserting the auth.ClaimSetter themselves.

func NewDefaultIAMVerifier

func NewDefaultIAMVerifier(ctx context.Context, cfg IAMConfig, clientFunc func(context.Context) *http.Client) (*auth.Verifier, error)

NewDefaultIAMVerifier returns an auth.Verifier that accepts IAM-signed JWTs only when they carry the email of the default service account of the server running the verifier and the audience configured in cfg. The service account's public keys are fetched from the IAM service with the client that clientFunc returns, so 1st generation App Engine callers can hand in urlfetch.

func NewDefaultIdentityVerifier

func NewDefaultIdentityVerifier(ctx context.Context, cfg IdentityConfig) (*auth.Verifier, error)

NewDefaultIdentityVerifier returns an auth.Verifier that accepts Google-issued identity tokens only when they carry the email of the default service account of the server running the verifier and the audience configured in cfg. Google's public certificates are fetched as in NewIdentityPublicKeySource.

func NewIAMPublicKeySource

func NewIAMPublicKeySource(ctx context.Context, cfg IAMConfig, clientFunc func(context.Context) *http.Client) (auth.PublicKeySource, error)

NewIAMPublicKeySource returns a PublicKeySource that uses the Google IAM service to fetch the public keys of a given service account. The clientFunc parameter, which returns an HTTP client, lets 1st generation App Engine users supply a urlfetch client.

func NewIAMTokenSource

func NewIAMTokenSource(ctx context.Context, cfg IAMConfig) (oauth2.TokenSource, error)

NewIAMTokenSource returns an oauth2.TokenSource that uses Google's IAM service to sign a JWT with the default service account and the given audience. Users should prefer the Identity token source if they can. This client is meant as a bridge for users transitioning from the 1st generation App Engine runtime to the 2nd generation. It can be used in the 2nd gen runtime because it can reuse an http.Client.

func NewIdentityPublicKeySource

func NewIdentityPublicKeySource(ctx context.Context, cfg IdentityConfig) (auth.PublicKeySource, error)

NewIdentityPublicKeySource fetches Google's public OAuth2 certificates (from cfg.CertURL when it is set, otherwise Google's default endpoint) for use with the auth.Verifier tool.

func NewIdentityTokenSource

func NewIdentityTokenSource(cfg IdentityConfig) (oauth2.TokenSource, error)

NewIdentityTokenSource uses the GCP metadata service (cfg.MetadataAddress when it is set) to mint GCP identity tokens for cfg.Audience. More information on asserting GCP identities can be found here: https://cloud.google.com/compute/docs/instances/verifying-instance-identity
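The two metadata-server calls behind GetDefaultEmail and NewIdentityTokenSource, as an added example that is not gizmo's code: a small client that sends the mandatory Metadata-Flavor: Google header and asks for an identity token bound to an audience, run against a fake metadata server (httptest) that enforces the header and the audience parameter the way the real one does, so the example runs offline. The constant, type and function names are this example's own; the paths and query parameters are those the GCE metadata API documents, and the email and token the fake returns are constructed values.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// DefaultMetadataAddress is the metadata server GCE and 2nd generation GAE
// expose; it plays the role of IdentityConfig.MetadataAddress here.
const DefaultMetadataAddress = "http://metadata.google.internal"

// MetadataClient issues requests to the instance metadata server.
type MetadataClient struct {
	Addr string
	HC   *http.Client
}

// get performs one metadata request. The Metadata-Flavor header is mandatory:
// the server refuses requests without it, so that a browser or an SSRF-style
// proxy that merely follows a URL cannot read instance credentials.
func (m MetadataClient) get(path string, q url.Values) (string, error) {
	u := m.Addr + "/computeMetadata/v1/" + path
	if len(q) > 0 {
		u += "?" + q.Encode()
	}
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Metadata-Flavor", "Google")
	resp, err := m.HC.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16)) // tokens are small; cap the read
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("metadata %s: status %d: %s", path, resp.StatusCode, body)
	}
	return string(body), nil
}

// DefaultEmail is the lookup GetDefaultEmail performs: the email of the
// instance's default service account.
func (m MetadataClient) DefaultEmail() (string, error) {
	return m.get("instance/service-accounts/default/email", nil)
}

// IdentityToken is the call NewIdentityTokenSource makes: a Google-signed
// identity JWT whose aud claim is bound to audience. format=full asks for the
// email and google claims that IdentityClaimSet carries.
func (m MetadataClient) IdentityToken(audience string) (string, error) {
	q := url.Values{"audience": {audience}, "format": {"full"}}
	return m.get("instance/service-accounts/default/identity", q)
}

// NewFakeMetadataServer stands in for the real server so the example runs
// offline. It enforces the header and the audience parameter as the real one
// does; the email and token it returns are constructed values.
func NewFakeMetadataServer(email, token string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Metadata-Flavor") != "Google" {
			http.Error(w, "Missing Metadata-Flavor:Google header.", http.StatusForbidden)
			return
		}
		switch r.URL.Path {
		case "/computeMetadata/v1/instance/service-accounts/default/email":
			fmt.Fprint(w, email)
		case "/computeMetadata/v1/instance/service-accounts/default/identity":
			if r.URL.Query().Get("audience") == "" {
				http.Error(w, "non-empty audience parameter required", http.StatusBadRequest)
				return
			}
			fmt.Fprint(w, token)
		default:
			http.NotFound(w, r)
		}
	}))
}

func main() {
	srv := NewFakeMetadataServer("svc@proj.iam.gserviceaccount.com", "eyJhbGciOiJSUzI1NiJ9.demo.sig")
	defer srv.Close()
	// Against a real instance: MetadataClient{Addr: DefaultMetadataAddress, HC: ...}.
	m := MetadataClient{Addr: srv.URL, HC: &http.Client{Timeout: 5 * time.Second}}
	email, err := m.DefaultEmail()
	fmt.Println(email, err)
	tok, err := m.IdentityToken("https://api.example.com")
	fmt.Println(tok, err)
}
```

The token that comes back is opaque to the caller: it is only useful once a verifier on the receiving side checks its signature, issuer and audience, which is what the verifier functions on this page do.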

func ValidIAMClaims

func ValidIAMClaims(cs IAMClaimSet, audience string) bool

ValidIAMClaims ensures the token's audience and issuer match expectations.

func ValidIdentityClaims

func ValidIdentityClaims(cs IdentityClaimSet, audience string) bool

ValidIdentityClaims ensures the token's audience equals the given audience and its issuer is one of the entries in Issuers.

func VerifyIAMEmails

func VerifyIAMEmails(ctx context.Context, emails []string, audience string) auth.VerifyFunc

VerifyIAMEmails is an auth.VerifyFunc that ensures an IAMClaimSet is valid for the given audience (ValidIAMClaims) and that the email in its payload is one of emails.

func VerifyIdentityEmails

func VerifyIdentityEmails(ctx context.Context, emails []string, audience string) auth.VerifyFunc

VerifyIdentityEmails is an auth.VerifyFunc that ensures an IdentityClaimSet is valid for the given audience (ValidIdentityClaims) and that the email in its payload is one of emails.
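The verification path the functions above describe, from decoding through ValidIdentityClaims and the email allow list, as an added example that is not gizmo's code. It uses only the standard library, so a small Claims struct stands in for IdentityClaimSet, an in-memory map keyed by kid stands in for the auth.PublicKeySource, and SignRS256 exists only to mint test input. The explicit expiry check, the EmailVerified requirement and the algorithm pinning are this example's additions beyond what the package documents; the Issuers map is copied from the page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var Issuers = map[string]bool{ // mirrors the package variable
	"accounts.google.com":         true,
	"https://accounts.google.com": true,
}

var enc = base64.RawURLEncoding // JWT segments are unpadded base64url

// Claims stands in for IdentityClaimSet, with the jws.ClaimSet fields flattened.
type Claims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Exp           int64  `json:"exp"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}

func decodePart(part string, v interface{}) error {
	b, err := enc.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// SignRS256 mints a token as Google's signer would; it only builds demo input.
func SignRS256(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	p, _ := json.Marshal(c)
	signingInput := enc.EncodeToString(h) + "." + enc.EncodeToString(p)
	sum := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// ValidIdentityClaims is the documented audience and issuer check plus an expiry check.
func ValidIdentityClaims(c Claims, audience string, now time.Time) bool {
	return c.Aud == audience && Issuers[c.Iss] && c.Exp > now.Unix()
}

// VerifyIdentityToken: signature first (key chosen by kid), then claims, then the allow list.
func VerifyIdentityToken(tok string, keys map[string]*rsa.PublicKey, audience string, allowed []string, now time.Time) (Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("malformed token")
	}
	var h map[string]string
	if err := decodePart(parts[0], &h); err != nil {
		return Claims{}, err
	}
	// Pin the algorithm: the token must not choose it (alg=none, HS256 key confusion).
	pub, ok := keys[h["kid"]]
	if h["alg"] != "RS256" || !ok {
		return Claims{}, fmt.Errorf("unsupported alg %q or unknown kid %q", h["alg"], h["kid"])
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return Claims{}, fmt.Errorf("bad signature")
	}
	// Only now is the payload trustworthy enough to parse and check.
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return Claims{}, err
	}
	if !ValidIdentityClaims(c, audience, now) {
		return Claims{}, fmt.Errorf("audience, issuer or expiry mismatch")
	}
	for _, e := range allowed {
		if c.EmailVerified && c.Email == e {
			return c, nil
		}
	}
	return Claims{}, fmt.Errorf("email %q not allowed", c.Email)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := SignRS256(key, "kid-1", Claims{Iss: "accounts.google.com", Aud: "aud-1", Exp: time.Now().Add(time.Hour).Unix(), Email: "svc@proj.iam.gserviceaccount.com", EmailVerified: true})
	_, err := VerifyIdentityToken(tok, map[string]*rsa.PublicKey{"kid-1": &key.PublicKey}, "aud-1", []string{"svc@proj.iam.gserviceaccount.com"}, time.Now())
	fmt.Println("verify:", err)
}
```

The order of checks is the point: the kid selects a key from a trusted source, the signature is verified before any claim is read, and only then are audience, issuer, expiry and the email allow list consulted. Checking the email before the signature would let anyone who can write JSON pick the service account they claim to be.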

type ContextTokenSource

type ContextTokenSource interface {
    ContextToken(context.Context) (*oauth2.Token, error)
}

ContextTokenSource is the context-aware counterpart of oauth2.TokenSource. Taking a context.Context on every call lets an implementation run on the 1st generation App Engine environment, where the HTTP client (urlfetch.Client) has to be created from the request context.

func NewContextIAMTokenSource

func NewContextIAMTokenSource(ctx context.Context, cfg IAMConfig) (ContextTokenSource, error)

NewContextIAMTokenSource returns a ContextTokenSource that uses Google's IAM service to sign a JWT with the default service account and the given audience. Users should prefer the Identity token source if they can. This client is meant as a bridge for users transitioning from the 1st generation App Engine runtime to the 2nd generation. It can be used in the 1st gen runtime because callers pass a context.Context when fetching the token; the context lets the implementation reuse its state while swapping out the HTTP client under the hood.

type IAMClaimSet

type IAMClaimSet struct {
    jws.ClaimSet

    // Email address of the default service account
    Email string `json:"email"`
}

IAMClaimSet embeds the standard jws.ClaimSet and adds a single email claim identifying the service account; this is the value the IAM verify functions match against.

func (IAMClaimSet) BaseClaims

func (s IAMClaimSet) BaseClaims() *jws.ClaimSet

BaseClaims implements the auth.ClaimSetter interface.

type IAMConfig

type IAMConfig struct {
    IAMAddress string `envconfig:"IAM_ADDR"` // optional, for testing

    Audience            string `envconfig:"IAM_AUDIENCE"`
    Project             string `envconfig:"IAM_PROJECT"`
    ServiceAccountEmail string `envconfig:"IAM_SERVICE_ACCOUNT_EMAIL"`

    // JSON contains the raw bytes from a JSON credentials file.
    // This field may be nil if authentication is provided by the
    // environment and not with a credentials file, e.g. when code is
    // running on Google Cloud Platform.
    JSON []byte
}

IAMConfig contains the information required for generating or verifying IAM JWTs.

type IdentityClaimSet

type IdentityClaimSet struct {
    jws.ClaimSet

    // Email address of the default service account (only exists on GAE 2nd gen?)
    Email         string `json:"email"`
    EmailVerified bool   `json:"email_verified"`

    // Google metadata info (appears to only exist on GCE?)
    Google map[string]interface{} `json:"google"`
}

IdentityClaimSet holds all the expected values for the various versions of the GCP identity token. More details: https://cloud.google.com/compute/docs/instances/verifying-instance-identity#payload and https://developers.google.com/identity/sign-in/web/backend-auth#calling-the-tokeninfo-endpoint

func (IdentityClaimSet) BaseClaims

func (s IdentityClaimSet) BaseClaims() *jws.ClaimSet

BaseClaims implements the auth.ClaimSetter interface.

type IdentityConfig

type IdentityConfig struct {
    Audience string `envconfig:"ID_AUDIENCE"`

    CertURL string `envconfig:"ID_CERT_URL"` // optional override for public key source

    Client *http.Client // optional override

    MetadataAddress string `envconfig:"ID_METADATA_ADDR"` // optional override for token and email retrieval
}

IdentityConfig contains the information required for generating or verifying identity JWTs.

Package gcp imports 18 packages and is imported by 1 package. Updated 2019-03-13.