auth

package

v0.0.0-...-9b598c7 Latest Latest Go to latest Published: Jun 28, 2023 License: Apache-2.0 Imports: 26 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/bf2fc6cc711aee1a0c2a/kas-fleet-manager

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func GetFilterByOrganisationFromContext(ctx context.Context) bool
func GetIsAdminFromContext(ctx context.Context) bool
func ParseJWTKeys(jwtKeyFilePath, jwtCAFilePath string) (*rsa.PrivateKey, *rsa.PublicKey, error)
func SetFilterByOrganisationContext(ctx context.Context, filterByOrganisation bool) context.Context
func SetIsAdminContext(ctx context.Context, isAdmin bool) context.Context
func SetTokenInContext(ctx context.Context, token *jwt.Token) context.Context
func UseOperatorAuthorisationMiddleware(router *mux.Router, jwkValidIssuerURI string, clusterIdVar string, ...)
type AdminRoleAuthZConfig
- func NewAdminAuthZConfig() *AdminRoleAuthZConfig
- func (c *AdminRoleAuthZConfig) AddFlags(fs *pflag.FlagSet)
- func (c *AdminRoleAuthZConfig) GetRoleMapping() map[string][]string
- func (c *AdminRoleAuthZConfig) ReadFiles() error
- func (c *AdminRoleAuthZConfig) Validate(env *environments.Env) error
type AuditLogMiddleware
- func NewAuditLogMiddleware() AuditLogMiddleware
type AuthAgentService
type AuthAgentServiceMock
- func (mock *AuthAgentServiceMock) GetClientID(clusterID string) (string, error)
- func (mock *AuthAgentServiceMock) GetClientIDCalls() []struct{ ... }
type AuthHelper
- func NewAuthHelper(jwtKeyFilePath, jwtCAFilePath, ocmTokenIssuer string) (*AuthHelper, error)
- func (authHelper *AuthHelper) CreateJWTWithClaims(account *amv1.Account, jwtClaims jwt.MapClaims) (*jwt.Token, error)
- func (authHelper *AuthHelper) CreateSignedJWT(account *amv1.Account, jwtClaims jwt.MapClaims) (string, error)
- func (authHelper *AuthHelper) GetJWTFromSignedToken(signedToken string) (*jwt.Token, error)
- func (authHelper *AuthHelper) NewAccount(username, name, email string, orgId string) (*amv1.Account, error)
type ContextConfig
- func NewContextConfig() *ContextConfig
- func (c *ContextConfig) AddFlags(fs *pflag.FlagSet)
- func (c *ContextConfig) ReadFiles() error
type KFMClaims
- func GetClaimsFromContext(ctx context.Context) (KFMClaims, error)
- func (c *KFMClaims) GetAccountId() (string, error)
- func (c *KFMClaims) GetClientID() (string, error)
- func (c *KFMClaims) GetOrgId() (string, error)
- func (c *KFMClaims) GetUsername() (string, error)
- func (c *KFMClaims) IsOrgAdmin() bool
- func (c *KFMClaims) VerifyIssuer(cmp string, req bool) bool
type RequireIssuerMiddleware
- func NewRequireIssuerMiddleware() RequireIssuerMiddleware
type RequireOrgIDMiddleware
- func NewRequireOrgIDMiddleware() RequireOrgIDMiddleware
type RequireTermsAcceptanceMiddleware
- func NewRequireTermsAcceptanceMiddleware() RequireTermsAcceptanceMiddleware
type RoleConfig
type RolesAuthorizationMiddleware
- func NewRolesAuthzMiddleware(config *AdminRoleAuthZConfig) RolesAuthorizationMiddleware
type RolesConfiguration

Constants ¶

View Source

const (
	TokenExpMin = 30
	JwkKID      = "kastestkey"
)

Variables ¶

This section is empty.

Functions ¶

func GetFilterByOrganisationFromContext ¶

func GetFilterByOrganisationFromContext(ctx context.Context) bool

func GetIsAdminFromContext ¶

func GetIsAdminFromContext(ctx context.Context) bool

func ParseJWTKeys ¶

func ParseJWTKeys(jwtKeyFilePath, jwtCAFilePath string) (*rsa.PrivateKey, *rsa.PublicKey, error)

Parses JWT Private and Public Keys from the given path

func SetFilterByOrganisationContext ¶

func SetFilterByOrganisationContext(ctx context.Context, filterByOrganisation bool) context.Context

func SetIsAdminContext ¶

func SetIsAdminContext(ctx context.Context, isAdmin bool) context.Context

func SetTokenInContext ¶

func SetTokenInContext(ctx context.Context, token *jwt.Token) context.Context

func UseOperatorAuthorisationMiddleware ¶

func UseOperatorAuthorisationMiddleware(router *mux.Router, jwkValidIssuerURI string, clusterIdVar string, clusterService AuthAgentService)

Types ¶

type AdminRoleAuthZConfig ¶

type AdminRoleAuthZConfig struct {
	RolesConfigFile string
	RolesConfig     RoleConfig
}

AdminRoleAuthZConfig is the configuration of the role authZ middleware.

func NewAdminAuthZConfig ¶

func NewAdminAuthZConfig() *AdminRoleAuthZConfig

NewAdminAuthZConfig creates a default AdminRoleAuthZConfig which is enabled and uses the production configuration.

func (*AdminRoleAuthZConfig) AddFlags ¶

func (c *AdminRoleAuthZConfig) AddFlags(fs *pflag.FlagSet)

AddFlags adds required flags for the role authZ configuration.

func (*AdminRoleAuthZConfig) GetRoleMapping ¶

func (c *AdminRoleAuthZConfig) GetRoleMapping() map[string][]string

GetRoleMapping will create a map of the required roles. The key will be the HTTP method and value will be a list of allowed roles for that specific HTTP method.

func (*AdminRoleAuthZConfig) ReadFiles ¶

func (c *AdminRoleAuthZConfig) ReadFiles() error

ReadFiles will read and validate the contents of the configuration file.

func (*AdminRoleAuthZConfig) Validate ¶

func (c *AdminRoleAuthZConfig) Validate(env *environments.Env) error

type AuditLogMiddleware ¶

type AuditLogMiddleware interface {
	AuditLog(code errors.ServiceErrorCode) func(handler http.Handler) http.Handler
}

func NewAuditLogMiddleware ¶

func NewAuditLogMiddleware() AuditLogMiddleware

type AuthAgentService ¶

type AuthAgentService interface {
	GetClientID(clusterID string) (string, error)
}

type AuthAgentServiceMock ¶

type AuthAgentServiceMock struct {
	// GetClientIDFunc mocks the GetClientID method.
	GetClientIDFunc func(clusterID string) (string, error)
	// contains filtered or unexported fields
}

AuthAgentServiceMock is a mock implementation of AuthAgentService.

func TestSomethingThatUsesAuthAgentService(t *testing.T) {

	// make and configure a mocked AuthAgentService
	mockedAuthAgentService := &AuthAgentServiceMock{
		GetClientIDFunc: func(clusterID string) (string, error) {
			panic("mock out the GetClientID method")
		},
	}

	// use mockedAuthAgentService in code that requires AuthAgentService
	// and then make assertions.

}

func (*AuthAgentServiceMock) GetClientID ¶

func (mock *AuthAgentServiceMock) GetClientID(clusterID string) (string, error)

GetClientID calls GetClientIDFunc.

func (*AuthAgentServiceMock) GetClientIDCalls ¶

func (mock *AuthAgentServiceMock) GetClientIDCalls() []struct {
	ClusterID string
}

GetClientIDCalls gets all the calls that were made to GetClientID. Check the length with:

len(mockedAuthAgentService.GetClientIDCalls())

type AuthHelper ¶

type AuthHelper struct {
	JWTPrivateKey *rsa.PrivateKey
	JWTCA         *rsa.PublicKey
	// contains filtered or unexported fields
}

func NewAuthHelper ¶

func NewAuthHelper(jwtKeyFilePath, jwtCAFilePath, ocmTokenIssuer string) (*AuthHelper, error)

Creates an auth helper to be used for creating new accounts and jwt.

func (*AuthHelper) CreateJWTWithClaims ¶

func (authHelper *AuthHelper) CreateJWTWithClaims(account *amv1.Account, jwtClaims jwt.MapClaims) (*jwt.Token, error)

Creates a JSON web token with the claims specified. By default, this will create an ocm JWT if the issuer was not specified in the given claims. Any given claim with nil value will be removed from the claims

func (*AuthHelper) CreateSignedJWT ¶

func (authHelper *AuthHelper) CreateSignedJWT(account *amv1.Account, jwtClaims jwt.MapClaims) (string, error)

Creates a signed token. By default, this will create a signed ocm token if the issuer was not specified in the given claims.

func (*AuthHelper) GetJWTFromSignedToken ¶

func (authHelper *AuthHelper) GetJWTFromSignedToken(signedToken string) (*jwt.Token, error)

func (*AuthHelper) NewAccount ¶

func (authHelper *AuthHelper) NewAccount(username, name, email string, orgId string) (*amv1.Account, error)

Creates a new account with the specified values

type ContextConfig ¶

type ContextConfig struct {
}

func NewContextConfig ¶

func NewContextConfig() *ContextConfig

func (*ContextConfig) AddFlags ¶

func (c *ContextConfig) AddFlags(fs *pflag.FlagSet)

func (*ContextConfig) ReadFiles ¶

func (c *ContextConfig) ReadFiles() error

type KFMClaims ¶

type KFMClaims jwt.MapClaims

func GetClaimsFromContext ¶

func GetClaimsFromContext(ctx context.Context) (KFMClaims, error)

func (*KFMClaims) GetAccountId ¶

func (c *KFMClaims) GetAccountId() (string, error)

func (*KFMClaims) GetClientID ¶

func (c *KFMClaims) GetClientID() (string, error)

func (*KFMClaims) GetOrgId ¶

func (c *KFMClaims) GetOrgId() (string, error)

func (*KFMClaims) GetUsername ¶

func (c *KFMClaims) GetUsername() (string, error)

func (*KFMClaims) IsOrgAdmin ¶

func (c *KFMClaims) IsOrgAdmin() bool

func (*KFMClaims) VerifyIssuer ¶

func (c *KFMClaims) VerifyIssuer(cmp string, req bool) bool

type RequireIssuerMiddleware ¶

type RequireIssuerMiddleware interface {
	// RequireIssuer checks if the iss field in the JWT claim matches one of the given issuers.
	// If it does not, then the specified code is returned.
	RequireIssuer(issuers []string, code errors.ServiceErrorCode) func(handler http.Handler) http.Handler
}

func NewRequireIssuerMiddleware ¶

func NewRequireIssuerMiddleware() RequireIssuerMiddleware

type RequireOrgIDMiddleware ¶

type RequireOrgIDMiddleware interface {
	// RequireOrgID will check that org_id is set as part of the JWT claims in the
	// request and that it is not empty and return code ServiceErrorCode in case
	// the previous conditions are not true
	RequireOrgID(code errors.ServiceErrorCode) func(handler http.Handler) http.Handler
}

func NewRequireOrgIDMiddleware ¶

func NewRequireOrgIDMiddleware() RequireOrgIDMiddleware

type RequireTermsAcceptanceMiddleware ¶

type RequireTermsAcceptanceMiddleware interface {
	// RequireTermsAcceptance will check that the user has accepted the required terms.
	// The current implementation is backed by OCM and can be disabled with the "enabled" flag set to false.
	RequireTermsAcceptance(enabled bool, amsClient ocm.AMSClient, code errors.ServiceErrorCode) func(handler http.Handler) http.Handler
}

func NewRequireTermsAcceptanceMiddleware ¶

func NewRequireTermsAcceptanceMiddleware() RequireTermsAcceptanceMiddleware

type RoleConfig ¶

type RoleConfig []RolesConfiguration

RoleConfig represents the role configuration.

type RolesAuthorizationMiddleware ¶

type RolesAuthorizationMiddleware interface {
	// RequireRealmRole will check the given realm role exists in the request token
	RequireRealmRole(roleName string, code errors.ServiceErrorCode) func(handler http.Handler) http.Handler
	// RequireRolesForMethods will check that at least one of the realm roles exists in the request token based on the http method in the request
	RequireRolesForMethods(code errors.ServiceErrorCode) func(handler http.Handler) http.Handler
}

RolesAuthorizationMiddleware can be used to perform RBAC authorization checks on endpoints

func NewRolesAuthzMiddleware ¶

func NewRolesAuthzMiddleware(config *AdminRoleAuthZConfig) RolesAuthorizationMiddleware

type RolesConfiguration ¶

type RolesConfiguration struct {
	HTTPMethod string   `yaml:"method"`
	RoleNames  []string `yaml:"roles"`
}

RolesConfiguration is the configuration of required roles per HTTP method of the admin API.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL