Documentation
¶
Index ¶
Constants ¶
View Source
const ( // GuestRoleName defines role name for an unauthenticated user GuestRoleName = "guest" // TLSUserRoleName defines a generic role name for an authenticated user TLSUserRoleName = "tls_user" // JWTUserRoleName defines a generic role name for an authenticated user JWTUserRoleName = "jwt_user" // DPoPUserRoleName defines a generic role name for an authenticated user DPoPUserRoleName = "dpop_user" // AWSUserRoleName defines a generic role name for an authenticated user AWSUserRoleName = "aws_user" // DefaultSubjectClaim defines default JWT Subject claim DefaultSubjectClaim = "sub" // DefaultRoleClaim defines default Role claim DefaultRoleClaim = "email" // DefaultTenantClaim defines default Tenant claim DefaultTenantClaim = "tenant" )
View Source
const CacheTTL = 5 * time.Minute
CacheTTL defines TTL for AWS cache
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AWSIdentityMap ¶ added in v0.17.0
type AWSIdentityMap struct {
// DefaultAuthenticatedRole specifies role name for identity, if not found in maps
DefaultAuthenticatedRole string `json:"default_authenticated_role" yaml:"default_authenticated_role"`
// Enable TLS identities
Enabled bool `json:"enabled" yaml:"enabled"`
// Roles is a map of role to TLS identity
Roles map[string][]string `json:"roles" yaml:"roles"`
// AllowedAccounts is a list of allowed AWS accounts,
// if empty, all accounts are allowed
AllowedAccounts []string `json:"allowed_accounts" yaml:"allowed_accounts"`
}
AWSIdentityMap provides roles for AWS
type CallerIdentity ¶ added in v0.17.0
type CallerIdentity struct {
GetCallerIdentityResponse struct {
GetCallerIdentityResult struct {
Account string `json:"Account"`
Arn string `json:"Arn"`
UserID string `json:"UserId"`
} `json:"GetCallerIdentityResult"`
ResponseMetadata struct {
RequestID string `json:"RequestId"`
} `json:"ResponseMetadata"`
} `json:"GetCallerIdentityResponse"`
}
CallerIdentity represents the Identity of the caller AWS Caller Identity Response documentation: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html
type GenericIdentityMap ¶ added in v0.17.0
type GenericIdentityMap struct {
// DefaultAuthenticatedRole specifies role name for identity, if not found in maps
DefaultAuthenticatedRole string `json:"default_authenticated_role" yaml:"default_authenticated_role"`
// Enable TLS identities
Enabled bool `json:"enabled" yaml:"enabled"`
// Roles is a map of role to TLS identity
Roles map[string][]string `json:"roles" yaml:"roles"`
}
GenericIdentityMap provides roles mapping
type IdentityMap ¶
type IdentityMap struct {
// DebugLogs allows to add extra debog logs
DebugLogs bool `json:"debug_logs" yaml:"debug_logs"`
// Strict mode returns error if any Auth method fails,
// without strict mode, it will try all methods and return
Strict bool `json:"strict" yaml:"strict"`
// TLS identity map
TLS GenericIdentityMap `json:"tls" yaml:"tls"`
// JWT identity map
JWT JWTIdentityMap `json:"jwt" yaml:"jwt"`
// DPoP identity map
DPoP JWTIdentityMap `json:"jwt_dpop" yaml:"jwt_dpop"`
// AWS identity map
AWS AWSIdentityMap `json:"aws" yaml:"aws"`
}
IdentityMap contains configuration for the roles
type IdentityProvider ¶
type IdentityProvider interface {
// ApplicableForRequest returns true if the provider is applicable for the request
ApplicableForRequest(*http.Request) bool
// IdentityFromRequest returns identity from the request
IdentityFromRequest(*http.Request) (identity.Identity, error)
// ApplicableForContext returns true if the provider is applicable for the request
ApplicableForContext(ctx context.Context) bool
// IdentityFromContext returns identity from the request
IdentityFromContext(ctx context.Context, uri string) (identity.Identity, error)
}
IdentityProvider interface to extract identity from requests
func New ¶
func New(config *IdentityMap, jwt jwt.Parser) (IdentityProvider, error)
New returns Authz provider instance
type JWTIdentityMap ¶
type JWTIdentityMap struct {
// DefaultAuthenticatedRole specifies role name for identity, if not found in maps
DefaultAuthenticatedRole string `json:"default_authenticated_role" yaml:"default_authenticated_role"`
// Enable JWT identities
Enabled bool `json:"enabled" yaml:"enabled"`
// Issuer specifies the token issuer to check for
Issuer string `json:"issuer" yaml:"issuer"`
// Audience specifies the token audience to check for
Audience string `json:"audience" yaml:"audience"`
// SubjectClaim specifies claim name to be used as Subject,
// by default it's `sub`, but can be changed to `email` etc
SubjectClaim string `json:"subject_claim" yaml:"subject_claim"`
// RoleClaim specifies claim name to be used for role mapping,
// by default it's `email`, but can be changed to `sub` etc
RoleClaim string `json:"role_claim" yaml:"role_claim"`
// TenantClaim specifies claim name to be used for tenant mapping,
// by default it's `tenant`, but can be changed to `org` etc
TenantClaim string `json:"tenant_claim" yaml:"tenant_claim"`
// Roles is a map of role to JWT identity
Roles map[string][]string `json:"roles" yaml:"roles"`
}
JWTIdentityMap provides roles for JWT
Source Files
Click to show internal directories.
Click to hide internal directories.