auth

package v0.1.2
Published: Feb 29, 2024 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

Package auth can be used for authentication and authorization. Copyright 2018 Portworx.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Package auth is a generated GoMock package.

Package auth can be used for authentication and authorization. Copyright 2019 Portworx.

Index

Constants

const (
	// SecondDef is the abbreviation for seconds
	SecondDef = "s"
	// MinuteDef is the abbreviation for minutes
	MinuteDef = "m"
	// HourDef is the abbreviation for hours
	HourDef = "h"
	// DayDef is the abbreviation for days
	DayDef = "d"
	// YearDef is the abbreviation for years
	YearDef = "y"

	// Day is the duration of hours in a day
	Day = time.Hour * 24
	// Year is the duration of days in a year
	Year = Day * 365
)

Variables

var (

	// InitSystemTokenManager sets the instance of the system token manager.
	// This function can be overridden for testing purposes
	InitSystemTokenManager = func(tg TokenGenerator) {
		systemTokenInst = tg
	}

	// SystemTokenManagerInst returns the systemTokenManager instance
	SystemTokenManagerInst = func() TokenGenerator {
		return systemTokenInst
	}
)
var (
	// SecondRegex is a regular expression for finding seconds as a duration
	SecondRegex = regexp.MustCompile("^([0-9]+)" + SecondDef + "$")
	// MinuteRegex is a regular expression for finding minutes as a duration
	MinuteRegex = regexp.MustCompile("^([0-9]+)" + MinuteDef + "$")
	// HourRegex is a regular expression for finding hours as a duration
	HourRegex = regexp.MustCompile("^([0-9]+)" + HourDef + "$")
	// DayRegex is a regular expression for finding days as a duration
	DayRegex = regexp.MustCompile("^([0-9]+)" + DayDef + "$")
	// YearRegex is a regular expression for finding years as a duration
	YearRegex = regexp.MustCompile("^([0-9]+)" + YearDef + "$")
)

Functions

func ContextSaveUserInfo

func ContextSaveUserInfo(ctx context.Context, u *UserInfo) context.Context

ContextSaveUserInfo saves user information in the context for other functions to consume.

func Enabled

func Enabled() bool

Enabled returns whether auth is enabled.

func IsGuest

func IsGuest(ctx context.Context) bool

func IsJwtToken

func IsJwtToken(authstring string) bool

IsJwtToken returns true if the provided string is a valid JWT.

func NoAuth

func NoAuth() *noauth

NoAuth returns the default no auth implementation

func ParseToDuration

func ParseToDuration(s string) (time.Duration, error)

ParseToDuration takes in a "human" type duration and changes it to time.Duration. The format for a human type is <number><type>. For example: Five days: 5d; one year: 1y.
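As an added example, not the package's own implementation, here is one way ParseToDuration can be written on top of the constants and anchored regular expressions listed above; the units table and the overflow check are my additions, included because a wrapped negative duration would silently produce an already-expired token.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strconv"
	"time"
)

// Unit suffixes and derived durations as defined in the package above.
const (
	SecondDef = "s"
	MinuteDef = "m"
	HourDef   = "h"
	DayDef    = "d"
	YearDef   = "y"
	Day       = time.Hour * 24
	Year      = Day * 365
)

// Anchored patterns: "5dd", " 5d" and "-5d" match none of them.
var (
	SecondRegex = regexp.MustCompile("^([0-9]+)" + SecondDef + "$")
	MinuteRegex = regexp.MustCompile("^([0-9]+)" + MinuteDef + "$")
	HourRegex   = regexp.MustCompile("^([0-9]+)" + HourDef + "$")
	DayRegex    = regexp.MustCompile("^([0-9]+)" + DayDef + "$")
	YearRegex   = regexp.MustCompile("^([0-9]+)" + YearDef + "$")
)

// units is the lookup table for ParseToDuration, in the order the suffixes are tried.
var units = []struct {
	re   *regexp.Regexp
	unit time.Duration
}{
	{SecondRegex, time.Second},
	{MinuteRegex, time.Minute},
	{HourRegex, time.Hour},
	{DayRegex, Day},
	{YearRegex, Year},
}

// ParseToDuration converts "<number><type>" (e.g. "5d", "1y") to a time.Duration.
// Values that would overflow int64 nanoseconds are rejected instead of wrapping,
// since a wrapped negative duration would silently yield an already-expired token.
func ParseToDuration(s string) (time.Duration, error) {
	for _, u := range units {
		m := u.re.FindStringSubmatch(s)
		if m == nil {
			continue
		}
		n, err := strconv.ParseInt(m[1], 10, 64)
		if err != nil || time.Duration(n) > math.MaxInt64/u.unit {
			return 0, fmt.Errorf("duration %q is out of range", s)
		}
		return time.Duration(n) * u.unit, nil
	}
	return 0, fmt.Errorf("duration %q is not of the form <number><s|m|h|d|y>", s)
}
```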

func Token

func Token(
	claims *Claims,
	signature *Signature,
	options *Options,
) (string, error)

Token returns a signed JWT containing the claims provided.

func TokenIssuer

func TokenIssuer(rawtoken string) (string, error)

TokenIssuer returns the issuer for the raw JWT token.

Types

type Authenticator

type Authenticator interface {
	// AuthenticateToken validates the token and returns the claims
	AuthenticateToken(context.Context, string) (*Claims, error)
}

Authenticator interface validates and extracts the claims from a raw token

func NewIteratingMultiAuthenticator added in v0.0.8

func NewIteratingMultiAuthenticator(
	issuer string,
	authenticators []Authenticator,
) (Authenticator, error)

NewIteratingMultiAuthenticator returns an Authenticator implementation that iterates over all the supplied authenticators to authenticate a token. All authenticators must use the same issuer.

func NewMultiAuthenticatorByClientID added in v0.0.8

func NewMultiAuthenticatorByClientID(
	issuer string,
	authenticatorsByClientID map[string]Authenticator,
) (Authenticator, error)

NewMultiAuthenticatorByClientID returns an Authenticator implementation that assumes the audience field in the token contains just the client ID, which is also the key in the authenticators map passed to this function. All authenticators must use the same issuer.

type Claims

type Claims struct {
	// Issuer is the token issuer. For self-signed tokens do not prefix
	// with `https://`.
	Issuer string `json:"iss"`
	// Subject identifier. Unique ID of this account
	Subject string `json:"sub" yaml:"sub"`
	// Account name
	Name string `json:"name" yaml:"name"`
	// Account email
	Email string `json:"email" yaml:"email"`
	// Audience is the intended audience for this claim. Can be a string or []string or []interface{}.
	// Use GetAudience() to interpret the value correctly.
	Audience interface{} `json:"aud,omitempty" yaml:"aud,omitempty"`
	// Roles of this account
	Roles []string `json:"roles,omitempty" yaml:"roles,omitempty"`
	// Groups (optional) of which this account is a member
	Groups []string `json:"groups,omitempty" yaml:"groups,omitempty"`
	// UsernameClaim indicates which claim has the user name. It should be set by the authenticator when
	// authenticating the raw token.
	UsernameClaim UsernameClaimType `json:"usernameClaim,omitempty" yaml:"usernameClaim,omitempty"`
}

Claims provides information about the claims in the token. See https://openid.net/specs/openid-connect-core-1_0.html#IDToken for more information.

func TokenClaims

func TokenClaims(rawtoken string) (*Claims, error)

TokenClaims returns the claims for the raw JWT token.

func (*Claims) GetAudience added in v0.0.8

func (c *Claims) GetAudience() ([]string, error)

GetAudience returns the audience from the claims

func (*Claims) GetUsername added in v0.0.8

func (c *Claims) GetUsername() (string, error)

GetUsername returns the username from the claims

func (*Claims) ValidateUsername added in v0.0.8

func (c *Claims) ValidateUsername() error

ValidateUsername validates that the claim that is supposed to contain the username is present.
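An added example, not the package's code, of how GetAudience, GetUsername and ValidateUsername can be implemented over the documented Claims fields. encoding/json decodes "aud":"x" to a string and "aud":["x","y"] to []interface{}, which is why Audience is interface{} and why NewMultiAuthenticatorByClientID above depends on GetAudience normalising both shapes; only the fields these helpers read are declared, and the fail-closed check for an empty username is my own choice.

```go
package main
import "fmt"

type UsernameClaimType string // selects which claim is the unique user id; "" means "sub"
const (
	UsernameClaimTypeDefault UsernameClaimType = ""
	UsernameClaimTypeSubject UsernameClaimType = "sub"
	UsernameClaimTypeEmail   UsernameClaimType = "email"
	UsernameClaimTypeName    UsernameClaimType = "name"
)
type Claims struct { // only the documented fields these helpers read
	Subject       string            `json:"sub"`
	Name          string            `json:"name"`
	Email         string            `json:"email"`
	Audience      interface{}       `json:"aud,omitempty"`
	UsernameClaim UsernameClaimType `json:"usernameClaim,omitempty"`
}

// GetAudience normalises every accepted shape of "aud" to []string and rejects the rest.
func (c *Claims) GetAudience() ([]string, error) {
	switch v := c.Audience.(type) {
	case nil:
		return nil, nil
	case string:
		return []string{v}, nil
	case []string:
		return v, nil
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("audience entry %v is not a string", e)
			}
			out = append(out, s)
		}
		return out, nil
	}
	return nil, fmt.Errorf("unsupported audience type %T", c.Audience)
}

// GetUsername returns the claim selected by UsernameClaim; use ValidateUsername to require it.
func (c *Claims) GetUsername() (string, error) {
	switch c.UsernameClaim {
	case UsernameClaimTypeDefault, UsernameClaimTypeSubject:
		return c.Subject, nil
	case UsernameClaimTypeEmail:
		return c.Email, nil
	case UsernameClaimTypeName:
		return c.Name, nil
	}
	return "", fmt.Errorf("unknown username claim %q", c.UsernameClaim)
}

// ValidateUsername fails closed: the selected claim must be known, present and non-empty.
func (c *Claims) ValidateUsername() error {
	if u, err := c.GetUsername(); err != nil || u == "" {
		return fmt.Errorf("no usable username in token for claim %q (%v)", c.UsernameClaim, err)
	}
	return nil
}
```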

type InterceptorContextkey

type InterceptorContextkey string

InterceptorContextkey is the type of the keys used to store data in the gRPC context. Use these keys to retrieve the data from the gRPC context.

const (
	// InterceptorContextTokenKey is the key under which the token claims are stored in the gRPC context
	InterceptorContextTokenKey InterceptorContextkey = "tokenclaims"
)

type JWKSAuthConfig added in v0.0.6

type JWKSAuthConfig struct {
	// Issuer of the tokens.
	// This value must equal the `iss` value in the token.
	Issuer string
	// JWKSUrl is the actual URL to the public key in jwks format
	// e.g. https://www.googleapis.com/oauth2/v3/certs
	JWKSUrl string
	// UsernameClaim has the location of the unique id for the user.
	// If empty, "sub" will be used for the user name unique id.
	UsernameClaim UsernameClaimType
	// Namespace sets the namespace for all custom claims. For example
	// if the claims had the key: "https://mynamespace/roles", then
	// the namespace would be "https://mynamespace/".
	Namespace string
}

JWKSAuthConfig configures a JWKS connection.

type JWKSAuthenticator added in v0.0.6

type JWKSAuthenticator struct {
	OIDCAuthenticator
	// contains filtered or unexported fields
}

JWKSAuthenticator is used to validate tokens with a JWKS.

func NewJWKSAuthenticator added in v0.0.6

func NewJWKSAuthenticator(config *JWKSAuthConfig) (*JWKSAuthenticator, error)

NewJWKSAuthenticator returns a new JWKS authenticator where the issuer must be the same host as the JWKSUrl

c := &JWKSAuthConfig{
    Issuer:  "https://some.token.authority",
    JWKSUrl: "https://some.token.authority:3030/.well-known/jwks.json",
}
a, err := NewJWKSAuthenticator(c)

func NewJWKSWithIssuerAuthenticator added in v0.0.6

func NewJWKSWithIssuerAuthenticator(config *JWKSAuthConfig) (*JWKSAuthenticator, error)

NewJWKSWithIssuerAuthenticator returns a new JWKS authenticator where the issuer can be a different host from the JWKSUrl.

Note that this may cause a security issue if the config provider is malicious, since the keys used to verify tokens are then fetched from a host other than the issuer. You should know what you are doing if you use this mode.

c := &JWKSAuthConfig{
    Issuer:  "https://another.host",
    JWKSUrl: "https://some.token.authority/.well-known/jwks.json",
}
a, err := NewJWKSWithIssuerAuthenticator(c)

type JwtAuthConfig

type JwtAuthConfig struct {
	// SharedSecret in byte array form
	SharedSecret []byte
	// RsaPublicPem is the contents of the RSA public key file
	RsaPublicPem []byte
	// ECDSPublicPem is the contents of the ECDSA public key file
	ECDSPublicPem []byte
	// UsernameClaim has the location of the unique id for the user.
	// If empty, "sub" will be used for the user name unique id.
	UsernameClaim UsernameClaimType
}

JwtAuthConfig provides JwtAuthenticator the keys to validate the token

type JwtAuthenticator

type JwtAuthenticator struct {
	// contains filtered or unexported fields
}

JwtAuthenticator definition. It contains the raw bytes of the keys and their objects as returned by the Jwt package

func NewJwtAuthenticator added in v0.0.2

func NewJwtAuthenticator(config *JwtAuthConfig) (*JwtAuthenticator, error)

NewJwtAuthenticator returns a JwtAuthenticator configured with the keys in config.

func (*JwtAuthenticator) AuthenticateToken

func (j *JwtAuthenticator) AuthenticateToken(ctx context.Context, rawtoken string) (*Claims, error)

AuthenticateToken determines if a token is valid and if it is, returns the information in the claims.

type MockAuthenticator added in v0.0.8

type MockAuthenticator struct {
	// contains filtered or unexported fields
}

MockAuthenticator is a mock of Authenticator interface.

func NewMockAuthenticator added in v0.0.8

func NewMockAuthenticator(ctrl *gomock.Controller) *MockAuthenticator

NewMockAuthenticator creates a new mock instance.

func (*MockAuthenticator) AuthenticateToken added in v0.0.8

func (m *MockAuthenticator) AuthenticateToken(arg0 context.Context, arg1 string) (*Claims, error)

AuthenticateToken mocks base method.

func (*MockAuthenticator) EXPECT added in v0.0.8

func (m *MockAuthenticator) EXPECT() *MockAuthenticatorMockRecorder

EXPECT returns an object that allows the caller to indicate expected use.

type MockAuthenticatorMockRecorder added in v0.0.8

type MockAuthenticatorMockRecorder struct {
	// contains filtered or unexported fields
}

MockAuthenticatorMockRecorder is the mock recorder for MockAuthenticator.

func (*MockAuthenticatorMockRecorder) AuthenticateToken added in v0.0.8

func (mr *MockAuthenticatorMockRecorder) AuthenticateToken(arg0, arg1 interface{}) *gomock.Call

AuthenticateToken indicates an expected call of AuthenticateToken.

type OIDCAuthConfig

type OIDCAuthConfig struct {
	// Issuer of the OIDC tokens
	// e.g. https://accounts.google.com
	Issuer string
	// ClientID is the client id provided by the OIDC
	ClientID string
	// SkipClientIDCheck skips verification of the client ID on tokens
	// returned by the OIDC provider without the client ID set
	SkipClientIDCheck bool
	// SkipIssuerCheck skips verification of the issuer URL.
	SkipIssuerCheck bool
	// UsernameClaim has the location of the unique id for the user.
	// If empty, "sub" will be used for the user name unique id.
	UsernameClaim UsernameClaimType
	// Namespace sets the namespace for all custom claims. For example
	// if the claims had the key: "https://mynamespace/roles", then
	// the namespace would be "https://mynamespace/".
	Namespace string
}

OIDCAuthConfig configures an OIDC connection

type OIDCAuthenticator

type OIDCAuthenticator struct {
	// contains filtered or unexported fields
}

OIDCAuthenticator is used to validate tokens with an OIDC provider.

func NewOIDCAuthenticator added in v0.0.2

func NewOIDCAuthenticator(config *OIDCAuthConfig) (*OIDCAuthenticator, error)

NewOIDCAuthenticator returns a new OIDC authenticator.

func (*OIDCAuthenticator) AuthenticateToken

func (o *OIDCAuthenticator) AuthenticateToken(ctx context.Context, rawtoken string) (*Claims, error)

AuthenticateToken verifies the validity of the provided token with the OIDC provider.

type Options

type Options struct {
	// Expiration time in Unix format as per JWT standard
	Expiration int64

	// IATSubtract is the time duration you would like to remove from
	// the token IAT (Issued At time). This is useful as a guard against
	// NTP drift within a cluster. Without this option, your token may
	// be denied due to the IAT being greater than the current time.
	IATSubtract time.Duration
}

Options provide any options to apply to the token
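An added example, not the package's Token implementation, showing what Options.Expiration and Options.IATSubtract do to a token and how a verifier treats them: MintToken, VerifyToken, Payload and the HS256 signing with a shared secret are my own constructions (the real Token takes Claims and a Signature), and the verifier here plays the cluster node whose lagging clock would otherwise reject a token with an iat ahead of its own time.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
// Options as documented above: Expiration is a Unix timestamp, IATSubtract backdates iat.
type Options struct {
	Expiration  int64
	IATSubtract time.Duration
}

// Payload holds the registered claims this example signs and checks.
type Payload struct {
	Issuer     string `json:"iss"`
	Subject    string `json:"sub"`
	IssuedAt   int64  `json:"iat"`
	Expiration int64  `json:"exp"`
}

// hs256 returns the base64url-encoded HMAC-SHA256 tag over the JWT signing input.
func hs256(secret []byte, input string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// MintToken issues an HS256 token. iat is set to now minus opts.IATSubtract, so a node
// whose clock lags the issuer by less than that still accepts the token (see Options above).
func MintToken(secret []byte, iss, sub string, opts *Options, now time.Time) string {
	p := Payload{Issuer: iss, Subject: sub, IssuedAt: now.Add(-opts.IATSubtract).Unix(), Expiration: opts.Expiration}
	body, _ := json.Marshal(p) // cannot fail for a struct of strings and integers
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	input := header + "." + base64.RawURLEncoding.EncodeToString(body)
	return input + "." + hs256(secret, input)
}

// VerifyToken recomputes the HS256 tag itself (so an "alg" header cannot downgrade it) and
// compares in constant time before trusting any claim, then enforces exp and iat against now.
func VerifyToken(secret []byte, token string, now time.Time) (*Payload, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || !hmac.Equal([]byte(parts[2]), []byte(hs256(secret, parts[0]+"."+parts[1]))) {
		return nil, errors.New("malformed token or invalid signature")
	}
	var p Payload
	if body, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &p) != nil {
		return nil, errors.New("unreadable claims")
	}
	if now.Unix() >= p.Expiration {
		return nil, errors.New("token expired")
	}
	if p.IssuedAt > now.Unix() {
		return nil, errors.New("token issued in the future: clock drift exceeds IATSubtract")
	}
	return &p, nil
}
```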

type Signature

type Signature struct {
	Type jwt.SigningMethod
	Key  interface{}
}

Signature describes the signature type using definitions from the jwt package

func NewSignatureECDSA

func NewSignatureECDSA(pem []byte) (*Signature, error)

func NewSignatureECDSAFromFile

func NewSignatureECDSAFromFile(filename string) (*Signature, error)

func NewSignatureRSA

func NewSignatureRSA(pem []byte) (*Signature, error)

func NewSignatureRSAFromFile

func NewSignatureRSAFromFile(filename string) (*Signature, error)

func NewSignatureSharedSecret

func NewSignatureSharedSecret(secret string) (*Signature, error)

type TokenGenerator

type TokenGenerator interface {
	// GetToken returns a token which can be used for
	// authentication and communication from node to node.
	GetToken(opts *Options) (string, error)

	// Issuer returns the token issuer for this generator necessary
	// for registering the authenticator in the SDK.
	Issuer() string

	// GetAuthenticator returns an authenticator for this issuer used by the SDK
	GetAuthenticator() (Authenticator, error)
}

TokenGenerator allows for the creation of tokens

type UserInfo

type UserInfo struct {
	// Username is the unique id of the user. According to the configuration of
	// the storage system, this could be the 'sub', 'name', or 'email' from
	// the claims in the token.
	Username string
	// Claims holds the claims required by the storage system
	Claims Claims
	// Guest marks whether the user is unauthenticated
	Guest bool
}

UserInfo contains information about the user taken from the token

func NewGuestUser

func NewGuestUser() *UserInfo

NewGuestUser creates UserInfo for the system guest user

func NewUserInfoFromContext

func NewUserInfoFromContext(ctx context.Context) (*UserInfo, bool)

NewUserInfoFromContext returns the user information in the context if available. If it is not available, the system is running without auth.

func (*UserInfo) IsGuest

func (ui *UserInfo) IsGuest() bool

IsGuest returns whether or not the UserInfo is for a guest user

type UsernameClaimType

type UsernameClaimType string

UsernameClaimType names the claim to be used as the unique id for the user.

const (
	// UsernameClaimTypeDefault selects "sub", the same as UsernameClaimTypeSubject
	UsernameClaimTypeDefault UsernameClaimType = ""
	// UsernameClaimTypeSubject requests to use "sub" as the claim for the
	// ID of the user
	UsernameClaimTypeSubject UsernameClaimType = "sub"
	// UsernameClaimTypeEmail requests to use "email" as the claim for the
	// ID of the user
	UsernameClaimTypeEmail UsernameClaimType = "email"
	// UsernameClaimTypeName requests to use "name" as the claim for the
	// ID of the user
	UsernameClaimTypeName UsernameClaimType = "name"
)

Directories

Path Synopsis
Package ownership manages access to resources. Copyright 2019 Portworx
Package role manages roles in Kvdb and provides validation. Copyright 2022 Pure Storage
