navigaid

package
v1.14.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 4, 2023 License: MIT Imports: 21 Imported by: 0

Documentation

Index

Examples

Constants

View Source 
const (
	TokenTypeAccessToken = "access_token"
	TokenTypeIDToken     = "id_token"
)

Known token types

Variables

This section is empty.

Functions

func AccessTokenEndpoint 

func AccessTokenEndpoint(serviceURL string) string

ImasJWKSEndpoint is a helper function that returns the v1 token endpoint URL given an URL that points to the access token service.

func HTTPMiddleware 

func HTTPMiddleware(jwks *JWKS, next http.Handler, annotate AnnotationFunc) http.Handler

HTTPMiddleware populates the request context with NavigaID authentication information. If there's an XRay segment on the context it will be decorated with the sub claim as the user and an "imid_org" annotation.

It is the responsibility of the individual handlers to act on authentication errors by calling GetAuth() and inspecting the error.

func ImasJWKSEndpoint 

func ImasJWKSEndpoint(serviceURL string) string

ImasJWKSEndpoint is a helper function that returns the v1 JWKS endpoint URL given an URL that points to the IMAS service.

func NewHTTPClient 

func NewHTTPClient() *http.Client

func NewTwirpAuthHook 

func NewTwirpAuthHook(log *logrus.Logger, jwks *JWKS, annotate AnnotationFunc) *twirp.ServerHooks

NewTwirpAuthHook creates a twirp server hook that requires a valid NavigaID access token and adds the authentication result to the request context.

func SetAuth 

func SetAuth(ctx context.Context, auth AuthInfo, err error) context.Context

SetClaims adds specified Claims to the context

func TwirpAuthenticate 

func TwirpAuthenticate(ctx context.Context, jwks *JWKS, annotate AnnotationFunc) (context.Context, error)

TwirpAuthenticate verifies that there is a valid access token and adds the authentication result to the request context.

Types

type AccessTokenResponse 

type AccessTokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
}

AccessTokenResponse is the response retrieved from navigaID.

type AccessTokenService 

type AccessTokenService struct {
	// contains filtered or unexported fields
}

AccessTokenService can validate access tokens and create access tokens from naviga-id tokens.

Example 
package main

import (
	"fmt"

	"github.com/navigacontentlab/panurge/navigaid"
)

func main() {
	service := navigaid.New(
		"https://access-token.stage.imid.infomaker.io/v1/token",
	)

	jwks := navigaid.NewJWKS(
		navigaid.ImasJWKSEndpoint("https://imas.stage.imid.infomaker.io"),
	)

	navigaIDToken := "..."

	at, err := service.NewAccessToken(navigaIDToken)
	if err != nil {
		fmt.Println(err)
	}

	claims, err := jwks.Validate(at.AccessToken)
	if err != nil {
		fmt.Println(err)
	}

	fmt.Printf("%#v\n", claims)
}

Output:

func New 

func New(tokenEndpoint string, options ...AccessTokenServiceOption) *AccessTokenService

New creates a new access token service with given options.

func (*AccessTokenService) NewAccessToken 

func (ats *AccessTokenService) NewAccessToken(navigaIDToken string) (*AccessTokenResponse, error)

NewAccessToken takes an navigaID token and returns an access token.

type AccessTokenServiceOption 

type AccessTokenServiceOption func(ats *AccessTokenService)

func WithAccessTokenClient 

func WithAccessTokenClient(client *http.Client) AccessTokenServiceOption

WithAccessTokenClient sets the HTTP client that should be used for access token requests.

type AnnotationFunc 

type AnnotationFunc func(ctx context.Context, organisation string, user string)

AnnotationFunc is used to add authentication annotations to the context.

type AuthInfo 

type AuthInfo struct {
	AccessToken string
	Claims      Claims
}

func GetAuth 

func GetAuth(ctx context.Context) (AuthInfo, error)

GetAutch retrieves authentication information from the context.

type Claims 

type Claims struct {
	jwt.RegisteredClaims

	Org         string           `json:"org"`
	Groups      []string         `json:"groups"`
	Userinfo    Userinfo         `json:"userinfo"`
	TokenType   string           `json:"ntt"`
	Permissions PermissionsClaim `json:"permissions"`
}

Claims contains information regarding what org and groups (and more), that the claim belongs to.

func (Claims) HasPermissionsInOrganisation 

func (c Claims) HasPermissionsInOrganisation(permissions ...string) bool

HasPermissionsInOrganisation checks if the holder has a set of permissions in the organisation.

func (Claims) HasPermissionsInUnit 

func (c Claims) HasPermissionsInUnit(unit string, permissions ...string) bool

HasPermissionsInUnit checks if the holder has a set of permissions in a unit, either directly, or inherited from the organisation.

func (Claims) Valid 

func (c Claims) Valid() error

type ErrNoToken 

type ErrNoToken struct{}

ErrNoToken is used to communicate that no bearer token was included in the request.

func (ErrNoToken) Error 

func (err ErrNoToken) Error() string

type JWKS 

type JWKS struct {
	// contains filtered or unexported fields
}

JWKS can validate access tokens using published JWKS.

func NewJWKS 

func NewJWKS(jwksEndpoint string, options ...JWKSOption) *JWKS

New creates a new access token validator.

func (*JWKS) Validate 

func (j *JWKS) Validate(accessToken string) (Claims, error)

Validate tries to validate a given access token by first parsing it and then looking up the "kid" to match with a jwk (which are cached locally).

func (*JWKS) ValidateToken 

func (j *JWKS) ValidateToken(token string, tokenType string) (Claims, error)

ValidateToken tries to validate a given JWT token by first parsing it and then looking up the "kid" to match with a jwk (which are cached locally).

type JWKSOption 

type JWKSOption func(j *JWKS)

JWKSOption is a function that controls the JWKS configuration.

func WithJwksClient 

func WithJwksClient(client *http.Client) JWKSOption

WithJwksClient sets the HTTP client that should be used for requests.

func WithJwksTTL 

func WithJwksTTL(ttl time.Duration) JWKSOption

WithJwksTTL can be used to change the default JWKS refresh rate

type MockServer 

type MockServer struct {
	Server       *httptest.Server
	PrivateKey   *rsa.PrivateKey
	PrivateKeyId string
	Client       *http.Client
}

func NewMockServer 

func NewMockServer(opts MockServerOptions) (*MockServer, error)

This mock server mocks two endpoints, one for creating new access tokens and another one for providing keys.

type MockServerOptions 

type MockServerOptions struct {
	Claims          Claims
	TTL             int    `json:"ttl"`
	PrivatePemKey   string `json:"private_pem_key"`
	PrivatePemKeyId string `json:"private_pem_key_id"`
}

type MockService added in v1.13.5 

type MockService struct {
	Mux        *http.ServeMux
	PrivateKey *rsa.PrivateKey
	// contains filtered or unexported fields
}

func NewMockService 

func NewMockService(opts MockServerOptions) (MockService, error)

This mock service mocks two endpoints, one for creating new access tokens and another one for providing keys.

func (MockService) ServeHTTP added in v1.13.5 

func (ms MockService) ServeHTTP(rw http.ResponseWriter, r *http.Request)

type PermissionsClaim 

type PermissionsClaim struct {
	Units map[string][]string `json:"units"`
	Org   []string            `json:"org"`
}

PermissionsClaim describes the permissions the holder has in an organisation-wide and per-unit context.

func (PermissionsClaim) PermissionsInOrganisation 

func (p PermissionsClaim) PermissionsInOrganisation() map[string]bool

HasPermissionsInOrganisation returns the permissions the holder has in the organisation.

func (PermissionsClaim) PermissionsInUnit 

func (p PermissionsClaim) PermissionsInUnit(unit string) map[string]bool

HasPermissionsInUnit returns the permissions the holder has in a unit, either directly, or inherited from the organisation.

type Transport 

type Transport struct {
	// Base is the base RoundTripper used to make HTTP requests.
	// If nil, http.DefaultTransport is used.
	Base http.RoundTripper
}

Transport is an http.RoundTripper that makes OAuth 2.0 HTTP requests based of the incoming NavigaID context.

func (*Transport) RoundTrip 

func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error)

RoundTrip authorizes and authenticates the request with an access token from Transport's Source.

type Userinfo 

type Userinfo struct {
	GivenName  string `json:"given_name"`
	FamilyName string `json:"family_name"`
	Email      string `json:"email"`
	Picture    string `json:"picture"`
}

Userinfo contains name and similar data

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.