authentication

package
v0.0.0-...-b1a7a90
Published: May 2, 2024 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var Guest = &Subject{
	Name: guestName,
	Claims: map[string]any{
		"sub": guestName,
	},
}

Guest is the subject used when no authentication has been performed.

Functions

func AddFlags

func AddFlags(set *pflag.FlagSet)

AddFlags adds the flags related to authentication to the given flag set.

func ContextWithSubject

func ContextWithSubject(parent context.Context, subject *Subject) context.Context

ContextWithSubject creates a new context containing the given subject.

Types

type HandlerWrapperBuilder

type HandlerWrapperBuilder struct {
	// contains filtered or unexported fields
}

HandlerWrapperBuilder contains the data and logic needed to create a wrapper that knows how to convert an HTTP handler into another one that also performs authentication using the JSON web token from the authorization header.

The locations of the JSON web key sets used to verify the signatures of the tokens should be specified by calling the AddKeysFile or AddKeysURL methods of the builder. If no JSON web key set location is specified then access will be granted to any client.

Don't create instances of this object directly, use the NewHandlerWrapper function instead.

func NewHandlerWrapper

func NewHandlerWrapper() *HandlerWrapperBuilder

NewHandlerWrapper creates a builder that can then be configured and used to create authentication handler wrappers. This wrapper is a function that transforms an HTTP handler into another that performs authentication using the JWT token in the authorization header.

func (*HandlerWrapperBuilder) AddKeysFile

func (b *HandlerWrapperBuilder) AddKeysFile(value string) *HandlerWrapperBuilder

AddKeysFile adds a file containing a JSON web key set that will be used to verify the signatures of the tokens. The keys from this file will be loaded when a token is received containing an unknown key identifier.

If no keys file or URL is provided then all requests will be accepted and the guest subject will be added to the context.

func (*HandlerWrapperBuilder) AddKeysURL

func (b *HandlerWrapperBuilder) AddKeysURL(value string) *HandlerWrapperBuilder

AddKeysURL adds a URL containing a JSON web key set that will be used to verify the signatures of the tokens. This method may be called multiple times; the keys from these URLs will be loaded when a token is received containing an unknown key identifier.

If no keys file or URL is provided then all requests will be accepted and the guest subject will be added to the context.

func (*HandlerWrapperBuilder) AddPublicPath

func (b *HandlerWrapperBuilder) AddPublicPath(value string) *HandlerWrapperBuilder

AddPublicPath adds a regular expression that defines parts of the URL space that are considered public, and therefore require no authentication. This method may be called multiple times, and then all the given regular expressions will be used to check which parts of the URL space are public.

func (*HandlerWrapperBuilder) Build

func (b *HandlerWrapperBuilder) Build() (result func(http.Handler) http.Handler, err error)

Build uses the data stored in the builder to create a new authentication handler.

func (*HandlerWrapperBuilder) SetFlags

SetFlags sets the command line flags that should be used to configure the wrapper. This is optional.

func (*HandlerWrapperBuilder) SetGuestSubject

func (b *HandlerWrapperBuilder) SetGuestSubject(value *Subject) *HandlerWrapperBuilder

SetGuestSubject sets the subject that will be added to the context for public parts of the URL space if no authentication details are provided in the request. The default is to use the built-in guest subject, which has only one 'guest' identity.

func (*HandlerWrapperBuilder) SetKeysCA

SetKeysCA sets the certificate authorities that will be trusted when verifying the certificate of the web server where keys are loaded from.

func (*HandlerWrapperBuilder) SetKeysCAFile

func (b *HandlerWrapperBuilder) SetKeysCAFile(value string) *HandlerWrapperBuilder

SetKeysCAFile sets the file containing the certificates of the certificate authorities that will be trusted when verifying the certificate of the web server where keys are loaded from.

func (*HandlerWrapperBuilder) SetKeysInsecure

func (b *HandlerWrapperBuilder) SetKeysInsecure(value bool) *HandlerWrapperBuilder

SetKeysInsecure sets the flag that indicates that the certificate of the web server where the keys are loaded from should not be checked. The default is false and changing it to true makes the token verification insecure, so refrain from doing that in security sensitive environments.

func (*HandlerWrapperBuilder) SetKeysToken

func (b *HandlerWrapperBuilder) SetKeysToken(value string) *HandlerWrapperBuilder

SetKeysToken sets the bearer token that will be used in the HTTP requests to download JSON web key sets. This is optional; by default no token is used.

func (*HandlerWrapperBuilder) SetKeysTokenFile

func (b *HandlerWrapperBuilder) SetKeysTokenFile(value string) *HandlerWrapperBuilder

SetKeysTokenFile sets the name of the file containing the bearer token that will be used in the HTTP requests to download JSON web key sets.

This is intended for use when running inside a Kubernetes cluster and using service account tokens for authentication. In that case it is convenient to set this to the following value:

/run/secrets/kubernetes.io/serviceaccount/token

Kubernetes writes in that file the token of the service account of the pod. That token grants access to the following JSON web key set URL, which should be set using the AddKeysURL method:

https://kubernetes/openid/v1/jwks

This is optional; by default no token file is used.

func (*HandlerWrapperBuilder) SetLogger

SetLogger sets the logger that the middleware will use to send messages to the log. This is mandatory.

func (*HandlerWrapperBuilder) SetRealm

SetRealm sets the realm that will be returned in the WWW-Authenticate response header when authentication fails. This is optional and the default value is O2IMS.

func (*HandlerWrapperBuilder) SetTolerance

func (b *HandlerWrapperBuilder) SetTolerance(value time.Duration) *HandlerWrapperBuilder

SetTolerance sets the maximum time that a token will be considered valid after it has expired. For example, to accept requests with tokens that have expired up to five minutes ago:

wrapper, err := authentication.NewHandlerWrapper().
	SetLogger(logger).
	AddKeysURL("https://...").
	SetTolerance(5 * time.Minute).
	Build()
if err != nil {
	...
}

The default value is zero tolerance.

type Subject

type Subject struct {
	// Token is the raw token.
	Token string

	// Name is the name of the subject, typically extracted from the 'sub' claim.
	Name string

	// Claims is the complete set of claims extracted from the token.
	Claims map[string]any
}

Subject represents an entity, such as a person or a service account.

func SubjectFromContext

func SubjectFromContext(ctx context.Context) *Subject

SubjectFromContext extracts the subject from the context. Panics if there is no subject in the context.
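As an added illustration that is not the package's own code, the following stand-alone Go reproduces the decision flow documented above for AddPublicPath, the guest subject and SetTolerance. The JWKS signature check is replaced by an assumed Verifier callback, and the Subject and Guest definitions are copied from the page so the snippet compiles on its own.

```go
package main

import (
	"errors"
	"regexp"
	"strings"
	"time"
)

// Subject and Guest mirror the page's definitions for this stand-alone illustration.
type Subject struct {
	Token  string
	Name   string
	Claims map[string]any
}

var Guest = &Subject{Name: "guest", Claims: map[string]any{"sub": "guest"}}

// Verifier stands in for the JWKS signature check (an assumed helper, not the
// package's own): it returns the claims of a token whose signature is valid.
type Verifier func(token string) (map[string]any, bool)

var ErrUnauthorized = errors.New("unauthorized")

// Authenticate applies the wrapper's rules to one request and returns the subject
// that would go into the context: Guest for a public path with no credentials,
// otherwise the subject of a verified token whose 'exp' is at most tolerance ago.
func Authenticate(path, authorization string, public []*regexp.Regexp, verify Verifier, tolerance time.Duration, now time.Time) (*Subject, error) {
	if authorization == "" {
		for _, re := range public {
			if re.MatchString(path) {
				return Guest, nil
			}
		}
		return nil, ErrUnauthorized
	}
	if !strings.HasPrefix(authorization, "Bearer ") {
		return nil, ErrUnauthorized
	}
	token := strings.TrimPrefix(authorization, "Bearer ")
	claims, ok := verify(token)
	if !ok {
		return nil, ErrUnauthorized
	}
	// SetTolerance: the token stays acceptable until 'exp' + tolerance has passed.
	if exp, ok := claims["exp"].(float64); ok && now.Sub(time.Unix(int64(exp), 0)) > tolerance {
		return nil, ErrUnauthorized
	}
	name, _ := claims["sub"].(string)
	return &Subject{Token: token, Name: name, Claims: claims}, nil
}
```

Note that a token that fails verification is rejected even on a public path; the guest subject only replaces absent credentials, as the SetGuestSubject description states.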
