iam

package
v1.4.2
Published: Sep 25, 2023 License: UPL-1.0 Imports: 26 Imported by: 0

Documentation

Overview

Package iam provides authorization provider implementations for clients that connect to the cloud via IAM (Oracle Identity and Access Management).

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DefaultBodyHeaders

func DefaultBodyHeaders() []string

DefaultBodyHeaders returns the list of default body headers that is used in signing.

func DefaultDelegationHeaders added in v1.4.1

func DefaultDelegationHeaders() []string

DefaultDelegationHeaders returns the list of default headers that is used in signing with a delegation token.

func DefaultGenericHeaders

func DefaultGenericHeaders() []string

DefaultGenericHeaders returns the list of default generic headers that is used in signing.

func GetBodyHash

func GetBodyHash(request *http.Request) (hashString string, err error)

GetBodyHash creates a base64 string from the hash of the body of the request.

func IsConfigurationProviderValid

func IsConfigurationProviderValid(conf ConfigurationProvider) (ok bool, err error)

IsConfigurationProviderValid tests that all parts of the configuration provider do not return an error.

func PrivateKeyFromBytes

func PrivateKeyFromBytes(pemData []byte, password *string) (key *rsa.PrivateKey, e error)

PrivateKeyFromBytes is a helper function that will produce an RSA private key from bytes.

Deprecated: this function is deprecated in favour of PrivateKeyFromBytesWithPassword.

func PrivateKeyFromBytesWithPassword

func PrivateKeyFromBytesWithPassword(pemData, password []byte) (key *rsa.PrivateKey, e error)

PrivateKeyFromBytesWithPassword is a helper function that will produce an RSA private key from bytes and a password.

Types

type ConfigurationProvider

type ConfigurationProvider interface {
	KeyProvider
	TenancyOCID() (string, error)
	UserOCID() (string, error)
	KeyFingerprint() (string, error)
	Region() (string, error)
	SecurityTokenFile() (string, error)
}

ConfigurationProvider wraps information about the account owner

func ConfigurationProviderFromFile

func ConfigurationProviderFromFile(configFilePath, privateKeyPassword string) (ConfigurationProvider, error)

ConfigurationProviderFromFile creates a configuration provider from a configuration file by reading the "DEFAULT" profile.

func ConfigurationProviderFromFileWithProfile

func ConfigurationProviderFromFileWithProfile(configFilePath, profile, privateKeyPassword string) (ConfigurationProvider, error)

ConfigurationProviderFromFileWithProfile creates a configuration provider from a configuration file and the given profile.

func NewRawConfigurationProvider

func NewRawConfigurationProvider(tenancy, user, region, fingerprint, privateKey string, privateKeyPassphrase *string) ConfigurationProvider

NewRawConfigurationProvider will create a ConfigurationProvider with the arguments of the function

func SessionTokenProviderFromFileWithProfile added in v1.4.2

func SessionTokenProviderFromFileWithProfile(configFilePath, profile, privateKeyPassword string) (ConfigurationProvider, error)

type HTTPRequestSigner

type HTTPRequestSigner interface {
	Sign(r *http.Request) error
	ExpirationTime() time.Time
}

HTTPRequestSigner is the interface to sign a request.

func DefaultRequestSigner

func DefaultRequestSigner(provider KeyProvider) HTTPRequestSigner

DefaultRequestSigner creates a signer with default parameters.

func DelegationRequestSigner added in v1.4.1

func DelegationRequestSigner(provider KeyProvider) HTTPRequestSigner

DelegationRequestSigner creates a signer with parameters including delegation token.

func DelegationRequestSignerExcludeBody added in v1.4.1

func DelegationRequestSignerExcludeBody(provider KeyProvider) HTTPRequestSigner

DelegationRequestSignerExcludeBody creates a signer that does not hash the body but does include the delegation token.

func NewSignerFromOCIRequestSigner

func NewSignerFromOCIRequestSigner(oldSigner HTTPRequestSigner, predicate SignerBodyHashPredicate) (HTTPRequestSigner, error)

NewSignerFromOCIRequestSigner creates a copy of the request signer and attaches the new SignerBodyHashPredicate. It returns an error if the passed signer is not of type ociRequestSigner.

func RequestSigner

func RequestSigner(provider KeyProvider, genericHeaders, bodyHeaders []string) HTTPRequestSigner

RequestSigner creates a signer that uses the specified headers for signing and the default predicate for including the body of the request as part of the signature.

func RequestSignerExcludeBody

func RequestSignerExcludeBody(provider KeyProvider) HTTPRequestSigner

RequestSignerExcludeBody creates a signer that does not hash the body.

func RequestSignerWithBodyHashingPredicate

func RequestSignerWithBodyHashingPredicate(provider KeyProvider, genericHeaders, bodyHeaders []string, shouldHashBody SignerBodyHashPredicate) HTTPRequestSigner

RequestSignerWithBodyHashingPredicate creates a signer that uses the specified headers for signing, as well as a predicate that decides whether the body of the request and the headers in the bodyHeaders parameter are included in the signature.

type KeyProvider

type KeyProvider interface {
	PrivateRSAKey() (*rsa.PrivateKey, error)
	KeyID() (string, error)
	ExpirationTime() time.Time
}

KeyProvider is an interface that wraps information about the key's account owner.

type SignatureProvider

type SignatureProvider struct {
	// contains filtered or unexported fields
}

SignatureProvider is a signature provider for use with cloud IAM.

This implements the nosqldb.AuthorizationProvider interface.

func NewRawSignatureProvider

func NewRawSignatureProvider(tenancy, user, region, fingerprint, compartmentID, privateKeyOrFile string, privateKeyPassphrase *string) (*SignatureProvider, error)

NewRawSignatureProvider creates a signature provider based on the raw credentials given (no files necessary).

privateKeyPassphrase is only required if the private key uses a passphrase.

compartmentID is optional; if empty, the tenancyOCID is used in its place.

privateKeyOrFile specifies the private key or full path to the private key file.

func NewSessionTokenSignatureProvider added in v1.4.2

func NewSessionTokenSignatureProvider() (*SignatureProvider, error)

NewSessionTokenSignatureProvider creates a SignatureProvider using a temporary session token read from a token file.

The configuration file used is '~/.oci/config'. See [SDK Configuration File] for details of the file's contents and format. The "DEFAULT" profile is used.

The path of the token file is read from the configuration, using the value of the field 'security_token_file'.

See [Session Token-Based Authentication] for more details of session-token-based authentication.

You can use the OCI CLI to authenticate and create a token. See [Token-based Authentication for the CLI].

When using this constructor, the user has a default compartment for all tables. It is the root compartment of the user's tenancy.

[SDK Configuration File]: https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm
[Session Token-Based Authentication]: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdk_authentication_methods.htm#sdk_authentication_methods_session_token
[Token-based Authentication for the CLI]: https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/clitoken.htm

func NewSessionTokenSignatureProviderFromFile added in v1.4.2

func NewSessionTokenSignatureProviderFromFile(configFilePath, ociProfile, privateKeyPassphrase string) (*SignatureProvider, error)

NewSessionTokenSignatureProviderFromFile creates a SignatureProvider using a temporary session token read from a token file, using the ociProfile specified in the OCI configuration file configFilePath. See [SDK Configuration File] for details of the file's contents and format.

The path of the token file is read from the configuration, using the value of the field 'security_token_file'.

See [Session Token-Based Authentication] for more details of session-token-based authentication.

You can use the OCI CLI to authenticate and create a token. See [Token-based Authentication for the CLI].

privateKeyPassphrase is only required if the private key uses a passphrase and it is not specified in the "pass_phrase" field in the OCI configuration file.

When using this constructor, the user has a default compartment for all tables. It is the root compartment of the user's tenancy.

[SDK Configuration File]: https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm
[Session Token-Based Authentication]: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdk_authentication_methods.htm#sdk_authentication_methods_session_token
[Token-based Authentication for the CLI]: https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/clitoken.htm

func NewSignatureProvider

func NewSignatureProvider() (*SignatureProvider, error)

NewSignatureProvider creates a signature provider using the "DEFAULT" profile specified in the default OCI configuration file ~/.oci/config. See https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm for details of the configuration file's contents and format.

This signature provider uses the tenancyOCID, that is, the "tenancy" field specified in the configuration file, as the compartmentID.

func NewSignatureProviderFromFile

func NewSignatureProviderFromFile(configFilePath, ociProfile, privateKeyPassphrase, compartmentID string) (*SignatureProvider, error)

NewSignatureProviderFromFile creates a signature provider using the ociProfile specified in the OCI configuration file configFilePath. See https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm for details of the configuration file's contents and format.

ociProfile is optional; if empty, "DEFAULT" will be used.

privateKeyPassphrase is only required if the private key uses a passphrase and it is not specified in the "pass_phrase" field in the OCI configuration file.

compartmentID is optional; if empty, the tenancyOCID is used in its place. If specified, it represents a compartment id or name. If using a nested compartment, specify the full compartment path relative to the root compartment as compartmentID. For example, if using rootCompartment.compartmentA.compartmentB, the compartmentID should be set to compartmentA.compartmentB.

func NewSignatureProviderWithConfiguration

func NewSignatureProviderWithConfiguration(configProvider ConfigurationProvider, compartmentID string) (*SignatureProvider, error)

NewSignatureProviderWithConfiguration creates a signature provider with the supplied configuration.

The compartmentID specifies the OCID of the compartment to which the Oracle NoSQL tables belong. If empty, the tenancy OCID is used.

This function can be used in the following cases:

1. If other NewSignatureProviderXXX() variants declared in the package do not meet application requirements, you can provide an implementation of the ConfigurationProvider interface and create a signature provider with it.

2. If your application uses OCI-GO-SDK as a dependency, you can use one of the ConfigurationProvider implementations from OCI-GO-SDK and create a signature provider with it.

func NewSignatureProviderWithInstancePrincipal

func NewSignatureProviderWithInstancePrincipal(compartmentID string) (*SignatureProvider, error)

NewSignatureProviderWithInstancePrincipal creates a signature provider with an instance principal. This can be used for applications that access the NoSQL cloud service from within an Oracle Compute Instance.

The compartmentID specifies the OCID of the compartment to which the Oracle NoSQL tables belong. If empty, the tenancy OCID is used.

func NewSignatureProviderWithInstancePrincipalDelegation added in v1.4.1

func NewSignatureProviderWithInstancePrincipalDelegation(compartmentID string, delegationToken string) (*SignatureProvider, error)

NewSignatureProviderWithInstancePrincipalDelegation creates a signature provider with an instance principal using a delegation token. This can be used for applications that access the NoSQL cloud service from within an Oracle Compute Instance. The delegation token allows the instance to assume the privileges of the user for which the token was created.

The compartmentID specifies the OCID of the compartment to which the Oracle NoSQL tables belong. If empty, the tenancy OCID is used.

func NewSignatureProviderWithInstancePrincipalDelegationFromFile added in v1.4.1

func NewSignatureProviderWithInstancePrincipalDelegationFromFile(compartmentID string, delegationTokenFile string) (*SignatureProvider, error)

NewSignatureProviderWithInstancePrincipalDelegationFromFile creates a signature provider with an instance principal using a delegation token read from a file. This can be used for applications that access the NoSQL cloud service from within an Oracle Compute Instance. The delegation token allows the instance to assume the privileges of the user for which the token was created. The file must contain only the delegation token string.

The compartmentID specifies the OCID of the compartment to which the Oracle NoSQL tables belong. If empty, the tenancy OCID is used.

func NewSignatureProviderWithResourcePrincipal

func NewSignatureProviderWithResourcePrincipal(compartmentID string) (*SignatureProvider, error)

NewSignatureProviderWithResourcePrincipal creates a signature provider with a resource principal. This can be used for applications that access the NoSQL cloud service from within a function that executes on Oracle Functions.

The compartmentID specifies the OCID of the compartment to which the Oracle NoSQL tables belong. If empty, the tenancy OCID is used.

Resource principal is configured using the following environment variables:

OCI_RESOURCE_PRINCIPAL_VERSION
OCI_RESOURCE_PRINCIPAL_RPST
OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM
OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE
OCI_RESOURCE_PRINCIPAL_REGION

OCI_RESOURCE_PRINCIPAL_VERSION specifies the resource principal version. The current version is 2.2.

OCI_RESOURCE_PRINCIPAL_RPST specifies a resource principal session token or a path to the file that stores the token.

OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM specifies an RSA private key in PEM format or a path to the private key file.

OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE specifies a passphrase for the private key or a path to the file that stores the passphrase. This is optional, only required if the private key has a passphrase.

OCI_RESOURCE_PRINCIPAL_REGION specifies an OCI region identifier.

Note that if your application is deployed to Oracle Functions, these environment variables are already set inside the container in which the function executes.

func (*SignatureProvider) AuthorizationScheme

func (p *SignatureProvider) AuthorizationScheme() string

AuthorizationScheme returns "Signature" for this provider, which means the requests must be signed before being sent out.

func (*SignatureProvider) AuthorizationString

func (p *SignatureProvider) AuthorizationString(req auth.Request) (auth string, err error)

AuthorizationString isn't used for IAM; instead, each individual request is signed via SignHTTPRequest().

func (*SignatureProvider) Close

func (p *SignatureProvider) Close() error

Close releases resources allocated by the provider and sets the closed state for the provider. Currently there is nothing to release.

func (*SignatureProvider) Profile

Profile returns the profile used for the signature provider.

func (*SignatureProvider) SetDelegationToken added in v1.4.1

func (p *SignatureProvider) SetDelegationToken(delegationToken string) (*SignatureProvider, error)

SetDelegationToken is used to set a delegation token for the signature provider. Passing an empty string will configure the provider to not use delegation.

func (*SignatureProvider) SetDelegationTokenFromFile added in v1.4.1

func (p *SignatureProvider) SetDelegationTokenFromFile(delegationTokenFile string) (*SignatureProvider, error)

SetDelegationTokenFromFile is used to set a delegation token for the signature provider based on the string contents of a file. The file must contain the token itself and nothing else.

func (*SignatureProvider) SignHTTPRequest

func (p *SignatureProvider) SignHTTPRequest(req *http.Request) error

SignHTTPRequest signs the request, adds the signature to the Authorization header, adds the Date header, and adds the "X-Nosql-Compartment-Id" header.

The Authorization header looks like:

Signature version=n,headers=<>,keyId=<>,algorithm="rsa-sha256",signature="..."

This method uses the cached signature if it was generated within the expiry time specified in signatureExpiry. Otherwise, it gets the current date/time and uses that to generate a new signature.
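The signing scheme that SignHTTPRequest and GetBodyHash describe, written out as an added example (not the package's own code): it builds the signing string from the generic headers, adds the body headers when the caller asks for body hashing (the SignerBodyHashPredicate role), signs it with RSA-SHA256 and emits the Authorization header in the format shown above. The header lists, the version value "1", and the keyId and host values used by callers are assumptions, not taken from the package.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// bodyHash mirrors GetBodyHash: base64 of the SHA-256 digest of the request body.
func bodyHash(body []byte) string {
	sum := sha256.Sum256(body)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signingString joins "name: value" lines in header order; (request-target) is the
// lower-cased method plus the request URI, and host is taken from r.Host.
func signingString(r *http.Request, headers []string) string {
	var lines []string
	for _, h := range headers {
		v := r.Header.Get(h)
		if h == "(request-target)" {
			v = strings.ToLower(r.Method) + " " + r.URL.RequestURI()
		} else if h == "host" {
			v = r.Host
		}
		lines = append(lines, h+": "+v)
	}
	return strings.Join(lines, "\n")
}

// signRequest signs the generic headers, plus the body headers when hashBody is true
// (the predicate role), with RSA-SHA256 PKCS#1 v1.5 and sets the Authorization header.
func signRequest(r *http.Request, body []byte, hashBody bool, key *rsa.PrivateKey, keyID string) error {
	headers := []string{"date", "(request-target)", "host"} // assumed generic header list
	if hashBody {
		r.Header.Set("content-length", fmt.Sprint(len(body)))
		r.Header.Set("x-content-sha256", bodyHash(body))
		headers = append(headers, "content-length", "x-content-sha256") // assumed body header list
	}
	digest := sha256.Sum256([]byte(signingString(r, headers)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	r.Header.Set("Authorization", fmt.Sprintf(`Signature version="1",headers="%s",keyId="%s",algorithm="rsa-sha256",signature="%s"`, strings.Join(headers, " "), keyID, base64.StdEncoding.EncodeToString(sig)))
	return nil
}
```

A receiving service rebuilds the same signing string from the advertised header list and verifies it with the caller's public key, so any change to a covered header (including the body hash) invalidates the signature.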

type SignerBodyHashPredicate

type SignerBodyHashPredicate func(r *http.Request) bool

SignerBodyHashPredicate is a function that enables or disables body hashing of requests and of the headers associated with body content.
