README
¶
certauth
This package provides TLS certificate based authentication middleware. Our goal is
compatibility with net/http, httprouter and possibly other popular Go HTTP
routers.
Usage
Examples of usage with various http router libs in the ./examples directory.
Contributing
@TODO: a couple steps
Acknowledgments
A big thanks to the https://github.com/unrolled/secure project whose approach to writing middleware helped us figure out our approach to creating this project.
TODO
- add support for github.com/julienschmidt/httprouter
- add examples for using with net/http and httprouter
- makefile with gvt for deps now that we're depending on httprouter
- circle.yml
- add helper for compatibility with negroni (example: https://github.com/unrolled/secure/blob/v1/secure.go#L110-L111)
Documentation
¶
Index ¶
- Constants
- type AllowSpecificOUandCNs
- type Auth
- func (a *Auth) CheckAuthorization(verifiedCert *x509.Certificate, ps httprouter.Params) (map[ContextKey]ContextValue, error)
- func (a *Auth) Handler(h http.Handler) http.Handler
- func (a *Auth) Process(w http.ResponseWriter, r *http.Request) (*http.Request, error)
- func (a *Auth) ProcessWithParams(w http.ResponseWriter, r *http.Request, ps httprouter.Params) (*http.Request, error)
- func (a *Auth) RouterHandler(h httprouter.Handle) httprouter.Handle
- func (a *Auth) ValidateRequest(r *http.Request) error
- type AuthOption
- type AuthorizationChecker
- type ContextKey
- type ContextValue
- type Options
Constants ¶
const ( //HasAuthorizedOU is used as the request context key, adding info about the authorized OU if authorization succeded HasAuthorizedOU = contextKey("Has Authorized OU") //HasAuthorizedCN is used as the request context key, adding info about the authroized CN if authorization succeeded HasAuthorizedCN = contextKey("Has Authorized CN") )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AllowSpecificOUandCNs ¶
AllowSpecificOUandCNs is an AuthorizationChecker which allows access to resources for the specific Organizational Units and common names. If any of the client's OUs match (i.e. `==`) any of the server's allowed OUs, *and* the client's CN matches (i.e. `==`) one of the server's allowed CNs, the request is allowed. If `OUs` is empty or nil, the client's OU is ignored, and only the CN is used to determine authorization. If `CNs` is empty or nil, the client's CN is ignored, and only the OU is used to determine authorization. If both `OUs` and `CNs` are empty or nil, all requests are allowed. Site resources are not considered specially. CheckAuthorizationWithParams has exactly the same behavior as CheckAuthorization (i.e. the parameters are ignored).
func (AllowSpecificOUandCNs) CheckAuthorization ¶
func (allow AllowSpecificOUandCNs) CheckAuthorization( clientOU []string, clientCN string, ) (map[ContextKey]ContextValue, error)
func (AllowSpecificOUandCNs) CheckAuthorizationWithParams ¶
func (allow AllowSpecificOUandCNs) CheckAuthorizationWithParams( clientOU []string, clientCN string, ps httprouter.Params, ) (map[ContextKey]ContextValue, error)
type Auth ¶
type Auth struct {
// contains filtered or unexported fields
}
Auth is an instance of the middleware
func New ¶
func New(opts ...AuthOption) *Auth
func (*Auth) CheckAuthorization ¶
func (a *Auth) CheckAuthorization( verifiedCert *x509.Certificate, ps httprouter.Params, ) (map[ContextKey]ContextValue, error)
CheckAuthorization runs each of the AuthorizationCheckers configured for the server and returns an error if any of them return False. See the documentation for AuthorizationChecker for more details.
func (*Auth) Handler ¶
Handler implements the http.HandlerFunc for integration with the standard net/http lib.
func (*Auth) Process ¶
Process validates a request and sets context parameters according to the configured AuthorizationCheckers. Returns an http.Request with additional context values applied, or an error if something went wrong. In practice, this just calls ProcessWithParams.
func (*Auth) ProcessWithParams ¶
func (a *Auth) ProcessWithParams( w http.ResponseWriter, r *http.Request, ps httprouter.Params, ) (*http.Request, error)
ProcessWithParams validates a request and sets context parameters according to the configured AuthorizationCheckers. Returns an http.Request with additional context values applied, or an error if something went wrong.
func (*Auth) RouterHandler ¶
func (a *Auth) RouterHandler(h httprouter.Handle) httprouter.Handle
RouterHandler implements the httprouter.Handle for integration with github.com/julienschmidt/httprouter
type AuthOption ¶
type AuthOption func(*Auth)
AuthOption is a type of function for configuring an Auth
func WithCheckers ¶
func WithCheckers(checkers ...AuthorizationChecker) AuthOption
WithCheckers configures an Auth with the given checkers so that the Auth will pass when all the checkers in any WithCheckers AuthOption pass. eg: New(WithCheckers(A), WithCheckers(B,C)) will pass on `A || (B && C)`
func WithErrorHandler ¶
func WithErrorHandler(handler http.Handler) AuthOption
func WithHeaders ¶
func WithHeaders() AuthOption
type AuthorizationChecker ¶
type AuthorizationChecker interface {
// CheckAuthorization is called for requests which do not use the `httprouter` framework.
// `clientOU` and `clientCN` are set to the values determined from the x509 client certificate.
CheckAuthorization(clientOU []string, clientCN string) (map[ContextKey]ContextValue, error)
// CheckAuthorizationWithParams is called for requests which use the `httprouter` framework.
// This allows the authorization behavior to respond to the resource that's being requested.
CheckAuthorizationWithParams(
clientOU []string, clientCN string, ps httprouter.Params,
) (map[ContextKey]ContextValue, error)
}
AuthorizationChecker provides an interface for checking request authorization programatically. The CheckAuthorization* methods will be called upon a request to verify that the provided client is authorized to access the requested resource. If authorization is allowed, the AuthorizationChecker should return a nil error value. If authorization is denied, the AuthorizationChecker should return an error value with some description of why the request is being denied. If the request is allowed, the AuthorizationChecker may return a map of key/value pairs. These key/value pairs are added to the request's context using `context.WithValue` by the middleware. Downstream applications can then use these values if desired. See the methods for a description of which Allow* method is chosen depending on the request.
func AllowOUsandCNs ¶
func AllowOUsandCNs(allowedOUs, allowedCNs []string) AuthorizationChecker
AllowOUsandCNs is a convenience function which produces an AuthorizationChecker from a list of allowed OUs and CNs. Requests are allowed if one of their OUs is contained in `allowedOUs` and their CN is contained in `allowedCNs`. Either of `allowedOUs` or `allowedCNs` is permitted to be nil, which disables checking that field.
type ContextKey ¶
type ContextKey interface{}
ContextKey and ContextValue are type aliases to make the code a bit more readable.
type ContextValue ¶
type ContextValue interface{}
type Options ¶
type Options struct {
// AllowedOUs is an exact string match against the Client Certs OU's
// This gets injected into AuthorizationCheckers using AllowOUsandCNs.
AllowedOUs []string
// AllowedCNs is an exact string match against the Client Certs CN
// This gets injected into AuthorizationCheckers using AllowOUsandCNs.
AllowedCNs []string
// Performs Authorization checks
// Each check validates that the client is authorized to the requested resource.
// See documentation for AuthorizationChecker for details on the checks.
AuthorizationCheckers []AuthorizationChecker
// Populate Headers with auth info
SetReqHeaders bool
// Default handler
AuthErrorHandler http.HandlerFunc
}
**DEPRECATED** use New with AuthOptions instead Options is the configuration for a Auth handler
Source Files
Directories