package auth

v0.5.0
Published: Apr 19, 2024 License: MIT Imports: 13 Imported by: 5

Documentation

Constants

const (
	GrantTypeRefreshToken = "refresh_token"
	GrantTypePassword     = "password"

	AccessTypeOnline  = "online"
	AccessTypeOffline = "offline"
)

Variables

var ErrAuthenticationFailed = errors.New("authentication failed")

ErrAuthenticationFailed is returned when authentication fails.

This error should only be returned if credential verification fails. Any other error (e.g. connection problems) should be returned directly.

var ErrUnauthorized = errors.New("unauthorized")

ErrUnauthorized is returned when a client did not provide any credentials and the authorization server does not support anonymous access. TODO: this could be moved to another component to make anonymous access check global.

Functions

This section is empty.

Types

type AccessToken

type AccessToken struct {
	Payload string

	ExpiresIn time.Duration
	IssuedAt  time.Time
}

AccessToken is a credential issued to a registry client described in the AccessToken Authentication Specification.

type AccessTokenIssuer

type AccessTokenIssuer interface {
	IssueAccessToken(ctx context.Context, service string, subject Subject, grantedScopes []Scope) (AccessToken, error)
}

AccessTokenIssuer issues a token described in the Token Authentication Specification.

type Authenticator

type Authenticator struct {
	PasswordAuthenticator
	RefreshTokenAuthenticator
}

Authenticator is a facade combining a PasswordAuthenticator and a RefreshTokenAuthenticator.

type AuthorizationServer added in v0.1.0

type AuthorizationServer struct {
	Service AuthorizationService

	ErrorHandler ErrorHandler
}

AuthorizationServer implements the Docker Registry v2 authentication specification.

func (AuthorizationServer) OAuth2Handler added in v0.1.0

func (s AuthorizationServer) OAuth2Handler(w http.ResponseWriter, r *http.Request)

OAuth2Handler implements the Docker Registry v2 OAuth2 authentication specification.

func (AuthorizationServer) ServeHTTP added in v0.1.0

func (s AuthorizationServer) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP implements the http.Handler interface.

Use it to register the AuthorizationServer directly as an HTTP handler. Otherwise, register the handler in an HTTP router directly:

func (AuthorizationServer) TokenHandler added in v0.1.0

func (s AuthorizationServer) TokenHandler(w http.ResponseWriter, r *http.Request)

TokenHandler implements the Docker Registry v2 authentication specification.

type AuthorizationService added in v0.1.0

type AuthorizationService interface {
	// TokenHandler implements the [Docker Registry v2 authentication] specification.
	//
	// [Docker Registry v2 authentication]: https://github.com/distribution/distribution/blob/main/docs/spec/auth/token.md
	TokenHandler(ctx context.Context, r TokenRequest) (TokenResponse, error)

	// OAuth2Handler implements the [Docker Registry v2 OAuth2 authentication] specification.
	//
	// [Docker Registry v2 OAuth2 authentication]: https://github.com/distribution/distribution/blob/main/docs/spec/auth/oauth.md
	OAuth2Handler(ctx context.Context, r OAuth2Request) (OAuth2Response, error)
}

AuthorizationService defines an interface for the Docker Registry v2 authentication.

type AuthorizationServiceImpl added in v0.1.0

type AuthorizationServiceImpl struct {
	Authenticator Authenticator
	Authorizer    Authorizer
	TokenIssuer   TokenIssuer
}

AuthorizationServiceImpl implements the Docker Registry v2 authentication specification.

func (AuthorizationServiceImpl) OAuth2Handler added in v0.1.0

func (AuthorizationServiceImpl) TokenHandler added in v0.1.0

TokenHandler implements the Docker Registry v2 authentication specification.

type Authorizer

type Authorizer interface {
	Authorize(ctx context.Context, subject Subject, requestedScopes []Scope) ([]Scope, error)
}

Authorizer authorizes an access request to a list of resources (scopes) and returns the list of granted scopes.

type ErrorHandler

type ErrorHandler interface {
	Handle(err error)
}

ErrorHandler acts as the terminal handler for errors.

type LogErrorHandler

type LogErrorHandler struct {
	Logger *slog.Logger
}

LogErrorHandler logs an error using slog.Logger.

func (LogErrorHandler) Handle

func (h LogErrorHandler) Handle(err error)

type LoggerAuthorizationService added in v0.3.0

type LoggerAuthorizationService struct {
	Service AuthorizationService
	Logger  *slog.Logger
}

LoggerAuthorizationService acts as a middleware for an [AuthorizationService] and logs every request.

func (LoggerAuthorizationService) OAuth2Handler added in v0.3.0

OAuth2Handler implements [AuthorizationService] and logs every request.

func (LoggerAuthorizationService) TokenHandler added in v0.3.0

TokenHandler implements [AuthorizationService] and logs every request.

type OAuth2Request

type OAuth2Request struct {
	GrantType string

	Service    string
	ClientID   string
	AccessType string
	Scopes     Scopes

	Username     string
	Password     string
	RefreshToken string
}

OAuth2Request implements the token request defined in the Docker Registry v2 OAuth2 authentication specification.

func (OAuth2Request) Validate

func (r OAuth2Request) Validate() error

TODO: oauth2 error

type OAuth2Response

type OAuth2Response struct {
	Token        string `json:"access_token"`
	Scope        string `json:"scope,omitempty"`
	ExpiresIn    int    `json:"expires_in,omitempty"`
	IssuedAt     string `json:"issued_at,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty"`
}

OAuth2Response implements the token response defined in the Docker Registry v2 OAuth2 authentication specification.

type PasswordAuthenticator

type PasswordAuthenticator interface {
	AuthenticatePassword(ctx context.Context, username string, password string) (Subject, error)
}

PasswordAuthenticator authenticates a subject using the "password" grant or basic auth.

It returns an ErrAuthenticationFailed error in case credentials are invalid.

type RefreshTokenAuthenticator

type RefreshTokenAuthenticator interface {
	AuthenticateRefreshToken(ctx context.Context, service string, refreshToken string) (Subject, error)
}

RefreshTokenAuthenticator authenticates a refresh token.

type RefreshTokenIssuer

type RefreshTokenIssuer interface {
	IssueRefreshToken(ctx context.Context, service string, subject Subject) (string, error)
}

RefreshTokenIssuer issues a token that a client can use to issue a new access token for a subject without presenting credentials again.

type Resource

type Resource struct {
	Type string `json:"type"`
	Name string `json:"name"`
}

Resource describes a resource by type and name.

func (Resource) Compare added in v0.1.0

func (r Resource) Compare(other Resource) int

Compare compares this with another instance of Resource. It compares the values of Type and Name (in this order) and returns a value following the mechanics of cmp.Compare.

func (Resource) Equals added in v0.1.0

func (r Resource) Equals(other Resource) bool

Equals returns true if the other instance is equal to this one, otherwise it returns false.

func (Resource) String

func (r Resource) String() string

type Scope

type Scope struct {
	Resource
	Actions []string `json:"actions"`
}

Scope describes an access request to a specific resource.

func ParseScope

func ParseScope(scope string) (Scope, error)

ParseScope parses a scope string into a formal structure according to the Token Scope documentation.

General scope format: resourceType[(resourceClass)]:resourceName:action[,action...]

ParseScope returns an error if the scope format is invalid.

func ParseScopes

func ParseScopes(scopes []string) ([]Scope, error)

ParseScopes calls ParseScope for each scope in the list. If any of the scopes is invalid, ParseScopes returns an empty slice and an error.
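An added example, not the package's own code, of a parser for the scope format documented above (resourceType[(resourceClass)]:resourceName:action[,action...]) together with the fail-closed list variant described for ParseScopes. It assumes the resource name may contain ':' (a registry host:port), so the type is taken before the first ':' and the action list after the last one; the Resource and Scope types are re-implemented here to mirror the documented shapes.

```go
package main

import (
	"fmt"
	"strings"
)

// Resource and Scope mirror the documented shapes (re-implemented for this example).
type Resource struct {
	Type string // resourceType, optionally with its class: "repository(plugin)"
	Name string
}
type Scope struct {
	Resource
	Actions []string
}

// parseScope parses resourceType[(resourceClass)]:resourceName:action[,action...]. Assumption:
// resourceName may contain ':' (host:port), so type = before first ':', actions = after last ':'.
func parseScope(s string) (Scope, error) {
	typ, rest, ok := strings.Cut(s, ":")
	last := strings.LastIndex(rest, ":")
	if !ok || last < 0 || typ == "" || rest[:last] == "" {
		return Scope{}, fmt.Errorf("invalid scope format: %q", s)
	}
	sc := Scope{Resource: Resource{Type: typ, Name: rest[:last]}}
	for _, a := range strings.Split(rest[last+1:], ",") {
		if a == "" { // rejects an empty action list, "pull,,push" and a trailing comma
			return Scope{}, fmt.Errorf("invalid scope format: empty action in %q", s)
		}
		sc.Actions = append(sc.Actions, a)
	}
	return sc, nil
}

// parseScopes fails closed, as documented: one malformed scope rejects the whole list.
func parseScopes(scopes []string) ([]Scope, error) {
	out := make([]Scope, 0, len(scopes))
	for _, s := range scopes {
		sc, err := parseScope(s)
		if err != nil {
			return nil, err
		}
		out = append(out, sc)
	}
	return out, nil
}
func main() {
	fmt.Println(parseScopes([]string{"repository(plugin):registry.example.com:5000/team/app:pull,push"}))
}
```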

func (Scope) Compare added in v0.1.0

func (s Scope) Compare(other Scope) int

Compare compares this with another instance of Scope. It compares the values of Resource and Actions (in this order) and returns a value following the mechanics of cmp.Compare.

Note that the values of Actions are always cloned and sorted before comparison, so this is not a cheap operation.

func (Scope) Equals added in v0.1.0

func (s Scope) Equals(other Scope) bool

Equals returns true if the other instance is equal to this one, otherwise it returns false.

func (Scope) String

func (s Scope) String() string

type Scopes

type Scopes []Scope

Scopes is a list of Scope instances.

func (Scopes) Compare added in v0.1.0

func (s Scopes) Compare(other Scopes) int

Compare compares this with another instance of Scopes. It compares the values of each Scope and returns a value following the mechanics of cmp.Compare.

Note that the values of Scope.Actions are always cloned and sorted before comparison, so this is not a cheap operation.

func (Scopes) Equals added in v0.1.0

func (s Scopes) Equals(other Scopes) bool

Equals returns true if the other instance is equal to this one, otherwise it returns false.

func (Scopes) String

func (s Scopes) String() string

type Subject

type Subject interface {
	// ID returns the identifier of the Subject.
	ID() SubjectID

	// Attribute returns an attribute value and a boolean flag that shows whether the value exists or not.
	Attribute(key string) (any, bool)

	// Attributes are arbitrary key-value pairs that help an Authorizer to make authorization decisions.
	//
	// Attributes MAY return a copy of its internal map to avoid modifications.
	// As a result, it MAY be a relatively expensive operation and SHOULD only be used when necessary.
	// Prefer using Attribute instead.
	Attributes() map[string]any
}

Subject contains information about the authenticated subject. For most (authorization) use cases, the information provided by Subject should be enough. However, custom implementations may provide additional behavior to help authorization decisions. That being said, it's up to the integrator to make sure all authenticators are compatible with such implementations.

type SubjectID

type SubjectID interface {
	String() string
	Equals(other SubjectID) bool
}

SubjectID is the primary identifier of a Subject (a username or an arbitrary ID (e.g. UUID)), but it is not necessarily globally unique: authenticators can federate between various providers and/or subject types (e.g. human vs machine users). Therefore, SubjectID alone SHOULD NOT be used as a reference to the Subject if uniqueness cannot be guaranteed across the federated providers. The amount of information necessary to compose a key is an implementation/configuration detail, but the ID, the type of subject (if any) and the provider (if any) are generally enough to compose a globally (i.e. across all providers) unique key.

SubjectID appears in the "sub" claim of JWTs issued as access tokens.

func SubjectIDFromString

func SubjectIDFromString(id string) SubjectID

SubjectIDFromString returns a new SubjectID constructed from a string.

type TokenIssuer

type TokenIssuer struct {
	AccessTokenIssuer
	RefreshTokenIssuer
}

TokenIssuer is a facade combining an AccessTokenIssuer and a RefreshTokenIssuer.

type TokenRequest

type TokenRequest struct {
	Service  string
	ClientID string
	Offline  bool
	Scopes   Scopes

	Anonymous bool
	Username  string
	Password  string
}

TokenRequest implements the token request defined in the Docker Registry v2 authentication specification.

func (TokenRequest) Validate

func (r TokenRequest) Validate() error

type TokenResponse

type TokenResponse struct {
	Token        string `json:"access_token"`
	RefreshToken string `json:"refresh_token,omitempty"`
	ExpiresIn    int    `json:"expires_in,omitempty"`
}

TokenResponse implements the token response defined in the Docker Registry v2 authentication specification.

Directories

Path Synopsis
token
jwt
