Documentation
Index
- Constants
- Variables
- type AccessToken
- type AccessTokenIssuer
- type Authenticator
- type AuthorizationServer
- type AuthorizationService
- type AuthorizationServiceImpl
- type Authorizer
- type ErrorHandler
- type LogErrorHandler
- type LoggerAuthorizationService
- type OAuth2Request
- type OAuth2Response
- type PasswordAuthenticator
- type RefreshTokenAuthenticator
- type RefreshTokenIssuer
- type Resource
- type Scope
- type Scopes
- type Subject
- type SubjectID
- type TokenIssuer
- type TokenRequest
- type TokenResponse
Constants
const (
	GrantTypeRefreshToken = "refresh_token"
	GrantTypePassword     = "password"
	AccessTypeOnline      = "online"
	AccessTypeOffline     = "offline"
)
Variables
var ErrAuthenticationFailed = errors.New("authentication failed")
ErrAuthenticationFailed is returned when authentication fails.
This error should only be returned if credential verification fails. Any other error (e.g. connection problems) should be returned directly.
ErrUnauthorized is returned when a client did not provide any credentials and the authorization server does not support anonymous access. TODO: this could be moved to another component to make the anonymous access check global.
Functions
This section is empty.
Types
type AccessToken
AccessToken is a credential issued to a registry client described in the AccessToken Authentication Specification.
type AccessTokenIssuer
type AccessTokenIssuer interface {
	IssueAccessToken(ctx context.Context, service string, subject Subject, grantedScopes []Scope) (AccessToken, error)
}
AccessTokenIssuer issues a token described in the Token Authentication Specification.
type Authenticator
type Authenticator struct {
	PasswordAuthenticator
	RefreshTokenAuthenticator
}
Authenticator is a facade combining a PasswordAuthenticator and a RefreshTokenAuthenticator.
type AuthorizationServer (added in v0.1.0)
type AuthorizationServer struct {
	Service      AuthorizationService
	ErrorHandler ErrorHandler
}
AuthorizationServer implements the Docker Registry v2 authentication specification.
func (AuthorizationServer) OAuth2Handler (added in v0.1.0)
func (s AuthorizationServer) OAuth2Handler(w http.ResponseWriter, r *http.Request)
OAuth2Handler implements the Docker Registry v2 OAuth2 authentication specification.
func (AuthorizationServer) ServeHTTP (added in v0.1.0)
func (s AuthorizationServer) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP implements the http.Handler interface.
Use it to register the AuthorizationServer directly as an HTTP handler. Alternatively, register the two handler methods in an HTTP router yourself:
- GET / -> AuthorizationServer.TokenHandler
- POST / -> AuthorizationServer.OAuth2Handler
func (AuthorizationServer) TokenHandler (added in v0.1.0)
func (s AuthorizationServer) TokenHandler(w http.ResponseWriter, r *http.Request)
TokenHandler implements the Docker Registry v2 authentication specification.
type AuthorizationService (added in v0.1.0)
type AuthorizationService interface {
	// TokenHandler implements the [Docker Registry v2 authentication] specification.
	//
	// [Docker Registry v2 authentication]: https://github.com/distribution/distribution/blob/main/docs/spec/auth/token.md
	TokenHandler(ctx context.Context, r TokenRequest) (TokenResponse, error)

	// OAuth2Handler implements the [Docker Registry v2 OAuth2 authentication] specification.
	//
	// [Docker Registry v2 OAuth2 authentication]: https://github.com/distribution/distribution/blob/main/docs/spec/auth/oauth.md
	OAuth2Handler(ctx context.Context, r OAuth2Request) (OAuth2Response, error)
}
AuthorizationService defines an interface for the Docker Registry v2 authentication.
type AuthorizationServiceImpl (added in v0.1.0)
type AuthorizationServiceImpl struct {
	Authenticator Authenticator
	Authorizer    Authorizer
	TokenIssuer   TokenIssuer
}
AuthorizationServiceImpl implements the Docker Registry v2 authentication specification.
func (AuthorizationServiceImpl) OAuth2Handler (added in v0.1.0)
func (s AuthorizationServiceImpl) OAuth2Handler(ctx context.Context, r OAuth2Request) (OAuth2Response, error)
func (AuthorizationServiceImpl) TokenHandler (added in v0.1.0)
func (s AuthorizationServiceImpl) TokenHandler(ctx context.Context, r TokenRequest) (TokenResponse, error)
TokenHandler implements the Docker Registry v2 authentication specification.
type Authorizer
type Authorizer interface {
	Authorize(ctx context.Context, subject Subject, requestedScopes []Scope) ([]Scope, error)
}
Authorizer authorizes an access request to a list of resources (scopes) and returns the list of granted scopes.
type ErrorHandler
type ErrorHandler interface {
	Handle(err error)
}
ErrorHandler acts as the terminal handler for errors.
type LogErrorHandler
LogErrorHandler logs an error using slog.Logger.
func (LogErrorHandler) Handle
func (h LogErrorHandler) Handle(err error)
type LoggerAuthorizationService (added in v0.3.0)
type LoggerAuthorizationService struct {
	Service AuthorizationService
	Logger  *slog.Logger
}
LoggerAuthorizationService acts as a middleware for an [AuthorizationService] and logs every request.
func (LoggerAuthorizationService) OAuth2Handler (added in v0.3.0)
func (s LoggerAuthorizationService) OAuth2Handler(ctx context.Context, r OAuth2Request) (OAuth2Response, error)
OAuth2Handler implements [AuthorizationService] and logs every request.
func (LoggerAuthorizationService) TokenHandler (added in v0.3.0)
func (s LoggerAuthorizationService) TokenHandler(ctx context.Context, r TokenRequest) (TokenResponse, error)
TokenHandler implements [AuthorizationService] and logs every request.
type OAuth2Request
type OAuth2Request struct {
	GrantType    string
	Service      string
	ClientID     string
	AccessType   string
	Scopes       Scopes
	Username     string
	Password     string
	RefreshToken string
}
OAuth2Request implements the token request defined in the Docker Registry v2 OAuth2 authentication specification.
type OAuth2Response
type OAuth2Response struct {
	Token        string `json:"access_token"`
	Scope        string `json:"scope,omitempty"`
	ExpiresIn    int    `json:"expires_in,omitempty"`
	IssuedAt     string `json:"issued_at,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty"`
}
OAuth2Response implements the token response defined in the Docker Registry v2 OAuth2 authentication specification.
type PasswordAuthenticator
type PasswordAuthenticator interface {
	AuthenticatePassword(ctx context.Context, username string, password string) (Subject, error)
}
PasswordAuthenticator authenticates a subject using the "password" grant or basic auth.
It returns an ErrAuthenticationFailed error in case credentials are invalid.
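The ErrAuthenticationFailed contract stated under Variables (only a failed credential check maps to ErrAuthenticationFailed; a backend outage is returned as-is) and the PasswordAuthenticator interface above are illustrated by the following added example. It is not the package's own code: the Subject and SubjectID shapes are re-declared so the file compiles stand-alone, the user store, its records and the errStoreUnavailable error are constructed for the example, and the salted SHA-256 stands in for a real password hash only to stay standard-library-only.

```go
package main

import (
	"context"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"maps"
)

// ErrAuthenticationFailed mirrors the package variable documented above.
var ErrAuthenticationFailed = errors.New("authentication failed")

// Minimal re-declarations of the documented Subject types (assumption: the
// package's own types have the same shape as the interface shown on this page).
type SubjectID string

type Subject interface {
	ID() SubjectID
	Attribute(key string) (any, bool)
	Attributes() map[string]any
}

type storedSubject struct {
	id    SubjectID
	attrs map[string]any
}

func (s storedSubject) ID() SubjectID                  { return s.id }
func (s storedSubject) Attribute(k string) (any, bool) { v, ok := s.attrs[k]; return v, ok }
func (s storedSubject) Attributes() map[string]any     { return maps.Clone(s.attrs) }

// userRecord is what the credential backend returns (constructed for this example).
// A salted SHA-256 is used only to keep the example standard-library-only; a real
// deployment stores a memory-hard password hash (bcrypt, scrypt or argon2) instead.
type userRecord struct {
	salt         string
	passwordHash [32]byte
	attrs        map[string]any
}

func hashPassword(salt, password string) [32]byte {
	return sha256.Sum256([]byte(salt + "\x00" + password))
}

// userStore abstracts the backend; errStoreUnavailable models a connection
// problem, which the contract says must be returned directly, not as a
// credential failure.
type userStore interface {
	Lookup(ctx context.Context, username string) (rec userRecord, found bool, err error)
}

var errStoreUnavailable = errors.New("user store unavailable")

type mapStore struct {
	users       map[string]userRecord
	unavailable bool // simulates an outage
}

func (m mapStore) Lookup(_ context.Context, username string) (userRecord, bool, error) {
	if m.unavailable {
		return userRecord{}, false, errStoreUnavailable
	}
	rec, ok := m.users[username]
	return rec, ok, nil
}

// StorePasswordAuthenticator implements PasswordAuthenticator on top of a userStore.
type StorePasswordAuthenticator struct {
	Store userStore
}

func (a StorePasswordAuthenticator) AuthenticatePassword(ctx context.Context, username, password string) (Subject, error) {
	rec, found, err := a.Store.Lookup(ctx, username)
	if err != nil {
		// Backend failure: propagate it (wrapped, still matchable with errors.Is)
		// so the caller can tell an outage from bad credentials and not answer 401.
		return nil, fmt.Errorf("look up user %q: %w", username, err)
	}
	// Run the comparison even for unknown users (zero record), so response
	// timing does not reveal whether the account exists.
	got := hashPassword(rec.salt, password)
	match := subtle.ConstantTimeCompare(got[:], rec.passwordHash[:]) == 1
	if !found || !match {
		return nil, ErrAuthenticationFailed
	}
	return storedSubject{id: SubjectID(username), attrs: rec.attrs}, nil
}

func main() {
	store := mapStore{users: map[string]userRecord{
		"alice": {salt: "s1", passwordHash: hashPassword("s1", "correct horse"), attrs: map[string]any{"provider": "local"}},
	}}
	auth := StorePasswordAuthenticator{Store: store}
	_, err := auth.AuthenticatePassword(context.Background(), "alice", "wrong")
	fmt.Println(errors.Is(err, ErrAuthenticationFailed)) // bad credentials -> true
	down := StorePasswordAuthenticator{Store: mapStore{unavailable: true}}
	_, err = down.AuthenticatePassword(context.Background(), "alice", "correct horse")
	fmt.Println(errors.Is(err, ErrAuthenticationFailed)) // outage is not an auth failure -> false
}
```

The distinction matters operationally: a server that collapses every error into ErrAuthenticationFailed turns a database outage into a flood of 401 responses, hides the incident from monitoring and can push clients into credential retry loops.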
type RefreshTokenAuthenticator
type RefreshTokenAuthenticator interface {
	AuthenticateRefreshToken(ctx context.Context, service string, refreshToken string) (Subject, error)
}
RefreshTokenAuthenticator authenticates a refresh token.
type RefreshTokenIssuer
type RefreshTokenIssuer interface {
	IssueRefreshToken(ctx context.Context, service string, subject Subject) (string, error)
}
RefreshTokenIssuer issues a token that a client can use to obtain a new access token for a subject without presenting credentials again.
type Resource
Resource describes a resource by type and name.
func (Resource) Compare (added in v0.1.0)
Compare compares this with another instance of Resource. It compares the values of Type and Name (in this order) and returns a value following the mechanics of cmp.Compare.
type Scope
Scope describes an access request to a specific resource.
func ParseScope
ParseScope parses a scope string into a formal structure according to the Token Scope documentation.
General scope format: resourceType[(resourceClass)]:resourceName:action[,action...]
ParseScope returns an error if the scope format is invalid.
func ParseScopes
ParseScopes calls ParseScope for each scope in the list. If any of the scopes is invalid, ParseScopes returns an empty slice and an error.
func (Scope) Compare (added in v0.1.0)
Compare compares this with another instance of Scope. It compares the values of Resource and Actions (in this order) and returns a value following the mechanics of cmp.Compare.
Note that the values of Actions are always cloned and sorted before comparison, so this is not a cheap operation.
type Scopes
type Scopes []Scope
Scopes is a list of Scope instances.
func (Scopes) Compare (added in v0.1.0)
Compare compares this with another instance of Scopes. It compares the values of each Scope and returns a value following the mechanics of cmp.Compare.
Note that the values of Scope.Actions are always cloned and sorted before comparison, so this is not a cheap operation.
type Subject
type Subject interface {
	// ID returns the identifier of the Subject.
	ID() SubjectID

	// Attribute returns an attribute value and a boolean flag that shows whether the value exists or not.
	Attribute(key string) (any, bool)

	// Attributes are arbitrary key-value pairs that help an Authorizer make authorization decisions.
	//
	// Attributes MAY return a copy of its internal map to avoid modifications.
	// As a result, it MAY be a relatively expensive operation and SHOULD only be used when necessary.
	// Prefer using Attribute instead.
	Attributes() map[string]any
}
Subject contains information about the authenticated subject. For most (authorization) use cases, the information provided by Subject should be enough. However, custom implementations may provide additional behavior to help authorization decisions. That being said, it's up to the integrator to make sure all authenticators are compatible with such implementations.
type SubjectID
SubjectID is the primary identifier of a Subject (a username or an arbitrary ID (e.g. UUID)), but it is not necessarily globally unique: authenticators can federate between various providers and/or subject types (e.g. human vs machine users). Therefore, SubjectID alone SHOULD NOT be used as a reference to the Subject if uniqueness cannot be guaranteed across the federated providers. The amount of information necessary to compose a key is an implementation/configuration detail, but the ID, the type of subject (if any) and the provider (if any) are generally enough to compose a globally (i.e. across all providers) unique key.
SubjectID appears in the "sub" claim of JWTs issued as access tokens.
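The following added example serves two passages on this page: the Authorizer interface (an access request is narrowed to the list of granted scopes) and the Subject/SubjectID contract (attributes feed authorization decisions, and a SubjectID alone is not a safe reference across federated providers). It is not the package's own code: Subject, SubjectID, Resource and Scope are re-declared in minimal form, the "provider", "subject_type" and "grants" attribute keys, the NewSubject constructor, the SubjectKey function and the AttributeAuthorizer policy are all assumptions made for the example.

```go
package main

import (
	"context"
	"fmt"
	"maps"
	"slices"
	"strings"
)

type SubjectID string

// Subject mirrors the documented interface (re-declared; assumption).
type Subject interface {
	ID() SubjectID
	Attribute(key string) (any, bool)
	Attributes() map[string]any
}

// federatedSubject records which provider authenticated the principal and
// what kind of principal it is, alongside its grants (all constructed here).
type federatedSubject struct {
	id    SubjectID
	attrs map[string]any
}

// NewSubject builds a Subject; grants maps "resourceType:resourceName" to the
// actions the subject may perform there ("*" meaning any action).
func NewSubject(id SubjectID, provider, subjectType string, grants map[string][]string) Subject {
	return federatedSubject{id: id, attrs: map[string]any{
		"provider":     provider,
		"subject_type": subjectType,
		"grants":       grants,
	}}
}

func (s federatedSubject) ID() SubjectID { return s.id }
func (s federatedSubject) Attribute(key string) (any, bool) {
	v, ok := s.attrs[key]
	return v, ok
}

// Attributes returns a copy, as the interface comment permits, so callers
// cannot mutate the subject's state.
func (s federatedSubject) Attributes() map[string]any { return maps.Clone(s.attrs) }

// SubjectKey composes the key the SubjectID documentation recommends:
// provider, subject type and ID. The same ID issued by two providers, or to
// a human and a machine account, yields distinct keys.
func SubjectKey(s Subject) string {
	part := func(key string) string {
		if v, ok := s.Attribute(key); ok {
			if str, ok := v.(string); ok && str != "" {
				return str
			}
		}
		return "-" // unknown provider/type still keyed apart from known ones
	}
	return strings.Join([]string{part("provider"), part("subject_type"), string(s.ID())}, "|")
}

type Resource struct {
	Type string
	Name string
}

type Scope struct {
	Resource Resource
	Actions  []string
}

// AttributeAuthorizer grants, per requested scope, only the actions the
// subject's "grants" attribute permits and drops scopes with nothing
// permitted. It never widens a request: the result is a subset of it.
type AttributeAuthorizer struct{}

func (AttributeAuthorizer) Authorize(_ context.Context, subject Subject, requested []Scope) ([]Scope, error) {
	if subject == nil {
		return nil, nil // anonymous: this policy grants nothing
	}
	raw, ok := subject.Attribute("grants")
	if !ok {
		return nil, nil
	}
	grants, ok := raw.(map[string][]string)
	if !ok {
		return nil, fmt.Errorf("grants attribute has unexpected type %T", raw)
	}
	var granted []Scope
	for _, sc := range requested {
		allowed := grants[sc.Resource.Type+":"+sc.Resource.Name]
		var actions []string
		for _, a := range sc.Actions {
			if slices.Contains(allowed, "*") || slices.Contains(allowed, a) {
				actions = append(actions, a)
			}
		}
		if len(actions) > 0 {
			granted = append(granted, Scope{Resource: sc.Resource, Actions: actions})
		}
	}
	return granted, nil
}

func main() {
	alice := NewSubject("alice", "github", "user", map[string][]string{"repository:team/app": {"pull"}})
	fmt.Println(SubjectKey(alice)) // github|user|alice
}
```

Keying audit records, token revocation lists or rate limits on SubjectKey rather than on the bare "sub" claim is what keeps a machine account named "alice" from one provider from being confused with a human "alice" from another.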
func SubjectIDFromString
SubjectIDFromString returns a new SubjectID constructed from a string.
type TokenIssuer
type TokenIssuer struct {
	AccessTokenIssuer
	RefreshTokenIssuer
}
TokenIssuer is a facade combining an AccessTokenIssuer and a RefreshTokenIssuer.
type TokenRequest
type TokenRequest struct {
	Service   string
	ClientID  string
	Offline   bool
	Scopes    Scopes
	Anonymous bool
	Username  string
	Password  string
}
TokenRequest implements the token request defined in the Docker Registry v2 authentication specification.
func (TokenRequest) Validate
func (r TokenRequest) Validate() error
type TokenResponse
type TokenResponse struct {
	Token        string `json:"access_token"`
	RefreshToken string `json:"refresh_token,omitempty"`
	ExpiresIn    int    `json:"expires_in,omitempty"`
}
TokenResponse implements the token response defined in the Docker Registry v2 authentication specification.