Documentation
Index
- func InvalidateRedisCacheForUser(tokenCache TokenCache, username string) error
- type AccessTokenVerifier
- type AuthDriver
- type BaseNatsDriver
- type CacaoTokenAuth
- type DefaultUserResolver
- type KeycloakAuth
- type OAuth2
- type OAuth2Config
- type RFC7662AccessTokenVerifier
- type SimpleTokenAuth
- type TokenCache
- type UserProfile
- type UserProfileExtractor
- type UserResolver
Constants
This section is empty.
Variables
This section is empty.
Functions
func InvalidateRedisCacheForUser
func InvalidateRedisCacheForUser(tokenCache TokenCache, username string) error
InvalidateRedisCacheForUser ...
Types
type AccessTokenVerifier
type AccessTokenVerifier interface {
	// Verify accepts a single access token and validates it. If the token is valid, user profile information will be
	// returned. Otherwise, an error will be returned.
	Verify(accessToken string) (*UserProfile, error)
}
AccessTokenVerifier is the primary interface used for verifying that an access token is legitimate. Any implementation of AccessTokenVerifier should do two things: (1) verify that the access token is valid, and (2) obtain enough information about the user to create a UserProfile object.
type AuthDriver
type AuthDriver interface {
	// assumes gorilla mux; gives the ability to add additional handle functions for a given driver
	AddRoutes(router *mux.Router)
	// Authenticate is the primary method to authenticate users.
	// This should return a user object and err, if either is appropriate.
	Authenticate(header http.Header) (user *service.UserModel, err error)
}
AuthDriver is the primary interface for authentication drivers.
type BaseNatsDriver
type BaseNatsDriver struct {
	// contains filtered or unexported fields
}
BaseNatsDriver simply provides a way to interface with the query and events queue. It provides no authentication methods of its own, other than getOrCreateUser().
type CacaoTokenAuth
type CacaoTokenAuth struct {
	BaseNatsDriver
	TimeSrc func() time.Time
	// contains filtered or unexported fields
}
CacaoTokenAuth is an authenticator specific to CACAO API tokens.
func NewCacaoTokenAuth
func NewCacaoTokenAuth(c config.Config, userServiceClient service.UserClient, tokenClient service.TokenClient, timeSrc func() time.Time) (*CacaoTokenAuth, error)
NewCacaoTokenAuth sets up the CACAO API token auth driver.
func (*CacaoTokenAuth) AddRoutes
func (cta *CacaoTokenAuth) AddRoutes(router *mux.Router)
AddRoutes adds any extra routes needed for this auth driver.
func (*CacaoTokenAuth) Authenticate
Authenticate performs authentication per the AuthDriver interface.
type DefaultUserResolver
type DefaultUserResolver struct {
	BaseNatsDriver
}
DefaultUserResolver provides the default user resolver implementation, which uses BaseNatsDriver to get or record user information.
func NewDefaultUserResolver
func NewDefaultUserResolver(c config.Config, userServiceClient service.UserClient) *DefaultUserResolver
NewDefaultUserResolver returns the default implementation of the UserResolver interface.
func (*DefaultUserResolver) GetOrCreateUser
func (resolver *DefaultUserResolver) GetOrCreateUser(
	username, email, firstname, lastname string,
	isAdmin bool,
) (*service.UserModel, error)
GetOrCreateUser returns information about an authenticated user. If the user does not exist and automatic user creation is enabled, a new user will be created and returned. Only the username is used for lookup. The rest of the parameters are only used when a user is being created automatically.
type KeycloakAuth
type KeycloakAuth struct {
	BaseNatsDriver
	// contains filtered or unexported fields
}
KeycloakAuth is an authenticator specific to Keycloak, though it might be usable with other OAuth2 servers.
func NewKeycloakAuth
func NewKeycloakAuth(c config.Config, userServiceClient service.UserClient) (*KeycloakAuth, error)
NewKeycloakAuth creates a new KeycloakAuth using a configuration.
func (*KeycloakAuth) AddRoutes
func (kauth *KeycloakAuth) AddRoutes(router *mux.Router)
AddRoutes adds additional routes to gorilla mux.
func (*KeycloakAuth) Authenticate
Authenticate performs authentication per the AuthDriver interface.
type OAuth2
type OAuth2 struct {
	// contains filtered or unexported fields
}
OAuth2 is the OAuth2 driver.
func NewCILogonOAuth2Driver
NewCILogonOAuth2Driver returns an OAuth2 authentication driver for use with CILogon.
func NewGlobusOAuth2Driver
NewGlobusOAuth2Driver returns an OAuth2 authentication driver for use with Globus.
func NewOAuth2Driver
func NewOAuth2Driver(
	oauth2Config OAuth2Config,
	tokenVerifier AccessTokenVerifier,
	userResolver UserResolver,
	hmacSecret string,
	enablePostLogin bool,
) *OAuth2
NewOAuth2Driver returns a new OAuth2 authentication driver without any OAuth configuration settings. This is a lower-level function, primarily intended to be used either internally or for unit testing.
type OAuth2Config
type OAuth2Config interface {
	AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string
	Client(ctx context.Context, t *oauth2.Token) *http.Client
	Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error)
	PasswordCredentialsToken(ctx context.Context, username, password string) (*oauth2.Token, error)
	TokenSource(ctx context.Context, t *oauth2.Token) oauth2.TokenSource
}
OAuth2Config specifies the interface used by oauth2.Config so that we can mock it.
type RFC7662AccessTokenVerifier
type RFC7662AccessTokenVerifier struct {
	// contains filtered or unexported fields
}
RFC7662AccessTokenVerifier validates OAuth2 access tokens according to RFC 7662.
func NewRFC7662AccessTokenVerifier
func NewRFC7662AccessTokenVerifier(introspectionURL string, profileExtractor UserProfileExtractor) *RFC7662AccessTokenVerifier
NewRFC7662AccessTokenVerifier returns a new access token verifier. Note that the claim names used to obtain attributes for the user profile are currently hard-coded. They're included in the struct itself in order to make it easy to customize them later if we need to.
func (*RFC7662AccessTokenVerifier) Verify
func (v *RFC7662AccessTokenVerifier) Verify(accessToken string) (*UserProfile, error)
Verify verifies that an access token is valid using the method described in RFC 7662.
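The introspection round-trip that Verify performs, as an added example that is not the package's own code: it POSTs the token to an RFC 7662 introspection endpoint using client credentials, treats any response other than "active": true as a rejection, and hands the returned claims to an extractor playing the role of UserProfileExtractor. The rfc7662Verifier type, the extractProfile claim mapping, the fake httptest server and the credentials cacao-api / example-secret are all constructed for this example; the claim names and transport details of the real RFC7662AccessTokenVerifier are not shown on this page.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// UserProfile mirrors the type documented on this page.
type UserProfile struct {
	Username   string
	FirstName  string
	LastName   string
	Email      string
	Attributes map[string]interface{}
}

// rfc7662Verifier is an illustrative verifier, not the package's RFC7662AccessTokenVerifier.
type rfc7662Verifier struct {
	introspectionURL string
	clientID         string // the endpoint must authenticate its caller (RFC 7662 section 2.1)
	clientSecret     string
	client           *http.Client
	extract          func(claims map[string]interface{}) (*UserProfile, error)
}

// Verify POSTs the token to the introspection endpoint and accepts it only when the
// response says "active": true, the one member RFC 7662 guarantees will be present.
func (v *rfc7662Verifier) Verify(accessToken string) (*UserProfile, error) {
	form := url.Values{"token": {accessToken}, "token_type_hint": {"access_token"}}
	req, err := http.NewRequest(http.MethodPost, v.introspectionURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(v.clientID, v.clientSecret)
	resp, err := v.client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("introspection endpoint returned HTTP %d", resp.StatusCode)
	}
	var claims map[string]interface{}
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&claims); err != nil {
		return nil, fmt.Errorf("decoding introspection response: %w", err)
	}
	if active, _ := claims["active"].(bool); !active {
		return nil, errors.New("access token is not active")
	}
	return v.extract(claims)
}

// extractProfile maps common claim names onto a UserProfile; a response with no
// username is rejected because there would be nothing to look the user up by.
func extractProfile(claims map[string]interface{}) (*UserProfile, error) {
	str := func(k string) string {
		s, _ := claims[k].(string)
		return s
	}
	if str("username") == "" {
		return nil, errors.New("introspection response lacks a username")
	}
	return &UserProfile{Username: str("username"), FirstName: str("given_name"),
		LastName: str("family_name"), Email: str("email"), Attributes: claims}, nil
}

// newFakeIntrospectionServer is a constructed authorization server that knows one token.
func newFakeIntrospectionServer(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if id, secret, ok := r.BasicAuth(); !ok || id != "cacao-api" || secret != "example-secret" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		if r.Method != http.MethodPost || r.PostFormValue("token") != validToken {
			// Unknown, expired and revoked tokens all get the same answer (RFC 7662 section 2.2).
			json.NewEncoder(w).Encode(map[string]interface{}{"active": false})
			return
		}
		json.NewEncoder(w).Encode(map[string]interface{}{"active": true, "username": "jdoe",
			"email": "jdoe@example.org", "given_name": "Jane", "family_name": "Doe", "scope": "openid email"})
	}))
}

// verifyWithFakeServer wires the verifier to the fake server so the flow runs offline.
func verifyWithFakeServer(validToken, presentedToken string) (*UserProfile, error) {
	srv := newFakeIntrospectionServer(validToken)
	defer srv.Close()
	v := &rfc7662Verifier{introspectionURL: srv.URL, clientID: "cacao-api",
		clientSecret: "example-secret", client: srv.Client(), extract: extractProfile}
	return v.Verify(presentedToken)
}
```

Two details carry the security weight: the decision is made solely on the "active" member, so a well-formed response that omits it is a rejection rather than a pass, and the response body is read through io.LimitReader so a misbehaving endpoint cannot make the verifier buffer an unbounded reply. Because the fake server reports unknown, expired and revoked tokens identically, the verifier has no way to distinguish them, which is exactly why the cache discussed under TokenCache needs its own expiry and invalidation.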
type SimpleTokenAuth
type SimpleTokenAuth struct {
	BaseNatsDriver
	// contains filtered or unexported fields
}
SimpleTokenAuth authentication is essentially a way to pass a token for authentication and authorization. This method should only be used for development or demo purposes. SimpleTokenAuth authentication also creates the initial admin user per the global config.
func NewSimpleTokenAuth
func NewSimpleTokenAuth(c config.Config, userServiceClient service.UserClient) *SimpleTokenAuth
NewSimpleTokenAuth creates a new SimpleTokenAuth, given a configuration.
func (*SimpleTokenAuth) AddRoutes
func (*SimpleTokenAuth) AddRoutes(router *mux.Router)
AddRoutes adds additional routes, per AuthDriver.
func (*SimpleTokenAuth) Authenticate
Authenticate authenticates and returns the user per the AuthDriver interface.
type TokenCache
type TokenCache interface {
	LookupToken(token string) (profile UserProfile, found bool)
	SaveToken(token string, profile UserProfile)
}
TokenCache is the interface for caching access tokens. By caching an access token together with its UserProfile, we avoid making an external call to the auth provider for every single request, which reduces latency. Another advantage of caching access tokens is that it allows us to extend the user session beyond the access token's lifetime. This reduces the reliance on the frontend or user to maintain a valid access token for the entire duration of the session. The downside of extending the user session beyond the token lifetime is that revocation and expiration will not be reflected in cacao in a timely fashion.
func NewInMemoryTokenCache
func NewInMemoryTokenCache(ttlSec uint) TokenCache
NewInMemoryTokenCache creates a new in-memory cache for access tokens and user profiles.
func NewRedisTokenCache
func NewRedisTokenCache(conf config.Config) TokenCache
NewRedisTokenCache creates an access token cache based on Redis.
func NewTokenCache
func NewTokenCache(conf config.Config) TokenCache
NewTokenCache creates a token cache instance. This will create a Redis cache if the redis config value is populated in the config. Otherwise, it will fall back to an in-memory cache.
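A concrete illustration of the trade-off described for TokenCache, as an added example rather than code from the package: an in-memory TTL cache sitting in front of a verifier, with a per-user invalidation method playing the part that InvalidateRedisCacheForUser plays for the Redis cache. Once a token is cached, revocation at the provider is invisible until the entry expires or is invalidated explicitly. The ttlTokenCache, cachedVerifier and stubProvider types and the SHA-256 keying are assumptions of this example; the internals of the page's NewInMemoryTokenCache are not shown.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"sync"
	"time"
)

// UserProfile carries only the field this example needs; the page's type has more.
type UserProfile struct {
	Username string
}

type cacheEntry struct {
	profile   UserProfile
	expiresAt time.Time
}

// ttlTokenCache is an illustrative in-memory TokenCache with a per-entry TTL. Entries are keyed
// by the SHA-256 of the token so a dump of the cache does not hand out usable bearer tokens
// (a choice made for this example, not something the page states about its own cache).
type ttlTokenCache struct {
	mu      sync.Mutex
	ttl     time.Duration
	now     func() time.Time // injectable clock, like CacaoTokenAuth.TimeSrc on this page
	entries map[string]cacheEntry
}

func newTTLTokenCache(ttl time.Duration, now func() time.Time) *ttlTokenCache {
	return &ttlTokenCache{ttl: ttl, now: now, entries: map[string]cacheEntry{}}
}

func cacheKey(token string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(token))) }

// LookupToken returns the cached profile unless the entry is missing or past its TTL.
func (c *ttlTokenCache) LookupToken(token string) (UserProfile, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	k := cacheKey(token)
	e, ok := c.entries[k]
	if !ok || !c.now().Before(e.expiresAt) {
		delete(c.entries, k) // expired entries are evicted lazily
		return UserProfile{}, false
	}
	return e.profile, true
}

func (c *ttlTokenCache) SaveToken(token string, profile UserProfile) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[cacheKey(token)] = cacheEntry{profile: profile, expiresAt: c.now().Add(c.ttl)}
}

// InvalidateUser drops every entry for username, as InvalidateRedisCacheForUser does for Redis.
func (c *ttlTokenCache) InvalidateUser(username string) int {
	c.mu.Lock()
	defer c.mu.Unlock()
	n := 0
	for k, e := range c.entries {
		if e.profile.Username == username {
			delete(c.entries, k)
			n++
		}
	}
	return n
}

// cachedVerifier answers from the cache and only calls the upstream verifier on a miss.
type cachedVerifier struct {
	upstream func(accessToken string) (*UserProfile, error) // e.g. an AccessTokenVerifier's Verify
	cache    *ttlTokenCache
}

func (v *cachedVerifier) Verify(accessToken string) (*UserProfile, error) {
	if p, ok := v.cache.LookupToken(accessToken); ok {
		return &p, nil
	}
	p, err := v.upstream(accessToken)
	if err != nil {
		return nil, err
	}
	v.cache.SaveToken(accessToken, *p)
	return p, nil
}

// stubProvider is a constructed auth provider: a set of active tokens plus a call counter.
type stubProvider struct {
	active map[string]UserProfile
	calls  int
}

func (s *stubProvider) Verify(accessToken string) (*UserProfile, error) {
	s.calls++
	p, ok := s.active[accessToken]
	if !ok {
		return nil, errors.New("token not active at provider")
	}
	return &p, nil
}
```

Driving this with a fake clock shows the window plainly: after the provider revokes a token, the cached verifier keeps accepting it without a single upstream call until either the TTL elapses or InvalidateUser is called for that user. The TTL is therefore the upper bound on how long a revoked token keeps working in CACAO, so it should be kept short relative to the provider's token lifetime, and the invalidation routine belongs on every logout and account-disable path.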
type UserProfile
type UserProfile struct {
	Username   string
	FirstName  string
	LastName   string
	Email      string
	Attributes map[string]interface{}
}
UserProfile contains information about an authorized user.
type UserProfileExtractor
type UserProfileExtractor interface {
	ExtractUserProfile(accessToken string, claims map[string]interface{}) (*UserProfile, error)
}
UserProfileExtractor extracts a UserProfile from an OAuth2 access token or claims.
func NewCILogonProfileExtractor
func NewCILogonProfileExtractor(requiredIdentityProviderID string) UserProfileExtractor
NewCILogonProfileExtractor ...
func NewGlobusProfileExtractor
func NewGlobusProfileExtractor(requiredIdentityProvider string) UserProfileExtractor
NewGlobusProfileExtractor ...
type UserResolver
type UserResolver interface {
	// GetOrCreateUser returns information about an authenticated user. If the user does not exist and automatic user
	// creation is enabled, a new user will be created and returned. Only the username is used for lookup. The rest of
	// the parameters are only used when a user is being created automatically.
	GetOrCreateUser(username, email, firstname, lastname string, isAdmin bool) (*service.UserModel, error)
}
UserResolver can be used to get information about an authenticated user.