midgardclient

package

v1.72.0 Latest Latest Go to latest Published: Jul 5, 2021 License: Apache-2.0 Imports: 25 Imported by: 5

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/PaloAltoNetworks/midgard-lib

Links

Open Source Insights

Documentation ¶

Overview ¶

Package midgardclient contains a client that can be used to retrieve an Aporeto JWT from various authentication sources.

Index ¶

func CredsToTLSConfig(creds *gaia.Credential) (tlsConfig *tls.Config, err error)
func ExtractJWTFromHeader(header http.Header) (string, error)
func NormalizeAuth(c *types.MidgardClaims) (claims []string)
func ParseCredentials(data []byte) (creds *gaia.Credential, tlsConfig *tls.Config, err error)
func UnsecureClaimsFromToken(token string) ([]string, error)
func VerifyToken(tokenString string, cert *x509.Certificate) (*types.MidgardClaims, error)
func VerifyTokenSignature(tokenString string, cert *x509.Certificate) ([]string, error)deprecated
type Client
- func NewClient(url string) *Client
- func NewClientWithTLS(url string, tlsConfig *tls.Config) *Client
type Option
type TokenManager
- func NewMidgardTokenManager(url string, validity time.Duration, tlsConfig *tls.Config) *TokenManagerdeprecated
- func (m *TokenManager) Issue(ctx context.Context) (token string, err error)
- func (m *TokenManager) Run(ctx context.Context, tokenCh chan string)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func CredsToTLSConfig ¶

func CredsToTLSConfig(creds *gaia.Credential) (tlsConfig *tls.Config, err error)

CredsToTLSConfig converts Crendential to *tlsConfig

func ExtractJWTFromHeader ¶

func ExtractJWTFromHeader(header http.Header) (string, error)

ExtractJWTFromHeader extracts the JWT from the given http.Header.

func NormalizeAuth ¶ added in v1.59.0

func NormalizeAuth(c *types.MidgardClaims) (claims []string)

NormalizeAuth normalizes the response to a simple structure.

func ParseCredentials ¶

func ParseCredentials(data []byte) (creds *gaia.Credential, tlsConfig *tls.Config, err error)

ParseCredentials parses the credential data.

func UnsecureClaimsFromToken ¶

func UnsecureClaimsFromToken(token string) ([]string, error)

UnsecureClaimsFromToken gets a token and returns the Aporeto claims contained inside. It is Unsecure in the sense that It doesn't verify the token signature, so the token must be first verified in order to use this function securely.

func VerifyToken ¶ added in v1.69.1

func VerifyToken(tokenString string, cert *x509.Certificate) (*types.MidgardClaims, error)

VerifyToken verifies the jwt locally using the given certificate.

func VerifyTokenSignature deprecated

func VerifyTokenSignature(tokenString string, cert *x509.Certificate) ([]string, error)

VerifyTokenSignature verifies the jwt locally using the given certificate.

Deprecated: VerifyTokenSignature is deprecated in favor of VerifyToken()

Types ¶

type Client ¶

type Client struct {
	TrackingType string
	// contains filtered or unexported fields
}

A Client allows to interract with a midgard server.

func NewClient ¶

func NewClient(url string) *Client

NewClient returns a new Client.

func NewClientWithTLS ¶

func NewClientWithTLS(url string, tlsConfig *tls.Config) *Client

NewClientWithTLS returns a new Client configured with the given x509.CAPool.

func (*Client) Authentify ¶

func (a *Client) Authentify(ctx context.Context, token string) ([]string, error)

Authentify authentifies the information included in the given token and returns a list of tag string containing the claims.

func (*Client) IssueFromAWSSecurityToken ¶

func (a *Client) IssueFromAWSSecurityToken(ctx context.Context, accessKeyID, secretAccessKey, token string, validity time.Duration, options ...Option) (string, error)

IssueFromAWSSecurityToken issues a Midgard jwt from a security token from amazon. If you don't pass anything, this function will try to retrieve the token using aws magic ip.

func (*Client) IssueFromAporetoIdentityToken ¶ added in v1.69.2

func (a *Client) IssueFromAporetoIdentityToken(ctx context.Context, token string, validity time.Duration, options ...Option) (string, error)

IssueFromAporetoIdentityToken issues a Midgard jwt from an existing one. This new token validity will be capped to the original expiration time and identity claims will be identical. This can be used to issued a token with restrictions without needing the original source of authentication.

func (*Client) IssueFromAzureIdentityToken ¶

func (a *Client) IssueFromAzureIdentityToken(ctx context.Context, token string, validity time.Duration, options ...Option) (string, error)

IssueFromAzureIdentityToken issues a Midgard jwt from a signed Azure identity document for the given validity duration.

func (*Client) IssueFromCertificate ¶

func (a *Client) IssueFromCertificate(ctx context.Context, validity time.Duration, options ...Option) (string, error)

IssueFromCertificate issues a Midgard jwt from a certificate for the given validity duration.

func (*Client) IssueFromGCPIdentityToken ¶

func (a *Client) IssueFromGCPIdentityToken(ctx context.Context, token string, validity time.Duration, options ...Option) (string, error)

IssueFromGCPIdentityToken issues a Midgard jwt from a signed GCP identity document for the given validity duration.

func (*Client) IssueFromGoogle ¶

func (a *Client) IssueFromGoogle(ctx context.Context, googleJWT string, validity time.Duration, options ...Option) (string, error)

IssueFromGoogle issues a Midgard jwt from a Google JWT for the given validity duration.

func (*Client) IssueFromLDAP ¶

func (a *Client) IssueFromLDAP(ctx context.Context, info *ldaputils.LDAPInfo, namespace string, provider string, validity time.Duration, options ...Option) (string, error)

IssueFromLDAP issues a Midgard JWT from an LDAP config for the given validity duration.

func (*Client) IssueFromOIDCStep1 ¶

func (a *Client) IssueFromOIDCStep1(ctx context.Context, namespace string, provider string, redirectURL string) (string, error)

IssueFromOIDCStep1 issues a Midgard jwt from a OICD provider. This is performing the first step to validate the issue requests and OIDC provider. It will return the OIDC auth endpoint

func (*Client) IssueFromOIDCStep2 ¶

func (a *Client) IssueFromOIDCStep2(ctx context.Context, code string, state string, validity time.Duration, options ...Option) (string, error)

IssueFromOIDCStep2 issues a Midgard jwt from a OICD provider. This is performing the second step to to exchange the code for a Midgard HWT.

func (*Client) IssueFromPCIdentityToken ¶ added in v1.69.2

func (a *Client) IssueFromPCIdentityToken(ctx context.Context, token string, validity time.Duration, options ...Option) (string, error)

IssueFromPCIdentityToken issues a Midgard jwt from a PCC token.

func (*Client) IssueFromSAMLStep1 ¶ added in v1.51.0

func (a *Client) IssueFromSAMLStep1(ctx context.Context, namespace string, provider string, redirectURL string) (string, error)

IssueFromSAMLStep1 issues a Midgard jwt from a SAML provider. This is performing the first step to validate the issue requests and OIDC provider. It will return the OIDC auth endpoint

func (*Client) IssueFromSAMLStep2 ¶ added in v1.51.0

func (a *Client) IssueFromSAMLStep2(ctx context.Context, response string, state string, validity time.Duration, options ...Option) (string, error)

IssueFromSAMLStep2 issues a Midgard jwt from a SAML provider. This is performing the second step to to exchange the code for a Midgard HWT.

func (*Client) IssueFromVince ¶

func (a *Client) IssueFromVince(ctx context.Context, account string, password string, otp string, validity time.Duration, options ...Option) (string, error)

IssueFromVince issues a Midgard jwt from a Vince for the given one time password and validity duration.

type Option ¶

type Option func(*issueOpts)

An Option is the type of various options You can add the issue requests.

func OptAudience ¶

func OptAudience(audience string) Option

OptAudience passes the requested audience for the token. Using OptAudience is deprecated. Switch to OptLimitAuthz. (TODO: Find real mapping as OptLimitAuthz does not exist)

func OptOpaque ¶

func OptOpaque(opaque map[string]string) Option

OptOpaque passes opaque data that will be included in the JWT.

func OptQuota ¶

func OptQuota(quota int) Option

OptQuota sets the maximum time the issued token can be used.

func OptRestrictNamespace ¶ added in v1.69.2

func OptRestrictNamespace(namespace string) Option

OptRestrictNamespace asks for a restricted token on the given namespace.

func OptRestrictNetworks ¶ added in v1.69.2

func OptRestrictNetworks(networks []string) Option

OptRestrictNetworks asks for a restricted token on the given networks.

func OptRestrictPermissions ¶ added in v1.69.2

func OptRestrictPermissions(permissions []string) Option

OptRestrictPermissions asks for a restricted token on the given permissions.

type TokenManager ¶

type TokenManager struct {
	// contains filtered or unexported fields
}

A TokenManager issues an renew tokens periodically.

func NewMidgardTokenManager deprecated

func NewMidgardTokenManager(url string, validity time.Duration, tlsConfig *tls.Config) *TokenManager

NewMidgardTokenManager returns a new TokenManager backed by midgard.

Deprecated: NewMidgardTokenManager() is deprecated in favor or go.aporeto.io/midgardlib/tokenmanager.NewX509TokenManager().

func (*TokenManager) Issue ¶

func (m *TokenManager) Issue(ctx context.Context) (token string, err error)

Issue issues a token.

func (*TokenManager) Run ¶

func (m *TokenManager) Run(ctx context.Context, tokenCh chan string)

Run runs the token renewal job.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL