apiserver: k8s.io/apiserver/pkg/authentication/request/x509

package x509

import "k8s.io/apiserver/pkg/authentication/request/x509"

Package x509 provides a request authenticator that validates and extracts user information from client certificates

Index

Package Files

doc.go verify_options.go x509.go

Variables

var CommonNameUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (*authenticator.Response, bool, error) {
    if len(chain[0].Subject.CommonName) == 0 {
        return nil, false, nil
    }
    return &authenticator.Response{
        User: &user.DefaultInfo{
            Name:   chain[0].Subject.CommonName,
            Groups: chain[0].Subject.Organization,
        },
    }, true, nil
})

CommonNameUserConversion builds user info from a certificate chain using the subject's CommonName

func DefaultVerifyOptions

func DefaultVerifyOptions() x509.VerifyOptions

DefaultVerifyOptions returns VerifyOptions that use the system root certificates and the current time, and that require certificates to be valid for client auth (x509.ExtKeyUsageClientAuth)

func NewDynamicCAVerifier

func NewDynamicCAVerifier(verifyOptionsFn VerifyOptionFunc, auth authenticator.Request, allowedCommonNames StringSliceProvider) authenticator.Request

NewDynamicCAVerifier creates a request.Authenticator by verifying a client cert on the request, then delegating to the wrapped auth. TODO: make the allowedCommonNames dynamic

func NewVerifier

func NewVerifier(opts x509.VerifyOptions, auth authenticator.Request, allowedCommonNames sets.String) authenticator.Request

NewVerifier creates a request.Authenticator by verifying a client cert on the request, then delegating to the wrapped auth

type Authenticator

type Authenticator struct {
    // contains filtered or unexported fields
}

Authenticator implements request.Authenticator by extracting user info from verified client certificates

func New

func New(opts x509.VerifyOptions, user UserConversion) *Authenticator

New returns a request.Authenticator that verifies client certificates using the provided VerifyOptions, and converts valid certificate chains into user.Info using the provided UserConversion

func NewDynamic

func NewDynamic(verifyOptionsFn VerifyOptionFunc, user UserConversion) *Authenticator

NewDynamic returns a request.Authenticator that verifies client certificates using the provided VerifyOptionFunc (which may be dynamic), and converts valid certificate chains into user.Info using the provided UserConversion

func (*Authenticator) AuthenticateRequest

func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error)

AuthenticateRequest authenticates the request using presented client certificates

type StaticStringSlice

type StaticStringSlice []string

StaticStringSlice is a StringSliceProvider that returns a fixed value

func (StaticStringSlice) Value

func (s StaticStringSlice) Value() []string

Value returns the current string slice. Callers should never mutate the returned value.

type StringSliceProvider

type StringSliceProvider interface {
    // Value returns the current string slice.  Callers should never mutate the returned value.
    Value() []string
}

StringSliceProvider is a way to get a string slice value. It is heavily used for authentication headers among other places.

type StringSliceProviderFunc

type StringSliceProviderFunc func() []string

StringSliceProviderFunc is a function that matches the StringSliceProvider interface

func (StringSliceProviderFunc) Value

func (d StringSliceProviderFunc) Value() []string

Value returns the current string slice. Callers should never mutate the returned value.

type UserConversion

type UserConversion interface {
    User(chain []*x509.Certificate) (*authenticator.Response, bool, error)
}

UserConversion defines an interface for extracting user info from a client certificate chain

type UserConversionFunc

type UserConversionFunc func(chain []*x509.Certificate) (*authenticator.Response, bool, error)

UserConversionFunc is a function that implements the UserConversion interface.

func (UserConversionFunc) User

func (f UserConversionFunc) User(chain []*x509.Certificate) (*authenticator.Response, bool, error)

User implements x509.UserConversion

type Verifier

type Verifier struct {
    // contains filtered or unexported fields
}

Verifier implements request.Authenticator by verifying a client cert on the request, then delegating to the wrapped auth

func (*Verifier) AuthenticateRequest

func (a *Verifier) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error)

AuthenticateRequest verifies the presented client certificate, then delegates to the wrapped auth

type VerifyOptionFunc

type VerifyOptionFunc func() (x509.VerifyOptions, bool)

VerifyOptionFunc is a function which provides a shallow copy of the VerifyOptions to the authenticator. This allows for cases where the options (particularly the CAs) can change. If the bool is false, then the returned VerifyOptions are ignored and the authenticator will express "no opinion". This gives a clear signal for cases where a CertPool is eventually expected, but not currently present.
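The following Go program is an added, stand-alone illustration of the contract described above; it is not code from this package or from Kubernetes, and it uses only the standard library. It reproduces a VerifyOptionFunc with the same (x509.VerifyOptions, bool) shape, a commonNameUser conversion equivalent to CommonNameUserConversion, options shaped like DefaultVerifyOptions (client-auth extended key usage required), and an Authenticate step mirroring Authenticator.AuthenticateRequest: a failed verification is an error, while a missing client certificate, a CN-less leaf, or a VerifyOptionFunc reporting false all yield "no opinion". UserInfo, ClientAuthOptions, NewDemoCA, IssueLeaf and mint are hypothetical names introduced here; the CA and client certificates are constructed in memory as demo material. The example verifies the presented leaf directly against the root pool (the real authenticator additionally feeds any further presented certificates in as intermediates).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// UserInfo stands in for k8s user.Info (hypothetical, stdlib-only type).
type UserInfo struct {
	Name   string
	Groups []string
}

// VerifyOptionFunc mirrors the package type: false means no usable options yet, so "no opinion".
type VerifyOptionFunc func() (x509.VerifyOptions, bool)

// ClientAuthOptions mirrors DefaultVerifyOptions with a CA pool filled in: ClientAuth EKU required.
func ClientAuthOptions(roots *x509.CertPool) VerifyOptionFunc {
	return func() (x509.VerifyOptions, bool) {
		return x509.VerifyOptions{Roots: roots, CurrentTime: time.Now(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, true
	}
}

// commonNameUser mirrors CommonNameUserConversion: leaf CN is the user, Organization values are the groups.
func commonNameUser(chain []*x509.Certificate) (*UserInfo, bool) {
	if len(chain) == 0 || chain[0].Subject.CommonName == "" {
		return nil, false // no CN: no opinion, not an error
	}
	return &UserInfo{Name: chain[0].Subject.CommonName, Groups: chain[0].Subject.Organization}, true
}

// Authenticate mirrors Authenticator.AuthenticateRequest for the certs a TLS peer presented (leaf first).
func Authenticate(optsFn VerifyOptionFunc, presented []*x509.Certificate) (*UserInfo, bool, error) {
	if len(presented) == 0 {
		return nil, false, nil // no client certificate: no opinion
	}
	opts, ok := optsFn()
	if !ok {
		return nil, false, nil // CertPool expected eventually, not present now: no opinion
	}
	chains, err := presented[0].Verify(opts)
	if err != nil {
		return nil, false, fmt.Errorf("verifying certificate %s failed: %w", presented[0].Subject, err)
	}
	user, ok := commonNameUser(chains[0])
	return user, ok, nil
}

// mint issues a one-hour ECDSA cert from tmpl, signed by parent (self-signed when parent is nil). Demo material only.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewDemoCA mints a throwaway self-signed CA (constructed, not a real cluster CA).
func NewDemoCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// IssueLeaf mints a certificate for cn/orgs with the given extended key usages.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, orgs []string, eku ...x509.ExtKeyUsage) (*x509.Certificate, error) {
	c, _, err := mint(&x509.Certificate{Subject: pkix.Name{CommonName: cn, Organization: orgs}, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}, ca, caKey)
	return c, err
}

func main() {
	ca, caKey, err := NewDemoCA("demo-cluster-ca")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	alice, err := IssueLeaf(ca, caKey, "alice", []string{"dev", "oncall"}, x509.ExtKeyUsageClientAuth)
	if err != nil {
		panic(err)
	}
	fmt.Println(Authenticate(ClientAuthOptions(roots), []*x509.Certificate{alice}))
}
```

Run as-is, the program authenticates one constructed client certificate as user alice in groups dev and oncall. The same helpers exercise the edge cases the descriptions above call out: a leaf issued by an unrelated CA, or one carrying only the ServerAuth extended key usage, fails Verify and comes back as an error, whereas a leaf whose subject has no CommonName, a request with no client certificate, or a VerifyOptionFunc that reports false all return (nil, false, nil), the "no opinion" result that leaves the decision to whatever other authenticators are configured.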

func NewStaticVerifierFromFile

func NewStaticVerifierFromFile(clientCA string) (VerifyOptionFunc, error)

NewStaticVerifierFromFile creates a new verification func from a file. It reads the content once, up front, and fails immediately if the certificates cannot be loaded. It will return a nil function if you pass an empty CA file path.

func StaticVerifierFn

func StaticVerifierFn(opts x509.VerifyOptions) VerifyOptionFunc

StaticVerifierFn returns a VerifyOptionFunc that always returns the same value. This allows for verify options that cannot change.

Package x509 imports 12 packages and is imported by 103 packages. Updated 2019-12-08.