service

package

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func BadToken

func BadToken(claims *CommonClaims, flaw TokenFlaw, keyPath string) (token *jwt.Token, signedString string, err error)

BadToken creates invalid tokens for testing. To avoid exposing token spoofing capabilities, a limited number of bad token types will be supported.

func BuildMTLSConfig

func BuildMTLSConfig() (*tls.Config, error)

func ChooseSigningKey

func ChooseSigningKey(signingKeyPath, signingKey string) (*rsa.PrivateKey, error)

ChooseSigningKey will choose which signing key to use, either a file or an inline key. One or the other must be set, but not both.

func ConnectionClose

func ConnectionClose(next http.Handler) http.Handler

ConnectionClose provides a convenience handler for closing the http connection

func GetFirstPartyCaveat

func GetFirstPartyCaveat(um macaroon.Macaroon, caveatName string) (string, error)

GetFirstPartyCaveat extracts a first-party caveat by name from the macaroon.

func GetLogEntry

func GetLogEntry(r *http.Request) logrus.FieldLogger

func GetPrivateKey

func GetPrivateKey(keyPath string) (*rsa.PrivateKey, error)

GetPrivateKey reads the private key from the file system. Given that the server is completely unable to fulfill its purpose without a signing key, a server should be considered invalid if this function returns an error.

func JSONError

func JSONError(w http.ResponseWriter, errorStatus int, statusText string, statusDescription string)

JSONError follows the RFC 7591 format for input errors.

func LogEntrySetField

func LogEntrySetField(r *http.Request, key string, value interface{})

func LogEntrySetFields

func LogEntrySetFields(r *http.Request, fields map[string]interface{})

func NYI

func NYI(w http.ResponseWriter, r *http.Request)

NYI provides a convenience handler for endpoints that are not yet implemented

func NewAPILogger

func NewAPILogger() func(next http.Handler) http.Handler

func Redact

func Redact(uri string) string

func StartBlacklist

func StartBlacklist()

StartBlacklist should only be called by main.

func WriteHTTPSError

func WriteHTTPSError(w http.ResponseWriter, e ssas.ErrorResponse, errorStatus int)

Types

type APILogger

// APILogger adapts a logrus.FieldLogger to the chi middleware logging
// interface: its NewLogEntry method produces the per-request
// middleware.LogEntry (see APILoggerEntry).
type APILogger struct {
	// Logger is the underlying logger every request entry is derived from.
	Logger logrus.FieldLogger
}

func (*APILogger) NewLogEntry

func (l *APILogger) NewLogEntry(r *http.Request) middleware.LogEntry

type APILoggerEntry

// APILoggerEntry is the per-request middleware.LogEntry created by
// APILogger.NewLogEntry. Write receives the response status, byte count,
// headers and elapsed time once the request completes; Panic receives the
// recovered panic value and its stack.
type APILoggerEntry struct {
	// Logger is the request-scoped logger that Write and Panic emit to.
	Logger logrus.FieldLogger
}

func (*APILoggerEntry) Panic

func (l *APILoggerEntry) Panic(v interface{}, stack []byte)

func (*APILoggerEntry) Write

func (l *APILoggerEntry) Write(status int, bytes int, header http.Header, elapsed time.Duration, extra interface{})

type Blacklist

// Blacklist is an in-memory cache of token IDs that have been invalidated via
// BlacklistToken, guarded by the embedded RWMutex. IsTokenBlacklisted consults
// only this local cache, so an entry added on another instance is not visible
// here until LoadFromDatabase refreshes it; callers relying on prompt revocation
// across instances need to account for that window.
//
// Because of the embedded mutex a Blacklist must not be copied after first use;
// all of its methods take a *Blacklist.
type Blacklist struct {
	sync.RWMutex

	// ID presumably identifies this blacklist instance (e.g. in logs) — confirm against the constructor.
	ID string
	// contains filtered or unexported fields
}
var (
	// TokenBlacklist is the process-wide Blacklist. StartBlacklist, which is
	// documented as callable only from main, is presumably what initializes it;
	// until then it is nil and must not be dereferenced — confirm.
	TokenBlacklist *Blacklist

	// TokenCacheLifetime is a package-level duration; its exact role relative to
	// NewBlacklist's cacheTimeout parameter is not visible here — verify before use.
	TokenCacheLifetime time.Duration
)

func NewBlacklist

func NewBlacklist(ctx context.Context, cacheTimeout time.Duration, cleanupInterval time.Duration) *Blacklist

NewBlacklist allows for easy Blacklist{} creation and manipulation during testing; outside a test suite, it should not be called.

func (*Blacklist) BlacklistToken

func (t *Blacklist) BlacklistToken(ctx context.Context, tokenID string, blacklistExpiration time.Duration) error

BlacklistToken invalidates the specified tokenID

func (*Blacklist) IsTokenBlacklisted

func (t *Blacklist) IsTokenBlacklisted(tokenID string) bool

IsTokenBlacklisted tests whether this tokenID is in the blacklist cache.

  • Tokens should expire before blacklist entries, so a tokenID for a recently expired token may return "true".
  • This queries the cache only, so if a tokenID has been blacklisted on a different instance, it will return "false" until the cached blacklist is refreshed from the database.

func (*Blacklist) LoadFromDatabase

func (t *Blacklist) LoadFromDatabase() error

LoadFromDatabase refreshes unexpired blacklist entries from the database

type CommonClaims

// CommonClaims contains the superset of claims that may be found in the token.
// Only the claims relevant to a given TokenType are expected to be populated;
// CheckRequiredClaims is the method that enforces which ones are mandatory.
type CommonClaims struct {
	// StandardClaims supplies the registered JWT claims (issuer, expiry, etc.).
	// NOTE(review): assumed to be the jwt package's StandardClaims type, which
	// newer versions of that library mark deprecated — confirm which version is imported.
	jwt.StandardClaims
	// TokenType is one of AccessToken, MFAToken, ClientAssertion, or RegistrationToken.
	TokenType string `json:"use,omitempty"`
	// In an MFA token, presence of an OktaID is taken as proof of username/password authentication.
	OktaID   string `json:"oid,omitempty"`
	ClientID string `json:"cid,omitempty"`
	SystemID string `json:"sys,omitempty"`
	// In a registration token, GroupIDs contains a list of all groups this user is authorized to manage.
	GroupIDs []string `json:"gid,omitempty"`
	Data     string   `json:"dat,omitempty"`
	Scopes   []string `json:"scp,omitempty"`
	// Deprecated: ACOID is retained for compatibility only — confirm no caller still sets it.
	ACOID string `json:"aco,omitempty"`
	// Deprecated: UUID is retained for compatibility only — confirm no caller still sets it.
	UUID        string `json:"id,omitempty"`
	SystemXData string `json:"system_data,omitempty"`
}

CommonClaims contains the superset of claims that may be found in the token

type Server

// Server configures and provisions an SSAS server. Instances are created with
// NewServer (which takes the signing key, TTL and routing configuration),
// started with Serve and shut down with Stop; token minting and verification
// are exposed as methods on the same value.
type Server struct {
	// contains filtered or unexported fields
}

Server configures and provisions an SSAS server

func NewServer

func NewServer(name, port, version string, info interface{}, routes *chi.Mux, notSecure bool, useMTLS bool, signingKey *rsa.PrivateKey, ttl time.Duration, clientAssertAud string) *Server

NewServer correctly initializes an instance of the Server type.

func (*Server) CheckRequiredClaims

func (s *Server) CheckRequiredClaims(claims *CommonClaims, requiredTokenType string) error

func (*Server) GetClientAssertionAudience

func (s *Server) GetClientAssertionAudience() string

func (*Server) GetSystemIDFromMacaroon

func (s *Server) GetSystemIDFromMacaroon(issuer string) (string, error)

GetSystemIDFromMacaroon verifies the macaroon and returns the system ID it contains.

func (*Server) ListRoutes

func (s *Server) ListRoutes() ([]string, error)

func (*Server) LogRoutes

func (s *Server) LogRoutes()

LogRoutes reports the routes supported by this server to the active log. Code is based on an example from https://itnext.io/structuring-a-production-grade-rest-api-in-golang-c0229b3feedc

func (*Server) MintToken

func (s *Server) MintToken(claims *CommonClaims) (*jwt.Token, string, error)

MintToken generates a token string that expires after tokenTTL.

func (*Server) MintTokenWithDuration

func (s *Server) MintTokenWithDuration(claims *CommonClaims, duration time.Duration) (*jwt.Token, string, error)

MintTokenWithDuration generates a token string that expires a specific duration from now. If duration is <= 0, the token is already expired upon creation.

func (*Server) Serve

func (s *Server) Serve()

Serve starts the server listening for and responding to requests.

func (*Server) Stop

func (s *Server) Stop()

Stop stops the server listening for and responding to requests.

func (*Server) VerifyClientSignedToken

func (s *Server) VerifyClientSignedToken(ctx context.Context, tokenString string, trackingId string) (*jwt.Token, error)

func (*Server) VerifyToken

func (s *Server) VerifyToken(tokenString string) (*jwt.Token, error)

type TokenFlaw

// TokenFlaw selects which deliberate defect BadToken builds into a test token.
// The set is intentionally small so that the test helper does not double as a
// general token-forging facility.
type TokenFlaw int

// The flaw values are spelled out explicitly (rather than via iota) so their
// numeric identity is obvious to anyone reading logs or test fixtures; they
// match the original ordering exactly.
const (
	// Postdated is presumably a token whose validity begins in the future — confirm against BadToken.
	Postdated TokenFlaw = 0
	// Expired is presumably a token whose expiry has already passed — confirm against BadToken.
	Expired TokenFlaw = 1
	// ExtremelyExpired is presumably a token expired far in the past — confirm against BadToken.
	ExtremelyExpired TokenFlaw = 2
	// BadSigner cannot be produced by BadToken itself, since the signing key is
	// a parameter to BadToken(); this flaw must be introduced elsewhere.
	BadSigner TokenFlaw = 3
	// BadIssuer is presumably a token with an unexpected issuer claim — confirm against BadToken.
	BadIssuer TokenFlaw = 4
	// MissingID is presumably a token lacking its ID claim — confirm against BadToken.
	MissingID TokenFlaw = 5
)

Directories

Path Synopsis
Package main System-to-System Authentication Service
Package main System-to-System Authentication Service
Package public (ssas/service/api/public) contains API functions, middleware, and a router designed to:
Package public (ssas/service/api/public) contains API functions, middleware, and a router designed to:
