gcp

package v1.3.5
Published: Dec 20, 2019 License: Apache-2.0 Imports: 25 Imported by: 1

This package is not in the latest version of its module.

Documentation

Index

Constants

This section is empty.

Variables

var Issuers = map[string]bool{
	"accounts.google.com":         true,
	"https://accounts.google.com": true,
}

Issuers contains the known Google account issuers for identity tokens.

Functions

func GetDefaultEmail

func GetDefaultEmail(ctx context.Context, addr string, hc *http.Client) (string, error)

GetDefaultEmail is a helper method for users on GCE or the 2nd generation GAE environment.

func IAMClaimsDecoderFunc

func IAMClaimsDecoderFunc(_ context.Context, b []byte) (auth.ClaimSetter, error)

IAMClaimsDecoderFunc is an auth.ClaimsDecoderFunc for GCP identity tokens.

func IAMVerifyFunc

func IAMVerifyFunc(vf func(ctx context.Context, cs IAMClaimSet) bool) auth.VerifyFunc

IAMVerifyFunc is an auth.VerifyFunc wrapper around the IAMClaimSet.

func IdentityClaimsDecoderFunc

func IdentityClaimsDecoderFunc(_ context.Context, b []byte) (auth.ClaimSetter, error)

IdentityClaimsDecoderFunc is an auth.ClaimsDecoderFunc for GCP identity tokens.

func IdentityVerifyFunc

func IdentityVerifyFunc(vf func(ctx context.Context, cs IdentityClaimSet) bool) auth.VerifyFunc

IdentityVerifyFunc is an auth.VerifyFunc wrapper around the IdentityClaimSet.

func NewDefaultIAMVerifier

func NewDefaultIAMVerifier(ctx context.Context, cfg IAMConfig, clientFunc func(context.Context) *http.Client) (*auth.Verifier, error)

NewDefaultIAMVerifier will verify tokens that have the same default service account as the server running this verifier.

func NewDefaultIdentityVerifier added in v0.3.2

func NewDefaultIdentityVerifier(ctx context.Context, cfg IdentityConfig) (*auth.Verifier, error)

NewDefaultIdentityVerifier will verify tokens that have the same default service account as the server running this verifier.

func NewIAMPublicKeySource

func NewIAMPublicKeySource(ctx context.Context, cfg IAMConfig, clientFunc func(context.Context) *http.Client) (auth.PublicKeySource, error)

NewIAMPublicKeySource returns a PublicKeySource that uses the Google IAM service for fetching public keys of a given service account. The function for returning an HTTP client is to allow 1st generation App Engine users to lean on urlfetch.

func NewIAMTokenSource

func NewIAMTokenSource(ctx context.Context, cfg IAMConfig) (oauth2.TokenSource, error)

NewIAMTokenSource returns an oauth2.TokenSource that uses Google's IAM services to sign a JWT with the default service account and the given audience. Users should use the Identity token source if they can. This client is meant to be used as a bridge for users as they transition from the 1st generation App Engine runtime to the 2nd generation. This implementation can be used in the 2nd gen runtime as it can reuse an http.Client.

func NewIdentityPublicKeySource

func NewIdentityPublicKeySource(ctx context.Context, cfg IdentityConfig) (auth.PublicKeySource, error)

NewIdentityPublicKeySource fetches Google's public oauth2 certificates to be used with the auth.Verifier tool.

func NewIdentityTokenSource

func NewIdentityTokenSource(cfg IdentityConfig) (oauth2.TokenSource, error)

NewIdentityTokenSource will use the GCP metadata services to generate GCP Identity tokens. More information on asserting GCP identities can be found here: https://cloud.google.com/compute/docs/instances/verifying-instance-identity

func ValidIAMClaims

func ValidIAMClaims(cs IAMClaimSet, audience string) bool

ValidIAMClaims ensures the token audience and issuers match expectations.

func ValidIdentityClaims

func ValidIdentityClaims(cs IdentityClaimSet, audience string) bool

ValidIdentityClaims ensures the token audience and issuers match expectations.

func VerifyIAMEmails

func VerifyIAMEmails(ctx context.Context, emails []string, audience string) auth.VerifyFunc

VerifyIAMEmails is an auth.VerifyFunc that ensures IAMClaimSets are valid and have the expected email and audience in their payload.

func VerifyIdentityEmails

func VerifyIdentityEmails(ctx context.Context, emails []string, audience string) auth.VerifyFunc

VerifyIdentityEmails is an auth.VerifyFunc that ensures IdentityClaimSets are valid and have the expected email and audience in their payload.
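The checks that ValidIdentityClaims and VerifyIdentityEmails are documented to perform (known Google issuer from the Issuers map, exact audience, allowed email), re-created here as a stand-alone, standard-library-only example. This is not the package's own code: IdentityClaimSet is a cut-down stand-in for the real type (which embeds jws.ClaimSet), the audience and service-account email are made-up values, and CheckPayload is an added helper that assumes auth.Verifier has already validated the JWS signature before the payload bytes reach a ClaimsDecoderFunc.

```go
package main
import (
	"encoding/json"
	"fmt"
)

var Issuers = map[string]bool{
	"accounts.google.com":         true,
	"https://accounts.google.com": true,
}

// IdentityClaimSet stands in for the package's type (which embeds jws.ClaimSet); only the claims the checks read are kept.
type IdentityClaimSet struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
}

// ValidIdentityClaims re-creates the documented check: known Google issuer and the audience this service expects.
func ValidIdentityClaims(cs IdentityClaimSet, audience string) bool {
	return Issuers[cs.Iss] && cs.Aud == audience
}

// VerifyIdentityEmails re-creates the documented verify func: valid claims plus an exact allowed-email match.
func VerifyIdentityEmails(emails []string, audience string) func(IdentityClaimSet) bool {
	allowed := make(map[string]bool, len(emails))
	for _, e := range emails {
		allowed[e] = true
	}
	return func(cs IdentityClaimSet) bool {
		return ValidIdentityClaims(cs, audience) && allowed[cs.Email]
	}
}

// CheckPayload decodes JWS payload bytes (what an auth.ClaimsDecoderFunc receives
// after auth.Verifier has checked the signature) and applies the verify func.
func CheckPayload(payload []byte, emails []string, audience string) (bool, error) {
	var cs IdentityClaimSet
	if err := json.Unmarshal(payload, &cs); err != nil {
		return false, err
	}
	return VerifyIdentityEmails(emails, audience)(cs), nil
}

func main() {
	// Constructed payload, not a real token; audience and email are made-up values.
	good := []byte(`{"iss":"accounts.google.com","aud":"https://api.example.com","email":"svc@project.iam.gserviceaccount.com"}`)
	ok, err := CheckPayload(good, []string{"svc@project.iam.gserviceaccount.com"}, "https://api.example.com")
	fmt.Println(ok, err) // true <nil>
}
```

The same payload presented to a service expecting a different audience, or carrying an email outside the allowlist, is rejected, which is what stops one service's token from being replayed against another.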

Types

type Authenticator added in v1.3.0

type Authenticator struct {
	// contains filtered or unexported fields
}

Authenticator leans on Google's OAuth user flow to capture a Google Identity JWS and use it in a local, short-lived HTTP cookie. The `Middleware` function manages login redirects, OAuth callbacks, dropping the HTTP cookie and adding the JWS claims information to the request context. User information and the JWS token can be retrieved from the context via the GetInfo function. The Authenticator can also be used for checking service-to-service authentication via an Authorization header containing a Google Identity JWS, which can be generated using this package's IdentityTokenSource. The user state in the web login flow is encrypted using Google KMS. Ensure the service account being used has permissions to encrypt and decrypt.

func NewAuthenticator added in v1.3.0

func NewAuthenticator(ctx context.Context, cfg AuthenticatorConfig) (Authenticator, error)

NewAuthenticator will instantiate a new Authenticator, which can be used for verifying a number of authentication styles within the Google Cloud Platform ecosystem.

func (Authenticator) LogOut added in v1.3.0

func (c Authenticator) LogOut(w http.ResponseWriter)

LogOut can be used to clear an existing session. It will add an HTTP cookie with a -1 "MaxAge" to the response to remove the cookie from the logged-in user's browser.

func (Authenticator) Middleware added in v1.3.0

func (c Authenticator) Middleware(h http.Handler) http.Handler

Middleware will handle login redirects, OAuth callbacks, header exceptions, custom exceptions, and verifying inbound Google ID or IAM JWSs within HTTP cookies or Authorization headers; if the user passes all checks, it will add the user claims to the inbound request context.

type AuthenticatorConfig added in v1.3.0

type AuthenticatorConfig struct {
	// CookieName will be used for the local HTTP cookie name.
	CookieName string

	// KMSKeyName is used by a Google KMS client for encrypting and decrypting state
	// tokens within the oauth exchange.
	KMSKeyName string
	// UnsafeState can be used to skip the encryption of the "state" token
	// within the auth flow.
	UnsafeState bool

	// AuthConfig is used by Authenticator.Middleware and callback to enable the
	// Google OAuth flow.
	AuthConfig *oauth2.Config

	// HeaderExceptions can optionally be included. Any requests that include any of
	// the headers included will skip all Authenticator.Middleware checks and no
	// claims information will be added to the context.
	// This can be useful for unspoofable headers like Google App Engine's
	// "X-AppEngine-*" headers for Google Task Queues.
	HeaderExceptions []string

	// CustomExceptionsFunc allows any custom exceptions based on the request. For
	// example, looking for specific URIs.  Return true if should be allowed.  If
	// false is returned, normal cookie-based authentication happens.
	CustomExceptionsFunc func(context.Context, *http.Request) bool

	// IDConfig will be used to verify the Google Identity JWS when it is inbound
	// in the HTTP cookie.
	IDConfig IdentityConfig
	// IDVerifyFunc allows developers to add their own verification on the user
	// claims. For example, one could enable access for anyone with an email domain
	// of "@example.com".
	IDVerifyFunc func(context.Context, IdentityClaimSet) bool

	// Logger will be used to log any errors encountered during the auth flow.
	Logger log.Logger
}

AuthenticatorConfig encapsulates the needs of the Authenticator.

type ContextTokenSource

type ContextTokenSource interface {
	ContextToken(context.Context) (*oauth2.Token, error)
}

ContextTokenSource is an oauth2.TokenSource that is capable of running on the 1st generation App Engine environment because it can create a urlfetch.Client from the given context.

func NewContextIAMTokenSource

func NewContextIAMTokenSource(ctx context.Context, cfg IAMConfig) (ContextTokenSource, error)

NewContextIAMTokenSource returns an oauth2.TokenSource that uses Google's IAM services to sign a JWT with the default service account and the given audience. Users should use the Identity token source if they can. This client is meant to be used as a bridge for users as they transition from the 1st generation App Engine runtime to the 2nd generation. This implementation can be used in the 1st gen runtime as it allows users to pass a context.Context while fetching the token. The context allows the implementation to reuse clients while changing out the HTTP client under the hood.

type IAMClaimSet

type IAMClaimSet struct {
	jws.ClaimSet

	// Email address of the default service account
	Email string `json:"email"`
}

IAMClaimSet contains just an email for service account identification.

func (IAMClaimSet) BaseClaims

func (s IAMClaimSet) BaseClaims() *jws.ClaimSet

BaseClaims implements the auth.ClaimSetter interface.

type IAMConfig

type IAMConfig struct {
	IAMAddress string `envconfig:"IAM_ADDR"` // optional, for testing

	Audience            string `envconfig:"IAM_AUDIENCE"`
	Project             string `envconfig:"IAM_PROJECT"`
	ServiceAccountEmail string `envconfig:"IAM_SERVICE_ACCOUNT_EMAIL"`

	// JSON contains the raw bytes from a JSON credentials file.
	// This field may be nil if authentication is provided by the
	// environment and not with a credentials file, e.g. when code is
	// running on Google Cloud Platform.
	JSON []byte
}

IAMConfig contains the information required for generating or verifying IAM JWTs.

type IdentityClaimSet

type IdentityClaimSet struct {
	jws.ClaimSet

	// Email address of the default service account (only exists on GAE 2nd gen?)
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`

	// Google metadata info (appears to only exist on GCE?)
	Google map[string]interface{} `json:"google"`
}

IdentityClaimSet holds all the expected values for the various versions of the GCP identity token. More details: https://cloud.google.com/compute/docs/instances/verifying-instance-identity#payload https://developers.google.com/identity/sign-in/web/backend-auth#calling-the-tokeninfo-endpoint

func GetUserClaims added in v1.3.0

func GetUserClaims(ctx context.Context) (IdentityClaimSet, error)

GetUserClaims will return the Google identity claim set if it exists in the context. This can be used in coordination with the Authenticator.Middleware.

func (IdentityClaimSet) BaseClaims

func (s IdentityClaimSet) BaseClaims() *jws.ClaimSet

BaseClaims implements the auth.ClaimSetter interface.

type IdentityConfig

type IdentityConfig struct {
	Audience string `envconfig:"ID_AUDIENCE"`

	CertURL string `envconfig:"ID_CERT_URL"` // optional override for public key source

	Client *http.Client // optional override

	MetadataAddress string `envconfig:"ID_METADATA_ADDR"` // optional override for token and email retrieval
}

IdentityConfig contains the information required for generating or verifying identity JWTs.
