Variables ¶
var (
	// ErrUnknownTokenType is returned when the type of a presented token cannot be
	// identified.
	ErrUnknownTokenType = errors.New("unknown token type")
	// ErrMissingJWK is returned when no JWK for the token can be found in the cache
	// or retrieved; a token whose signing key cannot be obtained is not verifiable
	// and must be rejected.
	ErrMissingJWK = errors.New("missing jwk")
)
var ErrInvalidGoogleCloudAuthentication = errors.New("invalid google cloud authentication")
ErrInvalidGoogleCloudAuthentication is returned as a generic error whenever Authenticate(...) fails. Callers cannot infer the cause of the failure from it; presumably this also means nothing about why a credential was rejected is exposed to the client.
var ErrNoIdentityAwareProxyRoleForUser = errors.New("no iap role found")
ErrNoIdentityAwareProxyRoleForUser is returned when the authenticated identity has no IAM role binding for IAP (see RefreshRoleAndBindingsForIdentityAwareProxy).
Types ¶
type AuthServiceListener ¶
type AuthServiceListener struct {
// contains filtered or unexported fields
}
AuthServiceListener is an HTTP listener that applies an Authenticator to requests on the /auth path.
func NewAuthServiceListener ¶
func NewAuthServiceListener(ctx context.Context, host, xForwardedUrlHeader string, port uint16, auth Authenticator) (*AuthServiceListener, error)
NewAuthServiceListener creates a new HTTP server for the /auth endpoint. Nothing is listening until ListenAndServe or ListenAndServeWithTLS is called. xForwardedUrlHeader names the request header from which the original request URL is taken; the proxy in front of this service must set that header itself and overwrite any client-supplied value, otherwise a client can choose which URL its credentials are evaluated against (assumption from the parameter name — confirm against the handler implementation).
func (*AuthServiceListener) Close ¶
func (a *AuthServiceListener) Close(ctx context.Context) error
Close shuts the listener down. Blocking.
func (*AuthServiceListener) ListenAndServe ¶
func (a *AuthServiceListener) ListenAndServe(_ context.Context) error
ListenAndServe serves incoming requests over plain HTTP. Blocking.
func (*AuthServiceListener) ListenAndServeWithTLS ¶
func (a *AuthServiceListener) ListenAndServeWithTLS(_ context.Context, key, cert []byte) error
func (*AuthServiceListener) Port ¶
func (a *AuthServiceListener) Port() int
Port returns the port of the running listener.
type Authenticator ¶
// Authenticator is the generic interface for authenticating a request.
type Authenticator interface {
	// Authenticate checks credentials for the request at requestUrl and returns a
	// non-nil error when the request must be rejected. credentials is the raw
	// credential string taken from the request (presumably a bearer token — confirm
	// with the listener implementation). Callers must treat any non-nil error as
	// deny; only a nil error means the request is authenticated.
	Authenticate(ctx context.Context, credentials string, requestUrl url.URL) error
}
Authenticator is the generic interface for authenticating a request.
type GoogleCloudTokenAuthenticator ¶
type GoogleCloudTokenAuthenticator struct {
// contains filtered or unexported fields
}
GoogleCloudTokenAuthenticator is the Google Cloud token-based implementation of the Authenticator interface.
func NewGoogleCloudTokenAuthenticator ¶
func NewGoogleCloudTokenAuthenticator(v TokenVerifier[*GoogleTokenClaims], c cache.Cache[string, cache.ExpiryCacheValue[GoogleServiceAccount]], i IdentityAccessManagementReader, g GoogleWorkspaceClientReader, e []url.URL) (*GoogleCloudTokenAuthenticator, error)
NewGoogleCloudTokenAuthenticator returns an implementation of the Authenticator interface. v verifies Google tokens; c is an expiring cache of GoogleServiceAccount values keyed by string (presumably the credential, so a cached entry is reused until it expires — confirm); i reads IAM bindings and g reads Workspace group membership. The role of e ([]url.URL) is not documented here; from its type it appears to be a list of request URLs given special treatment — confirm against the Authenticate implementation before relying on it.
func (*GoogleCloudTokenAuthenticator) Authenticate ¶
func (g *GoogleCloudTokenAuthenticator) Authenticate(ctx context.Context, credentials string, requestUrl url.URL) error
Authenticate verifies that the supplied Google credentials are valid for requestUrl. On failure it returns ErrInvalidGoogleCloudAuthentication and, presumably, ErrNoIdentityAwareProxyRoleForUser when the identity holds no IAP role binding; callers must deny on any non-nil error.
type GoogleServiceAccount ¶
// GoogleServiceAccount identifies a Google Cloud service account by its email address.
type GoogleServiceAccount string
GoogleServiceAccount is a custom string type holding the Google Cloud identifier of a service account (its email address).
type GoogleServiceAccountRoleCollection ¶
// GoogleServiceAccountRoleCollection maps a service account to its policy bindings, grouped by role.
type GoogleServiceAccountRoleCollection map[GoogleServiceAccount]PolicyBindingCollection
GoogleServiceAccountRoleCollection maps a service account id to its policy bindings, grouped by role.
type GoogleTokenClaims ¶
// GoogleTokenClaims extends the registered JWT claims with Google's "email" claim.
type GoogleTokenClaims struct {
	// Email is the token's "email" claim. It is only meaningful once the token's
	// signature has been verified. Note that the struct carries no email_verified
	// claim, so whether Google considers the address verified is not represented here.
	Email string `json:"email"`
	jwt.RegisteredClaims
}
GoogleTokenClaims extends the registered JWT claims with Google's email claim. There is no email_verified field, so the address cannot be confirmed as verified from this struct alone.
type GoogleTokenService ¶
type GoogleTokenService struct {
// contains filtered or unexported fields
}
GoogleTokenService is the backend that manages authn/authz of Google tokens.
func NewGoogleTokenService ¶
func NewGoogleTokenService(ctx context.Context, jwkCache cache.Cache[string, cache.ExpiryCacheValue[keyfunc.Keyfunc]], refreshPublicCertsInterval, leeway time.Duration) (*GoogleTokenService, error)
NewGoogleTokenService creates a new token service for Google tokens. jwkCache holds Google's public signing keys (keyfunc.Keyfunc values with an expiry), re-fetched every refreshPublicCertsInterval. leeway is presumably the clock-skew tolerance applied to time-based claims; keep it small (seconds, not minutes), since it directly extends how long an expired token is still accepted.
func (*GoogleTokenService) Verify ¶
func (t *GoogleTokenService) Verify(ctx context.Context, tokenString, aud string, tokenClaims *GoogleTokenClaims) error
Verify parses the base64url-encoded JWT in tokenString, verifies it (presumably its signature against the cached JWKs and its registered claims, with the configured leeway), checks that its audience matches aud, and decodes the claims into tokenClaims. aud must be the audience this service expects; accepting an empty or mismatched audience would let a token minted for another service be replayed here. Presumably returns ErrUnknownTokenType or ErrMissingJWK when the token's key cannot be identified or fetched.
type GoogleWorkspaceClient ¶
type GoogleWorkspaceClient struct {
// contains filtered or unexported fields
}
GoogleWorkspaceClient is the implementation of the GoogleWorkspaceClientReader interface.
func NewGoogleWorkspaceClient ¶
func NewGoogleWorkspaceClient(ctx context.Context, credentials *google.Credentials) (*GoogleWorkspaceClient, error)
NewGoogleWorkspaceClient creates a new client for Google Workspace, authenticated with credentials.
func (*GoogleWorkspaceClient) ListGoogleServiceAccounts ¶
func (g *GoogleWorkspaceClient) ListGoogleServiceAccounts(ctx context.Context, groupEmail string) ([]GoogleServiceAccount, error)
ListGoogleServiceAccounts returns the Google service accounts that are members of the Google Workspace group groupEmail.
type GoogleWorkspaceClientReader ¶
// GoogleWorkspaceClientReader abstracts the Google Workspace lookups needed by the authenticator.
type GoogleWorkspaceClientReader interface {
	// ListGoogleServiceAccounts returns the service accounts that are members of the
	// Workspace group identified by groupEmail.
	ListGoogleServiceAccounts(ctx context.Context, groupEmail string) ([]GoogleServiceAccount, error)
}
GoogleWorkspaceClientReader abstracts the Google Workspace lookups the authenticator needs, so the client can be substituted (e.g. in tests).
type IdentityAccessManagementClient ¶
type IdentityAccessManagementClient struct {
// contains filtered or unexported fields
}
IdentityAccessManagementClient retrieves IAM policy bindings from Google Cloud and keeps them in local memory.
func NewIdentityAccessManagementClient ¶
func NewIdentityAccessManagementClient(ctx context.Context, googleWorkspaceClient GoogleWorkspaceClientReader, credentials *google.Credentials, refresh time.Duration) (*IdentityAccessManagementClient, error)
NewIdentityAccessManagementClient returns an implementation of IdentityAccessManagementReader. Bindings are loaded into memory and re-read every refresh; until the next refresh, a binding removed in Google Cloud is still honored locally, so choose refresh with that revocation delay in mind.
func (*IdentityAccessManagementClient) LoadBindingForGoogleServiceAccount ¶
func (i *IdentityAccessManagementClient) LoadBindingForGoogleServiceAccount(uid GoogleServiceAccount) (PolicyBindings, error)
LoadBindingForGoogleServiceAccount looks up, in the locally cached collection, which bindings (roles and condition expressions) the given service account holds.
func (*IdentityAccessManagementClient) LoadRoleCollection ¶
func (i *IdentityAccessManagementClient) LoadRoleCollection() GoogleServiceAccountRoleCollection
LoadRoleCollection returns the entire cached collection of policy bindings per service account.
func (*IdentityAccessManagementClient) RefreshRoleAndBindingsForIdentityAwareProxy ¶
func (i *IdentityAccessManagementClient) RefreshRoleAndBindingsForIdentityAwareProxy(ctx context.Context) error
RefreshRoleAndBindingsForIdentityAwareProxy loads the GoogleServiceAccountRoleCollection for IAP into local memory for use by the Load* methods.
type IdentityAccessManagementReader ¶
// IdentityAccessManagementReader abstracts IdentityAccessManagementClient so it can
// be substituted (e.g. in tests).
type IdentityAccessManagementReader interface {
	// RefreshRoleAndBindingsForIdentityAwareProxy (re)loads the IAP role bindings
	// into local memory; the Load* methods read from that cached copy, so a binding
	// revoked upstream stays effective locally until the next refresh.
	RefreshRoleAndBindingsForIdentityAwareProxy(ctx context.Context) error
	// LoadBindingForGoogleServiceAccount returns the cached bindings held by uid.
	LoadBindingForGoogleServiceAccount(uid GoogleServiceAccount) (PolicyBindings, error)
	// LoadRoleCollection returns the whole cached collection.
	LoadRoleCollection() GoogleServiceAccountRoleCollection
}
IdentityAccessManagementReader is the interface abstracting IdentityAccessManagementClient (the policy-binding service).
type Listener ¶
// Listener is the interface a listener implementation is expected to satisfy.
//
// NOTE(review): as rendered here, AuthServiceListener does not satisfy this
// interface — it exposes Close rather than Shutdown, and its ListenAndServeWithTLS
// returns an error whereas this method declares no result. Confirm against source.
type Listener interface {
	// Shutdown stops the listener.
	Shutdown(ctx context.Context) error
	// Port returns the port the listener is bound to.
	Port() int
	// ListenAndServe serves incoming requests over plain HTTP.
	ListenAndServe(ctx context.Context) error
	// ListenAndServeWithTLS serves over TLS using the given key and certificate
	// (encoding not documented here — presumably PEM). It declares no result, so a
	// caller cannot observe a failure to start.
	ListenAndServeWithTLS(ctx context.Context, key, cert []byte)
}
Listener is the interface a listener implementation is expected to satisfy. Note that, as documented here, AuthServiceListener does not match it: it exposes Close rather than Shutdown, and its ListenAndServeWithTLS returns an error while the interface method declares no result — confirm against the source.
type PolicyBinding ¶
PolicyBinding is a struct that retains the policy information relevant to this package (its fields are not shown here).
type PolicyBindingCollection ¶
// PolicyBindingCollection maps a Role to the policy bindings attached to that role.
type PolicyBindingCollection map[Role]PolicyBindings
PolicyBindingCollection is a custom map type from Role to the policy bindings attached to that role.
type PolicyBindings ¶
// PolicyBindings is the list of bindings attached to one role.
type PolicyBindings []PolicyBinding
PolicyBindings is the list of bindings attached to one role.
type ProxyServiceListener ¶
type ProxyServiceListener struct {
// contains filtered or unexported fields
}
ProxyServiceListener is a reverse-proxy implementation that gates traffic through the Authenticator, for plain HTTP(S) requests and/or CONNECT tunnels.