Documentation ¶
Index ¶
- Constants
- func CloseKeyStore()
- func FromContext(ctx context.Context) (*jwt.Token, bool)
- func GetBearerToken(r *http.Request, logger *logrus.Entry) string
- func GoDownloadLoop()
- func LoadKeyStore(config Config, keyDirectory string)
- func NewContext(ctx context.Context, token *jwt.Token) context.Context
- func ParseECPublicKeyFromPEM(key []byte) (pkey *ecdsa.PublicKey, rest []byte, err error)
- func ReadAllPublicKeys(keyDirectory string, mayLoadTestKeys bool) []*ecdsa.PublicKey
- func ReadPrivateKey(filePath string) *ecdsa.PrivateKey
- func ReadPublicKey(filePath string) []*ecdsa.PublicKey
- func ReloadKeyStore()
- func RequestLogFields(r *http.Request) logrus.Fields
- func RequestLogger(r *http.Request) *logrus.Entry
- func SubjectFromContext(ctx context.Context) (string, bool)
- type AlwaysAllow
- type AlwaysDeny
- type Authenticator
- type Config
- type JWT
- type KeyStore
- type Redirector
- type RedirectorResponse
Constants ¶
// StatusTokenExpired is the HTTP status code that's returned when an expired
// token is used. It is a non-standard code, so clients must recognise it
// explicitly rather than rely on generic 4xx handling.
const StatusTokenExpired = 498
StatusTokenExpired is the HTTP status code that's returned when an expired token is used.
Variables ¶
This section is empty.
Functions ¶
func FromContext ¶
FromContext returns the Token value stored in ctx, if any.
func GetBearerToken ¶
GetBearerToken obtains the bearer token from the HTTP request, if there is any.
func GoDownloadLoop ¶
func GoDownloadLoop()
GoDownloadLoop starts the background download loop for new keys. Use CloseKeyStore() after calling this.
func LoadKeyStore ¶
LoadKeyStore loads all keys from a directory and stores them in the global key store.
func NewContext ¶
NewContext returns a copy of the context with a JWT token included.
func ParseECPublicKeyFromPEM ¶
ParseECPublicKeyFromPEM parses a PEM-encoded PKCS1 or PKCS8 public key. This function is copied from jwt.ParseECPublicKeyFromPEM() and modified to support multiple keys in the same file. See https://github.com/dgrijalva/jwt-go/issues/317
func ReadAllPublicKeys ¶
ReadAllPublicKeys reads all *-public*.pem files in the root path as ECDSA public keys.
func ReadPrivateKey ¶
func ReadPrivateKey(filePath string) *ecdsa.PrivateKey
ReadPrivateKey reads a PEM file as ECDSA private key.
func ReadPublicKey ¶
ReadPublicKey reads a PEM file as ECDSA public key.
func ReloadKeyStore ¶
func ReloadKeyStore()
ReloadKeyStore reloads the global keystore from disk. The keystore is locked while the reload happens.
func RequestLogFields ¶
RequestLogFields returns request-specific fields.
func RequestLogger ¶
RequestLogger returns a logger with request-specific fields.
Types ¶
type AlwaysAllow ¶
// AlwaysAllow is an always-allowing Authenticator: Wrap and WrapFunc pass
// every request through, and GenerateToken never produces a token.
type AlwaysAllow struct{}
AlwaysAllow is an always-allowing Authenticator.
func (AlwaysAllow) GenerateToken ¶
func (f AlwaysAllow) GenerateToken() (string, error)
GenerateToken always returns an error and never generates a token.
func (AlwaysAllow) Wrap ¶
func (f AlwaysAllow) Wrap(handler http.Handler) http.Handler
Wrap does nothing and allows all requests.
func (AlwaysAllow) WrapFunc ¶
func (f AlwaysAllow) WrapFunc(handlerFunc func(w http.ResponseWriter, r *http.Request)) http.Handler
WrapFunc does nothing and allows all requests.
type AlwaysDeny ¶
// AlwaysDeny is an always-denying Authenticator: Wrap and WrapFunc reject
// every request, and GenerateToken never produces a token.
type AlwaysDeny struct{}
AlwaysDeny is an always-denying Authenticator.
func (AlwaysDeny) GenerateToken ¶
func (f AlwaysDeny) GenerateToken() (string, error)
GenerateToken always returns an error and never generates a token.
func (AlwaysDeny) Wrap ¶
func (f AlwaysDeny) Wrap(handler http.Handler) http.Handler
Wrap makes the wrapped handler uncallable because everything is rejected.
func (AlwaysDeny) WrapFunc ¶
func (f AlwaysDeny) WrapFunc(handlerFunc func(w http.ResponseWriter, r *http.Request)) http.Handler
WrapFunc makes the wrapped handlerFunc uncallable because everything is rejected.
type Authenticator ¶
// Authenticator is the interface for HTTP handler wrappers that perform
// authentication.
type Authenticator interface {
	// Wrap returns a handler that decides whether the request is allowed
	// before handing it to handler.
	Wrap(handler http.Handler) http.Handler
	// WrapFunc is the same as Wrap, but for a plain handler function.
	WrapFunc(handlerFunc func(w http.ResponseWriter, r *http.Request)) http.Handler
	// GenerateToken creates a new token. Implementations that cannot issue
	// tokens (AlwaysAllow, AlwaysDeny) return an error instead.
	GenerateToken() (string, error)
}
Authenticator is the interface for HTTP handler wrappers that perform authentication.
func Load ¶
func Load(conf Config) Authenticator
Load loads the JWT authentication keys from ./jwtkeys and creates a new JWT authenticator.
type Config ¶
// Config contains the package configuration.
type Config struct {
	// Used only for unit tests, so that they know where the temporary
	// directory created for this test is located.
	TestTempDir string `yaml:"-"`
	// DisableSecurity presumably bypasses authentication when true —
	// NOTE(review): confirm against Load(); treat as test-only.
	DisableSecurity bool `yaml:"disableSecurity"`
	// PublicKeysURL is not read from the YAML configuration (tag "-").
	PublicKeysURL string `yaml:"-"`
	// DownloadKeysInterval is read from the "publicKeysDownloadInterval"
	// YAML key; presumably paces GoDownloadLoop() — TODO confirm.
	DownloadKeysInterval time.Duration `yaml:"publicKeysDownloadInterval"`
}
Config contains the package configuration.
func CreateTestConfig ¶
func CreateTestConfig() (conf Config, cleanup func())
CreateTestConfig creates a configuration + cleanup function.
type JWT ¶
// JWT is an HTTP handler that authenticates JWT bearer tokens.
type JWT struct {
	// contains filtered or unexported fields
}
JWT is an HTTP handler that authenticates JWT bearer tokens.
func (*JWT) GenerateToken ¶
GenerateToken generates a new JWT token.
type KeyStore ¶
// KeyStore contains a private key and the trusted public keys.
type KeyStore struct {
	// Private key used for generating JWTs. May be nil when no private key is loaded.
	MyPrivateKey *ecdsa.PrivateKey
	// Any key in this array is trusted as authoritative for received JWTs.
	// NOTE(review): GetKeyStore() hands out a shallow copy, so this slice is
	// presumably shared with the global store — do not mutate it.
	TrustedPublicKeys []*ecdsa.PublicKey
	// contains filtered or unexported fields
}
KeyStore contains a private key and the trusted public keys.
func GetKeyStore ¶
func GetKeyStore() *KeyStore
GetKeyStore returns a shallow copy of the global KeyStore, so that the global keystore can be modified (for example by ReloadKeyStore) while the copy is in use. The returned KeyStore should be used immediately; keep no references to it or copies of it.
type Redirector ¶
// Redirector redirects an HTTP client to the Flamenco Server URL where a JWT
// token can be obtained.
type Redirector struct {
	// contains filtered or unexported fields
}
Redirector redirects an HTTP client to the Flamenco Server URL where a JWT token can be obtained.
func NewRedirector ¶
func NewRedirector(managerID, managerSecret string, flamencoServer *url.URL) *Redirector
NewRedirector creates a new Redirector instance.
func (*Redirector) AddRoutes ¶
func (red *Redirector) AddRoutes(router *mux.Router)
AddRoutes adds HTTP routes to the muxer.
type RedirectorResponse ¶
// RedirectorResponse is sent to the browser when it asks for a token.
type RedirectorResponse struct {
	// Where to get the token.
	TokenURL string `json:"tokenURL"`
	// Where to send the browser if the Token URL sends a 403 Forbidden.
	LoginURL string `json:"loginURL"`
}
RedirectorResponse is sent to the browser when it asks for a token.