iam

package

v0.4.1 Latest Latest Go to latest Published: Jul 29, 2022 License: Apache-2.0 Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/armory-io/go-commons

Links

Open Source Insights

README ¶

armory-cloud-iam

This is the Go version of lib-jvm-armory-cloud-iam

Core Package

The core package provides a principal service instance that retrieve JWKs from the Armory auth server and verifies the JWT on Armory-specific authorization headers. It accepts the following signing algorithms for JWT verification: RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, ES256K, HS256, HS384, HS512, EdDSA

See the `examples directory to learn how to create the instance and verify the jwt. See Yeti for a real world example.

The principal service needs to be instantiated before verification. It is recommended that the JWT public keys url is set in the service's app config, since staging and prod auth servers are at different locations.

err := auth.CreatePrincipalServiceInstance(config.Auth.JWT.JWTKeysUrl); err != nil {
    log.Fatal("failed to initialize principal service")
}

This instance can be accessed later with:


psi := iam.GetPrincipalServiceInstance();

JWT Verification: Gorilla Mux Middleware

The ArmoryCloudPrincipalMiddleware accepts valid JWTs and rejects requests that do not pass JWT verfication on Armory-specific auth headers. It is up to the service that consumes this library to specify which paths and where in the mux handler chain this middleware will execute in.


http.Handle("/", psi.ArmoryCloudPrincipalMiddleware(r))

Pass in optional validators for verifying specific scopes or other properties on the principal required by your service. The validators will execute after the principal is fetched and verified.

// myCustomValidator checks if the user can access deployment information.
func myCustomValidator(p *ArmoryCloudPrincipal) error {
    if p.HasScope() {
        return nil
    }
    if p.OrgName == "myOrg" {
        return nil
    }
    return errors.New("not authorized")
}

The validators need to be passed in when creating the principal service instance.

err := iam.CreatePrincipalServiceInstance(config.Auth.JWT.JWTKeysUrl, myCustomValidator); err != nil {
    log.Fatal("failed to initialize principal service")
}

Validators is a variadic argument so multiple parameters can be passed in and will be validated in order.

err := auth.CreatePrincipalServiceInstance(config.Auth.JWT.JWTKeysUrl, myCustomValidator1, myCustomValidator2, myCustomValidator3); err != nil {
    log.Fatal("failed to initialize principal service")
}

Example middleware setup:

JWT Verification: Manual extraction

You can verify the token after extracting from the authorization headers manually if you do not wish to use the middleware and implement your own error handling:

token, err := a.ExtractAndVerifyPrincipalFromTokenString(tokenStr)

Documentation ¶

Index ¶

Variables
func AuthMiddleware(ps *ArmoryCloudPrincipalService) func(handler http.Handler) http.Handler
func GinAuthMiddleware(ps *ArmoryCloudPrincipalService) gin.HandlerFunc
func WithPrincipal(ctx context.Context, principal ArmoryCloudPrincipal) context.Context
type ArmoryCloudPrincipal
- func ExtractPrincipalFromContext(ctx context.Context) (*ArmoryCloudPrincipal, error)
type ArmoryCloudPrincipalService
- func New(settings Settings) (*ArmoryCloudPrincipalService, error)
- func (a *ArmoryCloudPrincipalService) ExtractAndVerifyPrincipalFromTokenBytes(token []byte) (*ArmoryCloudPrincipal, error)
- func (a *ArmoryCloudPrincipalService) ExtractAndVerifyPrincipalFromTokenString(token string) (*ArmoryCloudPrincipal, error)
type JWT
type JwtFetcher
type JwtToken
- func (j *JwtToken) Download() error
- func (j *JwtToken) Fetch(token []byte) (interface{}, interface{}, error)
type PrincipalType
type Settings

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	ErrUnauthorized = errors.New("unauthorized")
)

Functions ¶

func AuthMiddleware ¶

func AuthMiddleware(ps *ArmoryCloudPrincipalService) func(handler http.Handler) http.Handler

func GinAuthMiddleware ¶

func GinAuthMiddleware(ps *ArmoryCloudPrincipalService) gin.HandlerFunc

func WithPrincipal ¶

func WithPrincipal(ctx context.Context, principal ArmoryCloudPrincipal) context.Context

Types ¶

type ArmoryCloudPrincipal ¶

type ArmoryCloudPrincipal struct {
	Type        PrincipalType `json:"type"`
	Name        string        `json:"name"`
	OrgId       string        `json:"orgId"`
	OrgName     string        `json:"orgName"`
	EnvId       string        `json:"envId"`
	ArmoryAdmin bool          `json:"armoryAdmin"`
	Scopes      []string      `json:"scopes"`
	Groups      []string      `json:"groups"`
}

func ExtractPrincipalFromContext ¶

func ExtractPrincipalFromContext(ctx context.Context) (*ArmoryCloudPrincipal, error)

ExtractPrincipalFromContext can be used by any handler or downstream middleware of the ArmoryCloudPrincipalMiddleware to get the encoded principal for manual verification of scopes.

func (*ArmoryCloudPrincipal) HasScope ¶

func (p *ArmoryCloudPrincipal) HasScope(scope string) bool

func (*ArmoryCloudPrincipal) String ¶

func (p *ArmoryCloudPrincipal) String() string

func (*ArmoryCloudPrincipal) Tenant ¶

func (p *ArmoryCloudPrincipal) Tenant() string

func (*ArmoryCloudPrincipal) ToJson ¶

func (p *ArmoryCloudPrincipal) ToJson() string

type ArmoryCloudPrincipalService ¶

type ArmoryCloudPrincipalService struct {
	JwtFetcher JwtFetcher
}

func New ¶

func New(settings Settings) (*ArmoryCloudPrincipalService, error)

New creates an ArmoryCloudPrincipalService. It downloads JWKS from the Armory Auth Server & populates the JWK Cache for principal verification.

func (*ArmoryCloudPrincipalService) ExtractAndVerifyPrincipalFromTokenBytes ¶

func (a *ArmoryCloudPrincipalService) ExtractAndVerifyPrincipalFromTokenBytes(token []byte) (*ArmoryCloudPrincipal, error)

func (*ArmoryCloudPrincipalService) ExtractAndVerifyPrincipalFromTokenString ¶

func (a *ArmoryCloudPrincipalService) ExtractAndVerifyPrincipalFromTokenString(token string) (*ArmoryCloudPrincipal, error)

type JWT ¶

type JWT struct {
	JWTKeysURL string `yaml:"jwtKeysUrl"`
}

type JwtFetcher ¶

type JwtFetcher interface {
	Download() error
	Fetch(token []byte) (interface{}, interface{}, error)
}

type JwtToken ¶

type JwtToken struct {
	// contains filtered or unexported fields
}

func (*JwtToken) Download ¶

func (j *JwtToken) Download() error

func (*JwtToken) Fetch ¶

func (j *JwtToken) Fetch(token []byte) (interface{}, interface{}, error)

type PrincipalType ¶

type PrincipalType string

const (
	User    PrincipalType = "user"
	Machine PrincipalType = "machine"
)

type Settings ¶

type Settings struct {
	JWT            JWT            `yaml:"jwt"`
	RequiredScopes []string       `yaml:"requiredScopes"`
	Identity       token.Identity `yaml:"identity"`
}

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
token

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL