tokens

package

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsClientIDToken

func IsClientIDToken(claims StandardClaims) bool

IsClientIDToken determines if this is a client identifying token

func IsClientIDTokenString

func IsClientIDTokenString(token string) (bool, error)

IsClientIDTokenString parses the token held in a string and calls IsClientIDToken on its claims; an error is returned when the string cannot be parsed.

func IsProvisioningToken

func IsProvisioningToken(claims StandardClaims) bool

IsProvisioningToken determines if this is a provisioning token

func IsServerToken

func IsServerToken(claims StandardClaims) bool

IsServerToken determines if this is a server token

func IsServerTokenString

func IsServerTokenString(token string) (bool, error)

IsServerTokenString parses the token held in a string and calls IsServerToken on its claims; an error is returned when the string cannot be parsed.

func ParseToken

func ParseToken(token string, claims jwt.Claims, pk any) error

ParseToken parses token into claims and verifies that the token is valid using the public key pk. Code that acts on the claims should use this (or one of the typed Parse*Token functions) rather than ParseTokenUnverified.

func ParseTokenUnverified

func ParseTokenUnverified(token string) (jwt.MapClaims, error)

ParseTokenUnverified parses token into claims and does NOT verify the token in any way — neither its signature nor its validity. Until a verifying parse has succeeded, the returned claims are untrusted input.

func SaveAndSignTokenWithKeyFile

func SaveAndSignTokenWithKeyFile(claims jwt.Claims, pkFile string, outFile string, perm os.FileMode) error

SaveAndSignTokenWithKeyFile signs a token using SignTokenWithKeyFile and writes it to outFile with file mode perm. Choose a restrictive perm: a signed JWT is not encrypted, and some claim sets carry secrets (see ProvisioningClaims.ProvNatsPass).

func SignToken

func SignToken(claims jwt.Claims, pk any) (string, error)

SignToken signs claims into a JWT string using the RSA private key pk.

func SignTokenWithKeyFile

func SignTokenWithKeyFile(claims jwt.Claims, pkFile string) (string, error)

SignTokenWithKeyFile signs a JWT using an RSA private key read from the PEM-encoded file pkFile.

func UnverifiedCallerFromClientIDToken

func UnverifiedCallerFromClientIDToken(token string) (*jwt.Token, string, error)

UnverifiedCallerFromClientIDToken extracts the caller id from a client token.

The token is not verified because this is mainly used on clients, which might not have the signer's public key needed to verify the token. This is acceptable only because the signer verifies the token later anyway; the caller id returned here is unauthenticated and must not be used for an authorization decision on its own.

Further, at the moment, the Purpose claim is not verified, for backward compatibility.

An empty caller id results in an error.

func UnverifiedIdentityFromServerToken

func UnverifiedIdentityFromServerToken(token string) (*jwt.Token, string, error)

UnverifiedIdentityFromServerToken extracts the identity from a server token.

The token is not verified because this is mainly used on servers, which might not have the signer's public key needed to verify the token. This is acceptable only because the signer verifies the token later anyway; the identity returned here is unauthenticated and must not be used for an authorization decision on its own.

An empty identity results in an error.

Types

type ClientIDClaims

// ClientIDClaims is the JWT claim set an AAA authenticator issues to a Choria
// client (user). Its Purpose, carried by the embedded StandardClaims, is
// expected to be ClientIDPurpose. The *Unverified parsers in this package
// return these fields without checking any signature, so none of them should
// drive an authorization decision until a verifying parse has succeeded.
type ClientIDClaims struct {
	// CallerID is the choria caller id that will be set for this user for AAA purposes, typically provider=caller format
	CallerID string `json:"callerid"`

	// AllowedAgents is a list of agent names or agent.action names this user can perform
	AllowedAgents []string `json:"agents,omitempty"`

	// OrganizationUnit is currently unused but will indicate the server account a user should belong to, set to 'choria' now
	OrganizationUnit string `json:"ou,omitempty"`

	// UserProperties is a list of arbitrary properties that can be set for a user, OPA Policies in the token can access these
	UserProperties map[string]string `json:"user_properties,omitempty"`

	// OPAPolicy is a Open Policy Agent document to be used by the signer to limit the users actions.
	// The policy travels inside the signed token, so it is only as trustworthy as the token's signature.
	OPAPolicy string `json:"opa_policy,omitempty"`

	// Permissions sets additional permissions for a client; nil (omitted from the JSON) when no extra permissions are granted
	Permissions *ClientPermissions `json:"permissions,omitempty"`

	// PublicKey is a ED25519 public key that will be used to sign requests and the server nonce.
	// NOTE(review): the string encoding of the key is not defined here — confirm (hex vs base64) against NewClientIDClaims.
	PublicKey string `json:"public_key,omitempty"`

	// AdditionalPublishSubjects are additional subjects the client can publish to
	AdditionalPublishSubjects []string `json:"pub_subjects,omitempty"`

	// AdditionalSubscribeSubjects are additional subjects the client can subscribe to
	AdditionalSubscribeSubjects []string `json:"sub_subjects,omitempty"`

	// Purpose plus the registered JWT claims (issuer, expiry, ...)
	StandardClaims
}

ClientIDClaims represents a user, and all AAA authenticators should create JWTs using this format.

The "purpose" claim should be set to ClientIDPurpose

func NewClientIDClaims

func NewClientIDClaims(callerID string, allowedAgents []string, org string, properties map[string]string, opaPolicy string, issuer string, validity time.Duration, perms *ClientPermissions, pk ed25519.PublicKey) (*ClientIDClaims, error)

NewClientIDClaims generates new ClientIDClaims

func ParseClientIDToken

func ParseClientIDToken(token string, pk any, verifyPurpose bool) (*ClientIDClaims, error)

ParseClientIDToken parses token and verifies it with pk. When verifyPurpose is true the Purpose claim is additionally checked (it is expected to be ClientIDPurpose); passing false exists for backward compatibility with tokens that predate the claim.

func ParseClientIDTokenUnverified

func ParseClientIDTokenUnverified(token string) (*ClientIDClaims, error)

ParseClientIDTokenUnverified parses the client token without verifying its signature or validity; treat the result as untrusted input until it has been checked with ParseClientIDToken.

func ParseClientIDTokenWithKeyfile

func ParseClientIDTokenWithKeyfile(token string, pkFile string, verifyPurpose bool) (*ClientIDClaims, error)

ParseClientIDTokenWithKeyfile parses token and verifies it with the RSA public key read from pkFile; ed25519 public keys in a file are not supported.

func (*ClientIDClaims) UniqueID

func (c *ClientIDClaims) UniqueID() (id string, uid string)

UniqueID returns the caller id and unique id used to generate private inboxes

type ClientPermissions

// ClientPermissions are optional capability flags attached to a ClientIDClaims.
// Several of them (SystemUser, OrgAdmin, AuthenticationDelegator) grant broad
// access, so issuers should set them deliberately; like the rest of the token
// they are only trustworthy after signature verification.
type ClientPermissions struct {
	// StreamsAdmin enables full access to Choria Streams for all APIs
	StreamsAdmin bool `json:"streams_admin,omitempty"`

	// StreamsUser enables user level access to Choria Streams, no stream admin features
	StreamsUser bool `json:"streams_user,omitempty"`

	// EventsViewer allows viewing lifecycle and auto agent events
	EventsViewer bool `json:"events_viewer,omitempty"`

	// ElectionUser allows using leader elections
	ElectionUser bool `json:"election_user,omitempty"`

	// SystemUser allows accessing the Choria Broker system account without verified TLS.
	// High privilege: it bypasses the TLS identity check for the system account.
	SystemUser bool `json:"system_user,omitempty"`

	// Governor enables access to Governors, cannot make new ones, also requires Streams permission.
	// NOTE(review): unlike most flags here this has no omitempty, so it is always serialized — confirm that is intentional.
	Governor bool `json:"governor"`

	// OrgAdmin has access to all subjects (effectively unrestricted broker access)
	OrgAdmin bool `json:"org_admin,omitempty"`

	// FleetManagement enables access to the choria server fleet for RPCs
	FleetManagement bool `json:"fleet_management,omitempty"`

	// SignedFleetManagement requires a user to have a valid signature by an AuthenticationDelegator to interact with the fleet
	SignedFleetManagement bool `json:"signed_fleet_management,omitempty"`

	// ExtendedServiceLifetime allows a token to have a longer than common lifetime, suitable for services users
	ExtendedServiceLifetime bool `json:"service,omitempty"`

	// AuthenticationDelegator has the right to sign requests on behalf of others.
	// High privilege: holders can act as other callers. Always serialized (no omitempty).
	AuthenticationDelegator bool `json:"authentication_delegator"`
}

type MapClaims added in v0.26.0

type MapClaims jwt.MapClaims

MapClaims are free form map claims

type ProvisioningClaims

// ProvisioningClaims is the JWT claim set carried by a Choria server's
// provisioning token. Nodes read it with ParseProvisionTokenUnverified to
// discover their provisioning settings; the broker and provisioner verify the
// signature before acting on it. A JWT is signed, not encrypted, so every
// field below — including ProvNatsPass — is readable by anyone who obtains
// the token. Treat the token file as a secret.
//
// The short claim names ("cht", "chs", ...) are the wire form; the field
// meanings below are taken from the matching NewProvisioningClaims arguments.
type ProvisioningClaims struct {
	// Token is the provisioning token value (the token argument of NewProvisioningClaims)
	Token        string    `json:"cht"`
	// Secure is the secure argument of NewProvisioningClaims; presumably whether the
	// node must use TLS when connecting to provisioning — confirm against the provisioner
	Secure       bool      `json:"chs"`
	// URLs holds the provisioning broker URLs. NewProvisioningClaims takes them as a
	// []string, so they are presumably joined into one string here — confirm the separator
	URLs         string    `json:"chu,omitempty"`
	// SRVDomain is the DNS domain used for SRV-record based broker discovery (srvDomain argument)
	SRVDomain    string    `json:"chsrv,omitempty"`
	// ProvDefault is the byDefault argument of NewProvisioningClaims; presumably whether
	// provisioning mode is the node's default — confirm
	ProvDefault  bool      `json:"chpd"`
	// ProvRegData corresponds to the registrationDataFile argument — presumably the
	// file's contents rather than its path; confirm
	ProvRegData  string    `json:"chrd,omitempty"`
	// ProvFacts corresponds to the factsDataFile argument — presumably the file's
	// contents rather than its path; confirm
	ProvFacts    string    `json:"chf,omitempty"`
	// ProvNatsUser is the user name for the provisioning broker (user argument)
	ProvNatsUser string    `json:"chusr,omitempty"`
	// ProvNatsPass is the password for the provisioning broker (password argument).
	// It is stored in clear text inside the signed token.
	ProvNatsPass string    `json:"chpwd,omitempty"`
	// Extensions holds free-form additional claims; always serialized (no omitempty)
	Extensions   MapClaims `json:"extensions"`

	// Purpose plus the registered JWT claims (issuer, expiry, ...)
	StandardClaims
}

func NewProvisioningClaims

func NewProvisioningClaims(secure bool, byDefault bool, token string, user string, password string, urls []string, srvDomain string, registrationDataFile string, factsDataFile string, issuer string, validity time.Duration) (*ProvisioningClaims, error)

NewProvisioningClaims generates new ProvisioningClaims

func ParseProvisionTokenUnverified

func ParseProvisionTokenUnverified(token string) (*ProvisioningClaims, error)

ParseProvisionTokenUnverified parses the provisioning token without verifying its signature or validity.

This is intended for nodes to discover their provisioning settings: they try those settings, and if nothing is there, nothing is lost. The broker and provisioner WILL validate this token, so parsing it unverified on the node is roughly equivalent to reading a configuration file, which is the intended purpose of this token and function. The token nevertheless carries the provisioning broker credentials in clear text (see ProvisioningClaims), so it should still be protected at rest.

func ParseProvisioningToken

func ParseProvisioningToken(token string, pk any) (*ProvisioningClaims, error)

ParseProvisioningToken parses token and verifies it with pk

func ParseProvisioningTokenWithKeyfile

func ParseProvisioningTokenWithKeyfile(token string, pkFile string) (*ProvisioningClaims, error)

ParseProvisioningTokenWithKeyfile parses token and verifies it with the RSA public key read from pkFile; ed25519 public keys in a file are not supported.

type Purpose

type Purpose string

Purpose indicates what kind of token a JWT is and helps us parse it into the right data structure

const (
	// UnknownPurpose is a JWT that does not have a purpose set. Per the
	// UnverifiedCallerFromClientIDToken docs such tokens are still accepted in
	// some paths for backward compatibility.
	UnknownPurpose Purpose = ""

	// ClientIDPurpose indicates a JWT is a ClientIDClaims JWT
	ClientIDPurpose Purpose = "choria_client_id"

	// ProvisioningPurpose indicates a JWT is a ProvisioningClaims JWT
	ProvisioningPurpose Purpose = "choria_provisioning"

	// ServerPurpose indicates a JWT is a ServerClaims JWT
	ServerPurpose Purpose = "choria_server"
)

func TokenPurpose

func TokenPurpose(token string) Purpose

TokenPurpose parses token without validating it and returns its Purpose claim (presumably UnknownPurpose when the claim is absent or the token cannot be parsed — confirm). Because no signature is checked, the result only tells you which parser to try next; it is not a trust decision.

func TokenPurposeBytes

func TokenPurposeBytes(token []byte) Purpose

TokenPurposeBytes calls TokenPurpose with a bytes input.

type ServerClaims

// ServerClaims is the JWT claim set issued to a Choria server. Its Purpose,
// carried by the embedded StandardClaims, is expected to be ServerPurpose.
// As with the other claim types, fields obtained through the *Unverified
// parsers are unauthenticated until a verifying parse has succeeded.
type ServerClaims struct {
	// ChoriaIdentity is the server identity
	ChoriaIdentity string `json:"identity"`

	// Collectives sets what collectives this server belongs to within the organization
	Collectives []string `json:"collectives"`

	// PublicKey is a ED25519 public key use to sign server nonce and other parts.
	// IsMatchingPublicKey and IsMatchingSeedFile compare a local key against this value.
	// NOTE(review): the string encoding of the key is not defined here — confirm against NewServerClaims.
	PublicKey string `json:"public_key"`

	// Permissions are additional abilities the server will have; nil (omitted from the JSON) when none are granted
	Permissions *ServerPermissions `json:"permissions,omitempty"`

	// OrganizationUnit is currently unused but will indicate the server account a node should belong to, set to 'choria' now
	OrganizationUnit string `json:"ou,omitempty"`

	// AdditionalPublishSubjects are additional subjects the server can publish to facilitate for example custom registration paths
	AdditionalPublishSubjects []string `json:"pub_subjects,omitempty"`

	// Purpose plus the registered JWT claims (issuer, expiry, ...)
	StandardClaims
}

func NewServerClaims

func NewServerClaims(identity string, collectives []string, org string, perms *ServerPermissions, additionalPublish []string, pk ed25519.PublicKey, issuer string, validity time.Duration) (*ServerClaims, error)

NewServerClaims generates new ServerClaims

func ParseServerToken

func ParseServerToken(token string, pk any) (*ServerClaims, error)

ParseServerToken parses token and verifies it with pk

func ParseServerTokenFileUnverified added in v0.26.1

func ParseServerTokenFileUnverified(file string) (*ServerClaims, error)

ParseServerTokenFileUnverified calls ParseServerTokenUnverified using the contents of file

func ParseServerTokenUnverified

func ParseServerTokenUnverified(token string) (*ServerClaims, error)

ParseServerTokenUnverified parses the server token without verifying its signature or validity; treat the result as untrusted input until it has been checked with ParseServerToken.

func ParseServerTokenWithKeyfile

func ParseServerTokenWithKeyfile(token string, pkFile string) (*ServerClaims, error)

ParseServerTokenWithKeyfile parses token and verifies it with the RSA public key read from pkFile; ed25519 public keys in a file are not supported.

func (*ServerClaims) IsMatchingPublicKey added in v0.26.1

func (c *ServerClaims) IsMatchingPublicKey(pubK ed25519.PublicKey) (bool, error)

IsMatchingPublicKey checks that the stored public key matches the supplied one

func (*ServerClaims) IsMatchingSeedFile added in v0.26.1

func (c *ServerClaims) IsMatchingSeedFile(file string) (bool, error)

IsMatchingSeedFile determines if the token public key matches the seed in file

func (*ServerClaims) UniqueID

func (c *ServerClaims) UniqueID() (id string, uid string)

UniqueID returns the identity and unique id used to generate private inboxes

type ServerPermissions

// ServerPermissions are optional capability flags attached to a ServerClaims.
// All four flags are always serialized (no omitempty), unlike most of
// ClientPermissions.
type ServerPermissions struct {
	// Submission enables access to <collective>.submission.in.>
	Submission bool `json:"submission"`

	// Streams allow access to Choria Streams such as reading KV values and using Governors
	Streams bool `json:"streams"`

	// Governor enables access to Governors, cannot make new ones, also requires Streams permission
	Governor bool `json:"governor"`

	// ServiceHost allows a node to listen for service requests
	ServiceHost bool `json:"service_host"`
}

type StandardClaims

// StandardClaims is embedded in every Choria claim type. It adds the Choria
// specific "purpose" claim to the registered JWT claims (issuer, expiry, ...)
// provided by jwt.RegisteredClaims. The Is*Token helpers take only this struct,
// so they are expected to decide from Purpose alone.
type StandardClaims struct {
	// Purpose identifies which claims structure this token carries
	// (ClientIDPurpose, ProvisioningPurpose or ServerPurpose); UnknownPurpose when unset.
	Purpose Purpose `json:"purpose"`

	// Issuer, expiry and the other registered claims. Validity (expiry) is
	// enforced only by the verifying parsers, never by the *Unverified ones.
	jwt.RegisteredClaims
}
