authorization

package
v4.2.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 26, 2021 License: MIT Imports: 16 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrMissingSub   = errors.New("sub is required")
	ErrExpiration   = errors.New("invalid exp")
	ErrTooEarly     = errors.New("token is not valid yet")
	ErrTooSoon      = errors.New("token used before issued")
	ErrInvalidParty = errors.New("invalid authorized party")
)

Validation error constants

View Source 
var (

	// DataStoreClaims used for setting the service itself as an author of a record
	DataStoreClaims = Claims{
		UserID:   uuid.Nil.String(),
		UserName: "datastore",
	}
)
View Source 
var TimeFunc = time.Now

TimeFunc provides the current time when parsing token to validate "exp" claim (expiration time). You can override it to use another time value. This is useful for testing or if your server uses a different time zone than your tokens.

Functions

func NewMiddleware 

func NewMiddleware(headerName string, publicKey interface{}) goserverhttp.Option

NewMiddleware creates a new authrorization middleware to set the claims in the context

func SetClaims 

func SetClaims(r *http.Request, claims Claims) *http.Request

SetClaims add the Claims instance to the request Context

Types

type Claims 

type Claims struct {
	// standard oidc claims
	ID        string    `json:"id"`
	Issuer    string    `json:"iss"`
	IssuedAt  Timestamp `json:"iat"`
	NotBefore Timestamp `json:"nbf"`
	Expires   Timestamp `json:"exp"`
	Audience  string    `json:"aud,omitempty"`

	UserID   string `json:"sub"`
	UserName string `json:"name"`
	Email    string `json:"email"`

	// Contiamo specific claims
	TenantID      string   `json:"tenantID"`
	RealmIDs      []string `json:"realmIDs"`
	GroupIDs      []string `json:"groupIDs"`
	AllowedIPs    []string `json:"allowedIPs"`
	IsTenantAdmin bool     `json:"isTenantAdmin"`
	AdminRealmIDs []string `json:"adminRealmIDs"`

	AuthenticationMethodReferences []string `json:"amr"`
	// AuthorizedParty is used to indicate that the request is authorizing as a
	// service request, giving it super-admin privileges to completely any request.
	// This replaces the "project admin" behavior of the current tokens.
	AuthorizedParty string `json:"azp,omitempty"`

	// SourceToken is for internal usage only
	SourceToken string `json:"-"`
}

Claims represents the expected claims that should be in JWT claims of an X-Request-Token

func GetClaims 

func GetClaims(r *http.Request) (Claims, bool)

GetClaims retrieves the Claims object from the request context

func GetClaimsFromCtx 

func GetClaimsFromCtx(ctx context.Context) (Claims, bool)

GetClaimsFromCtx retrieves the Claims object from the given context

func (*Claims) Entities 

func (a *Claims) Entities() (entities []string)

Entities returns a slice of the entity ids that the auth claims contains. These are ids that permissions may be assigned to. Currently, this is the UserID, GroupIDs, and ResourceTokenIDs

func (*Claims) FromClaimsMap 

func (a *Claims) FromClaimsMap(claims jwt.Claims) error

FromClaimsMap loads the claim information from a jwt.Claims object, this is a simple map[string]interface{}

func (*Claims) ToClaims 

func (a *Claims) ToClaims() (jwt.Claims, error)

ToClaims encodes the token as jwt.Claims

func (*Claims) ToJWT 

func (a *Claims) ToJWT(privateKey interface{}) (string, error)

ToJWT encodes the token to a valid jwt

func (*Claims) Valid deprecated 

func (a *Claims) Valid() bool

Valid tests if the Claims object contains the minimal required information to be used for authorization checks.

Deprecated: Use the Validate method to get a precise error message. This method remains for backward compatibility.

func (Claims) Validate 

func (a Claims) Validate() (err error)

Validate verifies the token claims.

func (Claims) VerifyAudience 

func (a Claims) VerifyAudience(cmp string, required bool) bool

VerifyAudience compares the aud claim against cmp.

func (Claims) VerifyAuthorizedParty 

func (a Claims) VerifyAuthorizedParty() bool

VerifyAuthorizedParty verify that azp matches the iss value, if set.

func (Claims) VerifyExpiresAt 

func (a Claims) VerifyExpiresAt(cmp time.Time, required bool) bool

VerifyExpiresAt compares the exp claim against the cmp time.

func (Claims) VerifyIssuedAt 

func (a Claims) VerifyIssuedAt(cmp time.Time, required bool) bool

VerifyIssuedAt compares the iat claim against the cmp time.

func (Claims) VerifyIssuer 

func (a Claims) VerifyIssuer(cmp string, required bool) bool

VerifyIssuer compares the iss claim against cmp.

func (Claims) VerifyNotBefore 

func (a Claims) VerifyNotBefore(cmp time.Time, required bool) bool

VerifyNotBefore compares the nbf claim against the cmp time.

type Timestamp 

type Timestamp struct {
	// contains filtered or unexported fields
}

Timestamp provides a timestamp value that can handle JSON strings and numeric values

func FromTime 

func FromTime(t time.Time) Timestamp

FromTime creates a timestamp from an existing time value

func (Timestamp) MarshalJSON 

func (t Timestamp) MarshalJSON() ([]byte, error)

MarshalJSON implements the JSON marshal interface, returning 

t as a Unix time, the number of seconds elapsed since

January 1, 1970 UTC.

func (Timestamp) Time 

func (t Timestamp) Time() time.Time

Time returns the embedded go time value

func (*Timestamp) UnmarshalJSON 

func (t *Timestamp) UnmarshalJSON(data []byte) error

UnmarshalJSON implements json.Unmarshaler. It supports string and null input.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.