Index ¶
- Constants
- Variables
- func CalculateHeadersToPropagate(propagationCfg [][]string, claims map[string]interface{}) (map[string]string, error)
- func CanAccess(roleKey string, claims map[string]interface{}, required []string) bool
- func CanAccessNested(roleKey string, claims map[string]interface{}, required []string) bool
- func CompoundX5TKeyIDGetter(key *jose.JSONWebKey) string
- func CompoundX5TTokenKeyIDGetter(token *jwt.JSONWebToken) string
- func DecodeFingerprints(in []string) ([][]byte, error)
- func DefaultKeyIDGetter(key *jose.JSONWebKey) string
- func DefaultTokenKeyIDGetter(token *jwt.JSONWebToken) string
- func NewSigner(cfg *config.EndpointConfig, te auth0.RequestTokenExtractor) (*SignerConfig, Signer, error)
- func NewValidator(signatureConfig *SignatureConfig, ef ExtractorFactory) (*auth0.JWTValidator, error)
- func ScopesAllMatcher(scopesKey string, claims map[string]interface{}, requiredScopes []string) bool
- func ScopesAnyMatcher(scopesKey string, claims map[string]interface{}, requiredScopes []string) bool
- func ScopesDefaultMatcher(scopesKey string, claims map[string]interface{}, requiredScopes []string) bool
- func SignFields(keys []string, signer Signer, response *proxy.Response) error
- func X5TKeyIDGetter(key *jose.JSONWebKey) string
- func X5TTokenKeyIDGetter(token *jwt.JSONWebToken) string
- type ChainedRejecterFactory
- type Claims
- type Dialer
- type ExtractorFactory
- type FileKeyCacher
- type FixedRejecter
- type JWKClient
- type JWKClientOptions
- type KeyCacher
- type KeyIDGetter
- type KeyIDGetterFunc
- type MemoryKeyCacher
- type NopRejecterFactory
- type Rejecter
- type RejecterFactory
- type RejecterFactoryFunc
- type RejecterFunc
- type SecretProviderConfig
- type SignatureConfig
- type Signer
- type SignerConfig
- type TokenIDGetter
- type TokenKeyIDGetterFunc
Constants ¶
const (
	// ValidatorNamespace is the namespace string identifying the validator settings;
	// presumably the key looked up in the endpoint extra config by GetSignatureConfig — confirm.
	ValidatorNamespace = "github.com/devopsfaith/krakend-jose/validator"
	// SignerNamespace is the namespace string identifying the signer settings;
	// presumably the key looked up in the endpoint extra config by NewSigner — confirm.
	SignerNamespace = "github.com/devopsfaith/krakend-jose/signer"
)
Variables ¶
var (
	// ErrInsecureJWKSource reports that the JWK client would fetch keys over an
	// insecure connection to the JWK service. Presumably returned unless
	// DisableJWKSecurity is set — confirm in SecretProvider.
	ErrInsecureJWKSource = errors.New("JWK client is using an insecure connection to the JWK service")
	// ErrPinnedKeyNotFound reports that none of the configured pinned keys
	// (see Fingerprints / DecodeFingerprints) matched the JWK service.
	ErrPinnedKeyNotFound = errors.New("JWK client did not find a pinned key")
)
var (
	// ErrNoValidatorCfg reports that the endpoint carries no validator configuration
	// (presumably under ValidatorNamespace — confirm in GetSignatureConfig).
	ErrNoValidatorCfg = errors.New("no validator config")
	// ErrNoSignerCfg reports that the endpoint carries no signer configuration
	// (presumably under SignerNamespace — confirm in NewSigner).
	ErrNoSignerCfg = errors.New("no signer config")
)
var (
	// ErrNoKeyFound reports that the key cache holds no key for the requested id.
	ErrNoKeyFound = errors.New("no Keys have been found")
	// ErrKeyExpired reports that a key exists in the cache but has outlived its max age.
	ErrKeyExpired = errors.New("key exists but is expired")
	// MaxKeyAgeNoCheck, when configured as the max key age, skips the key expiry check.
	// NOTE(review): with expiry disabled a cached key stays trusted for as long as the
	// cache holds it, so key rotation depends on the cache being refreshed by other
	// means — confirm in MemoryKeyCacher.Get.
	MaxKeyAgeNoCheck = time.Duration(-1)
)
var (
	// DefaultEnabledCipherSuites is a collection of secure cipher suites to use
	// for the TLS connection to the JWK service when no CipherSuites are configured.
	// Only AEAD suites with (EC)DHE key exchange are listed; no CBC or RSA key
	// transport suites. NOTE(review): Go's crypto/tls does not let callers restrict
	// TLS 1.3 suites, so the last three entries document intent rather than configure anything — confirm.
	DefaultEnabledCipherSuites = []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		tls.TLS_AES_128_GCM_SHA256,
		tls.TLS_AES_256_GCM_SHA384,
		tls.TLS_CHACHA20_POLY1305_SHA256,
	}
)
Functions ¶
func CanAccessNested ¶
func CompoundX5TKeyIDGetter ¶
func CompoundX5TKeyIDGetter(key *jose.JSONWebKey) string
CompoundX5TKeyIDGetter extracts the key id from the JSONWebKey as a compound string of the kid and the x5t
func CompoundX5TTokenKeyIDGetter ¶
func CompoundX5TTokenKeyIDGetter(token *jwt.JSONWebToken) string
CompoundX5TTokenKeyIDGetter extracts the key id from the JSONWebToken as a compound string of the kid and the x5t
func DecodeFingerprints ¶
func DefaultKeyIDGetter ¶
func DefaultKeyIDGetter(key *jose.JSONWebKey) string
DefaultKeyIDGetter returns the default kid as JSONWebKey key id
func DefaultTokenKeyIDGetter ¶
func DefaultTokenKeyIDGetter(token *jwt.JSONWebToken) string
DefaultTokenKeyIDGetter returns the default kid as the JSONWebKey key id
func NewSigner ¶
func NewSigner(cfg *config.EndpointConfig, te auth0.RequestTokenExtractor) (*SignerConfig, Signer, error)
func NewValidator ¶
func NewValidator(signatureConfig *SignatureConfig, ef ExtractorFactory) (*auth0.JWTValidator, error)
func ScopesAllMatcher ¶
func ScopesAnyMatcher ¶
func ScopesDefaultMatcher ¶
func X5TKeyIDGetter ¶
func X5TKeyIDGetter(key *jose.JSONWebKey) string
X5TKeyIDGetter extracts the key id from the JSONWebKey as the x5t
func X5TTokenKeyIDGetter ¶
func X5TTokenKeyIDGetter(token *jwt.JSONWebToken) string
X5TTokenKeyIDGetter extracts the key id from the JSONWebToken as the x5t
Types ¶
type ChainedRejecterFactory ¶
type ChainedRejecterFactory []RejecterFactory
ChainedRejecterFactory returns rejecters chaining every rejecter contained in the collection
func (ChainedRejecterFactory) New ¶
func (c ChainedRejecterFactory) New(l logging.Logger, cfg *config.EndpointConfig) Rejecter
New returns a chained rejecter that evaluates all the rejecters in order until one rejects v or the chain is finished
type Dialer ¶
type Dialer struct {
// contains filtered or unexported fields
}
func NewDialer ¶
func NewDialer(cfg SecretProviderConfig) *Dialer
func (*Dialer) DialContext ¶
type ExtractorFactory ¶
type FileKeyCacher ¶
type FileKeyCacher struct {
// contains filtered or unexported fields
}
func NewFileKeyCacher ¶
func NewFileKeyCacher(data []byte, keyIdentifyStrategy string) (*FileKeyCacher, error)
func (*FileKeyCacher) Add ¶
func (f *FileKeyCacher) Add(keyID string, _ []jose.JSONWebKey) (*jose.JSONWebKey, error)
func (*FileKeyCacher) Get ¶
func (f *FileKeyCacher) Get(keyID string) (*jose.JSONWebKey, error)
type FixedRejecter ¶
type FixedRejecter bool
FixedRejecter is a rejecter that always returns the same bool response
func (FixedRejecter) Reject ¶
func (f FixedRejecter) Reject(_ map[string]interface{}) bool
Reject returns f
type JWKClient ¶
// JWKClient extends auth0.JWKClient so that the request token extractor can be
// kept alongside the embedded client (see NewJWKClientWithCache).
type JWKClient struct {
	*auth0.JWKClient
	// contains filtered or unexported fields
}
func NewJWKClientWithCache ¶
func NewJWKClientWithCache(options JWKClientOptions, extractor auth0.RequestTokenExtractor, keyCacher auth0.KeyCacher) *JWKClient
NewJWKClientWithCache creates a new JWKClient instance from the provided options and the custom extractor and key cacher. Passing nil as keyCacher creates a persistent key cacher. The extractor is also saved in the extended JWKClient.
func SecretProvider ¶
func SecretProvider(cfg SecretProviderConfig, te auth0.RequestTokenExtractor) (*JWKClient, error)
type JWKClientOptions ¶
// JWKClientOptions adds the key identification strategy to the embedded auth0.JWKClientOptions.
type JWKClientOptions struct {
	auth0.JWKClientOptions
	// KeyIdentifyStrategy selects how keys and tokens are matched (kid, x5t or
	// both); its accepted values are interpreted by KeyIDGetterFactory and TokenIDGetterFactory.
	KeyIdentifyStrategy string
}
type KeyCacher ¶
type KeyIDGetter ¶
type KeyIDGetter interface {
	// Get returns the identifier under which the given key is matched against tokens.
	Get(*jose.JSONWebKey) string
}
KeyIDGetter extracts a key id from a JSONWebKey
func KeyIDGetterFactory ¶
func KeyIDGetterFactory(keyIdentifyStrategy string) KeyIDGetter
type KeyIDGetterFunc ¶
type KeyIDGetterFunc func(*jose.JSONWebKey) string
KeyIDGetterFunc is a function type conforming to the KeyIDGetter interface.
func (KeyIDGetterFunc) Get ¶
func (f KeyIDGetterFunc) Get(key *jose.JSONWebKey) string
Get calls f(key)
type MemoryKeyCacher ¶
type MemoryKeyCacher struct {
// contains filtered or unexported fields
}
func (*MemoryKeyCacher) Add ¶
func (mkc *MemoryKeyCacher) Add(keyID string, downloadedKeys []jose.JSONWebKey) (*jose.JSONWebKey, error)
Add adds a key into the cache and handles overflow
func (*MemoryKeyCacher) Get ¶
func (mkc *MemoryKeyCacher) Get(keyID string) (*jose.JSONWebKey, error)
Get obtains a key from the cache, and checks if the key is expired
type NopRejecterFactory ¶
type NopRejecterFactory struct{}
NopRejecterFactory is a factory returning rejecters accepting all the tokens
func (NopRejecterFactory) New ¶
func (NopRejecterFactory) New(_ logging.Logger, _ *config.EndpointConfig) Rejecter
New returns a fixed rejecter that accepts all the tokens
type RejecterFactory ¶
type RejecterFactory interface {
	// New builds the Rejecter for the given endpoint configuration, logging through the supplied logger.
	New(logging.Logger, *config.EndpointConfig) Rejecter
}
RejecterFactory is a builder for rejecters
type RejecterFactoryFunc ¶
type RejecterFactoryFunc func(logging.Logger, *config.EndpointConfig) Rejecter
RejecterFactoryFunc is an adapter to use a function as rejecter factory
func (RejecterFactoryFunc) New ¶
func (f RejecterFactoryFunc) New(l logging.Logger, cfg *config.EndpointConfig) Rejecter
New calls f(l, cfg)
type RejecterFunc ¶
RejecterFunc is an adapter to use functions as rejecters
func (RejecterFunc) Reject ¶
func (r RejecterFunc) Reject(v map[string]interface{}) bool
Reject calls r(v)
type SecretProviderConfig ¶
type SignatureConfig ¶
// SignatureConfig holds the JWT validator settings decoded from the endpoint
// configuration (see GetSignatureConfig and NewValidator).
type SignatureConfig struct {
	// Alg is the expected signing algorithm of the incoming tokens.
	Alg string `json:"alg"`
	// URI is the location of the JWK set used to verify signatures.
	URI string `json:"jwk_url"`
	// CacheEnabled and CacheDuration control caching of the fetched keys
	// (CacheDuration presumably in seconds — confirm).
	CacheEnabled  bool   `json:"cache,omitempty"`
	CacheDuration uint32 `json:"cache_duration,omitempty"`
	// Issuer and Audience are the expected iss/aud claim values; whether an empty
	// value disables the check is decided in NewValidator — confirm.
	Issuer   string   `json:"issuer,omitempty"`
	Audience []string `json:"audience,omitempty"`
	// Roles are the roles required for the endpoint, read from the claim named by
	// RolesKey; RolesKeyIsNested switches the lookup to CanAccessNested (see CanAccess).
	Roles            []string `json:"roles,omitempty"`
	RolesKey         string   `json:"roles_key,omitempty"`
	RolesKeyIsNested bool     `json:"roles_key_is_nested,omitempty"`
	// PropagateClaimsToHeader maps claims to request headers; the entries are
	// consumed by CalculateHeadersToPropagate.
	PropagateClaimsToHeader [][]string `json:"propagate_claims,omitempty"`
	// CookieKey names the cookie the token is read from — confirm against the extractor.
	CookieKey string `json:"cookie_key,omitempty"`
	// CipherSuites overrides DefaultEnabledCipherSuites for the TLS connection to the JWK service.
	CipherSuites []uint16 `json:"cipher_suites,omitempty"`
	// DisableJWKSecurity allows an insecure JWK source; when it is false the
	// client is expected to fail with ErrInsecureJWKSource instead — confirm in SecretProvider.
	DisableJWKSecurity bool `json:"disable_jwk_security"`
	// Fingerprints pins the JWK endpoint; decoded by DecodeFingerprints, and a
	// mismatch surfaces as ErrPinnedKeyNotFound.
	Fingerprints []string `json:"jwk_fingerprints,omitempty"`
	// LocalCA is a CA bundle trusted for the JWK connection; LocalPath serves the
	// JWK set from a local file instead of URI (see NewFileKeyCacher).
	LocalCA   string `json:"jwk_local_ca,omitempty"`
	LocalPath string `json:"jwk_local_path,omitempty"`
	// SecretURL and CipherKey configure an encrypted secret source for the key
	// material. The JSON key is spelled "cypher_key"; keep it for compatibility.
	SecretURL string `json:"secret_url,omitempty"`
	CipherKey []byte `json:"cypher_key,omitempty"`
	// Scopes are the required scopes, read from the claim named by ScopesKey and
	// compared with the matcher selected by ScopesMatcher (see ScopesAllMatcher,
	// ScopesAnyMatcher and ScopesDefaultMatcher).
	Scopes        []string `json:"scopes,omitempty"`
	ScopesKey     string   `json:"scopes_key,omitempty"`
	ScopesMatcher string   `json:"scopes_matcher,omitempty"`
	// KeyIdentifyStrategy selects the kid/x5t strategy used by KeyIDGetterFactory
	// and TokenIDGetterFactory.
	KeyIdentifyStrategy string `json:"key_identify_strategy"`
	// OperationDebug enables extra diagnostics for the validation steps — confirm.
	OperationDebug bool `json:"operation_debug,omitempty"`
}
func GetSignatureConfig ¶
func GetSignatureConfig(cfg *config.EndpointConfig) (*SignatureConfig, error)
type SignerConfig ¶
// SignerConfig holds the JWT signer settings decoded from the endpoint
// configuration (see NewSigner).
type SignerConfig struct {
	// Alg is the signing algorithm to use.
	Alg string `json:"alg"`
	// KeyID is the kid of the signing key selected from the JWK set at URI.
	KeyID string `json:"kid"`
	// URI is the location of the JWK set holding the signing key.
	URI string `json:"jwk_url"`
	// FullSerialization selects the full JSON serialization over the compact form — confirm.
	FullSerialization bool `json:"full,omitempty"`
	// KeysToSign lists the response fields passed to SignFields.
	KeysToSign []string `json:"keys_to_sign,omitempty"`
	// CipherSuites overrides DefaultEnabledCipherSuites for the TLS connection to the JWK service.
	CipherSuites []uint16 `json:"cipher_suites,omitempty"`
	// DisableJWKSecurity allows an insecure JWK source; when it is false the
	// client is expected to fail with ErrInsecureJWKSource instead — confirm in SecretProvider.
	DisableJWKSecurity bool `json:"disable_jwk_security"`
	// Fingerprints pins the JWK endpoint; decoded by DecodeFingerprints.
	Fingerprints []string `json:"jwk_fingerprints,omitempty"`
	// LocalCA is a CA bundle trusted for the JWK connection; LocalPath serves the
	// JWK set from a local file instead of URI.
	LocalCA   string `json:"jwk_local_ca,omitempty"`
	LocalPath string `json:"jwk_local_path,omitempty"`
	// SecretURL and CipherKey configure an encrypted secret source for the key
	// material. The JSON key is spelled "cypher_key"; keep it for compatibility.
	SecretURL string `json:"secret_url,omitempty"`
	CipherKey []byte `json:"cypher_key,omitempty"`
}
type TokenIDGetter ¶
type TokenIDGetter interface {
	// Get returns the identifier of the key that should verify the given token.
	Get(*jwt.JSONWebToken) string
}
TokenIDGetter extracts the keyID from the JSON web token
func TokenIDGetterFactory ¶
func TokenIDGetterFactory(keyIdentifyStrategy string) TokenIDGetter
TokenIDGetterFactory returns the TokenIDGetter from the keyIdentifyStrategy configuration string
type TokenKeyIDGetterFunc ¶
type TokenKeyIDGetterFunc func(*jwt.JSONWebToken) string
TokenKeyIDGetterFunc is a function type conforming to the TokenIDGetter interface.
func (TokenKeyIDGetterFunc) Get ¶
func (f TokenKeyIDGetterFunc) Get(token *jwt.JSONWebToken) string
Get calls f(token)