navigaid

package v1.0.1 (not the latest version of its module)
Published: Oct 30, 2024 License: MIT Imports: 22 Imported by: 0

Documentation

Constants

const (
	TokenTypeAccessToken = "access_token"
	TokenTypeIDToken     = "id_token"
)

Known token types.

Variables

This section is empty.

Functions

func AccessTokenEndpoint

func AccessTokenEndpoint(serviceURL string) string

AccessTokenEndpoint is a helper function that returns the v1 token endpoint URL given a URL that points to the access token service.

func HTTPMiddleware

func HTTPMiddleware(jwks *JWKS, next http.Handler, annotate AnnotationFunc) http.Handler

HTTPMiddleware populates the request context with NavigaID authentication information. If there is an X-Ray segment on the context, it is decorated with the sub claim as the user and an "imid_org" annotation.

The middleware does not reject requests itself. It is the responsibility of the individual handlers to act on authentication errors by calling GetAuth() and inspecting the returned error before serving anything that requires authentication.
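The middleware-stores, handler-decides split described above is easy to get wrong: a handler that forgets the GetAuth check serves unauthenticated traffic. The following added example (not code from the navigaid package) shows the pattern with a self-contained SetAuth/GetAuth pair and a RequireAuth wrapper that fails closed so no handler can skip the check. The token lookup table and the AuthInfo.Subject field are this example's own stand-ins for the package's JWKS validation and Claims.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AuthInfo and ErrNoToken follow the shapes documented for navigaid; the
// context plumbing and the token check below are this example's own.
type AuthInfo struct {
	AccessToken string
	Subject     string // stand-in for the sub claim
}

type ErrNoToken struct{}

func (ErrNoToken) Error() string { return "no bearer token in request" }

type authKey struct{}

type authResult struct {
	info AuthInfo
	err  error
}

// SetAuth stores the authentication outcome, success or failure, in ctx.
func SetAuth(ctx context.Context, info AuthInfo, err error) context.Context {
	return context.WithValue(ctx, authKey{}, authResult{info: info, err: err})
}

// GetAuth returns the stored outcome. A request that never passed through
// the middleware is treated the same as one without a token (fail closed).
func GetAuth(ctx context.Context) (AuthInfo, error) {
	r, ok := ctx.Value(authKey{}).(authResult)
	if !ok {
		return AuthInfo{}, ErrNoToken{}
	}
	return r.info, r.err
}

// validTokens is a constructed lookup table standing in for JWKS validation.
var validTokens = map[string]string{"tok-alice": "alice"}

func verify(token string) (AuthInfo, error) {
	sub, ok := validTokens[token]
	if !ok {
		return AuthInfo{}, errors.New("invalid token")
	}
	return AuthInfo{AccessToken: token, Subject: sub}, nil
}

// AuthMiddleware never rejects; it records the result for handlers to act on.
func AuthMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var info AuthInfo
		var err error = ErrNoToken{}
		if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
			info, err = verify(strings.TrimPrefix(h, "Bearer "))
		}
		next.ServeHTTP(w, r.WithContext(SetAuth(r.Context(), info, err)))
	})
}

// RequireAuth wraps a handler so the GetAuth check cannot be forgotten.
func RequireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := GetAuth(r.Context()); err != nil {
			w.Header().Set("WWW-Authenticate", `Bearer realm="navigaid"`)
			http.Error(w, err.Error(), http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func whoami(w http.ResponseWriter, r *http.Request) {
	info, _ := GetAuth(r.Context()) // RequireAuth already rejected errors
	_, _ = w.Write([]byte(info.Subject))
}

// serve runs one request through the chain and returns status and body.
func serve(authorization string) (int, string) {
	h := AuthMiddleware(RequireAuth(http.HandlerFunc(whoami)))
	req := httptest.NewRequest(http.MethodGet, "/whoami", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	fmt.Println(serve(""))                 // 401 no bearer token in request
	fmt.Println(serve("Bearer tok-bogus")) // 401 invalid token
	fmt.Println(serve("Bearer tok-alice")) // 200 alice
}
```

Handlers behind RequireAuth can call GetAuth for the identity without re-checking the error; handlers mounted without the wrapper must do the check themselves, exactly as the package documentation says.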

func ImasJWKSEndpoint

func ImasJWKSEndpoint(serviceURL string) string

ImasJWKSEndpoint is a helper function that returns the v1 JWKS endpoint URL given a URL that points to the IMAS service.

func NewHTTPClient

func NewHTTPClient() *http.Client

func NewTwirpAuthHook

func NewTwirpAuthHook(_ *slog.Logger, jwks *JWKS, annotate AnnotationFunc) *twirp.ServerHooks

NewTwirpAuthHook creates a twirp server hook that requires a valid NavigaID access token and adds the authentication result to the request context.

func SetAuth

func SetAuth(ctx context.Context, auth AuthInfo, err error) context.Context

SetAuth adds the given authentication result (the AuthInfo, or the error that prevented authentication) to the context so that GetAuth can retrieve it.

func TwirpAuthenticate

func TwirpAuthenticate(ctx context.Context, jwks *JWKS, annotate AnnotationFunc) (context.Context, error)

TwirpAuthenticate verifies that there is a valid access token and adds the authentication result to the request context.

Types

type AccessTokenResponse

type AccessTokenResponse struct {
	AccessToken string `json:"access_token"` //nolint:tagliatelle
	TokenType   string `json:"token_type"`   //nolint:tagliatelle
	ExpiresIn   int    `json:"expires_in"`   //nolint:tagliatelle
}

AccessTokenResponse is the response retrieved from NavigaID.

type AccessTokenService

type AccessTokenService struct {
	// contains filtered or unexported fields
}

AccessTokenService can validate access tokens and create access tokens from NavigaID tokens.

Example
package main

import (
	"fmt"

	"github.com/dimelords/panurge/navigaid"
)

func main() {
	// Exchange a NavigaID token for an access token at the stage token endpoint.
	service := navigaid.New(
		"https://access-token.stage.imid.infomaker.io/v1/token",
	)

	// Validate access tokens against the keys published by the stage IMAS service.
	jwks := navigaid.NewJWKS(
		navigaid.ImasJWKSEndpoint("https://imas.stage.imid.infomaker.io"),
	)

	navigaIDToken := "..."

	at, err := service.NewAccessToken(navigaIDToken)
	if err != nil {
		fmt.Println(err)
		return
	}

	// Do not trust any claim until Validate has verified the signature.
	claims, err := jwks.Validate(at.AccessToken)
	if err != nil {
		fmt.Println(err)
		return
	}

	fmt.Printf("%#v\n", claims)
}

func New

func New(tokenEndpoint string, options ...AccessTokenServiceOption) *AccessTokenService

New creates a new access token service with given options.

func (*AccessTokenService) NewAccessToken

func (ats *AccessTokenService) NewAccessToken(navigaIDToken string) (*AccessTokenResponse, error)

NewAccessToken takes a NavigaID token and returns an access token.

type AccessTokenServiceOption

type AccessTokenServiceOption func(ats *AccessTokenService)

func WithAccessTokenClient

func WithAccessTokenClient(client *http.Client) AccessTokenServiceOption

WithAccessTokenClient sets the HTTP client that should be used for access token requests.

type AnnotationFunc

type AnnotationFunc func(ctx context.Context, organisation string, user string)

AnnotationFunc is used to add authentication annotations to the context.

type AuthInfo

type AuthInfo struct {
	AccessToken string
	Claims      Claims
}

func GetAuth

func GetAuth(ctx context.Context) (AuthInfo, error)

GetAuth retrieves authentication information from the context, or the error recorded when authentication failed.

type Claims

type Claims struct {
	jwt.RegisteredClaims

	Org         string           `json:"org"`
	Groups      []string         `json:"groups"`
	Userinfo    Userinfo         `json:"userinfo"`
	TokenType   string           `json:"ntt"`
	Permissions PermissionsClaim `json:"permissions"`
}

Claims contains the org and groups the token holder belongs to, the token type, the holder's user info and permissions, together with the registered JWT claims.

func (Claims) HasPermissionsInOrganisation

func (c Claims) HasPermissionsInOrganisation(permissions ...string) bool

HasPermissionsInOrganisation checks if the holder has a set of permissions in the organisation.

func (Claims) HasPermissionsInUnit

func (c Claims) HasPermissionsInUnit(unit string, permissions ...string) bool

HasPermissionsInUnit checks if the holder has a set of permissions in a unit, either directly, or inherited from the organisation.

func (Claims) Valid

func (c Claims) Valid() error

type ErrNoToken

type ErrNoToken struct{}

ErrNoToken is used to communicate that no bearer token was included in the request.

func (ErrNoToken) Error

func (err ErrNoToken) Error() string

type JWKS

type JWKS struct {
	// contains filtered or unexported fields
}

JWKS can validate access tokens using published JWKS.

func NewJWKS

func NewJWKS(jwksEndpoint string, options ...JWKSOption) *JWKS

NewJWKS creates a new access token validator that fetches keys from the given JWKS endpoint.

func (*JWKS) Validate

func (j *JWKS) Validate(accessToken string) (Claims, error)

Validate tries to validate a given access token by first parsing it and then looking up the "kid" header to find the matching JWK in the locally cached key set.

func (*JWKS) ValidateToken

func (j *JWKS) ValidateToken(token string, tokenType string) (Claims, error)

ValidateToken tries to validate a given JWT of the expected token type (one of the known token types, such as TokenTypeAccessToken or TokenTypeIDToken) by first parsing it and then looking up the "kid" header to find the matching JWK in the locally cached key set.
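The checks a JWKS-backed validator has to make before any claim can be trusted, as an added example that is not the navigaid implementation: pin the algorithm, resolve the key by "kid" from a cached key set, verify the signature, and only then read the payload to enforce expiry and the "ntt" token type, so that an ID token is never accepted where an access token is required. The "ntt" claim name and the token type strings follow this page; the header and claims structs, the in-memory keySet, and the sign helper are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// header and claims are the JWT parts this example inspects. They are this
// example's own simplified types, not the package's.
type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

type claims struct {
	Sub       string `json:"sub"`
	TokenType string `json:"ntt"`
	Exp       int64  `json:"exp"`
}

// keySet stands in for the locally cached JWKS: kid -> public key.
type keySet map[string]*rsa.PublicKey

var enc = base64.RawURLEncoding

// sign issues an RS256 token under the given kid (test helper only).
func sign(key *rsa.PrivateKey, kid string, c claims) string {
	h, _ := json.Marshal(header{Alg: "RS256", Kid: kid})
	p, _ := json.Marshal(c)
	input := enc.EncodeToString(h) + "." + enc.EncodeToString(p)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + enc.EncodeToString(sig)
}

func decodePart(part string, v any) error {
	raw, err := enc.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// validateToken pins the algorithm, looks up the key by kid, verifies the
// signature, and only then trusts the payload to check expiry and token type.
func validateToken(ks keySet, token, wantType string, now time.Time) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims{}, errors.New("malformed token")
	}
	var h header
	if err := decodePart(parts[0], &h); err != nil {
		return claims{}, err
	}
	// The token must not get to choose "none" or an HMAC algorithm.
	if h.Alg != "RS256" {
		return claims{}, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	pub, ok := ks[h.Kid]
	if !ok {
		return claims{}, fmt.Errorf("unknown kid %q", h.Kid)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return claims{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return claims{}, errors.New("bad signature")
	}
	var c claims
	if err := decodePart(parts[1], &c); err != nil {
		return claims{}, err
	}
	// Strict choice for this example: a token without exp is rejected too.
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return claims{}, errors.New("token expired or has no exp")
	}
	// An ID token must never pass where an access token is required.
	if c.TokenType != wantType {
		return claims{}, fmt.Errorf("token type %q, want %q", c.TokenType, wantType)
	}
	return c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	ks := keySet{"key-1": &key.PublicKey}
	now := time.Now()
	at := sign(key, "key-1", claims{Sub: "user-1", TokenType: "access_token", Exp: now.Add(time.Hour).Unix()})
	fmt.Println(validateToken(ks, at, "access_token", now))
	fmt.Println(validateToken(ks, at, "id_token", now)) // rejected: wrong token type
}
```

The order matters: decoding the payload before the signature is verified invites decisions based on attacker-controlled claims, and an unknown kid should be an error rather than a trigger for blindly accepting whatever key the token points at.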

type JWKSOption

type JWKSOption func(j *JWKS)

JWKSOption is a function that controls the JWKS configuration.

func WithJwksClient

func WithJwksClient(client *http.Client) JWKSOption

WithJwksClient sets the HTTP client that should be used for JWKS requests.

func WithJwksTTL

func WithJwksTTL(ttl time.Duration) JWKSOption

WithJwksTTL can be used to change the default JWKS refresh rate.

type MockServer

type MockServer struct {
	Server       *httptest.Server
	PrivateKey   *rsa.PrivateKey
	PrivateKeyID string
	Client       *http.Client
}

func NewMockServer

func NewMockServer(opts MockServerOptions) (*MockServer, error)

NewMockServer starts an httptest server that mocks two endpoints: one for creating new access tokens and one for providing the signing keys.

type MockServerOptions

type MockServerOptions struct {
	Claims          Claims
	TTL             int    `json:"ttl"`
	PrivatePemKey   string `json:"private_pem_key"`    //nolint:tagliatelle
	PrivatePemKeyID string `json:"private_pem_key_id"` //nolint:tagliatelle
}

type MockService

type MockService struct {
	Mux        *http.ServeMux
	PrivateKey *rsa.PrivateKey
	// contains filtered or unexported fields
}

func NewMockService

func NewMockService(opts MockServerOptions) (MockService, error)

NewMockService creates a mock service that mocks two endpoints: one for creating new access tokens and one for providing the signing keys.

func (MockService) ServeHTTP

func (ms MockService) ServeHTTP(rw http.ResponseWriter, r *http.Request)

type PermissionsClaim

type PermissionsClaim struct {
	Units map[string][]string `json:"units"`
	Org   []string            `json:"org"`
}

PermissionsClaim describes the permissions the holder has in an organisation-wide and per-unit context.

func (PermissionsClaim) PermissionsInOrganisation

func (p PermissionsClaim) PermissionsInOrganisation() map[string]bool

PermissionsInOrganisation returns the permissions the holder has in the organisation.

func (PermissionsClaim) PermissionsInUnit

func (p PermissionsClaim) PermissionsInUnit(unit string) map[string]bool

PermissionsInUnit returns the permissions the holder has in a unit, either directly, or inherited from the organisation.
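To make the inheritance rule concrete, here is an added example (not the package's own code) that decodes a constructed permissions claim with the JSON tags shown on this page and implements the documented semantics: unit permissions are the union of the organisation-wide set and the unit's own entries, and the HasPermissions* checks require every listed permission. The sample payload is constructed, and the decision to fail closed on an empty permission list is this example's own choice, since the page does not say how the package handles that case.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PermissionsClaim mirrors the documented shape: org-wide permissions plus
// per-unit permissions.
type PermissionsClaim struct {
	Units map[string][]string `json:"units"`
	Org   []string            `json:"org"`
}

// Claims carries the subset of the documented claims this example needs.
type Claims struct {
	Sub         string           `json:"sub"`
	Org         string           `json:"org"`
	Groups      []string         `json:"groups"`
	TokenType   string           `json:"ntt"`
	Permissions PermissionsClaim `json:"permissions"`
}

// PermissionsInOrganisation returns the org-wide permissions as a set.
func (p PermissionsClaim) PermissionsInOrganisation() map[string]bool {
	set := make(map[string]bool, len(p.Org))
	for _, perm := range p.Org {
		set[perm] = true
	}
	return set
}

// PermissionsInUnit returns the org-wide permissions merged with the unit's
// own: a unit can only add to what the organisation grants, never remove.
func (p PermissionsClaim) PermissionsInUnit(unit string) map[string]bool {
	set := p.PermissionsInOrganisation()
	for _, perm := range p.Units[unit] {
		set[perm] = true
	}
	return set
}

// hasAll reports whether every required permission is in the set. An empty
// requirement fails closed here (example's choice) so a call with no
// permissions cannot silently authorise everything.
func hasAll(set map[string]bool, permissions []string) bool {
	if len(permissions) == 0 {
		return false
	}
	for _, perm := range permissions {
		if !set[perm] {
			return false
		}
	}
	return true
}

func (c Claims) HasPermissionsInOrganisation(permissions ...string) bool {
	return hasAll(c.Permissions.PermissionsInOrganisation(), permissions)
}

func (c Claims) HasPermissionsInUnit(unit string, permissions ...string) bool {
	return hasAll(c.Permissions.PermissionsInUnit(unit), permissions)
}

// sampleClaims is a constructed payload, not a real NavigaID token.
const sampleClaims = `{
  "sub": "user-1",
  "org": "acme",
  "groups": ["editors"],
  "ntt": "access_token",
  "permissions": {
    "org": ["article:read"],
    "units": {"sports": ["article:write"]}
  }
}`

func parseClaims(raw string) (Claims, error) {
	var c Claims
	err := json.Unmarshal([]byte(raw), &c)
	return c, err
}

func main() {
	c, err := parseClaims(sampleClaims)
	if err != nil {
		panic(err)
	}
	fmt.Println(c.HasPermissionsInUnit("sports", "article:read", "article:write")) // true
	fmt.Println(c.HasPermissionsInUnit("news", "article:write"))                   // false
	fmt.Println(c.HasPermissionsInOrganisation("article:write"))                   // false
}
```

Note that "article:write" granted in the sports unit does not become an organisation-wide permission: the inheritance only flows from the organisation down to units.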

type Transport

type Transport struct {
	// Base is the base RoundTripper used to make HTTP requests.
	// If nil, http.DefaultTransport is used.
	Base http.RoundTripper
}

Transport is an http.RoundTripper that makes OAuth 2.0 HTTP requests based on the NavigaID authentication information in the incoming request's context.

func (*Transport) RoundTrip

func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error)

RoundTrip authorizes the outgoing request with the access token carried in the NavigaID context (as retrieved by GetAuth) and then delegates to Base.

type Userinfo

type Userinfo struct {
	GivenName  string `json:"given_name"`  //nolint:tagliatelle
	FamilyName string `json:"family_name"` //nolint:tagliatelle
	Email      string `json:"email"`
	Picture    string `json:"picture"`
}

Userinfo contains name and similar data.
