Documentation
Index
Constants
const (
	// GuestRoleName defines the role name for an unauthenticated user
	GuestRoleName = "guest"
	// TLSUserRoleName defines the generic role name for a user authenticated with a TLS client certificate
	TLSUserRoleName = "tls_user"
	// JWTUserRoleName defines the generic role name for a user authenticated with a JWT
	JWTUserRoleName = "jwt_user"
	// DPoPUserRoleName defines the generic role name for a user authenticated with a DPoP-bound JWT
	DPoPUserRoleName = "dpop_user"
	// AWSUserRoleName defines the generic role name for a user authenticated via an AWS STS caller identity
	AWSUserRoleName = "aws_user"
	// DefaultSubjectClaim defines the default JWT Subject claim
	DefaultSubjectClaim = "sub"
	// DefaultRoleClaim defines the default Role claim
	DefaultRoleClaim = "email"
	// DefaultTenantClaim defines the default Tenant claim
	DefaultTenantClaim = "tenant"
)

The generic role names are what an authenticated caller receives when none of the configured role maps lists its identity (see DefaultAuthenticatedRole on the map types below); GuestRoleName is the role of a caller that presented no usable credential at all.

const CacheTTL = 5 * time.Minute

CacheTTL defines the TTL for the AWS identity cache.
Variables
This section is empty.
Functions
This section is empty.
Types
type AWSIdentityMap (added in v0.17.0)
type AWSIdentityMap struct {
	// DefaultAuthenticatedRole specifies the role name for an identity that is not found in Roles
	DefaultAuthenticatedRole string `json:"default_authenticated_role" yaml:"default_authenticated_role"`
	// Enabled enables AWS identities
	Enabled bool `json:"enabled" yaml:"enabled"`
	// Roles is a map of role name to the AWS identities that receive that role
	Roles map[string][]string `json:"roles" yaml:"roles"`
	// AllowedAccounts is a list of allowed AWS accounts;
	// if empty, all accounts are allowed
	AllowedAccounts []string `json:"allowed_accounts" yaml:"allowed_accounts"`
}
AWSIdentityMap provides role mapping for identities authenticated via AWS. Note that an empty AllowedAccounts accepts callers from any AWS account and relies on Roles and DefaultAuthenticatedRole alone, so a production configuration should list the expected accounts explicitly.
type CallerIdentity (added in v0.17.0)
type CallerIdentity struct {
	GetCallerIdentityResponse struct {
		GetCallerIdentityResult struct {
			Account string `json:"Account"`
			Arn     string `json:"Arn"`
			UserID  string `json:"UserId"`
		} `json:"GetCallerIdentityResult"`
		ResponseMetadata struct {
			RequestID string `json:"RequestId"`
		} `json:"ResponseMetadata"`
	} `json:"GetCallerIdentityResponse"`
}
CallerIdentity represents the identity of the caller as returned by the AWS STS GetCallerIdentity API. AWS Caller Identity Response documentation: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html
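The following Go program is an added example, not code from this package, showing how a CallerIdentity response could be decoded and run through an AWSIdentityMap: the account allow-list is enforced before any role lookup, and the caller's ARN is matched against Roles. Everything here (the re-declared structs without their tags, the constructed STS response body, ParseCallerIdentity, NormalizeARN and Resolve, and the exact-match rule) is this example's own choice; the package's actual matching rules are not documented on this page. Enabled is assumed to be consulted by the provider's applicability check rather than inside Resolve. NormalizeARN is included because STS reports an assumed role as a session ARN (arn:aws:sts::ACCT:assumed-role/NAME/SESSION) rather than the IAM role ARN, so a mapping keyed on the role would otherwise never match.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
)

// AWSIdentityMap and CallerIdentity re-declare the documented types.
type AWSIdentityMap struct {
	DefaultAuthenticatedRole string
	Enabled                  bool
	Roles                    map[string][]string
	AllowedAccounts          []string
}

type CallerIdentity struct {
	GetCallerIdentityResponse struct {
		GetCallerIdentityResult struct {
			Account string `json:"Account"`
			Arn     string `json:"Arn"`
			UserID  string `json:"UserId"`
		} `json:"GetCallerIdentityResult"`
		ResponseMetadata struct {
			RequestID string `json:"RequestId"`
		} `json:"ResponseMetadata"`
	} `json:"GetCallerIdentityResponse"`
}

// sampleSTSResponse is a constructed body in the JSON shape STS returns for GetCallerIdentity.
const sampleSTSResponse = `{"GetCallerIdentityResponse":{"GetCallerIdentityResult":{"Account":"123456789012","Arn":"arn:aws:sts::123456789012:assumed-role/deploy/i-0abc","UserId":"AROAEXAMPLEID:i-0abc"},"ResponseMetadata":{"RequestId":"req-example"}}}`

// ParseCallerIdentity decodes the response and rejects one without Account and Arn.
func ParseCallerIdentity(body []byte) (CallerIdentity, error) {
	var ci CallerIdentity
	if err := json.Unmarshal(body, &ci); err != nil {
		return ci, err
	}
	res := ci.GetCallerIdentityResponse.GetCallerIdentityResult
	if res.Account == "" || res.Arn == "" {
		return ci, errors.New("GetCallerIdentity response missing Account or Arn")
	}
	return ci, nil
}

// NormalizeARN rewrites an STS session ARN (arn:aws:sts::ACCT:assumed-role/NAME/SESSION)
// to the IAM role ARN (arn:aws:iam::ACCT:role/NAME), so a mapping can list the role
// once instead of every session name. Any other ARN is returned unchanged.
func NormalizeARN(arn string) string {
	p := strings.SplitN(arn, ":", 6)
	if len(p) != 6 || p[2] != "sts" {
		return arn
	}
	res := strings.Split(p[5], "/")
	if len(res) != 3 || res[0] != "assumed-role" {
		return arn
	}
	return fmt.Sprintf("arn:%s:iam::%s:role/%s", p[1], p[4], res[1])
}

// Resolve is a hypothetical helper, not the package's code: AllowedAccounts is
// enforced before Roles is consulted, the caller ARN (raw or normalized) must match
// a listed identity exactly, and DefaultAuthenticatedRole is the fallback.
func (m AWSIdentityMap) Resolve(ci CallerIdentity) (string, error) {
	res := ci.GetCallerIdentityResponse.GetCallerIdentityResult
	if len(m.AllowedAccounts) > 0 && !slices.Contains(m.AllowedAccounts, res.Account) {
		return "", fmt.Errorf("account %s is not allowed", res.Account)
	}
	roleARN := NormalizeARN(res.Arn)
	roles := make([]string, 0, len(m.Roles))
	for r := range m.Roles {
		roles = append(roles, r)
	}
	slices.Sort(roles) // deterministic if an ARN is listed under several roles
	for _, r := range roles {
		if slices.Contains(m.Roles[r], res.Arn) || slices.Contains(m.Roles[r], roleARN) {
			return r, nil
		}
	}
	if m.DefaultAuthenticatedRole == "" {
		return "", fmt.Errorf("no role mapped for %s", res.Arn)
	}
	return m.DefaultAuthenticatedRole, nil
}

func main() {
	ci, err := ParseCallerIdentity([]byte(sampleSTSResponse))
	if err != nil {
		panic(err)
	}
	m := AWSIdentityMap{Enabled: true, DefaultAuthenticatedRole: "aws_user",
		AllowedAccounts: []string{"123456789012"},
		Roles:           map[string][]string{"deployer": {"arn:aws:iam::123456789012:role/deploy"}}}
	fmt.Println(m.Resolve(ci))
}
```

Checking the account before the role map matters because role names are only unique within an account: a role called deploy in a foreign account must not inherit the mapping for the one in yours, and the ARN-level match alone would catch that only if every entry in Roles carries the full account ID.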
type GenericIdentityMap (added in v0.17.0)
type GenericIdentityMap struct {
	// DefaultAuthenticatedRole specifies the role name for an identity that is not found in Roles
	DefaultAuthenticatedRole string `json:"default_authenticated_role" yaml:"default_authenticated_role"`
	// Enabled enables identities of this type (TLS, in IdentityMap)
	Enabled bool `json:"enabled" yaml:"enabled"`
	// Roles is a map of role name to the identities that receive that role
	Roles map[string][]string `json:"roles" yaml:"roles"`
}
GenericIdentityMap provides role mapping for identity types that need no extra settings; IdentityMap uses it for TLS client-certificate identities.
type IdentityMap
type IdentityMap struct {
	// DebugLogs allows adding extra debug logs
	DebugLogs bool `json:"debug_logs" yaml:"debug_logs"`
	// TLS identity map
	TLS GenericIdentityMap `json:"tls" yaml:"tls"`
	// JWT identity map
	JWT JWTIdentityMap `json:"jwt" yaml:"jwt"`
	// DPoP identity map
	DPoP JWTIdentityMap `json:"jwt_dpop" yaml:"jwt_dpop"`
	// AWS identity map
	AWS AWSIdentityMap `json:"aws" yaml:"aws"`
}
IdentityMap contains the role configuration for every supported credential type. Note that the DPoP map is keyed `jwt_dpop`, not `dpop`, in JSON and YAML.
type IdentityProvider
type IdentityProvider interface {
	// ApplicableForRequest returns true if the provider is applicable for the request
	ApplicableForRequest(*http.Request) bool
	// IdentityFromRequest returns the identity extracted from the request
	IdentityFromRequest(*http.Request) (identity.Identity, error)
	// ApplicableForContext returns true if the provider is applicable for the context
	ApplicableForContext(ctx context.Context) bool
	// IdentityFromContext returns the identity extracted from the context for the given URI
	IdentityFromContext(ctx context.Context, uri string) (identity.Identity, error)
}
IdentityProvider is the interface used to extract an identity from HTTP requests and from contexts.
func New
func New(config *IdentityMap, jwt jwt.Parser) (IdentityProvider, error)
New returns an IdentityProvider configured from the identity maps in config, using jwt to parse the tokens of JWT and DPoP identities.
type JWTIdentityMap
type JWTIdentityMap struct {
	// DefaultAuthenticatedRole specifies the role name for an identity that is not found in Roles
	DefaultAuthenticatedRole string `json:"default_authenticated_role" yaml:"default_authenticated_role"`
	// Enabled enables JWT identities
	Enabled bool `json:"enabled" yaml:"enabled"`
	// Issuer specifies the token issuer to check for
	Issuer string `json:"issuer" yaml:"issuer"`
	// Audience specifies the token audience to check for
	Audience string `json:"audience" yaml:"audience"`
	// SubjectClaim specifies the claim name to be used as Subject;
	// by default it's `sub`, but it can be changed to `email` etc.
	SubjectClaim string `json:"subject_claim" yaml:"subject_claim"`
	// RoleClaim specifies the claim name to be used for role mapping;
	// by default it's `email`, but it can be changed to `sub` etc.
	RoleClaim string `json:"role_claim" yaml:"role_claim"`
	// TenantClaim specifies the claim name to be used for tenant mapping;
	// by default it's `tenant`, but it can be changed to `org` etc.
	TenantClaim string `json:"tenant_claim" yaml:"tenant_claim"`
	// Roles is a map of role name to the RoleClaim values that receive that role
	Roles map[string][]string `json:"roles" yaml:"roles"`
}
JWTIdentityMap provides role mapping for JWT identities; the same type is used for DPoP-bound JWTs. Set both Issuer and Audience so that tokens minted by another issuer, or issued for another service, cannot be mapped to a role here.
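The following Go program is an added example, not code from this package, showing how a JWTIdentityMap could turn already-verified claims into a subject, tenant and role, using the page's defaults for SubjectClaim, RoleClaim and TenantClaim and its Issuer and Audience pins. JWTIdentityMap (re-declared without tags), Claims, ResolvedIdentity, claim, audienceOK and Resolve are this example's own names, and exact string matching of the role claim against Roles is an assumption; the package's identity.Identity type and its real matching rules are not reproduced. Signature verification is assumed to have been done by the jwt.Parser given to New, and Enabled is assumed to be consulted by the provider's applicability check rather than here.

```go
package main

import (
	"errors"
	"fmt"
	"slices"
)

// Defaults copied from the package's constants so the example runs stand-alone.
const (
	DefaultSubjectClaim = "sub"
	DefaultRoleClaim    = "email"
	DefaultTenantClaim  = "tenant"
)

// JWTIdentityMap re-declares the documented configuration fields (tags omitted).
type JWTIdentityMap struct {
	DefaultAuthenticatedRole string
	Enabled                  bool
	Issuer                   string
	Audience                 string
	SubjectClaim             string
	RoleClaim                string
	TenantClaim              string
	Roles                    map[string][]string
}

// Claims is a decoded JWT payload; the jwt.Parser passed to New is assumed to have
// verified its signature already, so this example only maps claims to a role.
type Claims map[string]any

// ResolvedIdentity is this example's output, not the package's identity.Identity.
type ResolvedIdentity struct{ Subject, Role, Tenant string }

// claim returns the string value of the named claim, using def when name is "".
func claim(c Claims, name, def string) string {
	if name == "" {
		name = def
	}
	s, _ := c[name].(string)
	return s
}

// audienceOK accepts both the string and the array form of "aud".
func audienceOK(c Claims, want string) bool {
	switch aud := c["aud"].(type) {
	case string:
		return aud == want
	case []any:
		for _, a := range aud {
			if s, ok := a.(string); ok && s == want {
				return true
			}
		}
	}
	return false
}

// Resolve is a hypothetical helper, not the package's code: it pins issuer and
// audience, then maps the role claim through Roles by exact match, falling back
// to DefaultAuthenticatedRole. Enabled is left to the provider's applicability check.
func (m JWTIdentityMap) Resolve(c Claims) (ResolvedIdentity, error) {
	var id ResolvedIdentity
	if iss := claim(c, "iss", ""); m.Issuer != "" && iss != m.Issuer {
		return id, fmt.Errorf("untrusted issuer %q", iss)
	}
	if m.Audience != "" && !audienceOK(c, m.Audience) {
		return id, fmt.Errorf("token not issued for audience %q", m.Audience)
	}
	if id.Subject = claim(c, m.SubjectClaim, DefaultSubjectClaim); id.Subject == "" {
		return id, errors.New("missing subject claim")
	}
	id.Tenant = claim(c, m.TenantClaim, DefaultTenantClaim)
	member := claim(c, m.RoleClaim, DefaultRoleClaim)
	roles := make([]string, 0, len(m.Roles))
	for r := range m.Roles {
		roles = append(roles, r)
	}
	slices.Sort(roles) // deterministic if a member is listed under several roles
	for _, r := range roles {
		if member != "" && slices.Contains(m.Roles[r], member) {
			id.Role = r
			return id, nil
		}
	}
	if m.DefaultAuthenticatedRole == "" {
		return id, fmt.Errorf("no role mapped for %q", member)
	}
	id.Role = m.DefaultAuthenticatedRole
	return id, nil
}

func main() {
	m := JWTIdentityMap{Enabled: true, Issuer: "https://issuer.example", Audience: "api",
		DefaultAuthenticatedRole: "jwt_user", Roles: map[string][]string{"admin": {"alice@example.com"}}}
	fmt.Println(m.Resolve(Claims{"iss": "https://issuer.example", "aud": []any{"api"},
		"sub": "u-1", "email": "alice@example.com", "tenant": "acme"}))
}
```

The claims in main are constructed for the example. Two points worth keeping when adapting this: a missing role claim must not silently match an empty string in Roles (hence the `member != ""` guard), and with RoleClaim left at its default of `email` the mapping is only as trustworthy as the issuer's verification of that email, which is one more reason the Issuer pin should never be left empty.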