ogoogle

package
v0.0.0-...-895b022 Latest Latest
This package is not in the latest version of its module.
Published: Dec 13, 2024 License: BSD-3-Clause, BSD-3-Clause Imports: 13 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func Defaults

func Defaults() oauth.Modifier

func FromFlags

func FromFlags(f *Flags) (oauth.Modifier, error)

func NewGetGroupsVerifier

func NewGetGroupsVerifier(conf *oauth2.Config) (oauth.Verifier, error)

func NewGetUserInfoVerifier

func NewGetUserInfoVerifier(conf *oauth2.Config) (oauth.Verifier, error)

GetUserInfoVerifier tries to fetch the userinfo of a user to verify the validity of a token.

It performs an HTTP request for every attempt to validate the token. If the request fails, either the token is invalid, or there is a problem with the API backend.

func NewOidJWTVerifier

func NewOidJWTVerifier(conf *oauth2.Config) (oauth.Verifier, error)

OidJWTVerifier fetches a google certificate over https once, and uses it to verify the signature in the JWT extra information attached to a returned token.

This only requires fetching a certificate at startup (and well... ideally, refreshing it every now and then), to then use simple crypto functions to verify the signature on every token.
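The check described above, in a self-contained form. This is an added example, not code from the ogoogle package: the signing side (`signES256`) only stands in for the issuer so the program runs offline, and the issuer, audience, `Claims` fields and the ES256 algorithm are assumptions for illustration. What it shows is the structure the description implies: the public key is fetched (here: generated) once and cached in `Verifier`, and every token is then verified locally with no network request.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the subset of id_token claims checked here (hypothetical, deliberately minimal).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var enc = base64.RawURLEncoding

// signES256 stands in for the issuer so the example runs offline; in production only the public half of the key is ever fetched.
func signES256(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw r||s, 32 bytes each, not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// Verifier holds the public key fetched once at startup (the cached "certificate") and the issuer and audience it accepts.
type Verifier struct {
	Key              *ecdsa.PublicKey
	Issuer, Audience string
}

// Verify checks the signature against the cached key, then the claims; no request is made per token.
func (v *Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// The alg header is attacker-controlled: accept only the algorithm the cached key is for, never "none" or an HMAC variant.
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("unsupported or missing alg")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed signature")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(v.Key, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify against cached key")
	}
	var c Claims
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	if c.Iss != v.Issuer || c.Aud != v.Audience || time.Now().Unix() >= c.Exp {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}

// Demo signs with a throwaway key, verifies the token, then shows that a payload re-encoded with a later expiry (but the old signature) is rejected.
func Demo() (verified *Claims, tamperErr error, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	v := &Verifier{Key: &priv.PublicKey, Issuer: "https://issuer.example", Audience: "client-id-example"}
	tok, err := signES256(priv, Claims{Iss: v.Issuer, Aud: v.Audience, Exp: time.Now().Add(time.Hour).Unix()})
	if err != nil {
		return
	}
	if verified, err = v.Verify(tok); err != nil {
		return
	}
	forged, _ := json.Marshal(Claims{Iss: v.Issuer, Aud: v.Audience, Exp: time.Now().Add(24 * time.Hour).Unix()})
	parts := strings.Split(tok, ".")
	_, tamperErr = v.Verify(parts[0] + "." + enc.EncodeToString(forged) + "." + parts[2])
	return
}

func main() {
	fmt.Println(Demo())
}
```

The alg allow-list and the exp/aud/iss checks are the part that the "simple crypto functions" phrase glosses over: the signature proves the payload is the one the issuer signed, and only the claim checks tie it to this client and this point in time. Refreshing the cached key periodically, as the description suggests, is what lets the issuer rotate keys without breaking the verifier.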

func SplitUsername

func SplitUsername(email, hd string) (string, string)

Types

type Flags

type Flags struct {
	// Use JWT certs or API calls to retrieve user info.
	// Valid values are jwt or api.
	FetchMethod string

	// Tri-state:
	//    disabled: don't retrieve groups.
	//    enabled: retrieve groups, but don't fail if there is an error.
	//    enforced: retrieve groups, fail if there is an error.
	GroupsPolicy string
}

func DefaultFlags

func DefaultFlags() *Flags

func (*Flags) Register

func (f *Flags) Register(set kflags.FlagSet, prefix string) *Flags

type GetGroupsVerifier

type GetGroupsVerifier struct {

	// Used mostly for testing, overrides the API endpoint if not empty.
	BasePath string
	// contains filtered or unexported fields
}

GetGroupsVerifier retrieves the user membership in groups.

The groups are stored in the identity cookie of the user, and can optionally be used to deny (or allow) access.

The GetGroupsVerifier relies on the cloudidentity API, which is very poorly documented here:

https://pkg.go.dev/google.golang.org/api/cloudidentity/v1beta1#GroupsMembershipsService.SearchTransitiveGroups

... and was announced in this blog post:

https://workspaceupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html

The API is the only "documented" API that allows retrieving membership without an admin key / admin privileges, relying solely on the credentials of the user.

The API is recursive/transitive: if a user is a member of group A, and group A is a member of group B, then the user is a member of both A and B. However, this API has one major flaw: if one of the groups is closed or configured such that the API cannot compute the transitive membership, the API fails entirely, returning an error.

If any user of your org is part of an external/public google group, the API will most likely fail for that user.

The API allows specifying a query, but the set of fields available for the query seems to be undocumented. We could not find any way to constrain the recursive search to only groups belonging to the domain.

However, the query can be constrained to the "kind of group" used. Specifically, it recognizes two kinds of groups:

- traditional google groups (label "groups.discussion_forum")
- security groups (label "groups.security")
- ... a few more not relevant ...

According to the documentation, any traditional google group can be labeled as a security group. Once labeled, a few more restrictions are enforced, including preventing external or non-security groups from joining.

GetGroupsVerifier will thus only return security groups.

To label a group as a security group, you can tag it via UI by visiting admin.google.com (groups.google.com does not expose the feature!) or by using `gcloud identity groups update --labels=...`. More details here:

https://support.google.com/a/answer/10607394?hl=en
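The two decisions described above, the security-label filter and the GroupsPolicy tri-state from the Flags struct, put together in one program. This is an added example, not code from the ogoogle package: `Membership`, the fetch functions and the sample result are constructed stand-ins for the cloudidentity response (the real API object carries more fields), and the reading of "enabled" as "tolerate the lookup error but store no groups" is an interpretation of the flag comment, not something the package documents.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Membership is a constructed stand-in for one entry of the transitive groups
// search result; the real API object carries more fields.
type Membership struct {
	Group  string   // group email
	Labels []string // e.g. "groups.discussion_forum", "groups.security"
}

// The three values of the GroupsPolicy flag.
const (
	PolicyDisabled = "disabled"
	PolicyEnabled  = "enabled"
	PolicyEnforced = "enforced"
)

// SecurityLabel is the label that marks a group as a security group.
const SecurityLabel = "groups.security"

// securityGroups keeps only groups carrying the security label, sorted so the
// cookie payload is stable. The verifier applies this constraint through its
// query; here it is applied client-side for illustration.
func securityGroups(ms []Membership) []string {
	var out []string
	for _, m := range ms {
		for _, l := range m.Labels {
			if l == SecurityLabel {
				out = append(out, m.Group)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}

// ErrTransitive mimics the failure described above: the whole query errors out
// when one group's membership cannot be expanded.
var ErrTransitive = errors.New("cannot compute transitive membership: group is closed")

// ApplyGroupsPolicy returns the groups to store in the identity under the given
// policy; fetch is the (possibly failing) lookup.
func ApplyGroupsPolicy(policy string, fetch func() ([]Membership, error)) ([]string, error) {
	switch policy {
	case PolicyDisabled:
		return nil, nil
	case PolicyEnabled, PolicyEnforced:
	default:
		// Fail closed on a typo: an unknown policy must not silently skip groups.
		return nil, fmt.Errorf("unknown groups policy %q", policy)
	}
	ms, err := fetch()
	if err != nil {
		if policy == PolicyEnforced {
			return nil, fmt.Errorf("group lookup failed: %w", err)
		}
		// enabled (assumed reading): tolerate the failure, but store no groups
		// rather than a partial or stale list that access rules might act on.
		return nil, nil
	}
	return securityGroups(ms), nil
}

// sample is a constructed result: one plain forum, one group with both labels,
// one pure security group.
var sample = []Membership{
	{Group: "forum@example.com", Labels: []string{"groups.discussion_forum"}},
	{Group: "admins@example.com", Labels: []string{"groups.discussion_forum", "groups.security"}},
	{Group: "oncall@example.com", Labels: []string{"groups.security"}},
}

func okFetch() ([]Membership, error)   { return sample, nil }
func failFetch() ([]Membership, error) { return nil, ErrTransitive }

func main() {
	for _, p := range []string{PolicyDisabled, PolicyEnabled, PolicyEnforced, "enforce"} {
		g, err := ApplyGroupsPolicy(p, okFetch)
		fmt.Printf("%-9s ok-fetch   groups=%v err=%v\n", p, g, err)
		g, err = ApplyGroupsPolicy(p, failFetch)
		fmt.Printf("%-9s fail-fetch groups=%v err=%v\n", p, g, err)
	}
}
```

The practical point of the three-way switch is visible in the fail-fetch rows: with "enforced", a user whose transitive membership cannot be computed (the external/public group case above) is denied outright, while "enabled" lets that user in with an empty group list, so any access rule keyed on group membership should treat "no groups" as "not a member" rather than "unknown".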

func (*GetGroupsVerifier) Scopes

func (ggv *GetGroupsVerifier) Scopes() []string

func (*GetGroupsVerifier) Verify

func (gui *GetGroupsVerifier) Verify(log logger.Logger, identity *oauth.Identity, tok *oauth2.Token) (*oauth.Identity, error)

type GetUserInfoVerifier

type GetUserInfoVerifier struct {
	// contains filtered or unexported fields
}

func (*GetUserInfoVerifier) Scopes

func (gui *GetUserInfoVerifier) Scopes() []string

func (*GetUserInfoVerifier) Verify

func (gui *GetUserInfoVerifier) Verify(log logger.Logger, identity *oauth.Identity, tok *oauth2.Token) (*oauth.Identity, error)

type OidJWTVerifier

type OidJWTVerifier struct {
	// contains filtered or unexported fields
}

func (*OidJWTVerifier) Scopes

func (ojt *OidJWTVerifier) Scopes() []string

func (*OidJWTVerifier) Verify

func (ojt *OidJWTVerifier) Verify(log logger.Logger, identity *oauth.Identity, tok *oauth2.Token) (*oauth.Identity, error)
