- Constants
- Variables
- func AddCallerAuthInfoToContext(ctx context.Context, info CallerAuthInfo) context.Contextdeprecated
- func IsInvalidTokenErr(err error) bool
- type Access
- func (c *Access) Audience() []string
- func (c *Access) DelegatedPermissions() []string
- func (c *Access) Expiry() *time.Time
- func (c *Access) IsNil() bool
- func (c *Access) IssuedAt() *time.Time
- func (c *Access) Issuer() string
- func (c *Access) JTI() string
- func (c *Access) Namespace() string
- func (c *Access) NotBefore() *time.Time
- func (c *Access) Permissions() []string
- func (c *Access) Scopes() []string
- func (c *Access) Subject() string
- type AccessTokenClaims
- type AccessTokenVerifier
- type AuthInfo
- type CallerAuthInfodeprecated
- func (c *CallerAuthInfo) GetAccess() claims.AccessClaims
- func (c *CallerAuthInfo) GetExtra() map[string][]string
- func (c *CallerAuthInfo) GetGroups() []string
- func (c *CallerAuthInfo) GetIdentity() claims.IdentityClaims
- func (c *CallerAuthInfo) GetName() string
- func (c *CallerAuthInfo) GetUID() string
- type CallerAuthInfoContextKey
- type Claims
- type ContextMetadataExtractor
- type DefaultKeyRetriever
- type DefaultKeyRetrieverOption
- type ExchangeClientOpts
- type GrpcAuthenticator
- type GrpcAuthenticatorConfig
- type GrpcAuthenticatorOption
- type GrpcClientConfig
- type GrpcClientInterceptor
- type GrpcClientInterceptorOption
- func WithDisableAccessTokenOption() GrpcClientInterceptorOption
- func WithIDTokenExtractorOption(extractor func(context.Context) (string, error)) GrpcClientInterceptorOption
- func WithMetadataExtractorOption(extractors ...ContextMetadataExtractor) GrpcClientInterceptorOption
- func WithTokenClientOption(tokenClient TokenExchanger) GrpcClientInterceptorOption
- func WithTracerOption(tracer trace.Tracer) GrpcClientInterceptorOption
- type IDTokenClaims
- type IDTokenVerifier
- type Identity
- func (c *Identity) Audience() []string
- func (c *Identity) AuthenticatedBy() string
- func (c *Identity) DisplayName() string
- func (c *Identity) Email() string
- func (c *Identity) EmailVerified() bool
- func (c *Identity) Expiry() *time.Time
- func (c *Identity) Identifier() string
- func (c *Identity) IdentityType() claims.IdentityType
- func (c *Identity) IsNil() bool
- func (c *Identity) IssuedAt() *time.Time
- func (c *Identity) Issuer() string
- func (c *Identity) JTI() string
- func (c *Identity) Namespace() string
- func (c *Identity) NotBefore() *time.Time
- func (c *Identity) Subject() string
- func (c *Identity) Username() string
- type KeyRetriever
- type KeyRetrieverConfig
- type NoopVerifier
- type TokenExchangeClient
- type TokenExchangeConfig
- type TokenExchangeRequest
- type TokenExchangeResponse
- type TokenExchanger
- type TokenType
- type UnsafeVerifierBase
- type Verifier
- type VerifierBase
- type VerifierConfig
Constants ¶
// Default gRPC metadata keys used to carry tokens from the client interceptor
// (GrpcClientConfig) to the server-side authenticator (GrpcAuthenticatorConfig).
const (
	// DefaultAccessTokenMetadataKey is the metadata key for the access token.
	DefaultAccessTokenMetadataKey = "X-Access-Token"
	// DefaultIdTokenMetadataKey is the metadata key for the ID token.
	DefaultIdTokenMetadataKey = "X-Id-Token"
)
Variables ¶
// Token verification errors. The ErrParseToken/ErrInvalid*/ErrExpiredToken
// values wrap the unexported errInvalidToken, which is presumably what
// IsInvalidTokenErr matches on (its body is not shown here — confirm).
// ErrFetchingSigningKey and ErrMissingConfig describe key-retrieval and
// configuration failures rather than a bad token.
var (
	ErrFetchingSigningKey = errors.New("unable to fetch signing keys")
	ErrParseToken         = fmt.Errorf("%w: failed to parse as jwt token", errInvalidToken)
	ErrInvalidTokenType   = fmt.Errorf("%w: invalid token type", errInvalidToken)
	ErrInvalidSigningKey  = fmt.Errorf("%w: unrecognized signing key", errInvalidToken)
	ErrExpiredToken       = fmt.Errorf("%w: expired token", errInvalidToken)
	ErrInvalidAudience    = fmt.Errorf("%w: invalid audience", errInvalidToken)
	ErrMissingConfig      = errors.New("missing config")
)
// Token exchange errors. ErrMissingNamespace and ErrMissingAudiences are
// presumably returned when a TokenExchangeRequest lacks those required fields
// (the request type is not shown here — confirm); ErrInvalidExchangeResponse
// covers a malformed reply from the exchange endpoint.
var (
	ErrMissingNamespace        = errors.New("missing required namespace")
	ErrMissingAudiences        = errors.New("missing required audiences")
	ErrInvalidExchangeResponse = errors.New("invalid exchange response")
)
// gRPC status errors, presumably returned by GrpcAuthenticator.Authenticate.
// Missing credentials map to codes.Unauthenticated; credentials that are
// present but fail verification, or whose namespaces/subjects do not agree,
// map to codes.PermissionDenied.
var (
	ErrorMissingMetadata    = status.Error(codes.Unauthenticated, "unauthenticated: no metadata found")
	ErrorMissingIDToken     = status.Error(codes.Unauthenticated, "unauthenticated: missing id token")
	ErrorMissingAccessToken = status.Error(codes.Unauthenticated, "unauthenticated: missing access token")
	ErrorInvalidIDToken     = status.Error(codes.PermissionDenied, "unauthorized: invalid id token")
	ErrorInvalidAccessToken = status.Error(codes.PermissionDenied, "unauthorized: invalid access token")
	ErrorNamespacesMismatch = status.Error(codes.PermissionDenied, "unauthorized: access and id token namespaces mismatch")
	ErrorInvalidSubject     = status.Error(codes.PermissionDenied, "unauthorized: invalid subject")
	ErrorInvalidSubjectType = status.Error(codes.PermissionDenied, "unauthorized: invalid subject type")
)
Functions ¶
func AddCallerAuthInfoToContext
deprecated
func AddCallerAuthInfoToContext(ctx context.Context, info CallerAuthInfo) context.Context
Deprecated: use claims.With(...)
func IsInvalidTokenErr ¶
Types ¶
type Access ¶
// Access wraps verified access token claims (constructed via NewAccessClaims
// from a Claims[AccessTokenClaims]) and implements claims.AccessClaims.
type Access struct {
// contains filtered or unexported fields
}
func NewAccessClaims ¶
func NewAccessClaims(c Claims[AccessTokenClaims]) *Access
func (*Access) DelegatedPermissions ¶
DelegatedPermissions implements claims.AccessClaims.
func (*Access) Permissions ¶
Permissions implements claims.AccessClaims.
type AccessTokenClaims ¶
// AccessTokenClaims are the custom claims carried by a Grafana-issued access
// token (the T in Claims[AccessTokenClaims], see AccessTokenVerifier.Verify).
type AccessTokenClaims struct {
	// Namespace takes the form of '<type>-<id>', '*' means all namespaces.
	// Type can be either org or stack.
	Namespace string `json:"namespace"`
	// Access policy scopes
	Scopes []string `json:"scopes"`
	// Grafana roles
	Permissions []string `json:"permissions"`
	// On-behalf-of user
	DelegatedPermissions []string `json:"delegatedPermissions"`
}
type AccessTokenVerifier ¶
// AccessTokenVerifier is a convenience wrapper around Verifier for
// Grafana-issued access tokens. NewAccessTokenVerifier builds one that checks
// signatures against a KeyRetriever; NewUnsafeAccessTokenVerifier builds one
// without a KeyRetriever (see the unsafe-verifier caveat on NewUnsafeGrpcAuthenticator).
type AccessTokenVerifier struct {
// contains filtered or unexported fields
}
AccessTokenVerifier is a convenient wrapper around `Verifier` used to verify and authenticate Grafana-issued access tokens.
func NewAccessTokenVerifier ¶
func NewAccessTokenVerifier(cfg VerifierConfig, keys KeyRetriever) *AccessTokenVerifier
func NewUnsafeAccessTokenVerifier ¶
func NewUnsafeAccessTokenVerifier(cfg VerifierConfig) *AccessTokenVerifier
func (*AccessTokenVerifier) Verify ¶
func (e *AccessTokenVerifier) Verify(ctx context.Context, token string) (*Claims[AccessTokenClaims], error)
type AuthInfo ¶
func (*AuthInfo) GetAccess ¶
func (c *AuthInfo) GetAccess() claims.AccessClaims
GetAccess implements claims.AuthInfo.
func (*AuthInfo) GetIdentity ¶
func (c *AuthInfo) GetIdentity() claims.IdentityClaims
GetIdentity implements claims.AuthInfo.
type CallerAuthInfo
deprecated
// CallerAuthInfo bundles the verified claims of a caller. IDTokenClaims is a
// pointer and is presumably nil when no ID token was presented (ID token
// authentication is optional unless WithIDTokenAuthOption(true) is set —
// confirm); AccessTokenClaims is held by value.
type CallerAuthInfo struct {
	IDTokenClaims     *Claims[IDTokenClaims]
	AccessTokenClaims Claims[AccessTokenClaims]
}
Deprecated: Use authn.AuthInfo
func GetCallerAuthInfoFromContext
deprecated
func GetCallerAuthInfoFromContext(ctx context.Context) (CallerAuthInfo, bool)
Deprecated: use claims.From(...)
func (*CallerAuthInfo) GetAccess ¶
func (c *CallerAuthInfo) GetAccess() claims.AccessClaims
GetAccess implements claims.AuthInfo.
func (*CallerAuthInfo) GetExtra ¶
func (c *CallerAuthInfo) GetExtra() map[string][]string
GetExtra implements claims.AuthInfo.
func (*CallerAuthInfo) GetGroups ¶
func (c *CallerAuthInfo) GetGroups() []string
GetGroups implements claims.AuthInfo.
func (*CallerAuthInfo) GetIdentity ¶
func (c *CallerAuthInfo) GetIdentity() claims.IdentityClaims
GetIdentity implements claims.AuthInfo.
func (*CallerAuthInfo) GetName ¶
func (c *CallerAuthInfo) GetName() string
GetName implements claims.AuthInfo.
func (*CallerAuthInfo) GetUID ¶
func (c *CallerAuthInfo) GetUID() string
GetUID implements claims.AuthInfo.
type CallerAuthInfoContextKey ¶
// CallerAuthInfoContextKey is the context key type presumably used by the
// deprecated AddCallerAuthInfoToContext / GetCallerAuthInfoFromContext helpers.
type CallerAuthInfoContextKey struct{}
type DefaultKeyRetriever ¶
// DefaultKeyRetriever fetches JWT signing keys using the SigningKeysURL from
// KeyRetrieverConfig; build it with NewKeyRetriever. Its HTTP client can be
// replaced via WithHTTPClientKeyRetrieverOpt.
type DefaultKeyRetriever struct {
// contains filtered or unexported fields
}
func NewKeyRetriever ¶
func NewKeyRetriever(cfg KeyRetrieverConfig, opt ...DefaultKeyRetrieverOption) *DefaultKeyRetriever
type DefaultKeyRetrieverOption ¶
// DefaultKeyRetrieverOption configures a DefaultKeyRetriever; pass options to
// NewKeyRetriever (see WithHTTPClientKeyRetrieverOpt).
type DefaultKeyRetrieverOption func(*DefaultKeyRetriever)
func WithHTTPClientKeyRetrieverOpt ¶
func WithHTTPClientKeyRetrieverOpt(client *http.Client) DefaultKeyRetrieverOption
WithHTTPClientKeyRetrieverOpt allows setting the HTTP client to be used by the key retriever.
type ExchangeClientOpts ¶
// ExchangeClientOpts configures a TokenExchangeClient during
// NewTokenExchangeClient (see WithHTTPClient).
type ExchangeClientOpts func(c *TokenExchangeClient)
ExchangeClientOpts allows setting custom parameters during construction.
func WithHTTPClient ¶
func WithHTTPClient(client *http.Client) ExchangeClientOpts
WithHTTPClient allows setting the HTTP client to be used by the token exchange client.
type GrpcAuthenticator ¶
// GrpcAuthenticator authenticates incoming gRPC requests from the access token
// and ID token carried in request metadata. NewGrpcAuthenticator uses
// signature-checking verifiers; NewUnsafeGrpcAuthenticator does not.
type GrpcAuthenticator struct {
// contains filtered or unexported fields
}
GrpcAuthenticator is a gRPC authenticator that authenticates incoming requests based on the access token and ID token.
func NewGrpcAuthenticator ¶
func NewGrpcAuthenticator(cfg *GrpcAuthenticatorConfig, opts ...GrpcAuthenticatorOption) (*GrpcAuthenticator, error)
NewGrpcAuthenticator creates a new gRPC authenticator that uses safe verifiers (i.e. JWT signature is checked). If a KeyRetriever is not provided via WithKeyRetrieverOption, a default one is created using the configuration provided via GrpcAuthenticatorConfig.KeyRetrieverConfig.
func NewUnsafeGrpcAuthenticator ¶
func NewUnsafeGrpcAuthenticator(cfg *GrpcAuthenticatorConfig, opts ...GrpcAuthenticatorOption) *GrpcAuthenticator
NewUnsafeGrpcAuthenticator creates a new gRPC authenticator that uses unsafe verifiers (i.e. the JWT signature is not checked). Unsafe verifiers perform neither key retrieval nor JWT signature validation. **Use with caution**.
func (*GrpcAuthenticator) Authenticate ¶
Authenticate authenticates the incoming request based on the access token and ID token, and returns the context with the caller information.
type GrpcAuthenticatorConfig ¶
// GrpcAuthenticatorConfig holds the configuration for the gRPC authenticator
// (see NewGrpcAuthenticator and NewUnsafeGrpcAuthenticator). The metadata key
// defaults are DefaultAccessTokenMetadataKey and DefaultIdTokenMetadataKey.
type GrpcAuthenticatorConfig struct {
	// AccessTokenMetadataKey is the key used to retrieve the access token from the incoming metadata.
	// Defaults to "X-Access-Token".
	AccessTokenMetadataKey string
	// IDTokenMetadataKey is the key used to retrieve the ID token from the incoming metadata.
	// Defaults to "X-Id-Token".
	IDTokenMetadataKey string
	// KeyRetrieverConfig holds the configuration for the key retriever.
	// Ignored if KeyRetrieverOption is provided or when unsafe verifiers are used via NewUnsafeGrpcAuthenticator.
	KeyRetrieverConfig KeyRetrieverConfig
	// VerifierConfig holds the configuration for the token verifiers.
	VerifierConfig VerifierConfig
	// contains filtered or unexported fields
}
GrpcAuthenticatorConfig holds the configuration for the gRPC authenticator.
type GrpcAuthenticatorOption ¶
// GrpcAuthenticatorOption configures a GrpcAuthenticator; options are passed to
// NewGrpcAuthenticator / NewUnsafeGrpcAuthenticator (see WithIDTokenAuthOption,
// WithKeyRetrieverOption, WithTracerAuthOption, WithDisableAccessTokenAuthOption).
type GrpcAuthenticatorOption func(*GrpcAuthenticator)
GrpcAuthenticatorOption configures a GrpcAuthenticator; options are passed to NewGrpcAuthenticator or NewUnsafeGrpcAuthenticator.
func WithDisableAccessTokenAuthOption ¶
func WithDisableAccessTokenAuthOption() GrpcAuthenticatorOption
WithDisableAccessTokenAuthOption is an option to disable access token authentication. Warning: Using this option means there won't be any service authentication.
func WithIDTokenAuthOption ¶
func WithIDTokenAuthOption(required bool) GrpcAuthenticatorOption
WithIDTokenAuthOption is a flag to enable ID token authentication. If required is true, the ID token is required for authentication.
func WithKeyRetrieverOption ¶
func WithKeyRetrieverOption(kr KeyRetriever) GrpcAuthenticatorOption
func WithTracerAuthOption ¶
func WithTracerAuthOption(tracer trace.Tracer) GrpcAuthenticatorOption
WithTracerAuthOption sets the tracer for the gRPC authenticator.
type GrpcClientConfig ¶
// GrpcClientConfig holds the configuration for the gRPC client interceptor
// (see NewGrpcClientInterceptor). The metadata key defaults are
// DefaultAccessTokenMetadataKey and DefaultIdTokenMetadataKey.
type GrpcClientConfig struct {
	// AccessTokenMetadataKey is the key used to store the access token in the outgoing context metadata.
	// Defaults to "X-Access-Token".
	AccessTokenMetadataKey string
	// IDTokenMetadataKey is the key used to store the ID token in the outgoing context metadata.
	// Not required if IDTokenExtractor is provided. Defaults to "X-Id-Token".
	IDTokenMetadataKey string
	// TokenClientConfig holds the configuration for the token exchange client.
	// Not required if TokenClient is provided.
	TokenClientConfig *TokenExchangeConfig
	// TokenRequest is the token request to be used for token exchange.
	// This assumes the token request is static and does not change.
	TokenRequest *TokenExchangeRequest
	// contains filtered or unexported fields
}
GrpcClientConfig holds the configuration for the gRPC client interceptor.
type GrpcClientInterceptor ¶
// GrpcClientInterceptor is a gRPC client interceptor that adds an access token
// to the outgoing context metadata; it exposes UnaryClientInterceptor and
// StreamClientInterceptor and is built with NewGrpcClientInterceptor.
type GrpcClientInterceptor struct {
// contains filtered or unexported fields
}
GrpcClientInterceptor is a gRPC client interceptor that adds an access token to the outgoing context metadata.
func NewGrpcClientInterceptor ¶
func NewGrpcClientInterceptor(cfg *GrpcClientConfig, opts ...GrpcClientInterceptorOption) (*GrpcClientInterceptor, error)
func (*GrpcClientInterceptor) StreamClientInterceptor ¶
func (gci *GrpcClientInterceptor) StreamClientInterceptor(ctx context.Context, desc *grpc.StreamDesc, cc *grpc.ClientConn, method string, streamer grpc.Streamer, opts ...grpc.CallOption) (grpc.ClientStream, error)
func (*GrpcClientInterceptor) UnaryClientInterceptor ¶
func (gci *GrpcClientInterceptor) UnaryClientInterceptor(ctx context.Context, method string, req, reply interface{}, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error
type GrpcClientInterceptorOption ¶
// GrpcClientInterceptorOption configures a GrpcClientInterceptor; options are
// passed to NewGrpcClientInterceptor (see the With*Option constructors below).
type GrpcClientInterceptorOption func(*GrpcClientInterceptor)
func WithDisableAccessTokenOption ¶
func WithDisableAccessTokenOption() GrpcClientInterceptorOption
WithDisableAccessTokenOption is an option to disable access token authentication. Warning: Using this option means there won't be any service authentication.
func WithIDTokenExtractorOption ¶
func WithIDTokenExtractorOption(extractor func(context.Context) (string, error)) GrpcClientInterceptorOption
func WithMetadataExtractorOption ¶
func WithMetadataExtractorOption(extractors ...ContextMetadataExtractor) GrpcClientInterceptorOption
func WithTokenClientOption ¶
func WithTokenClientOption(tokenClient TokenExchanger) GrpcClientInterceptorOption
func WithTracerOption ¶
func WithTracerOption(tracer trace.Tracer) GrpcClientInterceptorOption
WithTracerOption sets the tracer for the gRPC client interceptor.
type IDTokenClaims ¶
// IDTokenClaims are the custom claims carried by a Grafana-issued ID token
// (the T in Claims[IDTokenClaims], see IDTokenVerifier.Verify). Identity wraps
// them to implement claims.IdentityClaims.
type IDTokenClaims struct {
	// Identifier is the unique ID of the entity.
	Identifier string `json:"identifier"`
	// Type is the type of the entity.
	Type claims.IdentityType `json:"type"`
	// Namespace takes the form of '<type>-<id>', '*' means all namespaces.
	// Type can be either org or stack.
	Namespace string `json:"namespace"`
	// AuthenticatedBy is the method used to authenticate the identity.
	AuthenticatedBy string `json:"authenticatedBy,omitempty"`
	// Email and EmailVerified are optional (omitempty) and may be absent.
	Email         string `json:"email,omitempty"`
	EmailVerified bool   `json:"email_verified,omitempty"`
	// Username of the user (login attribute on the Identity).
	Username string `json:"username,omitempty"`
	// Display name of the user (name attribute if it is set, otherwise the login or email).
	DisplayName string `json:"name,omitempty"`
}
type IDTokenVerifier ¶
// IDTokenVerifier is a convenience wrapper around Verifier for Grafana-issued
// ID tokens. NewIDTokenVerifier builds one that checks signatures against a
// KeyRetriever; NewUnsafeIDTokenVerifier builds one without a KeyRetriever
// (see the unsafe-verifier caveat on NewUnsafeGrpcAuthenticator).
type IDTokenVerifier struct {
// contains filtered or unexported fields
}
IDTokenVerifier is a convenient wrapper around `Verifier` used to verify Grafana-issued ID tokens.
func NewIDTokenVerifier ¶
func NewIDTokenVerifier(cfg VerifierConfig, keys KeyRetriever) *IDTokenVerifier
func NewUnsafeIDTokenVerifier ¶
func NewUnsafeIDTokenVerifier(cfg VerifierConfig) *IDTokenVerifier
func (*IDTokenVerifier) Verify ¶
func (e *IDTokenVerifier) Verify(ctx context.Context, token string) (*Claims[IDTokenClaims], error)
type Identity ¶
// Identity wraps verified ID token claims (constructed via NewIdentityClaims
// from a Claims[IDTokenClaims]) and implements claims.IdentityClaims.
type Identity struct {
// contains filtered or unexported fields
}
func NewIdentityClaims ¶
func NewIdentityClaims(c Claims[IDTokenClaims]) *Identity
func (*Identity) AuthenticatedBy ¶
AuthenticatedBy implements claims.IdentityClaims.
func (*Identity) DisplayName ¶
DisplayName implements claims.IdentityClaims.
func (*Identity) EmailVerified ¶
EmailVerified implements claims.IdentityClaims.
func (*Identity) Identifier ¶
Identifier implements claims.IdentityClaims.
func (*Identity) IdentityType ¶
func (c *Identity) IdentityType() claims.IdentityType
IdentityType implements claims.IdentityClaims.
type KeyRetriever ¶
type KeyRetrieverConfig ¶
// KeyRetrieverConfig configures the key retriever built by NewKeyRetriever.
// Fields can also be populated from command-line flags via RegisterFlags.
type KeyRetrieverConfig struct {
// SigningKeysURL is the URL the retriever fetches JWT signing keys from;
// fetch failures presumably surface as ErrFetchingSigningKey (confirm against
// DefaultKeyRetriever's implementation).
SigningKeysURL string `yaml:"signingKeysUrl"`
}
func (*KeyRetrieverConfig) RegisterFlags ¶
func (c *KeyRetrieverConfig) RegisterFlags(prefix string, fs *flag.FlagSet)
type NoopVerifier ¶
// NoopVerifier is a stateless, generic verifier constructed with
// NewNoopVerifier. Its Verify behaviour is not shown on this page; the name
// suggests it performs no verification at all, so it should not be used on
// an untrusted path — confirm against the implementation.
type NoopVerifier[T any] struct{}
func NewNoopVerifier ¶
func NewNoopVerifier[T any]() *NoopVerifier[T]
type TokenExchangeClient ¶
// TokenExchangeClient exchanges a TokenExchangeRequest for a token by calling
// the configured TokenExchangeURL; it satisfies TokenExchanger. Build it with
// NewTokenExchangeClient (see WithHTTPClient to override the HTTP client).
type TokenExchangeClient struct {
// contains filtered or unexported fields
}
func NewTokenExchangeClient ¶
func NewTokenExchangeClient(cfg TokenExchangeConfig, opts ...ExchangeClientOpts) (*TokenExchangeClient, error)
func (*TokenExchangeClient) Exchange ¶
func (c *TokenExchangeClient) Exchange(ctx context.Context, r TokenExchangeRequest) (*TokenExchangeResponse, error)
type TokenExchangeConfig ¶
// TokenExchangeConfig configures NewTokenExchangeClient. Fields can also be
// populated from command-line flags via RegisterFlags.
type TokenExchangeConfig struct {
	// Token used to perform the exchange request.
	// NOTE(review): this is a credential; keep it out of logs and debug dumps,
	// and treat the flag/YAML sources that populate it accordingly.
	Token string `yaml:"token"`
	// Url called to perform exchange request.
	TokenExchangeURL string `yaml:"tokenExchangeUrl"`
}
func (*TokenExchangeConfig) RegisterFlags ¶
func (c *TokenExchangeConfig) RegisterFlags(prefix string, fs *flag.FlagSet)
type TokenExchangeRequest ¶
type TokenExchangeResponse ¶
// TokenExchangeResponse is returned by TokenExchanger.Exchange.
type TokenExchangeResponse struct {
// Token is the exchanged token.
Token string
}
type TokenExchanger ¶
// TokenExchanger is the exchange-client abstraction used by the gRPC client
// interceptor (see WithTokenClientOption). TokenExchangeClient implements it;
// the interface exists so the client can be mocked.
type TokenExchanger interface {
Exchange(ctx context.Context, r TokenExchangeRequest) (*TokenExchangeResponse, error)
}
TokenExchanger is provided so that the exchange client can be mocked.
type UnsafeVerifierBase ¶
// UnsafeVerifierBase is the generic verifier built by NewUnsafeVerifier. Per
// the NewUnsafeGrpcAuthenticator documentation, unsafe verifiers perform no
// key retrieval and no JWT signature validation, so claims they return are not
// authenticated.
type UnsafeVerifierBase[T any] struct {
	// contains filtered or unexported fields
}
func NewUnsafeVerifier ¶
func NewUnsafeVerifier[T any](cfg VerifierConfig, typ TokenType) *UnsafeVerifierBase[T]
type VerifierBase ¶
// VerifierBase is the generic verifier built by NewVerifier; it takes a
// KeyRetriever, which the signature-checking (safe) verifiers use to obtain
// signing keys.
type VerifierBase[T any] struct {
	// contains filtered or unexported fields
}
func NewVerifier ¶
func NewVerifier[T any](cfg VerifierConfig, typ TokenType, keys KeyRetriever) *VerifierBase[T]
type VerifierConfig ¶
func (*VerifierConfig) RegisterFlags ¶
func (c *VerifierConfig) RegisterFlags(prefix string, fs *flag.FlagSet)