x509request

package

v0.4.3 Latest Latest Go to latest Published: Apr 8, 2015 License: Apache-2.0 Imports: 6 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/gsson/origin

Links

Open Source Insights

Documentation ¶

Overview ¶

Package x509request provides a request authenticator that validates and extracts user information from client certificates

Index ¶

Variables
func DefaultVerifyOptions() x509.VerifyOptions
func NewVerifier(opts x509.VerifyOptions, auth authenticator.Request) authenticator.Request
func SubjectToUser(subject pkix.Name) user.Info
func UserToSubject(u user.Info) pkix.Name
type Authenticator
- func New(opts x509.VerifyOptions, user UserConversion) *Authenticator
- func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error)
type UserConversion
type UserConversionFunc
- func (f UserConversionFunc) User(chain []*x509.Certificate) (user.Info, bool, error)
type Verifier
- func (a *Verifier) AuthenticateRequest(req *http.Request) (user.Info, bool, error)

Constants ¶

This section is empty.

Variables ¶

View Source

var CommonNameUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (user.Info, bool, error) {
	if len(chain[0].Subject.CommonName) == 0 {
		return nil, false, nil
	}
	return &user.DefaultInfo{Name: chain[0].Subject.CommonName}, true, nil
})

CommonNameUserConversion builds user info from a certificate chain using the subject's CommonName

View Source

var DNSNameUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (user.Info, bool, error) {
	if len(chain[0].DNSNames) == 0 {
		return nil, false, nil
	}
	return &user.DefaultInfo{Name: chain[0].DNSNames[0]}, true, nil
})

DNSNameUserConversion builds user info from a certificate chain using the first DNSName on the certificate

View Source

var EmailAddressUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (user.Info, bool, error) {
	if len(chain[0].EmailAddresses) == 0 {
		return nil, false, nil
	}
	return &user.DefaultInfo{Name: chain[0].EmailAddresses[0]}, true, nil
})

EmailAddressUserConversion builds user info from a certificate chain using the first EmailAddress on the certificate

View Source

var SubjectToUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (user.Info, bool, error) {
	user := SubjectToUser(chain[0].Subject)
	if len(user.GetName()) == 0 {
		return nil, false, nil
	}
	return user, true, nil
})

SubjectToUserConversion calls SubjectToUser on the subject of the first certificate in the chain. If the resulting user has no name, it returns nil, false, nil

Functions ¶

func DefaultVerifyOptions ¶

func DefaultVerifyOptions() x509.VerifyOptions

DefaultVerifyOptions returns VerifyOptions that use the system root certificates, current time, and requires certificates to be valid for client auth (x509.ExtKeyUsageClientAuth)

func NewVerifier ¶ added in v0.4.2

func NewVerifier(opts x509.VerifyOptions, auth authenticator.Request) authenticator.Request

func SubjectToUser ¶ added in v0.3.1

func SubjectToUser(subject pkix.Name) user.Info

func UserToSubject ¶ added in v0.3.1

func UserToSubject(u user.Info) pkix.Name

Types ¶

type Authenticator ¶

type Authenticator struct {
	// contains filtered or unexported fields
}

Authenticator implements request.Authenticator by extracting user info from verified client certificates

func New ¶

func New(opts x509.VerifyOptions, user UserConversion) *Authenticator

New returns a request.Authenticator that verifies client certificates using the provided VerifyOptions, and converts valid certificate chains into user.Info using the provided UserConversion

func (*Authenticator) AuthenticateRequest ¶

func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error)

AuthenticateRequest authenticates the request using presented client certificates

type UserConversion ¶

type UserConversion interface {
	User(chain []*x509.Certificate) (user.Info, bool, error)
}

UserConversion defines an interface for extracting user info from a client certificate chain

type UserConversionFunc ¶

type UserConversionFunc func(chain []*x509.Certificate) (user.Info, bool, error)

UserConversionFunc is a function that implements the UserConversion interface.

func (UserConversionFunc) User ¶

func (f UserConversionFunc) User(chain []*x509.Certificate) (user.Info, bool, error)

User implements x509.UserConversion

type Verifier ¶ added in v0.4.2

type Verifier struct {
	// contains filtered or unexported fields
}

Verifier implements request.Authenticator by verifying a client cert on the request, then delegating to the wrapped auth

func (*Verifier) AuthenticateRequest ¶ added in v0.4.2

func (a *Verifier) AuthenticateRequest(req *http.Request) (user.Info, bool, error)

AuthenticateRequest verifies the presented client certificates, then delegates to the wrapped auth

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL