Affected by GO-2023-1898 and 1 other vulnerabilities

GO-2023-1898: HashiCorp Boundary Workers Store Rotated Credentials in Plaintext Even When Key Management Service Configured in github.com/hashicorp/boundary

GO-2024-2532: Boundary vulnerable to session hijacking through TLS certificate tampering in github.com/hashicorp/boundary

request

package

v0.10.5 Latest Latest Go to latest Published: Sep 14, 2022 License: MPL-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/hashicorp/boundary

Links

Open Source Insights

Documentation ¶

Constants ¶

This section is empty.

Variables ¶

View Source

var File_controller_storage_auth_oidc_request_v1_request_proto protoreflect.FileDescriptor

Functions ¶

This section is empty.

Types ¶

type State ¶

type State struct {

	// token_request_id is the id. This id is used by the client to poll for a Boundary
	// token, once the final leg of the authen flow is compeleted.  The Callback uses this
	// id to create a "pending" token for that polling process.
	TokenRequestId string `protobuf:"bytes,10,opt,name=token_request_id,json=tokenRequestId,proto3" json:"token_request_id,omitempty"`
	// create_time of the request that started the authentication flow.
	CreateTime *timestamp.Timestamp `protobuf:"bytes,20,opt,name=create_time,json=createTime,proto3" json:"create_time,omitempty"`
	// expiration_time of the authenticaion flow.
	ExpirationTime *timestamp.Timestamp `protobuf:"bytes,30,opt,name=expiration_time,json=expirationTime,proto3" json:"expiration_time,omitempty"`
	// final_redirect_url that will be sent back to the client after the callback
	FinalRedirectUrl string `protobuf:"bytes,40,opt,name=final_redirect_url,json=finalRedirectUrl,proto3" json:"final_redirect_url,omitempty"`
	// nonce of the request which is used to verify the ID Token in the third leg
	// as a way to prevent replay attacks.
	//
	// See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
	// and https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes.
	Nonce string `protobuf:"bytes,50,opt,name=nonce,proto3" json:"nonce,omitempty"`
	// provider_config_hash can be used to see if the provider's config has changed
	// since the request started.
	ProviderConfigHash uint64 `protobuf:"varint,60,opt,name=provider_config_hash,json=providerConfigHash,proto3" json:"provider_config_hash,omitempty"`
	// contains filtered or unexported fields
}

First, State is used in constructing the authorization URL, in the first leg of the authen flow. State represents the unique data used to construct an oidc.Request (see: https://github.com/hashicorp/cap/blob/main/oidc/request.go). State needs enough information, that when combined with a Boundary oidc auth method, a proper oidc.Request can be recreated during the second leg of the authen flow. State also needs the provider.ConfigHash() used to from the first leg, so it can verify the Boundary's oidc auth method configuration hasn't changed since the authen flow began.

func (*State) Descriptor deprecated

func (*State) Descriptor() ([]byte, []int)

Deprecated: Use State.ProtoReflect.Descriptor instead.

func (*State) GetCreateTime ¶

func (x *State) GetCreateTime() *timestamp.Timestamp

func (*State) GetExpirationTime ¶

func (x *State) GetExpirationTime() *timestamp.Timestamp

func (*State) GetFinalRedirectUrl ¶

func (x *State) GetFinalRedirectUrl() string

func (*State) GetNonce ¶

func (x *State) GetNonce() string

func (*State) GetProviderConfigHash ¶

func (x *State) GetProviderConfigHash() uint64

func (*State) GetTokenRequestId ¶

func (x *State) GetTokenRequestId() string

func (*State) ProtoMessage ¶

func (*State) ProtoMessage()

func (*State) ProtoReflect ¶

func (x *State) ProtoReflect() protoreflect.Message

func (*State) Reset ¶

func (x *State) Reset()

func (*State) String ¶

func (x *State) String() string

func (*State) Validate ¶

func (s *State) Validate(ctx context.Context) error

Validate the request.State

type Token ¶

type Token struct {

	// request_id for the token.
	RequestId string `protobuf:"bytes,10,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
	// expiration_time of the authenticaion flow.
	ExpirationTime *timestamp.Timestamp `protobuf:"bytes,20,opt,name=expiration_time,json=expirationTime,proto3" json:"expiration_time,omitempty"`
	// contains filtered or unexported fields
}

Token is the request token that's returned as part of the auth_token_url from oidc.StartAuth(...)

func (*Token) Descriptor deprecated

func (*Token) Descriptor() ([]byte, []int)

Deprecated: Use Token.ProtoReflect.Descriptor instead.

func (*Token) GetExpirationTime ¶

func (x *Token) GetExpirationTime() *timestamp.Timestamp

func (*Token) GetRequestId ¶

func (x *Token) GetRequestId() string

func (*Token) ProtoMessage ¶

func (*Token) ProtoMessage()

func (*Token) ProtoReflect ¶

func (x *Token) ProtoReflect() protoreflect.Message

func (*Token) Reset ¶

func (x *Token) Reset()

func (*Token) String ¶

func (x *Token) String() string

func (*Token) Validate ¶

func (t *Token) Validate(ctx context.Context) error

Validate the request.Token

type Wrapper ¶

type Wrapper struct {

	// auth_method_id is the auth method of the oidc request
	AuthMethodId string `protobuf:"bytes,10,opt,name=auth_method_id,json=authMethodId,proto3" json:"auth_method_id,omitempty"`
	// scope_id is the auth method's scope
	ScopeId string `protobuf:"bytes,20,opt,name=scope_id,json=scopeId,proto3" json:"scope_id,omitempty"`
	// wrapper_key_id is the DEK wrapper key id which was used to derive the
	// cipher's key
	WrapperKeyId string `protobuf:"bytes,30,opt,name=wrapper_key_id,json=wrapperKeyId,proto3" json:"wrapper_key_id,omitempty"`
	// ct is the encrypted cipher text
	Ct []byte `protobuf:"bytes,40,opt,name=ct,proto3" json:"ct,omitempty"`
	// contains filtered or unexported fields
}

Wrapper wraps an encrypted cipher text with non-sensitive info which allows Boundary to determine how to decrypt the wrappered cipher text (ct) field.

func (*Wrapper) Descriptor deprecated

func (*Wrapper) Descriptor() ([]byte, []int)

Deprecated: Use Wrapper.ProtoReflect.Descriptor instead.

func (*Wrapper) GetAuthMethodId ¶

func (x *Wrapper) GetAuthMethodId() string

func (*Wrapper) GetCt ¶

func (x *Wrapper) GetCt() []byte

func (*Wrapper) GetScopeId ¶

func (x *Wrapper) GetScopeId() string

func (*Wrapper) GetWrapperKeyId ¶

func (x *Wrapper) GetWrapperKeyId() string

func (*Wrapper) ProtoMessage ¶

func (*Wrapper) ProtoMessage()

func (*Wrapper) ProtoReflect ¶

func (x *Wrapper) ProtoReflect() protoreflect.Message

func (*Wrapper) Reset ¶

func (x *Wrapper) Reset()

func (*Wrapper) String ¶

func (x *Wrapper) String() string

func (*Wrapper) Validate ¶

func (w *Wrapper) Validate(ctx context.Context) error

Validate the request.Wrapper

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL