Documentation ¶
Index ¶
- Constants
- func Callback(ctx context.Context, oidcRepoFn OidcRepoFactory, iamRepoFn IamRepoFactory, ...) (finalRedirect string, e error)
- func EncodeCertificates(ctx context.Context, certs ...*x509.Certificate) ([]string, error)
- func ParseCertificates(ctx context.Context, pems ...string) ([]*x509.Certificate, error)
- func StartAuth(ctx context.Context, oidcRepoFn OidcRepoFactory, authMethodId string, ...) (authUrl *url.URL, tokenId string, e error)
- func SupportedAlgorithm(a Alg) bool
- func TestConvertToUrls(t testing.TB, urls ...string) []*url.URL
- func TestPendingToken(t testing.TB, tokenRepo *authtoken.Repository, user *iam.User, acct *Account, ...) *authtoken.AuthToken
- func TestSortAuthMethods(t testing.TB, methods []*AuthMethod)
- func TestTokenRequestId(t testing.TB, am *AuthMethod, kms *kms.Kms, expIn time.Duration, ...) string
- func TokenRequest(ctx context.Context, kms *kms.Kms, atRepoFn AuthTokenRepoFactory, ...) (*authtoken.AuthToken, error)
- func UnwrapMessage(ctx context.Context, encodedWrappedMsg string) (*request.Wrapper, error)
- type Account
- type AccountClaimMap
- type AccountToClaim
- type Alg
- type AudClaim
- type AuthMethod
- type AuthMethodState
- type AuthTokenRepoFactory
- type Certificate
- type ClaimMap
- type ClaimsScope
- type ClientSecret
- type HTTPClient
- type IamRepoFactory
- type ManagedGroup
- type ManagedGroupMemberAccount
- func AllocManagedGroupMemberAccount() *ManagedGroupMemberAccount
- func NewManagedGroupMemberAccount(ctx context.Context, managedGroupId string, memberId string, opt ...Option) (*ManagedGroupMemberAccount, error)
- func TestManagedGroupMember(t testing.TB, conn *db.DB, managedGroupId, memberId string, opt ...Option) *ManagedGroupMemberAccount
- type OidcRepoFactory
- type Option
- func WithAccountClaimMap(acm map[string]AccountToClaim) Option
- func WithApiUrl(urls *url.URL) Option
- func WithAudClaims(aud ...string) Option
- func WithAuthMethod(am *AuthMethod) Option
- func WithCertificates(certs ...*x509.Certificate) Option
- func WithClaimsScopes(claimsScope ...string) Option
- func WithDescription(desc string) Option
- func WithDryRun() Option
- func WithEmail(email string) Option
- func WithForce() Option
- func WithFullName(n string) Option
- func WithIssuer(iss *url.URL) Option
- func WithKeyId(id string) Option
- func WithLimit(l int) Option
- func WithMaxAge(max int) Option
- func WithName(name string) Option
- func WithOperationalState(state AuthMethodState) Option
- func WithOrderByCreateTime(ascending bool) Option
- func WithPublicId(publicId string) Option
- func WithReader(reader db.Reader) Option
- func WithRoundtripPayload(payload string) Option
- func WithSigningAlgs(alg ...Alg) Option
- func WithUnauthenticatedUser(enabled bool) Option
- type Repository
- func (r *Repository) CreateAccount(ctx context.Context, scopeId string, a *Account, opt ...Option) (*Account, error)
- func (r *Repository) CreateAuthMethod(ctx context.Context, am *AuthMethod, opt ...Option) (*AuthMethod, error)
- func (r *Repository) CreateManagedGroup(ctx context.Context, scopeId string, mg *ManagedGroup, opt ...Option) (*ManagedGroup, error)
- func (r *Repository) DeleteAccount(ctx context.Context, scopeId, withPublicId string, opt ...Option) (int, error)
- func (r *Repository) DeleteAuthMethod(ctx context.Context, publicId string, _ ...Option) (int, error)
- func (r *Repository) DeleteManagedGroup(ctx context.Context, scopeId, withPublicId string, opt ...Option) (int, error)
- func (r *Repository) ListAccounts(ctx context.Context, withAuthMethodId string, opt ...Option) ([]*Account, error)
- func (r *Repository) ListAuthMethods(ctx context.Context, scopeIds []string, opt ...Option) ([]*AuthMethod, error)
- func (r *Repository) ListManagedGroupMembershipsByGroup(ctx context.Context, withGroupId string, opt ...Option) ([]*ManagedGroupMemberAccount, error)
- func (r *Repository) ListManagedGroupMembershipsByMember(ctx context.Context, withAcctId string, opt ...Option) ([]*ManagedGroupMemberAccount, error)
- func (r *Repository) ListManagedGroups(ctx context.Context, withAuthMethodId string, opt ...Option) ([]*ManagedGroup, error)
- func (r *Repository) LookupAccount(ctx context.Context, withPublicId string, opt ...Option) (*Account, error)
- func (r *Repository) LookupAuthMethod(ctx context.Context, publicId string, opt ...Option) (*AuthMethod, error)
- func (r *Repository) LookupManagedGroup(ctx context.Context, withPublicId string, opt ...Option) (*ManagedGroup, error)
- func (r *Repository) MakeInactive(ctx context.Context, authMethodId string, version uint32, _ ...Option) (*AuthMethod, error)
- func (r *Repository) MakePrivate(ctx context.Context, authMethodId string, version uint32, opt ...Option) (*AuthMethod, error)
- func (r *Repository) MakePublic(ctx context.Context, authMethodId string, version uint32, opt ...Option) (*AuthMethod, error)
- func (r *Repository) SetManagedGroupMemberships(ctx context.Context, am *AuthMethod, acct *Account, mgs []*ManagedGroup, ...) ([]*ManagedGroupMemberAccount, int, error)
- func (r *Repository) UpdateAccount(ctx context.Context, scopeId string, a *Account, version uint32, ...) (*Account, int, error)
- func (r *Repository) UpdateAuthMethod(ctx context.Context, am *AuthMethod, version uint32, fieldMaskPaths []string, ...) (*AuthMethod, int, error)
- func (r *Repository) UpdateManagedGroup(ctx context.Context, scopeId string, mg *ManagedGroup, version uint32, ...) (*ManagedGroup, int, error)
- func (r *Repository) ValidateDiscoveryInfo(ctx context.Context, opt ...Option) error
- type SigningAlg
Constants ¶
const (
	// AuthMethodPrefix defines the prefix for AuthMethod public ids.
	AuthMethodPrefix = "amoidc"
	// AccountPrefix defines the prefix for Account public ids.
	AccountPrefix = "acctoidc"
	// Subtype identifies the "oidc" auth method subtype.
	Subtype = subtypes.Subtype("oidc")
)
// Field names of AuthMethod attributes; presumably used as field mask paths
// (see the fieldMaskPaths parameter of UpdateAuthMethod) — TODO confirm.
const (
	OperationalStateField                  = "OperationalState"
	DisableDiscoveredConfigValidationField = "DisableDiscoveredConfigValidation"
	VersionField                           = "Version"
	NameField                              = "Name"
	DescriptionField                       = "Description"
	FilterField                            = "Filter"
	IssuerField                            = "Issuer"
	ClientIdField                          = "ClientId"
	ClientSecretField                      = "ClientSecret"
	CtClientSecretField                    = "CtClientSecret"
	ClientSecretHmacField                  = "ClientSecretHmac"
	MaxAgeField                            = "MaxAge"
	SigningAlgsField                       = "SigningAlgs"
	ApiUrlField                            = "ApiUrl"
	AudClaimsField                         = "AudClaims"
	CertificatesField                      = "Certificates"
	ClaimsScopesField                      = "ClaimsScopes"
	AccountClaimMapsField                  = "AccountClaimMaps"
	TokenClaimsField                       = "TokenClaims"
	UserinfoClaimsField                    = "UserinfoClaims"
	KeyIdField                             = "KeyId"
)
// Names of the AuthMethod's embedded value objects (voName is unexported);
// the values mirror the corresponding *Field constants — presumably used
// when updating the value objects as a set; TODO confirm.
const (
	SigningAlgVO       voName = "SigningAlgs"
	CertificateVO      voName = "Certificates"
	AudClaimVO         voName = "AudClaims"
	ClaimsScopesVO     voName = "ClaimsScopes"
	AccountClaimMapsVO voName = "AccountClaimMaps"
)
const (
	// AttemptExpiration defines the TTL for an authentication attempt
	// (5 minutes).
	AttemptExpiration = 5 * 60 * time.Second
	// FinalRedirectEndpoint is the endpoint that the oidc callback redirects
	// the client to after the callback is complete. The %s placeholder is the
	// URL prefix — presumably the api URL from WithApiUrl; TODO confirm.
	FinalRedirectEndpoint = "%s/authentication-complete"
	// AuthenticationErrorsEndpoint is the endpoint that will be returned as
	// the final redirect from the callback when there are auth errors.
	AuthenticationErrorsEndpoint = "%s/authentication-error"
	// CallbackEndpoint is the endpoint for the oidc callback which will be
	// included in the auth URL returned when an authentication attempt is
	// kicked off.
	CallbackEndpoint = "%s/v1/auth-methods/oidc:authenticate:callback"
)
const (
	// DefaultClaimsScope is the OIDC scope that is always requested;
	// ClaimsScope values are requested in addition to it.
	DefaultClaimsScope = "openid"
)
// TestFakeManagedGroupFilter is a managed group filter expression for use in
// tests (presumably one that matches no account — confirm).
const TestFakeManagedGroupFilter = `"/foo" == "bar"`
Variables ¶
This section is empty.
Functions ¶
func Callback ¶
func Callback( ctx context.Context, oidcRepoFn OidcRepoFactory, iamRepoFn IamRepoFactory, atRepoFn AuthTokenRepoFactory, am *AuthMethod, state, code string, ) (finalRedirect string, e error)
Callback is an oidc domain service function for processing a successful OIDC Authentication Response from an IdP oidc callback. On success, it returns a final redirect URL for the response to the IdP.
Callback can return several errors, including errors.Forbidden for requests with non-unique states (which are replays).
For more info on a successful OIDC Authentication Response see: https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse
The service operation includes:
* Decrypt the state which has been encrypted with the OIDC DEK. If decryption fails, an error is returned. The decrypted state payload includes the token_request_id, nonce and final_redirect_url.
* Exchange the callbackCodeParameter for provider tokens and validate the tokens. Call UserInfo endpoint using access token.
* Use oidc.(Repository).upsertAccount to create/update the account using the ID Token's claims. The "sub" claim is used as the external ID, and the email and full name are set on the account.
* Use iam.(Repository).LookupUserWithLogin(...) to look up the iam.User matching the Account.
* Use the authtoken.(Repository).CreateAuthToken(...) to create a pending auth token for the authenticated user.
func EncodeCertificates ¶
EncodeCertificates will encode a number of x509 certificates to PEMs.
func ParseCertificates ¶
ParseCertificates will parse a number of certificates PEMs to x509s.
func StartAuth ¶
func StartAuth(ctx context.Context, oidcRepoFn OidcRepoFactory, authMethodId string, opt ...Option) (authUrl *url.URL, tokenId string, e error)
StartAuth accepts a request to start an OIDC authentication/authorization attempt. It returns two URLs and a tokenId. authUrl is an OIDC authorization request URL. The authUrl includes a "state" parameter which is encrypted and has a payload which includes (among other things) the final redirect (calculated from the clientInfo), a token_request_id, and nonce. The tokenUrl is the URL the client can use to retrieve the results of the user's OIDC authentication attempt. The tokenId is an encrypted payload for the POST request to the tokenUrl.
If the auth method is in an InactiveState, then an error is returned.
Options supported:
WithRoundTripPayload(string) provides an option for a client roundtrip payload. This payload will be added to the final redirect as a query parameter.
func SupportedAlgorithm ¶
SupportedAlgorithm returns true iff the provided algorithm is supported by boundary.
func TestConvertToUrls ¶
TestConvertToUrls will convert URL string representations to a slice of *url.URL
func TestPendingToken ¶
func TestPendingToken( t testing.TB, tokenRepo *authtoken.Repository, user *iam.User, acct *Account, tokenRequestId string, ) *authtoken.AuthToken
TestPendingToken will create a pending auth token for the tokenRequestId (aka public id)
func TestSortAuthMethods ¶
func TestSortAuthMethods(t testing.TB, methods []*AuthMethod)
TestSortAuthMethods will sort the provided auth methods by public id and it will sort each auth method's embedded value objects (algs, auds, certs, callbacks)
func TestTokenRequestId ¶
func TestTokenRequestId( t testing.TB, am *AuthMethod, kms *kms.Kms, expIn time.Duration, tokenPublicId string, ) string
TestTokenRequestId will make a request.Token and encrypt/encode it within a request.Wrapper. The returned string can be used as a parameter for functions like oidc.TokenRequest.
func TokenRequest ¶
func TokenRequest(ctx context.Context, kms *kms.Kms, atRepoFn AuthTokenRepoFactory, authMethodId, tokenRequestId string) (*authtoken.AuthToken, error)
TokenRequest is an oidc domain service function for processing a token request from a Boundary client. Token requests are the result of a Boundary client polling the tokenUrl they received via StartAuth. On success, it returns Boundary token.
* Decrypt the tokenRequestId. If decryption fails, it returns an error.
* Use the authtoken.(Repository).IssueAuthToken to issue the request id's token and mark it as issued in the repo. If the token is already issued, an error is returned.
Types ¶
type Account ¶
Account contains an OIDC auth account. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its Accounts.
func NewAccount ¶
func NewAccount(ctx context.Context, authMethodId string, subject string, opt ...Option) (*Account, error)
NewAccount creates a new in memory Account assigned to an OIDC AuthMethod. WithIssuer, WithFullName, WithEmail, WithName and WithDescription are the only valid options. All other options are ignored.
Subject equals the locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client.
Issuer equals the Verifiable Identifier for an Issuer. An Issuer Identifier is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
FullName equals the End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.
Email equals the End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon this value being unique
func TestAccount ¶
TestAccount creates a test oidc auth account.
func (*Account) GetLoginName ¶ added in v0.11.1
GetLoginName returns the login name, which will always be empty as this type doesn't currently support login name
func (*Account) SetTableName ¶
SetTableName sets the table name.
type AccountClaimMap ¶ added in v0.2.1
type AccountClaimMap struct { *store.AccountClaimMap // contains filtered or unexported fields }
AccountClaimMap defines optional OIDC scope values that are used to request claims, in addition to the default scope of "openid" (see: DefaultClaimsScope).
func AllocAccountClaimMap ¶ added in v0.2.1
func AllocAccountClaimMap() AccountClaimMap
AllocAccountClaimMap makes an empty one in memory
func NewAccountClaimMap ¶ added in v0.2.1
func NewAccountClaimMap(ctx context.Context, authMethodId, fromClaim string, toClaim AccountToClaim) (*AccountClaimMap, error)
func (*AccountClaimMap) Clone ¶ added in v0.2.1
func (cs *AccountClaimMap) Clone() *AccountClaimMap
Clone a AccountClaimMap
func (*AccountClaimMap) SetTableName ¶ added in v0.2.1
func (s *AccountClaimMap) SetTableName(n string)
SetTableName sets the table name.
func (*AccountClaimMap) TableName ¶ added in v0.2.1
func (s *AccountClaimMap) TableName() string
TableName returns the table name.
type AccountToClaim ¶ added in v0.2.1
// AccountToClaim names an Account attribute that an incoming OIDC claim can be
// mapped to (see WithAccountClaimMap and NewAccountClaimMap).
type AccountToClaim string
// Account attributes an OIDC claim can be mapped to. The string values are
// the standard claim names; ToNameClaim presumably targets the account's
// full name — confirm against the claim mapping code.
const (
	ToSubClaim   AccountToClaim = "sub"
	ToEmailClaim AccountToClaim = "email"
	ToNameClaim  AccountToClaim = "name"
)
func ConvertToAccountToClaim ¶ added in v0.2.1
func ConvertToAccountToClaim(ctx context.Context, s string) (AccountToClaim, error)
type Alg ¶
// Alg represents asymmetric signing algorithms (JOSE "alg" values). Use
// SupportedAlgorithm to check whether a value is accepted.
type Alg string
Alg represents asymmetric signing algorithms
const (
	// JOSE asymmetric signing algorithm values as defined by RFC 7518.
	//
	// See: https://tools.ietf.org/html/rfc7518#section-3.1
	RS256 Alg = "RS256" // RSASSA-PKCS-v1.5 using SHA-256
	RS384 Alg = "RS384" // RSASSA-PKCS-v1.5 using SHA-384
	RS512 Alg = "RS512" // RSASSA-PKCS-v1.5 using SHA-512
	ES256 Alg = "ES256" // ECDSA using P-256 and SHA-256
	ES384 Alg = "ES384" // ECDSA using P-384 and SHA-384
	ES512 Alg = "ES512" // ECDSA using P-521 and SHA-512
	PS256 Alg = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256
	PS384 Alg = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384
	PS512 Alg = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512
	EdDSA Alg = "EdDSA" // Edwards-curve DSA (RFC 8037)
)
type AudClaim ¶
AudClaim defines an audience claim for an OIDC auth method. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its AudClaims. AudClaims are value objects of an AuthMethod, therefore there's no need for oplog metadata, since only the AuthMethod will have metadata because it's the root aggregate.
see aud claim in the oidc spec: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
func NewAudClaim ¶
NewAudClaim creates a new in memory audience claim assigned to an OIDC AuthMethod. It supports no options. If an AuthMethod has assigned AudClaims, then ID tokens issued from the provider must contain one of the assigned audiences to be valid.
For more info on oidc aud claims, see the oidc spec: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
func (*AudClaim) SetTableName ¶
SetTableName sets the table name.
type AuthMethod ¶
type AuthMethod struct { *store.AuthMethod // contains filtered or unexported fields }
AuthMethod contains an OIDC auth method configuration. It is owned by a scope. AuthMethods can have Accounts, AudClaims, CallbackUrls, Certificates, SigningAlgs. AuthMethods also have one State at any given time which determines its behavior for many of its operations.
func AllocAuthMethod ¶
func AllocAuthMethod() AuthMethod
AllocAuthMethod makes an empty one in memory
func NewAuthMethod ¶
func NewAuthMethod(ctx context.Context, scopeId string, clientId string, clientSecret ClientSecret, opt ...Option) (*AuthMethod, error)
NewAuthMethod creates a new in memory AuthMethod assigned to scopeId. WithMaxAge, WithName and WithDescription are the only valid options. All other options are ignored.
State equals the state of the OIDC auth method. State is not a supported parameter when creating new AuthMethods since it must be Inactive for all new AuthMethods.
Issuer equals a URL that identifies the OIDC provider. Boundary will strip off anything beyond scheme, host and port
ClientId equals an OAuth 2.0 Client Identifier valid at the Authorization Server.
ClientSecret equals the client's secret which will be encrypted when stored in the database and an hmac representation will also be stored when ever the secret changes. The secret is not returned via the API, the hmac is returned so callers can determine if it's been updated.
MaxAge equals the Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. A value -1 basically forces the IdP to re-authenticate the End-User. Zero is not a valid value.
See: https://openid.net/specs/openid-connect-core-1_0.html
Supports the options of WithMaxAge, WithSigningAlgs, WithAudClaims, WithApiUrl and WithCertificates and all other options are ignored.
func TestAuthMethod ¶
func TestAuthMethod( t testing.TB, conn *db.DB, databaseWrapper wrapping.Wrapper, scopeId string, state AuthMethodState, clientId string, clientSecret ClientSecret, opt ...Option, ) *AuthMethod
TestAuthMethod creates a test oidc auth method. WithName, WithDescription, WithMaxAge, WithApiUrl, WithIssuer, WithCertificates, WithAudClaims, and WithSigningAlgs options are supported.
func (*AuthMethod) SetTableName ¶
func (a *AuthMethod) SetTableName(n string)
SetTableName sets the table name.
func (*AuthMethod) TableName ¶
func (a *AuthMethod) TableName() string
TableName returns the table name.
type AuthMethodState ¶
// AuthMethodState defines the possible states for an oidc auth method; see
// the state constants and the Repository.Make* transition methods.
type AuthMethodState string
AuthMethodState defines the possible states for an oidc auth method
const (
	// UnknownState presumably represents an unrecognized state. Note that the
	// zero value of AuthMethodState is the empty string, not UnknownState.
	UnknownState AuthMethodState = "unknown"
	// InactiveState is the required state of newly created auth methods
	// (see NewAuthMethod); StartAuth returns an error for an inactive auth method.
	InactiveState AuthMethodState = "inactive"
	// ActivePrivateState is an active state; MakeInactive transitions from it
	// to InactiveState.
	ActivePrivateState AuthMethodState = "active-private"
	// ActivePublicState is an active state; MakeInactive transitions from it
	// to InactiveState. "public" presumably means the auth method is listed
	// for unauthenticated users (see WithUnauthenticatedUser) — confirm.
	ActivePublicState AuthMethodState = "active-public"
)
type AuthTokenRepoFactory ¶
// AuthTokenRepoFactory is used by "service functions" (Callback, TokenRequest)
// to create a new auth token repo.
type AuthTokenRepoFactory func() (*authtoken.Repository, error)
AuthTokenRepoFactory is used by "service functions" to create a new auth token repo
type Certificate ¶
type Certificate struct { *store.Certificate // contains filtered or unexported fields }
Certificate defines a certificate to use as part of a trust root when connecting to the auth method's OIDC Provider. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its Certificates. Certificates are value objects of an AuthMethod, therefore there's no need for oplog metadata, since only the AuthMethod will have metadata because it's the root aggregate.
func AllocCertificate ¶
func AllocCertificate() Certificate
AllocCertificate makes an empty one in memory
func NewCertificate ¶
func NewCertificate(ctx context.Context, authMethodId string, certificatePem string) (*Certificate, error)
NewCertificate creates a new in memory certificate assigned to an OIDC auth method.
func (*Certificate) SetTableName ¶
func (c *Certificate) SetTableName(n string)
SetTableName sets the table name.
func (*Certificate) TableName ¶
func (c *Certificate) TableName() string
TableName returns the table name.
type ClaimsScope ¶ added in v0.2.1
type ClaimsScope struct { *store.ClaimsScope // contains filtered or unexported fields }
ClaimsScope defines optional OIDC scope values that are used to request claims, in addition to the default scope of "openid" (see: DefaultClaimsScope).
see: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
func AllocClaimsScope ¶ added in v0.2.1
func AllocClaimsScope() ClaimsScope
AllocClaimsScope makes an empty one in memory
func NewClaimsScope ¶ added in v0.2.1
func NewClaimsScope(ctx context.Context, authMethodId, claimsScope string) (*ClaimsScope, error)
func (*ClaimsScope) Clone ¶ added in v0.2.1
func (cs *ClaimsScope) Clone() *ClaimsScope
Clone a ClaimsScope
func (*ClaimsScope) SetTableName ¶ added in v0.2.1
func (s *ClaimsScope) SetTableName(n string)
SetTableName sets the table name.
func (*ClaimsScope) TableName ¶ added in v0.2.1
func (s *ClaimsScope) TableName() string
TableName returns the table name.
type ClientSecret ¶
// ClientSecret equals an AuthMethod's client secret. This type provides a
// wrapper so the secret isn't inadvertently leaked into a log or error: its
// String, GoString and MarshalJSON methods redact the value. Converting the
// value back to a plain string bypasses that redaction.
type ClientSecret string
ClientSecret equals an AuthMethod's client secret. This type provides a wrapper so the secret isn't inadvertently leaked into a log or error. Redaction is performed by its String, GoString and MarshalJSON methods; converting the value back to a plain string bypasses it.
func (ClientSecret) GoString ¶ added in v0.4.0
func (s ClientSecret) GoString() string
GoString will redact the client_secret.
func (ClientSecret) MarshalJSON ¶
func (s ClientSecret) MarshalJSON() ([]byte, error)
MarshalJSON will redact the client_secret.
func (ClientSecret) String ¶
func (s ClientSecret) String() string
String will redact the client_secret.
type IamRepoFactory ¶
// IamRepoFactory is used by "service functions" (Callback) to create a new
// iam repo.
type IamRepoFactory func() (*iam.Repository, error)
IamRepoFactory is used by "service functions" to create a new iam repo
type ManagedGroup ¶ added in v0.3.0
type ManagedGroup struct { *store.ManagedGroup // contains filtered or unexported fields }
ManagedGroup contains an OIDC managed group. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its Managed Groups.
func AllocManagedGroup ¶ added in v0.3.0
func AllocManagedGroup() *ManagedGroup
AllocManagedGroup makes an empty one in memory
func NewManagedGroup ¶ added in v0.3.0
func NewManagedGroup(ctx context.Context, authMethodId string, filter string, opt ...Option) (*ManagedGroup, error)
NewManagedGroup creates a new in memory ManagedGroup assigned to an OIDC AuthMethod. Supported options are WithName and WithDescription.
func TestManagedGroup ¶ added in v0.3.0
func TestManagedGroup(t testing.TB, conn *db.DB, am *AuthMethod, filter string, opt ...Option) *ManagedGroup
TestManagedGroup creates a test oidc managed group.
func (*ManagedGroup) Clone ¶ added in v0.3.0
func (mg *ManagedGroup) Clone() *ManagedGroup
Clone a ManagedGroup.
func (*ManagedGroup) SetTableName ¶ added in v0.3.0
func (mg *ManagedGroup) SetTableName(n string)
SetTableName sets the table name.
func (*ManagedGroup) TableName ¶ added in v0.3.0
func (mg *ManagedGroup) TableName() string
TableName returns the table name.
type ManagedGroupMemberAccount ¶ added in v0.3.0
type ManagedGroupMemberAccount struct { *store.ManagedGroupMemberAccount // contains filtered or unexported fields }
ManagedGroupMemberAccount contains a mapping between a managed group and a member account
func AllocManagedGroupMemberAccount ¶ added in v0.3.0
func AllocManagedGroupMemberAccount() *ManagedGroupMemberAccount
AllocManagedGroupMemberAccount makes an empty one in memory
func NewManagedGroupMemberAccount ¶ added in v0.3.0
func NewManagedGroupMemberAccount(ctx context.Context, managedGroupId string, memberId string, opt ...Option) (*ManagedGroupMemberAccount, error)
NewManagedGroupMemberAccount creates a new in memory ManagedGroupMemberAccount assigned to a managed group within an OIDC AuthMethod. Supported options are WithName and WithDescription.
func TestManagedGroupMember ¶ added in v0.3.0
func TestManagedGroupMember(t testing.TB, conn *db.DB, managedGroupId, memberId string, opt ...Option) *ManagedGroupMemberAccount
TestManagedGroupMember adds given account IDs to a managed group
func (*ManagedGroupMemberAccount) Clone ¶ added in v0.3.0
func (mg *ManagedGroupMemberAccount) Clone() *ManagedGroupMemberAccount
Clone a ManagedGroupMemberAccount.
func (*ManagedGroupMemberAccount) SetTableName ¶ added in v0.3.0
func (mg *ManagedGroupMemberAccount) SetTableName(n string)
SetTableName sets the table name.
func (*ManagedGroupMemberAccount) TableName ¶ added in v0.3.0
func (mg *ManagedGroupMemberAccount) TableName() string
TableName returns the table name.
type OidcRepoFactory ¶
// OidcRepoFactory is used by "service functions" (StartAuth, Callback) to
// create a new oidc repo.
type OidcRepoFactory func() (*Repository, error)
OidcRepoFactory is used by "service functions" to create a new oidc repo
type Option ¶
// Option - how Options are passed as arguments. Each With* function returns
// an Option that mutates the (unexported) options struct.
type Option func(*options)
Option - how Options are passed as arguments.
func WithAccountClaimMap ¶ added in v0.2.1
func WithAccountClaimMap(acm map[string]AccountToClaim) Option
WithAccountClaimMap provides an option for specifying an Account Claim map.
func WithApiUrl ¶
WithApiUrl provides optional api URL to use in the various
func WithAudClaims ¶
WithAudClaims provides optional audience claims
func WithAuthMethod ¶
func WithAuthMethod(am *AuthMethod) Option
WithAuthMethod provides an option for passing an AuthMethod to the operation
func WithCertificates ¶
func WithCertificates(certs ...*x509.Certificate) Option
WithCertificates provides optional certificates.
func WithClaimsScopes ¶ added in v0.2.1
WithClaimsScopes provides optional claims scopes
func WithDescription ¶
WithDescription provides an optional description.
func WithDryRun ¶
func WithDryRun() Option
WithDryRun provides an option to do a "dry run" of a write operation, which will run verification steps and return any errors, but will not persist the data into the repository.
func WithForce ¶
func WithForce() Option
WithForce provides an option to force the write operation, regardless of whether or not its pre-verification succeeds.
func WithFullName ¶
WithFullName provides an optional full name for the account.
func WithIssuer ¶
WithIssuer provides an option for specifying an issuer.
func WithLimit ¶
WithLimit provides an option to provide a limit. Intentionally allowing negative integers. If WithLimit < 0, then unlimited results are returned. If WithLimit == 0, then default limits are used for results.
func WithMaxAge ¶
WithMaxAge provides an optional max age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. A value -1 basically forces the IdP to re-authenticate the End-User. Zero is not a valid value.
see: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
func WithOperationalState ¶
func WithOperationalState(state AuthMethodState) Option
WithOperationalState provides an option for specifying an operational state.
func WithOrderByCreateTime ¶
WithOrderByCreateTime provides an option to specify ordering by the CreateTime field.
func WithPublicId ¶
WithPublicId provides an option for passing a public id to the operation
func WithReader ¶ added in v0.3.0
WithReader provides an option for specifying a reader to use for the operation.
func WithRoundtripPayload ¶
WithRoundTripPayload provides an option for passing a payload to be roundtripped during an authentication process.
func WithSigningAlgs ¶
WithSigningAlgs provides optional signing algorithms
func WithUnauthenticatedUser ¶
WithUnauthenticatedUser provides an option for filtering results for an unauthenticated user.
type Repository ¶
type Repository struct {
// contains filtered or unexported fields
}
Repository is the oidc repository
func NewRepository ¶
func NewRepository(ctx context.Context, r db.Reader, w db.Writer, kms *kms.Kms, opt ...Option) (*Repository, error)
NewRepository creates a new oidc Repository. Supports the options: WithLimit which sets a default limit on results returned by repo operations.
func (*Repository) CreateAccount ¶
func (r *Repository) CreateAccount(ctx context.Context, scopeId string, a *Account, opt ...Option) (*Account, error)
CreateAccount inserts an Account, a, into the repository and returns a new Account containing its PublicId. a is not changed. a must contain a valid AuthMethodId. a must not contain a PublicId. The PublicId is generated and assigned by this method. a must not contain an Issuer. The Issuer is retrieved from the auth method. If the auth method does not contain an Issuer, an error is returned.
a must contain a valid Subject. a.Subject must be unique for an a.AuthMethod/Issuer pair.
Both a.Name and a.Description are optional. If a.Name is set, it must be unique within a.AuthMethodId.
WithPublicId is currently the only valid option.
func (*Repository) CreateAuthMethod ¶
func (r *Repository) CreateAuthMethod(ctx context.Context, am *AuthMethod, opt ...Option) (*AuthMethod, error)
CreateAuthMethod creates am (*AuthMethod) in the repo along with its associated embedded optional value objects of SigningAlgs, AudClaims, and Certificates and returns the newly created AuthMethod (with its PublicId set)
The AuthMethod's public id and version must be empty (zero values).
All options are ignored.
func (*Repository) CreateManagedGroup ¶ added in v0.3.0
func (r *Repository) CreateManagedGroup(ctx context.Context, scopeId string, mg *ManagedGroup, opt ...Option) (*ManagedGroup, error)
CreateManagedGroup inserts a ManagedGroup, mg, into the repository and returns a new ManagedGroup containing its PublicId. mg is not changed. mg must contain a valid AuthMethodId. mg must not contain a PublicId. The PublicId is generated and assigned by this method.
Both mg.Name and mg.Description are optional. If mg.Name is set, it must be unique within mg.AuthMethodId.
func (*Repository) DeleteAccount ¶
func (r *Repository) DeleteAccount(ctx context.Context, scopeId, withPublicId string, opt ...Option) (int, error)
DeleteAccount deletes the account for the provided id from the repository returning a count of the number of records deleted. All options are ignored.
func (*Repository) DeleteAuthMethod ¶
func (r *Repository) DeleteAuthMethod(ctx context.Context, publicId string, _ ...Option) (int, error)
DeleteAuthMethod will delete the auth method from the repository. It is idempotent so if the auth method was not found, return 0 (no rows affected) and nil. No options are currently supported.
func (*Repository) DeleteManagedGroup ¶ added in v0.3.0
func (r *Repository) DeleteManagedGroup(ctx context.Context, scopeId, withPublicId string, opt ...Option) (int, error)
DeleteManagedGroup deletes the managed group for the provided id from the repository returning a count of the number of records deleted. All options are ignored.
func (*Repository) ListAccounts ¶
func (r *Repository) ListAccounts(ctx context.Context, withAuthMethodId string, opt ...Option) ([]*Account, error)
ListAccounts in an auth method and supports WithLimit option.
func (*Repository) ListAuthMethods ¶
func (r *Repository) ListAuthMethods(ctx context.Context, scopeIds []string, opt ...Option) ([]*AuthMethod, error)
ListAuthMethods returns a slice of AuthMethods for the scopeId. The WithUnauthenticatedUser, WithLimit and WithOrder options are supported and all other options are ignored.
func (*Repository) ListManagedGroupMembershipsByGroup ¶ added in v0.3.0
func (r *Repository) ListManagedGroupMembershipsByGroup(ctx context.Context, withGroupId string, opt ...Option) ([]*ManagedGroupMemberAccount, error)
ListManagedGroupMembershipsByGroup lists managed group memberships via the group ID and supports WithLimit option.
func (*Repository) ListManagedGroupMembershipsByMember ¶ added in v0.3.0
func (r *Repository) ListManagedGroupMembershipsByMember(ctx context.Context, withAcctId string, opt ...Option) ([]*ManagedGroupMemberAccount, error)
ListManagedGroupMembershipsByMember lists managed group memberships via the member (account) ID and supports WithLimit option.
func (*Repository) ListManagedGroups ¶ added in v0.3.0
func (r *Repository) ListManagedGroups(ctx context.Context, withAuthMethodId string, opt ...Option) ([]*ManagedGroup, error)
ListManagedGroups lists the managed groups in an auth method and supports the WithLimit option.
func (*Repository) LookupAccount ¶
func (r *Repository) LookupAccount(ctx context.Context, withPublicId string, opt ...Option) (*Account, error)
LookupAccount will look up an account in the repository. If the account is not found, it will return nil, nil. All options are ignored.
func (*Repository) LookupAuthMethod ¶
func (r *Repository) LookupAuthMethod(ctx context.Context, publicId string, opt ...Option) (*AuthMethod, error)
LookupAuthMethod will look up an auth method in the repo, along with its associated Value Objects of SigningAlgs, CallbackUrls, AudClaims and Certificates. If it's not found, it will return nil, nil. The WithUnauthenticatedUser option is supported and all other options are ignored.
func (*Repository) LookupManagedGroup ¶ added in v0.3.0
func (r *Repository) LookupManagedGroup(ctx context.Context, withPublicId string, opt ...Option) (*ManagedGroup, error)
LookupManagedGroup will look up a managed group in the repository. If the managed group is not found, it will return nil, nil. All options are ignored.
func (*Repository) MakeInactive ¶
func (r *Repository) MakeInactive(ctx context.Context, authMethodId string, version uint32, _ ...Option) (*AuthMethod, error)
MakeInactive will transition an OIDC auth method from either the ActivePrivateState or the ActivePublicState to the InactiveState. No options are supported.
func (*Repository) MakePrivate ¶
func (r *Repository) MakePrivate(ctx context.Context, authMethodId string, version uint32, opt ...Option) (*AuthMethod, error)
MakePrivate will transition an OIDC auth method from either the InactiveState or the ActivePublicState to the ActivePrivateState. If transitioning from the InactiveState, the transition will only succeed if the auth method is complete and oidc.ValidateAuthMethod(...) succeeds. If the WithForce option is provided, oidc.ValidateAuthMethod(...) success is not required.
func (*Repository) MakePublic ¶
func (r *Repository) MakePublic(ctx context.Context, authMethodId string, version uint32, opt ...Option) (*AuthMethod, error)
MakePublic will transition an OIDC auth method from either the InactiveState or the ActivePrivateState to the ActivePublicState. If transitioning from the InactiveState, the transition will only succeed if the auth method is complete and oidc.ValidateAuthMethod(...) succeeds. If the WithForce option is provided, oidc.ValidateAuthMethod(...) success is not required.
func (*Repository) SetManagedGroupMemberships ¶ added in v0.3.0
func (r *Repository) SetManagedGroupMemberships(ctx context.Context, am *AuthMethod, acct *Account, mgs []*ManagedGroup, _ ...Option) ([]*ManagedGroupMemberAccount, int, error)
SetManagedGroupMemberships will set the managed groups for the given account. If mgs is empty, the set of groups the account belongs to will be cleared. It returns the resulting set of managed group memberships (ManagedGroupMemberAccount records).
mgs contains the set of managed groups that matched. Each entry must contain the group's version, as this is used to ensure consistency between the point at which the filter attached to the managed group was run and the point at which the account is added to the group.
func (*Repository) UpdateAccount ¶
func (r *Repository) UpdateAccount(ctx context.Context, scopeId string, a *Account, version uint32, fieldMaskPaths []string, opt ...Option) (*Account, int, error)
UpdateAccount updates the repository entry for a.PublicId with the values in a for the fields listed in fieldMaskPaths. It returns a new Account containing the updated values and a count of the number of records updated. a is not changed.
a must contain a valid PublicId. Only a.Name and a.Description can be updated. If a.Name is set to a non-empty string, it must be unique within a.AuthMethodId.
An attribute of a will be set to NULL in the database if the attribute in a is the zero value and it is included in fieldMaskPaths.
func (*Repository) UpdateAuthMethod ¶
func (r *Repository) UpdateAuthMethod(ctx context.Context, am *AuthMethod, version uint32, fieldMaskPaths []string, opt ...Option) (*AuthMethod, int, error)
UpdateAuthMethod will retrieve the auth method from the repository, and update it based on the field masks provided.
The auth method will not be persisted in the repository if the auth method's OperationalStatus is currently ActivePublic or ActivePrivate and the update would have resulted in an incomplete/non-operational auth method.
During update, the auth method will be tested/validated against its provider's published OIDC discovery document. If this validation succeeds, the auth method is persisted in the repository, and the written auth method is returned.
fieldMaskPaths provides field_mask.proto paths for fields that should be updated. Fields will be set to NULL if the field is a zero value and included in fieldMaskPaths. Name, Description, Issuer, ClientId, ClientSecret, MaxAge are all updatable fields. The AuthMethod's Value Objects of SigningAlgs, CallbackUrls, AudClaims and Certificates are also updatable. If no updatable fields are included in the fieldMaskPaths, then an error is returned.
Options supported:
* WithDryRun: when this option is provided, the auth method is retrieved from the repo, updated based on the fieldMask, tested via Repository.ValidateDiscoveryInfo, the results of the update are returned, and any errors reported. The updates are not persisted to the repository.
* WithForce: when this option is provided, the auth method is persisted in the repository without testing its validity against its provider's published OIDC discovery document. Even if this option is provided, the auth method will not be persisted in the repository when the update would have resulted in an incomplete/non-operational auth method and its OperationalStatus is currently ActivePublic or ActivePrivate.
Also, a successful update will invalidate (delete) the Repository's cache of the oidc.Provider for the AuthMethod.
func (*Repository) UpdateManagedGroup ¶ added in v0.3.0
func (r *Repository) UpdateManagedGroup(ctx context.Context, scopeId string, mg *ManagedGroup, version uint32, fieldMaskPaths []string, opt ...Option) (*ManagedGroup, int, error)
UpdateManagedGroup updates the repository entry for mg.PublicId with the values in mg for the fields listed in fieldMaskPaths. It returns a new ManagedGroup containing the updated values and a count of the number of records updated. mg is not changed.
mg must contain a valid PublicId. Only mg.Name, mg.Description, and mg.Filter can be updated. If mg.Name is set to a non-empty string, it must be unique within mg.AuthMethodId.
An attribute of mg will be set to NULL in the database if the attribute in mg is the zero value and it is included in fieldMaskPaths.
func (*Repository) ValidateDiscoveryInfo ¶
func (r *Repository) ValidateDiscoveryInfo(ctx context.Context, opt ...Option) error
ValidateDiscoveryInfo will test/validate the provided AuthMethod against the info from its discovery URL.
It will verify that all required fields for a working AuthMethod have values.
If the AuthMethod is complete, ValidateDiscoveryInfo retrieves the auth method's OpenID Configuration document. The values in the AuthMethod (and associated data) are validated with the retrieved document. The issuer and id token signing algorithm in the configuration are validated with the retrieved document. ValidateDiscoveryInfo also verifies the authorization, token, and userinfo endpoints by connecting to each and uses any certificates in the configuration as trust anchors to confirm connectivity.
Options supported are: WithPublicId, WithAuthMethod
type SigningAlg ¶
type SigningAlg struct { *store.SigningAlg // contains filtered or unexported fields }
SigningAlg defines a signing algorithm supported by an OIDC auth method. It is assigned to an OIDC AuthMethod and updates/deletes to that AuthMethod are cascaded to its SigningAlgs. SigningAlgs are value objects of an AuthMethod, therefore there's no need for oplog metadata, since only the AuthMethod will have metadata because it's the root aggregate.
func AllocSigningAlg ¶
func AllocSigningAlg() SigningAlg
AllocSigningAlg makes an empty SigningAlg in memory.
func NewSigningAlg ¶
NewSigningAlg creates a new in-memory signing alg assigned to an OIDC AuthMethod. It supports no options.
func (*SigningAlg) SetTableName ¶
func (s *SigningAlg) SetTableName(n string)
SetTableName sets the table name.
func (*SigningAlg) TableName ¶
func (s *SigningAlg) TableName() string
TableName returns the table name.
Source Files ¶
- account.go
- account_claim_map.go
- aud_claim.go
- auth_method.go
- certificate.go
- certificate_utils.go
- claims_scope.go
- client_secret.go
- ids.go
- managed_group.go
- managed_group_member_account.go
- options.go
- provider.go
- query.go
- repository.go
- repository_account.go
- repository_auth_method.go
- repository_auth_method_create.go
- repository_auth_method_delete.go
- repository_auth_method_operational_state.go
- repository_auth_method_read.go
- repository_auth_method_update.go
- repository_managed_group.go
- repository_managed_group_members.go
- rewrapping.go
- service.go
- service_callback.go
- service_start_auth.go
- service_token_request.go
- signing_alg.go
- state.go
- testing.go