iamauth

package v1.12.0-beta1
Published: Apr 4, 2022 License: MPL-2.0 Imports: 26 Imported by: 0

README

This is an internal package to house the AWS IAM auth method utilities for potential future extraction from Consul.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GenerateLoginData

func GenerateLoginData(in *LoginInput) (map[string]interface{}, error)

GenerateLoginData populates the necessary data to send for the bearer token. https://github.com/hashicorp/go-secure-stdlib/blob/main/awsutil/generate_credentials.go#L232-L301

Types

type Authenticator

type Authenticator struct {
	// contains filtered or unexported fields
}

func NewAuthenticator

func NewAuthenticator(config *Config, logger hclog.Logger) (*Authenticator, error)

func (*Authenticator) ValidateLogin

func (a *Authenticator) ValidateLogin(ctx context.Context, loginToken string) (*IdentityDetails, error)

ValidateLogin determines if the identity in the loginToken is permitted to login. If so, it returns details about the identity. Otherwise, an error is returned.

type BearerToken

type BearerToken struct {
	// contains filtered or unexported fields
}

BearerToken is a login "token" for an IAM auth method. It is a signed sts:GetCallerIdentity request in JSON format. Optionally, it can include a signed embedded iam:GetRole or iam:GetUser request in the headers.

func NewBearerToken

func NewBearerToken(loginToken string, config *Config) (*BearerToken, error)

func (*BearerToken) GetCallerIdentityRequest

func (t *BearerToken) GetCallerIdentityRequest() (*http.Request, error)

GetCallerIdentityRequest returns the sts:GetCallerIdentity request decoded from the bearer token.

func (*BearerToken) GetEntityRequest

func (t *BearerToken) GetEntityRequest() (*http.Request, error)

GetEntityRequest returns the iam:GetUser or iam:GetRole request embedded in the headers of the sts:GetCallerIdentity request, if one is present.

func (*BearerToken) UnmarshalJSON

func (t *BearerToken) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals the bearer token details, which contain an HTTP request (a signed sts:GetCallerIdentity request).
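A bearer token is a signed sts:GetCallerIdentity request carried as JSON, so the server has to vet what it decodes before forwarding it to STS. The function below is an added example, not code from the iamauth package: it assumes a simplified JSON layout (`method`, `url`, `headers`, `body`) for the token and a `CheckConfig` mirroring the `Config` fields `STSEndpoint` (reduced to its host), `ServerIDHeaderName`/`ServerIDHeaderValue` and `AllowedSTSHeaderValues`, which it treats as an allow-list of header names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// CheckConfig is the subset of the package's Config that this check uses.
type CheckConfig struct {
	STSHost                string   // host part of Config.STSEndpoint; the only accepted target
	ServerIDHeaderName     string   // header that must carry ServerIDHeaderValue
	ServerIDHeaderValue    string
	AllowedSTSHeaderValues []string // assumed: header names a token may carry
}
// DecodeAndCheck rebuilds the http.Request carried by a bearer token and rejects it unless
// it is a POST GetCallerIdentity to the STS host, bound to this server, with allowed headers only.
func DecodeAndCheck(cfg CheckConfig, token string) (*http.Request, error) {
	var wt struct { // ASSUMED JSON layout; the real one is produced by GenerateLoginData
		Method  string              `json:"method"`
		URL     string              `json:"url"`
		Headers map[string][]string `json:"headers"`
		Body    string              `json:"body"`
	}
	if err := json.Unmarshal([]byte(token), &wt); err != nil {
		return nil, fmt.Errorf("decode bearer token: %w", err)
	}
	req, err := http.NewRequest(wt.Method, wt.URL, strings.NewReader(wt.Body))
	if err != nil {
		return nil, err
	}
	allowed := map[string]bool{}
	for _, h := range cfg.AllowedSTSHeaderValues {
		allowed[http.CanonicalHeaderKey(h)] = true
	}
	for k, vs := range wt.Headers { // canonicalise so Get() and the allow-list agree
		if !allowed[http.CanonicalHeaderKey(k)] {
			return nil, fmt.Errorf("header %q is not in AllowedSTSHeaderValues", k)
		}
		req.Header[http.CanonicalHeaderKey(k)] = vs
	}
	switch {
	case req.Method != http.MethodPost || req.URL.Host != cfg.STSHost || wt.Body != "Action=GetCallerIdentity&Version=2011-06-15":
		return nil, fmt.Errorf("%s %s is not a GetCallerIdentity POST to the configured STS host", req.Method, req.URL.Host)
	case req.Header.Get(cfg.ServerIDHeaderName) != cfg.ServerIDHeaderValue:
		return nil, fmt.Errorf("missing or wrong %s header", cfg.ServerIDHeaderName)
	}
	return req, nil
}
```

The returned request is the one a server would then forward to STS; the signature itself is verified by STS, not here, which is why the method, host, body and header checks must happen first.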

type Config

type Config struct {
	BoundIAMPrincipalARNs  []string
	EnableIAMEntityDetails bool
	IAMEntityTags          []string
	ServerIDHeaderValue    string
	MaxRetries             int
	IAMEndpoint            string
	STSEndpoint            string
	STSRegion              string
	AllowedSTSHeaderValues []string

	// Customizable header names
	ServerIDHeaderName     string
	GetEntityMethodHeader  string
	GetEntityURLHeader     string
	GetEntityHeadersHeader string
	GetEntityBodyHeader    string
}

func (*Config) Validate

func (c *Config) Validate() error

type IdentityDetails

type IdentityDetails struct {
	EntityName string
	EntityId   string
	AccountId  string

	EntityPath string
	EntityTags map[string]string
}

type LoginInput

type LoginInput struct {
	Creds            *credentials.Credentials
	IncludeIAMEntity bool
	STSEndpoint      string
	STSRegion        string

	Logger hclog.Logger

	ServerIDHeaderValue string
	// Customizable header names
	ServerIDHeaderName     string
	GetEntityMethodHeader  string
	GetEntityURLHeader     string
	GetEntityHeadersHeader string
	GetEntityBodyHeader    string
}
