Documentation ¶
Overview ¶
Copyright © 2019, Oracle and/or its affiliates.
Index ¶
- Constants
- Variables
- func Backend() (*backend, error)
- func CreateLoginData(addr string, m map[string]string, path string) (map[string]interface{}, error)
- func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
- func GetSignedAPIRequestHeaders(addr, path string) (http.Header, error)
- func GetSignedInstanceRequestHeaders(addr, path string) (http.Header, error)
- type AuthenticateClientDetails
- type AuthenticateClientRequest
- func (request AuthenticateClientRequest) BinaryRequestBody() (*common.OCIReadSeekCloser, bool)
- func (request AuthenticateClientRequest) HTTPRequest(method, path string, binaryRequestBody *common.OCIReadSeekCloser, ...) (http.Request, error)
- func (request AuthenticateClientRequest) RetryPolicy() *common.RetryPolicy
- func (request AuthenticateClientRequest) String() string
- type AuthenticateClientResponse
- type AuthenticateClientResult
- type AuthenticationClient
- func (client AuthenticationClient) AuthenticateClient(ctx context.Context, request AuthenticateClientRequest) (response AuthenticateClientResponse, err error)
- func (client AuthenticationClient) FilterGroupMembership(ctx context.Context, request FilterGroupMembershipRequest) (response FilterGroupMembershipResponse, err error)
- func (client *AuthenticationClient) SetHost(host string)
- func (client *AuthenticationClient) SetRegion(region string)
- type CLIHandler
- type Claim
- type FilterGroupMembershipDetails
- type FilterGroupMembershipRequest
- func (request FilterGroupMembershipRequest) BinaryRequestBody() (*common.OCIReadSeekCloser, bool)
- func (request FilterGroupMembershipRequest) HTTPRequest(method, path string, binaryRequestBody *common.OCIReadSeekCloser, ...) (http.Request, error)
- func (request FilterGroupMembershipRequest) RetryPolicy() *common.RetryPolicy
- func (request FilterGroupMembershipRequest) String() string
- type FilterGroupMembershipResponse
- type FilterGroupMembershipResult
- type InternalClaim
- type InternalClaims
- type OCIConfigEntry
- type OCIRoleEntry
- type OciClient
- type Principal
Constants ¶
const (
	PrincipalTypeUser     = "user"
	PrincipalTypeInstance = "instance"
)
These constants define types of principal
const (
	PathVersionBase    = "/v1"
	PathBaseFormat     = "/auth/%s/login/%s"
	PathLoginMethod    = "get"
	PathSegmentAuth    = "auth"
	PathSegmentLogin   = "login"
	PathSegmentVersion = "v1"
)
These constants store the required HTTP path and method information for validating the signed request
const (
	// HdrRequestTarget represents the special header name used to refer to the HTTP verb and URI in the signature.
	HdrRequestTarget = `(request-target)`
)
Signing Header constants
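The path and signing-header constants above tie a signed login request to one auth mount and one role. The following is an added example, not code from this package: the helpers `expectedRequestTarget` and `checkRequestTarget` are hypothetical, the constants are copied from this page, and the target format (method, a space, then `PathVersionBase` plus the formatted path) and the sample mount `oci` and role `dev` are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Copies of the constants documented on this page.
const (
	PathVersionBase  = "/v1"
	PathBaseFormat   = "/auth/%s/login/%s"
	PathLoginMethod  = "get"
	HdrRequestTarget = "(request-target)"
)

// expectedRequestTarget (hypothetical helper) builds the value the signature
// is assumed to cover: "<method> <path>" for one mount and one role.
func expectedRequestTarget(mount, role string) string {
	return PathLoginMethod + " " + PathVersionBase + fmt.Sprintf(PathBaseFormat, mount, role)
}

// checkRequestTarget (hypothetical helper) rejects signed headers whose
// request-target does not name exactly this mount and role.
func checkRequestTarget(hdrs map[string][]string, mount, role string) error {
	if mount == "" || role == "" || strings.ContainsAny(role, "/ ?#") {
		return errors.New("invalid mount or role name")
	}
	vals := hdrs[HdrRequestTarget]
	if len(vals) != 1 {
		return fmt.Errorf("want exactly one %s value, got %d", HdrRequestTarget, len(vals))
	}
	if vals[0] != expectedRequestTarget(mount, role) {
		return fmt.Errorf("signed target %q does not match login path for role %q", vals[0], role)
	}
	return nil
}

func main() {
	// Constructed sample: headers signed for role "dev" on mount "oci".
	signed := map[string][]string{
		HdrRequestTarget: {"get /v1/auth/oci/login/dev"},
		"date":           {"Mon, 01 Jan 2024 00:00:00 GMT"},
	}
	fmt.Println(checkRequestTarget(signed, "oci", "dev"))   // accepted
	fmt.Println(checkRequestTarget(signed, "oci", "admin")) // rejected: signed for another role
}
```

Because the role name is part of the signed target, headers signed for one role fail this check when presented at another role's login path.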
const (
	HomeTenancyIdConfigName = "home_tenancy_id"
)
These constants store the configuration keys
const (
	// Increasing this above this limit might require implementing
	// client-side paging in the filterGroupMembership API
	MaxOCIDsPerRole = 100
)
Constants for role specific data
Variables ¶
var (
	ClaimPrincipalType = "ptype"
)
This constant defines the Principal type key
Functions ¶
func CreateLoginData ¶
CreateLoginData creates the interface required for a login request, signed using the corresponding OCI Identity Principal
func GetSignedAPIRequestHeaders ¶ added in v0.13.0
Types ¶
type AuthenticateClientDetails ¶
type AuthenticateClientDetails struct {
	RequestHeaders map[string][]string `json:"requestHeaders"`
}
Stores the request headers required for authenticating the client
func (AuthenticateClientDetails) String ¶
func (m AuthenticateClientDetails) String() string
Prints the values of pointers in AuthenticateClientDetails, producing a human-friendly string for a struct with pointers. Useful when debugging the values of a struct.
type AuthenticateClientRequest ¶
type AuthenticateClientRequest struct {
	// Request object for AuthenticateClientRequest
	AuthenticateClientDetails `contributesTo:"body"`
	// A token that uniquely identifies a request so it can be retried in case of a timeout or
	// server error without risk of executing that same action again. Retry tokens expire after 24
	// hours, but can be invalidated before then due to conflicting operations (e.g., if a resource
	// has been deleted and purged from the system, then a retry of the original creation request
	// may be rejected).
	OpcRetryToken *string `mandatory:"false" contributesTo:"header" name:"opc-retry-token"`
	// Unique Oracle-assigned identifier for the request.
	// If you need to contact Oracle about a particular request, please provide the request ID.
	OpcRequestId *string `mandatory:"false" contributesTo:"header" name:"opc-request-id"`
	// Metadata about the request. This information will not be transmitted to the service, but
	// represents information that the SDK will consume to drive retry behavior.
	RequestMetadata common.RequestMetadata
}
Stores the request body and meta-data required for authenticating the client
func (AuthenticateClientRequest) BinaryRequestBody ¶ added in v0.15.0
func (request AuthenticateClientRequest) BinaryRequestBody() (*common.OCIReadSeekCloser, bool)
BinaryRequestBody implements the OCIRequest interface
func (AuthenticateClientRequest) HTTPRequest ¶
func (request AuthenticateClientRequest) HTTPRequest(method, path string, binaryRequestBody *common.OCIReadSeekCloser, extraHeaders map[string]string) (http.Request, error)
HTTPRequest implements the OCIRequest interface
func (AuthenticateClientRequest) RetryPolicy ¶
func (request AuthenticateClientRequest) RetryPolicy() *common.RetryPolicy
RetryPolicy implements the OCIRetryableRequest interface. This retrieves the specified retry policy.
func (AuthenticateClientRequest) String ¶
func (request AuthenticateClientRequest) String() string
Prints the values of pointers in AuthenticateClientRequest, producing a human-friendly string for a struct with pointers. Useful when debugging the values of a struct.
type AuthenticateClientResponse ¶
type AuthenticateClientResponse struct {
	// The underlying http response
	RawResponse *http.Response
	// The AuthenticateClientResult instance
	AuthenticateClientResult `presentIn:"body"`
	// Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a
	// particular request, please provide the request ID.
	OpcRequestId *string `presentIn:"header" name:"opc-request-id"`
	// For optimistic concurrency control. See `if-match`.
	Etag *string `presentIn:"header" name:"etag"`
}
Stores the response of the AuthenticateClient request, including meta-data.
func (AuthenticateClientResponse) HTTPResponse ¶
func (response AuthenticateClientResponse) HTTPResponse() *http.Response
HTTPResponse implements the OCIResponse interface
func (AuthenticateClientResponse) String ¶
func (response AuthenticateClientResponse) String() string
Prints the values of pointers in AuthenticateClientResponse, producing a human-friendly string for a struct with pointers. Useful when debugging the values of a struct.
type AuthenticateClientResult ¶
type AuthenticateClientResult struct {
	Principal    *Principal `json:"principal"`
	ErrorMessage *string    `json:"errorMessage"`
	IsSuccess    *bool      `json:"success"`
}
Contains the result of the Authenticate Client request.
func (AuthenticateClientResult) String ¶
func (m AuthenticateClientResult) String() string
Prints the values of pointers in AuthenticateClientResult, producing a human-friendly string for a struct with pointers. Useful when debugging the values of a struct.
type AuthenticationClient ¶
type AuthenticationClient struct {
	common.BaseClient
	// contains filtered or unexported fields
}
AuthenticationClient stores the client and configuration details for authenticating
func NewAuthenticationClientWithConfigurationProvider ¶
func NewAuthenticationClientWithConfigurationProvider(configProvider common.ConfigurationProvider) (client AuthenticationClient, err error)
NewAuthenticationClientWithConfigurationProvider creates a new default Authentication client with the given configuration provider. The configuration provider will be used for the default signer as well as for reading the region.
func (AuthenticationClient) AuthenticateClient ¶
func (client AuthenticationClient) AuthenticateClient(ctx context.Context, request AuthenticateClientRequest) (response AuthenticateClientResponse, err error)
AuthenticateClient takes in a request to authenticate a client, makes the API request to OCI Identity and returns the Response. If the authentication is successful, the AuthenticateClientResult member of the response will contain the Principal of the authenticated entity.
func (AuthenticationClient) FilterGroupMembership ¶
func (client AuthenticationClient) FilterGroupMembership(ctx context.Context, request FilterGroupMembershipRequest) (response FilterGroupMembershipResponse, err error)
FilterGroupMembership takes in a list of Group or Dynamic Group IDs and a Principal context and makes an API request to OCI Identity. If the request is successful, it returns the subset of the request groups that the entity corresponding to the Principal is a part of.
func (*AuthenticationClient) SetHost ¶
func (client *AuthenticationClient) SetHost(host string)
SetHost overrides the host of this client.
func (*AuthenticationClient) SetRegion ¶
func (client *AuthenticationClient) SetRegion(region string)
SetRegion overrides the region of this client.
type CLIHandler ¶
type CLIHandler struct{}
func (*CLIHandler) Help ¶
func (h *CLIHandler) Help() string
type Claim ¶
type Claim struct {
	Key    *string `json:"key"`
	Value  *string `json:"value"`
	Issuer *string `json:"issuer"`
}
Stores a list of claims of a Principal
type FilterGroupMembershipDetails ¶
type FilterGroupMembershipDetails struct {
	Principal Principal `json:"principal"`
	GroupIds  []string  `json:"groupIds"`
}
Stores the Principal and list of Group or Dynamic Group Ids required for the filtering request
func (FilterGroupMembershipDetails) String ¶
func (m FilterGroupMembershipDetails) String() string
Prints the values of pointers in FilterGroupMembershipDetails, producing a human-friendly string for a struct with pointers. Useful when debugging the values of a struct.
type FilterGroupMembershipRequest ¶
type FilterGroupMembershipRequest struct {
	// Request object for FilterGroupMembershipRequest
	FilterGroupMembershipDetails `contributesTo:"body"`
	// A token that uniquely identifies a request so it can be retried in case of a timeout or
	// server error without risk of executing that same action again. Retry tokens expire after 24
	// hours, but can be invalidated before then due to conflicting operations (e.g., if a resource
	// has been deleted and purged from the system, then a retry of the original creation request
	// may be rejected).
	OpcRetryToken *string `mandatory:"false" contributesTo:"header" name:"opc-retry-token"`
	// Unique Oracle-assigned identifier for the request.
	// If you need to contact Oracle about a particular request, please provide the request ID.
	OpcRequestId *string `mandatory:"false" contributesTo:"header" name:"opc-request-id"`
	// Metadata about the request. This information will not be transmitted to the service, but
	// represents information that the SDK will consume to drive retry behavior.
	RequestMetadata common.RequestMetadata
}
Stores the request body and meta-data required for filtering the group membership
func (FilterGroupMembershipRequest) BinaryRequestBody ¶ added in v0.15.0
func (request FilterGroupMembershipRequest) BinaryRequestBody() (*common.OCIReadSeekCloser, bool)
BinaryRequestBody implements the OCIRequest interface
func (FilterGroupMembershipRequest) HTTPRequest ¶
func (request FilterGroupMembershipRequest) HTTPRequest(method, path string, binaryRequestBody *common.OCIReadSeekCloser, extraHeaders map[string]string) (http.Request, error)
HTTPRequest implements the OCIRequest interface
func (FilterGroupMembershipRequest) RetryPolicy ¶
func (request FilterGroupMembershipRequest) RetryPolicy() *common.RetryPolicy
RetryPolicy implements the OCIRetryableRequest interface. This retrieves the specified retry policy.
func (FilterGroupMembershipRequest) String ¶
func (request FilterGroupMembershipRequest) String() string
type FilterGroupMembershipResponse ¶
type FilterGroupMembershipResponse struct {
	// The underlying http response
	RawResponse *http.Response
	// The FilterGroupMembershipResult instance
	FilterGroupMembershipResult `presentIn:"body"`
	// Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a
	// particular request, please provide the request ID.
	OpcRequestId *string `presentIn:"header" name:"opc-request-id"`
	// For optimistic concurrency control. See `if-match`.
	Etag *string `presentIn:"header" name:"etag"`
}
Stores the response of the FilterGroupMembership request, including meta-data.
func (FilterGroupMembershipResponse) HTTPResponse ¶
func (response FilterGroupMembershipResponse) HTTPResponse() *http.Response
HTTPResponse implements the OCIResponse interface
func (FilterGroupMembershipResponse) String ¶
func (response FilterGroupMembershipResponse) String() string
type FilterGroupMembershipResult ¶
type FilterGroupMembershipResult struct {
	Principal Principal `json:"principal"`
	GroupIds  []string  `json:"groupIds"`
}
Contains the result of the FilterGroupMembership request.
func (FilterGroupMembershipResult) String ¶
func (m FilterGroupMembershipResult) String() string
Prints the values of pointers in FilterGroupMembershipResult, producing a human-friendly string for a struct with pointers. Useful when debugging the values of a struct.
type InternalClaim ¶
type InternalClaim struct {
	Issuer string `json:"issuer"`
	Key    string `json:"key"`
	Value  string `json:"value"`
}
InternalClaim is a representation of a JWT claim
func FromClaim ¶
func FromClaim(claim Claim) InternalClaim
FromClaim takes in a claim and converts it to an InternalClaim
type InternalClaims ¶
type InternalClaims map[string][]InternalClaim
InternalClaims represents a collection of JWT claims
func FromClaims ¶
func FromClaims(claimList []Claim) InternalClaims
FromClaims takes in a list of claims and converts it to InternalClaims
func (InternalClaims) GetSingleClaim ¶
func (c InternalClaims) GetSingleClaim(key string) InternalClaim
GetSingleClaim returns single claim given a claim type.
func (InternalClaims) GetString ¶
func (c InternalClaims) GetString(key string) string
GetString returns the claim value given a claim type.
type OCIConfigEntry ¶
type OCIConfigEntry struct {
	HomeTenancyId string `json:"home_tenancy_id"`
}
Struct to hold the information associated with an OCI config
type OCIRoleEntry ¶
type OCIRoleEntry struct {
	tokenutil.TokenParams
	OcidList []string `json:"ocid_list"`
}
Struct to hold the information associated with an OCI role
type OciClient ¶
type OciClient struct {
	common.BaseClient
	// contains filtered or unexported fields
}
OciClient stores the client and configuration details for making API requests to OCI Identity Service
func NewOciClientWithConfigurationProvider ¶
func NewOciClientWithConfigurationProvider(configProvider common.ConfigurationProvider) (client OciClient, err error)
NewOciClientWithConfigurationProvider creates a new default Identity client with the given configuration provider. The configuration provider will be used for the default signer as well as for reading the region.
Source Files ¶
- authenticate_client_details.go
- authenticate_client_request_response.go
- authenticate_client_result.go
- authentication_client.go
- backend.go
- cli.go
- filter_group_membership_details.go
- filter_group_membership_request_response.go
- filter_group_membership_result.go
- internal_claims.go
- oci_client.go
- path_config.go
- path_login.go
- path_role.go
- principal.go
- slice_helper.go