callouthook

package v0.0.0-...-147f0cf
Published: Oct 27, 2023 License: MIT Imports: 11 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type NatsCalloutHook

type NatsCalloutHook struct {
	// contains filtered or unexported fields
}

NatsCalloutHook provides an easy-to-use hook to enable auth callout in the NATS server. It combines the parts needed to make callout work: the issuer account, its nkeys, the auth request handler and the auth response creator. Intended for handling callouts in server mode; not for use in operator mode. (It is a lot of work just to get your own authn handler called.)

func EnableNatsCalloutHook

func EnableNatsCalloutHook(srv *service.NatsMsgServer) (*NatsCalloutHook, error)

EnableNatsCalloutHook creates an instance of the NATS callout hook for use with NKey-based configuration options. It configures the server to use auth callout and subscribes to callout requests on the given connection.

Reload the server options for the change to take effect.

NOTE: If password users are defined, the server reports the error "Authorization callout user %q not valid". This comes from a check in nats-server auth.go:291 that skips nkeys when any user is defined in the NATS options. Since this is a check only, the error can be ignored. It would be better, however, to let the callout verifier handle password authentication and not define those users in the NATS users options at all.

The hook needs the inputs listed below. The signature above takes only srv, so in this version they are not passed as separate parameters:

  • serverOpts is the server mode options struct to update
  • issuerAccountName is the name of the account used to issue the JWT tokens
  • issuerAccountKey is the key-pair of the account used to issue the JWT tokens
  • nc is the nats connection to use
  • authnVerifier is the callback handler to verify an authn request

func (*NatsCalloutHook) GetCounters

func (chook *NatsCalloutHook) GetCounters() (int, int)

GetCounters returns the number of successful and failed callout requests.

type NatsCalloutVerifier

type NatsCalloutVerifier struct {
	// contains filtered or unexported fields
}

NatsCalloutVerifier provides client verification using callout hooks.

callout -> handler -> tokenizer -> verify ? auth -> server -> createToken -> tokenizer -> create ? needs authz ?

This supports authentication using password, nkey, certificate and JWT token. To use it, provide VerifyAuthnReq to EnableNatsCalloutHook() as the authn verifier; it determines per request which authn method applies.

func NewNatsCoVerifier

func NewNatsCoVerifier(
	msgServer *service.NatsMsgServer, caCert *x509.Certificate) *NatsCalloutVerifier

func (*NatsCalloutVerifier) VerifyAuthnReq

func (v *NatsCalloutVerifier) VerifyAuthnReq(claims *jwt.AuthorizationRequestClaims) (clientID string, err error)

VerifyAuthnReq verifies the authentication request. For use with the callout hook to verify the various means of authentication. The claims carry the possible auth methods: password, nkey, jwt, certs.

Note that the NATS server can already authenticate passwords, nkeys, certs and JWT tokens on its own. However, NATS does not support using the password, nkey, cert and jwt methods side by side. This verifier handles them all. Since the server is updated with the client auth info, the actual verification goes back to the server: effectively a very roundabout way of doing what the server should have been able to do itself.

func (*NatsCalloutVerifier) VerifyClientCert

func (v *NatsCalloutVerifier) VerifyClientCert(claims *jwt.AuthorizationRequestClaims) (string, error)

VerifyClientCert checks that a client certificate was used to connect and that it is the certificate of the claimed clientID. There is no documentation on how to use this, so it uses the claims.TLS.VerifiedChains field, as the claims.TLS.Cert field is empty. VerifiedChains is only populated when the server's TLS configuration requests and verifies client certificates (tls { verify: true }), so the check depends on that server setting.
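As an added example (not the callouthook package's own code), here is the check VerifyClientCert describes, written against claims.TLS.VerifiedChains, which has the shape [][]*x509.Certificate: take the leaf of the first verified chain and compare its identity with the claimed clientID. The example assumes the identity lives in the certificate CN and additionally requires the clientAuth extended key usage; the CA and leaf certificates are constructed in code so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// clientIDFromChains mirrors the check VerifyClientCert describes: the server
// has already validated the chain against its CA (tls { verify: true }), so the
// callout only needs the leaf of the first verified chain and a comparison of
// its identity with the clientID the connection claims. Using the CN as the
// identity is an assumption of this example; a deployment may use a SAN.
func clientIDFromChains(verifiedChains [][]*x509.Certificate, claimedID string) (string, error) {
	if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
		// No client certificate was presented, or the server did not verify it.
		return "", errors.New("authorization request carries no verified client certificate")
	}
	leaf := verifiedChains[0][0]
	hasClientAuth := false
	for _, eku := range leaf.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			hasClientAuth = true
		}
	}
	if !hasClientAuth {
		// A server or CA certificate reused as a client credential is rejected.
		return "", errors.New("client certificate lacks the clientAuth extended key usage")
	}
	if leaf.Subject.CommonName != claimedID {
		return "", fmt.Errorf("certificate CN %q does not match claimed client ID %q",
			leaf.Subject.CommonName, claimedID)
	}
	return leaf.Subject.CommonName, nil
}

// newVerifiedChains builds a constructed CA and a leaf signed by it, then runs
// the same x509 chain verification a TLS server performs for client
// certificates. The result has the shape of claims.TLS.VerifiedChains.
func newVerifiedChains(cn string, clientAuth bool) ([][]*x509.Certificate, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if clientAuth {
		leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	// KeyUsages matches what a TLS server requires of a client certificate.
	return leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
}

func main() {
	chains, err := newVerifiedChains("device-42", true)
	if err != nil {
		panic(err)
	}
	for _, claimed := range []string{"device-42", "device-43"} {
		id, err := clientIDFromChains(chains, claimed)
		fmt.Printf("claimed %q -> id %q, err %v\n", claimed, id, err)
	}
}
```

The example is deliberately strict about empty chains: VerifiedChains is only populated when the nats-server TLS block has verify: true, so an empty list means the server never checked a client certificate, and the request is rejected rather than falling through to another method.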

func (*NatsCalloutVerifier) VerifyNKey

func (v *NatsCalloutVerifier) VerifyNKey(claims *jwt.AuthorizationRequestClaims) (string, error)

VerifyNKey verifies the nkey claim. Don't use this as it is incomplete. The nats-server nkey challenge is embedded deep in its auth code and can't be easily separated. Workaround: let the server handle NKeys through static config.

See also nats-server auth.go:990 for how nkeys are handled. It is not pretty.

func (*NatsCalloutVerifier) VerifyPassword

func (v *NatsCalloutVerifier) VerifyPassword(claims *jwt.AuthorizationRequestClaims) (string, error)

VerifyPassword checks the password claim.

func (*NatsCalloutVerifier) VerifyToken

func (v *NatsCalloutVerifier) VerifyToken(claims *jwt.AuthorizationRequestClaims) (string, error)

VerifyToken verifies any JWT token.
