Documentation
Index
- func AuthMiddleware(h http.Handler, mdstore *fedtls.MetadataStore, apiKey *APIKey) http.Handler
- func EntityIDFromContext(ctx context.Context) string
- func Limiter(h http.Handler, r rate.Limit, b int) http.Handler
- func OrganizationFromContext(ctx context.Context) *string
- func OrganizationIDFromContext(ctx context.Context) *string
- type APIKey
- type AuthStatus
- type ConnContext
- type ContextConnection
- type MetadataTLSConfigManager
- type TLSConfigManager
Constants
This section is empty.
Variables
This section is empty.
Functions
func AuthMiddleware
AuthMiddleware is the authentication middleware for federated TLS authentication.
It assumes that the http.Server is set up with the ConnContext returned by ContextModifier(), so that the middleware can reach the connection behind each request and keep the authentication result in the context tied to that connection.
func EntityIDFromContext
EntityIDFromContext returns the authenticated entity ID.
A request handler can call this to find out who made the request, provided the authentication middleware runs before the handler.
func OrganizationFromContext
OrganizationFromContext returns the peer's organization or nil.
nil is returned if the organization property isn't set for the entity in the metadata.
func OrganizationIDFromContext
OrganizationIDFromContext returns the peer's organization ID or nil.
nil is returned if the organization_id property isn't set for the entity in the metadata.
Types
type APIKey added in v1.1.0
type APIKey struct {
	HeaderName string // Name of HTTP header to use
	Key        string // The actual API key
}
APIKey is used to configure an API key to use in all requests made by the middleware.
type AuthStatus
type AuthStatus struct {
	// Granted tells us if the connection was successfully authenticated
	Granted bool
	// EntityID will be set to the connecting peer's entity ID if Granted == true
	EntityID string
	// Set if Granted == true and there was an organization attribute for the entity in metadata
	Organization *string
	// Set if Granted == true and there was an organization id attribute for the entity in metadata
	OrganizationID *string
}
AuthStatus shows us if a connection is authenticated and, if so, who the peer is.
type ConnContext
ConnContext is used by net/http.Server to set up a connection-specific context.
func ContextModifier
func ContextModifier() ConnContext
ContextModifier returns a function that will modify the context for requests on a server.
The context will contain a ContextConnection, which lets the middleware authenticate the connection from its client certificate on the first request and reuse that result for later requests on the same connection.
type ContextConnection
type ContextConnection struct {
	// contains filtered or unexported fields
}
ContextConnection is stored in the per-connection context, so it is shared by all requests on that connection.
func ConnectionFromContext
func ConnectionFromContext(ctx context.Context) *ContextConnection
ConnectionFromContext gets the ContextConnection from the context.
Typically called from the authentication middleware to do the authentication and either deny the request or pass it through to the actual request handler.
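The per-connection flow described above for AuthMiddleware, ContextModifier and ConnectionFromContext, as an added example written for this page (not the fedtls package's own code): a small middleware that authenticates a connection once from its TLS-verified client certificate, keeps the outcome in the connection's context and lets handlers read the entity ID back. Everything named here is an assumption of the example: connRecord plays the role of ContextConnection, the pins map (SHA-256 of the SubjectPublicKeyInfo to entity ID) stands in for the metadata store, and simulate and DemoConnAuth drive the middleware with constructed requests whose certificates carry made-up SPKI bytes, so nothing touches the network.

```go
package main
import (
	"context"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
)
// connRecord is the per-connection state ContextModifier installs: the TLS layer verifies the
// client certificate once per connection, so it is mapped to an entity ID once as well.
type connRecord struct {
	mu       sync.Mutex
	done     bool   // authentication already attempted on this connection
	granted  bool   // outcome, meaningful once done
	entityID string // who the peer is, if granted
}
type ctxKey struct{}
// ContextModifier returns the function to install as http.Server.ConnContext.
func ContextModifier() func(context.Context, net.Conn) context.Context {
	return func(ctx context.Context, _ net.Conn) context.Context {
		return context.WithValue(ctx, ctxKey{}, &connRecord{})
	}
}
// pins stands in for the metadata store (SHA-256 of SubjectPublicKeyInfo -> entity ID);
// an assumption of this demo, filled with constructed values rather than real metadata.
type pins map[[32]byte]string
var lookups int // how often the "metadata" was consulted; makes the caching visible
// resolve identifies the peer from its TLS-verified certificate. PeerCertificates[0] is the leaf
// the listener already chain-verified, which only holds with ClientAuth: tls.RequireAndVerifyClientCert.
func (p pins) resolve(cs *tls.ConnectionState) (granted bool, entityID string) {
	lookups++
	if cs == nil || len(cs.PeerCertificates) == 0 {
		return false, "" // plain HTTP or no client certificate: not granted
	}
	entityID, granted = p[sha256.Sum256(cs.PeerCertificates[0].RawSubjectPublicKeyInfo)]
	return granted, entityID
}
// AuthMiddleware authenticates once per connection and rejects unknown peers.
func AuthMiddleware(h http.Handler, p pins) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rec, ok := r.Context().Value(ctxKey{}).(*connRecord)
		if !ok { // ConnContext not installed: fail closed
			http.Error(w, "server misconfigured", http.StatusInternalServerError)
			return
		}
		rec.mu.Lock()
		if !rec.done {
			rec.granted, rec.entityID = p.resolve(r.TLS)
			rec.done = true
		}
		granted := rec.granted
		rec.mu.Unlock()
		if !granted {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		h.ServeHTTP(w, r)
	})
}
// EntityIDFromContext returns the entity ID recorded for the request's connection, or "".
func EntityIDFromContext(ctx context.Context) string {
	rec, ok := ctx.Value(ctxKey{}).(*connRecord)
	if !ok {
		return ""
	}
	rec.mu.Lock()
	defer rec.mu.Unlock()
	return rec.entityID
}
// simulate sends n requests over one simulated connection, applying ContextModifier by hand
// instead of through http.Server so that no sockets are needed.
func simulate(h http.Handler, cs *tls.ConnectionState, n int) (codes []int, bodies []string) {
	ctx := ContextModifier()(context.Background(), nil)
	for i := 0; i < n; i++ {
		req := httptest.NewRequest("GET", "/whoami", nil).WithContext(ctx)
		req.TLS = cs
		w := httptest.NewRecorder()
		h.ServeHTTP(w, req)
		codes, bodies = append(codes, w.Code), append(bodies, w.Body.String())
	}
	return codes, bodies
}

// DemoConnAuth sends three requests on a pinned connection (returning their codes, the first body
// and the lookup count) and then one request on a connection with an unknown certificate.
func DemoConnAuth() (codes []int, body string, pinnedLookups int, unknown int) {
	known := &x509.Certificate{RawSubjectPublicKeyInfo: []byte("constructed SPKI of entity-a")}
	stranger := &x509.Certificate{RawSubjectPublicKeyInfo: []byte("constructed SPKI of nobody")}
	p := pins{sha256.Sum256(known.RawSubjectPublicKeyInfo): "https://entity-a.example"}
	h := AuthMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello " + EntityIDFromContext(r.Context())))
	}), p)
	lookups = 0
	codes, bodies := simulate(h, &tls.ConnectionState{PeerCertificates: []*x509.Certificate{known}}, 3)
	pinnedLookups = lookups
	u, _ := simulate(h, &tls.ConnectionState{PeerCertificates: []*x509.Certificate{stranger}}, 1)
	return codes, bodies[0], pinnedLookups, u[0]
}
```

With a real server the wiring is `&http.Server{TLSConfig: cfg, ConnContext: ContextModifier(), Handler: AuthMiddleware(h, p)}`, where cfg must set ClientAuth to tls.RequireAndVerifyClientCert: the middleware trusts PeerCertificates[0] precisely because the TLS layer already verified the chain against the client CAs, and it never re-validates it. Two points carry the weight: the fail-closed branch when the connection record is missing (a server without ConnContext refuses every request instead of silently re-authenticating per request), and the mutex, which keeps concurrent HTTP/2 streams on one connection from racing on the first authentication.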
type MetadataTLSConfigManager
type MetadataTLSConfigManager struct {
	// contains filtered or unexported fields
}
MetadataTLSConfigManager creates and manages a tls.Config for a TLS listener whose CA store changes dynamically as the MetadataStore fetches new metadata from the federation operator.
func NewMetadataTLSConfigManager
func NewMetadataTLSConfigManager(certFile, keyFile string, mdstore *fedtls.MetadataStore) (*MetadataTLSConfigManager, error)
NewMetadataTLSConfigManager creates a new TLS config manager connected to a MetadataStore. The config manager listens for changes from the metadata store and hot-swaps the CA store.
func (*MetadataTLSConfigManager) Config
func (mdTLSConfigManager *MetadataTLSConfigManager) Config() *tls.Config
Config returns a tls.Config which can be used by a TLS listener.
type TLSConfigManager
type TLSConfigManager struct {
	// contains filtered or unexported fields
}
TLSConfigManager constructs a dynamic tls.Config object used by TLS listeners.
tls.Config supports hot-swapping CA stores and similar settings without closing the listener. This type simplifies creating such a tls.Config for our purposes: the client certificate authorities must be replaceable whenever new metadata is loaded.
func NewTLSConfigManager
func NewTLSConfigManager(certFile, keyFile string) (*TLSConfigManager, error)
func (*TLSConfigManager) Config
func (mgr *TLSConfigManager) Config() *tls.Config
Config returns a tls.Config that can be used by a TLS listener.
func (*TLSConfigManager) SetTrusted
func (mgr *TLSConfigManager) SetTrusted(clientCAs *x509.CertPool)
SetTrusted replaces the client certificate authorities.
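How a listener can swap its client CA pool without being closed, as an added example for this page (not the project's TLSConfigManager): Go's hook for per-handshake configuration is tls.Config.GetConfigForClient, and the ConfigManager below uses it to read whichever pool is current at that moment. It deviates from NewTLSConfigManager by taking a tls.Certificate rather than certFile and keyFile, so it runs without files; selfSigned, handshake, must and DemoTrustSwap are helpers invented for the example, and the certificates they produce are throwaway test material. DemoTrustSwap builds one tls.Config, accepts a peer whose certificate is in the pool, replaces the pool with one that lists a different member, and shows that the unchanged config now refuses that peer. The handshakes run over a loopback TCP socket.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// ConfigManager stands in for TLSConfigManager (added example, not the project's code).
// Its tls.Config holds no CA pool of its own: GetConfigForClient reads the current pool
// at handshake time, so SetTrusted takes effect on a listener that is already running.
type ConfigManager struct {
	cert      tls.Certificate
	clientCAs atomic.Pointer[x509.CertPool]
}
func NewConfigManager(cert tls.Certificate) *ConfigManager {
	m := &ConfigManager{cert: cert}
	m.clientCAs.Store(x509.NewCertPool()) // trust nobody until metadata arrives; nil would mean system roots
	return m
}
// SetTrusted replaces the client certificate authorities for all future handshakes.
func (m *ConfigManager) SetTrusted(pool *x509.CertPool) { m.clientCAs.Store(pool) }
// Config returns a tls.Config for tls.NewListener or http.Server.TLSConfig.
func (m *ConfigManager) Config() *tls.Config {
	base := &tls.Config{
		Certificates: []tls.Certificate{m.cert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the peer's identity is its client cert
		MinVersion:   tls.VersionTLS12,
	}
	base.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
		cfg := base.Clone()
		cfg.ClientCAs = m.clientCAs.Load() // whatever metadata says right now
		return cfg, nil
	}
	return base
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// selfSigned builds a throwaway ECDSA certificate for name (constructed test material).
func selfSigned(name string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}
// handshake runs one mutual-TLS handshake over loopback and returns the server's verdict.
func handshake(serverCfg *tls.Config, roots *x509.CertPool, client tls.Certificate) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go func() {
		c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
			Certificates: []tls.Certificate{client}, RootCAs: roots, ServerName: "server.example",
		})
		if err == nil {
			c.Read(make([]byte, 1)) // under TLS 1.3 the server's verdict arrives after Dial returns
			c.Close()
		}
	}()
	raw := must(ln.Accept())
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	return tls.Server(raw, serverCfg).Handshake()
}

// DemoTrustSwap reuses one tls.Config across a trust swap: peer is accepted while pinned, refused once the pool lists only other.
func DemoTrustSwap() (before, after error) {
	server, peer, other := selfSigned("server.example"), selfSigned("peer.example"), selfSigned("other.example")
	roots := x509.NewCertPool() // what the client trusts on the server side
	roots.AddCert(server.Leaf)
	m := NewConfigManager(server)
	cfg := m.Config() // built once, as a long-lived listener would
	trusted := x509.NewCertPool()
	trusted.AddCert(peer.Leaf)
	m.SetTrusted(trusted)
	before = handshake(cfg, roots, peer)
	rotated := x509.NewCertPool()
	rotated.AddCert(other.Leaf)
	m.SetTrusted(rotated) // new metadata: peer is no longer a member
	after = handshake(cfg, roots, peer)
	return before, after
}
```

Two details carry the security weight. The manager starts from an empty pool, because a nil ClientCAs makes crypto/x509 fall back to the system roots, which would admit any publicly issued client certificate until the first metadata load. And the callback returns a clone of the base config instead of mutating a shared one, so an in-flight handshake never observes a pool that is half swapped.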