tokens

package
v1.8.1
Published: Oct 5, 2022 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Index

Constants

const (
	DefaultSerialNumber = 1
)
const KeyIDHeader = "kid" // standard JWT header that indicates which signing key we should use

Variables

This section is empty.

Functions

func IsSigningKeyNotFound

func IsSigningKeyNotFound(err error) bool

func NewDefaultSigningKeyComponent

func NewDefaultSigningKeyComponent(signingKeyManager SigningKeyManager, log logr.Logger) component.Component

func NewSigningKey

func NewSigningKey() ([]byte, error)

func SigningKeyResourceKey

func SigningKeyResourceKey(signingKeyPrefix string, serialNumber int, mesh string) model.ResourceKey

Types

type Claims

type Claims interface {
	jwt.Claims
	ID() string
	// KeyIDFallback returns the KID when it is not provided as a header.
	// It lets us stay backwards compatible with tokens that did not carry a KID in the past.
	// https://github.com/kumahq/kuma/issues/4006
	KeyIDFallback() (int, error)
	SetRegisteredClaims(claims jwt.RegisteredClaims)
}

type Issuer

type Issuer interface {
	Generate(ctx context.Context, claims Claims, validFor time.Duration) (Token, error)
}

Issuer generates tokens. A Token is a JWT whose claims are provided by the concrete issuer (for example the Dataplane Token Issuer or the User Token Issuer). We place "kid" in the token so that we do not have to validate it against every single signing key: instead we read "kid" from the token, retrieve the matching signing key and validate against that key only. A new token is always generated with the latest signing key.

func NewTokenIssuer

func NewTokenIssuer(signingKeyAccessor SigningKeyManager) Issuer

type Revocations

type Revocations interface {
	IsRevoked(ctx context.Context, id string) (bool, error)
}

Revocations keeps track of revoked tokens. If only one token is compromised, it is more convenient to revoke that token than to rotate the signing key and regenerate all tokens. The revocation list is stored as a Secret (for mesh-scoped tokens) or a GlobalSecret (for global-scoped tokens). Token IDs are stored in the secret as a comma-separated list: "id1,id2".

func NewRevocations

func NewRevocations(manager manager.ReadOnlyResourceManager, revocationKey core_model.ResourceKey) Revocations

type SigningKeyAccessor

type SigningKeyAccessor interface {
	GetPublicKey(ctx context.Context, serialNumber int) (*rsa.PublicKey, error)
	// GetLegacyKey returns the legacy key. In Kuma versions before 1.4.x we used the symmetric HMAC256 method to sign DP keys,
	// so in that case the private key has to be retrieved even for verification.
	GetLegacyKey(ctx context.Context, serialNumber int) ([]byte, error)
}

SigningKeyAccessor gives access to the public part of a signing key. In the future we may add offline token generation (kumactl without a running CP, or an external system); in that case only the public key would be provided to the CP via static configuration, which can be done by supplying a separate implementation of this interface.

func NewMeshedSigningKeyAccessor

func NewMeshedSigningKeyAccessor(resManager manager.ReadOnlyResourceManager, signingKeyPrefix string, mesh string) SigningKeyAccessor

NewMeshedSigningKeyAccessor builds a SigningKeyAccessor that is bound to a Mesh. Some tokens, like the Dataplane Token, are bound to a mesh; in this case the signing key is also stored as a Secret in the Mesh, not as a GlobalSecret.

func NewSigningKeyAccessor

func NewSigningKeyAccessor(resManager manager.ReadOnlyResourceManager, signingKeyPrefix string) SigningKeyAccessor

func NewSigningKeyFromPublicKeyAccessor

func NewSigningKeyFromPublicKeyAccessor(resManager manager.ReadOnlyResourceManager, signingKeyPrefix string) SigningKeyAccessor

type SigningKeyManager

type SigningKeyManager interface {
	GetLatestSigningKey(context.Context) (*rsa.PrivateKey, int, error)
	CreateDefaultSigningKey(context.Context) error
	CreateSigningKey(ctx context.Context, serialNumber int) error
}

SigningKeyManager manages tokens' signing keys. There can be many signing keys in the system, for example "user-token-signing-key-1", "user-token-signing-key-2" and so on; "user-token-signing-key" (no suffix) has serial number 0. The latest key is the one with the highest serial number (the number at the end of the name).
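The three pieces documented on this page, selecting the verification key by "kid" (Issuer), the comma-separated revocation list (Revocations) and choosing the latest key by highest serial number (SigningKeyManager), fit together as in the following added example. It is not Kuma's own code: it builds a minimal RS256 JWT with the Go standard library rather than the jwt library this package imports, and the names newKeyRing, issue, parseRevocations, validate and demoClaims, as well as encoding the serial number in "kid" as a decimal string, are this example's assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// jwtHeader is the JOSE header; "kid" carries the signing key's serial number as a
// decimal string (this example's encoding choice; the page does not specify one).
type jwtHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// demoClaims stands in for the page's Claims interface; "jti" is the ID a revocation list names.
type demoClaims struct {
	ID string `json:"jti"`
}

// newKeyRing generates constructed RSA keys, one per serial number: the private side an
// issuer holds and the public side a validator holds, both keyed by serial number.
func newKeyRing(serials ...int) (map[int]*rsa.PrivateKey, map[int]*rsa.PublicKey, error) {
	priv, pub := map[int]*rsa.PrivateKey{}, map[int]*rsa.PublicKey{}
	for _, sn := range serials {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, nil, err
		}
		priv[sn], pub[sn] = k, &k.PublicKey
	}
	return priv, pub, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// issue signs with the latest key (highest serial number, as the page defines "latest")
// and records that serial number in the "kid" header.
func issue(keys map[int]*rsa.PrivateKey, c demoClaims) (string, error) {
	latest := -1
	for sn := range keys {
		if sn > latest {
			latest = sn
		}
	}
	if latest < 0 {
		return "", errors.New("no signing key available")
	}
	h, _ := json.Marshal(jwtHeader{Alg: "RS256", Kid: strconv.Itoa(latest)})
	p, _ := json.Marshal(c)
	input := b64(h) + "." + b64(p)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, keys[latest], crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// parseRevocations turns the secret's "id1,id2" format into a lookup set.
func parseRevocations(secret string) map[string]bool {
	revoked := map[string]bool{}
	for _, id := range strings.Split(secret, ",") {
		if id = strings.TrimSpace(id); id != "" {
			revoked[id] = true
		}
	}
	return revoked
}

// validate picks the verification key by "kid" instead of trying every key, verifies the
// signature before trusting the payload, then consults the revocation list. It never
// dispatches on "alg", so a token cannot steer the verifier onto a weaker algorithm.
func validate(token string, pub map[int]*rsa.PublicKey, revoked map[string]bool) (demoClaims, error) {
	var c demoClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return c, fmt.Errorf("token part %d: %w", i, err)
		}
	}
	var h jwtHeader
	if err := json.Unmarshal(raw[0], &h); err != nil {
		return c, err
	}
	sn, err := strconv.Atoi(h.Kid) // no KeyIDFallback here: a token without kid is rejected
	if err != nil || pub[sn] == nil {
		return c, fmt.Errorf("signing key for kid %q not found", h.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub[sn], crypto.SHA256, digest[:], raw[2]); err != nil {
		return c, errors.New("invalid signature")
	}
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return c, err
	}
	if revoked[c.ID] {
		return c, fmt.Errorf("token %q is revoked", c.ID)
	}
	return c, nil
}
```

Selecting the key by "kid" keeps verification at one RSA operation per token no matter how many keys have been rotated in, and checking the revocation set only after the signature has verified means an attacker cannot learn which IDs are on the list by submitting unsigned tokens. The page's KeyIDFallback for tokens issued before "kid" was added is deliberately not modelled: here a token without "kid" is refused.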

func NewMeshedSigningKeyManager

func NewMeshedSigningKeyManager(manager manager.ResourceManager, signingKeyPrefix string, mesh string) SigningKeyManager

NewMeshedSigningKeyManager builds a SigningKeyManager that is bound to a Mesh. Some tokens, like the Dataplane Token, are bound to a mesh; in this case the signing key is also stored as a Secret in the Mesh, not as a GlobalSecret.

func NewSigningKeyManager

func NewSigningKeyManager(manager manager.ResourceManager, signingKeyPrefix string) SigningKeyManager

type SigningKeyNotFound

type SigningKeyNotFound struct {
	SerialNumber int
	Prefix       string
	Mesh         string
}

func (*SigningKeyNotFound) Error

func (s *SigningKeyNotFound) Error() string

type Token

type Token = string

type Validator

type Validator interface {
	// ParseWithValidation parses the token and fills in the provided Claims.
	ParseWithValidation(ctx context.Context, token Token, claims Claims) error
}

func NewValidator

func NewValidator(keyAccessor SigningKeyAccessor, revocations Revocations, storeType store_config.StoreType) Validator
