auth

package
Published: Jul 21, 2021 License: Apache-2.0 Imports: 28 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func TokenEndpoint added in v0.7.0

func TokenEndpoint(endpoint environments.AzureADEndpoint, tenant string, version TokenVersion) (e string)

Types

type Api added in v0.5.0

type Api int
const (
	MsGraph Api = iota
	AadGraph
)

type Authorizer

type Authorizer interface {
	Token() (*oauth2.Token, error)
}

Authorizer is anything that can return an access token for authorizing API connections.

func CachedAuthorizer added in v0.7.0

func CachedAuthorizer(src Authorizer) Authorizer

CachedAuthorizer returns an Authorizer that caches an access token for the duration of its validity. If the cached token expires, a new one is acquired and cached.
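The expiry-aware caching that CachedAuthorizer describes, written out as an added example for this page (it is not the package's own implementation). A stand-in Token type replaces *oauth2.Token, AuthorizerFunc is a hypothetical adapter for plain functions, and the 30-second refresh skew, the refusal to cache a token with no recorded expiry, and holding the lock across the fetch are design choices of this example rather than documented behaviour of the package:

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Token is a stand-in for *oauth2.Token carrying only what a cache needs
// (assumption: AccessToken and Expiry are the fields that matter here).
type Token struct {
	AccessToken string
	Expiry      time.Time
}

// Authorizer mirrors the interface documented on this page, using the
// stand-in Token type.
type Authorizer interface {
	Token() (*Token, error)
}

// AuthorizerFunc is a hypothetical adapter that lets a plain function act
// as an Authorizer (handy for tests and for wrapping other token sources).
type AuthorizerFunc func() (*Token, error)

func (f AuthorizerFunc) Token() (*Token, error) { return f() }

// cachedAuthorizer keeps the last token returned by src and hands it out
// until it is within refreshSkew of expiring, then fetches a new one.
// The mutex is held across the fetch so concurrent callers that all find
// an expired token do not each hit the identity provider.
type cachedAuthorizer struct {
	src         Authorizer
	refreshSkew time.Duration
	now         func() time.Time // injectable clock, used by tests

	mu    sync.Mutex
	token *Token
}

// NewCachedAuthorizer wraps src with an expiry-aware cache.
func NewCachedAuthorizer(src Authorizer) *cachedAuthorizer {
	return &cachedAuthorizer{src: src, refreshSkew: 30 * time.Second, now: time.Now}
}

// stillValid is true while the cached token can safely be reused. A token
// with no recorded expiry is never reused: caching it would hand out a
// credential of unknown lifetime indefinitely.
func (c *cachedAuthorizer) stillValid(t *Token) bool {
	if t == nil || t.AccessToken == "" || t.Expiry.IsZero() {
		return false
	}
	return c.now().Add(c.refreshSkew).Before(t.Expiry)
}

// Token returns the cached token, refreshing it from src when needed.
func (c *cachedAuthorizer) Token() (*Token, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.stillValid(c.token) {
		return c.token, nil
	}
	t, err := c.src.Token()
	if err != nil {
		return nil, fmt.Errorf("acquiring token: %w", err)
	}
	if t == nil || t.AccessToken == "" {
		return nil, errors.New("token source returned an empty token")
	}
	c.token = t
	return t, nil
}

func main() {
	fetches := 0
	// Constructed source: every call "mints" a token valid for one hour.
	src := AuthorizerFunc(func() (*Token, error) {
		fetches++
		return &Token{AccessToken: fmt.Sprintf("constructed-token-%d", fetches), Expiry: time.Now().Add(time.Hour)}, nil
	})
	cached := NewCachedAuthorizer(src)
	for i := 0; i < 3; i++ {
		t, err := cached.Token()
		if err != nil {
			panic(err)
		}
		fmt.Println(t.AccessToken)
	}
	fmt.Println("fetches from source:", fetches) // 1: the later calls were cache hits
}
```

Refreshing slightly before the recorded expiry avoids handing a caller a token that is rejected in flight; a token without a known expiry is deliberately not cached, because a cache that never invalidates is a long-lived credential leak waiting to happen.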

func NewAzureCliAuthorizer

func NewAzureCliAuthorizer(ctx context.Context, api Api, tenantId string) (Authorizer, error)

NewAzureCliAuthorizer returns an Authorizer which authenticates using the Azure CLI.

func NewClientCertificateAuthorizer

func NewClientCertificateAuthorizer(ctx context.Context, environment environments.Environment, api Api, tokenVersion TokenVersion, tenantId, clientId string, pfxData []byte, pfxPath, pfxPass string) (Authorizer, error)

NewClientCertificateAuthorizer returns an authorizer which uses client certificate authentication.

func NewClientSecretAuthorizer

func NewClientSecretAuthorizer(ctx context.Context, environment environments.Environment, api Api, tokenVersion TokenVersion, tenantId, clientId, clientSecret string) (Authorizer, error)

NewClientSecretAuthorizer returns an authorizer which uses client secret authentication.

func NewMsiAuthorizer added in v0.6.0

func NewMsiAuthorizer(ctx context.Context, environment environments.Environment, api Api, msiEndpoint string) (Authorizer, error)

NewMsiAuthorizer returns an authorizer which uses managed service identity for authentication.

type AzureCliAuthorizer

type AzureCliAuthorizer struct {
	// TenantID is optional and forces selection of the specified tenant. Must be a valid UUID.
	TenantID string
	// contains filtered or unexported fields
}

AzureCliAuthorizer is an Authorizer which supports the Azure CLI.

func (AzureCliAuthorizer) Token

func (a AzureCliAuthorizer) Token() (*oauth2.Token, error)

Token returns an access token using the Azure CLI as an authentication mechanism.

type AzureCliConfig

type AzureCliConfig struct {
	Api      Api
	TenantID string
}

AzureCliConfig configures an AzureCliAuthorizer.

func NewAzureCliConfig

func NewAzureCliConfig(api Api, tenantId string) (*AzureCliConfig, error)

NewAzureCliConfig validates the supplied tenant ID and returns a new AzureCliConfig.

func (*AzureCliConfig) TokenSource

func (c *AzureCliConfig) TokenSource(ctx context.Context) Authorizer

TokenSource provides a source for obtaining access tokens using AzureCliAuthorizer.

type Claims

type Claims struct {
	Audience          string   `json:"aud"`
	Issuer            string   `json:"iss"`
	IdentityProvider  string   `json:"idp"`
	ObjectId          string   `json:"oid"`
	Roles             []string `json:"roles"`
	Scopes            string   `json:"scp"`
	Subject           string   `json:"sub"`
	TenantRegionScope string   `json:"tenant_region_scope"`
	TenantId          string   `json:"tid"`
	Version           string   `json:"ver"`

	AppDisplayName string `json:"app_displayname,omitempty"`
	AppId          string `json:"appid,omitempty"`
	IdType         string `json:"idtyp,omitempty"`
}

Claims is used to unmarshal the claims from a JWT issued by the Microsoft Identity Platform.

func ParseClaims

func ParseClaims(token *oauth2.Token) (claims Claims, err error)

ParseClaims retrieves and parses the claims from a JWT issued by the Microsoft Identity Platform.
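What "retrieves and parses the claims" amounts to, as an added example written for this page rather than the package's own code: the payload segment of the compact JWT is base64url-decoded and unmarshalled into the Claims struct shown above. The example adds the two things a practitioner wants next, a scope check over the space-separated scp claim and an audience/tenant check, and it makes the key caveat explicit: decoding claims is not verification. HasScope, CheckClaims and the unsignedJWT builder are hypothetical helpers, and the GUIDs and claim values are constructed:

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims mirrors the field set documented on this page.
type Claims struct {
	Audience          string   `json:"aud"`
	Issuer            string   `json:"iss"`
	IdentityProvider  string   `json:"idp"`
	ObjectId          string   `json:"oid"`
	Roles             []string `json:"roles"`
	Scopes            string   `json:"scp"`
	Subject           string   `json:"sub"`
	TenantRegionScope string   `json:"tenant_region_scope"`
	TenantId          string   `json:"tid"`
	Version           string   `json:"ver"`
	AppDisplayName    string   `json:"app_displayname,omitempty"`
	AppId             string   `json:"appid,omitempty"`
	IdType            string   `json:"idtyp,omitempty"`
}

// ParseClaims decodes the payload segment of a compact-serialised JWT.
// It does NOT verify the signature: treat the result as attacker-controlled
// until the token has been validated against the issuer's signing keys.
func ParseClaims(accessToken string) (Claims, error) {
	var c Claims
	parts := strings.Split(accessToken, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	// JWT segments are unpadded base64url; tolerate stray padding anyway.
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return c, fmt.Errorf("decoding payload: %w", err)
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, fmt.Errorf("unmarshalling claims: %w", err)
	}
	return c, nil
}

// HasScope reports whether a delegated token's space-separated scp claim
// contains the named permission. App-only tokens carry roles instead.
func HasScope(c Claims, scope string) bool {
	for _, s := range strings.Fields(c.Scopes) {
		if s == scope {
			return true
		}
	}
	return false
}

// CheckClaims applies the audience and tenant checks a resource server
// must make after signature verification, so a token minted for another
// API or another tenant is rejected even though it is well-formed.
func CheckClaims(c Claims, wantAudience, wantTenant string) error {
	if c.Audience != wantAudience {
		return fmt.Errorf("audience %q is not %q", c.Audience, wantAudience)
	}
	if c.TenantId != wantTenant {
		return fmt.Errorf("token issued for tenant %q, expected %q", c.TenantId, wantTenant)
	}
	return nil
}

// unsignedJWT builds a constructed, unsigned token for the demo below.
// Real tokens from the identity platform are signed; this one exists only
// to exercise the parser offline.
func unsignedJWT(c Claims) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]string{"alg": "none", "typ": "JWT"}
	return enc(header) + "." + enc(c) + "."
}

func main() {
	// Constructed claims for a delegated (user) token in a made-up tenant.
	tenant := "11111111-1111-1111-1111-111111111111"
	tok := unsignedJWT(Claims{
		Audience: "https://graph.microsoft.com", TenantId: tenant,
		Issuer: "https://sts.windows.net/" + tenant + "/", Scopes: "User.Read Directory.Read.All",
		Version: "1.0", IdType: "user",
	})
	c, err := ParseClaims(tok)
	if err != nil {
		panic(err)
	}
	fmt.Println("tenant:", c.TenantId, "can read directory:", HasScope(c, "Directory.Read.All"))
	fmt.Println("wrong-tenant check:", CheckClaims(c, c.Audience, "22222222-2222-2222-2222-222222222222"))
}
```

Use the parsed claims for routing decisions and diagnostics only after the token's signature has been verified; a parser like this will happily decode a token an attacker assembled by hand.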

type ClientCredentialsConfig added in v0.7.0

type ClientCredentialsConfig struct {
	// ClientID is the application's ID.
	ClientID string

	// ClientSecret is the application's secret.
	ClientSecret string

	// PrivateKey contains the contents of an RSA private key or the
	// contents of a PEM file that contains a private key. The provided
	// private key is used to sign JWT assertions.
	// PEM containers with a passphrase are not supported.
	// Use the following command to convert a PKCS 12 file into a PEM.
	//
	//    $ openssl pkcs12 -in key.p12 -out key.pem -nodes
	//
	PrivateKey []byte

	// Certificate contains the (optionally PEM encoded) X509 certificate registered
	// for the application with which you are authenticating.
	Certificate []byte

	// Resource specifies an API resource for which to request access (used for v1 tokens)
	Resource string

	// Scopes specifies a list of requested permission scopes (used for v2 tokens)
	Scopes []string

	// TokenURL is the client credentials token endpoint. Typically you can use the
	// TokenEndpoint function in this package, passing the environment's AzureADEndpoint,
	// to obtain this value, but it may change for non-public clouds.

	// Audience optionally specifies the intended audience of the
	// request.  If empty, the value of TokenURL is used as the
	// intended audience.
	Audience string
}

ClientCredentialsConfig is the configuration for using client credentials flow.

For more information see:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials
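The client_credentials exchange that ClientCredentialsConfig configures, shown end to end as an added example (not the package's own code). A stand-in token endpoint built on net/http/httptest plays the identity provider, and RequestClientSecretToken is a hypothetical client that posts the form a v2 token endpoint expects (a v1 endpoint takes resource instead of scope). The endpoint path, client ID, secret and returned token value are all constructed:

```go
package main

import (
	"context"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// Token is a stand-in for *oauth2.Token (assumption: these three fields suffice).
type Token struct {
	AccessToken string
	TokenType   string
	Expiry      time.Time
}

// tokenResponse is the JSON body a token endpoint returns on success.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
}

// RequestClientSecretToken performs the client_credentials grant with a shared
// secret against tokenURL (the value TokenEndpoint would produce). scope is the
// v2 form, e.g. "https://graph.microsoft.com/.default".
func RequestClientSecretToken(ctx context.Context, client *http.Client, tokenURL, clientID, clientSecret, scope string) (*Token, error) {
	form := url.Values{
		"grant_type":    {"client_credentials"},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
		"scope":         {scope},
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bound what we buffer
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		// The body carries the error code; the request (and secret) is never echoed.
		return nil, fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, body)
	}
	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, err
	}
	if tr.AccessToken == "" {
		return nil, errors.New("token endpoint returned no access_token")
	}
	return &Token{AccessToken: tr.AccessToken, TokenType: tr.TokenType, Expiry: time.Now().Add(time.Duration(tr.ExpiresIn) * time.Second)}, nil
}

// NewFakeTokenEndpoint starts a constructed stand-in for the identity platform's
// token endpoint so the exchange can run offline. It enforces the grant type,
// compares the secret in constant time and accepts only a ".default" scope.
func NewFakeTokenEndpoint(wantClientID, wantSecret string) *httptest.Server {
	fail := func(w http.ResponseWriter, status int, code string) {
		w.WriteHeader(status)
		json.NewEncoder(w).Encode(map[string]string{"error": code})
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.Method != http.MethodPost || r.ParseForm() != nil {
			fail(w, http.StatusBadRequest, "invalid_request")
			return
		}
		if r.PostForm.Get("grant_type") != "client_credentials" {
			fail(w, http.StatusBadRequest, "unsupported_grant_type")
			return
		}
		secretOK := subtle.ConstantTimeCompare([]byte(r.PostForm.Get("client_secret")), []byte(wantSecret)) == 1
		if r.PostForm.Get("client_id") != wantClientID || !secretOK {
			fail(w, http.StatusUnauthorized, "invalid_client")
			return
		}
		if !strings.HasSuffix(r.PostForm.Get("scope"), "/.default") {
			fail(w, http.StatusBadRequest, "invalid_scope")
			return
		}
		json.NewEncoder(w).Encode(tokenResponse{AccessToken: "constructed.jwt.value", TokenType: "Bearer", ExpiresIn: 3599})
	}))
}

func main() {
	srv := NewFakeTokenEndpoint("constructed-client-id", "constructed-secret")
	defer srv.Close()
	tok, err := RequestClientSecretToken(context.Background(), srv.Client(), srv.URL+"/tenant/oauth2/v2.0/token",
		"constructed-client-id", "constructed-secret", "https://graph.microsoft.com/.default")
	if err != nil {
		panic(err)
	}
	fmt.Println(tok.TokenType, "token, expires", tok.Expiry.Format(time.RFC3339))
}
```

The certificate variant (ClientCredentialsAssertionType) sends the same form but replaces client_secret with client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer and a client_assertion JWT signed with the private key, which is why ClientCredentialsConfig carries PrivateKey and Certificate alongside ClientSecret; the response handling is identical.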

func (*ClientCredentialsConfig) TokenSource added in v0.7.0

func (c *ClientCredentialsConfig) TokenSource(ctx context.Context, authType ClientCredentialsType) (source Authorizer)

TokenSource provides a source for obtaining access tokens using clientAssertionAuthorizer or clientSecretAuthorizer.

type ClientCredentialsType added in v0.7.0

type ClientCredentialsType int
const (
	ClientCredentialsAssertionType ClientCredentialsType = iota
	ClientCredentialsSecretType
)

type Config

type Config struct {
	// Specifies the national cloud environment to use
	Environment environments.Environment

	// Version specifies the token version to acquire from Microsoft Identity Platform.
	// Ignored when using Azure CLI or Managed Identity authentication.
	Version TokenVersion

	// Azure Active Directory tenant to connect to, should be a valid UUID
	TenantID string

	// Client ID for the application used to authenticate the connection
	ClientID string

	// Enables authentication using Azure CLI
	EnableAzureCliToken bool

	// Enables authentication using managed service identity.
	EnableMsiAuth bool

	// Specifies a custom MSI endpoint to connect to
	MsiEndpoint string

	// Enables client certificate authentication using client assertions
	EnableClientCertAuth bool

	// Specifies the contents of a client certificate PKCS#12 bundle
	ClientCertData []byte

	// Specifies the path to a client certificate PKCS#12 bundle (.pfx file)
	ClientCertPath string

	// Specifies the encryption password to unlock a client certificate
	ClientCertPassword string

	// Enables client secret authentication using client credentials
	EnableClientSecretAuth bool

	// Specifies the password to authenticate with using client secret authentication
	ClientSecret string
}

Config sets up NewAuthorizer to return an Authorizer based on the provided configuration.

func (*Config) NewAuthorizer

func (c *Config) NewAuthorizer(ctx context.Context, api Api) (Authorizer, error)

NewAuthorizer returns a suitable Authorizer depending on what is defined in the Config. Authorizers are selected for authentication methods in the following preferential order:
- Client certificate authentication
- Client secret authentication
- Managed service identity (MSI) authentication
- Azure CLI authentication

Whether one of these is returned depends on whether it is enabled in the Config, and whether sufficient configuration fields are set to enable that authentication method.

For client certificate authentication, specify TenantID, ClientID and ClientCertData / ClientCertPath. For client secret authentication, specify TenantID, ClientID and ClientSecret. MSI authentication (if enabled) using the Azure Metadata Service is then attempted. Azure CLI authentication (if enabled) is attempted last.

It's recommended to only enable the mechanisms you have configured and are known to work in the execution environment. If any authentication mechanism fails due to misconfiguration or some other error, the function will return (nil, error) and later mechanisms will not be attempted.

type MsiAuthorizer added in v0.6.0

type MsiAuthorizer struct {
	// contains filtered or unexported fields
}

MsiAuthorizer is an Authorizer which supports managed service identity.

func (*MsiAuthorizer) Token added in v0.6.0

func (a *MsiAuthorizer) Token() (*oauth2.Token, error)

Token returns an access token acquired from the metadata endpoint.

type MsiConfig added in v0.6.0

type MsiConfig struct {
	MsiApiVersion string
	MsiEndpoint   string
	Resource      string
}

MsiConfig configures an MsiAuthorizer.

func NewMsiConfig added in v0.6.0

func NewMsiConfig(ctx context.Context, resource string, msiEndpoint string) (*MsiConfig, error)

NewMsiConfig returns a new MsiConfig with a configured metadata endpoint and resource.

func (*MsiConfig) TokenSource added in v0.6.0

func (c *MsiConfig) TokenSource(ctx context.Context) Authorizer

TokenSource provides a source for obtaining access tokens using MsiAuthorizer.

type TokenVersion added in v0.5.0

type TokenVersion int
const (
	TokenVersion2 TokenVersion = iota
	TokenVersion1
)
