security

Published: Nov 5, 2024 License: Apache-2.0 Imports: 24 Imported by: 0

Constants

This section is empty.

Variables

// ErrLoginProviderNotFound is the sentinel error for a lookup of a login
// provider by a name that is not registered; presumably returned by
// ProviderManager.FindByName / TokenProviders.GetProviderConfig — confirm
// against the implementations. Compare with errors.Is, not ==.
var ErrLoginProviderNotFound = errors.New("login provider not found")

Functions

func CreateJWTForTokenRequest

func CreateJWTForTokenRequest(subject string, audience string, privateKey *rsa.PrivateKey) (string, error)

func ExportRsaPrivateKeyAsPem

func ExportRsaPrivateKeyAsPem(key *rsa.PrivateKey) (string, error)

func ExportRsaPublicKeyAsPem

func ExportRsaPublicKeyAsPem(key *rsa.PublicKey) (string, error)

func GenerateRsaKeyPair

func GenerateRsaKeyPair() (*rsa.PrivateKey, *rsa.PublicKey)

func ParseRsaPrivateKeyFromPem

func ParseRsaPrivateKeyFromPem(pemValue []byte) (*rsa.PrivateKey, error)

func ParseRsaPublicKeyFromPem

func ParseRsaPublicKeyFromPem(pemValue []byte) (*rsa.PublicKey, error)

Types

type AccessControl

// AccessControl allows or denies a single action on a single resource.
// The documented actions are read and write (write implies delete); the
// documented resource forms are nodeid/datasets/[name], nodeid/jobs/*,
// nodeid/content/name and the wildcard nodeid/* (all endpoints).
type AccessControl struct {
	// Resource is the resource path the rule applies to; "*" acts as a wildcard.
	Resource string
	// Action is the action the rule covers ("read" or "write").
	Action   string
	// Deny turns the rule into a denial rather than a grant. How a deny rule
	// is ordered against allow rules is decided in ServiceCore.CheckGranted and
	// is not shown on this page — confirm before relying on precedence.
	Deny     bool
}

AccessControl allows or denies an action on a resource. Allowed actions are: read, write (write implies delete). Resources are: nodeid/datasets/[name] with *; nodeid/* gives access to all endpoints; nodeid/jobs/*; nodeid/content/name or *.

type BasicProvider

// BasicProvider is a Provider that carries a static user/password pair.
// Both fields are exported and therefore readable by any caller; treat the
// struct as secret material (keep it out of logs and %+v dumps).
type BasicProvider struct {
	// User is the username presented by Authorize.
	User     string
	// Password is the credential presented by Authorize — presumably as an
	// HTTP Basic Authorization header (the method body is not on this page).
	Password string
}

func (BasicProvider) Authorize

func (p BasicProvider) Authorize(req *http.Request)

type ClientCredentialsProvider

// ClientCredentialsProvider is a Provider that holds the auth0 (OAuth2 client
// credentials) configuration. All state is unexported; construct it with
// NewClientCredentialsProvider.
type ClientCredentialsProvider struct {
	// contains filtered or unexported fields
}

ClientCredentialsProvider contains the auth0 configuration

func NewClientCredentialsProvider

func NewClientCredentialsProvider(logger *zap.SugaredLogger, conf ProviderConfig, pm *ProviderManager) *ClientCredentialsProvider

NewClientCredentialsProvider creates a new ClientCredentialsProvider struct, populated with the values from Viper.

func (*ClientCredentialsProvider) Authorize

func (tp *ClientCredentialsProvider) Authorize(req *http.Request)

type ClientIDClaim

// ClientIDClaim is the structure a client presents to assert its identity.
// It is client-supplied input: every field must be treated as untrusted until
// Signature has been verified against the public key registered for the client
// (ClientInfo.PublicKey).
type ClientIDClaim struct {
	Message        []byte // encrypted message
	// MessageHashSum is the hash value the signature covers. It is an int, so
	// NOTE(review): confirm which hash function produces it and that the
	// verifier recomputes it from Message rather than trusting this value.
	MessageHashSum int    // signed
	// Signature is the signature over MessageHashSum, verified server-side.
	Signature      []byte
	// Algorithm names the signature algorithm. Because it arrives from the
	// client, NOTE(review): confirm the verifier restricts it to a fixed
	// allow-list instead of selecting the verification routine from this string.
	Algorithm      string
	// contains filtered or unexported fields
}

ClientIDClaim is used by a client to assert that it is who it says it is.

type ClientInfo

// ClientInfo is the registered record for a client (see ServiceCore.RegisterClient
// and ServiceCore.GetClients).
type ClientInfo struct {
	// ClientID is the key under which the client is stored (GetClients returns map[string]*ClientInfo).
	ClientID  string
	// PublicKey is the client's public key bytes — presumably PEM, given
	// ParseRsaPublicKeyFromPem([]byte) in this package; confirm at the call site.
	PublicKey []byte
	// Deleted marks the record as removed (soft delete). Presumably lookups must
	// skip deleted clients so their keys cannot still authenticate — confirm.
	Deleted   bool
}

type CustomClaims

// CustomClaims is the JWT claim set used by this package, extending the
// registered claims with authorization data. None of these fields carry any
// authority until the token's signature and registered claims (issuer,
// audience, expiry) have been validated.
type CustomClaims struct {
	// Scope is the space-separated scope string form.
	Scope    string   `json:"scope"`
	// Scp is the array scope form; Scopes() presumably merges Scope and Scp — confirm.
	Scp      []string `json:"scp"`
	// Gty is the grant type claim.
	Gty      string   `json:"gty"`
	// Adm flags an administrative token (see ServiceCore.MakeAdminJWT).
	Adm      bool     `json:"adm"`
	// Roles lists role names granted to the subject.
	Roles    []string `json:"roles"`
	// ClientID identifies the client the token was issued to.
	ClientID string   `json:"client_id"`
	jwt.RegisteredClaims
}

func (CustomClaims) Scopes

func (claims CustomClaims) Scopes() []string

type KeyPair

// KeyPair is one RSA signing key pair owned by a node (NodeInfo.KeyPairs).
// Use NewKeyPair to construct it.
type KeyPair struct {
	// PrivateKey is secret material; never serialise it in responses or logs.
	PrivateKey *rsa.PrivateKey
	PublicKey  *rsa.PublicKey
	// Active marks the pair that ServiceCore.GetActiveKeyPair returns.
	Active     bool
	// Expires is the expiry of the pair. Its unit is not shown on this page and
	// NewKeyPair takes no expiry argument — confirm where it is populated.
	Expires    uint64
}

func NewKeyPair

func NewKeyPair(privateKey *rsa.PrivateKey, publicKey *rsa.PublicKey, active bool) *KeyPair

type NodeInfo

// NodeInfo represents a node in the security topology: its identity plus the
// key pairs it can sign with.
type NodeInfo struct {
	// NodeID is the node's identifier; it is also the prefix of resource paths (nodeid/...).
	NodeID   string
	// KeyPairs holds the node's key pairs; at most one is expected to be Active.
	KeyPairs []*KeyPair
}

NodeInfo is a data structure that represents a node in the security topology

func NewNodeInfo

func NewNodeInfo(nodeID string, keyPairs []*KeyPair) *NodeInfo

type NodeJwtBearerProvider

// NodeJwtBearerProvider is a Provider that authenticates outbound requests with
// a JWT bearer token signed by this node (see ServiceCore.CreateJWTForTokenRequest).
// Construct it with NewNodeJwtBearerProvider.
type NodeJwtBearerProvider struct {
	// contains filtered or unexported fields
}

NodeJwtBearerProvider contains the auth0 configuration

func NewNodeJwtBearerProvider

func NewNodeJwtBearerProvider(
	logger *zap.SugaredLogger,
	serviceCore *ServiceCore,
	conf ProviderConfig,
) *NodeJwtBearerProvider

func (*NodeJwtBearerProvider) Authorize

func (nodeTokenProvider *NodeJwtBearerProvider) Authorize(req *http.Request)

type Provider

// Provider attaches credentials to an outbound request.
type Provider interface {
	// Authorize mutates req in place to add the provider's credentials —
	// presumably an Authorization header; confirm per implementation. It
	// returns no error, so a provider that cannot obtain credentials has no
	// way to report that to the caller through this interface.
	Authorize(req *http.Request)
}

type ProviderConfig

// ProviderConfig is the persisted, JSON-encoded configuration of one Provider.
// Credential fields are ValueReader indirections resolved at runtime through
// ProviderManager.LoadValue, so the stored JSON may hold a reference rather than
// the secret itself. Note that ClientID and ClientSecret are serialised under the
// JSON names "key" and "secret", not their Go field names.
type ProviderConfig struct {
	// Name is the lookup key used by FindByName / DeleteProvider.
	Name         string       `json:"name"`
	// Type selects the Provider implementation (e.g. basic, client credentials, node JWT bearer).
	Type         string       `json:"type"`
	User         *ValueReader `json:"user,omitempty"`
	// Password is secret material; avoid echoing it back from ListProviders.
	Password     *ValueReader `json:"password,omitempty"`
	ClientID     *ValueReader `json:"key,omitempty"`
	// ClientSecret is secret material; avoid echoing it back from ListProviders.
	ClientSecret *ValueReader `json:"secret,omitempty"`
	Audience     *ValueReader `json:"audience,omitempty"`
	Endpoint     *ValueReader `json:"endpoint,omitempty"`
}

type ProviderManager

// ProviderManager stores and retrieves ProviderConfig records and resolves
// ValueReader references to concrete values. Construct it with NewProviderManager.
type ProviderManager struct {
	// contains filtered or unexported fields
}

func NewProviderManager

func NewProviderManager(env *conf.Config, store *server.Store, log *zap.SugaredLogger) *ProviderManager

func (*ProviderManager) AddProvider

func (pm *ProviderManager) AddProvider(providerConfig ProviderConfig) error

func (*ProviderManager) DeleteProvider

func (pm *ProviderManager) DeleteProvider(name string) error

func (*ProviderManager) FindByName

func (pm *ProviderManager) FindByName(name string) (*ProviderConfig, error)

func (*ProviderManager) ListProviders

func (pm *ProviderManager) ListProviders() ([]ProviderConfig, error)

func (*ProviderManager) LoadValue

func (pm *ProviderManager) LoadValue(vp *ValueReader) string

type ServiceCore

// ServiceCore provides the core logic for management of data and verification
// of client claims and requests for access to resources. Call Init before use.
type ServiceCore struct {
	// admin client key for node admin
	AdminClientKey string

	// admin client secret for node admin; secret material — presumably checked
	// by MakeAdminJWT, in which case the comparison should be constant-time.
	AdminClientSecret string

	// storage location for this node's data
	Location string

	// this node info
	NodeInfo *NodeInfo
	// contains filtered or unexported fields
}

ServiceCore provides core logic for management of data and verification of client claims and requests for access of resources.

func NewServiceCore

func NewServiceCore(env *conf.Config) *ServiceCore

func (*ServiceCore) CheckGranted

func (serviceCore *ServiceCore) CheckGranted(ac *AccessControl, resource string, action string) bool

func (*ServiceCore) CreateJWTForTokenRequest

func (serviceCore *ServiceCore) CreateJWTForTokenRequest(audience string) (string, error)

CreateJWTForTokenRequest returns a JWT that can be used to obtain an access token for a remote endpoint.

func (*ServiceCore) DeleteClientAccessControls

func (serviceCore *ServiceCore) DeleteClientAccessControls(clientID string)

func (*ServiceCore) FilterDatasets

func (serviceCore *ServiceCore) FilterDatasets(
	datasets []server.DatasetName,
	subject string,
) ([]server.DatasetName, error)

FilterDatasets, given a list of datasets, returns the ones that the user has access to.

func (*ServiceCore) GetAccessControls

func (serviceCore *ServiceCore) GetAccessControls(clientID string) []*AccessControl

func (*ServiceCore) GetActiveKeyPair

func (serviceCore *ServiceCore) GetActiveKeyPair() *KeyPair

func (*ServiceCore) GetAllAccessControls

func (serviceCore *ServiceCore) GetAllAccessControls() map[string][]*AccessControl

func (*ServiceCore) GetClients

func (serviceCore *ServiceCore) GetClients() map[string]*ClientInfo

func (*ServiceCore) Init

func (serviceCore *ServiceCore) Init() error

Init ensures that local storage is available

func (*ServiceCore) MakeAdminJWT

func (serviceCore *ServiceCore) MakeAdminJWT(clientKey string, clientSecret string) (string, error)

func (*ServiceCore) RegisterClient

func (serviceCore *ServiceCore) RegisterClient(clientInfo *ClientInfo)

func (*ServiceCore) SetClientAccessControls

func (serviceCore *ServiceCore) SetClientAccessControls(clientID string, acls []*AccessControl)

func (*ServiceCore) ValidateClientJWTMakeJWTAccessToken

func (serviceCore *ServiceCore) ValidateClientJWTMakeJWTAccessToken(clientJWT string) (string, error)

type TokenProviders

// TokenProviders is the registry of configured Provider instances, keyed on the
// lower-cased provider name (see NewTokenProviders).
type TokenProviders struct {
	// Providers is a pointer to the name→Provider map. A Go map is already a
	// reference type, so the pointer adds a nil-deref hazard without benefit;
	// kept as is for API compatibility.
	Providers *map[string]Provider

	// ServiceCore is the node core used to mint node-signed tokens.
	ServiceCore *ServiceCore
	// contains filtered or unexported fields
}

func NewTokenProviders

func NewTokenProviders(
	logger *zap.SugaredLogger,
	providerManager *ProviderManager,
	serviceCore *ServiceCore,
) *TokenProviders

NewTokenProviders provides a map of token providers, keyed on the name of the token provider struct as lower_case.

func (*TokenProviders) Add

func (providers *TokenProviders) Add(providerConfig ProviderConfig) error

func (*TokenProviders) DeleteProvider

func (providers *TokenProviders) DeleteProvider(name string) error

func (*TokenProviders) Get

func (providers *TokenProviders) Get(providerName string) (Provider, bool)

func (*TokenProviders) GetProviderConfig

func (providers *TokenProviders) GetProviderConfig(name string) (*ProviderConfig, error)

func (*TokenProviders) ListProviders

func (providers *TokenProviders) ListProviders() ([]ProviderConfig, error)

func (*TokenProviders) UpdateProvider

func (providers *TokenProviders) UpdateProvider(name string, provider ProviderConfig) error

type ValueReader

// ValueReader is an indirection for a configuration value: Type says how Value
// is to be resolved and ProviderManager.LoadValue performs the resolution.
// The accepted Type values are not shown on this page.
type ValueReader struct {
	Type  string `json:"type"`
	// Value is either the literal value or a reference to it, depending on Type.
	Value string `json:"value"`
}
