Documentation
Overview
Package auth contains the authentication logic for the control plane
Index
- Constants
- Variables
- func DeleteAccessToken(ctx context.Context, provider string, token string) error
- func GetUserForGitHubId(ctx context.Context, sic server.IdentityConfigWrapper, ghUser int64) (string, error)
- func NewProviderHttpClient(provider string) *http.Client
- type Identity
- type IdentityClient
- type IdentityProvider
- type Resolver
Constants
const (
// Github OAuth2 provider
Github = "github"
)
Variables
var OAuthSuccessHtml []byte
OAuthSuccessHtml is the html page sent to the client upon successful enrollment via CLI
Functions
func DeleteAccessToken
DeleteAccessToken deletes the access token for a given provider
func GetUserForGitHubId
func GetUserForGitHubId(ctx context.Context, sic server.IdentityConfigWrapper, ghUser int64) (string, error)
GetUserForGitHubId looks up a user in Keycloak by their GitHub ID. This is a temporary implementation until we have a proper interface in front of IDP implementations.
If the user is found, it returns their subject _in Keycloak_, suitable for use in the `sub` claim of a JWT, and in OpenFGA's user field. Note that this function may return a user of "" with no error if no users were found matching the GitHub ID.
func NewProviderHttpClient
NewProviderHttpClient creates a new http client for the given provider
Types
type Identity
type Identity struct {
	// UserID is a stable unique identifier for the user. This may be a large
	// integer or a UUID, rather than something human-readable.
	//
	// For KeyCloak, this is `sub`.
	UserID string
	// HumanName is a human-readable name. Because humans are fickle, these may
	// not be unique or stable over time, though they should be unique at any
	// particular time. For example, Alex may change their handle from
	// "alexsmith" to "alexawesome" after a life change, and someone else might
	// enroll the "alexsmith" handle. If you are storing data, you want UserID,
	// not HumanName. If you are presenting data, you probably want HumanName.
	//
	// For KeyCloak, this is `preferred_username`. For some other providers,
	// this might be an email address.
	HumanName string
	// Provider is the identity provider that vended this identity. Note that
	// UserID and HumanName are only unique within the context of a single
	// identity provider.
	Provider IdentityProvider
	// FirstName and LastName are optional fields that may be provided by the
	// identity provider. These are not guaranteed to be present, and may be
	// empty.
	FirstName string
	LastName  string
}
Identity represents a particular user's identity in a particular trust domain (represented by an IdentityProvider).
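The following is an added example, not code from this package, showing why the Identity docs say to key stored data on UserID (scoped by Provider) rather than HumanName, and why the "" result that GetUserForGitHubId may return must never be used as a principal. The Identity struct, RoleStore, and all names and IDs in it are constructed for the example (Provider is simplified to the provider's name string).

```go
package main

import "errors"

// Identity mirrors the documented fields of auth.Identity; it is copied here as
// an assumption so the example runs without the control-plane module.
type Identity struct {
	UserID    string // stable, e.g. Keycloak `sub`
	HumanName string // mutable handle, e.g. Keycloak `preferred_username`
	Provider  string // IdentityProvider.String(); IDs are unique only per provider
}

// RoleStore is a constructed in-memory stand-in for an authz backend (such as OpenFGA); its two indexes contrast the right and wrong key.
type RoleStore struct{ byUserID, byHandle map[string]string }

func NewRoleStore() *RoleStore {
	return &RoleStore{byUserID: map[string]string{}, byHandle: map[string]string{}}
}

func (s *RoleStore) Grant(id Identity, role string) {
	s.byUserID[id.Provider+":"+id.UserID] = role
	s.byHandle[id.Provider+":"+id.HumanName] = role // the mistake the docs warn against
}

// RoleFor is the correct lookup: provider plus stable UserID. An empty UserID is
// rejected because lookups like GetUserForGitHubId return "" with no error when
// no user matches, and "" must never be treated as a principal.
func (s *RoleStore) RoleFor(id Identity) (string, error) {
	if id.UserID == "" {
		return "", errors.New("identity has no stable UserID")
	}
	role, ok := s.byUserID[id.Provider+":"+id.UserID]
	if !ok {
		return "", errors.New("no role for " + id.Provider + ":" + id.UserID)
	}
	return role, nil
}

// HandleReuse replays the docs' scenario: Alex is granted admin as "alexsmith",
// renames to "alexawesome", and a newcomer enrolls "alexsmith". It returns what
// the newcomer gets by stable key (nothing, with an error) and by handle ("admin").
func HandleReuse() (stableRole string, stableErr error, handleRole string) {
	s := NewRoleStore()
	alex := Identity{UserID: "c1f2-alex", HumanName: "alexsmith", Provider: "keycloak"}
	s.Grant(alex, "admin")
	alex.HumanName = "alexawesome" // handle changes; UserID does not
	newcomer := Identity{UserID: "9a7b-new", HumanName: "alexsmith", Provider: "keycloak"}
	stableRole, stableErr = s.RoleFor(newcomer)
	return stableRole, stableErr, s.byHandle[newcomer.Provider+":"+newcomer.HumanName]
}
```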
type IdentityClient
type IdentityClient struct {
// contains filtered or unexported fields
}
IdentityClient supports the ability to look up identities in one or more IdentityProviders.
func NewIdentityClient
func NewIdentityClient(providers ...IdentityProvider) (*IdentityClient, error)
NewIdentityClient creates a new IdentityClient with the supplied providers.
func (*IdentityClient) Register
func (c *IdentityClient) Register(p IdentityProvider) error
Register registers a new identity provider with the client.
type IdentityProvider
type IdentityProvider interface {
	Resolver
	// String returns the name of the identity provider. This should be a short
	// one-word string suitable for presentation. As a special case, a _single_
	// provider may use the empty string as its name to act as a default / fallback
	// provider.
	String() string
	// URL returns the `iss` URL of the identity provider.
	URL() url.URL
}
IdentityProvider provides an abstract interface for looking up identities in a remote identity provider.
type Resolver
type Resolver interface {
	// Validate validates a token and returns an underlying identity representation
	// suitable for use in authz calls. This _probably_ reads data from the token,
	// but could fetch from an external provider.
	Validate(ctx context.Context, token jwt.Token) (*Identity, error)
	// Resolve takes either a human-readable identifier or a stable identifier and
	// returns the underlying identity. This may involve looking up or defining
	// the identity in the remote identity provider.
	//
	// For Keycloak + GitHub, this may define a new user in Keycloak based on
	// GitHub user data if the user is not already known to Keycloak.
	Resolve(ctx context.Context, id string) (*Identity, error)
}
Resolver is an interface for resolving human-readable or stable identifiers from either JWTs or stored strings.
Directories
Path | Synopsis
---|---
jwt | Package jwt provides the logic for reading and validating JWT tokens
jwt/mock | Package mock_jwt is a generated GoMock package.
jwt/noop | Package noop provides a no-op implementation of the Validator interface
keycloak | Package keycloak provides an implementation of the Keycloak IdentityProvider.
keycloak/client | Package client provides primitives to interact with the openapi HTTP API.
mock | Package mock_auth is a generated GoMock package.