auth

package v0.0.79

Published: Dec 10, 2024 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation
Overview

Package auth contains the authentication logic for the control plane

Constants

const (
	// Github OAuth2 provider
	Github = "github"
)

Variables

var OAuthSuccessHtml []byte

OAuthSuccessHtml is the HTML page sent to the client upon successful enrollment via the CLI.

Functions

func DeleteAccessToken

func DeleteAccessToken(ctx context.Context, provider string, token string) error

DeleteAccessToken deletes the access token for a given provider

func GetUserForGitHubId

func GetUserForGitHubId(ctx context.Context, sic server.IdentityConfigWrapper, ghUser int64) (string, error)

GetUserForGitHubId looks up a user in Keycloak by their GitHub ID. This is a temporary implementation until we have a proper interface in front of IDP implementations.

If the user is found, it returns their subject _in Keycloak_, suitable for use in the `sub` claim of a JWT and in OpenFGA's user field. Note that this function may return an empty string ("") with no error if no user matched the GitHub ID.

func NewProviderHttpClient

func NewProviderHttpClient(provider string) *http.Client

NewProviderHttpClient creates a new http client for the given provider

Types

type Identity

type Identity struct {
	// UserID is a stable unique identifier for the user.  This may be a large
	// integer or a UUID, rather than something human-readable.
	//
	// For KeyCloak, this is `sub`.
	UserID string
	// HumanName is a human-readable name.  Because humans are fickle, these may
	// not be unique or stable over time, though they should be unique at any
	// particular time.  For example, Alex may change their handle from
	// "alexsmith" to "alexawesome" after a life change, and someone else might
	// enroll the "alexsmith" handle.  If you are storing data, you want UserID,
	// not HumanName.  If you are presenting data, you probably want HumanName.
	//
	// For KeyCloak, this is `preferred_username`.  For some other providers,
	// this might be an email address.
	HumanName string
	// Provider is the identity provider that vended this identity.  Note that
	// UserID and HumanName are only unique within the context of a single
	// identity provider.
	Provider IdentityProvider
	// FirstName and LastName are optional fields that may be provided by the
	// identity provider. These are not guaranteed to be present, and may be
	// empty.
	FirstName string
	LastName  string
}

Identity represents a particular user's identity in a particular trust domain (represented by an IdentityProvider).

func (*Identity) Human

func (i *Identity) Human() string

Human returns a human-readable representation of the identity, suitable for presentation to humans.

func (*Identity) String

func (i *Identity) String() string

String implements strings.Stringer, and also provides a stable storage representation of the Identity.

type IdentityClient

type IdentityClient struct {
	// contains filtered or unexported fields
}

IdentityClient supports the ability to look up identities in one or more IdentityProviders.

func NewIdentityClient

func NewIdentityClient(providers ...IdentityProvider) (*IdentityClient, error)

NewIdentityClient creates a new IdentityClient with the supplied providers.

func (*IdentityClient) Register

func (c *IdentityClient) Register(p IdentityProvider) error

Register registers a new identity provider with the client.

func (*IdentityClient) Resolve

func (c *IdentityClient) Resolve(ctx context.Context, id string) (*Identity, error)

Resolve implements Resolver.

func (*IdentityClient) Validate

func (c *IdentityClient) Validate(ctx context.Context, token jwt.Token) (*Identity, error)

Validate implements Resolver.

type IdentityProvider

type IdentityProvider interface {
	Resolver

	// String returns the name of the identity provider.  This should be a short
	// one-word string suitable for presentation.  As a special case, a _single_
	// provider may use the empty string as its name to act as a default / fallback
	// provider.
	String() string
	// URL returns the `iss` URL of the identity provider.
	URL() url.URL
}

IdentityProvider provides an abstract interface for looking up identities in a remote identity provider.

type Resolver

type Resolver interface {

	// Validate validates a token and returns an underlying identity representation
	// suitable for use in authz calls.  This _probably_ reads data from the token,
	// but could fetch from an external provider.
	Validate(ctx context.Context, token jwt.Token) (*Identity, error)

	// Resolve takes either a human-readable identifier or a stable identifier and
	// returns the underlying identity.  This may involve looking up or defining
	// the identity in the remote identity provider.
	//
	// For Keycloak + GitHub, this may define a new user in Keycloak based on
	// GitHub user data if the user is not already known to Keycloak.
	Resolve(ctx context.Context, id string) (*Identity, error)
}

Resolver is an interface for resolving human-readable or stable identifiers from either JWTs or stored strings
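As an added example (not code from the page or the project), the following shows how the Identity, IdentityProvider and Resolver contracts above compose into a multi-provider client: each provider accepts only tokens whose `iss` equals its own URL(), the client routes a token by `iss`, and Identity.String() is provider-qualified so the same UserID at two providers never collides. It assumes a `claims` struct standing in for jwt.Token, a constructed in-memory `staticProvider`, and a `Client`/`NewClient` pair standing in for IdentityClient's unexported internals; Resolve and the empty-name fallback provider are left out.

```go
package main

import (
	"context"
	"fmt"
	"net/url"
)

// Identity mirrors the page's struct; Provider is reduced to the provider's name.
type Identity struct{ UserID, HumanName, Provider string }
// String is the stable storage form: provider-qualified, since a UserID is only unique within one provider.
func (i *Identity) String() string { return i.Provider + ":" + i.UserID }
// claims stands in for jwt.Token (an assumption); only iss and sub matter here.
type claims struct{ Issuer, Subject string }
// IdentityProvider is the page's interface reduced to URL and Validate.
type IdentityProvider interface {
	URL() url.URL
	Validate(ctx context.Context, tok claims) (*Identity, error)
}

// staticProvider is a constructed in-memory provider; users maps sub to preferred_username.
type staticProvider struct{ name string; iss url.URL; users map[string]string }
func (p *staticProvider) URL() url.URL { return p.iss }
// Validate rejects tokens whose iss is not this provider's URL, so a token from one trust domain never yields an identity in another.
func (p *staticProvider) Validate(_ context.Context, tok claims) (*Identity, error) {
	if tok.Issuer != p.iss.String() {
		return nil, fmt.Errorf("%q does not trust issuer %q", p.name, tok.Issuer)
	}
	if name, ok := p.users[tok.Subject]; ok {
		return &Identity{UserID: tok.Subject, HumanName: name, Provider: p.name}, nil
	}
	return nil, fmt.Errorf("%q: unknown subject %q", p.name, tok.Subject)
}

// Client is a minimal IdentityClient keyed by issuer URL; a token from an unregistered issuer is refused, not guessed.
type Client map[string]IdentityProvider
func NewClient(ps ...IdentityProvider) Client {
	c := Client{}
	for _, p := range ps {
		u := p.URL()
		c[u.String()] = p
	}
	return c
}
func (c Client) Validate(ctx context.Context, tok claims) (*Identity, error) {
	if p, ok := c[tok.Issuer]; ok {
		return p.Validate(ctx, tok)
	}
	return nil, fmt.Errorf("no provider registered for issuer %q", tok.Issuer)
}
```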

Directories

Path Synopsis
jwt
Package jwt provides the logic for reading and validating JWT tokens
mock
Package mock_jwt is a generated GoMock package.
noop
Package noop provides a no-op implementation of the Validator interface
Package keycloak provides an implementation of the Keycloak IdentityProvider.
client
Package client provides primitives to interact with the openapi HTTP API.
Package mock_auth is a generated GoMock package.
