Index ¶
- Constants
- Variables
- func CreateJWTToken(createEntry TokenCreateEntry, roleEntry RoleStorageEntry, key jose.JSONWebKey) ([]byte, error)
- func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
- func GenerateKey(kid, alg, use string, rsaBits, symmetricBits int) (*jose.JSONWebKey, error)
- func KeygenEnc(alg jose.KeyAlgorithm, bits int) (crypto.PublicKey, crypto.PrivateKey, error)
- func KeygenSig(alg jose.SignatureAlgorithm, bits int) (crypto.PublicKey, crypto.PrivateKey, error)
- func LoadPrivateKey(data []byte) (interface{}, error)
- func ValidateJWTToken(serializedToken string, roleEntry RoleStorageEntry, keySet *KeySetStorageEntry) error
- type JwtBackend
- type KeySetStorageEntry
- func (k *KeySetStorageEntry) AddKey(toAdd jose.JSONWebKey) error
- func (k *KeySetStorageEntry) Exists(kid string) bool
- func (k *KeySetStorageEntry) GetActiveKey() (jose.JSONWebKey, error)
- func (k *KeySetStorageEntry) GetPublicKey(kid string) jose.JSONWebKey
- func (k *KeySetStorageEntry) PublicKeyAsMap(kid string) (m map[string]interface{})
- func (k *KeySetStorageEntry) RemoveKey(kid string)
- func (k *KeySetStorageEntry) SetActiveKID(kid string) error
- func (k *KeySetStorageEntry) ToMap() map[string]interface{}
- type RoleStorageEntry
- type TokenCreateEntry
Constants ¶
const SecretJWTType = "jwt"
Variables ¶
// CreateRoleSchema describes the request fields accepted when a role is
// created or updated; each key is a role field coming in from the Vault
// request field map.
var CreateRoleSchema = map[string]*framework.FieldSchema{
	"name": {
		Type:        framework.TypeString,
		Description: "The name of the role to be created.",
	},
	"type": {
		Type:        framework.TypeString,
		Description: "The type of token returned (jwe|jwt|jws).",
	},
	"key_set": {
		Type:        framework.TypeString,
		Description: "The name of the key set to use for signing.",
	},
	"token_ttl": {
		Type:        framework.TypeDurationSecond,
		Description: "The default TTL of tokens created through this role, as a golang duration string.",
	},
	// max_token_ttl is the upper bound applied to the requested TTL at
	// issuance, so a caller cannot request a token that outlives it.
	"max_token_ttl": {
		Type:        framework.TypeDurationSecond,
		Description: "The maximum TTL of tokens created through this role, as a golang duration string.",
	},
	"claims": {
		Type:        framework.TypeMap,
		Description: `The structure of the public/private claims to be added to the token in addition to the standard registered claims configured directly on the role (iss, sub, aud, nbf, iat, exp).`,
	},
	// allowed_custom_claims is an allow-list: only the claim names listed
	// here may be overridden by the caller of the issue request.
	"allowed_custom_claims": {
		Type:        framework.TypeStringSlice,
		Description: "Array of claims which will be accepted as parameters in the issue request and used instead of the values set in the Claims map.",
		// NOTE(review): a bool default on a string-slice field looks like a
		// type mismatch; confirm whether the intent was no default (nil slice).
		Default: false,
	},
	"iss": {Type: framework.TypeString, Description: "Issuer"},
	"sub": {Type: framework.TypeString, Description: "Subject"},
	"aud": {Type: framework.TypeString, Description: "Audience"},
	// nbf, iat and exp default to true: the registered time claims are
	// emitted unless the role explicitly disables them.
	"nbf": {Type: framework.TypeBool, Default: true, Description: "Not Before. Automatically added when tokens are issued. To disable, set to false."},
	"iat": {Type: framework.TypeBool, Default: true, Description: "Issued At. Automatically added when tokens are issued. To disable, set to false."},
	"exp": {Type: framework.TypeBool, Default: true, Description: "Expiration Time. Automatically added when tokens are issued. To disable, set to false."},
}
CreateRoleSchema is the basic schema for creating a role; it maps the fields coming in from the Vault request field map.
Functions ¶
func CreateJWTToken ¶
func CreateJWTToken(createEntry TokenCreateEntry, roleEntry RoleStorageEntry, key jose.JSONWebKey) ([]byte, error)
CreateJWTToken creates a token from the parameters in the token entry and the defaults in the role entry, and signs it with the given key.
func GenerateKey ¶
func GenerateKey(kid, alg, use string, rsaBits, symmetricBits int) (*jose.JSONWebKey, error)
func KeygenEnc ¶
func KeygenEnc(alg jose.KeyAlgorithm, bits int) (crypto.PublicKey, crypto.PrivateKey, error)
KeygenEnc generates a key pair for the given KeyAlgorithm.
func KeygenSig ¶
func KeygenSig(alg jose.SignatureAlgorithm, bits int) (crypto.PublicKey, crypto.PrivateKey, error)
KeygenSig generates a key pair for the given SignatureAlgorithm.
func LoadPrivateKey ¶
func ValidateJWTToken ¶
func ValidateJWTToken(serializedToken string, roleEntry RoleStorageEntry, keySet *KeySetStorageEntry) error
ValidateJWTToken returns an error if the token is not valid according to the role and the key set.
Types ¶
type JwtBackend ¶
JwtBackend is the exported backend type, for use elsewhere.
func Backend ¶
func Backend(ctx context.Context, conf *logical.BackendConfig) *JwtBackend
Backend creates and configures the backend.
type KeySetStorageEntry ¶
// KeySetStorageEntry is the stored representation of a named key set.
type KeySetStorageEntry struct {
	// Name identifies the key set; a role refers to it through its
	// "key_set" field.
	Name      string
	// ActiveKID is the kid of the set's active key (see SetActiveKID and
	// GetActiveKey); presumably the key used for newly issued tokens.
	ActiveKID string
	// Keys holds the set's JWKs indexed by kid. NOTE(review): since
	// GetPublicKey/PublicKeyAsMap derive the public half, entries are
	// presumably full (private) keys — treat the map as sensitive and
	// confirm before exposing it.
	Keys      map[string]jose.JSONWebKey
}
KeySetStorageEntry is the structure of the key set object as it is stored.
func (*KeySetStorageEntry) AddKey ¶
func (k *KeySetStorageEntry) AddKey(toAdd jose.JSONWebKey) error
func (*KeySetStorageEntry) Exists ¶
func (k *KeySetStorageEntry) Exists(kid string) bool
func (*KeySetStorageEntry) GetActiveKey ¶
func (k *KeySetStorageEntry) GetActiveKey() (jose.JSONWebKey, error)
func (*KeySetStorageEntry) GetPublicKey ¶
func (k *KeySetStorageEntry) GetPublicKey(kid string) jose.JSONWebKey
func (*KeySetStorageEntry) PublicKeyAsMap ¶
func (k *KeySetStorageEntry) PublicKeyAsMap(kid string) (m map[string]interface{})
func (*KeySetStorageEntry) RemoveKey ¶
func (k *KeySetStorageEntry) RemoveKey(kid string)
func (*KeySetStorageEntry) SetActiveKID ¶
func (k *KeySetStorageEntry) SetActiveKID(kid string) error
func (*KeySetStorageEntry) ToMap ¶
func (k *KeySetStorageEntry) ToMap() map[string]interface{}
type RoleStorageEntry ¶
// RoleStorageEntry represents a role as it is stored within Vault.
type RoleStorageEntry struct {
	// RoleID is the stored identifier of the role.
	RoleID              string                 `json:"role_id" structs:"role_id" mapstructure:"role_id"`
	// Name is the provided name for the role.
	Name                string                 `json:"name" structs:"name" mapstructure:"name"`
	// Type is the type of token to be created for the role: jwe|jwt|jws.
	Type                string                 `json:"type" structs:"type" mapstructure:"type"`
	// KeySet is the name of the key set this role uses to sign/encrypt tokens.
	KeySet              string                 `json:"key_set" structs:"key_set" mapstructure:"key_set"`
	// TokenTTL is the default TTL for tokens created through this role.
	// (The request field is expressed in seconds; it is stored as a Duration.)
	TokenTTL            time.Duration          `json:"token_ttl" structs:"token_ttl" mapstructure:"token_ttl"`
	// MaxTokenTTL is the maximum TTL for tokens created through this role;
	// this limit is applied to the requested TTL at issuance.
	MaxTokenTTL         time.Duration          `json:"max_token_ttl" structs:"max_token_ttl" mapstructure:"max_token_ttl"`
	// Claims are set on every JWT issued through this role.
	Claims              map[string]interface{} `json:"claims" structs:"claims" mapstructure:"claims"`
	// AllowedCustomClaims lists the claims accepted as parameters in the
	// issue request and used instead of the values in Claims. Request claims
	// outside this list are presumably ignored — verify in the issue handler,
	// and confirm whether the registered claims below can appear here.
	AllowedCustomClaims []string               `json:"allowed_custom_claims" structs:"allowed_custom_claims" mapstructure:"allowed_custom_claims"`
	// Registered claims configured directly on the role.
	// String-valued claims:
	Issuer              string                 `json:"iss" structs:"iss" mapstructure:"iss"`
	Subject             string                 `json:"sub" structs:"sub" mapstructure:"sub"`
	Audience            string                 `json:"aud" structs:"aud" mapstructure:"aud"`
	// Time claims; each flag controls whether the claim is added at issuance.
	ExpirationTime      bool                   `json:"exp" structs:"exp" mapstructure:"exp"`
	NotBefore           bool                   `json:"nbf" structs:"nbf" mapstructure:"nbf"`
	IssuedAt            bool                   `json:"iat" structs:"iat" mapstructure:"iat"`
}
RoleStorageEntry is the structure that represents the role as it is stored within Vault.
func (RoleStorageEntry) ToMap ¶
func (r RoleStorageEntry) ToMap() map[string]interface{}
type TokenCreateEntry ¶
// TokenCreateEntry is the exposed structure for creating a token.
type TokenCreateEntry struct {
	// TTL is the requested lifetime of the token; the role's MaxTokenTTL
	// caps it at issuance.
	TTL     time.Duration          `json:"ttl" structs:"ttl" mapstructure:"ttl"`
	// ID is the token identifier (presumably carried as the jti claim — TODO confirm).
	ID      string                 `json:"id" structs:"id" mapstructure:"id"`
	// Claims are the caller-supplied claims. Presumably only the names in the
	// role's AllowedCustomClaims take effect — verify in the issue handler.
	Claims  map[string]interface{} `json:"claims" structs:"claims" mapstructure:"claims"`
	// Role names the role whose defaults apply to the token.
	Role    string                 `json:"role" structs:"role" mapstructure:"role"`
	// KeyName selects the key used for the token (presumably a key set name
	// or kid — TODO confirm against the issue handler).
	KeyName string                 `json:"key_name" structs:"key_name" mapstructure:"key_name"`
}
TokenCreateEntry is the exposed structure for creating a token.
func (TokenCreateEntry) ToMap ¶
func (t TokenCreateEntry) ToMap() map[string]interface{}