jwt

package
v0.0.0-...-98dad3e
Warning

This package is not in the latest version of its module.

Published: Dec 6, 2024 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func Claims

func Claims(subject string, labels map[string]string, expirationSeconds int64, audience []string) (*jwt.Claims, interface{})

func NewAuthorizeClusterHandler

func NewAuthorizeClusterHandler(logger log.Logger, clusterIDKey string, expireInSeconds int64, signer *Signer, labels map[string]string, ca authorize.ClusterAuthorizer) *authorizeClusterHandler

NewAuthorizeClusterHandler creates an authorizer HTTP endpoint that will authorize the cluster given by the "id" form request parameter using the given cluster authorizer.

Upon success, the given cluster authorizer returns a subject which is used as the client identifier in a generated signed JWT which is returned to the client, along with any labels.

A single cluster ID key parameter must be passed to uniquely identify the caller's data.

func NewClientAuthorizer

func NewClientAuthorizer(issuer string, keys []crypto.PublicKey, v Validator) *clientAuthorizer

NewClientAuthorizer authenticates tokens as JWT tokens produced by JWTTokenGenerator. Token signatures are verified using each of the given public keys until one works (allowing key rotation). If lookup is true, the service account and secret referenced as claims inside the token are retrieved and verified with the provided ServiceAccountTokenGetter.
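The "try each public key until one works" rule described above, as an added standard-library sketch that is not this package's code. It assumes Ed25519 keys and a minimal iss/sub/exp claim set; `sign`, `verify`, `claims` and all sample values are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// sign builds a compact EdDSA JWT (hypothetical stand-in, not the package's Signer).
func sign(key ed25519.PrivateKey, c claims) string {
	body, _ := json.Marshal(c)
	msg := b64.EncodeToString([]byte(`{"alg":"EdDSA"}`)) + "." + b64.EncodeToString(body)
	return msg + "." + b64.EncodeToString(ed25519.Sign(key, []byte(msg)))
}

// verify accepts tok if any trusted key verifies it; the header's alg is never consulted.
func verify(tok, issuer string, keys []ed25519.PublicKey, now int64) (*claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	sig, _ := b64.DecodeString(p[2])
	for _, k := range keys { // rotation: old and new public keys are both trusted
		if !ed25519.Verify(k, []byte(p[0]+"."+p[1]), sig) {
			continue
		}
		var c claims // the payload is parsed only after the signature checks out
		raw, _ := b64.DecodeString(p[1])
		if json.Unmarshal(raw, &c) != nil || c.Iss != issuer || now >= c.Exp {
			return nil, fmt.Errorf("rejected claims: iss=%q exp=%d", c.Iss, c.Exp)
		}
		return &c, nil
	}
	return nil, fmt.Errorf("no trusted key verifies the signature")
}

func main() { // constructed values: exp=2000, now=1000
	pub, key, _ := ed25519.GenerateKey(nil)
	tok := sign(key, claims{"issuer-a", "cluster-1", 2000})
	fmt.Println(verify(tok, "issuer-a", []ed25519.PublicKey{pub}, 1000))
}
```

During a rotation the verifier's key list holds both the outgoing and the incoming public key; dropping the old key from the list is what finally invalidates tokens signed with it.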

Types

type Signer

type Signer struct {
	// contains filtered or unexported fields
}

func NewSigner

func NewSigner(issuer string, private crypto.PrivateKey) *Signer

func (*Signer) GenerateToken

func (j *Signer) GenerateToken(claims *jwt.Claims, privateClaims interface{}) (string, error)

type Validator

type Validator interface {
	// Validate validates a token and returns user information or an error.
	// Validator can assume that the issuer and signature of a token are already
	// verified when this function is called.
	Validate(tokenData string, public *jwt.Claims, private interface{}) (*authorize.Client, error)
	// NewPrivateClaims returns a struct that the authenticator should
	// deserialize the JWT payload into. The authenticator may then pass this
	// struct back to the Validator as the 'private' argument to a Validate()
	// call. This struct should contain fields for any private claims that the
	// Validator requires to validate the JWT.
	NewPrivateClaims() interface{}
}

Validator is called by the JWT token authenticator to apply domain-specific validation to a token and extract user information.

func NewValidator

func NewValidator(logger log.Logger, audiences []string) Validator
