auth

package
Published: Aug 27, 2024 License: BSD-3-Clause-Clear Imports: 28 Imported by: 0

Constants

// Action names. These are the string values passed as the action argument to
// Enforcer.Enforce and matched against the casbin policy rules. ActionUnsafe
// and ActionOther have no further description on this page — NOTE(review):
// confirm where each action is assigned to routes/RPCs before relying on a
// policy that only grants read/write/delete.
const (
	ActionRead   = "read"
	ActionWrite  = "write"
	ActionDelete = "delete"
	ActionUnsafe = "unsafe"
	ActionOther  = "other"
)
const (
	// DiscoveryPath is the path to the discovery endpoint (the OpenID Connect
	// Discovery well-known suffix). It is presumably appended to the issuer
	// URL given to DiscoverOIDCConfiguration — confirm against that function.
	DiscoveryPath = "/.well-known/openid-configuration"
)

Variables

var (
	// ErrPolicyMalformed reports that the configured authorization policy
	// (PolicyConfig) could not be parsed or applied. Callers should compare
	// with errors.Is, as it may be wrapped. NOTE(review): which functions
	// return it is not visible here — likely NewCasbinEnforcer and
	// ExtendDefaultPolicy; confirm.
	ErrPolicyMalformed = errors.New("malformed authz policy")
)

Functions

func ContextWithAuthNInfo added in v0.4.2

func ContextWithAuthNInfo(ctx context.Context, key jwk.Key, accessToken jwt.Token, raw string) context.Context

func GetAccessTokenFromContext added in v0.4.1

func GetAccessTokenFromContext(ctx context.Context, l *logger.Logger) jwt.Token

func GetJWKFromContext

func GetJWKFromContext(ctx context.Context, l *logger.Logger) jwk.Key

func GetRawAccessTokenFromContext added in v0.4.1

func GetRawAccessTokenFromContext(ctx context.Context, l *logger.Logger) string

Types

type AuthNConfig

// AuthNConfig is the configuration needed by the platform to validate tokens.
// Security-relevant defaults visible in the tags: DPoP is NOT enforced unless
// EnforceDPoP is set, and the tolerated clock skew defaults to 1h for DPoP
// proofs and 1m for tokens.
type AuthNConfig struct {
	// EnforceDPoP requires a DPoP proof (RFC 9449 sender-constrained tokens)
	// in addition to the access token. Default false: tokens are accepted
	// without proof-of-possession.
	EnforceDPoP    bool          `mapstructure:"enforceDPoP" json:"enforceDPoP" default:"false"`
	// Issuer is the expected token issuer; presumably also the URL queried by
	// DiscoverOIDCConfiguration — confirm.
	Issuer         string        `mapstructure:"issuer" json:"issuer"`
	// Audience is the expected audience of accepted tokens (single value).
	Audience       string        `mapstructure:"audience" json:"audience"`
	// Policy configures the casbin authorization policy.
	Policy         PolicyConfig  `mapstructure:"policy" json:"policy"`
	// CacheRefresh is presumably the JWKS cache refresh interval, kept as a
	// string. It has no json tag, so it can only be set via mapstructure.
	CacheRefresh   string        `mapstructure:"cache_refresh_interval"`
	// DPoPSkew is the clock skew tolerated for DPoP proofs. NOTE(review): the
	// 1h default is generous — RFC 9449 expects the proof freshness window to
	// be small (minutes) and relies on jti replay tracking, which is not
	// visible here; consider lowering it in deployments.
	DPoPSkew       time.Duration `mapstructure:"dpopskew" default:"1h"`
	// TokenSkew is the clock skew tolerated for token time-based claims.
	// Note the mapstructure keys ("dpopskew" vs "skew") are not symmetric.
	TokenSkew      time.Duration `mapstructure:"skew" default:"1m"`
	// PublicClientID is the public OAuth client id; it is presumably what is
	// surfaced as OIDCConfiguration.PublicClientID — confirm.
	PublicClientID string        `mapstructure:"public_client_id" json:"public_client_id,omitempty"`
}

AuthNConfig is the configuration needed by the platform to validate tokens: the expected issuer and audience, the tolerated clock skew for tokens and DPoP proofs, whether DPoP is enforced (off by default), and the authorization policy.

type Authentication

// Authentication holds a jwks cache and information about the openid
// configuration for the configured issuer. All fields are unexported, so it
// must be constructed with NewAuthenticator; it is then used as HTTP
// middleware (MuxHandler) or a gRPC interceptor (UnaryServerInterceptor).
type Authentication struct {
	// contains filtered or unexported fields
}

Authentication holds a jwks cache and information about the openid configuration

func NewAuthenticator

func NewAuthenticator(ctx context.Context, cfg Config, logger *logger.Logger, wellknownRegistration func(namespace string, config any) error) (*Authentication, error)

NewAuthenticator creates a new Authentication used to verify tokens. Config carries a single Issuer, so despite the older wording ("a set of given issuers") only that issuer's tokens are expected to validate; the wellknownRegistration callback is invoked to publish the discovered OpenID configuration under a namespace. Returns an error if the authenticator cannot be set up.

func (*Authentication) ExtendAuthzDefaultPolicy added in v0.4.10

func (a *Authentication) ExtendAuthzDefaultPolicy(policies [][]string) error

func (Authentication) MuxHandler

func (a Authentication) MuxHandler(handler http.Handler) http.Handler

MuxHandler returns an http.Handler that verifies the request's access token before delegating to handler. Routes listed in Config.PublicRoutes presumably bypass this check — confirm, since any route on that list is reachable unauthenticated.

func (Authentication) UnaryServerInterceptor

func (a Authentication) UnaryServerInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error)

UnaryServerInterceptor is a gRPC unary interceptor that verifies the access token carried in the incoming request metadata before invoking handler.

type CasbinConfig

// CasbinConfig is the configuration for the casbin Enforcer. It currently
// embeds PolicyConfig unchanged, so every PolicyConfig field (including the
// Csv policy and Model text) is promoted onto it.
type CasbinConfig struct {
	PolicyConfig
}

type Config

// Config pulls AuthN and AuthZ together.
type Config struct {
	// Enabled switches the authentication layer on; default true. Setting it
	// to false presumably disables token verification for the whole service,
	// so it should only be used for local development.
	Enabled      bool     `mapstructure:"enabled" json:"enabled" default:"true" `
	// PublicRoutes presumably lists routes exempt from authentication. The
	// "-" tag means it cannot be set from the config file; it is populated
	// in code.
	PublicRoutes []string `mapstructure:"-"`
	// AuthNConfig is flattened into this struct's config keys (squash).
	AuthNConfig  `mapstructure:",squash"`
}

Config pulls AuthN and AuthZ together: Enabled toggles the whole authentication layer (default true), PublicRoutes holds routes that are set in code rather than from configuration, and the embedded AuthNConfig is flattened into the same configuration keys.

type Enforcer

// Enforcer wraps a casbin.Enforcer together with the configuration and the
// policy text it was built from. Construct it with NewCasbinEnforcer.
type Enforcer struct {
	*casbin.Enforcer
	// Config is the CasbinConfig the enforcer was built from.
	Config CasbinConfig
	// Policy is the policy text in use. NOTE(review): presumably the CSV
	// loaded into casbin, including any rules added via ExtendDefaultPolicy —
	// confirm.
	Policy string
	// contains filtered or unexported fields
}

func NewCasbinEnforcer

func NewCasbinEnforcer(c CasbinConfig, logger *logger.Logger) (*Enforcer, error)

NewCasbinEnforcer creates a new casbin Enforcer from the supplied CasbinConfig. Returns an error (expected to be ErrPolicyMalformed when the configured policy cannot be parsed — confirm) if the enforcer cannot be built.

func (*Enforcer) Enforce

func (e *Enforcer) Enforce(token jwt.Token, resource, action string) (bool, error)

Enforce evaluates the casbin policy for the caller identified by token against the given resource and action (see the Action* constants), returning whether access is allowed. TODO: implement a common type so this can be used for both HTTP and gRPC.

func (*Enforcer) ExtendDefaultPolicy added in v0.4.10

func (e *Enforcer) ExtendDefaultPolicy(policies [][]string) error

ExtendDefaultPolicy extends the default policy with the given rules, each policies entry being one casbin policy rule. Returns an error if the rules cannot be applied.

type OIDCConfiguration

// OIDCConfiguration holds the openid configuration for the issuer, as served
// from DiscoveryPath. For token validation the security-relevant values are
// Issuer and JwksURI: the keys served at JwksURI are presumably what the
// jwks cache trusts to sign tokens, so the document must only be fetched from
// a trusted issuer over TLS, and Issuer should be checked against the issuer
// that was queried.
type OIDCConfiguration struct {
	// Issuer is the issuer identifier; per OpenID Connect Discovery §4.3 it
	// must equal the issuer URL the document was fetched for.
	Issuer                           string   `json:"issuer"`
	AuthorizationEndpoint            string   `json:"authorization_endpoint"`
	TokenEndpoint                    string   `json:"token_endpoint"`
	// JwksURI is where the issuer's signing keys are fetched from.
	JwksURI                          string   `json:"jwks_uri"`
	ResponseTypesSupported           []string `json:"response_types_supported"`
	SubjectTypesSupported            []string `json:"subject_types_supported"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
	// RequireRequestURIRegistration is optional provider metadata.
	RequireRequestURIRegistration    bool     `json:"require_request_uri_registration"`
	// PublicClientID is not part of the standard provider metadata;
	// presumably a platform extension mirroring AuthNConfig.PublicClientID —
	// confirm.
	PublicClientID                   string   `json:"public_client_id,omitempty"`
}

OIDCConfiguration holds the openid configuration for the issuer. Currently the fields required by the spec are included (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata), plus the optional require_request_uri_registration and the non-standard public_client_id.

func DiscoverOIDCConfiguration

func DiscoverOIDCConfiguration(ctx context.Context, issuer string, logger *logger.Logger) (*OIDCConfiguration, error)

DiscoverOIDCConfiguration discovers the openid configuration for the issuer provided, presumably by fetching issuer + DiscoveryPath. Because the returned jwks_uri determines which keys are trusted to sign tokens, the issuer URL must come from trusted configuration and be fetched over TLS, and callers should verify that the returned Issuer equals the issuer requested, as OpenID Connect Discovery §4.3 requires.

type PolicyConfig

// PolicyConfig configures the casbin authorization policy and how a caller's
// roles are derived from the access token. Everything here drives access
// decisions, so the configuration source must be trusted.
type PolicyConfig struct {
	// Default — presumably the default policy (see ExtendDefaultPolicy) or a
	// default role; confirm which before relying on it.
	Default   string            `mapstructure:"default" json:"default"`
	// RoleClaim is presumably the token claim (config key "claim") from which
	// roles are read — confirm.
	RoleClaim string            `mapstructure:"claim" json:"claim"`
	// RoleMap presumably maps policy role names to values of RoleClaim —
	// confirm direction against the enforcer.
	RoleMap   map[string]string `mapstructure:"map" json:"map"`
	// Csv is presumably the casbin policy in CSV form.
	Csv       string            `mapstructure:"csv" json:"csv"`
	// Model is presumably the casbin model text.
	Model     string            `mapstructure:"model" json:"model"`
}
