auth

package
v0.4.37 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 9, 2025 License: BSD-3-Clause-Clear Imports: 28 Imported by: 0

Documentation

Index

Constants

View Source
const (
	ActionRead   = "read"
	ActionWrite  = "write"
	ActionDelete = "delete"
	ActionUnsafe = "unsafe"
	ActionOther  = "other"
)
View Source
const (
	// DiscoveryPath is the path to the discovery endpoint
	DiscoveryPath = "/.well-known/openid-configuration"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthNConfig

type AuthNConfig struct {
	EnforceDPoP    bool          `mapstructure:"enforceDPoP" json:"enforceDPoP" default:"false"`
	Issuer         string        `mapstructure:"issuer" json:"issuer"`
	Audience       string        `mapstructure:"audience" json:"audience"`
	Policy         PolicyConfig  `mapstructure:"policy" json:"policy"`
	CacheRefresh   string        `mapstructure:"cache_refresh_interval"`
	DPoPSkew       time.Duration `mapstructure:"dpopskew" default:"1h"`
	TokenSkew      time.Duration `mapstructure:"skew" default:"1m"`
	PublicClientID string        `mapstructure:"public_client_id" json:"public_client_id,omitempty"`
}

AuthNConfig is the configuration need for the platform to validate tokens

type Authentication

type Authentication struct {
	// contains filtered or unexported fields
}

Authentication holds a jwks cache and information about the openid configuration

func NewAuthenticator

func NewAuthenticator(ctx context.Context, cfg Config, logger *logger.Logger, wellknownRegistration func(namespace string, config any) error) (*Authentication, error)

Creates new authN which is used to verify tokens for a set of given issuers

func (Authentication) ConnectUnaryServerInterceptor added in v0.4.27

func (a Authentication) ConnectUnaryServerInterceptor() connect.UnaryInterceptorFunc

UnaryServerInterceptor is a grpc interceptor that verifies the token in the metadata

func (Authentication) MuxHandler

func (a Authentication) MuxHandler(handler http.Handler) http.Handler

verifyTokenHandler is a http handler that verifies the token

type CasbinConfig

type CasbinConfig struct {
	PolicyConfig
}

type Config

type Config struct {
	Enabled      bool     `mapstructure:"enabled" json:"enabled" default:"true" `
	PublicRoutes []string `mapstructure:"-"`
	AuthNConfig  `mapstructure:",squash"`
}

AuthConfig pulls AuthN and AuthZ together

type Enforcer

type Enforcer struct {
	*casbin.Enforcer
	Config CasbinConfig
	Policy string
	// contains filtered or unexported fields
}

func NewCasbinEnforcer

func NewCasbinEnforcer(c CasbinConfig, logger *logger.Logger) (*Enforcer, error)

newCasbinEnforcer creates a new casbin enforcer

func (*Enforcer) Enforce

func (e *Enforcer) Enforce(token jwt.Token, resource, action string) (bool, error)

casbinEnforce is a helper function to enforce the policy with casbin TODO implement a common type so this can be used for both http and grpc

type OIDCConfiguration

type OIDCConfiguration struct {
	Issuer                           string   `json:"issuer"`
	AuthorizationEndpoint            string   `json:"authorization_endpoint"`
	TokenEndpoint                    string   `json:"token_endpoint"`
	JwksURI                          string   `json:"jwks_uri"`
	ResponseTypesSupported           []string `json:"response_types_supported"`
	SubjectTypesSupported            []string `json:"subject_types_supported"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
	RequireRequestURIRegistration    bool     `json:"require_request_uri_registration"`
	PublicClientID                   string   `json:"public_client_id,omitempty"`
}

OIDCConfiguration holds the openid configuration for the issuer. Currently only required fields are included (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)

func DiscoverOIDCConfiguration

func DiscoverOIDCConfiguration(ctx context.Context, issuer string, logger *logger.Logger) (*OIDCConfiguration, error)

DiscoverOPENIDConfiguration discovers the openid configuration for the issuer provided

type PolicyConfig

type PolicyConfig struct {
	Builtin string `mapstructure:"-" json:"-"`
	// Username claim to use for user information
	UserNameClaim string `mapstructure:"username_claim" json:"username_claim" default:"preferred_username"`
	// Claim to use for group/role information
	GroupsClaim string `mapstructure:"groups_claim" json:"group_claim" default:"realm_access.roles"`
	// Deprecated: Use GroupClain instead
	RoleClaim string `mapstructure:"claim" json:"claim" default:"realm_access.roles"`
	// Deprecated: Use Casbin grouping statements g, <user/group>, <role>
	RoleMap map[string]string `mapstructure:"map" json:"map"`
	// Override the builtin policy with a custom policy
	Csv string `mapstructure:"csv" json:"csv"`
	// Extend the builtin policy with a custom policy
	Extension string `mapstructure:"extension" json:"extension"`
	Model     string `mapstructure:"model" json:"model"`
	// Override the default string-adapter
	Adapter persist.Adapter `mapstructure:"-" json:"-"`
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL