Overview ¶
Package iam provides authorization provider implementations for clients that connect to cloud via IAM (Oracle Identity and Access Management).
Index ¶
- func DefaultBodyHeaders() []string
- func DefaultDelegationHeaders() []string
- func DefaultGenericHeaders() []string
- func GetBodyHash(request *http.Request) (hashString string, err error)
- func IsConfigurationProviderValid(conf ConfigurationProvider) (ok bool, err error)
- func PrivateKeyFromBytes(pemData []byte, password *string) (key *rsa.PrivateKey, e error)
- func PrivateKeyFromBytesWithPassword(pemData, password []byte) (key *rsa.PrivateKey, e error)
- type ConfigurationProvider
- func ConfigurationProviderFromFile(configFilePath, privateKeyPassword string) (ConfigurationProvider, error)
- func ConfigurationProviderFromFileWithProfile(configFilePath, profile, privateKeyPassword string) (ConfigurationProvider, error)
- func NewRawConfigurationProvider(tenancy, user, region, fingerprint, privateKey string, ...) ConfigurationProvider
- func SessionTokenProviderFromFileWithProfile(configFilePath, profile, privateKeyPassword string) (ConfigurationProvider, error)
- type HTTPRequestSigner
- func DefaultRequestSigner(provider KeyProvider) HTTPRequestSigner
- func DelegationRequestSigner(provider KeyProvider) HTTPRequestSigner
- func DelegationRequestSignerExcludeBody(provider KeyProvider) HTTPRequestSigner
- func NewSignerFromOCIRequestSigner(oldSigner HTTPRequestSigner, predicate SignerBodyHashPredicate) (HTTPRequestSigner, error)
- func RequestSigner(provider KeyProvider, genericHeaders, bodyHeaders []string) HTTPRequestSigner
- func RequestSignerExcludeBody(provider KeyProvider) HTTPRequestSigner
- func RequestSignerWithBodyHashingPredicate(provider KeyProvider, genericHeaders, bodyHeaders []string, ...) HTTPRequestSigner
- type KeyProvider
- type SignatureProvider
- func NewRawSignatureProvider(tenancy, user, region, fingerprint, compartmentID, privateKeyOrFile string, ...) (*SignatureProvider, error)
- func NewSessionTokenSignatureProvider() (*SignatureProvider, error)
- func NewSessionTokenSignatureProviderFromFile(configFilePath, ociProfile, privateKeyPassphrase string) (*SignatureProvider, error)
- func NewSignatureProvider() (*SignatureProvider, error)
- func NewSignatureProviderFromFile(configFilePath, ociProfile, privateKeyPassphrase, compartmentID string) (*SignatureProvider, error)
- func NewSignatureProviderWithConfiguration(configProvider ConfigurationProvider, compartmentID string) (*SignatureProvider, error)
- func NewSignatureProviderWithInstancePrincipal(compartmentID string) (*SignatureProvider, error)
- func NewSignatureProviderWithInstancePrincipalDelegation(compartmentID string, delegationToken string) (*SignatureProvider, error)
- func NewSignatureProviderWithInstancePrincipalDelegationFromFile(compartmentID string, delegationTokenFile string) (*SignatureProvider, error)
- func NewSignatureProviderWithResourcePrincipal(compartmentID string) (*SignatureProvider, error)
- func (p *SignatureProvider) AuthorizationScheme() string
- func (p *SignatureProvider) AuthorizationString(req auth.Request) (auth string, err error)
- func (p *SignatureProvider) Close() error
- func (p *SignatureProvider) Profile() ConfigurationProvider
- func (p *SignatureProvider) SetDelegationToken(delegationToken string) (*SignatureProvider, error)
- func (p *SignatureProvider) SetDelegationTokenFromFile(delegationTokenFile string) (*SignatureProvider, error)
- func (p *SignatureProvider) SignHTTPRequest(req *http.Request) error
- type SignerBodyHashPredicate
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DefaultBodyHeaders ¶
func DefaultBodyHeaders() []string
DefaultBodyHeaders returns the list of default body headers that are used in signing.
func DefaultDelegationHeaders ¶ added in v1.4.1
func DefaultDelegationHeaders() []string
DefaultDelegationHeaders returns the list of default headers that are used in signing with a delegation token.
func DefaultGenericHeaders ¶
func DefaultGenericHeaders() []string
DefaultGenericHeaders returns the list of default generic headers that are used in signing.
func GetBodyHash ¶
GetBodyHash creates a base64 string from the hash of the request body.
func IsConfigurationProviderValid ¶
func IsConfigurationProviderValid(conf ConfigurationProvider) (ok bool, err error)
IsConfigurationProviderValid tests that all parts of the configuration provider do not return an error.
func PrivateKeyFromBytes ¶
func PrivateKeyFromBytes(pemData []byte, password *string) (key *rsa.PrivateKey, e error)
PrivateKeyFromBytes is a helper function that will produce an RSA private key from bytes. Deprecated: this function is deprecated in favour of PrivateKeyFromBytesWithPassword.
func PrivateKeyFromBytesWithPassword ¶
func PrivateKeyFromBytesWithPassword(pemData, password []byte) (key *rsa.PrivateKey, e error)
PrivateKeyFromBytesWithPassword is a helper function that will produce an RSA private key from bytes and a password.
Types ¶
type ConfigurationProvider ¶
type ConfigurationProvider interface {
	KeyProvider
	TenancyOCID() (string, error)
	UserOCID() (string, error)
	KeyFingerprint() (string, error)
	Region() (string, error)
	SecurityTokenFile() (string, error)
}
ConfigurationProvider wraps information about the account owner.
func ConfigurationProviderFromFile ¶
func ConfigurationProviderFromFile(configFilePath, privateKeyPassword string) (ConfigurationProvider, error)
ConfigurationProviderFromFile creates a configuration provider from a configuration file by reading the "DEFAULT" profile.
func ConfigurationProviderFromFileWithProfile ¶
func ConfigurationProviderFromFileWithProfile(configFilePath, profile, privateKeyPassword string) (ConfigurationProvider, error)
ConfigurationProviderFromFileWithProfile creates a configuration provider from a configuration file and the given profile.
func NewRawConfigurationProvider ¶
func NewRawConfigurationProvider(tenancy, user, region, fingerprint, privateKey string, privateKeyPassphrase *string) ConfigurationProvider
NewRawConfigurationProvider will create a ConfigurationProvider from the function's arguments.
func SessionTokenProviderFromFileWithProfile ¶ added in v1.4.2
func SessionTokenProviderFromFileWithProfile(configFilePath, profile, privateKeyPassword string) (ConfigurationProvider, error)
type HTTPRequestSigner ¶
HTTPRequestSigner is the interface used to sign a request.
func DefaultRequestSigner ¶
func DefaultRequestSigner(provider KeyProvider) HTTPRequestSigner
DefaultRequestSigner creates a signer with default parameters.
func DelegationRequestSigner ¶ added in v1.4.1
func DelegationRequestSigner(provider KeyProvider) HTTPRequestSigner
DelegationRequestSigner creates a signer with parameters that include the delegation token.
func DelegationRequestSignerExcludeBody ¶ added in v1.4.1
func DelegationRequestSignerExcludeBody(provider KeyProvider) HTTPRequestSigner
DelegationRequestSignerExcludeBody creates a signer that does not hash the body but does include the delegation token.
func NewSignerFromOCIRequestSigner ¶
func NewSignerFromOCIRequestSigner(oldSigner HTTPRequestSigner, predicate SignerBodyHashPredicate) (HTTPRequestSigner, error)
NewSignerFromOCIRequestSigner creates a copy of the request signer and attaches the new SignerBodyHashPredicate. It returns an error if the passed signer is not of type ociRequestSigner.
func RequestSigner ¶
func RequestSigner(provider KeyProvider, genericHeaders, bodyHeaders []string) HTTPRequestSigner
RequestSigner creates a signer that utilizes the specified headers for signing, and the default predicate for deciding whether the body of the request is used as part of the signature.
func RequestSignerExcludeBody ¶
func RequestSignerExcludeBody(provider KeyProvider) HTTPRequestSigner
RequestSignerExcludeBody creates a signer that does not hash the body.
func RequestSignerWithBodyHashingPredicate ¶
func RequestSignerWithBodyHashingPredicate(provider KeyProvider, genericHeaders, bodyHeaders []string, shouldHashBody SignerBodyHashPredicate) HTTPRequestSigner
RequestSignerWithBodyHashingPredicate creates a signer that utilizes the specified headers for signing, as well as a predicate that decides whether the body of the request and the bodyHeaders parameter are used as part of the signature.
type KeyProvider ¶
type KeyProvider interface {
	PrivateRSAKey() (*rsa.PrivateKey, error)
	KeyID() (string, error)
	ExpirationTime() time.Time
}
KeyProvider is an interface that wraps information about the key's account owner.
type SignatureProvider ¶
type SignatureProvider struct {
// contains filtered or unexported fields
}
SignatureProvider is a signature provider for use with cloud IAM.
This implements the nosqldb.AuthorizationProvider interface.
func NewRawSignatureProvider ¶
func NewRawSignatureProvider(tenancy, user, region, fingerprint, compartmentID, privateKeyOrFile string, privateKeyPassphrase *string) (*SignatureProvider, error)
NewRawSignatureProvider creates a signature provider based on the raw credentials given (no files necessary).
privateKeyPassphrase is only required if the private key uses a passphrase.
compartmentID is optional; if empty, the tenancyOCID is used in its place.
privateKeyOrFile specifies the private key or full path to the private key file.
func NewSessionTokenSignatureProvider ¶ added in v1.4.2
func NewSessionTokenSignatureProvider() (*SignatureProvider, error)
NewSessionTokenSignatureProvider creates a SignatureProvider using a temporary session token read from a token file.
The configuration file used is '~/.oci/config'. See [SDK Configuration File] for details of the file's contents and format. The "DEFAULT" profile is used.
The path of the token file is read from the configuration, using the value of the field 'security_token_file'.
See [Session Token-Based Authentication] for more details of session-token-based authentication.
You can use the OCI CLI to authenticate and create a token. See [Token-based Authentication for the CLI].
When using this constructor, the user has a default compartment for all tables. It is the root compartment of the user's tenancy.
[SDK Configuration File]: https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm
[Session Token-Based Authentication]: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdk_authentication_methods.htm#sdk_authentication_methods_session_token
[Token-based Authentication for the CLI]: https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/clitoken.htm
func NewSessionTokenSignatureProviderFromFile ¶ added in v1.4.2
func NewSessionTokenSignatureProviderFromFile(configFilePath, ociProfile, privateKeyPassphrase string) (*SignatureProvider, error)
NewSessionTokenSignatureProviderFromFile creates a SignatureProvider using a temporary session token read from a token file, using the ociProfile specified in the OCI configuration file configFilePath. See [SDK Configuration File] for details of the file's contents and format.
The path of the token file is read from the configuration, using the value of the field 'security_token_file'.
See [Session Token-Based Authentication] for more details of session-token-based authentication.
You can use the OCI CLI to authenticate and create a token. See [Token-based Authentication for the CLI].
privateKeyPassphrase is only required if the private key uses a passphrase and it is not specified in the "pass_phrase" field in the OCI configuration file.
When using this constructor, the user has a default compartment for all tables. It is the root compartment of the user's tenancy.
[SDK Configuration File]: https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm
[Session Token-Based Authentication]: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdk_authentication_methods.htm#sdk_authentication_methods_session_token
[Token-based Authentication for the CLI]: https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/clitoken.htm
func NewSignatureProvider ¶
func NewSignatureProvider() (*SignatureProvider, error)
NewSignatureProvider creates a signature provider using the "DEFAULT" profile specified in the default OCI configuration file ~/.oci/config. See https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm for details of the configuration file's contents and format.
This signature provider uses the tenancyOCID (the "tenancy" field specified in the configuration file) as the compartmentID.
func NewSignatureProviderFromFile ¶
func NewSignatureProviderFromFile(configFilePath, ociProfile, privateKeyPassphrase, compartmentID string) (*SignatureProvider, error)
NewSignatureProviderFromFile creates a signature provider using the ociProfile specified in the OCI configuration file configFilePath. See https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm for details of the configuration file's contents and format.
ociProfile is optional; if empty, "DEFAULT" will be used.
privateKeyPassphrase is only required if the private key uses a passphrase and it is not specified in the "pass_phrase" field in the OCI configuration file.
compartmentID is optional; if empty, the tenancyOCID is used in its place. If specified, it represents a compartment id or name. If using a nested compartment, specify the full compartment path relative to the root compartment as compartmentID. For example, if using rootCompartment.compartmentA.compartmentB, the compartmentID should be set to compartmentA.compartmentB.
func NewSignatureProviderWithConfiguration ¶
func NewSignatureProviderWithConfiguration(configProvider ConfigurationProvider, compartmentID string) (*SignatureProvider, error)
NewSignatureProviderWithConfiguration creates a signature provider with the supplied configuration.
The compartmentID specifies the OCID of the compartment to which the Oracle NoSQL tables belong. If empty, the tenancy OCID is used.
This function can be used in the following cases:
1. If other NewSignatureProviderXXX() variants declared in the package do not meet application requirements, you can provide an implementation of the ConfigurationProvider interface and create a signature provider with it.
2. If your application uses OCI-GO-SDK as a dependency, you can use one of the ConfigurationProvider implementations from OCI-GO-SDK and create a signature provider with it.
func NewSignatureProviderWithInstancePrincipal ¶
func NewSignatureProviderWithInstancePrincipal(compartmentID string) (*SignatureProvider, error)
NewSignatureProviderWithInstancePrincipal creates a signature provider with instance principal. This can be used for applications that access NoSQL cloud service from within an Oracle Compute Instance.
The compartmentID specifies the OCID of the compartment to which the Oracle NoSQL tables belong. If empty, the tenancy OCID is used.
func NewSignatureProviderWithInstancePrincipalDelegation ¶ added in v1.4.1
func NewSignatureProviderWithInstancePrincipalDelegation(compartmentID string, delegationToken string) (*SignatureProvider, error)
NewSignatureProviderWithInstancePrincipalDelegation creates a signature provider with instance principal using a delegation token. This can be used for applications that access NoSQL cloud service from within an Oracle Compute Instance. The delegation token allows the instance to assume the privileges of the user for which the token was created.
The compartmentID specifies the OCID of the compartment to which the Oracle NoSQL tables belong. If empty, the tenancy OCID is used.
func NewSignatureProviderWithInstancePrincipalDelegationFromFile ¶ added in v1.4.1
func NewSignatureProviderWithInstancePrincipalDelegationFromFile(compartmentID string, delegationTokenFile string) (*SignatureProvider, error)
NewSignatureProviderWithInstancePrincipalDelegationFromFile creates a signature provider with instance principal using a delegation token read from a file. This can be used for applications that access NoSQL cloud service from within an Oracle Compute Instance. The delegation token allows the instance to assume the privileges of the user for which the token was created. The file must contain only the delegation token string.
The compartmentID specifies the OCID of the compartment to which the Oracle NoSQL tables belong. If empty, the tenancy OCID is used.
func NewSignatureProviderWithResourcePrincipal ¶
func NewSignatureProviderWithResourcePrincipal(compartmentID string) (*SignatureProvider, error)
NewSignatureProviderWithResourcePrincipal creates a signature provider with resource principal. This can be used for applications that access NoSQL cloud service from within a function that executes on Oracle Functions.
The compartmentID specifies the OCID of the compartment to which the Oracle NoSQL tables belong. If empty, the tenancy OCID is used.
Resource principal is configured using the following environment variables:
OCI_RESOURCE_PRINCIPAL_VERSION
OCI_RESOURCE_PRINCIPAL_RPST
OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM
OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE
OCI_RESOURCE_PRINCIPAL_REGION
OCI_RESOURCE_PRINCIPAL_VERSION specifies the resource principal version. The current version is 2.2.
OCI_RESOURCE_PRINCIPAL_RPST specifies a resource principal session token or a path to the file that stores the token.
OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM specifies an RSA private key in PEM format or a path to the private key file.
OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE specifies a passphrase for the private key or a path to the file that stores the passphrase. This is optional; it is only required if the private key has a passphrase.
OCI_RESOURCE_PRINCIPAL_REGION specifies an OCI region identifier.
Note that if your application is deployed to Oracle Functions, these environment variables are already set inside the container in which the function executes.
func (*SignatureProvider) AuthorizationScheme ¶
func (p *SignatureProvider) AuthorizationScheme() string
AuthorizationScheme returns "Signature" for this provider, which means that requests must be signed before being sent out.
func (*SignatureProvider) AuthorizationString ¶
func (p *SignatureProvider) AuthorizationString(req auth.Request) (auth string, err error)
AuthorizationString is not used for IAM; instead, each individual request is signed via SignHTTPRequest().
func (*SignatureProvider) Close ¶
func (p *SignatureProvider) Close() error
Close releases resources allocated by the provider and sets the closed state for the provider. Currently there is nothing to release.
func (*SignatureProvider) Profile ¶
func (p *SignatureProvider) Profile() ConfigurationProvider
Profile returns the profile used for the signature provider.
func (*SignatureProvider) SetDelegationToken ¶ added in v1.4.1
func (p *SignatureProvider) SetDelegationToken(delegationToken string) (*SignatureProvider, error)
SetDelegationToken sets a delegation token for the signature provider. Passing an empty string configures the provider not to use delegation.
func (*SignatureProvider) SetDelegationTokenFromFile ¶ added in v1.4.1
func (p *SignatureProvider) SetDelegationTokenFromFile(delegationTokenFile string) (*SignatureProvider, error)
SetDelegationTokenFromFile sets a delegation token for the signature provider based on the string contents of a file. The file must contain the token itself and nothing else.
func (*SignatureProvider) SignHTTPRequest ¶
func (p *SignatureProvider) SignHTTPRequest(req *http.Request) error
SignHTTPRequest signs the request, adds the signature to the Authorization header, adds the Date header, and adds the "X-Nosql-Compartment-Id" header.
The Authorization header looks like:
Signature version=n,headers=<>,keyId=<>,algorithm="rsa-sha256",signature="..."
This method reuses the cached signature if it was generated within the expiry time specified in signatureExpiry. Otherwise, it gets the current date/time and uses that to generate a new signature.
type SignerBodyHashPredicate ¶
SignerBodyHashPredicate is a function that allows enabling or disabling body hashing of requests, together with the headers associated with the body content.