Overview ¶
Package auth provides supporting functions and structs for authentication
Constants ¶
const (
	// ResourcePrincipalVersion2_2 is a supported version for resource principals
	ResourcePrincipalVersion2_2 = "2.2"
	// ResourcePrincipalVersionEnvVar environment var name for version
	ResourcePrincipalVersionEnvVar = "OCI_RESOURCE_PRINCIPAL_VERSION"
	// ResourcePrincipalRPSTEnvVar environment var name holding the token or a path to the token.
	// When it holds the token itself, the variable's value is credential material.
	ResourcePrincipalRPSTEnvVar = "OCI_RESOURCE_PRINCIPAL_RPST"
	// ResourcePrincipalPrivatePEMEnvVar environment var holding a rsa private key in pem format or a path to one.
	// When it holds the key itself, the variable's value is credential material.
	ResourcePrincipalPrivatePEMEnvVar = "OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM"
	// ResourcePrincipalPrivatePEMPassphraseEnvVar environment var holding the passphrase to a key or a path to one
	ResourcePrincipalPrivatePEMPassphraseEnvVar = "OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE"
	// ResourcePrincipalRegionEnvVar environment variable holding a region
	ResourcePrincipalRegionEnvVar = "OCI_RESOURCE_PRINCIPAL_REGION"
	// ResourcePrincipalVersion1_1 is a supported version for resource principals
	ResourcePrincipalVersion1_1 = "1.1"
	// ResourcePrincipalSessionTokenEndpoint environment var name (by its value) holding the endpoint
	// for retrieving the Resource Principal Session Token
	ResourcePrincipalSessionTokenEndpoint = "OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT"
	// ResourcePrincipalTokenEndpoint environment var name (by its value) holding the endpoint
	// for retrieving the Resource Principal Token
	ResourcePrincipalTokenEndpoint = "OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT"
	// ResourcePrincipalVersion3_0 is a supported version for resource principals
	ResourcePrincipalVersion3_0 = "3.0"

	// The *ForLeaf / *ForParent constants below are, judging by their values, environment variable
	// names for the leaf / parent resource principal flow.
	// NOTE(review): undocumented upstream; confirm each one's meaning in resource_principals_v3.go.
	ResourcePrincipalVersionForLeaf = "OCI_RESOURCE_PRINCIPAL_VERSION_FOR_LEAF_RESOURCE"
	ResourcePrincipalRptEndpointForLeaf = "OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT_FOR_LEAF_RESOURCE"
	ResourcePrincipalRptPathForLeaf = "OCI_RESOURCE_PRINCIPAL_RPT_PATH_FOR_LEAF_RESOURCE"
	ResourcePrincipalRpstEndpointForLeaf = "OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT_FOR_LEAF_RESOURCE"
	ResourcePrincipalResourceIdForLeaf = "OCI_RESOURCE_PRINCIPAL_RESOURCE_ID_FOR_LEAF_RESOURCE"
	// The two PEM variables and the RPST variable for the leaf resource carry key / token
	// material (or a path to it), like their non-leaf counterparts above.
	ResourcePrincipalPrivatePemForLeaf = "OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_FOR_LEAF_RESOURCE"
	ResourcePrincipalPrivatePemPassphraseForLeaf = "OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE_FOR_LEAF_RESOURCE"
	ResourcePrincipalRpstForLeaf = "OCI_RESOURCE_PRINCIPAL_RPST_FOR_LEAF_RESOURCE"
	ResourcePrincipalRegionForLeaf = "OCI_RESOURCE_PRINCIPAL_REGION_FOR_LEAF_RESOURCE"
	ResourcePrincipalRptURLForParent = "OCI_RESOURCE_PRINCIPAL_RPT_URL_FOR_PARENT_RESOURCE"
	ResourcePrincipalRpstEndpointForParent = "OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT_FOR_PARENT_RESOURCE"
	ResourcePrincipalTenancyIDForLeaf = "OCI_RESOURCE_PRINCIPAL_TENANCY_ID_FOR_LEAF_RESOURCE"
	// OpcParentRptUrlHeader is an HTTP header name carrying the parent RPT URL.
	// NOTE(review): which request it is attached to is not visible here; confirm in resource_principals_v3.go.
	OpcParentRptUrlHeader = "opc-parent-rpt-url"
	// KubernetesServiceAccountTokenPath is the default path of the mounted Kubernetes
	// service account token file (a bearer credential)
	KubernetesServiceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
	// DefaultKubernetesServiceAccountCertPath is the default path of the mounted cluster CA certificate
	DefaultKubernetesServiceAccountCertPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
	// OciKubernetesServiceAccountCertPath environment variable name for overriding the Kubernetes Service Account Cert Path
	OciKubernetesServiceAccountCertPath = "OCI_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH"
	// KubernetesServiceHostEnvVar environment var name holding the kubernetes host
	KubernetesServiceHostEnvVar = "KUBERNETES_SERVICE_HOST"
	// KubernetesProxymuxServicePort is the literal port number of the kubernetes proxymux service.
	// Unlike the neighbouring *EnvVar constants this is a port value, not an environment variable name.
	KubernetesProxymuxServicePort = "12250"
	// TenancyOCIDClaimKey is the key used to look up the resource tenancy in an RPST
	TenancyOCIDClaimKey = "res_tenant"
	// CompartmentOCIDClaimKey is the key used to look up the resource compartment in an RPST
	CompartmentOCIDClaimKey = "res_compartment"
)
const (
	// ResourcePrincipalTokenPath is the name of the environment variable holding the
	// path used for retrieving the Resource Principal Token (see DefaultRptPathProvider)
	ResourcePrincipalTokenPath = "OCI_RESOURCE_PRINCIPAL_RPT_PATH"
	// ResourceID is the name of the environment variable holding the OCID of the
	// resource for Resource Principal (see DefaultRptPathProvider)
	ResourceID = "OCI_RESOURCE_PRINCIPAL_RPT_ID"
)
Variables ¶
var (
	// ErrNoSuchClaim is returned when a token does not hold the claim sought.
	// Compare with errors.Is rather than ==, so wrapped errors still match.
	ErrNoSuchClaim = errors.New("no such claim")
)
var (
	// ErrNonStringClaim is returned if the token has a claim for a key, but it's not a string value.
	// Compare with errors.Is rather than ==, so wrapped errors still match.
	ErrNonStringClaim = errors.New("claim does not have a string value")
)
Functions ¶
func GetGenericConfigurationProvider ¶
func GetGenericConfigurationProvider(configProvider common.ConfigurationProvider) (common.ConfigurationProvider, error)
GetGenericConfigurationProvider checks the auth config parameters in the config file and returns the final configuration provider
func InstancePrincipalConfigurationForRegionWithCustomClient ¶
func InstancePrincipalConfigurationForRegionWithCustomClient(region common.Region, modifier func(common.HTTPRequestDispatcher) (common.HTTPRequestDispatcher, error)) (common.ConfigurationProvider, error)
InstancePrincipalConfigurationForRegionWithCustomClient returns a configuration for instance principals with a given region using a modifier function to modify the HTTPRequestDispatcher
func InstancePrincipalConfigurationProvider ¶
func InstancePrincipalConfigurationProvider() (common.ConfigurationProvider, error)
InstancePrincipalConfigurationProvider returns a configuration for instance principals
func InstancePrincipalConfigurationProviderForRegion ¶
func InstancePrincipalConfigurationProviderForRegion(region common.Region) (common.ConfigurationProvider, error)
InstancePrincipalConfigurationProviderForRegion returns a configuration for instance principals with a given region
func InstancePrincipalConfigurationProviderWithCustomClient ¶
func InstancePrincipalConfigurationProviderWithCustomClient(modifier func(common.HTTPRequestDispatcher) (common.HTTPRequestDispatcher, error)) (common.ConfigurationProvider, error)
InstancePrincipalConfigurationProviderWithCustomClient returns a configuration for instance principals using a modifier function to modify the HTTPRequestDispatcher
func InstancePrincipalConfigurationWithCerts ¶
func InstancePrincipalConfigurationWithCerts(region common.Region, leafCertificate, leafPassphrase, leafPrivateKey []byte, intermediateCertificates [][]byte) (common.ConfigurationProvider, error)
InstancePrincipalConfigurationWithCerts returns a configuration for instance principals with a given region and hardcoded certificates in lieu of metadata service certs
func InstancePrincipalDelegationTokenConfigurationProvider ¶
func InstancePrincipalDelegationTokenConfigurationProvider(delegationToken *string) (common.ConfigurationProvider, error)
InstancePrincipalDelegationTokenConfigurationProvider returns a configuration for obo token instance principals
func InstancePrincipalDelegationTokenConfigurationProviderForRegion ¶
func InstancePrincipalDelegationTokenConfigurationProviderForRegion(delegationToken *string, region common.Region) (common.ConfigurationProvider, error)
InstancePrincipalDelegationTokenConfigurationProviderForRegion returns a configuration for obo token instance principals with a given region
func ResourcePrincipalConfigurationProviderWithInterceptor ¶
func ResourcePrincipalConfigurationProviderWithInterceptor(instancePrincipalProvider common.ConfigurationProvider, resourcePrincipalTokenEndpoint, resourcePrincipalSessionTokenEndpoint string, interceptor common.RequestInterceptor) (common.ConfigurationProvider, error)
ResourcePrincipalConfigurationProviderWithInterceptor creates a resource principal configuration provider with the given endpoints and an interceptor used to customize the resource principal token request sent to the target service; see https://godoc.org/github.com/oracle/oci-go-sdk/common#RequestInterceptor
func ResourcePrincipalV3ConfiguratorBuilder ¶ added in v65.71.0
func ResourcePrincipalV3ConfiguratorBuilder(leafResourcePrincipalKeyProvider ConfigurationProviderWithClaimAccess) *resourcePrincipalV30ConfiguratorBuilder
ResourcePrincipalV3ConfiguratorBuilder creates a new resourcePrincipalV30ConfiguratorBuilder.
Types ¶
type ClaimHolder ¶
ClaimHolder is implemented by any token interface that provides access to the security claims embedded in the token.
type ConfigurationProviderWithClaimAccess ¶
// ConfigurationProviderWithClaimAccess is a common.ConfigurationProvider that also
// exposes the claims of the underlying security token through the embedded ClaimHolder.
type ConfigurationProviderWithClaimAccess interface {
	common.ConfigurationProvider
	ClaimHolder
}
ConfigurationProviderWithClaimAccess mixes in a method to access the claims held on the underlying security token
func OkeWorkloadIdentityConfigurationProvider ¶ added in v65.32.0
func OkeWorkloadIdentityConfigurationProvider() (ConfigurationProviderWithClaimAccess, error)
OkeWorkloadIdentityConfigurationProvider returns a resource principal configuration provider by OKE Workload Identity
func OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProvider ¶ added in v65.42.0
func OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProvider(saTokenProvider ServiceAccountTokenProvider) (ConfigurationProviderWithClaimAccess, error)
OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProvider returns a resource principal configuration provider by OKE Workload Identity with service account token provider
func OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProviderK8sService ¶ added in v65.71.0
func OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProviderK8sService(k8sServiceHost *string, saTokenProvider ServiceAccountTokenProvider, remoteCAbytes []byte) (ConfigurationProviderWithClaimAccess, error)
func ResourcePrincipalConfigurationProvider ¶
func ResourcePrincipalConfigurationProvider() (ConfigurationProviderWithClaimAccess, error)
ResourcePrincipalConfigurationProvider returns a resource principal configuration provider using well-known environment variables to look up token information. The environment variables can either be paths or contain the material value of the keys. However, in the case of the keys and tokens, paths and values cannot be mixed
func ResourcePrincipalConfigurationProviderForRegion ¶ added in v65.40.1
func ResourcePrincipalConfigurationProviderForRegion(region common.Region) (ConfigurationProviderWithClaimAccess, error)
ResourcePrincipalConfigurationProviderForRegion returns a resource principal configuration provider using well-known environment variables to look up token information, for a given region. The environment variables can either be paths or contain the material value of the keys. However, in the case of the keys and tokens, paths and values cannot be mixed
func ResourcePrincipalConfigurationProviderV3 ¶ added in v65.71.0
func ResourcePrincipalConfigurationProviderV3(leafResourcePrincipalKeyProvider ConfigurationProviderWithClaimAccess) (ConfigurationProviderWithClaimAccess, error)
ResourcePrincipalConfigurationProviderV3 creates and configures a resource principal.
func ResourcePrincipalConfigurationProviderWithPathProvider ¶
func ResourcePrincipalConfigurationProviderWithPathProvider(pathProvider PathProvider) (ConfigurationProviderWithClaimAccess, error)
ResourcePrincipalConfigurationProviderWithPathProvider returns a resource principal configuration provider using path provider.
func ResourcePrincipalDelegationTokenConfigurationProvider ¶ added in v65.48.0
func ResourcePrincipalDelegationTokenConfigurationProvider(delegationToken *string) (ConfigurationProviderWithClaimAccess, error)
ResourcePrincipalDelegationTokenConfigurationProvider returns a configuration for obo token resource principals
func ResourcePrincipalDelegationTokenConfigurationProviderForRegion ¶ added in v65.48.0
func ResourcePrincipalDelegationTokenConfigurationProviderForRegion(delegationToken *string, region common.Region) (ConfigurationProviderWithClaimAccess, error)
ResourcePrincipalDelegationTokenConfigurationProviderForRegion returns a configuration for obo token resource principals with a given region
type DefaultRptPathProvider ¶
// DefaultRptPathProvider is the PathProvider used when the caller does not supply one
// to the resource principals signer. Its fields are unexported and elided in this rendering.
type DefaultRptPathProvider struct {
	// contains filtered or unexported fields
}
DefaultRptPathProvider is a path provider that applies the correct fallback behavior.
For the path, use the contents of the OCI_RESOURCE_PRINCIPAL_RPT_PATH environment variable, if set. Otherwise, use the current path: "/20180711/resourcePrincipalToken/{id}"
For the resource id, use the contents of the OCI_RESOURCE_PRINCIPAL_RPT_ID environment variable, if set. Otherwise, use IMDS to get the instance id
This path provider is used when the caller doesn't provide a specific path provider to the resource principals signer
func (DefaultRptPathProvider) Path ¶
func (pp DefaultRptPathProvider) Path() (*string, error)
Path returns the resource principal token path
func (DefaultRptPathProvider) ResourceID ¶
func (pp DefaultRptPathProvider) ResourceID() (*string, error)
ResourceID returns the resource associated with the resource principal
type DefaultServiceAccountTokenProvider ¶ added in v65.42.0
// DefaultServiceAccountTokenProvider is a ServiceAccountTokenProvider constructed with
// NewDefaultServiceAccountTokenProvider; the token path it reads can be overridden with
// WithSaTokenPath. Its fields are unexported and elided in this rendering.
type DefaultServiceAccountTokenProvider struct {
	// contains filtered or unexported fields
}
DefaultServiceAccountTokenProvider is supplied by the user when instantiating OkeWorkloadIdentityConfigurationProvider
func NewDefaultServiceAccountTokenProvider ¶ added in v65.42.0
func NewDefaultServiceAccountTokenProvider() DefaultServiceAccountTokenProvider
NewDefaultServiceAccountTokenProvider returns a new instance of DefaultServiceAccountTokenProvider
func (DefaultServiceAccountTokenProvider) ServiceAccountToken ¶ added in v65.42.0
func (d DefaultServiceAccountTokenProvider) ServiceAccountToken() (string, error)
ServiceAccountToken returns a service account token
func (DefaultServiceAccountTokenProvider) WithSaTokenPath ¶ added in v65.42.0
func (d DefaultServiceAccountTokenProvider) WithSaTokenPath(tokenPath string) DefaultServiceAccountTokenProvider
WithSaTokenPath is a builder method to override the SA token path
type EnvRptPathProvider ¶
// EnvRptPathProvider is a stateless PathProvider that reads the path and resource ID from environment variables.
type EnvRptPathProvider struct{}
EnvRptPathProvider sets the path and resource ID from environment variables
func (EnvRptPathProvider) Path ¶
func (pp EnvRptPathProvider) Path() (*string, error)
Path returns the resource principal token path
func (EnvRptPathProvider) ResourceID ¶
func (pp EnvRptPathProvider) ResourceID() (*string, error)
ResourceID returns the resource associated with the resource principal
type ImdsRptPathProvider ¶
// ImdsRptPathProvider is a stateless PathProvider that uses a default path and reads the resource ID from instance metadata.
type ImdsRptPathProvider struct{}
ImdsRptPathProvider sets the path from a default value and the resource ID from instance metadata
func (ImdsRptPathProvider) Path ¶
func (pp ImdsRptPathProvider) Path() (*string, error)
Path returns the resource principal token path
func (ImdsRptPathProvider) ResourceID ¶
func (pp ImdsRptPathProvider) ResourceID() (*string, error)
ResourceID returns the resource associated with the resource principal
type PathProvider ¶
PathProvider is an interface that returns path and resource ID
type RptPathProviderForLeafResource ¶ added in v65.71.0
// RptPathProviderForLeafResource has Path and ResourceID methods, i.e. it is a PathProvider
// for a leaf resource. NOTE(review): undocumented upstream; confirm its behaviour in
// resource_principal_token_path_provider.go. Its fields are unexported and elided in this rendering.
type RptPathProviderForLeafResource struct {
	// contains filtered or unexported fields
}
func (RptPathProviderForLeafResource) Path ¶ added in v65.71.0
func (pp RptPathProviderForLeafResource) Path() (*string, error)
func (RptPathProviderForLeafResource) ResourceID ¶ added in v65.71.0
func (pp RptPathProviderForLeafResource) ResourceID() (*string, error)
ResourceID returns the resource associated with the resource principal
type ServiceAccountTokenProvider ¶ added in v65.42.0
ServiceAccountTokenProvider is implemented by types that supply a service account token via ServiceAccountToken
type StringRptPathProvider ¶
// StringRptPathProvider is a PathProvider that returns a caller-supplied string as the path.
// Its fields are unexported and elided in this rendering.
type StringRptPathProvider struct {
	// contains filtered or unexported fields
}
StringRptPathProvider is a simple path provider that takes a string and returns it
func (StringRptPathProvider) Path ¶
func (pp StringRptPathProvider) Path() (*string, error)
Path returns the resource principal token path
func (StringRptPathProvider) ResourceID ¶
func (pp StringRptPathProvider) ResourceID() (*string, error)
ResourceID returns the resource associated with the resource principal
type SuppliedServiceAccountTokenProvider ¶ added in v65.42.0
// SuppliedServiceAccountTokenProvider is a ServiceAccountTokenProvider built from a token
// string the caller already holds (see NewSuppliedServiceAccountTokenProvider). Because it
// stores the token itself, instances carry credential material. Its fields are unexported
// and elided in this rendering.
type SuppliedServiceAccountTokenProvider struct {
	// contains filtered or unexported fields
}
SuppliedServiceAccountTokenProvider is supplied by the user when instantiating OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProvider
func NewSuppliedServiceAccountTokenProvider ¶ added in v65.42.0
func NewSuppliedServiceAccountTokenProvider(tokenString string) SuppliedServiceAccountTokenProvider
NewSuppliedServiceAccountTokenProvider returns a new instance of SuppliedServiceAccountTokenProvider
func (SuppliedServiceAccountTokenProvider) ServiceAccountToken ¶ added in v65.42.0
func (d SuppliedServiceAccountTokenProvider) ServiceAccountToken() (string, error)
ServiceAccountToken returns a service account token
type Token ¶
// Token is the JSON envelope for a token string.
type Token struct {
	// Token is the token value, serialised under the "token" key. It is a credential:
	// keep serialised instances out of logs and error messages.
	Token string `mandatory:"true" json:"token,omitempty"`
}
Token holds a token string
type X509FederationDetails ¶
// X509FederationDetails is the JSON payload describing an x509 federation request.
type X509FederationDetails struct {
	// Certificate is the leaf certificate (mandatory).
	Certificate string `mandatory:"true" json:"certificate,omitempty"`
	// PublicKey is the public key presented alongside the certificate (mandatory).
	PublicKey string `mandatory:"true" json:"publicKey,omitempty"`
	// IntermediateCertificates is the optional chain between the leaf and the trust anchor.
	IntermediateCertificates []string `mandatory:"false" json:"intermediateCertificates,omitempty"`
}
X509FederationDetails holds the x509 federation details
Source Files ¶
- certificate_retriever.go
- configuration.go
- dispatcher_modifier.go
- federation_client.go
- federation_client_oke_workload_identity.go
- instance_principal_delegation_token_provider.go
- instance_principal_key_provider.go
- jwt.go
- resource_principal_delegation_token_provider.go
- resource_principal_key_provider.go
- resource_principal_token_path_provider.go
- resource_principals_v1.go
- resource_principals_v3.go
- utils.go