auth

package

Documentation

Overview

Package auth provides the configuration providers and supporting types used to authenticate to OCI as an instance principal, as a resource principal (versions 1.1, 2.2 and 3.0), as an OKE workload identity, or on behalf of another caller through a delegation (OBO) token.

Index

Constants

// Resource principal, version 2.2: the credential material is supplied through
// environment variables that hold either the value itself or a path to a file
// containing it.
const (
	// ResourcePrincipalVersion2_2 is a supported version for resource principals.
	ResourcePrincipalVersion2_2 = "2.2"
	// ResourcePrincipalVersionEnvVar names the environment variable that selects the resource principal version.
	ResourcePrincipalVersionEnvVar = "OCI_RESOURCE_PRINCIPAL_VERSION"
	// ResourcePrincipalRPSTEnvVar names the environment variable holding the resource principal session token (RPST), or a path to it.
	ResourcePrincipalRPSTEnvVar = "OCI_RESOURCE_PRINCIPAL_RPST"
	// ResourcePrincipalPrivatePEMEnvVar names the environment variable holding an RSA private key in PEM format, or a path to one.
	// NOTE(review): key material placed directly in the variable is readable by anything that can inspect the
	// process environment (child processes, /proc); a path to a tightly-permissioned file is the safer option.
	ResourcePrincipalPrivatePEMEnvVar = "OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM"
	// ResourcePrincipalPrivatePEMPassphraseEnvVar names the environment variable holding the private key passphrase, or a path to it.
	ResourcePrincipalPrivatePEMPassphraseEnvVar = "OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE"
	// ResourcePrincipalRegionEnvVar names the environment variable holding the region.
	ResourcePrincipalRegionEnvVar = "OCI_RESOURCE_PRINCIPAL_REGION"
)

// Resource principal, version 1.1: tokens are fetched from endpoints named by
// environment variables instead of being read from the environment directly.
const (
	// ResourcePrincipalVersion1_1 is a supported version for resource principals.
	ResourcePrincipalVersion1_1 = "1.1"
	// ResourcePrincipalSessionTokenEndpoint names the environment variable holding the endpoint from which
	// the Resource Principal Session Token (RPST) is retrieved.
	ResourcePrincipalSessionTokenEndpoint = "OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT"
	// ResourcePrincipalTokenEndpoint names the environment variable holding the endpoint from which
	// the Resource Principal Token (RPT) is retrieved.
	ResourcePrincipalTokenEndpoint = "OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT"
)

// Resource principal, version 3.0: a leaf resource principal appears to be used
// to obtain a parent resource principal (see ResourcePrincipalConfigurationProviderV3).
// The *_FOR_LEAF_RESOURCE variables mirror the 1.1/2.2 variables above but apply
// to the leaf; the *_FOR_PARENT_RESOURCE variables locate the parent's endpoints.
const (
	// ResourcePrincipalVersion3_0 is a supported version for resource principals.
	ResourcePrincipalVersion3_0 = "3.0"
	// ResourcePrincipalVersionForLeaf names the environment variable selecting the leaf resource principal version.
	ResourcePrincipalVersionForLeaf = "OCI_RESOURCE_PRINCIPAL_VERSION_FOR_LEAF_RESOURCE"
	// ResourcePrincipalRptEndpointForLeaf names the environment variable holding the leaf's RPT endpoint.
	ResourcePrincipalRptEndpointForLeaf = "OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT_FOR_LEAF_RESOURCE"
	// ResourcePrincipalRptPathForLeaf names the environment variable holding the leaf's RPT request path.
	ResourcePrincipalRptPathForLeaf = "OCI_RESOURCE_PRINCIPAL_RPT_PATH_FOR_LEAF_RESOURCE"
	// ResourcePrincipalRpstEndpointForLeaf names the environment variable holding the leaf's RPST endpoint.
	ResourcePrincipalRpstEndpointForLeaf = "OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT_FOR_LEAF_RESOURCE"
	// ResourcePrincipalResourceIdForLeaf names the environment variable holding the leaf resource's OCID.
	ResourcePrincipalResourceIdForLeaf = "OCI_RESOURCE_PRINCIPAL_RESOURCE_ID_FOR_LEAF_RESOURCE"
	// ResourcePrincipalPrivatePemForLeaf names the environment variable holding the leaf's private key in PEM format, or a path to one.
	// The same exposure caveat as ResourcePrincipalPrivatePEMEnvVar applies.
	ResourcePrincipalPrivatePemForLeaf = "OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_FOR_LEAF_RESOURCE"
	// ResourcePrincipalPrivatePemPassphraseForLeaf names the environment variable holding the leaf's key passphrase, or a path to it.
	ResourcePrincipalPrivatePemPassphraseForLeaf = "OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE_FOR_LEAF_RESOURCE"
	// ResourcePrincipalRpstForLeaf names the environment variable holding the leaf's RPST, or a path to it.
	ResourcePrincipalRpstForLeaf = "OCI_RESOURCE_PRINCIPAL_RPST_FOR_LEAF_RESOURCE"
	// ResourcePrincipalRegionForLeaf names the environment variable holding the leaf's region.
	ResourcePrincipalRegionForLeaf = "OCI_RESOURCE_PRINCIPAL_REGION_FOR_LEAF_RESOURCE"
	// ResourcePrincipalRptURLForParent names the environment variable holding the URL from which the parent's RPT is fetched.
	ResourcePrincipalRptURLForParent = "OCI_RESOURCE_PRINCIPAL_RPT_URL_FOR_PARENT_RESOURCE"
	// ResourcePrincipalRpstEndpointForParent names the environment variable holding the parent's RPST endpoint.
	ResourcePrincipalRpstEndpointForParent = "OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT_FOR_PARENT_RESOURCE"
	// ResourcePrincipalTenancyIDForLeaf names the environment variable holding the leaf resource's tenancy OCID.
	ResourcePrincipalTenancyIDForLeaf = "OCI_RESOURCE_PRINCIPAL_TENANCY_ID_FOR_LEAF_RESOURCE"
	// OpcParentRptUrlHeader is the HTTP header name that carries the parent RPT URL.
	OpcParentRptUrlHeader = "opc-parent-rpt-url"
)

// OKE Workload Identity: where the projected Kubernetes service account material
// is mounted and how the in-cluster endpoint is located.
const (
	// KubernetesServiceAccountTokenPath is the default mount path of the projected service account token.
	KubernetesServiceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
	// DefaultKubernetesServiceAccountCertPath is the default mount path of the cluster CA certificate.
	DefaultKubernetesServiceAccountCertPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
	// OciKubernetesServiceAccountCertPath names the environment variable that presumably overrides
	// DefaultKubernetesServiceAccountCertPath. NOTE(review): the file it points at is likely the trust anchor
	// for the connection to the Kubernetes API, so it must not be writable by untrusted workloads — confirm in the provider.
	OciKubernetesServiceAccountCertPath = "OCI_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH"
	// KubernetesServiceHostEnvVar names the environment variable holding the Kubernetes API host.
	KubernetesServiceHostEnvVar = "KUBERNETES_SERVICE_HOST"
	// KubernetesProxymuxServicePort is the literal port of the proxymux service. Unlike its neighbours it is a
	// value, not the name of an environment variable.
	KubernetesProxymuxServicePort = "12250"
)

// Claim keys looked up in a resource principal session token (RPST).
const (
	// TenancyOCIDClaimKey is the RPST claim holding the resource's tenancy OCID.
	TenancyOCIDClaimKey = "res_tenant"
	// CompartmentOCIDClaimKey is the RPST claim holding the resource's compartment OCID.
	CompartmentOCIDClaimKey = "res_compartment"
)
// ResourcePrincipalTokenPath names the environment variable whose contents are used
// as the request path for retrieving the Resource Principal Token (RPT).
const ResourcePrincipalTokenPath = "OCI_RESOURCE_PRINCIPAL_RPT_PATH"

// ResourceID names the environment variable holding the OCID of the resource that
// acts as the resource principal. It is a variable name, not a value; the
// PathProvider.ResourceID method is what returns the OCID itself.
const ResourceID = "OCI_RESOURCE_PRINCIPAL_RPT_ID"

Variables

// ErrNoSuchClaim is the sentinel returned by ClaimHolder.GetClaim when the token
// carries no claim under the requested key. Compare with errors.Is.
var ErrNoSuchClaim = errors.New("no such claim")
// ErrNonStringClaim is the sentinel returned when a claim exists under the
// requested key but its value is not a string. Compare with errors.Is.
var ErrNonStringClaim = errors.New("claim does not have a string value")

Functions

func GetGenericConfigurationProvider

func GetGenericConfigurationProvider(configProvider common.ConfigurationProvider) (common.ConfigurationProvider, error)

GetGenericConfigurationProvider inspects the authentication parameters in the configuration file and returns the configuration provider to use.

func InstancePrincipalConfigurationForRegionWithCustomClient

func InstancePrincipalConfigurationForRegionWithCustomClient(region common.Region, modifier func(common.HTTPRequestDispatcher) (common.HTTPRequestDispatcher, error)) (common.ConfigurationProvider, error)

InstancePrincipalConfigurationForRegionWithCustomClient returns a configuration for instance principals with a given region using a modifier function to modify the HTTPRequestDispatcher

func InstancePrincipalConfigurationProvider

func InstancePrincipalConfigurationProvider() (common.ConfigurationProvider, error)

InstancePrincipalConfigurationProvider returns a configuration for instance principals

func InstancePrincipalConfigurationProviderForRegion

func InstancePrincipalConfigurationProviderForRegion(region common.Region) (common.ConfigurationProvider, error)

InstancePrincipalConfigurationProviderForRegion returns a configuration for instance principals with a given region

func InstancePrincipalConfigurationProviderWithCustomClient

func InstancePrincipalConfigurationProviderWithCustomClient(modifier func(common.HTTPRequestDispatcher) (common.HTTPRequestDispatcher, error)) (common.ConfigurationProvider, error)

InstancePrincipalConfigurationProviderWithCustomClient returns a configuration for instance principals, applying the modifier function to the HTTPRequestDispatcher the provider uses. That dispatcher presumably carries the provider's own credential-exchange calls, so the modifier should leave TLS verification intact rather than installing a transport that skips it.

func InstancePrincipalConfigurationWithCerts

func InstancePrincipalConfigurationWithCerts(region common.Region, leafCertificate, leafPassphrase, leafPrivateKey []byte, intermediateCertificates [][]byte) (common.ConfigurationProvider, error)

InstancePrincipalConfigurationWithCerts returns a configuration for instance principals for the given region using caller-supplied certificates, passphrase and private key in lieu of those fetched from the metadata service. Because the leaf private key is passed in directly, the caller is responsible for sourcing and protecting it.

func InstancePrincipalDelegationTokenConfigurationProvider

func InstancePrincipalDelegationTokenConfigurationProvider(delegationToken *string) (common.ConfigurationProvider, error)

InstancePrincipalDelegationTokenConfigurationProvider returns a configuration for instance principals that act on behalf of another caller using the supplied delegation (OBO) token

func InstancePrincipalDelegationTokenConfigurationProviderForRegion

func InstancePrincipalDelegationTokenConfigurationProviderForRegion(delegationToken *string, region common.Region) (common.ConfigurationProvider, error)

InstancePrincipalDelegationTokenConfigurationProviderForRegion returns a configuration for instance principals that act on behalf of another caller using the supplied delegation (OBO) token, for the given region

func ResourcePrincipalConfigurationProviderWithInterceptor

func ResourcePrincipalConfigurationProviderWithInterceptor(instancePrincipalProvider common.ConfigurationProvider,
	resourcePrincipalTokenEndpoint, resourcePrincipalSessionTokenEndpoint string,
	interceptor common.RequestInterceptor) (common.ConfigurationProvider, error)

ResourcePrincipalConfigurationProviderWithInterceptor creates a resource principal configuration provider from an instance principal provider and the given RPT and RPST endpoints; the interceptor customizes the resource principal token request before it is sent to the target service, see https://godoc.org/github.com/oracle/oci-go-sdk/common#RequestInterceptor

func ResourcePrincipalV3ConfiguratorBuilder added in v65.71.0

func ResourcePrincipalV3ConfiguratorBuilder(leafResourcePrincipalKeyProvider ConfigurationProviderWithClaimAccess) *resourcePrincipalV30ConfiguratorBuilder

ResourcePrincipalV3ConfiguratorBuilder creates a new resourcePrincipalV30ConfiguratorBuilder.

Types

type ClaimHolder

type ClaimHolder interface {
	// GetClaim returns the claim stored under key. When the token carries no
	// such claim, ErrNoSuchClaim is returned. The value is untyped, so callers
	// must type-assert it. NOTE(review): this interface says nothing about
	// whether the token's signature was verified before its claims are exposed;
	// callers that base authorization on res_tenant / res_compartment should
	// confirm the underlying provider validates the token.
	GetClaim(key string) (interface{}, error)
}

ClaimHolder is implemented by any token interface that provides access to the security claims embedded in the token.

type ConfigurationProviderWithClaimAccess

type ConfigurationProviderWithClaimAccess interface {
	// Everything a signer needs (key, key ID, region, tenancy, ...) comes from
	// the embedded common.ConfigurationProvider.
	common.ConfigurationProvider
	// ClaimHolder adds read access to the claims of the underlying security token.
	ClaimHolder
}

ConfigurationProviderWithClaimAccess mixes in a method to access the claims held on the underlying security token

func OkeWorkloadIdentityConfigurationProvider added in v65.32.0

func OkeWorkloadIdentityConfigurationProvider() (ConfigurationProviderWithClaimAccess, error)

OkeWorkloadIdentityConfigurationProvider returns a resource principal configuration provider backed by OKE Workload Identity

func OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProvider added in v65.42.0

func OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProvider(saTokenProvider ServiceAccountTokenProvider) (ConfigurationProviderWithClaimAccess, error)

OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProvider returns a resource principal configuration provider backed by OKE Workload Identity, using the given service account token provider

func OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProviderK8sService added in v65.71.0

func OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProviderK8sService(k8sServiceHost *string, saTokenProvider ServiceAccountTokenProvider, remoteCAbytes []byte) (ConfigurationProviderWithClaimAccess, error)

func ResourcePrincipalConfigurationProvider

func ResourcePrincipalConfigurationProvider() (ConfigurationProviderWithClaimAccess, error)

ResourcePrincipalConfigurationProvider returns a resource principal configuration provider that looks up token information through the well-known OCI_RESOURCE_PRINCIPAL_* environment variables. Each variable may hold either a path or the material itself; however, for the keys and tokens, paths and inline values cannot be mixed. Note that key material placed inline in the environment is visible to anything that can read the process environment, so a path to a protected file is preferable.

func ResourcePrincipalConfigurationProviderForRegion added in v65.40.1

func ResourcePrincipalConfigurationProviderForRegion(region common.Region) (ConfigurationProviderWithClaimAccess, error)

ResourcePrincipalConfigurationProviderForRegion returns a resource principal configuration provider that looks up token information through the well-known OCI_RESOURCE_PRINCIPAL_* environment variables, for the given region. Each variable may hold either a path or the material itself; however, for the keys and tokens, paths and inline values cannot be mixed.

func ResourcePrincipalConfigurationProviderV3 added in v65.71.0

func ResourcePrincipalConfigurationProviderV3(leafResourcePrincipalKeyProvider ConfigurationProviderWithClaimAccess) (ConfigurationProviderWithClaimAccess, error)

ResourcePrincipalConfigurationProviderV3 creates and configures a version 3.0 resource principal using the given leaf resource principal key provider.

func ResourcePrincipalConfigurationProviderWithPathProvider

func ResourcePrincipalConfigurationProviderWithPathProvider(pathProvider PathProvider) (ConfigurationProviderWithClaimAccess, error)

ResourcePrincipalConfigurationProviderWithPathProvider returns a resource principal configuration provider using path provider.

func ResourcePrincipalDelegationTokenConfigurationProvider added in v65.48.0

func ResourcePrincipalDelegationTokenConfigurationProvider(delegationToken *string) (ConfigurationProviderWithClaimAccess, error)

ResourcePrincipalDelegationTokenConfigurationProvider returns a configuration for resource principals that act on behalf of another caller using the supplied delegation (OBO) token

func ResourcePrincipalDelegationTokenConfigurationProviderForRegion added in v65.48.0

func ResourcePrincipalDelegationTokenConfigurationProviderForRegion(delegationToken *string, region common.Region) (ConfigurationProviderWithClaimAccess, error)

ResourcePrincipalDelegationTokenConfigurationProviderForRegion returns a configuration for resource principals that act on behalf of another caller using the supplied delegation (OBO) token, for the given region

type DefaultRptPathProvider

// DefaultRptPathProvider resolves the RPT request path and the resource ID with
// a fallback chain: the OCI_RESOURCE_PRINCIPAL_RPT_PATH / OCI_RESOURCE_PRINCIPAL_RPT_ID
// environment variables when set, otherwise the built-in path and the instance
// ID obtained from IMDS (details below).
type DefaultRptPathProvider struct {
	// contains filtered or unexported fields
}

DefaultRptPathProvider is the path provider that applies the standard fallback order for the RPT path and the resource ID.

For the path, Use the contents of the OCI_RESOURCE_PRINCIPAL_RPT_PATH environment variable, if set. Otherwise, use the current path: "/20180711/resourcePrincipalToken/{id}"

For the resource id, use the contents of the OCI_RESOURCE_PRINCIPAL_RPT_ID environment variable, if set. Otherwise, query the instance metadata service (IMDS) for the instance id

This path provider is used when the caller doesn't provide a specific path provider to the resource principals signer

func (DefaultRptPathProvider) Path

func (pp DefaultRptPathProvider) Path() (*string, error)

Path returns the resource principal token path

func (DefaultRptPathProvider) ResourceID

func (pp DefaultRptPathProvider) ResourceID() (*string, error)

ResourceID returns the resource associated with the resource principal

type DefaultServiceAccountTokenProvider added in v65.42.0

// DefaultServiceAccountTokenProvider reads the Kubernetes service account token
// from a file path — presumably KubernetesServiceAccountTokenPath unless changed
// with WithSaTokenPath; confirm against the constructor.
type DefaultServiceAccountTokenProvider struct {
	// contains filtered or unexported fields
}

DefaultServiceAccountTokenProvider is the token provider used with OkeWorkloadIdentityConfigurationProvider; it reads the service account token from a file path, which can be overridden with WithSaTokenPath

func NewDefaultServiceAccountTokenProvider added in v65.42.0

func NewDefaultServiceAccountTokenProvider() DefaultServiceAccountTokenProvider

NewDefaultServiceAccountTokenProvider returns a new instance of DefaultServiceAccountTokenProvider

func (DefaultServiceAccountTokenProvider) ServiceAccountToken added in v65.42.0

func (d DefaultServiceAccountTokenProvider) ServiceAccountToken() (string, error)

ServiceAccountToken returns the service account token read from the configured token path

func (DefaultServiceAccountTokenProvider) WithSaTokenPath added in v65.42.0

WithSaTokenPath is a builder method that overrides the path from which the service account token is read

type EnvRptPathProvider

// EnvRptPathProvider takes both the RPT path and the resource ID from the
// environment (OCI_RESOURCE_PRINCIPAL_RPT_PATH and OCI_RESOURCE_PRINCIPAL_RPT_ID),
// presumably without the IMDS fallback that DefaultRptPathProvider has — confirm
// against Path/ResourceID.
type EnvRptPathProvider struct{}

EnvRptPathProvider sets the path and resource ID from environment variables

func (EnvRptPathProvider) Path

func (pp EnvRptPathProvider) Path() (*string, error)

Path returns the resource principal token path

func (EnvRptPathProvider) ResourceID

func (pp EnvRptPathProvider) ResourceID() (*string, error)

ResourceID returns the resource associated with the resource principal

type ImdsRptPathProvider

// ImdsRptPathProvider uses the built-in RPT path and obtains the resource ID
// from the instance metadata service, so it is only usable on an OCI instance
// that can reach IMDS.
type ImdsRptPathProvider struct{}

ImdsRptPathProvider sets the path from a default value and the resource ID from instance metadata

func (ImdsRptPathProvider) Path

func (pp ImdsRptPathProvider) Path() (*string, error)

Path returns the resource principal token path

func (ImdsRptPathProvider) ResourceID

func (pp ImdsRptPathProvider) ResourceID() (*string, error)

ResourceID returns the resource associated with the resource principal

type PathProvider

type PathProvider interface {
	// Path returns the request path used to retrieve the resource principal token (RPT).
	Path() (*string, error)
	// ResourceID returns the OCID of the resource the resource principal acts as.
	ResourceID() (*string, error)
}

PathProvider is an interface that returns path and resource ID

type RptPathProviderForLeafResource added in v65.71.0

// RptPathProviderForLeafResource is the PathProvider for the leaf resource in
// the version 3.0 resource principal flow. It presumably reads
// OCI_RESOURCE_PRINCIPAL_RPT_PATH_FOR_LEAF_RESOURCE and
// OCI_RESOURCE_PRINCIPAL_RESOURCE_ID_FOR_LEAF_RESOURCE — confirm against its
// constructor, which is not shown here.
type RptPathProviderForLeafResource struct {
	// contains filtered or unexported fields
}

func (RptPathProviderForLeafResource) Path added in v65.71.0

func (RptPathProviderForLeafResource) ResourceID added in v65.71.0

func (pp RptPathProviderForLeafResource) ResourceID() (*string, error)

ResourceID returns the resource associated with the resource principal

type ServiceAccountTokenProvider added in v65.42.0

type ServiceAccountTokenProvider interface {
	// ServiceAccountToken returns the Kubernetes service account token used by
	// the OKE Workload Identity configuration providers. The token is a bearer
	// credential and should not be logged.
	ServiceAccountToken() (string, error)
}

ServiceAccountTokenProvider supplies the Kubernetes service account token used by the OKE Workload Identity configuration providers

type StringRptPathProvider

// StringRptPathProvider is the simplest PathProvider: Path returns the string
// it was constructed with. How ResourceID is sourced is not visible here.
type StringRptPathProvider struct {
	// contains filtered or unexported fields
}

StringRptPathProvider is a simple path provider that takes a string and returns it

func (StringRptPathProvider) Path

func (pp StringRptPathProvider) Path() (*string, error)

Path returns the resource principal token path

func (StringRptPathProvider) ResourceID

func (pp StringRptPathProvider) ResourceID() (*string, error)

ResourceID returns the resource associated with the resource principal

type SuppliedServiceAccountTokenProvider added in v65.42.0

// SuppliedServiceAccountTokenProvider holds a service account token string
// handed in by the caller (see NewSuppliedServiceAccountTokenProvider) and
// returns it unchanged from ServiceAccountToken. The stored value is a bearer
// credential; keep it out of logs and error messages.
type SuppliedServiceAccountTokenProvider struct {
	// contains filtered or unexported fields
}

SuppliedServiceAccountTokenProvider wraps a caller-supplied service account token for use with OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProvider

func NewSuppliedServiceAccountTokenProvider added in v65.42.0

func NewSuppliedServiceAccountTokenProvider(tokenString string) SuppliedServiceAccountTokenProvider

NewSuppliedServiceAccountTokenProvider returns a new instance of SuppliedServiceAccountTokenProvider holding the given token string

func (SuppliedServiceAccountTokenProvider) ServiceAccountToken added in v65.42.0

func (d SuppliedServiceAccountTokenProvider) ServiceAccountToken() (string, error)

ServiceAccountToken returns the token string the provider was constructed with

type Token

type Token struct {
	// Token is the raw token string. NOTE(review): the field is tagged
	// mandatory:"true" yet also omitempty, so an empty token is silently
	// dropped from the JSON rather than rejected — callers should check for "".
	Token string `mandatory:"true" json:"token,omitempty"`
}

Token is the JSON body carrying a single token string

type X509FederationDetails

type X509FederationDetails struct {
	// Certificate is the leaf certificate presented for federation (presumably
	// PEM text — confirm with the caller that builds this struct).
	Certificate              string   `mandatory:"true" json:"certificate,omitempty"`
	// PublicKey is the public key to be bound to the resulting session. As with
	// Certificate, mandatory:"true" is paired with omitempty, so an empty value
	// is omitted rather than rejected at encode time.
	PublicKey                string   `mandatory:"true" json:"publicKey,omitempty"`
	// IntermediateCertificates carries the chain between the leaf and the
	// trusted root; optional per the mandatory:"false" tag. This body holds
	// public material only — there is no private-key field.
	IntermediateCertificates []string `mandatory:"false" json:"intermediateCertificates,omitempty"`
}

X509FederationDetails is the JSON body sent when federating with X.509 material: the leaf certificate, its public key, and any intermediate certificates. It carries public material only.
