Documentation
Index
- func CanAccessOPA(principal knox.Principal, authenticator *authz_utils.Authenticator, ...) bool
- func GetURINamesFromExtensions(extensions *[]pkix.Extension) (uris []string, err error)
- func IsService(p knox.Principal) bool
- func IsUser(p knox.Principal) bool
- func NewKubernetesClient() *k8s
- func NewMachine(id string) knox.Principal
- func NewService(domain string, path string) knox.Principal
- func NewUser(id string, groups []string) knox.Principal
- type JWTProvider
- type MTLSAuthProvider
- type Provider
- type SpiffeFallbackProvider
- type SpiffeProvider
Constants
This section is empty.
Variables
This section is empty.
Functions
func CanAccessOPA
func CanAccessOPA(principal knox.Principal, authenticator *authz_utils.Authenticator, path, action, partition, service string) bool
func GetURINamesFromExtensions
func GetURINamesFromExtensions(extensions *[]pkix.Extension) (uris []string, err error)
GetURINamesFromExtensions retrieves the URIs from the SAN extension in a slice of extensions.
func IsService
func IsService(p knox.Principal) bool
IsService returns true if the principal, or the first principal in the case of mux, is a service.
func IsUser
func IsUser(p knox.Principal) bool
IsUser returns true if the principal, or the first principal in the case of mux, is a user.
func NewKubernetesClient
func NewKubernetesClient() *k8s
func NewMachine
func NewMachine(id string) knox.Principal
NewMachine creates a machine principal with the given auth Provider.
func NewService
func NewService(domain string, path string) knox.Principal
NewService creates a service principal with the given auth Provider.
Types
type JWTProvider
JWTProvider implements user authentication through signed JWT tokens.
func MockJWTProvider
func MockJWTProvider() *JWTProvider
MockJWTProvider returns a mocked-out authentication provider backed by a simple mock "server". If an Authorization header with a user token is present and the token does not equal 'notvalid', it logs in as 'testuser'.
func NewJWTProvider
func NewJWTProvider(RSAPubKey string) (*JWTProvider, error)
NewJWTProvider initializes a JWTProvider.
func (*JWTProvider) Authenticate
func (p *JWTProvider) Authenticate(r *http.Request) (knox.Principal, error)
Authenticate uses the token to get user data from github.com.
func (*JWTProvider) Name
func (p *JWTProvider) Name() string
Name is the name of the provider, used for logging.
func (*JWTProvider) Type
func (p *JWTProvider) Type() byte
Type is set to u for JWTProvider, since it authenticates users.
func (*JWTProvider) Version
func (p *JWTProvider) Version() byte
Version is set to 0 for GitHubProvider.
type MTLSAuthProvider
MTLSAuthProvider performs authentication by verifying TLS client certificates against a collection of root CAs.
func NewMTLSAuthProvider
func NewMTLSAuthProvider(CAs *x509.CertPool) *MTLSAuthProvider
NewMTLSAuthProvider initializes a chain of trust with the given CA certificates.
func (*MTLSAuthProvider) Authenticate
func (p *MTLSAuthProvider) Authenticate(r *http.Request) (knox.Principal, error)
Authenticate performs TLS-based authentication for the MTLSAuthProvider.
func (*MTLSAuthProvider) Name
func (p *MTLSAuthProvider) Name() string
Name is the name of the provider, used for logging.
func (*MTLSAuthProvider) Type
func (p *MTLSAuthProvider) Type() byte
Type is set to t for MTLSAuthProvider.
func (*MTLSAuthProvider) Version
func (p *MTLSAuthProvider) Version() byte
Version is set to 0 for MTLSAuthProvider.
type Provider
type Provider interface {
	Name() string
	Authenticate(r *http.Request) (knox.Principal, error)
	Version() byte
	Type() byte
}
Provider is used for authenticating requests via the authentication decorator.
type SpiffeFallbackProvider
type SpiffeFallbackProvider struct {
	SpiffeProvider
}
SpiffeFallbackProvider is a SpiffeProvider that uses the same Type byte as the MTLSAuthProvider. Its use case is to let a client that specifies MTLSAuth also be given Spiffe-based access transparently. For predictable results, register the MTLSAuthProvider before the SpiffeFallbackProvider, so that the MTLSAuthProvider is always the one used whenever it succeeds. This is only possible with the SpiffeProvider because this Provider makes no use of the token from the Authorization header.
func NewSpiffeAuthFallbackProvider
func NewSpiffeAuthFallbackProvider(CAs *x509.CertPool) *SpiffeFallbackProvider
NewSpiffeAuthFallbackProvider initializes a chain of trust with the given CA certificates; it is identical to the SpiffeProvider except that Type() is defined as the MTLSAuthProvider's Type().
func (*SpiffeFallbackProvider) Name
func (p *SpiffeFallbackProvider) Name() string
Name is the name of the provider, used for logging.
func (*SpiffeFallbackProvider) Type
func (s *SpiffeFallbackProvider) Type() byte
Type is set to be identical to the Type of the MTLSAuthProvider.
type SpiffeProvider
SpiffeProvider performs authentication by verifying TLS client certificates against a collection of root CAs.
func NewSpiffeAuthProvider
func NewSpiffeAuthProvider(isDevServer bool, spiffeCAPath string) *SpiffeProvider
NewSpiffeAuthProvider initializes a chain of trust with the given CA certificates; it is identical to the MTLS provider except that the principal is a Spiffe ID instead of a hostname and the CN of the certificate is ignored.
func (*SpiffeProvider) Authenticate
func (p *SpiffeProvider) Authenticate(r *http.Request) (knox.Principal, error)
Authenticate performs TLS-based authentication and extracts the Spiffe URI extension.
func (*SpiffeProvider) Name
func (p *SpiffeProvider) Name() string
Name is the name of the provider, used for logging.
func (*SpiffeProvider) ReloadCerts
func (p *SpiffeProvider) ReloadCerts() error
func (*SpiffeProvider) Type
func (p *SpiffeProvider) Type() byte
Type is set to s for SpiffeProvider.
func (*SpiffeProvider) Version
func (p *SpiffeProvider) Version() byte
Version is set to 0 for SpiffeProvider.