utils

package
v1.0.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 28, 2023 License: Apache-2.0 Imports: 28 Imported by: 0

Documentation

Overview

**************************************************************

*
* Copyright (C) 2023, Pelican Project, Morgridge Institute for Research
*
* Licensed under the Apache License, Version 2.0 (the "License"); you
* may not use this file except in compliance with the License.  You may
* obtain a copy of the License at
*
*    http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
**************************************************************

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CheckAnyAuth

func CheckAnyAuth(ctx *gin.Context, authOption AuthOption) bool

Check token authentication with token obtained from authOption.Sources, found the first token available and proceed to check against a list of authOption.Issuers with authOption.Scopes, return true and set "User" context to the issuer if any of the issuer check succeed

Scope check will pass if your token has ANY of the scopes in authOption.Scopes

func LoadDirectorPublicKey

func LoadDirectorPublicKey() (jwk.Key, error)

Return director's public JWK for token verification. This function can be called on any server (director/origin/registry) as long as the Federation_DirectorUrl is set

The director's metadata discovery endpoint and JWKS endpoint are cached

func MakeRequest

func MakeRequest(url string, method string, data map[string]interface{}, headers map[string]string) ([]byte, error)

func PeriodicWriteCABundle

func PeriodicWriteCABundle(filename string, sleepTime time.Duration) (count int, err error)

Periodically write out the system CAs, updating them if the system updates. Returns an error if the first attempt at writing fails. Otherwise, it will launch a goroutine and update the entire CA bundle every specified duration.

If we're on a platform (Mac, Windows) that does not provide a CA bundle, we return a count of 0 and do not launch the go routine.

func WriteCABundle

func WriteCABundle(filename string) (int, error)

Write out all the trusted CAs as a CA bundle on disk. This is useful for components that do not use go's trusted CA store

Types

type AuthCheckImpl

type AuthCheckImpl struct{}

func (AuthCheckImpl) DirectorCheck

func (a AuthCheckImpl) DirectorCheck(c *gin.Context, strToken string, expectedScopes []string, allScopes bool) error

Check if a JWT string was issued by the director and has the correct scope

func (AuthCheckImpl) FederationCheck

func (a AuthCheckImpl) FederationCheck(c *gin.Context, strToken string, expectedScopes []string, allScopes bool) error

Checks that the given token was signed by the federation jwk and also checks that the token has the expected scope

func (AuthCheckImpl) IssuerCheck

func (a AuthCheckImpl) IssuerCheck(c *gin.Context, strToken string, expectedScopes []string, allScopes bool) error

Checks that the given token was signed by the issuer jwk (the one from the server itself) and also checks that the token has the expected scope

Note that this means the issuer jwk MUST be the one server created. It can't be provided by the user if they want to use a different issuer than the server. This can be changed in the future.

type AuthChecker

type AuthChecker interface {
	FederationCheck(ctx *gin.Context, token string, expectedScopes []string, allScopes bool) error
	DirectorCheck(ctx *gin.Context, token string, expectedScopes []string, allScopes bool) error
	IssuerCheck(ctx *gin.Context, token string, expectedScopes []string, allScopes bool) error
}

type AuthOption

type AuthOption struct {
	Sources   []TokenSource
	Issuers   []TokenIssuer
	Scopes    []string
	AllScopes bool
}

type CredentialGeneration

type CredentialGeneration struct {
	BasePath      string `json:"base_path"`
	Issuer        string `json:"issuer"`
	MaxScopeDepth int    `json:"max_scope_depth"`
	Strategy      string `json:"strategy"`
	VaultIssuer   string `json:"vault_issuer"`
	VaultServer   string `json:"vault_server"`
}

type DiscoveryResponse

type DiscoveryResponse struct {
	Issuer  string `json:"issuer"`
	JwksUri string `json:"jwks_uri"`
}

type Namespace

type Namespace struct {
	Caches               []Server             `json:"caches"`
	Origins              []Server             `json:"origins"`
	CredentialGeneration CredentialGeneration `json:"credential_generation"`
	DirlistHost          string               `json:"dirlisthost"`
	Path                 string               `json:"path"`
	ReadHTTPS            bool                 `json:"readhttps"`
	UseTokenOnRead       bool                 `json:"usetokenonread"`
	WritebackHost        string               `json:"writebackhost"`
}

type Server

type Server struct {
	AuthEndpoint string `json:"auth_endpoint"`
	Endpoint     string `json:"endpoint"`
	Resource     string `json:"resource"`
}

type TestFileTransfer

type TestFileTransfer interface {
	UploadTestfile(baseUrl string, testType TestType) (string, error)
	DownloadTestfile(downloadUrl string) error
	DeleteTestfile(fileUrl string) error
	RunTests(baseUrl string, testType TestType) (bool, error)
	// contains filtered or unexported methods
}

type TestFileTransferImpl

type TestFileTransferImpl struct {
	// contains filtered or unexported fields
}

func (TestFileTransferImpl) RunTests

func (t TestFileTransferImpl) RunTests(baseUrl, issuerUrl string, testType TestType) (bool, error)

Run a file transfer test suite with upload/download/delete a test file from the server and a xrootd service. It expects `baseUrl` to be the url to the xrootd endpoint, `issuerUrl` be the url to issue scitoken for file transfer, and the test file content/name be based on `testType`

Note that for this test to work, you need to have the `issuerUrl` registered in your xrootd as a list of trusted token issuers and the issuer is expected to follow WLCG rules for issuer metadata discovery and public key access

Read more: https://github.com/WLCG-AuthZ-WG/common-jwt-profile/blob/master/profile.md#token-verification

type TestType

type TestType string
const (
	OriginSelfFileTest TestType = "self-test"
	DirectorFileTest   TestType = "director-test"
)

func (TestType) String

func (t TestType) String() string

type TokenIssuer

type TokenIssuer int
const (
	Federation TokenIssuer = iota
	Director
	Issuer
)

type TokenSource

type TokenSource int
const (
	Header TokenSource = iota // "Authorization" header
	Cookie                    // "login" cookie
	Authz                     // "authz" query parameter
)

type TopologyNamespacesJSON

type TopologyNamespacesJSON struct {
	Caches     []Server    `json:"caches"`
	Namespaces []Namespace `json:"namespaces"`
}

func GetTopologyJSON

func GetTopologyJSON() (*TopologyNamespacesJSON, error)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL