Documentation ¶
Overview ¶
**************************************************************
* * Copyright (C) 2023, Pelican Project, Morgridge Institute for Research * * Licensed under the Apache License, Version 2.0 (the "License"); you * may not use this file except in compliance with the License. You may * obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * **************************************************************
Index ¶
- func CheckAnyAuth(ctx *gin.Context, authOption AuthOption) bool
- func LoadDirectorPublicKey() (jwk.Key, error)
- func MakeRequest(url string, method string, data map[string]interface{}, ...) ([]byte, error)
- func PeriodicWriteCABundle(filename string, sleepTime time.Duration) (count int, err error)
- func WriteCABundle(filename string) (int, error)
- type AuthCheckImpl
- func (a AuthCheckImpl) DirectorCheck(c *gin.Context, strToken string, expectedScopes []string, allScopes bool) error
- func (a AuthCheckImpl) FederationCheck(c *gin.Context, strToken string, expectedScopes []string, allScopes bool) error
- func (a AuthCheckImpl) IssuerCheck(c *gin.Context, strToken string, expectedScopes []string, allScopes bool) error
- type AuthChecker
- type AuthOption
- type CredentialGeneration
- type DiscoveryResponse
- type Namespace
- type Server
- type TestFileTransfer
- type TestFileTransferImpl
- type TestType
- type TokenIssuer
- type TokenSource
- type TopologyNamespacesJSON
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CheckAnyAuth ¶
func CheckAnyAuth(ctx *gin.Context, authOption AuthOption) bool
Check token authentication with token obtained from authOption.Sources, found the first token available and proceed to check against a list of authOption.Issuers with authOption.Scopes, return true and set "User" context to the issuer if any of the issuer check succeed
Scope check will pass if your token has ANY of the scopes in authOption.Scopes
func LoadDirectorPublicKey ¶
Return director's public JWK for token verification. This function can be called on any server (director/origin/registry) as long as the Federation_DirectorUrl is set
The director's metadata discovery endpoint and JWKS endpoint are cached
func MakeRequest ¶
func PeriodicWriteCABundle ¶
Periodically write out the system CAs, updating them if the system updates. Returns an error if the first attempt at writing fails. Otherwise, it will launch a goroutine and update the entire CA bundle every specified duration.
If we're on a platform (Mac, Windows) that does not provide a CA bundle, we return a count of 0 and do not launch the go routine.
func WriteCABundle ¶
Write out all the trusted CAs as a CA bundle on disk. This is useful for components that do not use go's trusted CA store
Types ¶
type AuthCheckImpl ¶
type AuthCheckImpl struct{}
func (AuthCheckImpl) DirectorCheck ¶
func (a AuthCheckImpl) DirectorCheck(c *gin.Context, strToken string, expectedScopes []string, allScopes bool) error
Check if a JWT string was issued by the director and has the correct scope
func (AuthCheckImpl) FederationCheck ¶
func (a AuthCheckImpl) FederationCheck(c *gin.Context, strToken string, expectedScopes []string, allScopes bool) error
Checks that the given token was signed by the federation jwk and also checks that the token has the expected scope
func (AuthCheckImpl) IssuerCheck ¶
func (a AuthCheckImpl) IssuerCheck(c *gin.Context, strToken string, expectedScopes []string, allScopes bool) error
Checks that the given token was signed by the issuer jwk (the one from the server itself) and also checks that the token has the expected scope
Note that this means the issuer jwk MUST be the one server created. It can't be provided by the user if they want to use a different issuer than the server. This can be changed in the future.
type AuthChecker ¶
type AuthChecker interface { FederationCheck(ctx *gin.Context, token string, expectedScopes []string, allScopes bool) error DirectorCheck(ctx *gin.Context, token string, expectedScopes []string, allScopes bool) error IssuerCheck(ctx *gin.Context, token string, expectedScopes []string, allScopes bool) error }
type AuthOption ¶
type AuthOption struct { Sources []TokenSource Issuers []TokenIssuer Scopes []string AllScopes bool }
type CredentialGeneration ¶
type DiscoveryResponse ¶
type Namespace ¶
type Namespace struct { Caches []Server `json:"caches"` Origins []Server `json:"origins"` CredentialGeneration CredentialGeneration `json:"credential_generation"` DirlistHost string `json:"dirlisthost"` Path string `json:"path"` ReadHTTPS bool `json:"readhttps"` UseTokenOnRead bool `json:"usetokenonread"` WritebackHost string `json:"writebackhost"` }
type TestFileTransfer ¶
type TestFileTransferImpl ¶
type TestFileTransferImpl struct {
// contains filtered or unexported fields
}
func (TestFileTransferImpl) RunTests ¶
func (t TestFileTransferImpl) RunTests(baseUrl, issuerUrl string, testType TestType) (bool, error)
Run a file transfer test suite with upload/download/delete a test file from the server and a xrootd service. It expects `baseUrl` to be the url to the xrootd endpoint, `issuerUrl` be the url to issue scitoken for file transfer, and the test file content/name be based on `testType`
Note that for this test to work, you need to have the `issuerUrl` registered in your xrootd as a list of trusted token issuers and the issuer is expected to follow WLCG rules for issuer metadata discovery and public key access
Read more: https://github.com/WLCG-AuthZ-WG/common-jwt-profile/blob/master/profile.md#token-verification
type TokenSource ¶
type TokenSource int
const ( Header TokenSource = iota // "Authorization" header Cookie // "login" cookie Authz // "authz" query parameter )
type TopologyNamespacesJSON ¶
type TopologyNamespacesJSON struct { Caches []Server `json:"caches"` Namespaces []Namespace `json:"namespaces"` }
func GetTopologyJSON ¶
func GetTopologyJSON() (*TopologyNamespacesJSON, error)