Index ¶
- Variables
- func AuthorizedSubjectID(c *gin.Context, subject string) *uuid.UUID
- func ParseBearerAuthorizationHeader(c *gin.Context, keyfunc *func(_jwtToken *jwt.Token) (interface{}, error)) (*jwt.Token, error)
- func RequireGin()
- func RequireJWT() map[string]*JWTKeypair
- func RequireJWTVerifiers() map[string]*JWTKeypair
- func RequireVault()
- func ResolveCapabilitiesManifest() (map[string]interface{}, error)
- func ResolveJWTKeypair(fingerprint *string) (*rsa.PublicKey, *rsa.PrivateKey, *vault.Key, *string)
- func SealVault() error
- func TrackAPICalls() gin.HandlerFunc
- func UnsealVault() error
- type JWTKeypair
- type JWTKeypairSSHSigner
- type SigningMethodEdDSA
Constants ¶
This section is empty.
Variables ¶
var (
	// ListenAddr is the address the http server listens on
	ListenAddr string
	// ListenPort is the port the http server listens on
	ListenPort string
	// CertificatePath is the path to the SSL certificate used by the HTTPS listener
	CertificatePath string
	// PrivateKeyPath is the path to the private key used by the HTTPS listener
	PrivateKeyPath string
	// ServeTLS is true when CertificatePath and PrivateKeyPath are valid.
	// NOTE(review): presumably the listener serves plaintext HTTP when this is false — confirm
	// against the server startup code before exposing the listener beyond localhost.
	ServeTLS bool
)
gin configuration vars
var (
	// JWTApplicationClaimsKey is the key within the JWT payload under which application-specific claims are encoded
	JWTApplicationClaimsKey string
	// JWTAuthorizationAudience is the audience that will consume the JWT; it is set as the JWT "aud" claim
	JWTAuthorizationAudience string
	// JWTAlternativeAuthorizationAudiences are additional valid audiences that will consume signed JWTs,
	// keyed on a scope; these are also allowed to be set as the JWT "aud" claim
	JWTAlternativeAuthorizationAudiences map[string]interface{}
	// JWTAuthorizationIssuer is the common name of the operator of the token vending machine; it is set as the JWT "iss" claim
	JWTAuthorizationIssuer string
	// JWTAuthorizationTTL is the ttl for new token authorizations, calculated from the issued-at timestamp ("iat" claim).
	// NOTE(review): the field is a time.Duration although the original comment described it as "milliseconds";
	// presumably the configured value is parsed as milliseconds and converted — confirm before relying on either unit.
	JWTAuthorizationTTL time.Duration
	// JWTNatsClaimsKey is the key within the JWT claims payload under which NATS-specific claims are encoded
	JWTNatsClaimsKey string
	// JWTNatsAuthorizationAudience is the audience that will consume the NATS bearer authorization JWT; it is set as the JWT "aud" claim
	JWTNatsAuthorizationAudience string
	// Vault is the vault instance
	Vault *vault.Vault
)
var (
	// DefaultVaultAccessJWT is the access JWT for the default vault context.
	// It is a credential for the vault and should be treated as a secret (e.g. kept out of logs).
	DefaultVaultAccessJWT string
)
Functions ¶
func AuthorizedSubjectID ¶
AuthorizedSubjectID returns the requested JWT subject if it matches
func ParseBearerAuthorizationHeader ¶
func ParseBearerAuthorizationHeader(c *gin.Context, keyfunc *func(_jwtToken *jwt.Token) (interface{}, error)) (*jwt.Token, error)
ParseBearerAuthorizationHeader parses a bearer Authorization header, expecting to find a valid JWT; it returns the parsed token if one is present
func RequireJWT ¶
func RequireJWT() map[string]*JWTKeypair
RequireJWT allows a package to conditionally require a valid JWT configuration in the ident environment; at least one RS256 keypair must be configured using the JWT_SIGNER_PRIVATE_KEY and JWT_SIGNER_PUBLIC_KEY environment variables
func RequireJWTVerifiers ¶
func RequireJWTVerifiers() map[string]*JWTKeypair
RequireJWTVerifiers allows a package to conditionally require RS256 signature verification in the configured environment via JWT_SIGNER_PUBLIC_KEY; the use-case for this support is when another microservice is depending on the token authorization middleware provided in this package
func RequireVault ¶
func RequireVault()
RequireVault panics if the VAULT_REFRESH_TOKEN is not given or an access token is otherwise unable to be obtained; attempts to unseal the vault if possible
func ResolveCapabilitiesManifest ¶
ResolveCapabilitiesManifest attempts to resolve the capabilities manifest from S3
func ResolveJWTKeypair ¶
ResolveJWTKeypair returns the configured public/private signing keypair and its fingerprint, if one has been configured; this implementation will be upgraded soon to allow many keys to be configured
func TrackAPICalls ¶
func TrackAPICalls() gin.HandlerFunc
TrackAPICalls returns gin middleware for tracking API calls
Types ¶
type JWTKeypair ¶
// JWTKeypair enables private key or vault-based JWT signing and verification.
type JWTKeypair struct {
	// Fingerprint identifies this keypair
	Fingerprint string
	// PublicKey is the RSA public key used for signature verification
	PublicKey rsa.PublicKey
	// PublicKeyPEM is the PEM encoding of PublicKey
	PublicKeyPEM *string
	// PrivateKey is the RSA private key used for signing
	// NOTE(review): presumably nil when signing is delegated to VaultKey — confirm
	PrivateKey *rsa.PrivateKey
	// SSHPublicKey is the SSH representation of the public key
	SSHPublicKey *ssh.PublicKey
	// VaultKey is the vault-managed key used for signing when no local private key is held
	// NOTE(review): inferred from the type doc ("private key or vault-based") — confirm
	VaultKey *vault.Key
}
JWTKeypair enables private key or vault-based JWT signing and verification
func (*JWTKeypair) SSHSigner ¶
func (j *JWTKeypair) SSHSigner() ssh.Signer
SSHSigner returns an ssh.Signer for the keypair.
type JWTKeypairSSHSigner ¶
type JWTKeypairSSHSigner struct {
// contains filtered or unexported fields
}
func (*JWTKeypairSSHSigner) PublicKey ¶
func (j *JWTKeypairSSHSigner) PublicKey() ssh.PublicKey
PublicKey returns an associated PublicKey instance.
type SigningMethodEdDSA ¶
type SigningMethodEdDSA struct{}
SigningMethodEdDSA enables Ed25519 as a JWT signing method.