authenticate

package
Published: Aug 21, 2022 License: Apache-2.0 Imports: 26 Imported by: 0


Constants

// Issuer and audience identifiers carried in Relay tokens.
const (
	// ControllerIssuer is the issuer identifier for tokens minted by the Relay
	// controller (inferred from the name). Presumably compared against the JWT
	// "iss" claim by resolvers built with KeyResolverWithExpectation — confirm.
	ControllerIssuer = "controller.k8s.relay.sh"

	// MetadataAPIAudienceV1 is the audience value for tokens intended for the
	// v1 metadata API. Presumably compared against the JWT "aud" claim —
	// confirm; a verifier that does not pin the audience will accept tokens
	// minted for other services.
	MetadataAPIAudienceV1 = "k8s.relay.sh/metadata-api/v1"
)
// Pod annotation keys. KubernetesIntermediary looks up a pod by IP and reads an
// annotation value as the credential; presumably KubernetesTokenAnnotation is
// that annotation — confirm.
//
// NOTE(review): pod annotations are visible to any principal with get/list on
// pods in the namespace. If the annotation holds a directly usable token rather
// than a ciphertext (see VaultTransitIntermediary), that widens exposure —
// confirm which form is stored.
const (
	// KubernetesTokenAnnotation names the pod annotation holding the token.
	KubernetesTokenAnnotation   = "relay.sh/token"
	// KubernetesSubjectAnnotation names the pod annotation holding the
	// subject; how it is consumed is not visible on this page — confirm.
	KubernetesSubjectAnnotation = "relay.sh/subject"
)
// PodValidationTimeout bounds pod validation at two minutes (120 seconds).
// Which operation it governs is not visible on this page — presumably the pod
// lookup performed by KubernetesIntermediary — confirm.
const PodValidationTimeout = 2 * time.Minute

Variables

// ErrMalformed reports a token that could not be parsed. It is a sentinel;
// callers should test for it with errors.Is rather than ==, since resolvers may
// wrap it. Which resolvers return it is not visible on this page — confirm.
var ErrMalformed = errors.New("authenticate: malformed token")

Functions

func VaultTransitNamespaceContext

func VaultTransitNamespaceContext(namespace string) string

Types

type AnyResolver

// AnyResolver is a Resolver (see Resolve below) that tries each delegate given
// to NewAnyResolver in order. Its description refers to an ErrNotFound
// sentinel, but the only not-found value listed on this page is the
// NotFoundError type — confirm which value a delegate must return to be
// skipped, since a mismatch would turn "try the next resolver" into a hard
// failure.
type AnyResolver struct {
	// contains filtered or unexported fields
}

AnyResolver picks the first resolver that resolves claims successfully. If a resolver returns an error other than ErrNotFound, it is immediately propagated.

func NewAnyResolver

func NewAnyResolver(delegates []Resolver) *AnyResolver

func (*AnyResolver) Resolve

func (ar *AnyResolver) Resolve(ctx context.Context, state *Authentication, raw Raw) (*Claims, error)

type Authentication

// Authentication is the mutable per-request authentication state. Validators
// and injectors are appended with AddValidator and AddInjector;
// NewInitializedAuthentication seeds it from caller-owned slices (it takes
// pointers to slices, so presumably the caller's backing arrays are shared
// rather than copied — confirm before reusing them across requests).
type Authentication struct {
	// contains filtered or unexported fields
}

Authentication is the current authentication state. Intermediaries and resolvers can add new validators and injectors to the state.

func NewAuthentication

func NewAuthentication() *Authentication

func NewInitializedAuthentication

func NewInitializedAuthentication(validators *[]Validator, injectors *[]Injector) *Authentication

func (*Authentication) AddInjector

func (a *Authentication) AddInjector(i Injector)

func (*Authentication) AddValidator

func (a *Authentication) AddValidator(v Validator)

type Authenticator

// Authenticator drives the flow Intermediary -> Resolver -> Validators ->
// Injectors, per the description below and NewAuthenticator's parameters.
// Authenticate returns (bool, error), the same shape as Validator.Validate;
// presumably false-without-error means "rejected" — confirm, and check both
// values rather than the bool alone.
type Authenticator struct {
	// contains filtered or unexported fields
}

Authenticator provides client authentication using a token. It resolves and validates claims, finally injecting contextual information as needed.

func NewAuthenticator

func NewAuthenticator(intermediary Intermediary, resolver Resolver, opts ...AuthenticatorOption) *Authenticator

func (*Authenticator) Authenticate

func (a *Authenticator) Authenticate(ctx context.Context) (bool, error)

type AuthenticatorOption

// AuthenticatorOption configures an Authenticator at construction time.
// NewAuthenticator accepts any number of them; AuthenticatorWithInjector and
// AuthenticatorWithValidator are the constructors listed on this page.
type AuthenticatorOption func(a *Authenticator)

func AuthenticatorWithInjector

func AuthenticatorWithInjector(i Injector) AuthenticatorOption

func AuthenticatorWithValidator

func AuthenticatorWithValidator(v Validator) AuthenticatorOption

type ChainIntermediary

// ChainIntermediary is an Intermediary built by NewChainIntermediary: it runs
// the initial Intermediary and then each ChainIntermediaryFunc, handing the Raw
// from the previous step to the next (inferred from the ChainIntermediaryFunc
// signature — confirm).
type ChainIntermediary struct {
	// contains filtered or unexported fields
}

func NewChainIntermediary

func NewChainIntermediary(initial Intermediary, fns ...ChainIntermediaryFunc) *ChainIntermediary

func (*ChainIntermediary) Next

func (ci *ChainIntermediary) Next(ctx context.Context, state *Authentication) (Raw, error)

type ChainIntermediaryFunc

// ChainIntermediaryFunc builds the next Intermediary from the Raw produced by
// the previous one. NewChainIntermediary consumes them and
// ChainVaultTransitIntermediary returns one.
type ChainIntermediaryFunc func(ctx context.Context, prev Raw) (Intermediary, error)

func ChainVaultTransitIntermediary

func ChainVaultTransitIntermediary(client *vaultapi.Client, path, key string, opts ...VaultTransitIntermediaryOption) ChainIntermediaryFunc

type ChainWrapper

// ChainWrapper is a Wrapper that applies the delegates given to
// NewChainWrapper; presumably in order, each receiving the previous output —
// confirm.
type ChainWrapper struct {
	// contains filtered or unexported fields
}

func NewChainWrapper

func NewChainWrapper(delegates ...Wrapper) *ChainWrapper

func (*ChainWrapper) Wrap

func (cw *ChainWrapper) Wrap(ctx context.Context, raw Raw) (Raw, error)

type Claims

// Claims is the set of assertions carried by a Relay token. The embedded
// jwt.Claims hold the registered JWT claims; the remaining fields are Relay-
// and Kubernetes-specific private claims, each serialized under a namespaced
// JSON key and omitted when empty.
//
// NOTE(review): several fields carry credential material
// (KubernetesServiceAccountToken, RelayEventAPIToken,
// RelayWorkflowExecutionAPIToken). Treat a Claims value as sensitive: do not
// log or persist it wholesale, and keep the token that carries it confidential
// in transit (see the Vault transit Wrapper and Intermediary types on this
// page).
type Claims struct {
	*jwt.Claims `json:",inline"`

	// Kubernetes namespace identity and a service account token; how they are
	// populated is not visible on this page — confirm against the issuer.
	KubernetesNamespaceName       string `json:"k8s.io/namespace-name,omitempty"`
	KubernetesNamespaceUID        string `json:"k8s.io/namespace-uid,omitempty"`
	KubernetesServiceAccountToken string `json:"k8s.io/service-account-token,omitempty"`

	// RelayDomainID represents a holder of tenants with high-level
	// configuration like connections. In our SaaS service, domains correspond
	// to accounts.
	RelayDomainID string `json:"relay.sh/domain-id,omitempty"`

	// RelayTenantID represents the root of configuration for secrets, etc. In
	// our SaaS service, tenants correspond to workflows.
	RelayTenantID string `json:"relay.sh/tenant-id,omitempty"`

	// Identity of the run this token was issued for (inferred from the names).
	RelayName  string `json:"relay.sh/name,omitempty"`
	RelayRunID string `json:"relay.sh/run-id,omitempty"`

	// Names of the Kubernetes ConfigMaps the holder may read (immutable) and
	// read/write (mutable) — inferred from the names, confirm.
	RelayKubernetesImmutableConfigMapName string `json:"relay.sh/k8s/immutable-config-map-name,omitempty"`
	RelayKubernetesMutableConfigMapName   string `json:"relay.sh/k8s/mutable-config-map-name,omitempty"`

	// Vault paths scoping the holder's secrets and connections. Presumably
	// consumed by VaultResolver and its injectors — confirm.
	RelayVaultEnginePath     string `json:"relay.sh/vault/engine-path,omitempty"`
	RelayVaultSecretPath     string `json:"relay.sh/vault/secret-path,omitempty"`
	RelayVaultConnectionPath string `json:"relay.sh/vault/connection-path,omitempty"`

	// Endpoint and bearer credential for the event API; the token is a secret.
	RelayEventAPIURL   *types.URL `json:"relay.sh/event/api/url,omitempty"`
	RelayEventAPIToken string     `json:"relay.sh/event/api/token,omitempty"`

	// Endpoint and bearer credential for the workflow execution API; the token
	// is a secret.
	RelayWorkflowExecutionAPIURL   *types.URL `json:"relay.sh/workflow-execution/api/url,omitempty"`
	RelayWorkflowExecutionAPIToken string     `json:"relay.sh/workflow-execution/api/token,omitempty"`
}

func (*Claims) Action

func (c *Claims) Action() model.Action

type HTTPAuthorizationHeaderIntermediary

// HTTPAuthorizationHeaderIntermediary is an Intermediary that obtains the Raw
// token from the *http.Request given to its constructor — presumably from the
// Authorization header, per the name; confirm the expected scheme.
// NOTE(review): the header value is untrusted client input; downstream
// resolvers must treat the Raw bytes accordingly (ErrMalformed on parse
// failure rather than a panic).
type HTTPAuthorizationHeaderIntermediary struct {
	// contains filtered or unexported fields
}

func NewHTTPAuthorizationHeaderIntermediary

func NewHTTPAuthorizationHeaderIntermediary(r *http.Request) *HTTPAuthorizationHeaderIntermediary

func (*HTTPAuthorizationHeaderIntermediary) Next

type Injector

// Injector is registered via AuthenticatorWithInjector or
// Authentication.AddInjector and runs after validation (see the description
// below). InjectorFunc adapts a plain function to this interface.
type Injector interface {
	Inject(ctx context.Context, claims *Claims) error
}

An Injector runs after validation is complete to provide additional context to consuming applications.

type InjectorFunc

// InjectorFunc adapts a function to the Injector interface; its Inject method
// is listed below.
type InjectorFunc func(ctx context.Context, claims *Claims) error

func (InjectorFunc) Inject

func (ij InjectorFunc) Inject(ctx context.Context, claims *Claims) error

type Intermediary

// Intermediary implementations listed on this page: ChainIntermediary,
// HTTPAuthorizationHeaderIntermediary, KubernetesIntermediary,
// VaultTransitIntermediary and Raw itself (an already-obtained token).
// IntermediaryFunc adapts a plain function. Next may also mutate state by
// adding validators or injectors (see Authentication).
type Intermediary interface {
	Next(ctx context.Context, state *Authentication) (Raw, error)
}

An Intermediary looks up a token from a source environment.

type IntermediaryFunc

// IntermediaryFunc adapts a function to the Intermediary interface; its Next
// method is listed below.
type IntermediaryFunc func(ctx context.Context, state *Authentication) (Raw, error)

func (IntermediaryFunc) Next

func (ifn IntermediaryFunc) Next(ctx context.Context, state *Authentication) (Raw, error)

type Issuer

// Issuer produces a Raw token from Claims — the inverse of Resolver.
// Implementations on this page: KeySignerIssuer and WrappedIssuer; IssuerFunc
// adapts a plain function.
type Issuer interface {
	Issue(ctx context.Context, claims *Claims) (Raw, error)
}

type IssuerFunc

// IssuerFunc adapts a function to the Issuer interface; its Issue method is
// listed below.
type IssuerFunc func(ctx context.Context, claims *Claims) (Raw, error)

func (IssuerFunc) Issue

func (isf IssuerFunc) Issue(ctx context.Context, claims *Claims) (Raw, error)

type KeyResolver

// KeyResolver is a Resolver that verifies a token against the key passed to
// NewKeyResolver. NOTE(review): the only option listed is
// KeyResolverWithExpectation; which claims (issuer, audience, expiry) are
// checked when no expectation is supplied is not visible here — confirm, and
// prefer always supplying an expectation that pins issuer and audience.
type KeyResolver struct {
	// contains filtered or unexported fields
}

func NewKeyResolver

func NewKeyResolver(key interface{}, opts ...KeyResolverOption) *KeyResolver

func (*KeyResolver) Resolve

func (kr *KeyResolver) Resolve(ctx context.Context, state *Authentication, raw Raw) (*Claims, error)

type KeyResolverOption

// KeyResolverOption configures a KeyResolver; NewKeyResolver accepts any number
// of them. KeyResolverWithExpectation is the constructor listed on this page.
type KeyResolverOption func(kr *KeyResolver)

func KeyResolverWithExpectation

func KeyResolverWithExpectation(e jwt.Expected) KeyResolverOption

type KeySignerIssuer

// KeySignerIssuer is an Issuer that signs Claims with a jose.Signer.
// NewHS256KeySignerIssuer builds one from a symmetric key. NOTE(review): with
// HS256 the same key both signs and verifies, so every verifier holding the key
// can also mint tokens — confirm that issuers and verifiers share the intended
// trust boundary.
type KeySignerIssuer struct {
	// contains filtered or unexported fields
}

func NewHS256KeySignerIssuer

func NewHS256KeySignerIssuer(key []byte) (*KeySignerIssuer, error)

func NewKeySignerIssuer

func NewKeySignerIssuer(signer jose.Signer) *KeySignerIssuer

func (*KeySignerIssuer) Issue

func (ksi *KeySignerIssuer) Issue(ctx context.Context, claims *Claims) (Raw, error)

type KubernetesChainIntermediaryFunc

// KubernetesChainIntermediaryFunc is the Kubernetes-aware counterpart of
// ChainIntermediaryFunc: it additionally receives metadata about the pod the
// token was read from. Presumably consumed by KubernetesIntermediary.Chain,
// whose signature is not shown here — confirm.
type KubernetesChainIntermediaryFunc func(ctx context.Context, raw Raw, md *KubernetesIntermediaryMetadata) (Intermediary, error)

type KubernetesInterface

// KubernetesInterface bundles a Kubernetes clientset with a Tekton clientset.
// NewKubernetesInterfaceForConfig builds one from a *rest.Config, and
// NewKubernetesIntermediary takes it for pod lookups.
type KubernetesInterface struct {
	kubernetes.Interface
	TektonInterface
}

func NewKubernetesInterfaceForConfig

func NewKubernetesInterfaceForConfig(cfg *rest.Config) (*KubernetesInterface, error)

type KubernetesIntermediary

// KubernetesIntermediary identifies the caller by the pod IP given to
// NewKubernetesIntermediary (see the description below). NOTE(review): the
// source IP is the only identity input here, so pod IP reuse after deletion or
// pods sharing the host network would be attributed to the wrong pod — confirm
// what the annotation check and PodValidationTimeout mitigate.
type KubernetesIntermediary struct {
	// contains filtered or unexported fields
}

KubernetesIntermediary looks up a pod by IP and reads the value of an annotation as the authentication credential.

func NewKubernetesIntermediary

func NewKubernetesIntermediary(client *KubernetesInterface, ip net.IP) *KubernetesIntermediary

func (*KubernetesIntermediary) Chain

func (*KubernetesIntermediary) Next

func (ki *KubernetesIntermediary) Next(ctx context.Context, state *Authentication) (Raw, error)

type KubernetesIntermediaryMetadata

// KubernetesIntermediaryMetadata describes the pod a token was read from; it is
// passed to each KubernetesChainIntermediaryFunc.
type KubernetesIntermediaryMetadata struct {
	// NamespaceUID is the UID of the pod's namespace (inferred from the name).
	NamespaceUID types.UID
	// Image is presumably the pod's container image — confirm which container
	// when a pod has several.
	Image        string
}

type NotFoundError

// NotFoundError reports that a token could not be located or resolved. Reason
// is a human-readable description and Causes collects the underlying errors.
// AnyResolver's description speaks of an ErrNotFound sentinel — confirm whether
// it matches on this type (errors.As) instead.
type NotFoundError struct {
	Reason string
	Causes []error
}

func (*NotFoundError) Error

func (e *NotFoundError) Error() string

type Raw

// Raw also satisfies Intermediary through its Next method (listed below), so an
// already-obtained token can start a chain. It carries credential material;
// avoid logging it.
type Raw []byte

Raw is unprocessed token information, such as a compact JWT.

func (Raw) Next

func (r Raw) Next(ctx context.Context, state *Authentication) (Raw, error)

type Resolver

// Resolver implementations on this page: AnyResolver, KeyResolver and
// VaultResolver; ResolverFunc adapts a plain function. Resolve receives the
// Authentication state and may add validators or injectors to it.
type Resolver interface {
	Resolve(ctx context.Context, state *Authentication, raw Raw) (*Claims, error)
}

A Resolver finds the claims associated with a token.

type ResolverFunc

// ResolverFunc adapts a function to the Resolver interface; its Resolve method
// is listed below.
type ResolverFunc func(ctx context.Context, state *Authentication, raw Raw) (*Claims, error)

func (ResolverFunc) Resolve

func (rf ResolverFunc) Resolve(ctx context.Context, state *Authentication, raw Raw) (*Claims, error)

type TektonInterface

// TektonInterface is an alias for the Tekton clientset interface, embedded in
// KubernetesInterface.
type TektonInterface = tekton.Interface

type Validator

// Validator is registered via AuthenticatorWithValidator or
// Authentication.AddValidator; ValidatorFunc adapts a plain function. Validate
// returns (bool, error); presumably false-without-error is a rejection and a
// non-nil error aborts the flow — confirm, and treat either as a denial.
type Validator interface {
	Validate(ctx context.Context, claims *Claims) (bool, error)
}

A Validator provides additional assertions that a resolver's claims are valid.

type ValidatorFunc

// ValidatorFunc adapts a function to the Validator interface; its Validate
// method is listed below.
type ValidatorFunc func(ctx context.Context, claims *Claims) (bool, error)

func (ValidatorFunc) Validate

func (vf ValidatorFunc) Validate(ctx context.Context, claims *Claims) (bool, error)

type VaultResolver

// VaultResolver is a Resolver backed by a Vault server, configured by
// NewVaultResolver (from a *vaultapi.Config) or NewStubConfigVaultResolver
// (from an address). Options set a role and register VaultResolverInjectors,
// which receive the Vault client through VaultResolverMetadata.
type VaultResolver struct {
	// contains filtered or unexported fields
}

func NewStubConfigVaultResolver

func NewStubConfigVaultResolver(addr, path string, opts ...VaultResolverOption) *VaultResolver

func NewVaultResolver

func NewVaultResolver(cfg *vaultapi.Config, path string, opts ...VaultResolverOption) *VaultResolver

func (*VaultResolver) Resolve

func (vr *VaultResolver) Resolve(ctx context.Context, state *Authentication, raw Raw) (*Claims, error)

type VaultResolverInjector

// VaultResolverInjector is like Injector but also receives
// VaultResolverMetadata, which carries the Vault client. Register one with
// VaultResolverWithInjector; VaultResolverInjectorFunc adapts a plain function.
type VaultResolverInjector interface {
	Inject(ctx context.Context, claims *Claims, md *VaultResolverMetadata) error
}

type VaultResolverInjectorFunc

// VaultResolverInjectorFunc adapts a function to the VaultResolverInjector
// interface; its Inject method is listed below.
type VaultResolverInjectorFunc func(ctx context.Context, claims *Claims, md *VaultResolverMetadata) error

func (VaultResolverInjectorFunc) Inject

type VaultResolverMetadata

// VaultResolverMetadata is handed to VaultResolverInjectors.
type VaultResolverMetadata struct {
	// VaultClient is the client the VaultResolver used; presumably already
	// authenticated, so injectors should scope what they read with it —
	// confirm.
	VaultClient *vaultapi.Client
}

type VaultResolverOption

// VaultResolverOption configures a VaultResolver; both constructors accept any
// number of them. VaultResolverWithInjector and VaultResolverWithRole are the
// constructors listed on this page.
type VaultResolverOption func(vr *VaultResolver)

func VaultResolverWithInjector

func VaultResolverWithInjector(injector VaultResolverInjector) VaultResolverOption

func VaultResolverWithRole

func VaultResolverWithRole(role string) VaultResolverOption

type VaultTransitIntermediary

// VaultTransitIntermediary is an Intermediary whose Raw output is obtained from
// the ciphertext given to NewVaultTransitIntermediary, presumably by decrypting
// it with the transit engine at path/key (inferred from the names and the
// companion VaultTransitWrapper — confirm). The optional context presumably
// maps to transit's derived-key context; see VaultTransitNamespaceContext.
type VaultTransitIntermediary struct {
	// contains filtered or unexported fields
}

func NewVaultTransitIntermediary

func NewVaultTransitIntermediary(client *vaultapi.Client, path, key, ciphertext string, opts ...VaultTransitIntermediaryOption) *VaultTransitIntermediary

func (*VaultTransitIntermediary) Next

func (vti *VaultTransitIntermediary) Next(ctx context.Context, state *Authentication) (Raw, error)

type VaultTransitIntermediaryOption

// VaultTransitIntermediaryOption configures a VaultTransitIntermediary;
// NewVaultTransitIntermediary and ChainVaultTransitIntermediary accept them.
// VaultTransitIntermediaryWithContext is the constructor listed on this page.
type VaultTransitIntermediaryOption func(vti *VaultTransitIntermediary)

func VaultTransitIntermediaryWithContext

func VaultTransitIntermediaryWithContext(context string) VaultTransitIntermediaryOption

type VaultTransitWrapper

// VaultTransitWrapper is a Wrapper that presumably encrypts the Raw token with
// the transit engine at path/key — the inverse of VaultTransitIntermediary —
// confirm.
type VaultTransitWrapper struct {
	// contains filtered or unexported fields
}

func NewVaultTransitWrapper

func NewVaultTransitWrapper(client *vaultapi.Client, path, key string, opts ...VaultTransitWrapperOption) *VaultTransitWrapper

func (*VaultTransitWrapper) Wrap

func (vtw *VaultTransitWrapper) Wrap(ctx context.Context, raw Raw) (Raw, error)

type VaultTransitWrapperOption

// VaultTransitWrapperOption configures a VaultTransitWrapper;
// NewVaultTransitWrapper accepts any number of them.
// VaultTransitWrapperWithContext is the constructor listed on this page.
type VaultTransitWrapperOption func(vtw *VaultTransitWrapper)

func VaultTransitWrapperWithContext

func VaultTransitWrapperWithContext(context string) VaultTransitWrapperOption

type WrappedIssuer

// WrappedIssuer is an Issuer that passes the Raw produced by the delegate
// Issuer through the given Wrapper (for example a VaultTransitWrapper) before
// returning it.
type WrappedIssuer struct {
	// contains filtered or unexported fields
}

func NewWrappedIssuer

func NewWrappedIssuer(delegate Issuer, wrapper Wrapper) *WrappedIssuer

func (*WrappedIssuer) Issue

func (wi *WrappedIssuer) Issue(ctx context.Context, claims *Claims) (Raw, error)

type Wrapper

// Wrapper transforms one Raw token into another. Implementations on this page:
// ChainWrapper and VaultTransitWrapper; WrapperFunc adapts a plain function,
// and WrappedIssuer applies a Wrapper to an Issuer's output.
type Wrapper interface {
	Wrap(ctx context.Context, raw Raw) (Raw, error)
}

type WrapperFunc

// WrapperFunc adapts a function to the Wrapper interface; its Wrap method is
// listed below.
type WrapperFunc func(ctx context.Context, raw Raw) (Raw, error)

func (WrapperFunc) Wrap

func (wf WrapperFunc) Wrap(ctx context.Context, raw Raw) (Raw, error)
