Documentation
Overview
Package core contains logic that is shared among different compilation units.
This is primarily used to prevent cyclical compilation (forbidden in Go) between compilation units.
Forgive the horizontal slicing; it's not great and is an anti-pattern in Go, but it's also very quick and does the job.
Index
- func WrapError(standardErr AuthenticationProviderError, nestedErr error) error
- type Application
- type AuthenticationProvider
- type AuthenticationProviderError
- type Credentials
- type Crypto
- type CryptoProvider
- type KMSProvider
- type KMSProviderConfig
- type PassThroughProvider
- type Role
- type SAMLResponse
- type User
Constants
This section is empty.
Variables
This section is empty.
Functions
func WrapError
func WrapError(standardErr AuthenticationProviderError, nestedErr error) error
WrapError wraps an error into a standard authentication provider error.
Types
type Application
type Application struct {
	// LegacyID is used to enable legacy support for the old key-conjurer clients.
	// This is not used past KeyConjurer version 2
	LegacyID uint   `json:"id"`
	ID       string `json:"@id"`
	Name     string `json:"name"`
}
An Application is some SAML-enabled service that a user is entitled to.
type AuthenticationProvider
type AuthenticationProvider interface {
	// Authenticate should validate that the provided credentials are correct for a user.
	Authenticate(ctx context.Context, credentials Credentials) (User, AuthenticationProviderError)
	// ListApplications should list all the applications the given user is entitled to access.
	ListApplications(ctx context.Context, user User) ([]Application, AuthenticationProviderError)
	// GenerateSAMLAssertion should generate a SAML assertion that the user may exchange with the target application in order to gain access to it.
	GenerateSAMLAssertion(ctx context.Context, credentials Credentials, appID string) (*SAMLResponse, AuthenticationProviderError)
}
An AuthenticationProvider is a component which verifies user credentials, lists the applications a user is entitled to and the roles the user may assume within each of them, and generates SAML assertions for federation.
type AuthenticationProviderError
type AuthenticationProviderError error
AuthenticationProviderError is an error returned by an authentication provider.
var (
	ErrBadRequest                    AuthenticationProviderError = errors.New("bad request")
	ErrApplicationNotFound           AuthenticationProviderError = errors.New("application not found")
	ErrAuthenticationFailed          AuthenticationProviderError = errors.New("unauthorized")
	ErrAccessDenied                  AuthenticationProviderError = errors.New("access denied")
	ErrFactorVerificationFailed      AuthenticationProviderError = errors.New("factor verification failed")
	ErrCouldNotSendMfaPush           AuthenticationProviderError = errors.New("could not send MFA push")
	ErrSubmitChallengeResponseFailed AuthenticationProviderError = errors.New("submit challenge response failed")
	ErrCouldNotCreateSession         AuthenticationProviderError = errors.New("could not create a session")
	ErrSAMLError                     AuthenticationProviderError = errors.New("failed to process SAML")
	ErrInternalError                 AuthenticationProviderError = errors.New("internal error")
	ErrUnspecified                   AuthenticationProviderError = errors.New("unspecified")
)
A list of standard errors that can be returned by an authentication provider.
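The page documents WrapError's signature and the standard error set but not how the wrapping works. The following is an added example, not the package's own code, of one way to implement it so that errors.Is still matches the standard error while the provider-specific cause stays reachable for server-side logging. The wrappedError type, StatusFor and ClientMessage are assumptions introduced here to show how an HTTP handler can classify a provider error without echoing backend detail to the client; only a subset of the standard errors is declared.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// AuthenticationProviderError mirrors the type on the page; the values below
// are a subset of the standard errors it lists.
type AuthenticationProviderError error

var (
	ErrBadRequest               AuthenticationProviderError = errors.New("bad request")
	ErrApplicationNotFound      AuthenticationProviderError = errors.New("application not found")
	ErrAuthenticationFailed     AuthenticationProviderError = errors.New("unauthorized")
	ErrAccessDenied             AuthenticationProviderError = errors.New("access denied")
	ErrFactorVerificationFailed AuthenticationProviderError = errors.New("factor verification failed")
	ErrInternalError            AuthenticationProviderError = errors.New("internal error")
)

// wrappedError is an assumed implementation detail: errors.Is matches the
// standard error through Is, and the nested cause stays reachable through
// Unwrap, so a handler can classify by the former and log the latter.
type wrappedError struct {
	standard AuthenticationProviderError
	nested   error
}

func (e *wrappedError) Error() string        { return e.standard.Error() + ": " + e.nested.Error() }
func (e *wrappedError) Is(target error) bool { return target == e.standard }
func (e *wrappedError) Unwrap() error        { return e.nested }

// WrapError wraps an error into a standard authentication provider error.
func WrapError(standardErr AuthenticationProviderError, nestedErr error) error {
	if nestedErr == nil {
		return standardErr
	}
	return &wrappedError{standard: standardErr, nested: nestedErr}
}

// StatusFor maps an error to the HTTP status a handler should send. Anything
// not on the standard list collapses to 500 rather than leaking a new code.
func StatusFor(err error) int {
	switch {
	case errors.Is(err, ErrBadRequest):
		return http.StatusBadRequest
	case errors.Is(err, ErrApplicationNotFound):
		return http.StatusNotFound
	case errors.Is(err, ErrAuthenticationFailed), errors.Is(err, ErrFactorVerificationFailed):
		return http.StatusUnauthorized
	case errors.Is(err, ErrAccessDenied):
		return http.StatusForbidden
	default:
		return http.StatusInternalServerError
	}
}

// ClientMessage returns only the standard error's text. The nested
// provider-specific detail is kept for the server log and never reaches
// the client.
func ClientMessage(err error) string {
	standard := []AuthenticationProviderError{
		ErrBadRequest, ErrApplicationNotFound, ErrAuthenticationFailed,
		ErrAccessDenied, ErrFactorVerificationFailed,
	}
	for _, std := range standard {
		if errors.Is(err, std) {
			return std.Error()
		}
	}
	return ErrInternalError.Error()
}

func main() {
	// Constructed example: the IdP client timed out waiting for an MFA push.
	backend := errors.New("idp client: push factor timed out after 60s")
	err := WrapError(ErrFactorVerificationFailed, backend)
	fmt.Printf("server log: %v\n", err)
	fmt.Printf("client sees: %d %s\n", StatusFor(err), ClientMessage(err))
}
```

Because the standard error is the outermost match, callers never need to compare strings, and adding a new nested cause from a provider does not change what the client observes.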
type Credentials
Credentials is a struct which contains the username and password for a user.
func (Credentials) Encrypted
func (c Credentials) Encrypted() bool
Encrypted indicates whether or not the credentials are encrypted.
type Crypto
type Crypto struct {
// contains filtered or unexported fields
}
Crypto encrypts credentials using a given provider when handling them from a client connection.
func NewCrypto
func NewCrypto(provider CryptoProvider) Crypto
NewCrypto creates a new Crypto with the given provider.
func (*Crypto) Decrypt
func (c *Crypto) Decrypt(ctx context.Context, credentials *Credentials) error
Decrypt decrypts the credentials stored within the given credentials object and updates it in place.
If the credentials object is not encrypted, this is a no-op.
type CryptoProvider
type CryptoProvider interface {
	Encrypt(ctx context.Context, input []byte) ([]byte, error)
	Decrypt(ctx context.Context, input []byte) ([]byte, error)
}
A CryptoProvider gives the user the ability to encrypt and decrypt bytes using secrets that are not known to the caller.
type KMSProvider
type KMSProvider struct {
// contains filtered or unexported fields
}
func NewKMSProvider
func NewKMSProvider(opts *KMSProviderConfig) KMSProvider
type KMSProviderConfig
type PassThroughProvider
type PassThroughProvider struct{}
PassThroughProvider is a CryptoProvider that performs no operations on its input.
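The page does not show a CryptoProvider implementation or the fields of Credentials. The following added example, not code from the package, wires the documented Crypto, CryptoProvider and PassThroughProvider types to a hypothetical AES-GCM provider (AESGCMProvider, standing in for the KMS-backed one) and an assumed Credentials shape with an unexported encrypted flag and a Password field that holds base64 ciphertext once encrypted; Crypto.Encrypt is also assumed, since the page documents only Decrypt. It shows the documented no-op behaviour of Decrypt on unencrypted input and that an authenticated provider rejects a ciphertext modified in transit, which the pass-through provider cannot do.

```go
package main

import (
	"context"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
)

// CryptoProvider is the interface from the page.
type CryptoProvider interface {
	Encrypt(ctx context.Context, input []byte) ([]byte, error)
	Decrypt(ctx context.Context, input []byte) ([]byte, error)
}

// Credentials is an assumed shape (the page hides the real fields): Password
// holds plaintext, or base64 ciphertext once encrypted.
type Credentials struct {
	Username  string
	Password  string
	encrypted bool
}

// Encrypted indicates whether or not the credentials are encrypted.
func (c Credentials) Encrypted() bool { return c.encrypted }

// PassThroughProvider performs no operations on its input: no confidentiality
// and no integrity, so it is only suitable for local testing.
type PassThroughProvider struct{}

func (PassThroughProvider) Encrypt(_ context.Context, in []byte) ([]byte, error) { return in, nil }
func (PassThroughProvider) Decrypt(_ context.Context, in []byte) ([]byte, error) { return in, nil }

// AESGCMProvider is a hypothetical local stand-in for the KMS provider:
// AES-GCM with a fresh random nonce prepended to each ciphertext.
type AESGCMProvider struct{ aead cipher.AEAD }

func NewAESGCMProvider(key []byte) (*AESGCMProvider, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &AESGCMProvider{aead: aead}, nil
}

func (p *AESGCMProvider) Encrypt(_ context.Context, in []byte) ([]byte, error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return p.aead.Seal(nonce, nonce, in, nil), nil // nonce || ciphertext || tag
}

func (p *AESGCMProvider) Decrypt(_ context.Context, in []byte) ([]byte, error) {
	ns := p.aead.NonceSize()
	if len(in) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return p.aead.Open(nil, in[:ns], in[ns:], nil) // fails on any modification
}

// Crypto applies a provider to the password field in place.
type Crypto struct{ provider CryptoProvider }

func NewCrypto(provider CryptoProvider) Crypto { return Crypto{provider: provider} }

// Encrypt is assumed (the page documents only Decrypt); encrypted input is left alone.
func (c *Crypto) Encrypt(ctx context.Context, creds *Credentials) error {
	if creds.Encrypted() {
		return nil
	}
	ct, err := c.provider.Encrypt(ctx, []byte(creds.Password))
	if err != nil {
		return err
	}
	creds.Password = base64.StdEncoding.EncodeToString(ct)
	creds.encrypted = true
	return nil
}

// Decrypt updates the credentials in place; if they are not encrypted it is a no-op.
func (c *Crypto) Decrypt(ctx context.Context, creds *Credentials) error {
	if !creds.Encrypted() {
		return nil
	}
	ct, err := base64.StdEncoding.DecodeString(creds.Password)
	if err != nil {
		return err
	}
	pt, err := c.provider.Decrypt(ctx, ct) // tampered or wrong-key input fails here
	if err != nil {
		return err
	}
	creds.Password = string(pt)
	creds.encrypted = false
	return nil
}
```

With the pass-through provider the "encrypted" password is merely base64 of the plaintext and any modification is accepted silently; with the AEAD provider a single flipped bit makes Decrypt return an error, which is the behaviour a server handling client-supplied credentials should rely on.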
type Role
A Role is something a user can 'assume' when accessing an application.
This stems from AWS terminology with their AssumeRolePolicy; it's possible this concept does not translate well with alternative cloud providers.
type SAMLResponse
type SAMLResponse struct {
	saml.Response
	// contains filtered or unexported fields
}
SAMLResponse contains a raw SAML Response from an IdP. This is used to provide access to the original, signed SAML response from the IdP, because parsing it into XML and then attempting to encode it again loses this information.
func ParseEncodedResponse
func ParseEncodedResponse(b64EncodedXML string) (*SAMLResponse, error)
ParseEncodedResponse parses the base64-encoded SAML assertion provided and returns a SAMLResponse object.
func (*SAMLResponse) GetBase64Encoded
func (s *SAMLResponse) GetBase64Encoded() *string
GetBase64Encoded returns the base64 encoded SAML response from the IdP.
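To make the point about retaining the original bytes concrete, here is an added example that is not the package's code: a minimal responseXML view stands in for the embedded saml.Response, the rawB64 field, ReencodeMatchesOriginal and SampleEncodedResponse are assumptions, and the sample document is constructed with a placeholder signature value. Re-serialising the parsed tree drops namespace prefixes, whitespace and attributes the struct does not model, so a verifier handed the re-encoded bytes would be checking a document the IdP never signed.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

// responseXML is a minimal parsed view of a SAML Response, standing in for the
// saml.Response embedded by the real type; only the fields read here are declared.
type responseXML struct {
	XMLName   xml.Name `xml:"Response"`
	ID        string   `xml:"ID,attr"`
	Issuer    string   `xml:"Issuer"`
	Signature struct {
		SignatureValue string `xml:"SignatureValue"`
	} `xml:"Signature"`
}

// SAMLResponse keeps the parsed view alongside the exact base64 string received
// from the IdP, which is what a signature verifier must be given.
type SAMLResponse struct {
	Response responseXML
	rawB64   string // assumed field: the untouched input
}

// ParseEncodedResponse decodes and parses the base64-encoded XML but retains
// the original string rather than anything derived from the parsed tree.
func ParseEncodedResponse(b64EncodedXML string) (*SAMLResponse, error) {
	raw, err := base64.StdEncoding.DecodeString(b64EncodedXML)
	if err != nil {
		return nil, err
	}
	var parsed responseXML
	if err := xml.Unmarshal(raw, &parsed); err != nil {
		return nil, err
	}
	return &SAMLResponse{Response: parsed, rawB64: b64EncodedXML}, nil
}

// GetBase64Encoded returns the base64-encoded response exactly as received.
func (s *SAMLResponse) GetBase64Encoded() *string {
	out := s.rawB64
	return &out
}

// ReencodeMatchesOriginal re-serialises the parsed tree and reports whether the
// bytes equal what the IdP sent. For any realistic document it is false.
func ReencodeMatchesOriginal(s *SAMLResponse) (bool, error) {
	original, err := base64.StdEncoding.DecodeString(s.rawB64)
	if err != nil {
		return false, err
	}
	reencoded, err := xml.Marshal(s.Response)
	if err != nil {
		return false, err
	}
	return bytes.Equal(original, reencoded), nil
}

// SampleEncodedResponse is a constructed document used only to exercise the
// parser; the signature value is a placeholder, not a real signature.
func SampleEncodedResponse() string {
	doc := `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-id" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>PLACEHOLDER==</ds:SignatureValue></ds:Signature>
</samlp:Response>`
	return base64.StdEncoding.EncodeToString([]byte(doc))
}

func main() {
	resp, err := ParseEncodedResponse(SampleEncodedResponse())
	if err != nil {
		panic(err)
	}
	same, _ := ReencodeMatchesOriginal(resp)
	fmt.Println("issuer:", resp.Response.Issuer, "re-encoded bytes identical:", same)
}
```

Use the parsed view to read attributes, but pass whatever consumes the assertion the string from GetBase64Encoded; because the two representations can diverge, signature verification has to run over the raw bytes, never over a re-serialised tree.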