tokens

package
v0.8.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 1, 2023 License: BSD-3-Clause Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source
const DefaultRefreshAudience = "https://auth.rotational.app/v1/refresh"

Variables

View Source
var (
	ErrCacheMiss    = errors.New("requested key is not in the cache")
	ErrCacheExpired = errors.New("requested key is expired")
)

Functions

func ExpiresAt added in v0.5.2

func ExpiresAt(tks string) (_ time.Time, err error)

func NotBefore added in v0.5.2

func NotBefore(tks string) (_ time.Time, err error)

func ParseUnverified added in v0.5.2

func ParseUnverified(tks string) (claims *jwt.RegisteredClaims, err error)

Types

type Cache added in v0.8.0

type Cache struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

Cache is an in-memory cache that stores issued token claims by ULID.

func NewCache added in v0.8.0

func NewCache(size uint32) (c *Cache)

Create a new token cache with a maximum number of items.

func (*Cache) Add added in v0.8.0

func (c *Cache) Add(userID, projectID ulid.ULID, tks string) (err error)

Add a token to the cache by user ID and project ID.

func (*Cache) Clear added in v0.8.0

func (c *Cache) Clear()

Clear the entire cache.

func (*Cache) Get added in v0.8.0

func (c *Cache) Get(userID, projectID ulid.ULID) (tks string, err error)

Get the token from the user ID and project ID or return an error if it does not exist.

func (*Cache) Remove added in v0.8.0

func (c *Cache) Remove(userID, projectID ulid.ULID)

Remove a token from the cache by user ID and project ID.

func (*Cache) Size added in v0.8.0

func (c *Cache) Size() int

Return the current size of the cache for profiling or testing purposes.

type CachedJWKSValidator added in v0.2.0

type CachedJWKSValidator struct {
	JWKSValidator
	// contains filtered or unexported fields
}

func NewCachedJWKSValidator added in v0.2.0

func NewCachedJWKSValidator(ctx context.Context, cache *jwk.Cache, endpoint, audience, issuer string) (validator *CachedJWKSValidator, err error)

func (*CachedJWKSValidator) Parse added in v0.2.0

func (v *CachedJWKSValidator) Parse(tks string) (claims *Claims, err error)

Parse an access or refresh token verifying its signature but without verifying its claims. This ensures that valid JWT tokens are still accepted but claims can be handled on a case-by-case basis; for example by validating an expired access token during reauthentication.

func (*CachedJWKSValidator) Refresh added in v0.2.0

func (v *CachedJWKSValidator) Refresh(ctx context.Context) (err error)

func (*CachedJWKSValidator) Verify added in v0.2.0

func (v *CachedJWKSValidator) Verify(tks string) (claims *Claims, err error)

Verify an access or a refresh token after parsing and return its claims.

type Claims

type Claims struct {
	jwt.RegisteredClaims
	Name        string   `json:"name,omitempty"`
	Email       string   `json:"email,omitempty"`
	Picture     string   `json:"picture,omitempty"`
	OrgID       string   `json:"org,omitempty"`
	ProjectID   string   `json:"project,omitempty"`
	Permissions []string `json:"permissions,omitempty"`
}

Claims implements custom claims for the Quarterdeck application.

func ParseUnverifiedTokenClaims added in v0.5.2

func ParseUnverifiedTokenClaims(tks string) (claims *Claims, err error)

Parse token claims from an access token.

func (Claims) HasAllPermissions added in v0.2.0

func (c Claims) HasAllPermissions(requiredPermissions ...string) bool

HasAllPermissions checks if all specified permissions are in the claims.

func (Claims) HasAnyPermission added in v0.5.1

func (c Claims) HasAnyPermission(permissions ...string) bool

HasAnyPermission checks if at least one of the specified permissions ar ein the claims.

func (Claims) HasPermission added in v0.2.0

func (c Claims) HasPermission(requiredPermission string) bool

HasPermission checks if the claims contain the specified permission.

func (Claims) ParseOrgID added in v0.3.0

func (c Claims) ParseOrgID() ulid.ULID

ParseOrgID returns the ULID of the organization ID in the claims. If the OrgID is not valid then an empty ULID is returned without an error to reduce error checking in handlers. If the caller needs to know if the ULID is invalid they should parse it themselves; otherwise the Null ULID will prevent most accesses from succeeding.

func (Claims) ParseProjectID added in v0.5.1

func (c Claims) ParseProjectID() ulid.ULID

ParseProjectID returns the ULID of the project from the claims. If the project ID is not valid then an empty ULID is returned without an error to reduce error checking in handlers. If the caller needs to know if the ULID is invalid they should parse it directly or perform an IsZero check on the result.

func (Claims) ParseUserID added in v0.3.0

func (c Claims) ParseUserID() ulid.ULID

ParseUserID returns the ULID of the user from the Subject of the claims. If the UserID is not valid then an empty ULID is returned without an error to reduce error checking in the handlers. If the caller needs to know if the ULID is invalid, they should parse it themselves or perform an IsZero check on the result.

func (Claims) ValidateProject added in v0.5.0

func (c Claims) ValidateProject(projectID ulid.ULID) bool

Checks to see if the claims match the input projectID.

type JWKSValidator added in v0.2.0

type JWKSValidator struct {
	// contains filtered or unexported fields
}

JWKSValidator provides public verification that JWT tokens have been issued by the Quarterdeck authentication service by checking that the tokens have been signed using public keys from a JSON Web Key Set (JWKS). The validator then returns Quarterdeck specific claims if the token is in fact valid.

func NewJWKSValidator added in v0.2.0

func NewJWKSValidator(keys jwk.Set, audience, issuer string) *JWKSValidator

func (*JWKSValidator) Parse added in v0.2.0

func (v *JWKSValidator) Parse(tks string) (claims *Claims, err error)

Parse an access or refresh token verifying its signature but without verifying its claims. This ensures that valid JWT tokens are still accepted but claims can be handled on a case-by-case basis; for example by validating an expired access token during reauthentication.

func (*JWKSValidator) Verify added in v0.2.0

func (v *JWKSValidator) Verify(tks string) (claims *Claims, err error)

Verify an access or a refresh token after parsing and return its claims.

type MockValidator added in v0.2.0

type MockValidator struct {
	OnVerify func(string) (*Claims, error)
	OnParse  func(string) (*Claims, error)
	Calls    map[string]int
}

func (*MockValidator) Parse added in v0.2.0

func (m *MockValidator) Parse(tks string) (*Claims, error)

func (*MockValidator) Verify added in v0.2.0

func (m *MockValidator) Verify(tks string) (*Claims, error)

type SessionToken added in v0.8.0

type SessionToken struct {
	// contains filtered or unexported fields
}

SessionToken is a string token issued to users that has a limited lifetime. The cache is responsible for checking whether tokens are expired and removing expired tokens to maintain the cache size.

func (*SessionToken) Key added in v0.8.0

func (t *SessionToken) Key() string

The key is used to lookup the token in the cache by user ID and project ID.

type TokenManager

type TokenManager struct {
	// contains filtered or unexported fields
}

TokenManager handles the creation and verification of RSA signed JWT tokens. To facilitate signing key rollover, TokenManager can accept multiple keys identified by a ulid. JWT tokens generated by token managers include a kid in the header that allows the token manager to verify the key with the specified signature. To sign keys the token manager will always use the latest private key by ulid.

When the TokenManager creates tokens it will use JWT standard claims as well as extended claims based on Quarterdeck usage. The standard claims included are exp, nbf aud, and sub. On token verification, the exp, nbf, iss and aud claims are validated. TODO: Create automatic key rotation mechanism rather than loading keys.

func New

func New(conf config.TokenConfig) (tm *TokenManager, err error)

New creates a TokenManager with the specified keys which should be a mapping of ULID strings to paths to files that contain PEM encoded RSA private keys. This input is specifically designed for the config environment variable so that keys can be loaded from k8s or vault secrets that are mounted as files on disk.

func NewWithKey added in v0.2.0

func NewWithKey(key *rsa.PrivateKey, conf config.TokenConfig) (tm *TokenManager, err error)

func (*TokenManager) CreateAccessToken

func (tm *TokenManager) CreateAccessToken(claims *Claims) (_ *jwt.Token, err error)

CreateAccessToken from the credential payload or from an previous token if the access token is being reauthorized from previous credentials. Note that the returned token only contains the claims and is unsigned.

func (*TokenManager) CreateRefreshToken

func (tm *TokenManager) CreateRefreshToken(accessToken *jwt.Token) (refreshToken *jwt.Token, err error)

CreateRefreshToken from the Access token claims with predefined expiration. Note that the returned token only contains the claims and is unsigned.

func (*TokenManager) CreateToken added in v0.5.0

func (tm *TokenManager) CreateToken(claims *Claims) *jwt.Token

CreateToken from the claims payload without modifying the claims unless the claims are missing required fields that need to be updated.

func (*TokenManager) CreateTokenPair added in v0.2.0

func (tm *TokenManager) CreateTokenPair(claims *Claims) (accessToken, refreshToken string, err error)

CreateTokenPair returns signed access and refresh tokens for the specified claims in one step (since normally users want both an access and a refresh token)!

func (*TokenManager) CurrentKey

func (tm *TokenManager) CurrentKey() ulid.ULID

CurrentKey returns the ulid of the current key being used to sign tokens.

func (*TokenManager) Keys

func (tm *TokenManager) Keys() (keys jwk.Set, err error)

Keys returns the JSON Web Key Set with public keys for use externally.

func (*TokenManager) Parse

func (v *TokenManager) Parse(tks string) (claims *Claims, err error)

Parse an access or refresh token verifying its signature but without verifying its claims. This ensures that valid JWT tokens are still accepted but claims can be handled on a case-by-case basis; for example by validating an expired access token during reauthentication.

func (*TokenManager) RefreshAudience added in v0.5.0

func (tm *TokenManager) RefreshAudience() string

func (*TokenManager) Sign

func (tm *TokenManager) Sign(token *jwt.Token) (tks string, err error)

Sign an access or refresh token and return the token string.

func (*TokenManager) Verify

func (v *TokenManager) Verify(tks string) (claims *Claims, err error)

Verify an access or a refresh token after parsing and return its claims.

type Validator added in v0.2.0

type Validator interface {
	// Verify an access or a refresh token after parsing and return its claims.
	Verify(tks string) (claims *Claims, err error)

	// Parse an access or refresh token without verifying claims (e.g. to check an expired token).
	Parse(tks string) (claims *Claims, err error)
}

Validators are able to verify that access and refresh tokens were issued by Quarterdeck and that their claims are valid (e.g. not expired).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL