token

package v0.23.5-rc.3
Published: Mar 16, 2023 License: Apache-2.0 Imports: 15 Imported by: 9

Documentation
Constants

const (
	// DefaultIssuer is the issuer used when generating tokens.
	DefaultIssuer = "step-cli"
	// DefaultAudience is the audience used when generating tokens.
	DefaultAudience = "https://ca/sign"
	// MinValidity is the minimum token validity duration.
	MinValidity = 10 * time.Second
	// MaxValidity is the maximum token validity duration.
	MaxValidity = 1 * time.Hour
	// DefaultValidity is the default token validity duration.
	DefaultValidity = 5 * time.Minute
	// MaxValidityDelay is the maximum allowable delay between now and the beginning of the token validity period.
	MaxValidityDelay = 30 * time.Minute
)
const RootSHAClaim = "sha"

RootSHAClaim is the property name for a JWT claim that stores the SHA256 of a root certificate.

const SANSClaim = "sans"

SANSClaim is the property name for a JWT claim that stores the list of required subject alternative names.

const StepClaim = "step"

StepClaim is the property name for a JWT claim that stores the custom information in the certificate.

Variables

This section is empty.

Functions

func GenerateKeyID

func GenerateKeyID(priv interface{}) (string, error)

GenerateKeyID returns the SHA256 of a public key.

Types

type AWSAmazonPayload added in v0.11.0

type AWSAmazonPayload struct {
	Document                 []byte                       `json:"document"`
	Signature                []byte                       `json:"signature"`
	InstanceIdentityDocument *AWSInstanceIdentityDocument `json:"-"`
}

AWSAmazonPayload represents the Amazon payload for an AWS token.

type AWSInstanceIdentityDocument added in v0.11.0

type AWSInstanceIdentityDocument struct {
	AccountID          string    `json:"accountId"`
	Architecture       string    `json:"architecture"`
	AvailabilityZone   string    `json:"availabilityZone"`
	BillingProducts    []string  `json:"billingProducts"`
	DevpayProductCodes []string  `json:"devpayProductCodes"`
	ImageID            string    `json:"imageId"`
	InstanceID         string    `json:"instanceId"`
	InstanceType       string    `json:"instanceType"`
	KernelID           string    `json:"kernelId"`
	PendingTime        time.Time `json:"pendingTime"`
	PrivateIP          string    `json:"privateIp"`
	RamdiskID          string    `json:"ramdiskId"`
	Region             string    `json:"region"`
	Version            string    `json:"version"`
}

AWSInstanceIdentityDocument is the JSON representation of the instance identity document.

type AzurePayload added in v0.11.0

type AzurePayload struct {
	SubscriptionID string
	ResourceGroup  string
	ResourceType   string
	ResourceName   string
}

AzurePayload contains the information in the xms_mirid claim.

type Claims

type Claims struct {
	jose.Claims
	ExtraClaims  map[string]interface{}
	ExtraHeaders map[string]interface{}
}

Claims represents the claims that a token might have.

func DefaultClaims

func DefaultClaims() *Claims

DefaultClaims returns the default claims of any token.

func NewClaims

func NewClaims(opts ...Options) (*Claims, error)

NewClaims returns the default claims with the given options added.

func (*Claims) Set

func (c *Claims) Set(key string, value interface{})

Set adds the given key and value to the map of extra claims.

func (*Claims) SetHeader

func (c *Claims) SetHeader(key string, value interface{})

SetHeader adds the given key and value to the map of extra headers.

func (*Claims) Sign

func (c *Claims) Sign(alg jose.SignatureAlgorithm, key interface{}) (string, error)

Sign creates a JWT with the claims and signs it with the given key.

type GCPComputeEnginePayload added in v0.11.0

type GCPComputeEnginePayload struct {
	InstanceID                string            `json:"instance_id"`
	InstanceName              string            `json:"instance_name"`
	InstanceCreationTimestamp *jose.NumericDate `json:"instance_creation_timestamp"`
	ProjectID                 string            `json:"project_id"`
	ProjectNumber             int64             `json:"project_number"`
	Zone                      string            `json:"zone"`
	LicenseID                 []string          `json:"license_id"`
}

GCPComputeEnginePayload represents the Google ComputeEngine payload in GCP.

type GCPGooglePayload added in v0.11.0

type GCPGooglePayload struct {
	ComputeEngine GCPComputeEnginePayload `json:"compute_engine"`
}

GCPGooglePayload represents the Google payload in GCP.

type JSONWebToken added in v0.11.0

type JSONWebToken struct {
	*jose.JSONWebToken
	Payload Payload
}

JSONWebToken represents a JSON Web Token (as specified in RFC 7519). When created with Parse or ParseInsecure it contains the payloads supported by step ca.

func Parse added in v0.11.0

func Parse(token string, key interface{}) (*JSONWebToken, error)

Parse parses the given token, verifying the signature with the key.

func ParseInsecure added in v0.11.0

func ParseInsecure(token string) (*JSONWebToken, error)

ParseInsecure parses the given token without verifying its signature.

type Options

type Options func(c *Claims) error

Options is a function that sets claims.

func WithAudience

func WithAudience(s string) Options

WithAudience returns an Options function that sets the audience to use in the token claims. If WithAudience is not used the default audience will be used.

func WithClaim

func WithClaim(name string, value interface{}) Options

WithClaim is an Options function that adds a custom claim to the JWT.

func WithIssuer

func WithIssuer(s string) Options

WithIssuer returns an Options function that sets the issuer to use in the token claims. If Issuer is not used the default issuer will be used.

func WithJWTID

func WithJWTID(s string) Options

WithJWTID returns an Options function that sets the jwtID to use in the token claims. If WithJWTID is not used a random identifier will be used.

func WithKid

func WithKid(s string) Options

WithKid returns an Options function that sets the kid header claim. If WithKid is not used a SHA256 thumbprint of the key will be used.

func WithNebulaCert added in v0.18.1

func WithNebulaCert(certFile string, key []byte) Options

WithNebulaCert returns an Options function that sets the nebula header.

func WithRootCA

func WithRootCA(path string) Options

WithRootCA returns an Options function that calculates the SHA256 of the given root certificate to be used in the token claims. If this option is not used the default root certificate in the $STEPPATH secrets directory will be used.

func WithSANS added in v0.8.4

func WithSANS(sans []string) Options

WithSANS returns an Options function that sets the list of required SANs in the token claims.

func WithSHA added in v0.11.0

func WithSHA(sum string) Options

WithSHA returns an Options function that sets the SHA claim to the given value.

func WithSSH added in v0.12.0

func WithSSH(v interface{}) Options

WithSSH returns an Options function that sets the step claim with the ssh property in the value.

func WithSSHPOPFile added in v0.14.0

func WithSSHPOPFile(certFile string, key interface{}) Options

WithSSHPOPFile returns an Options function that sets the sshpop header claim.

func WithStep added in v0.12.0

func WithStep(v interface{}) Options

WithStep returns an Options function that sets the step claim in the payload.

func WithSubject

func WithSubject(s string) Options

WithSubject returns an Options that sets the subject to use in the token claims.

func WithValidity

func WithValidity(notBefore, expiration time.Time) Options

WithValidity validates the boundary inputs and sets the 'nbf' (NotBefore) and 'exp' (expiration) claims.
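The boundary rules WithValidity is documented to enforce, using the package constants above (MinValidity, MaxValidity, MaxValidityDelay), written out as a stand-alone check in plain Go. This is an added illustration, not the package's own code: the function name CheckValidity, the ValidityWindow type, the exact order of the checks and the error wording are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Constants taken from the package documentation above.
const (
	MinValidity      = 10 * time.Second
	MaxValidity      = 1 * time.Hour
	MaxValidityDelay = 30 * time.Minute
)

// ValidityWindow holds the 'nbf' and 'exp' values that pass the checks.
type ValidityWindow struct {
	NotBefore time.Time
	Expiry    time.Time
}

// CheckValidity mirrors the constraints WithValidity is documented to apply
// (hypothetical helper, not the library's function): the token may not start
// more than MaxValidityDelay after now, and its lifetime (exp - nbf) must lie
// within [MinValidity, MaxValidity]. A delay of exactly MaxValidityDelay and a
// lifetime of exactly MaxValidity are accepted. The 'now' argument is passed in
// so the check is deterministic.
func CheckValidity(now, notBefore, expiration time.Time) (ValidityWindow, error) {
	if delay := notBefore.Sub(now); delay > MaxValidityDelay {
		return ValidityWindow{}, fmt.Errorf("validity delay %v exceeds maximum %v", delay, MaxValidityDelay)
	}
	lifetime := expiration.Sub(notBefore)
	switch {
	case lifetime < MinValidity:
		return ValidityWindow{}, fmt.Errorf("validity %v is shorter than minimum %v", lifetime, MinValidity)
	case lifetime > MaxValidity:
		return ValidityWindow{}, fmt.Errorf("validity %v is longer than maximum %v", lifetime, MaxValidity)
	}
	return ValidityWindow{NotBefore: notBefore.UTC(), Expiry: expiration.UTC()}, nil
}

func main() {
	now := time.Now()
	for _, tc := range []struct{ nbf, exp time.Time }{
		{now, now.Add(5 * time.Minute)},                        // default-sized window: accepted
		{now, now.Add(2 * time.Hour)},                          // lifetime too long: rejected
		{now.Add(time.Hour), now.Add(time.Hour + time.Minute)}, // starts too late: rejected
	} {
		_, err := CheckValidity(now, tc.nbf, tc.exp)
		fmt.Println(err)
	}
}
```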

func WithX5CCerts added in v0.23.0

func WithX5CCerts(certs []*x509.Certificate, key interface{}) Options

WithX5CCerts returns an Options function that sets the x5c header claim from certificates held in memory.

func WithX5CFile added in v0.14.0

func WithX5CFile(certFile string, key interface{}) Options

WithX5CFile returns an Options function that sets the x5c header claim from a certificate file.

func WithX5CInsecureCerts added in v0.23.0

func WithX5CInsecureCerts(certs []*x509.Certificate, key interface{}) Options

WithX5CInsecureCerts returns an Options function that sets the x5cAllowInvalid header claim from certificates held in memory.

func WithX5CInsecureFile added in v0.14.0

func WithX5CInsecureFile(certFile string, key interface{}) Options

WithX5CInsecureFile returns an Options function that sets the x5cAllowInvalid header claim. The `x5c` claims can only be accessed by running a method on the jose Token which validates the certificate chain before returning it. This option serves a use case where the user would prefer not to validate the certificate chain before returning it; presumably the user would then perform their own validation. NOTE: here be dragons. Use WithX5CFile unless you know what you are doing.

type Payload added in v0.11.0

type Payload struct {
	jose.Claims
	SHA                     string            `json:"sha"`     // JWK token claims
	SANs                    []string          `json:"sans"`    // ...
	AtHash                  string            `json:"at_hash"` // OIDC token claims
	AuthorizedParty         string            `json:"azp"`     // ...
	Email                   string            `json:"email"`
	EmailVerified           bool              `json:"email_verified"`
	Hd                      string            `json:"hd"`
	Nonce                   string            `json:"nonce"`
	AppID                   string            `json:"appid"`    // Azure token claims
	AppIDAcr                string            `json:"appidacr"` // ...
	IdentityProvider        string            `json:"idp"`
	ObjectID                string            `json:"oid"`
	TenantID                string            `json:"tid"`
	Version                 interface{}       `json:"ver"`
	XMSMirID                string            `json:"xms_mirid"`
	K8sSANamespace          string            `json:"kubernetes.io/serviceaccount/namespace,omitempty"`
	K8sSASecretName         string            `json:"kubernetes.io/serviceaccount/secret.name,omitempty"`
	K8sSAServiceAccountName string            `json:"kubernetes.io/serviceaccount/service-account.name,omitempty"`
	K8sSAServiceAccountUID  string            `json:"kubernetes.io/serviceaccount/service-account.uid,omitempty"`
	Google                  *GCPGooglePayload `json:"google"` // GCP token claims
	Amazon                  *AWSAmazonPayload `json:"amazon"` // AWS token claims
	Azure                   *AzurePayload     `json:"azure"`  // Azure token claims
}

Payload represents public claim values (as specified in RFC 7519). In addition to the standard claims it contains the ones supported in step ca.

func (Payload) Type added in v0.11.0

func (p Payload) Type() Type

Type returns the type of the payload.

type Token

type Token interface {
	SignedString(sigAlg string, priv interface{}) (string, error)
}

Token is the interface which all token types should attempt to implement.

type Type added in v0.11.0

type Type int

Type indicates the token Type.

const (
	Unknown Type = iota
	JWK          // Smallstep JWK
	X5C          // Smallstep JWK with x5c header
	OIDC         // OpenID Connect
	GCP          // Google Cloud Platform
	AWS          // Amazon Web Services
	Azure        // Microsoft Azure
	K8sSA        // Kubernetes Service Account
	Nebula       // Nebula, a JWT with nebula header
)

Token types supported.
