auth

package
v0.0.51

This package is not in the latest version of its module.
Published: May 27, 2024 License: Apache-2.0 Imports: 19 Imported by: 0

Constants

const (
	// Github OAuth2 provider
	Github = "github"

	// GitHubApp provider
	GitHubApp = "github-app"
)

Variables

var OAuthSuccessHtml []byte

OAuthSuccessHtml is the HTML page sent to the client upon successful enrollment via the CLI

Functions

func DeleteAccessToken

func DeleteAccessToken(ctx context.Context, provider string, token string) error

DeleteAccessToken deletes the access token for a given provider

func GetUserClaimFromContext added in v0.0.35

func GetUserClaimFromContext[T any](ctx context.Context, claim string) (T, bool)

GetUserClaimFromContext returns the specified claim from the user subject in the context, if it is found and has the requested type T

func GetUserForGitHubId added in v0.0.39

func GetUserForGitHubId(ctx context.Context, sic server.IdentityConfigWrapper, ghUser int64) (string, error)

GetUserForGitHubId looks up a user in Keycloak by their GitHub ID. This is a temporary implementation until we have a proper interface in front of IDP implementations.

If the user is found, it returns their subject _in Keycloak_, suitable for use in the `sub` claim of a JWT and in OpenFGA's user field. Note that this function may return "" with no error when no user matches the GitHub ID; callers must treat that as "not found" rather than passing an empty subject on to authorization.

func GetUserSubjectFromContext added in v0.0.24

func GetUserSubjectFromContext(ctx context.Context) string

GetUserSubjectFromContext returns the user subject from the context, or the empty string if no token is stored there (the return type is string, so callers check for "" rather than nil)

func NewOAuthConfig

func NewOAuthConfig(c *server.ProviderConfig, provider string, cli bool) (*oauth2.Config, error)

NewOAuthConfig creates a new OAuth2 config for the given provider; cli indicates whether the client is a CLI or a web client

func NewProviderHttpClient

func NewProviderHttpClient(provider string) *http.Client

NewProviderHttpClient creates a new http client for the given provider

func ValidateProviderToken

func ValidateProviderToken(_ context.Context, provider db.ProviderClass, token string) error

ValidateProviderToken validates the given token for the given provider

func WithAuthTokenContext added in v0.0.35

func WithAuthTokenContext(ctx context.Context, token openid.Token) context.Context

WithAuthTokenContext stores the specified user-identifying token in the context.
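How these context helpers fit together, as an added example that is not the package's own code: the token is reduced to a claim-name to value map standing in for openid.Token (an assumption, so the example needs no JWT library), the context key is an unexported type, and the generic getter reports false both for a missing claim and for a claim of the wrong type. The claim names `sub` and `exp` and the sample values are constructed.

```go
package main

import (
	"context"
	"fmt"
)

// Token stands in for openid.Token as a claim-name to value map (assumption).
// Only store a token here after the JwtValidator has accepted it.
type Token map[string]any

// tokenKey is unexported, so no other package can plant or read a token in
// the context under this key.
type tokenKey struct{}

func WithAuthTokenContext(ctx context.Context, tok Token) context.Context {
	return context.WithValue(ctx, tokenKey{}, tok)
}

// GetUserClaimFromContext returns the named claim only if it is present and
// of type T; a claim of the wrong type reports false rather than handing back
// a zero value that looks like data.
func GetUserClaimFromContext[T any](ctx context.Context, claim string) (T, bool) {
	var zero T
	tok, ok := ctx.Value(tokenKey{}).(Token)
	if !ok {
		return zero, false
	}
	typed, ok := tok[claim].(T) // a missing claim is a nil interface: assertion fails
	if !ok {
		return zero, false
	}
	return typed, true
}

// GetUserSubjectFromContext returns the `sub` claim, or "" when no token (or
// no sub) is stored; callers must treat "" as unauthenticated.
func GetUserSubjectFromContext(ctx context.Context) string {
	sub, _ := GetUserClaimFromContext[string](ctx, "sub")
	return sub
}

func main() {
	ctx := WithAuthTokenContext(context.Background(), Token{"sub": "8d0c1f6e", "exp": float64(1716800000)})
	fmt.Println(GetUserSubjectFromContext(ctx))               // 8d0c1f6e
	fmt.Println(GetUserClaimFromContext[float64](ctx, "exp")) // 1.7168e+09 true
	fmt.Println(GetUserClaimFromContext[int64](ctx, "exp"))   // 0 false: present, wrong type
	fmt.Printf("%q\n", GetUserSubjectFromContext(context.Background())) // "": no token
}
```

One caveat that bites in practice: numeric claims decoded from JSON arrive as float64, not int64, so asking for `int64` reports false even though `exp` is present. The typed miss is the safe failure; it is the caller's job to ask for the type the decoder actually produced.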

Types

type Identity added in v0.0.48

type Identity struct {
	// UserID is a stable unique identifier for the user.  This may be a large
	// integer or a UUID, rather than something human-readable.
	//
	// For KeyCloak, this is `sub`.
	UserID string
	// HumanName is a human-readable name.  Because humans are fickle, these may
	// not be unique or stable over time, though they should be unique at any
	// particular time.  For example, Alex may change their handle from
	// "alexsmith" to "alexawesome" after a life change, and someone else might
	// enroll the "alexsmith" handle.  If you are storing data, you want UserID,
	// not HumanName.  If you are presenting data, you probably want HumanName.
	//
	// For KeyCloak, this is `preferred_username`.  For some other providers,
	// this might be an email address.
	HumanName string
	// Provider is the identity provider that vended this identity.  Note that
	// UserID and HumanName are only unique within the context of a single
	// identity provider.
	Provider IdentityProvider
}

Identity represents a particular user's identity in a particular trust domain (represented by an IdentityProvider).

func (*Identity) Human added in v0.0.48

func (i *Identity) Human() string

Human returns a human-readable representation of the identity, suitable for presentation to humans.

func (*Identity) String added in v0.0.48

func (i *Identity) String() string

String implements fmt.Stringer, and also provides a stable storage representation of the Identity.

type IdentityClient added in v0.0.48

type IdentityClient struct {
	// contains filtered or unexported fields
}

IdentityClient supports the ability to look up identities in one or more IdentityProviders.

func NewIdentityClient added in v0.0.48

func NewIdentityClient(providers ...IdentityProvider) (*IdentityClient, error)

NewIdentityClient creates a new IdentityClient with the supplied providers.

func (*IdentityClient) Register added in v0.0.48

func (c *IdentityClient) Register(p IdentityProvider) error

Register registers a new identity provider with the client.

func (*IdentityClient) Resolve added in v0.0.48

func (c *IdentityClient) Resolve(ctx context.Context, id string) (*Identity, error)

Resolve implements Resolver.

func (*IdentityClient) Validate added in v0.0.48

func (c *IdentityClient) Validate(ctx context.Context, token jwt.Token) (*Identity, error)

Validate implements Resolver.

type IdentityProvider added in v0.0.48

type IdentityProvider interface {
	Resolver

	// String returns the name of the identity provider.  This should be a short
	// one-word string suitable for presentation.  As a special case, a _single_
	// provider may use the empty string as its name to act as a default / fallback
	// provider.
	String() string
	// URL returns the `iss` URL of the identity provider.
	URL() url.URL
}

IdentityProvider provides an abstract interface for looking up identities in a remote identity provider.

type JwkSetJwtValidator

type JwkSetJwtValidator struct {
	// contains filtered or unexported fields
}

JwkSetJwtValidator is a JWT validator that uses a JWK set URL to validate the tokens

func (*JwkSetJwtValidator) ParseAndValidate

func (j *JwkSetJwtValidator) ParseAndValidate(tokenString string) (openid.Token, error)

ParseAndValidate validates a token string and returns an OpenID token, or an error if the token is invalid

type JwtValidator

type JwtValidator interface {
	ParseAndValidate(tokenString string) (openid.Token, error)
}

JwtValidator provides the functions to validate a JWT

func NewJwtValidator

func NewJwtValidator(ctx context.Context, jwksUrl string) (JwtValidator, error)

NewJwtValidator creates a new JWT validator that uses a JWK set URL to validate the tokens

type KeySetCache

type KeySetCache struct {
	// contains filtered or unexported fields
}

KeySetCache is a KeySetFetcher that fetches the JWK set from a cache

func (*KeySetCache) GetKeySet

func (k *KeySetCache) GetKeySet() (jwk.Set, error)

GetKeySet returns the cached JWK set

type KeySetFetcher

type KeySetFetcher interface {
	GetKeySet() (jwk.Set, error)
}

KeySetFetcher provides the functions to fetch a JWK set
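What a JwkSetJwtValidator backed by a KeySetFetcher has to get right, as an added example that is not the package's code and uses only the standard library: a validator holding a JWK set (a slice of EC keys standing in for what KeySetCache would return from the JWKS URL), an ES256 signer that plays the identity provider, and a ParseAndValidate that pins the algorithm, picks the key by `kid`, verifies the signature before decoding any claim, and only then enforces a pinned issuer and `exp`. The issuer URL, key id and subject are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// jwk holds the fields of an EC JSON Web Key (RFC 7517/7518) that ES256 needs.
type jwk struct{ Kty, Kid, Crv, X, Y string }

type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// Validator pins the trusted issuer at construction instead of reading it from
// the token; keys is what the page's KeySetFetcher would return.
type Validator struct {
	keys   []jwk
	issuer string
}

// ParseAndValidate verifies the signature before trusting any claim, pins the
// algorithm so the header cannot choose "none" or swap key types, and then
// enforces iss and exp.
func (v *Validator) ParseAndValidate(tok string) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("undecodable header")
	}
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	var pub *ecdsa.PublicKey
	for _, k := range v.keys {
		if k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" {
			x, _ := enc.DecodeString(k.X) // a bad coordinate gives an off-curve point,
			y, _ := enc.DecodeString(k.Y) // which ecdsa.Verify rejects
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no P-256 key with kid %q", hdr.Kid)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("undecodable payload")
	}
	if c.Iss != v.issuer {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if c.Exp == 0 || !time.Now().Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	return &c, nil
}

// newIdPKey generates a throwaway signing key and publishes its public half the
// way an IdP's JWKS endpoint would (constructed test setup).
func newIdPKey(kid string) (*ecdsa.PrivateKey, jwk) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	x, y := make([]byte, 32), make([]byte, 32)
	priv.X.FillBytes(x)
	priv.Y.FillBytes(y)
	return priv, jwk{Kty: "EC", Kid: kid, Crv: "P-256", X: enc.EncodeToString(x), Y: enc.EncodeToString(y)}
}

// signES256 mints a token; in practice only the IdP holds the private key.
func signES256(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	body, _ := json.Marshal(c)
	signing := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS wants raw r||s, not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signing + "." + enc.EncodeToString(sig), nil
}

func main() {
	priv, pub := newIdPKey("k1")
	v := &Validator{keys: []jwk{pub}, issuer: "https://idp.example/realms/demo"}
	tok, _ := signES256(priv, "k1", Claims{Iss: v.issuer, Sub: "8d0c1f6e", Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(v.ParseAndValidate(tok))
}
```

A production validator also checks `aud` and `nbf`, tolerates a little clock skew, and refreshes the key set when an unknown `kid` arrives instead of failing permanently; what it must never do is let the token's header choose the algorithm or the key source, which is the alg-confusion class of bug this example closes off.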

type Resolver added in v0.0.48

type Resolver interface {

	// Validate validates a token and returns an underlying identity representation
	// suitable for use in authz calls.  This _probably_ reads data from the token,
	// but could fetch from an external provider.
	Validate(ctx context.Context, token jwt.Token) (*Identity, error)

	// Resolve takes either a human-readable identifier or a stable identifier and
	// returns the underlying identity.  This may involve looking up or defining
	// the identity in the remote identity provider.
	//
	// For Keycloak + GitHub, this may define a new user in Keycloak based on
	// GitHub user data if the user is not already known to Keycloak.
	Resolve(ctx context.Context, id string) (*Identity, error)
}

Resolver is an interface for resolving human-readable or stable identifiers from either JWTs or stored strings

Directories

Path Synopsis
Package keycloak provides an implementation of the Keycloak IdentityProvider.
client
Package client provides primitives to interact with the openapi HTTP API.
Package mock_auth is a generated GoMock package.
Package noop provides a no-op implementation of the JwtValidator interface.
