jose

package

v0.2.47 Latest Latest Go to latest Published: Dec 4, 2024 License: Apache-2.0 Imports: 26 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/unikorn-cloud/identity

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
type CoordinationClientGetter
type InClusterCoordinationClientGetter
- func (*InClusterCoordinationClientGetter) Client() (coordinationv1.CoordinationV1Interface, error)
type JWTIssuer
- func NewJWTIssuer(client client.Client, namespace string, options *Options) *JWTIssuer
type Options
- func (o *Options) AddFlags(f *pflag.FlagSet)
type PublicKeyer
type TokenType

Constants ¶

View Source

const SigningKeyName = "unikorn-identity-jose"

Variables ¶

View Source

var (
	// ErrKeyFormat is raised when something is wrong with the
	// encryption keys.
	ErrKeyFormat = errors.New("key format error")

	// ErrTokenVerification is raised when token verification fails.
	ErrTokenVerification = errors.New("failed to verify token")

	// ErrMissingKey is raised when a key is missing from a secret.
	ErrMissingKey = errors.New("failed to lookup key")

	// ErrContextError is raised when a required value cannot be retrieved
	// from a context.
	ErrContextError = errors.New("value missing from context")

	// ErrJOSE is raised when something is wrong with a JWT.
	ErrJOSE = errors.New("jose error")
)

Functions ¶

This section is empty.

Types ¶

type CoordinationClientGetter ¶ added in v0.2.4

type CoordinationClientGetter interface {
	Client() (coordinationv1.CoordinationV1Interface, error)
}

type InClusterCoordinationClientGetter ¶ added in v0.2.4

type InClusterCoordinationClientGetter struct{}

func (*InClusterCoordinationClientGetter) Client ¶ added in v0.2.4

func (*InClusterCoordinationClientGetter) Client() (coordinationv1.CoordinationV1Interface, error)

type JWTIssuer ¶

type JWTIssuer struct {
	// contains filtered or unexported fields
}

JWTIssuer is in charge of API token issue and verification. It is expected that the keys come from a mounted kubernetes.io/tls secret, and that is managed by cert-manager. As a result the keys will rotate every 60 days (by default), so you MUST ensure they are not cached in perpetuity. Additionally, due to horizontal scale-out these secrets need to be shared between all replicas so that a token issued by one, can be verified by another. As such if you ever do cache the certificate load, it will need to be coordinated between all instances.

func NewJWTIssuer ¶

func NewJWTIssuer(client client.Client, namespace string, options *Options) *JWTIssuer

NewJWTIssuer returns a new JWT issuer and validator.

func (*JWTIssuer) DecodeJWEToken ¶

func (i *JWTIssuer) DecodeJWEToken(ctx context.Context, tokenString string, claims interface{}, tokenType TokenType) error

func (*JWTIssuer) DecodeJWT ¶ added in v0.1.2

func (i *JWTIssuer) DecodeJWT(ctx context.Context, tokenString string, claims interface{}) error

func (*JWTIssuer) EncodeJWEToken ¶

func (i *JWTIssuer) EncodeJWEToken(ctx context.Context, claims interface{}, tokenType TokenType) (string, error)

EncodeJWEToken encodes, signs and encrypts as set of claims. For access tokens this implemenrs https://datatracker.ietf.org/doc/html/rfc9068

func (*JWTIssuer) EncodeJWT ¶

func (i *JWTIssuer) EncodeJWT(ctx context.Context, claims interface{}) (string, error)

func (*JWTIssuer) GetJSONWebKey ¶ added in v0.2.39

func (i *JWTIssuer) GetJSONWebKey(pem []byte) (*jose.JSONWebKey, *jose.JSONWebKey, error)

GetJSONWebKey converts from a X.509 secret into a JWK.

func (*JWTIssuer) GetJSONWebKeySet ¶ added in v0.2.39

func (i *JWTIssuer) GetJSONWebKeySet(ctx context.Context) (*jose.JSONWebKeySet, *jose.JSONWebKeySet, error)

GetJSONWebKeySet returns all JSON web keys.

func (*JWTIssuer) GetKeyByID ¶ added in v0.2.39

func (i *JWTIssuer) GetKeyByID(ctx context.Context, keyID string) (*jose.JSONWebKey, *jose.JSONWebKey, error)

func (*JWTIssuer) GetPrimaryKey ¶ added in v0.2.39

func (i *JWTIssuer) GetPrimaryKey(ctx context.Context) (*jose.JSONWebKey, *jose.JSONWebKey, error)

GetPrimaryKey is the JWK used to sign and encrypt new tokens.

func (*JWTIssuer) Run ¶ added in v0.2.4

func (i *JWTIssuer) Run(ctx context.Context, coordinationClientGetter CoordinationClientGetter) error

Run starts the certificate management loop. The certificate itself is managed by cert-manager, as a reissue duration of N and a lifetime of 2N. Tokens may be issued for a maximum duration of N. Tokens issued just before the certificates N will be able to be verified until their expiration. Now, to pull this off we need to:

Keep a primary copy of the current key pair so we can see when it changes. with reference to the master copy managed by cert-manager.
When it does change, we need to demote the primary copy to the secondary, then update the new primary.

Tokens will always be issued by the current primary, but may be verified by either the primary or secondary.

As identity is hoizontally scalable, we have another pain in the arse that is split brain, so use leadership election to ease the burden.

func (*JWTIssuer) StartLeading ¶ added in v0.2.4

func (i *JWTIssuer) StartLeading(ctx context.Context)

StartLeading does certificate rotation handling. NOTE: there is a startup penalty waiting for the first tick, but on the first invocation it's expected there won't be any traffic immediately anyway.

func (*JWTIssuer) StopLeading ¶ added in v0.2.4

func (i *JWTIssuer) StopLeading()

type Options ¶

type Options struct {
	// IssuerSecretName is the name of the secret that contains our managed
	// signing key.
	IssuerSecretName string

	// RotationPeriod is used to tweak the period for certificate rotation
	// detection.
	RotationPeriod time.Duration
}

func (*Options) AddFlags ¶

func (o *Options) AddFlags(f *pflag.FlagSet)

AddFlags registers flags with the provided flag set.

type PublicKeyer ¶ added in v0.2.39

type PublicKeyer interface {
	Public() crypto.PublicKey
}

type TokenType ¶ added in v0.2.4

type TokenType string

TokenType is used to define the specific use of a token.

const (
	// TokenTypeAccessToken is defined by RFC9068 to prevent reuse in other contexts.
	TokenTypeAccessToken TokenType = "at+jwt"

	// TokenTypeAuthorizationCode is defined by us to prevent reuse in other contexts.
	//nolint:gosec
	TokenTypeAuthorizationCode TokenType = "unikorn-cloud.org/authcode+jwt"

	// TokenTypeLoginState is deinfed by us to prevent reuse in other contexts.
	//nolint:gosec
	TokenTypeLoginState TokenType = "unikorn-cloud.org/loginstate+jwt"

	// TokenTypeRefreshToken is defined to prevent reuse in other contexts.
	//nolint:gosec
	TokenTypeRefreshToken TokenType = "unikorn-cloud.org/rt+jwt"
)

Source Files ¶

View all Source files

jose.go

Directories ¶

Path	Synopsis
testing

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL