csp

package
v1.2.0-dev
Published: Nov 4, 2023 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Overview

Package csp provides VMware Cloud Services Platform token utilities.

Index

Constants

const (

	// PinnipedSupervisorDomain is the domain name for the pinniped supervisor token issuer that is
	// deployed in TMC self-managed environment to serve as an identity broker.
	PinnipedSupervisorDomain = "pinniped-supervisor"
	// FederationDomainPath is the path in the issuer URL of the federation domain setup to work
	// with the upstream identity provider.
	// TODO(ashisham): finalize what the federation domain deployed in production will look like
	// Prod and non-prod environments can share this path as the DNS zone from which the issuer URL
	// is generated from will be different.
	FederationDomainPath = "provider/pinniped"
)
const (
	// AuthTokenDir is a directory where cluster access token and refresh tokens are stored.
	AuthTokenDir = "tokens"

	// ExtraIDToken is the key in the Extra fields map that contains id_token.
	ExtraIDToken = "id_token"

	// StgIssuer is the CSP staging issuer.
	StgIssuer = "https://console-stg.cloud.vmware.com/csp/gateway/am/api"

	// ProdIssuer is the CSP issuer.
	ProdIssuer = "https://console.cloud.vmware.com/csp/gateway/am/api"

	//nolint:gosec // Avoid "hardcoded credentials" false positive.
	// APITokenKey is the env var for an API token override.
	APITokenKey = "CSP_API_TOKEN"
)

Variables

var (
	// KnownIssuers are known OAuth2 endpoints in each CSP environment.
	KnownIssuers = map[string]oauth2.Endpoint{
		StgIssuer: {
			AuthURL:   "https://console-stg.cloud.vmware.com/csp/gateway/discovery",
			TokenURL:  "https://console-stg.cloud.vmware.com/csp/gateway/am/api/auth/authorize",
			AuthStyle: oauth2.AuthStyleInHeader,
		},
		ProdIssuer: {
			AuthURL:   "https://console.cloud.vmware.com/csp/gateway/discovery",
			TokenURL:  "https://console.cloud.vmware.com/csp/gateway/am/api/auth/authorize",
			AuthStyle: oauth2.AuthStyleInHeader,
		},
	}
)

Functions

func GetAuthOptsOrExit

func GetAuthOptsOrExit() grpc.CallOption

GetAuthOptsOrExit returns the gRPC auth options. If accessToken is not empty it uses it; otherwise it fetches the token from the current auth context. If it encounters an error, it exits.

func GetIssuer

func GetIssuer(staging bool) string

GetIssuer returns the appropriate CSP issuer based on the environment.

func GetToken

func GetToken(g *configapi.GlobalServerAuth) (*oauth2.Token, error)

GetToken fetches a token for the current auth context.

func IDTokenFromTokenSource

func IDTokenFromTokenSource(token *oauth2.Token) (idTok string)

IDTokenFromTokenSource parses the id token out of the token's extra fields if available, or returns the empty string.

func IsExpired

func IsExpired(tokenExpiry time.Time) bool

IsExpired checks the token expiry and returns true if the token has expired, otherwise false.

func WithCredentialDiscovery

func WithCredentialDiscovery() (grpc.CallOption, error)

WithCredentialDiscovery returns a grpc.CallOption that adds credentials into gRPC calls. The credentials are loaded from the auth context found on the machine.

func WithStaticCreds

func WithStaticCreds(accessToken string) grpc.CallOption

WithStaticCreds wraps a static access token into a grpc.CallOption.

Types

type Claims

type Claims struct {
	Username    string
	Permissions []string
	OrgID       string
	Raw         map[string]interface{}
}

Claims are the jwt claims.

func ParseToken

func ParseToken(tkn *oauth2.Token) (*Claims, error)

ParseToken parses the token.

type Token

type Token struct {
	// IDToken for OIDC.
	IDToken string `json:"id_token"`

	// TokenType is the type of token.
	TokenType string `json:"token_type"`

	// ExpiresIn is expiration in seconds.
	ExpiresIn int64 `json:"expires_in"`

	// Scope of the token.
	Scope string `json:"scope"`

	// AccessToken from CSP.
	AccessToken string `json:"access_token"`

	// RefreshToken for use with Refresh Token grant.
	RefreshToken string `json:"refresh_token"`
}

Token is a CSP token.

func GetAccessTokenFromAPIToken

func GetAccessTokenFromAPIToken(apiToken, issuer string) (*Token, error)

GetAccessTokenFromAPIToken fetches CSP access token using the API-token.

func GetAccessTokenFromSelfManagedIDP added in v0.0.4

func GetAccessTokenFromSelfManagedIDP(refreshToken, issuerURL string) (*Token, error)

type TokenSource

type TokenSource struct {
	oauth2.TokenSource
}

TokenSource supplies PerRPCCredentials from an oauth2.TokenSource using CSP as the IDP. It supplies the access token through the authorization header and the id_token through the user-Id header.

func (TokenSource) GetRequestMetadata

func (ts TokenSource) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)

GetRequestMetadata gets the request metadata as a map from a TokenSource.

func (TokenSource) RequireTransportSecurity

func (ts TokenSource) RequireTransportSecurity() bool

RequireTransportSecurity indicates whether the credentials require transport security.
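As an added example, not code from the csp package, the following reimplements the behaviour the TokenSource, IsExpired and IDTokenFromTokenSource docs describe with the standard library only: the id_token is read out of an oauth2-style Extra map, an expired token is refused before any call, and the two headers are built. The Token shape and the "Bearer" scheme are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Token holds the csp.Token fields needed for request metadata (assumed shape, not the package's type).
type Token struct {
	AccessToken string
	IDToken     string
	Expiry      time.Time
}

// isExpired follows csp.IsExpired's contract: true once the expiry time has passed.
func isExpired(expiry, now time.Time) bool {
	return !now.Before(expiry)
}
// idTokenFromExtra follows csp.IDTokenFromTokenSource's contract: the id_token from an
// oauth2 Extra-style map, or "" when it is absent or not a string.
func idTokenFromExtra(extra map[string]interface{}) string {
	if v, ok := extra["id_token"].(string); ok {
		return v
	}
	return ""
}

// requestMetadata builds the headers the TokenSource doc describes: access token in
// authorization (the "Bearer" scheme is assumed), id_token in user-Id. An expired token
// is refused so a stale credential fails at the call site instead of at the service.
func requestMetadata(tok Token, now time.Time) (map[string]string, error) {
	if tok.AccessToken == "" {
		return nil, errors.New("empty access token")
	}
	if isExpired(tok.Expiry, now) {
		return nil, errors.New("access token expired; refresh before calling")
	}
	md := map[string]string{"authorization": "Bearer " + tok.AccessToken}
	if tok.IDToken != "" {
		md["user-Id"] = tok.IDToken
	}
	return md, nil
}
func main() { // constructed sample token with a fixed clock
	now := time.Date(2023, 11, 4, 0, 0, 0, 0, time.UTC)
	extra := map[string]interface{}{"id_token": "constructed-id-token"}
	md, err := requestMetadata(Token{AccessToken: "constructed-access", IDToken: idTokenFromExtra(extra), Expiry: now.Add(time.Hour)}, now)
	fmt.Println(md, err)
}
```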
