Documentation ¶
Overview ¶
Package csp provides VMware Cloud Services Platform token utilities.
Index ¶
- Constants
- Variables
- func GetAuthOptsOrExit() grpc.CallOption
- func GetIssuer(staging bool) string
- func GetIssuerUpdateFlagFromCentralConfig() bool
- func GetOrgNameFromOrgID(orgID, accessToken, issuer string) (string, error)
- func GetTanzuHubEndpoint(orgID, accessToken string, useStagingIssuer bool) (string, error)
- func GetToken(g *configapi.GlobalServerAuth) (*oauth2.Token, error)
- func IDTokenFromTokenSource(token *oauth2.Token) (idTok string)
- func IsExpired(tokenExpiry time.Time) bool
- func WithCredentialDiscovery() (grpc.CallOption, error)
- func WithStaticCreds(accessToken string) grpc.CallOption
- type Claims
- type LoginOption
- type TanzuCSPMetadata
- type Token
- type TokenSource
Constants ¶
const (
	// AuthTokenDir is a directory where cluster access token and refresh tokens are stored.
	AuthTokenDir = "tokens"
	// ExtraIDToken is the key in the Extra fields map that contains id_token.
	ExtraIDToken = "id_token"
	// StgIssuer is the VMware CSP(VCSP) staging issuer.
	StgIssuer = "https://console-stg.cloud.vmware.com/csp/gateway/am/api"
	// ProdIssuer is the VMware CSP(VCSP) issuer.
	ProdIssuer = "https://console.cloud.vmware.com/csp/gateway/am/api"
	// StgIssuerTCSP is the Tanzu CSP (TCSP) staging issuer.
	StgIssuerTCSP = "https://console-stg.tanzu.broadcom.com/csp/gateway/am/api"
	// ProdIssuerTCSP is the Tanzu CSP (TCSP) issuer.
	ProdIssuerTCSP = "https://console.tanzu.broadcom.com/csp/gateway/am/api"
	//nolint:gosec // Avoid "hardcoded credentials" false positive.
	// APITokenKey is the env var for an API token override.
	APITokenKey = "CSP_API_TOKEN"
)
const (
	// APITokenType is the token type denoting a token obtained using an API token.
	APITokenType = "api-token"
	// IDTokenType is the token type denoting a token obtained using the interactive login flow.
	IDTokenType = "id-token"
)
Token types
Variables ¶
var (
	// DefaultKnownIssuers are known OAuth2 endpoints in each CSP environment.
	DefaultKnownIssuers = map[string]oauth2.Endpoint{
		StgIssuer: {
			AuthURL:   "https://console-stg.cloud.vmware.com/csp/gateway/discovery",
			TokenURL:  "https://console-stg.cloud.vmware.com/csp/gateway/am/api/auth/authorize",
			AuthStyle: oauth2.AuthStyleInHeader,
		},
		ProdIssuer: {
			AuthURL:   "https://console.cloud.vmware.com/csp/gateway/discovery",
			TokenURL:  "https://console.cloud.vmware.com/csp/gateway/am/api/auth/authorize",
			AuthStyle: oauth2.AuthStyleInHeader,
		},
		StgIssuerTCSP: {
			AuthURL:   "https://console-stg.tanzu.broadcom.com/csp/gateway/discovery",
			TokenURL:  "https://console-stg.tanzu.broadcom.com/csp/gateway/am/api/auth/authorize",
			AuthStyle: oauth2.AuthStyleInHeader,
		},
		ProdIssuerTCSP: {
			AuthURL:   "https://console.tanzu.broadcom.com/csp/gateway/discovery",
			TokenURL:  "https://console.tanzu.broadcom.com/csp/gateway/am/api/auth/authorize",
			AuthStyle: oauth2.AuthStyleInHeader,
		},
	}
)
Functions ¶
func GetAuthOptsOrExit ¶
func GetAuthOptsOrExit() grpc.CallOption
GetAuthOptsOrExit returns the grpc auth options. If accessToken is not empty it uses it, else it fetches the token from the current auth context. If it encounters an error, it exits.
func GetIssuerUpdateFlagFromCentralConfig ¶ added in v1.4.0
func GetIssuerUpdateFlagFromCentralConfig() bool
GetIssuerUpdateFlagFromCentralConfig gets the issuer update flag (used to update the CLI config file) from Central config on a best-effort basis.
func GetOrgNameFromOrgID ¶ added in v1.2.0
func GetOrgNameFromOrgID(orgID, accessToken, issuer string) (string, error)
GetOrgNameFromOrgID fetches the CSP Org Name for the given Organization ID.
func GetTanzuHubEndpoint ¶ added in v1.3.0
func GetTanzuHubEndpoint(orgID, accessToken string, useStagingIssuer bool) (string, error)
GetTanzuHubEndpoint retrieves the Tanzu Hub Endpoint through the CSP API, falling back to Central Config.
func GetToken ¶
func GetToken(g *configapi.GlobalServerAuth) (*oauth2.Token, error)
GetToken fetches a token for the current auth context.
func IDTokenFromTokenSource ¶
func IDTokenFromTokenSource(token *oauth2.Token) (idTok string)
IDTokenFromTokenSource parses the id token out of the token's extra fields if available, or returns an empty string.
func IsExpired ¶
func IsExpired(tokenExpiry time.Time) bool
IsExpired checks the token expiry and returns true if the token has expired, false otherwise.
func WithCredentialDiscovery ¶
func WithCredentialDiscovery() (grpc.CallOption, error)
WithCredentialDiscovery returns a grpc.CallOption that adds credentials into gRPC calls. The credentials are loaded from the auth context found on the machine.
func WithStaticCreds ¶
func WithStaticCreds(accessToken string) grpc.CallOption
WithStaticCreds will wrap a static access token into a grpc.CallOption
Types ¶
type LoginOption ¶ added in v1.2.0
type LoginOption func(*cspLoginHandler) error
LoginOption is an optional configuration for Login().
func WithListenerPort ¶ added in v1.2.0
func WithListenerPort(port uint16) LoginOption
WithListenerPort specifies a TCP listener port on localhost, which will be used for the redirect_uri and to handle the authorization code callback. By default, a random high port will be chosen, which requires the authorization server to support wildcard port numbers as described by https://tools.ietf.org/html/rfc8252#section-7.3. Being able to designate the listener port might be advantageous under some circumstances (e.g. for determining what to port-forward from the host where the web browser is available).
func WithListenerPortFromEnv ¶ added in v1.2.0
func WithListenerPortFromEnv(envVarName string) LoginOption
WithListenerPortFromEnv sets the TCP listener port on localhost based on the value of the specified environment variable, which will be used for the redirect_uri and to handle the authorization code callback. By default, a random high port will be chosen, which requires the authorization server to support wildcard port numbers as described by https://tools.ietf.org/html/rfc8252#section-7.3. Being able to designate the listener port might be advantageous under some circumstances (e.g. for determining what to port-forward from the host where the web browser is available).
func WithOrgID ¶ added in v1.2.0
func WithOrgID(orgID string) LoginOption
WithOrgID causes the login to target the given Organization.
func WithRefreshToken ¶ added in v1.2.0
func WithRefreshToken(refreshToken string) LoginOption
WithRefreshToken causes the login to use the refresh token instead of the interactive login. If the refresh token is expired or invalid, the interactive login will kick in.
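The LoginOption functions above follow Go's functional-options pattern: each returns a closure that mutates the unexported login handler and may fail. The following is an added example, not the package's own code, that re-creates that pattern with a minimal stand-in handler (the field names, the treatment of an unset environment variable as "keep the default random port", and the applyLoginOptions helper are assumptions made for the example). It also shows the validation a port read from an environment variable needs, since a value such as "0", "70000" or "abc" must fail the login early rather than produce a listener the browser can never reach.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
)

// cspLoginHandler is a stand-in for the package's unexported handler; only the
// fields these options touch are modelled (assumption for this example).
type cspLoginHandler struct {
	listenerPort uint16 // 0 means "pick a random high port", the documented default
	orgID        string
	refreshToken string
}

// LoginOption has the same shape as the package's LoginOption type.
type LoginOption func(*cspLoginHandler) error

// WithListenerPort pins the localhost callback listener to a fixed port.
func WithListenerPort(port uint16) LoginOption {
	return func(h *cspLoginHandler) error {
		h.listenerPort = port
		return nil
	}
}

// parsePort accepts only an integer in 1..65535; strconv's bitSize of 16
// rejects anything above 65535 and the explicit check rejects 0.
func parsePort(raw string) (uint16, error) {
	p, err := strconv.ParseUint(raw, 10, 16)
	if err != nil {
		return 0, fmt.Errorf("invalid listener port %q: %w", raw, err)
	}
	if p == 0 {
		return 0, errors.New("listener port must be non-zero")
	}
	return uint16(p), nil
}

// WithListenerPortFromEnv reads the port from envVarName. An unset or empty
// variable keeps the default random port (assumed behaviour); a present but
// malformed value aborts the login.
func WithListenerPortFromEnv(envVarName string) LoginOption {
	return func(h *cspLoginHandler) error {
		raw, ok := os.LookupEnv(envVarName)
		if !ok || raw == "" {
			return nil
		}
		port, err := parsePort(raw)
		if err != nil {
			return fmt.Errorf("%s: %w", envVarName, err)
		}
		h.listenerPort = port
		return nil
	}
}

// WithOrgID records the Organization the login should target.
func WithOrgID(orgID string) LoginOption {
	return func(h *cspLoginHandler) error {
		h.orgID = orgID
		return nil
	}
}

// WithRefreshToken records a refresh token to try before interactive login.
func WithRefreshToken(refreshToken string) LoginOption {
	return func(h *cspLoginHandler) error {
		h.refreshToken = refreshToken
		return nil
	}
}

// applyLoginOptions mirrors how a TanzuLogin-style function would consume its
// variadic options: the first failing option aborts before any network I/O.
func applyLoginOptions(opts ...LoginOption) (*cspLoginHandler, error) {
	h := &cspLoginHandler{}
	for _, opt := range opts {
		if err := opt(h); err != nil {
			return nil, err
		}
	}
	return h, nil
}

func main() {
	// CSP_EXAMPLE_PORT is a constructed variable name used only by this example.
	h, err := applyLoginOptions(WithOrgID("org-placeholder"), WithListenerPortFromEnv("CSP_EXAMPLE_PORT"))
	fmt.Printf("handler=%+v err=%v\n", h, err)
}
```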
type TanzuCSPMetadata ¶ added in v1.4.0
type TanzuCSPMetadata struct {
	IssuerProduction string `json:"issuerProduction" yaml:"issuerProduction"`
	IssuerStaging    string `json:"issuerStaging" yaml:"issuerStaging"`
}
TanzuCSPMetadata is used to parse the CSP metadata from central config.
func GetCSPMetadata ¶ added in v1.4.0
func GetCSPMetadata() TanzuCSPMetadata
GetCSPMetadata gets the CSP metadata from central config on a best-effort basis. If it fails to get the metadata from central config, it returns the default values.
type Token ¶
type Token struct {
	// IDToken for OIDC.
	IDToken string `json:"id_token"`
	// TokenType is the type of token.
	TokenType string `json:"token_type"`
	// ExpiresIn is expiration in seconds.
	ExpiresIn int64 `json:"expires_in"`
	// Scope of the token.
	Scope string `json:"scope"`
	// AccessToken from CSP.
	AccessToken string `json:"access_token"`
	// RefreshToken for use with Refresh Token grant.
	RefreshToken string `json:"refresh_token"`
}
Token is a CSP token.
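Token carries a relative expires_in rather than an absolute expiry, so a caller has to anchor it to the time the response arrived before IsExpired can be applied. The following added example (not the package's code) redeclares the Token struct documented above, decodes a constructed CSP-style response with placeholder token values, converts expires_in into an absolute instant and checks it with an IsExpired that has the package's signature. The boundary semantics (expiry at exactly "now" counts as expired), the rejection of responses lacking access_token or carrying a non-positive expires_in, and the helper names are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Token redeclares the csp.Token struct so this example compiles on its own;
// it is not the package's source.
type Token struct {
	IDToken      string `json:"id_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int64  `json:"expires_in"`
	Scope        string `json:"scope"`
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
}

// parseToken decodes a CSP token response body and refuses to hand back a
// token that cannot be used or whose lifetime cannot be computed.
func parseToken(body []byte) (*Token, error) {
	var tok Token
	if err := json.Unmarshal(body, &tok); err != nil {
		return nil, fmt.Errorf("decode csp token: %w", err)
	}
	if tok.AccessToken == "" {
		return nil, errors.New("csp token response has no access_token")
	}
	if tok.ExpiresIn <= 0 {
		return nil, fmt.Errorf("csp token response has invalid expires_in %d", tok.ExpiresIn)
	}
	return &tok, nil
}

// expiryOf turns the relative expires_in into an absolute instant, anchored at
// the time the response was received rather than at first use of the token.
func expiryOf(tok *Token, receivedAt time.Time) time.Time {
	return receivedAt.Add(time.Duration(tok.ExpiresIn) * time.Second)
}

// isExpiredAt is the clock-independent core of the check: a token whose expiry
// instant is not strictly after "now" is treated as expired (assumed semantics).
func isExpiredAt(tokenExpiry, now time.Time) bool {
	return !tokenExpiry.After(now)
}

// IsExpired has the same signature as the package's IsExpired and evaluates
// the check against the wall clock.
func IsExpired(tokenExpiry time.Time) bool {
	return isExpiredAt(tokenExpiry, time.Now())
}

// sampleResponse is a constructed CSP-style response; the token strings are
// placeholders, not real credentials.
const sampleResponse = `{"id_token":"PLACEHOLDER_ID_TOKEN","token_type":"bearer",` +
	`"expires_in":1799,"scope":"openid","access_token":"PLACEHOLDER_ACCESS_TOKEN",` +
	`"refresh_token":"PLACEHOLDER_REFRESH_TOKEN"}`

func main() {
	received := time.Now()
	tok, err := parseToken([]byte(sampleResponse))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	exp := expiryOf(tok, received)
	fmt.Printf("token type %q expires at %s; expired now: %v\n",
		tok.TokenType, exp.Format(time.RFC3339), IsExpired(exp))
	fmt.Println("expired 30 minutes from now:", isExpiredAt(exp, received.Add(30*time.Minute)))
}
```

Keeping the clock as a parameter of isExpiredAt is what makes the boundary behaviour testable; a check that reads time.Now() internally cannot be exercised at the exact second of expiry.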
func GetAccessTokenFromAPIToken ¶
GetAccessTokenFromAPIToken fetches CSP access token using the API-token.
func TanzuLogin ¶ added in v1.2.0
func TanzuLogin(issuerURL string, opts ...LoginOption) (*Token, error)
type TokenSource ¶
type TokenSource struct {
oauth2.TokenSource
}
TokenSource supplies PerRPCCredentials from an oauth2.TokenSource using CSP as the IDP. It supplies the access token through the authorization header and the id_token through the user-Id header.
func (TokenSource) GetRequestMetadata ¶
GetRequestMetadata gets the request metadata as a map from a TokenSource.
func (TokenSource) RequireTransportSecurity ¶
func (ts TokenSource) RequireTransportSecurity() bool
RequireTransportSecurity indicates whether the credentials require transport security.
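The two methods above are the contract gRPC's credentials.PerRPCCredentials interface imposes, and the security-relevant detail is RequireTransportSecurity: when it returns true, gRPC refuses to attach the credentials to a connection that is not TLS-protected, so a bearer token never travels in cleartext. The following added example, which is not the package's code, builds a dependency-free TokenSource stand-in that wraps a plain fetch function instead of an oauth2.TokenSource, produces the per-RPC metadata the documentation describes (access token in "authorization", id_token in "user-Id"), and models gRPC's insecure-connection rejection locally so it can be exercised without a server. The "Bearer " prefix, the fetch function, the attachable helper and the placeholder URI are assumptions made for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// TokenSource is a dependency-free stand-in for the package's TokenSource,
// which wraps an oauth2.TokenSource. Here it wraps a function returning the
// current access token and id_token (assumption made for this example).
type TokenSource struct {
	fetch func() (accessToken, idToken string, err error)
}

// GetRequestMetadata has the method shape credentials.PerRPCCredentials
// requires. It places the access token in the "authorization" header and the
// id_token in the "user-Id" header, as the package documents; the "Bearer "
// prefix is an assumption about the header format.
func (ts TokenSource) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
	if err := ctx.Err(); err != nil {
		return nil, err // do not mint headers for an RPC that is already cancelled
	}
	access, id, err := ts.fetch()
	if err != nil {
		return nil, fmt.Errorf("fetch csp token: %w", err)
	}
	if access == "" {
		return nil, errors.New("csp token source returned an empty access token")
	}
	md := map[string]string{"authorization": "Bearer " + access}
	if id != "" {
		md["user-Id"] = id
	}
	return md, nil
}

// RequireTransportSecurity returns true: a bearer token is a replayable
// credential, so it must only be sent over a TLS-protected connection.
func (ts TokenSource) RequireTransportSecurity() bool { return true }

// perRPCCredentials restates the two-method contract so the compiler verifies
// that TokenSource satisfies the same shape as credentials.PerRPCCredentials.
type perRPCCredentials interface {
	GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)
	RequireTransportSecurity() bool
}

// attachable models the rule gRPC applies when dialling: per-RPC credentials
// that require transport security are rejected on an insecure connection.
func attachable(creds perRPCCredentials, transportSecure bool) error {
	if creds.RequireTransportSecurity() && !transportSecure {
		return errors.New("credentials require transport security but the connection is insecure")
	}
	return nil
}

// staticSource builds a TokenSource from fixed values, in the spirit of WithStaticCreds.
func staticSource(accessToken, idToken string) TokenSource {
	return TokenSource{fetch: func() (string, string, error) { return accessToken, idToken, nil }}
}

func main() {
	// Constructed placeholder credentials and method URI for demonstration only.
	ts := staticSource("PLACEHOLDER_ACCESS_TOKEN", "PLACEHOLDER_ID_TOKEN")
	md, err := ts.GetRequestMetadata(context.Background(), "/example.Service/Method")
	fmt.Println(md, err)
	fmt.Println("insecure dial allowed:", attachable(ts, false) == nil)
	fmt.Println("TLS dial allowed:", attachable(ts, true) == nil)
}
```

The interface assertion is worth keeping in real code too: if a future edit changes a method signature, the build fails instead of the credentials silently no longer being recognised as PerRPCCredentials.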