jwt

package module
v2.7.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 29, 2024 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Overview

* Copyright 2020 The NATS Authors * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License.

Index

Constants

View Source
const (
	NoLimit    = -1
	AnyAccount = "*"
)

NoLimit is used to indicate a limit field is unlimited in value.

View Source
const (
	ClusterTrafficSystem = "system"
	ClusterTrafficOwner  = "owner"
)
View Source
const (
	// OperatorClaim is the type of an operator JWT
	OperatorClaim = "operator"
	// AccountClaim is the type of an Account JWT
	AccountClaim = "account"
	// UserClaim is the type of an user JWT
	UserClaim = "user"
	// ActivationClaim is the type of an activation JWT
	ActivationClaim = "activation"
	// AuthorizationRequestClaim is the type of an auth request claim JWT
	AuthorizationRequestClaim = "authorization_request"
	// AuthorizationResponseClaim is the response for an auth request
	AuthorizationResponseClaim = "authorization_response"
	// GenericClaim is a type that doesn't match Operator/Account/User/ActionClaim
	GenericClaim = "generic"
)
View Source
const (
	// ResponseTypeSingleton is used for a service that sends a single response only
	ResponseTypeSingleton = "Singleton"

	// ResponseTypeStream is used for a service that will send multiple responses
	ResponseTypeStream = "Stream"

	// ResponseTypeChunked is used for a service that sends a single response in chunks (so not quite a stream)
	ResponseTypeChunked = "Chunked"
)
View Source
const (
	// Version is semantic version.
	Version = "2.4.0"

	// TokenTypeJwt is the JWT token type supported JWT tokens
	// encoded and decoded by this library
	// from RFC7519 5.1 "typ":
	// it is RECOMMENDED that "JWT" always be spelled using uppercase characters for compatibility
	TokenTypeJwt = "JWT"

	// AlgorithmNkey is the algorithm supported by JWT tokens
	// encoded and decoded by this library
	AlgorithmNkeyOld = "ed25519"
	AlgorithmNkey    = AlgorithmNkeyOld + "-nkey"
)
View Source
const (
	ConnectionTypeStandard   = "STANDARD"
	ConnectionTypeWebsocket  = "WEBSOCKET"
	ConnectionTypeLeafnode   = "LEAFNODE"
	ConnectionTypeLeafnodeWS = "LEAFNODE_WS"
	ConnectionTypeMqtt       = "MQTT"
	ConnectionTypeMqttWS     = "MQTT_WS"
	ConnectionTypeInProcess  = "IN_PROCESS"
)
View Source
const All = "*"
View Source
const Headers = SamplingRate(0)
View Source
const MaxInfoLength = 8 * 1024

Variables

This section is empty.

Functions

func DecorateJWT

func DecorateJWT(jwtString string) ([]byte, error)

DecorateJWT returns a decorated JWT that describes the kind of JWT

func DecorateSeed

func DecorateSeed(seed []byte) ([]byte, error)

DecorateSeed takes a seed and returns a string that wraps the seed in the form:

************************* IMPORTANT *************************
NKEY Seed printed below can be used sign and prove identity.
NKEYs are sensitive and should be treated as secrets.

-----BEGIN USER NKEY SEED-----
SUAIO3FHUX5PNV2LQIIP7TZ3N4L7TX3W53MQGEIVYFIGA635OZCKEYHFLM
------END USER NKEY SEED------

func FormatUserConfig

func FormatUserConfig(jwtString string, seed []byte) ([]byte, error)

FormatUserConfig returns a decorated file with a decorated JWT and decorated seed

func IsGenericClaimType

func IsGenericClaimType(s string) bool

func IssueUserJWT

func IssueUserJWT(scopedSigningKey nkeys.KeyPair, accountId string, publicUserKey string, name string, expirationDuration time.Duration, tags ...string) (string, error)

IssueUserJWT takes an account scoped signing key, account id, and use public key (and optionally a user's name, an expiration duration and tags) and returns a valid signed JWT. The scopedSigningKey, is a mandatory account scoped signing nkey pair to sign the generated jwt (note that it _must_ be a signing key attached to the account (and a _scoped_ signing key), not the account's private (seed) key). The accountId, is a mandatory public account nkey. Will return error when not set or not account nkey. The publicUserKey, is a mandatory public user nkey. Will return error when not set or not user nkey. The name, is an optional human-readable name. When absent, default to publicUserKey. The expirationDuration, is an optional but recommended duration, when the generated jwt needs to expire. If not set, JWT will not expire. The tags, is an optional list of tags to be included in the JWT.

Returns: string, resulting jwt. error, when issues arose.

func ParseDecoratedJWT

func ParseDecoratedJWT(contents []byte) (string, error)

ParseDecoratedJWT takes a creds file and returns the JWT portion.

func ParseDecoratedNKey

func ParseDecoratedNKey(contents []byte) (nkeys.KeyPair, error)

ParseDecoratedNKey takes a creds file, finds the NKey portion and creates a key pair from it.

func ParseDecoratedUserNKey

func ParseDecoratedUserNKey(contents []byte) (nkeys.KeyPair, error)

ParseDecoratedUserNKey takes a creds file, finds the NKey portion and creates a key pair from it. Similar to ParseDecoratedNKey but fails for non-user keys.

func ParseServerVersion

func ParseServerVersion(version string) (int, int, int, error)

func ValidateOperatorServiceURL

func ValidateOperatorServiceURL(v string) error

ValidateOperatorServiceURL returns an error if the URL is not a valid NATS or TLS url.

Types

type Account

type Account struct {
	Imports            Imports               `json:"imports,omitempty"`
	Exports            Exports               `json:"exports,omitempty"`
	Limits             OperatorLimits        `json:"limits,omitempty"`
	SigningKeys        SigningKeys           `json:"signing_keys,omitempty"`
	Revocations        RevocationList        `json:"revocations,omitempty"`
	DefaultPermissions Permissions           `json:"default_permissions,omitempty"`
	Mappings           Mapping               `json:"mappings,omitempty"`
	Authorization      ExternalAuthorization `json:"authorization,omitempty"`
	Trace              *MsgTrace             `json:"trace,omitempty"`
	ClusterTraffic     ClusterTraffic        `json:"cluster_traffic,omitempty"`
	Info
	GenericFields
}

Account holds account specific claims data

func (*Account) AddMapping

func (a *Account) AddMapping(sub Subject, to ...WeightedMapping)

func (*Account) EnableExternalAuthorization

func (a *Account) EnableExternalAuthorization(users ...string)

Helper function to setup external authorization.

func (*Account) HasExternalAuthorization

func (a *Account) HasExternalAuthorization() bool

Helper function to determine if external authorization is enabled.

func (*Account) Validate

func (a *Account) Validate(acct *AccountClaims, vr *ValidationResults)

Validate checks if the account is valid, based on the wrapper

type AccountClaims

type AccountClaims struct {
	ClaimsData
	Account `json:"nats,omitempty"`
}

AccountClaims defines the body of an account JWT

func DecodeAccountClaims

func DecodeAccountClaims(token string) (*AccountClaims, error)

DecodeAccountClaims decodes account claims from a JWT string

func NewAccountClaims

func NewAccountClaims(subject string) *AccountClaims

NewAccountClaims creates a new account JWT

func (*AccountClaims) ClaimType

func (a *AccountClaims) ClaimType() ClaimType

func (*AccountClaims) Claims

func (a *AccountClaims) Claims() *ClaimsData

Claims returns the accounts claims data

func (*AccountClaims) ClearRevocation

func (a *AccountClaims) ClearRevocation(pubKey string)

ClearRevocation removes any revocation for the public key

func (*AccountClaims) DidSign

func (a *AccountClaims) DidSign(c Claims) bool

DidSign checks the claims against the account's public key and its signing keys

func (*AccountClaims) Encode

func (a *AccountClaims) Encode(pair nkeys.KeyPair) (string, error)

Encode converts account claims into a JWT string

func (*AccountClaims) ExpectedPrefixes

func (a *AccountClaims) ExpectedPrefixes() []nkeys.PrefixByte

ExpectedPrefixes defines the types that can encode an account jwt, account and operator

func (*AccountClaims) GetTags

func (a *AccountClaims) GetTags() TagList

func (*AccountClaims) IsClaimRevoked

func (a *AccountClaims) IsClaimRevoked(claim *UserClaims) bool

IsClaimRevoked checks if the account revoked the claim passed in. Invalid claims (nil, no Subject or IssuedAt) will return true.

func (*AccountClaims) Payload

func (a *AccountClaims) Payload() interface{}

Payload pulls the accounts specific payload out of the claims

func (*AccountClaims) Revoke

func (a *AccountClaims) Revoke(pubKey string)

Revoke enters a revocation by public key using time.Now().

func (*AccountClaims) RevokeAt

func (a *AccountClaims) RevokeAt(pubKey string, timestamp time.Time)

RevokeAt enters a revocation by public key and timestamp into this account This will revoke all jwt issued for pubKey, prior to timestamp If there is already a revocation for this public key that is newer, it is kept. The value is expected to be a public key or "*" (means all public keys)

func (*AccountClaims) String

func (a *AccountClaims) String() string

func (*AccountClaims) Validate

func (a *AccountClaims) Validate(vr *ValidationResults)

Validate checks the accounts contents

type AccountLimits

type AccountLimits struct {
	Imports         int64 `json:"imports,omitempty"`         // Max number of imports
	Exports         int64 `json:"exports,omitempty"`         // Max number of exports
	WildcardExports bool  `json:"wildcards,omitempty"`       // Are wildcards allowed in exports
	DisallowBearer  bool  `json:"disallow_bearer,omitempty"` // User JWT can't be bearer token
	Conn            int64 `json:"conn,omitempty"`            // Max number of active connections
	LeafNodeConn    int64 `json:"leaf,omitempty"`            // Max number of active leaf node connections
}

func (*AccountLimits) IsUnlimited

func (a *AccountLimits) IsUnlimited() bool

IsUnlimited returns true if all limits are unlimited

type Activation

type Activation struct {
	ImportSubject Subject    `json:"subject,omitempty"`
	ImportType    ExportType `json:"kind,omitempty"`
	// IssuerAccount stores the public key for the account the issuer represents.
	// When set, the claim was issued by a signing key.
	IssuerAccount string `json:"issuer_account,omitempty"`
	GenericFields
}

Activation defines the custom parts of an activation claim

func (*Activation) IsService

func (a *Activation) IsService() bool

IsService returns true if an Activation is for a service

func (*Activation) IsStream

func (a *Activation) IsStream() bool

IsStream returns true if an Activation is for a stream

func (*Activation) Validate

func (a *Activation) Validate(vr *ValidationResults)

Validate checks the exports and limits in an activation JWT

type ActivationClaims

type ActivationClaims struct {
	ClaimsData
	Activation `json:"nats,omitempty"`
}

ActivationClaims holds the data specific to an activation JWT

func DecodeActivationClaims

func DecodeActivationClaims(token string) (*ActivationClaims, error)

DecodeActivationClaims tries to create an activation claim from a JWT string

func NewActivationClaims

func NewActivationClaims(subject string) *ActivationClaims

NewActivationClaims creates a new activation claim with the provided sub

func (*ActivationClaims) ClaimType

func (a *ActivationClaims) ClaimType() ClaimType

func (*ActivationClaims) Claims

func (a *ActivationClaims) Claims() *ClaimsData

Claims returns the generic part of the JWT

func (*ActivationClaims) Encode

func (a *ActivationClaims) Encode(pair nkeys.KeyPair) (string, error)

Encode turns an activation claim into a JWT strimg

func (*ActivationClaims) ExpectedPrefixes

func (a *ActivationClaims) ExpectedPrefixes() []nkeys.PrefixByte

ExpectedPrefixes defines the types that can sign an activation jwt, account and oeprator

func (*ActivationClaims) HashID

func (a *ActivationClaims) HashID() (string, error)

HashID returns a hash of the claims that can be used to identify it. The hash is calculated by creating a string with issuerPubKey.subjectPubKey.<subject> and constructing the sha-256 hash and base32 encoding that. <subject> is the exported subject, minus any wildcards, so foo.* becomes foo. the one special case is that if the export start with "*" or is ">" the <subject> "_"

func (*ActivationClaims) Payload

func (a *ActivationClaims) Payload() interface{}

Payload returns the activation specific part of the JWT

func (*ActivationClaims) String

func (a *ActivationClaims) String() string

func (*ActivationClaims) Validate

func (a *ActivationClaims) Validate(vr *ValidationResults)

Validate checks the claims

type AuthorizationRequest

type AuthorizationRequest struct {
	Server            ServerID          `json:"server_id"`
	UserNkey          string            `json:"user_nkey"`
	ClientInformation ClientInformation `json:"client_info"`
	ConnectOptions    ConnectOptions    `json:"connect_opts"`
	TLS               *ClientTLS        `json:"client_tls,omitempty"`
	RequestNonce      string            `json:"request_nonce,omitempty"`
	GenericFields
}

AuthorizationRequest represents all the information we know about the client that will be sent to an external authorization service.

type AuthorizationRequestClaims

type AuthorizationRequestClaims struct {
	ClaimsData
	AuthorizationRequest `json:"nats"`
}

AuthorizationRequestClaims defines an external auth request JWT. These wil be signed by a NATS server.

func DecodeAuthorizationRequestClaims

func DecodeAuthorizationRequestClaims(token string) (*AuthorizationRequestClaims, error)

DecodeAuthorizationRequestClaims tries to parse an auth request claims from a JWT string

func NewAuthorizationRequestClaims

func NewAuthorizationRequestClaims(subject string) *AuthorizationRequestClaims

NewAuthorizationRequestClaims creates an auth request JWT with the specific subject/public key.

func (*AuthorizationRequestClaims) ClaimType

func (ac *AuthorizationRequestClaims) ClaimType() ClaimType

func (*AuthorizationRequestClaims) Claims

func (ac *AuthorizationRequestClaims) Claims() *ClaimsData

Claims returns the request claims data.

func (*AuthorizationRequestClaims) Encode

func (ac *AuthorizationRequestClaims) Encode(pair nkeys.KeyPair) (string, error)

Encode tries to turn the auth request claims into a JWT string.

func (*AuthorizationRequestClaims) ExpectedPrefixes

func (ac *AuthorizationRequestClaims) ExpectedPrefixes() []nkeys.PrefixByte

ExpectedPrefixes defines the types that can encode an auth request jwt, servers.

func (*AuthorizationRequestClaims) Payload

func (ac *AuthorizationRequestClaims) Payload() interface{}

Payload pulls the request specific payload out of the claims.

func (*AuthorizationRequestClaims) String

func (ac *AuthorizationRequestClaims) String() string

func (*AuthorizationRequestClaims) Validate

Validate checks the generic and specific parts of the auth request jwt.

type AuthorizationResponse

type AuthorizationResponse struct {
	Jwt   string `json:"jwt,omitempty"`
	Error string `json:"error,omitempty"`
	// IssuerAccount stores the public key for the account the issuer represents.
	// When set, the claim was issued by a signing key.
	IssuerAccount string `json:"issuer_account,omitempty"`
	GenericFields
}

type AuthorizationResponseClaims

type AuthorizationResponseClaims struct {
	ClaimsData
	AuthorizationResponse `json:"nats"`
}

func DecodeAuthorizationResponseClaims

func DecodeAuthorizationResponseClaims(token string) (*AuthorizationResponseClaims, error)

DecodeAuthorizationResponseClaims tries to parse an auth request claims from a JWT string

func NewAuthorizationResponseClaims

func NewAuthorizationResponseClaims(subject string) *AuthorizationResponseClaims

func (*AuthorizationResponseClaims) ClaimType

func (ar *AuthorizationResponseClaims) ClaimType() ClaimType

func (*AuthorizationResponseClaims) Claims

Claims returns the request claims data.

func (*AuthorizationResponseClaims) Encode

Encode tries to turn the auth request claims into a JWT string.

func (*AuthorizationResponseClaims) ExpectedPrefixes

func (ar *AuthorizationResponseClaims) ExpectedPrefixes() []nkeys.PrefixByte

ExpectedPrefixes defines the types that can encode an auth request jwt, servers.

func (*AuthorizationResponseClaims) Payload

func (ar *AuthorizationResponseClaims) Payload() interface{}

Payload pulls the request specific payload out of the claims.

func (*AuthorizationResponseClaims) String

func (ar *AuthorizationResponseClaims) String() string

func (*AuthorizationResponseClaims) Validate

Validate checks the generic and specific parts of the auth request jwt.

type CIDRList

type CIDRList TagList

func (*CIDRList) Add

func (c *CIDRList) Add(p ...string)

func (*CIDRList) Contains

func (c *CIDRList) Contains(p string) bool

func (*CIDRList) Remove

func (c *CIDRList) Remove(p ...string)

func (*CIDRList) Set

func (c *CIDRList) Set(values string)

func (*CIDRList) UnmarshalJSON

func (c *CIDRList) UnmarshalJSON(body []byte) (err error)

type ClaimType

type ClaimType string

ClaimType is used to indicate the type of JWT being stored in a Claim

type Claims

type Claims interface {
	Claims() *ClaimsData
	Encode(kp nkeys.KeyPair) (string, error)
	ExpectedPrefixes() []nkeys.PrefixByte
	Payload() interface{}
	String() string
	Validate(vr *ValidationResults)
	ClaimType() ClaimType
	// contains filtered or unexported methods
}

Claims is a JWT claims

func Decode

func Decode(token string) (Claims, error)

Decode takes a JWT string decodes it and validates it and return the embedded Claims. If the token header doesn't match the expected algorithm, or the claim is not valid or verification fails an error is returned.

type ClaimsData

type ClaimsData struct {
	Audience  string `json:"aud,omitempty"`
	Expires   int64  `json:"exp,omitempty"`
	ID        string `json:"jti,omitempty"`
	IssuedAt  int64  `json:"iat,omitempty"`
	Issuer    string `json:"iss,omitempty"`
	Name      string `json:"name,omitempty"`
	NotBefore int64  `json:"nbf,omitempty"`
	Subject   string `json:"sub,omitempty"`
}

ClaimsData is the base struct for all claims

func (*ClaimsData) IsSelfSigned

func (c *ClaimsData) IsSelfSigned() bool

IsSelfSigned returns true if the claims issuer is the subject

func (*ClaimsData) String

func (c *ClaimsData) String(claim interface{}) string

Returns a JSON representation of the claim

func (*ClaimsData) Validate

func (c *ClaimsData) Validate(vr *ValidationResults)

Validate checks a claim to make sure it is valid. Validity checks include expiration and not before constraints.

type ClientInformation

type ClientInformation struct {
	Host    string  `json:"host,omitempty"`
	ID      uint64  `json:"id,omitempty"`
	User    string  `json:"user,omitempty"`
	Name    string  `json:"name,omitempty"`
	Tags    TagList `json:"tags,omitempty"`
	NameTag string  `json:"name_tag,omitempty"`
	Kind    string  `json:"kind,omitempty"`
	Type    string  `json:"type,omitempty"`
	MQTT    string  `json:"mqtt_id,omitempty"`
	Nonce   string  `json:"nonce,omitempty"`
}

ClientInformation is information about a client that is trying to authorize.

type ClientTLS

type ClientTLS struct {
	Version        string       `json:"version,omitempty"`
	Cipher         string       `json:"cipher,omitempty"`
	Certs          StringList   `json:"certs,omitempty"`
	VerifiedChains []StringList `json:"verified_chains,omitempty"`
}

ClientTLS is information about TLS state if present, including client certs. If the client certs were present and verified they will be under verified chains with the client peer cert being VerifiedChains[0]. These are complete and pem encoded. If they were not verified, they will be under certs.

type ClusterTraffic

type ClusterTraffic string

func (ClusterTraffic) Valid

func (ct ClusterTraffic) Valid() error

type ConnectOptions

type ConnectOptions struct {
	JWT         string `json:"jwt,omitempty"`
	Nkey        string `json:"nkey,omitempty"`
	SignedNonce string `json:"sig,omitempty"`
	Token       string `json:"auth_token,omitempty"`
	Username    string `json:"user,omitempty"`
	Password    string `json:"pass,omitempty"`
	Name        string `json:"name,omitempty"`
	Lang        string `json:"lang,omitempty"`
	Version     string `json:"version,omitempty"`
	Protocol    int    `json:"protocol"`
}

ConnectOptions represents options that were set in the CONNECT protocol from the client during authorization.

type Export

type Export struct {
	Name                 string          `json:"name,omitempty"`
	Subject              Subject         `json:"subject,omitempty"`
	Type                 ExportType      `json:"type,omitempty"`
	TokenReq             bool            `json:"token_req,omitempty"`
	Revocations          RevocationList  `json:"revocations,omitempty"`
	ResponseType         ResponseType    `json:"response_type,omitempty"`
	ResponseThreshold    time.Duration   `json:"response_threshold,omitempty"`
	Latency              *ServiceLatency `json:"service_latency,omitempty"`
	AccountTokenPosition uint            `json:"account_token_position,omitempty"`
	Advertise            bool            `json:"advertise,omitempty"`
	AllowTrace           bool            `json:"allow_trace,omitempty"`
	Info
}

Export represents a single export

func (*Export) ClearRevocation

func (e *Export) ClearRevocation(pubKey string)

ClearRevocation removes any revocation for the public key

func (*Export) IsChunkedResponse

func (e *Export) IsChunkedResponse() bool

IsChunkedResponse returns true if an export has a chunked response

func (*Export) IsClaimRevoked

func (e *Export) IsClaimRevoked(claim *ActivationClaims) bool

IsClaimRevoked checks if the activation revoked the claim passed in. Invalid claims (nil, no Subject or IssuedAt) will return true.

func (*Export) IsService

func (e *Export) IsService() bool

IsService returns true if an export is for a service

func (*Export) IsSingleResponse

func (e *Export) IsSingleResponse() bool

IsSingleResponse returns true if an export has a single response or no response type is set, also checks that the type is service

func (*Export) IsStream

func (e *Export) IsStream() bool

IsStream returns true if an export is for a stream

func (*Export) IsStreamResponse

func (e *Export) IsStreamResponse() bool

IsStreamResponse returns true if an export has a chunked response

func (*Export) Revoke

func (e *Export) Revoke(pubKey string)

Revoke enters a revocation by publickey using time.Now().

func (*Export) RevokeAt

func (e *Export) RevokeAt(pubKey string, timestamp time.Time)

RevokeAt enters a revocation by publickey and timestamp into this export If there is already a revocation for this public key that is newer, it is kept.

func (*Export) Validate

func (e *Export) Validate(vr *ValidationResults)

Validate appends validation issues to the passed in results list

type ExportType

type ExportType int

ExportType defines the type of import/export.

const (
	// Unknown is used if we don't know the type
	Unknown ExportType = iota
	// Stream defines the type field value for a stream "stream"
	Stream
	// Service defines the type field value for a service "service"
	Service
)

func (*ExportType) MarshalJSON

func (t *ExportType) MarshalJSON() ([]byte, error)

MarshalJSON marshals the enum as a quoted json string

func (ExportType) String

func (t ExportType) String() string

func (*ExportType) UnmarshalJSON

func (t *ExportType) UnmarshalJSON(b []byte) error

UnmarshalJSON unmashals a quoted json string to the enum value

type Exports

type Exports []*Export

Exports is a slice of exports

func (*Exports) Add

func (e *Exports) Add(i ...*Export)

Add appends exports to the list

func (*Exports) HasExportContainingSubject

func (e *Exports) HasExportContainingSubject(subject Subject) bool

HasExportContainingSubject checks if the export list has an export with the provided subject

func (Exports) Len

func (e Exports) Len() int

func (Exports) Less

func (e Exports) Less(i, j int) bool

func (Exports) Swap

func (e Exports) Swap(i, j int)

func (*Exports) Validate

func (e *Exports) Validate(vr *ValidationResults) error

Validate calls validate on all of the exports

type ExternalAuthorization

type ExternalAuthorization struct {
	AuthUsers       StringList `json:"auth_users,omitempty"`
	AllowedAccounts StringList `json:"allowed_accounts,omitempty"`
	XKey            string     `json:"xkey,omitempty"`
}

Enable external authorization for account users. AuthUsers are those users specified to bypass the authorization callout and should be used for the authorization service itself. AllowedAccounts specifies which accounts, if any, that the authorization service can bind an authorized user to. The authorization response, a user JWT, will still need to be signed by the correct account. If optional XKey is specified, that is the public xkey (x25519) and the server will encrypt the request such that only the holder of the private key can decrypt. The auth service can also optionally encrypt the response back to the server using it's publick xkey which will be in the authorization request.

func (*ExternalAuthorization) IsEnabled

func (ac *ExternalAuthorization) IsEnabled() bool

func (*ExternalAuthorization) Validate

func (ac *ExternalAuthorization) Validate(vr *ValidationResults)

type GenericClaims

type GenericClaims struct {
	ClaimsData
	Data map[string]interface{} `json:"nats,omitempty"`
}

GenericClaims can be used to read a JWT as a map for any non-generic fields

func DecodeGeneric

func DecodeGeneric(token string) (*GenericClaims, error)

DecodeGeneric takes a JWT string and decodes it into a ClaimsData and map

func NewGenericClaims

func NewGenericClaims(subject string) *GenericClaims

NewGenericClaims creates a map-based Claims

func (*GenericClaims) ClaimType

func (gc *GenericClaims) ClaimType() ClaimType

func (*GenericClaims) Claims

func (gc *GenericClaims) Claims() *ClaimsData

Claims returns the standard part of the generic claim

func (*GenericClaims) Encode

func (gc *GenericClaims) Encode(pair nkeys.KeyPair) (string, error)

Encode takes a generic claims and creates a JWT string

func (*GenericClaims) ExpectedPrefixes

func (gc *GenericClaims) ExpectedPrefixes() []nkeys.PrefixByte

ExpectedPrefixes returns the types allowed to encode a generic JWT, which is nil for all

func (*GenericClaims) Payload

func (gc *GenericClaims) Payload() interface{}

Payload returns the custom part of the claims data

func (*GenericClaims) String

func (gc *GenericClaims) String() string

func (*GenericClaims) Validate

func (gc *GenericClaims) Validate(vr *ValidationResults)

Validate checks the generic part of the claims data

type GenericFields

type GenericFields struct {
	Tags    TagList   `json:"tags,omitempty"`
	Type    ClaimType `json:"type,omitempty"`
	Version int       `json:"version,omitempty"`
}
type Header struct {
	Type      string `json:"typ"`
	Algorithm string `json:"alg"`
}

Header is a JWT Jose Header

func (*Header) Valid

func (h *Header) Valid() error

Valid validates the Header. It returns nil if the Header is a JWT header, and the algorithm used is the NKEY algorithm.

type Import

type Import struct {
	Name string `json:"name,omitempty"`
	// Subject field in an import is always from the perspective of the
	// initial publisher - in the case of a stream it is the account owning
	// the stream (the exporter), and in the case of a service it is the
	// account making the request (the importer).
	Subject Subject `json:"subject,omitempty"`
	Account string  `json:"account,omitempty"`
	Token   string  `json:"token,omitempty"`
	// Deprecated: use LocalSubject instead
	// To field in an import is always from the perspective of the subscriber
	// in the case of a stream it is the client of the stream (the importer),
	// from the perspective of a service, it is the subscription waiting for
	// requests (the exporter). If the field is empty, it will default to the
	// value in the Subject field.
	To Subject `json:"to,omitempty"`
	// Local subject used to subscribe (for streams) and publish (for services) to.
	// This value only needs setting if you want to change the value of Subject.
	// If the value of Subject ends in > then LocalSubject needs to end in > as well.
	// LocalSubject can contain $<number> wildcard references where number references the nth wildcard in Subject.
	// The sum of wildcard reference and * tokens needs to match the number of * token in Subject.
	LocalSubject RenamingSubject `json:"local_subject,omitempty"`
	Type         ExportType      `json:"type,omitempty"`
	Share        bool            `json:"share,omitempty"`
	AllowTrace   bool            `json:"allow_trace,omitempty"`
}

Import describes a mapping from another account into this one

func (*Import) GetTo

func (i *Import) GetTo() string

Returns the value of To without triggering the deprecation warning for a read

func (*Import) IsService

func (i *Import) IsService() bool

IsService returns true if the import is of type service

func (*Import) IsStream

func (i *Import) IsStream() bool

IsStream returns true if the import is of type stream

func (*Import) Validate

func (i *Import) Validate(actPubKey string, vr *ValidationResults)

Validate checks if an import is valid for the wrapping account

type Imports

type Imports []*Import

Imports is a list of import structs

func (*Imports) Add

func (i *Imports) Add(a ...*Import)

Add is a simple way to add imports

func (Imports) Len

func (i Imports) Len() int

func (Imports) Less

func (i Imports) Less(j, k int) bool

func (Imports) Swap

func (i Imports) Swap(j, k int)

func (*Imports) Validate

func (i *Imports) Validate(acctPubKey string, vr *ValidationResults)

Validate checks if an import is valid for the wrapping account

type Info

type Info struct {
	Description string `json:"description,omitempty"`
	InfoURL     string `json:"info_url,omitempty"`
}

func (Info) Validate

func (s Info) Validate(vr *ValidationResults)

type JetStreamLimits

type JetStreamLimits struct {
	MemoryStorage        int64 `json:"mem_storage,omitempty"`           // Max number of bytes stored in memory across all streams. (0 means disabled)
	DiskStorage          int64 `json:"disk_storage,omitempty"`          // Max number of bytes stored on disk across all streams. (0 means disabled)
	Streams              int64 `json:"streams,omitempty"`               // Max number of streams
	Consumer             int64 `json:"consumer,omitempty"`              // Max number of consumers
	MaxAckPending        int64 `json:"max_ack_pending,omitempty"`       // Max ack pending of a Stream
	MemoryMaxStreamBytes int64 `json:"mem_max_stream_bytes,omitempty"`  // Max bytes a memory backed stream can have. (0 means disabled/unlimited)
	DiskMaxStreamBytes   int64 `json:"disk_max_stream_bytes,omitempty"` // Max bytes a disk backed stream can have. (0 means disabled/unlimited)
	MaxBytesRequired     bool  `json:"max_bytes_required,omitempty"`    // Max bytes required by all Streams
}

func (*JetStreamLimits) IsUnlimited

func (j *JetStreamLimits) IsUnlimited() bool

IsUnlimited returns true if all limits are unlimited

type JetStreamTieredLimits

type JetStreamTieredLimits map[string]JetStreamLimits

type Limits

type Limits struct {
	UserLimits
	NatsLimits
}

Limits are used to control acccess for users and importing accounts

func (*Limits) IsUnlimited

func (l *Limits) IsUnlimited() bool

func (*Limits) Validate

func (l *Limits) Validate(vr *ValidationResults)

Validate checks the values in a limit struct

type Mapping

type Mapping map[Subject][]WeightedMapping

func (*Mapping) Validate

func (m *Mapping) Validate(vr *ValidationResults)

type MsgTrace

type MsgTrace struct {
	// Destination is the subject the server will send message traces to
	// if the inbound message contains the "traceparent" header and has
	// its sampled field indicating that the trace should be triggered.
	Destination Subject `json:"dest,omitempty"`
	// Sampling is used to set the probability sampling, that is, the
	// server will get a random number between 1 and 100 and trigger
	// the trace if the number is lower than this Sampling value.
	// The valid range is [1..100]. If the value is not set Validate()
	// will set the value to 100.
	Sampling int `json:"sampling,omitempty"`
}

MsgTrace holds distributed message tracing configuration

type NatsLimits

type NatsLimits struct {
	Subs    int64 `json:"subs,omitempty"`    // Max number of subscriptions
	Data    int64 `json:"data,omitempty"`    // Max number of bytes
	Payload int64 `json:"payload,omitempty"` // Max message payload
}

func (*NatsLimits) IsUnlimited

func (n *NatsLimits) IsUnlimited() bool

IsUnlimited returns true if all limits are unlimited

type Operator

type Operator struct {
	// Slice of other operator NKeys that can be used to sign on behalf of the main
	// operator identity.
	SigningKeys StringList `json:"signing_keys,omitempty"`
	// AccountServerURL is a partial URL like "https://host.domain.org:<port>/jwt/v1"
	// tools will use the prefix and build queries by appending /accounts/<account_id>
	// or /operator to the path provided. Note this assumes that the account server
	// can handle requests in a nats-account-server compatible way. See
	// https://github.com/nats-io/nats-account-server.
	AccountServerURL string `json:"account_server_url,omitempty"`
	// A list of NATS urls (tls://host:port) where tools can connect to the server
	// using proper credentials.
	OperatorServiceURLs StringList `json:"operator_service_urls,omitempty"`
	// Identity of the system account
	SystemAccount string `json:"system_account,omitempty"`
	// Min Server version
	AssertServerVersion string `json:"assert_server_version,omitempty"`
	// Signing of subordinate objects will require signing keys
	StrictSigningKeyUsage bool `json:"strict_signing_key_usage,omitempty"`
	GenericFields
}

Operator specific claims

func (*Operator) Validate

func (o *Operator) Validate(vr *ValidationResults)

Validate checks the validity of the operators contents

type OperatorClaims

type OperatorClaims struct {
	ClaimsData
	Operator `json:"nats,omitempty"`
}

OperatorClaims define the data for an operator JWT

func DecodeOperatorClaims

func DecodeOperatorClaims(token string) (*OperatorClaims, error)

DecodeOperatorClaims tries to create an operator claims from a JWt string

func NewOperatorClaims

func NewOperatorClaims(subject string) *OperatorClaims

NewOperatorClaims creates a new operator claim with the specified subject, which should be an operator public key

func (*OperatorClaims) ClaimType

func (oc *OperatorClaims) ClaimType() ClaimType

func (*OperatorClaims) Claims

func (oc *OperatorClaims) Claims() *ClaimsData

Claims returns the generic claims data

func (*OperatorClaims) DidSign

func (oc *OperatorClaims) DidSign(op Claims) bool

DidSign checks the claims against the operator's public key and its signing keys

func (*OperatorClaims) Encode

func (oc *OperatorClaims) Encode(pair nkeys.KeyPair) (string, error)

Encode the claims into a JWT string

func (*OperatorClaims) ExpectedPrefixes

func (oc *OperatorClaims) ExpectedPrefixes() []nkeys.PrefixByte

ExpectedPrefixes defines the nkey types that can sign operator claims, operator

func (*OperatorClaims) GetTags

func (oc *OperatorClaims) GetTags() TagList

func (*OperatorClaims) Payload

func (oc *OperatorClaims) Payload() interface{}

Payload returns the operator specific data for an operator JWT

func (*OperatorClaims) String

func (oc *OperatorClaims) String() string

func (*OperatorClaims) Validate

func (oc *OperatorClaims) Validate(vr *ValidationResults)

Validate the contents of the claims

type OperatorLimits

type OperatorLimits struct {
	NatsLimits
	AccountLimits
	JetStreamLimits
	JetStreamTieredLimits `json:"tiered_limits,omitempty"`
}

OperatorLimits are used to limit access by an account

func (*OperatorLimits) IsEmpty

func (o *OperatorLimits) IsEmpty() bool

IsEmpty returns true if all limits are 0/false/empty.

func (*OperatorLimits) IsJSEnabled

func (o *OperatorLimits) IsJSEnabled() bool

IsJSEnabled returns if this account claim has JS enabled either through a tier or the non tiered limits.

func (*OperatorLimits) IsUnlimited

func (o *OperatorLimits) IsUnlimited() bool

IsUnlimited returns true if all limits are unlimited

func (*OperatorLimits) Validate

func (o *OperatorLimits) Validate(vr *ValidationResults)

Validate checks that the operator limits contain valid values

type Permission

type Permission struct {
	Allow StringList `json:"allow,omitempty"`
	Deny  StringList `json:"deny,omitempty"`
}

Permission defines allow/deny subjects

func (*Permission) Empty

func (p *Permission) Empty() bool

func (*Permission) Validate

func (p *Permission) Validate(vr *ValidationResults, permitQueue bool)

Validate the allow, deny elements of a permission

type Permissions

type Permissions struct {
	Pub  Permission          `json:"pub,omitempty"`
	Sub  Permission          `json:"sub,omitempty"`
	Resp *ResponsePermission `json:"resp,omitempty"`
}

Permissions are used to restrict subject access, either on a user or for everyone on a server by default

func (*Permissions) Validate

func (p *Permissions) Validate(vr *ValidationResults)

Validate the pub and sub fields in the permissions list

type Prefix

type Prefix struct {
	nkeys.PrefixByte
}

Prefix holds the prefix byte for an NKey

type RenamingSubject

type RenamingSubject Subject

func (RenamingSubject) ToSubject

func (s RenamingSubject) ToSubject() Subject

Replaces reference tokens with *

func (RenamingSubject) Validate

func (s RenamingSubject) Validate(from Subject, vr *ValidationResults)

type ResponsePermission

type ResponsePermission struct {
	MaxMsgs int           `json:"max"`
	Expires time.Duration `json:"ttl"`
}

ResponsePermission can be used to allow responses to any reply subject that is received on a valid subscription.

func (*ResponsePermission) Validate

func (p *ResponsePermission) Validate(_ *ValidationResults)

Validate the response permission.

type ResponseType

type ResponseType string

ResponseType is used to store an export response type

type RevocationEntry

type RevocationEntry struct {
	PublicKey string
	TimeStamp int64
}

type RevocationList

type RevocationList map[string]int64

RevocationList is used to store a mapping of public keys to unix timestamps

func (RevocationList) ClearRevocation

func (r RevocationList) ClearRevocation(pubKey string)

ClearRevocation removes any revocation for the public key

func (RevocationList) IsRevoked

func (r RevocationList) IsRevoked(pubKey string, timestamp time.Time) bool

IsRevoked checks if the public key is in the revoked list with a timestamp later than the one passed in. Generally this method is called with an issue time but other time's can be used for testing.

func (RevocationList) MaybeCompact

func (r RevocationList) MaybeCompact() []RevocationEntry

MaybeCompact will compact the revocation list if jwt.All is found. Any revocation that is covered by a jwt.All revocation will be deleted, thus reducing the size of the JWT. Returns a slice of entries that were removed during the process.

func (RevocationList) Revoke

func (r RevocationList) Revoke(pubKey string, timestamp time.Time)

Revoke enters a revocation by publickey and timestamp into this export If there is already a revocation for this public key that is newer, it is kept.

type SamplingRate

type SamplingRate int

func (*SamplingRate) MarshalJSON

func (r *SamplingRate) MarshalJSON() ([]byte, error)

MarshalJSON marshals the field as "headers" or percentages

func (*SamplingRate) UnmarshalJSON

func (t *SamplingRate) UnmarshalJSON(b []byte) error

UnmarshalJSON unmashals numbers as percentages or "headers"

type Scope

type Scope interface {
	SigningKey() string
	ValidateScopedSigner(claim Claims) error
	Validate(vr *ValidationResults)
}

type ScopeType

type ScopeType int
const (
	UserScopeType ScopeType = iota + 1
)

func (*ScopeType) MarshalJSON

func (t *ScopeType) MarshalJSON() ([]byte, error)

func (ScopeType) String

func (t ScopeType) String() string

func (*ScopeType) UnmarshalJSON

func (t *ScopeType) UnmarshalJSON(b []byte) error

type ServerID

type ServerID struct {
	Name    string  `json:"name"`
	Host    string  `json:"host"`
	ID      string  `json:"id"`
	Version string  `json:"version,omitempty"`
	Cluster string  `json:"cluster,omitempty"`
	Tags    TagList `json:"tags,omitempty"`
	XKey    string  `json:"xkey,omitempty"`
}

ServerID is basic static info for a NATS server.

type ServiceLatency

type ServiceLatency struct {
	Sampling SamplingRate `json:"sampling"`
	Results  Subject      `json:"results"`
}

ServiceLatency is used when observing and exported service for latency measurements. Sampling 1-100, represents sampling rate, defaults to 100. Results is the subject where the latency metrics are published. A metric will be defined by the nats-server's ServiceLatency. Time durations are in nanoseconds. see https://github.com/nats-io/nats-server/blob/main/server/accounts.go#L524 e.g.

{
 "app": "dlc22",
 "start": "2019-09-16T21:46:23.636869585-07:00",
 "svc": 219732,
 "nats": {
   "req": 320415,
   "resp": 228268,
   "sys": 0
 },
 "total": 768415
}

func (*ServiceLatency) Validate

func (sl *ServiceLatency) Validate(vr *ValidationResults)

type SigningKeys

type SigningKeys map[string]Scope

SigningKeys is a map keyed by a public account key

func (SigningKeys) Add

func (sk SigningKeys) Add(keys ...string)

func (SigningKeys) AddScopedSigner

func (sk SigningKeys) AddScopedSigner(s Scope)

func (SigningKeys) Contains

func (sk SigningKeys) Contains(k string) bool

func (SigningKeys) GetScope

func (sk SigningKeys) GetScope(k string) (Scope, bool)

GetScope returns nil if the key is not associated

func (SigningKeys) Keys

func (sk SigningKeys) Keys() []string

func (*SigningKeys) MarshalJSON

func (sk *SigningKeys) MarshalJSON() ([]byte, error)

MarshalJSON serializes the scoped signing keys as an array

func (SigningKeys) Remove

func (sk SigningKeys) Remove(keys ...string)

func (*SigningKeys) UnmarshalJSON

func (sk *SigningKeys) UnmarshalJSON(data []byte) error

func (SigningKeys) Validate

func (sk SigningKeys) Validate(vr *ValidationResults)

type StringList

type StringList []string

StringList is a wrapper for an array of strings

func (*StringList) Add

func (u *StringList) Add(p ...string)

Add appends 1 or more strings to a list

func (*StringList) Contains

func (u *StringList) Contains(p string) bool

Contains returns true if the list contains the string

func (*StringList) Remove

func (u *StringList) Remove(p ...string)

Remove removes 1 or more strings from a list

type Subject

type Subject string

Subject is a string that represents a NATS subject

func (Subject) HasWildCards

func (s Subject) HasWildCards() bool

HasWildCards is used to check if a subject contains a > or *

func (Subject) IsContainedIn

func (s Subject) IsContainedIn(other Subject) bool

IsContainedIn does a simple test to see if the subject is contained in another subject

func (Subject) Validate

func (s Subject) Validate(vr *ValidationResults)

Validate checks that a subject string is valid, ie not empty and without spaces

type TagList

type TagList []string

TagList is a unique array of lower case strings All tag list methods lower case the strings in the arguments

func (*TagList) Add

func (u *TagList) Add(p ...string)

Add appends 1 or more tags to a list

func (*TagList) Contains

func (u *TagList) Contains(p string) bool

Contains returns true if the list contains the tags

func (*TagList) Remove

func (u *TagList) Remove(p ...string)

Remove removes 1 or more tags from a list

type TimeRange

type TimeRange struct {
	Start string `json:"start,omitempty"`
	End   string `json:"end,omitempty"`
}

TimeRange is used to represent a start and end time

func (*TimeRange) Validate

func (tr *TimeRange) Validate(vr *ValidationResults)

Validate checks the values in a time range struct

type User

type User struct {
	UserPermissionLimits
	// IssuerAccount stores the public key for the account the issuer represents.
	// When set, the claim was issued by a signing key.
	IssuerAccount string `json:"issuer_account,omitempty"`
	GenericFields
}

User defines the user specific data in a user JWT

func (*User) Validate

func (u *User) Validate(vr *ValidationResults)

Validate checks the permissions and limits in a User jwt

type UserClaims

type UserClaims struct {
	ClaimsData
	User `json:"nats,omitempty"`
}

UserClaims defines a user JWT

func DecodeUserClaims

func DecodeUserClaims(token string) (*UserClaims, error)

DecodeUserClaims tries to parse a user claims from a JWT string

func NewUserClaims

func NewUserClaims(subject string) *UserClaims

NewUserClaims creates a user JWT with the specific subject/public key

func (*UserClaims) ClaimType

func (u *UserClaims) ClaimType() ClaimType

func (*UserClaims) Claims

func (u *UserClaims) Claims() *ClaimsData

Claims returns the generic data from a user jwt

func (*UserClaims) Encode

func (u *UserClaims) Encode(pair nkeys.KeyPair) (string, error)

Encode tries to turn the user claims into a JWT string

func (*UserClaims) ExpectedPrefixes

func (u *UserClaims) ExpectedPrefixes() []nkeys.PrefixByte

ExpectedPrefixes defines the types that can encode a user JWT, account

func (*UserClaims) GetTags

func (u *UserClaims) GetTags() TagList

func (*UserClaims) HasEmptyPermissions

func (u *UserClaims) HasEmptyPermissions() bool

func (*UserClaims) IsBearerToken

func (u *UserClaims) IsBearerToken() bool

IsBearerToken returns true if nonce-signing requirements should be skipped

func (*UserClaims) Payload

func (u *UserClaims) Payload() interface{}

Payload returns the user specific data from a user JWT

func (*UserClaims) SetScoped

func (u *UserClaims) SetScoped(t bool)

func (*UserClaims) String

func (u *UserClaims) String() string

func (*UserClaims) Validate

func (u *UserClaims) Validate(vr *ValidationResults)

Validate checks the generic and specific parts of the user jwt

type UserLimits

type UserLimits struct {
	Src    CIDRList    `json:"src,omitempty"`
	Times  []TimeRange `json:"times,omitempty"`
	Locale string      `json:"times_location,omitempty"`
}

Src is a comma separated list of CIDR specifications

func (*UserLimits) Empty

func (u *UserLimits) Empty() bool

func (*UserLimits) IsUnlimited

func (u *UserLimits) IsUnlimited() bool

type UserPermissionLimits

type UserPermissionLimits struct {
	Permissions
	Limits
	BearerToken            bool       `json:"bearer_token,omitempty"`
	AllowedConnectionTypes StringList `json:"allowed_connection_types,omitempty"`
}

type UserScope

type UserScope struct {
	Kind        ScopeType            `json:"kind"`
	Key         string               `json:"key"`
	Role        string               `json:"role"`
	Template    UserPermissionLimits `json:"template"`
	Description string               `json:"description"`
}

func NewUserScope

func NewUserScope() *UserScope

func (UserScope) SigningKey

func (us UserScope) SigningKey() string

func (UserScope) Validate

func (us UserScope) Validate(vr *ValidationResults)

func (UserScope) ValidateScopedSigner

func (us UserScope) ValidateScopedSigner(c Claims) error

type ValidationIssue

type ValidationIssue struct {
	Description string
	Blocking    bool
	TimeCheck   bool
}

ValidationIssue represents an issue during JWT validation, it may or may not be a blocking error

func (*ValidationIssue) Error

func (ve *ValidationIssue) Error() string

type ValidationResults

type ValidationResults struct {
	Issues []*ValidationIssue
}

ValidationResults is a list of ValidationIssue pointers

func CreateValidationResults

func CreateValidationResults() *ValidationResults

CreateValidationResults creates an empty list of validation issues

func (*ValidationResults) Add

func (v *ValidationResults) Add(vi *ValidationIssue)

Add appends an issue to the list

func (*ValidationResults) AddError

func (v *ValidationResults) AddError(format string, args ...interface{})

AddError creates a new validation error and adds it to the list

func (*ValidationResults) AddTimeCheck

func (v *ValidationResults) AddTimeCheck(format string, args ...interface{})

AddTimeCheck creates a new validation issue related to a time check and adds it to the list

func (*ValidationResults) AddWarning

func (v *ValidationResults) AddWarning(format string, args ...interface{})

AddWarning creates a new validation warning and adds it to the list

func (*ValidationResults) Errors

func (v *ValidationResults) Errors() []error

Errors returns only blocking issues as errors

func (*ValidationResults) IsBlocking

func (v *ValidationResults) IsBlocking(includeTimeChecks bool) bool

IsBlocking returns true if the list contains a blocking error

func (*ValidationResults) IsEmpty

func (v *ValidationResults) IsEmpty() bool

IsEmpty returns true if the list is empty

func (*ValidationResults) Warnings

func (v *ValidationResults) Warnings() []string

Warnings returns only non blocking issues as strings

type WeightedMapping

type WeightedMapping struct {
	Subject Subject `json:"subject"`
	Weight  uint8   `json:"weight,omitempty"`
	Cluster string  `json:"cluster,omitempty"`
}

Mapping for publishes

func (*WeightedMapping) GetWeight

func (m *WeightedMapping) GetWeight() uint8

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL