bascule

package module
v0.9.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 6, 2020 License: Apache-2.0 Imports: 11 Imported by: 19

README

bascule

The library for authorization: both acquiring and validating.

Build Status codecov.io Code Climate Issue Count Go Report Card Apache V2 License GitHub release GoDoc Quality Gate Status

Summary

This library provides validation of Tokens used for authorization as well as a way to acquire Authorization header values. Tokens can be parsed and validated from http requests. Bascule provides a generic framework that can be configured, but currently can support basic and jwt authorization.

Table of Contents

Code of Conduct

This project and everyone participating in it are governed by the XMiDT Code Of Conduct. By participating, you agree to this Code.

Acquiring Authorization

The acquire subpackage handles getting the value for an Authorization header of an http request. The JWT acquirer gets a JWT from a configurable endpoint, caches it, and will get a new JWT at a configurable time before the current JWT expires.

Validating Authorization

Validation of Tokens happens once an authorization value has been parsed into something that implements the Token interface.
The basculehttp subpackage provides http decorators/middleware that will parse an http request into a Token and validate it with configurable rules.

Read more about the basculehttp subpackage in its README.

Install

This repo is a library of packages used for the authorization. There is no installation.

Contributing

Refer to CONTRIBUTING.md.

Documentation

Overview

package bascule provides a token interface and basic implementation, which can be validated and added and taken from a context. Some basic checks which can be used to validate are also provided.

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrorKey interface{} = "error"
)

Functions

func GetNestedAttribute added in v0.9.0 

func GetNestedAttribute(attributes Attributes, keys ...string) (interface{}, bool)

GetNestedAttribute uses multiple keys in order to obtain an attribute.

func NonEmptyStringListCheck 

func NonEmptyStringListCheck(_ context.Context, vals []interface{}) error

NonEmptyStringListCheck checks that the list of values given are a list of one or more nonempty strings.

func WithAuthentication 

func WithAuthentication(ctx context.Context, auth Authentication) context.Context

WithAuthentication adds the auth given to the context given, provided a way for other users of the context to get the authentication.

Types

type Attributes 

type Attributes interface {
	Get(key string) (interface{}, bool)
}

Attributes is the interface that wraps methods which dictate how to interact with a token's attributes. Getter functions return a boolean as second element which indicates that a value of the requested type exists at the given key path.

func NewAttributes added in v0.8.0 

func NewAttributes(m map[string]interface{}) Attributes

NewAttributes builds an Attributes instance with the given map as datasource.

type Authentication 

type Authentication struct {
	Authorization Authorization
	Token         Token
	Request       Request
}

Authentication represents the output of a security pipeline.

func FromContext 

func FromContext(ctx context.Context) (Authentication, bool)

FromContext gets the Authentication from the context provided.

type Authorization 

type Authorization string

Authorization represents the authorization mechanism performed on the token, e.g. "Basic", "Bearer", etc for HTTP security environments.

type BasicAttributes added in v0.9.0 

type BasicAttributes map[string]interface{}

func (BasicAttributes) Get added in v0.9.0 

func (a BasicAttributes) Get(key string) (interface{}, bool)

type ClaimsWithLeeway 

type ClaimsWithLeeway struct {
	jwt.MapClaims
	Leeway Leeway
}

func (*ClaimsWithLeeway) GetMap added in v0.5.0 

func (c *ClaimsWithLeeway) GetMap() (map[string]interface{}, error)

GetMap returns a map of string to interfaces of the values in the ClaimsWithLeeway

func (*ClaimsWithLeeway) UnmarshalJSON added in v0.5.0 

func (c *ClaimsWithLeeway) UnmarshalJSON(data []byte) error

func (*ClaimsWithLeeway) Valid 

func (c *ClaimsWithLeeway) Valid() error

Valid implements the jwt.Claims interface, ensuring that the token claism are valid. This implementation checks the time based claims: exp, iat, nbf.

type Error 

type Error interface {
	Cause() error
	Reason() string
}

Error is an optional interface to be implemented by security related errors

type Errors 

type Errors []error

Errors is a Multierror that also acts as an error, so that a log-friendly string can be returned but each error in the list can also be accessed.

func (Errors) Error 

func (e Errors) Error() string

Error concatenates the list of error strings to provide a single string that can be used to represent the errors that occurred.

func (Errors) Errors 

func (e Errors) Errors() []error

Errors returns the list of errors.

type JWTParser 

type JWTParser interface {
	ParseJWT(string, jwt.Claims, jwt.Keyfunc) (*jwt.Token, error)
}

JWTParser parses raw Tokens into JWT objects 

var DefaultJWTParser JWTParser = defaultJWTParser{}

DefaultJWTParser is the parser implementation that simply delegates to the jwt-go library's jws.ParseJWT function.

type Leeway 

type Leeway struct {
	EXP int64 `json:"expLeeway"`
	NBF int64 `json:"nbfLeeway"`
	IAT int64 `json:"iatLeeway"`
}

Leeway is the amount of buffer to include with the time, to allow for clock skew.

type Logger 

type Logger interface {
	Log(keyvals ...interface{}) error
}

logger we expect for the decorators

func GetDefaultLoggerFunc 

func GetDefaultLoggerFunc(ctx context.Context) Logger

GetDefaultLoggerFunc a function that returns the default logger, which doesn't do anything

func NewDefaultLogger 

func NewDefaultLogger() Logger

NewDefaultLogger returns the default logger, which doesn't do anything.

type MultiError 

type MultiError interface {
	Errors() []error
}

MultiError is an interface that provides a list of errors.

type Request 

type Request struct {
	URL    *url.URL
	Method string
}

Request holds request information that may be useful for validating the token.

type Token 

type Token interface {
	// Type is the custom token type assigned by plugin code
	Type() string

	// Principal is the security principal, e.g. the user name or client id
	Principal() string

	// Attributes are an arbitrary set of name/value pairs associated with the token.
	// Typically, these will be filled with information supplied by the user, e.g. the claims of a JWT.
	Attributes() Attributes
}

Token is the behavior supplied by all secure tokens

func NewToken 

func NewToken(tokenType, principal string, attributes Attributes) Token

NewToken creates a Token from basic information. Many secure pipelines can use the returned value as their token. Specialized pipelines can create additional interfaces and augment the returned Token as desired. Alternatively, some pipelines can simply create their own Tokens out of whole cloth.

type Validator 

type Validator interface {
	Check(context.Context, Token) error
}

Validator is the rule type that determines if a Token is valid. Each rule should do exactly (1) thing, and then be composed by application-layer code. Validators are invoked for both authentication and authorization. We may need to have different rule types for those two things, but for now this works.

type ValidatorFunc 

type ValidatorFunc func(context.Context, Token) error

ValidatorFunc is the Check function that a Validator has.

func CreateAllowAllCheck 

func CreateAllowAllCheck() ValidatorFunc

CreateAllowAllCheck returns a Validator that never returns an error.

func CreateListAttributeCheck 

func CreateListAttributeCheck(keys []string, checks ...func(context.Context, []interface{}) error) ValidatorFunc

CreateListAttributeCheck returns a Validator that runs checks against the content found in the key given. It runs every check and returns all errors it finds.

func CreateNonEmptyPrincipalCheck 

func CreateNonEmptyPrincipalCheck() ValidatorFunc

CreateNonEmptyPrincipalCheck returns a Validator that checks that the token's Principal isn't an empty string.

func CreateNonEmptyTypeCheck 

func CreateNonEmptyTypeCheck() ValidatorFunc

CreateNonEmptyTypeCheck returns a Validator that checks that the token's type isn't an empty string.

func CreateValidTypeCheck 

func CreateValidTypeCheck(validTypes []string) ValidatorFunc

CreateValidTypeCheck returns a Validator that checks that the token's type is one of the given valid types.

func (ValidatorFunc) Check 

func (vf ValidatorFunc) Check(ctx context.Context, t Token) error

Check runs the validatorFunc, making a ValidatorFunc also a Validator.

type Validators 

type Validators []Validator

Validators are a list of objects that implement the Validator interface.

func (Validators) Check 

func (v Validators) Check(ctx context.Context, t Token) error

Check runs through the list of validator Checks and adds any errors returned to the list of errors, which is an Errors type.

Source Files

View all Source files

Directories

Path Synopsis
Package acquire is used for getting Auths to pass in http requests.
 Package acquire is used for getting Auths to pass in http requests.
package basculehttp contains some basic http middleware (in the form of Alice-style decorators) that can be used to extract and parse a Token from an http header, validate the Token, and allow for the consumer to add additional logs or metrics upon an error or a valid Token.
 package basculehttp contains some basic http middleware (in the form of Alice-style decorators) that can be used to extract and parse a Token from an http header, validate the Token, and allow for the consumer to add additional logs or metrics upon an error or a valid Token.
examples
acquirer Module
basculehttp Module
Package key provides a simple API for loading public and private keys from resources.
 Package key provides a simple API for loading public and private keys from resources.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.