token

package
v0.4.29 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 23, 2024 License: Apache-2.0 Imports: 27 Imported by: 0

Documentation

Overview

SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC SPDX-License-Identifier: Apache-2.0

SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC SPDX-License-Identifier: Apache-2.0

SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC SPDX-License-Identifier: Apache-2.0

SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC SPDX-License-Identifier: Apache-2.0

SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC SPDX-License-Identifier: Apache-2.0

SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC SPDX-License-Identifier: Apache-2.0

SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC SPDX-License-Identifier: Apache-2.0

SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC SPDX-License-Identifier: Apache-2.0

Index

Constants

View Source 
const (
	DefaultTrustLevelNoCertificates   = 0
	DefaultTrustLevelExpiredUntrusted = 0
	DefaultTrustLevelExpiredTrusted   = 500
	DefaultTrustLevelUntrusted        = 0
	DefaultTrustLevelTrusted          = 1000
)
View Source 
const (
	// ClaimTrust is the name of the trust value within JWT claims issued
	// by themis. This claim will be written based upon TLS connection state.
	ClaimTrust = "trust"
)
View Source 
const (
	DefaultAlg = "RS256"
)

Variables

View Source 
var (
	ErrRemoteURLRequired = errors.New("A URL for the remote claimer is required")
	ErrMissingKey        = errors.New("A key is required for all claims and metadata values")
)
View Source 
var (
	ErrVariableNotAllowed = errors.New("Either header/parameter or variable can specified, but not all three")
)

Functions

func DecodeRemoteClaimsResponse 

func DecodeRemoteClaimsResponse(_ context.Context, response *http.Response) (interface{}, error)

func DecodeServerRequest 

func DecodeServerRequest(rb RequestBuilders) func(context.Context, *http.Request) (interface{}, error)

func EncodeIssueResponse 

func EncodeIssueResponse(_ context.Context, response http.ResponseWriter, value interface{}) error

func NewClaimsEndpoint 

func NewClaimsEndpoint(cb ClaimBuilder) endpoint.Endpoint

NewClaimsEndpoint returns a go-kit endpoint that returns just the claims

func NewIssueEndpoint 

func NewIssueEndpoint(f Factory) endpoint.Endpoint

NewIssueEndpoint returns a go-kit endpoint for a token factory's NewToken method

func Unmarshal 

func Unmarshal(configKey string, b ...RequestBuilder) func(TokenIn) (TokenOut, error)

Unmarshal returns an uber/fx style factory that produces the relevant components for a single token factory.

Types

type BuildError added in v0.4.1 

type BuildError struct {
	Err error
}

BuildError is the error type usually returned by RequestBuilder.Build to indicate what happened during each request builder.

func (BuildError) Error added in v0.4.1 

func (be BuildError) Error() string

Error returns the nested error's Error text

func (BuildError) StatusCode added in v0.4.1 

func (be BuildError) StatusCode() int

StatusCode returns the largest numeric HTTP status code of any embedded errors, or http.StatusBadRequest is none of the embedded errors reported status codes.

func (BuildError) Unwrap added in v0.4.1 

func (be BuildError) Unwrap() error

type ClaimBuilder 

type ClaimBuilder interface {
	AddClaims(context.Context, *Request, map[string]interface{}) error
}

ClaimBuilder is a strategy for building token claims, given a token Request

type ClaimBuilderFunc 

type ClaimBuilderFunc func(context.Context, *Request, map[string]interface{}) error

func (ClaimBuilderFunc) AddClaims 

func (cbf ClaimBuilderFunc) AddClaims(ctx context.Context, tr *Request, target map[string]interface{}) error

type ClaimBuilders 

type ClaimBuilders []ClaimBuilder

ClaimBuilders implements a pipeline of ClaimBuilder instances, invoked in sequence.

func NewClaimBuilders 

func NewClaimBuilders(n random.Noncer, client xhttpclient.Interface, o Options) (ClaimBuilders, error)

NewClaimBuilders constructs a ClaimBuilders from configuration. The returned instance is typically used in configuration a token Factory. It can be used as a standalone service component with an endpoint.

The returned builders do not include those claims derived from HTTP requests. Claims derived from HTTP requests are handled by NewRequestBuilders and DecodeServerRequest.

func (ClaimBuilders) AddClaims 

func (cbs ClaimBuilders) AddClaims(ctx context.Context, r *Request, target map[string]interface{}) error

type ClaimsHandler 

type ClaimsHandler http.Handler

func NewClaimsHandler 

func NewClaimsHandler(e endpoint.Endpoint, rb RequestBuilders) ClaimsHandler

type ClientCertificates added in v0.4.25 

type ClientCertificates struct {
	// RootCAFile is the PEM bundle of certificates used for client certificate verification.
	// If unset, the system verifier and/or bundle is used.
	//
	// Generally, this value should be the same as the the mtls.clientCACertificateFile.
	RootCAFile string

	// IntermediatesFile is the PEM bundle of certificates used for client certificate verification.
	// If unset, no intermediary certificates are considered.
	IntermediatesFile string

	// Trust defines the trust levels to set for various situations involving
	// client certificates.
	Trust Trust
}

ClientCertificates describes how peer certificates are to be handled when it comes to issuing tokens.

type DecodeClaimsError added in v0.3.0 

type DecodeClaimsError struct {
	URL        string
	StatusCode int
	Err        error
}

func (*DecodeClaimsError) Error added in v0.3.0 

func (dce *DecodeClaimsError) Error() string

func (*DecodeClaimsError) MarshalJSON added in v0.3.0 

func (dce *DecodeClaimsError) MarshalJSON() ([]byte, error)

func (*DecodeClaimsError) Unwrap added in v0.3.0 

func (dce *DecodeClaimsError) Unwrap() error

type Factory 

type Factory interface {
	// NewToken uses a Request to produce a signed JWT token
	NewToken(context.Context, *Request) (string, error)
}

Factory is a creation strategy for signed JWT tokens

func NewFactory 

func NewFactory(o Options, cb ClaimBuilder, kr key.Registry) (Factory, error)

NewFactory creates a token Factory from a Descriptor. The supplied Noncer is used if and only if d.Nonce is true. Alternatively, supplying a nil Noncer will disable nonce creation altogether. The token's key pair is registered with the given key Registry.

type InvalidPartnerIDError added in v0.4.1 

type InvalidPartnerIDError struct{}

InvalidPartnerIDError is the error object returned when a blank, wildcard, or otherwise invalid partner id is submitted

func (InvalidPartnerIDError) Error added in v0.4.1 

func (ipe InvalidPartnerIDError) Error() string

Error returns the error string associated with an invalid partner id

func (InvalidPartnerIDError) StatusCode added in v0.4.1 

func (ipe InvalidPartnerIDError) StatusCode() int

type IssueHandler 

type IssueHandler http.Handler

func NewIssueHandler 

func NewIssueHandler(e endpoint.Endpoint, rb RequestBuilders) IssueHandler

type Options 

type Options struct {
	// Alg is the required JWT signing algorithm to use
	Alg string

	// ClientCertificates describes how peer certificates affect the issued tokens.
	// If unset, client certificates are not considered when issuing tokens.
	ClientCertificates *ClientCertificates

	// Key describes the signing key to use
	Key key.Descriptor

	// Claims is an optional map of claims to add to every token emitted by this factory.
	// Any claims here can be overridden by claims within a token Request.
	//
	// None of these claims receive any special processing.  They are copied as is from the HTTP request
	// or statically from configuration.  For special processing around the partner id, set the PartnerID field.
	Claims []Value

	// Metadata describes non-claim data, which can be statically configured or supplied via a request
	Metadata []Value

	// PartnerID is the optional partner id configuration.  If unset, no partner id processing is
	// performed, though a partner id may still be configured as part of the claims.
	PartnerID *PartnerID

	// Nonce indicates whether a nonce (jti) should be applied to each token emitted
	// by this factory.
	Nonce bool

	// DisableTime completely disables all time-based claims, such as iat.  Setting this to true
	// also causes Duration and NotBeforeDelta to be ignored.
	DisableTime bool

	// Duration specifies how long the token should be valid for.  An exp claim is set
	// using this duration from the current time if this field is positive.
	Duration time.Duration

	// DisableNotBefore specifically controls the nbf claim.
	DisableNotBefore bool

	// NotBeforeDelta is a golang duration that determines the nbf field.  This field
	// is parsed and added to the current time at the moment a token is issued.  The result
	// is set as an nbf claim.  Note that the duration may be zero or negative.
	//
	// If either DisableTime or DisableNotBefore are true, this field is ignored and no nbf claim is emitted.
	NotBeforeDelta time.Duration

	// Remote specifies an optional external system that takes metadata from a token request
	// and returns a set of claims to be merged into tokens returned by the Factory.  Returned
	// claims from the remote system do not override claims configured on the Factory.
	Remote *RemoteClaims
}

Options holds the configurable information for a token Factory

type PartnerID added in v0.4.1 

type PartnerID struct {
	// Claim is the name of the claim key for the partner id.  If unset, no claim is set.
	Claim string

	// Metadata is the name of the metadata key for the partner id.  If unset, no metadata
	// is set and thus the partner id won't be transmitted to remote systems.
	Metadata string

	// Header is the HTTP header containing the partner id
	Header string

	// Parameter is the HTTP parameter containing the partner id
	Parameter string

	// Default is the default value for the partner id
	Default string
}

PartnerID describes how to extract the partner id from an HTTP request. Partner IDs require some special processing.

type RemoteClaims 

type RemoteClaims struct {
	// Method is the HTTP method used to invoke the URL
	Method string

	// URL is the remote endpoint that is expected to receive Request.Metadata and return a JSON document
	// which is merged into the token claims
	URL string
}

RemoteClaims describes a remote HTTP endpoint that can produce claims given the metadata from a token request.

type Request 

type Request struct {
	// Logger is the zap logger which can be used to log information about the request.
	// This field is always set.
	Logger *zap.Logger

	// Claims holds the extra claims to add to tokens.  These claims will override any configured claims in a Factory,
	// but will not override time-based claims such as nbf or exp.
	Claims map[string]interface{}

	// Metadata holds non-claim information about the request, usually garnered from the original HTTP request.  This
	// metadata is available to lower levels of infrastructure used by the Factory.
	Metadata map[string]interface{}

	// TLS represents the state of any underlying TLS connection.
	// For non-tls connections, this field is unset.
	TLS *tls.ConnectionState
}

Request is a token creation request. Clients can pass in arbitrary claims, typically things like "iss", to merge and override anything set on the factory via configuration.

func BuildRequest 

func BuildRequest(original *http.Request, rb RequestBuilders) (*Request, error)

BuildRequest applies a sequence of RequestBuilder instances to produce a token factory Request

func NewRequest 

func NewRequest() *Request

NewRequest returns an empty, fully initialized token Request

type RequestBuilder 

type RequestBuilder interface {
	Build(*http.Request, *Request) error
}

RequestBuilder is a strategy for building a token factory Request from an HTTP request.

Note: before invoking a RequestBuilder, calling code should parse the HTTP request form.

type RequestBuilderFunc 

type RequestBuilderFunc func(*http.Request, *Request) error

func (RequestBuilderFunc) Build 

func (rbf RequestBuilderFunc) Build(original *http.Request, tr *Request) error

type RequestBuilders 

type RequestBuilders []RequestBuilder

RequestBuilders represents a set of RequestBuilder strategies that can be invoked in sequence.

func NewRequestBuilders 

func NewRequestBuilders(o Options) (RequestBuilders, error)

NewRequestBuilders creates a RequestBuilders sequence given an Options configuration. Only claims and metadata that are HTTP-based are included in the results. Claims and metadata that are statically assigned values are handled by ClaimBuilder objects and are part of the Factory configuration.

func (RequestBuilders) Build 

func (rbs RequestBuilders) Build(original *http.Request, tr *Request) error

Build invokes each request builder in sequence. Prior to invoking any of the chain of builders,

type TokenIn 

type TokenIn struct {
	fx.In

	Logger       *zap.Logger
	Noncer       random.Noncer `optional:"true"`
	Keys         key.Registry
	Unmarshaller config.Unmarshaller
	Client       xhttpclient.Interface `optional:"true"`
}

type TokenOut 

type TokenOut struct {
	fx.Out

	ClaimBuilder  ClaimBuilder
	Factory       Factory
	IssueHandler  IssueHandler
	ClaimsHandler ClaimsHandler
}

type Trust added in v0.4.25 

type Trust struct {
	// NoCertificates is the trust level to set when no client certificates are present.
	// If unset, DefaultTrustLevelNoCertificates is used.
	NoCertificates int

	// ExpiredUntrusted is the trust level to set when a certificate has both expired
	// and is within an CA chain that we do not trust.
	//
	// If unset, DefaultTrustLevelExpiredTrusted is used.
	ExpiredUntrusted int

	// ExpiredTrusted is the trust level to set when a certificate has both expired
	// and IS within a trusted CA chain.
	//
	// If unset, DefaultTrustLevelExpiredTrusted is used.
	ExpiredTrusted int

	// Untrusted is the trust level to set when a client has an otherwise valid
	// certificate, but that certificate is part of an untrusted chain.
	//
	// If unset, DefaultTrustLevelUntrusted is used.
	Untrusted int

	// Trusted is the trust level to set when a client certificate is part of
	//
	// If unset, DefaultTrustLevelTrusted is used.
	// a trusted CA chain.
	Trusted int
}

Trust describes the various levels of trust based upon client certificate state.

type Value 

type Value struct {
	// Key is the key to use for this value.  Typically, this is the name of a claim.
	Key string

	// Header is an HTTP header from which the value is pulled
	Header string

	// Parameter is a URL query parameter (including form data) from which the value is pulled
	Parameter string

	// Variable is a URL gorilla/mux variable from with the value is pulled
	Variable string

	// JSON is the value embedded as a JSON snippet.  If this field is set, Value is ignored.
	// Using this field is convenient to avoid viper's lowercasing of keys.  It's also handy
	// to embed arbitrary structures in claims.
	JSON string

	// Value is the statically assigned value from configuration
	Value interface{}
}

Value describes how to extract a key/value pair from either an HTTP request or from configuration.

func (Value) IsFromHTTP added in v0.4.5 

func (v Value) IsFromHTTP() bool

IsFromHTTP tests if this value is extracted from an HTTP request

func (Value) IsStatic added in v0.4.5 

func (v Value) IsStatic() bool

IsStatic tests if this value is statically configured and does not come from an HTTP request.

func (Value) RawMessage added in v0.4.5 

func (v Value) RawMessage() (json.RawMessage, error)

RawMessage precomputes the JSON for this value. If the JSON field is set, it is verified by unmarshaling. Otherwise, the Value field is marshaled.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.