package token

v0.11.3
Published: Sep 18, 2023 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (
	ErrJWKSNotFound    = errors.New("kid not found in JWKS")
	ErrJWKSInvalidType = errors.New("certificate must be ecdsa")
	ErrJWKSKeyExists   = errors.New("key with the same kid already exists")
)

Various errors returned by a JWKS.

Functions

func Fingerprint

func Fingerprint(cert *x509.Certificate) string

Fingerprint returns the fingerprint of the given certificate.

func Fprint

func Fprint(w io.Writer, token string, opts ...PrintOption) error

Fprint prints the given token string to the given io.Writer, using the methods passed as options. If you pass no option, this function is a no-op.

func FromRequest

func FromRequest(req *elemental.Request) string

FromRequest retrieves the token from the given elemental.Request, first looking at the cookie x-a3s-token, then at the request.Password.

func FromSession

func FromSession(session bahamut.Session) string

FromSession retrieves the token from the given bahamut.Session, first looking at the cookie x-a3s-token, then at session.Token().

Types

type ErrJWKSRemote

type ErrJWKSRemote struct {
	Err error
}

An ErrJWKSRemote represents an error returned while interacting with a remote JWKS.

func (ErrJWKSRemote) Error

func (e ErrJWKSRemote) Error() string

func (ErrJWKSRemote) Unwrap

func (e ErrJWKSRemote) Unwrap() error

Unwrap returns the wrapped error.

type IdentityToken

type IdentityToken struct {

	// The identity claims of the token.
	Identity []string `json:"identity"`

	// If true, the token can be used to get a new token
	// with a longer expiration time.
	Refresh bool `json:"refresh,omitempty"`

	// Opaque user information transmitted in the token.
	Opaque map[string]string `json:"opaque,omitempty"`

	// Restrictions applied on dynamically computed permissions.
	Restrictions *permissions.Restrictions `json:"restrictions,omitempty"`

	// Information relative to the authentication source used to
	// validate the bearer's Identity.
	Source Source `json:"-"`

	jwt.RegisteredClaims
}

An IdentityToken represents a normalized identity token.

func NewIdentityToken

func NewIdentityToken(source Source) *IdentityToken

NewIdentityToken returns a new IdentityToken with the given Source.

func Parse

func Parse(tokenString string, keychain *JWKS, trustedIssuer string, requiredAudience string) (*IdentityToken, error)

Parse returns a validated IdentityToken from the given token string, using the given JWKS, the mandatory trusted issuer and the required audience. The token must contain the "kid" header, and that ID must match an existing key in the JWKS. The function populates the identity token's Source using the @source* claims. The claim @source:type is mandatory, and the function returns an error if it is missing.

func ParseUnverified

func ParseUnverified(tokenString string) (*IdentityToken, error)

ParseUnverified returns a non-validated IdentityToken from the given tokenString. This method does not perform any check on the signature, issuer or audience, and should only be used to peek at some data in the token before actually verifying it.

func (*IdentityToken) JWT

func (t *IdentityToken) JWT(key crypto.PrivateKey, kid string, issuer string, audience jwt.ClaimStrings, exp time.Time, cloak []string) (string, error)

JWT returns the JWT string signed with the given crypto.PrivateKey. The given kid must match the ID of the corresponding public key. The JWT iss and aud claims will be set to the provided issuer and audience, regardless of any current values. The iat field will be set to time.Now(), also ignoring any current value. The exp field will be set to the provided time.Time; if it is a zero time.Time, any current value is kept (potentially producing an already expired token if the current value is also zero). cloak, if not empty, removes any identity claims that are not prefixed with one of the strings in the slice.

func (*IdentityToken) Restrict

func (t *IdentityToken) Restrict(restrictions permissions.Restrictions) (err error)

Restrict applies the given restrictions to the token. If the token is not already restricted, the restrictions are applied as is. If it is already restricted, the new restrictions are applied over the existing ones, and the function returns an error if the requested restrictions exceed the limits of the current ones.
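The cloak rule of the JWT method and the narrow-only rule of Restrict, as an added Go example that is not part of the package documented here. Cloak implements the prefix filter the JWT method describes; Restrictions is a constructed stand-in for permissions.Restrictions, whose real fields this page does not show, so it assumes "/"-separated namespace paths and plain-string permissions, with an empty field meaning "not restricted on that axis".

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Cloak keeps only the identity claims that start with one of the given prefixes;
// an empty cloak leaves the claims untouched, as the JWT method's cloak argument does.
func Cloak(identity, cloak []string) []string {
	if len(cloak) == 0 {
		return identity
	}
	kept := make([]string, 0, len(identity))
	for _, claim := range identity {
		for _, prefix := range cloak {
			if strings.HasPrefix(claim, prefix) {
				kept = append(kept, claim)
				break
			}
		}
	}
	return kept
}

// Restrictions is a constructed stand-in for permissions.Restrictions (assumption: the
// page does not show its fields): a namespace the token is confined to and the
// permissions it keeps. An empty field means "not restricted on that axis".
type Restrictions struct {
	Namespace   string
	Permissions []string
}

var ErrRestrictionsWiden = errors.New("requested restrictions exceed the current ones")

// Restrict applies requested over current. With no current restrictions the request is
// taken as is; otherwise each axis may only stay equal or narrow, never widen.
func Restrict(current *Restrictions, requested Restrictions) (*Restrictions, error) {
	if current == nil {
		return &requested, nil
	}
	result := *current
	if requested.Namespace != "" {
		if current.Namespace != "" && !within(requested.Namespace, current.Namespace) {
			return nil, fmt.Errorf("%w: namespace %q is outside %q", ErrRestrictionsWiden, requested.Namespace, current.Namespace)
		}
		result.Namespace = requested.Namespace
	}
	if len(requested.Permissions) > 0 {
		if len(current.Permissions) > 0 {
			allowed := map[string]bool{}
			for _, p := range current.Permissions {
				allowed[p] = true
			}
			for _, p := range requested.Permissions {
				if !allowed[p] {
					return nil, fmt.Errorf("%w: permission %q", ErrRestrictionsWiden, p)
				}
			}
		}
		result.Permissions = requested.Permissions
	}
	return &result, nil
}

// within reports whether ns equals parent or is nested beneath it ("/"-separated paths).
func within(ns, parent string) bool {
	return ns == parent || strings.HasPrefix(ns, strings.TrimSuffix(parent, "/")+"/")
}
```

Requesting nothing on an axis keeps the current, narrower value, so a caller can never use a second Restrict call to climb back to a parent namespace or regain a permission that an earlier call dropped.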

type Issuer

type Issuer interface {
	Issue() *IdentityToken
}

An Issuer is an object that can issue an IdentityToken.

type JWKS

type JWKS struct {
	Keys []*JWKSKey `json:"keys"`

	sync.RWMutex
	// contains filtered or unexported fields
}

A JWKS is a structure to manage a JSON Web Key Set.

func JWKSFromTokenIssuer

func JWKSFromTokenIssuer(ctx context.Context, idt *IdentityToken, tlsConfig *tls.Config) (*JWKS, error)

JWKSFromTokenIssuer retrieves a remote JWKS from the issuer field of the given idt, using the given tlsConfig (if any) to retrieve the JWKS. You usually want to pass a non-verified IdentityToken here (from ParseUnverified, for instance) so you can then correctly verify it using Parse().

func NewJWKS

func NewJWKS() *JWKS

NewJWKS returns a new JWKS.

func NewRemoteJWKS

func NewRemoteJWKS(ctx context.Context, client *http.Client, url string) (*JWKS, error)

NewRemoteJWKS returns a JWKS prepopulated with the data found at the given URL, fetched using the provided http.Client. If the http.Client is nil, the default client is used.

func (*JWKS) Append

func (j *JWKS) Append(cert *x509.Certificate) error

Append appends a new certificate to the JWKS.

func (*JWKS) AppendWithPrivate

func (j *JWKS) AppendWithPrivate(cert *x509.Certificate, private crypto.PrivateKey) error

AppendWithPrivate appends a new certificate and its private key to the JWKS.

func (*JWKS) Del

func (j *JWKS) Del(kid string) bool

Del deletes the key with the given ID. Returns true if something was deleted, false otherwise.

func (*JWKS) Get

func (j *JWKS) Get(kid string) (*JWKSKey, error)

Get returns the key with the given ID. Returns ErrJWKSNotFound if not found.

func (*JWKS) GetLast

func (j *JWKS) GetLast() *JWKSKey

GetLast returns the last inserted key.

type JWKSKey

type JWKSKey struct {
	KTY string `json:"kty"`
	KID string `json:"kid"`
	Use string `json:"use"`
	Alg string `json:"alg,omitempty"`
	N   string `json:"n,omitempty"`
	X   string `json:"x,omitempty"`
	Y   string `json:"y,omitempty"`
	CRV string `json:"crv,omitempty"`
	// contains filtered or unexported fields
}

JWKSKey represents a single key stored in a JWKS.

func (*JWKSKey) Curve

func (k *JWKSKey) Curve() elliptic.Curve

Curve returns the curve used by the key.

func (*JWKSKey) PrivateKey

func (k *JWKSKey) PrivateKey() crypto.PrivateKey

PrivateKey returns the crypto.PrivateKey associated with the public key, if one was given when the key was added to the JWKS.

func (*JWKSKey) PublicKey

func (k *JWKSKey) PublicKey() crypto.PublicKey

PublicKey returns a ready to use crypto.PublicKey.

type PrintOption

type PrintOption func(*printCfg)

PrintOption represents an option that can be passed to token.Print.

func PrintOptionDecoded

func PrintOptionDecoded(enabled bool) PrintOption

PrintOptionDecoded sets the printer to print the decoded information contained in the token.

func PrintOptionQRCode

func PrintOptionQRCode(enabled bool) PrintOption

PrintOptionQRCode sets the printer to print the token as a QR code.

func PrintOptionRaw

func PrintOptionRaw(enabled bool) PrintOption

PrintOptionRaw sets the printer to print the raw token.

type Source

type Source struct {
	Type      string `json:"type"`
	Namespace string `json:"namespace,omitempty"`
	Name      string `json:"name,omitempty"`
}

A Source represents the authentication source info used to derive an IdentityToken.
