Documentation ¶
Overview ¶
Package x509 provides a request authenticator that validates and extracts user information from client certificates
Index ¶
- Variables
- func DefaultVerifyOptions() x509.VerifyOptions
- func NewDynamicCAVerifier(verifyOptionsFn VerifyOptionFunc, auth authenticator.Request, ...) authenticator.Request
- func NewVerifier(opts x509.VerifyOptions, auth authenticator.Request, ...) authenticator.Request
- type Authenticator
- type StaticStringSlice
- type StringSliceProvider
- type StringSliceProviderFunc
- type UserConversion
- type UserConversionFunc
- type Verifier
- type VerifyOptionFunc
Constants ¶
This section is empty.
Variables ¶
var CommonNameUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (*authenticator.Response, bool, error) {
	if len(chain[0].Subject.CommonName) == 0 {
		return nil, false, nil
	}
	fp := sha256.Sum256(chain[0].Raw)
	id := "X509SHA256=" + hex.EncodeToString(fp[:])
	return &authenticator.Response{
		User: &user.DefaultInfo{
			Name:   chain[0].Subject.CommonName,
			Groups: chain[0].Subject.Organization,
			Extra: map[string][]string{
				user.CredentialIDKey: {id},
			},
		},
	}, true, nil
})
CommonNameUserConversion builds user info from a verified certificate chain: the leaf's subject CommonName becomes the user name, its Organization values become the groups, and the SHA-256 fingerprint of the leaf's DER encoding is recorded as the credential ID. A leaf with an empty CommonName yields no opinion (nil, false, nil) rather than an error.
Functions ¶
func DefaultVerifyOptions ¶
func DefaultVerifyOptions() x509.VerifyOptions
DefaultVerifyOptions returns VerifyOptions that use the system root certificates, current time, and requires certificates to be valid for client auth (x509.ExtKeyUsageClientAuth)
func NewDynamicCAVerifier ¶ added in v0.17.0
func NewDynamicCAVerifier(verifyOptionsFn VerifyOptionFunc, auth authenticator.Request, allowedCommonNames StringSliceProvider) authenticator.Request
NewDynamicCAVerifier creates a request.Authenticator by verifying a client cert on the request, then delegating to the wrapped auth. The CA set comes from verifyOptionsFn and may change at runtime. If allowedCommonNames yields a non-empty list, the verified certificate's subject CommonName must also appear in that list, otherwise the request is rejected before delegation.
func NewVerifier ¶
func NewVerifier(opts x509.VerifyOptions, auth authenticator.Request, allowedCommonNames sets.String) authenticator.Request
NewVerifier creates a request.Authenticator by verifying a client cert on the request, then delegating to the wrapped auth. If allowedCommonNames is non-empty, the verified certificate's subject CommonName must also be in that set, otherwise the request is rejected before delegation.
Types ¶
type Authenticator ¶
type Authenticator struct {
// contains filtered or unexported fields
}
Authenticator implements request.Authenticator by extracting user info from verified client certificates
func New ¶
func New(opts x509.VerifyOptions, user UserConversion) *Authenticator
New returns a request.Authenticator that verifies client certificates using the provided VerifyOptions, and converts valid certificate chains into user.Info using the provided UserConversion
func NewDynamic ¶ added in v0.17.0
func NewDynamic(verifyOptionsFn VerifyOptionFunc, user UserConversion) *Authenticator
NewDynamic returns a request.Authenticator that verifies client certificates using the provided VerifyOptionFunc (which may be dynamic), and converts valid certificate chains into user.Info using the provided UserConversion
func (*Authenticator) AuthenticateRequest ¶
func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error)
AuthenticateRequest authenticates the request using presented client certificates
type StaticStringSlice ¶ added in v0.17.0
type StaticStringSlice []string
StaticStringSlice is a StringSliceProvider that returns a fixed value
func (StaticStringSlice) Value ¶ added in v0.17.0
func (s StaticStringSlice) Value() []string
Value returns the current string slice. Callers should never mutate the returned value.
type StringSliceProvider ¶ added in v0.17.0
type StringSliceProvider interface {
	// Value returns the current string slice. Callers should never mutate the returned value.
	Value() []string
}
StringSliceProvider is a way to get a string slice value. It is heavily used for authentication headers among other places.
type StringSliceProviderFunc ¶ added in v0.17.0
type StringSliceProviderFunc func() []string
StringSliceProviderFunc is a function that matches the StringSliceProvider interface
func (StringSliceProviderFunc) Value ¶ added in v0.17.0
func (d StringSliceProviderFunc) Value() []string
Value returns the current string slice. Callers should never mutate the returned value.
type UserConversion ¶
type UserConversion interface {
User(chain []*x509.Certificate) (*authenticator.Response, bool, error)
}
UserConversion defines an interface for extracting user info from a client certificate chain
type UserConversionFunc ¶
type UserConversionFunc func(chain []*x509.Certificate) (*authenticator.Response, bool, error)
UserConversionFunc is a function that implements the UserConversion interface.
func (UserConversionFunc) User ¶
func (f UserConversionFunc) User(chain []*x509.Certificate) (*authenticator.Response, bool, error)
User implements x509.UserConversion
type Verifier ¶
type Verifier struct {
// contains filtered or unexported fields
}
Verifier implements request.Authenticator by verifying a client cert on the request, then delegating to the wrapped auth
func (*Verifier) AuthenticateRequest ¶
func (a *Verifier) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error)
AuthenticateRequest verifies the presented client certificate, then delegates to the wrapped auth. A request with no client certificate, or one for which the VerifyOptionFunc reports no opinion, yields no opinion (nil, false, nil); a certificate that fails verification returns an error and is never passed to the wrapped auth.
type VerifyOptionFunc ¶ added in v0.17.0
type VerifyOptionFunc func() (x509.VerifyOptions, bool)
VerifyOptionFunc is a function that provides a shallow copy of the VerifyOptions to the authenticator. This allows for cases where the options (particularly the CAs) can change. If the bool is false, the returned VerifyOptions are ignored and the authenticator expresses "no opinion", neither authenticating nor rejecting the request. This gives a clear signal for cases where a CertPool is eventually expected but not currently present.
func NewStaticVerifierFromFile ¶ added in v0.17.0
func NewStaticVerifierFromFile(clientCA string) (VerifyOptionFunc, error)
NewStaticVerifierFromFile creates a VerifyOptionFunc from a CA bundle file. The file is read once, at construction time, and an error is returned if it cannot be read or contains no usable certificates; the returned func never re-reads the file. It returns a nil function (and no error) if you pass an empty clientCA path.
func StaticVerifierFn ¶ added in v0.17.0
func StaticVerifierFn(opts x509.VerifyOptions) VerifyOptionFunc
StaticVerifierFn is a VerifyOptionFunc that always returns the same value. This allows verify options that cannot change.
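A worked example tying together three mechanisms this page documents: the CommonNameUserConversion mapping (CN to user name, Organization to groups, SHA-256 of the leaf's DER as credential ID), the Authenticator's verify-then-convert flow over req.TLS.PeerCertificates, and the VerifyOptionFunc "no opinion" signal when the CA pool is not yet present. This is an added example, not code from the apiserver package: it reimplements the behaviour with only the Go standard library, so UserInfo, Authenticator, commonNameUser, issue and Demo are this example's own names, and the root, intermediate and client certificates are throwaway Ed25519 test certs minted inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// UserInfo stands in for user.Info with only the fields this example sets (assumed shape).
type UserInfo struct{ Name, CredentialID string; Groups []string }

// Authenticator reimplements the package's verify-then-convert flow; verifyOptionsFn mirrors VerifyOptionFunc (ok == false means "no opinion").
type Authenticator struct {
	verifyOptionsFn func() (x509.VerifyOptions, bool)
	user            func(chain []*x509.Certificate) (*UserInfo, bool, error)
}

// commonNameUser reimplements CommonNameUserConversion: CN -> name, O -> groups, SHA-256 of the leaf's DER -> credential ID.
func commonNameUser(chain []*x509.Certificate) (*UserInfo, bool, error) {
	leaf := chain[0]
	if leaf.Subject.CommonName == "" {
		return nil, false, nil
	}
	fp := sha256.Sum256(leaf.Raw)
	return &UserInfo{Name: leaf.Subject.CommonName, Groups: leaf.Subject.Organization,
		CredentialID: "X509SHA256=" + hex.EncodeToString(fp[:])}, true, nil
}

func (a *Authenticator) AuthenticateRequest(req *http.Request) (*UserInfo, bool, error) {
	if req.TLS == nil || len(req.TLS.PeerCertificates) == 0 {
		return nil, false, nil // no client cert presented: no opinion
	}
	opts, ok := a.verifyOptionsFn()
	if !ok {
		return nil, false, nil // CA not configured yet: abstain rather than reject
	}
	// Intermediates sent by the client only help build the path; the chain must still end in opts.Roots.
	if opts.Intermediates == nil && len(req.TLS.PeerCertificates) > 1 {
		opts.Intermediates = x509.NewCertPool()
		for _, c := range req.TLS.PeerCertificates[1:] {
			opts.Intermediates.AddCert(c)
		}
	}
	chains, err := req.TLS.PeerCertificates[0].Verify(opts) // roots, validity window and EKU
	if err != nil {
		return nil, false, fmt.Errorf("verifying client certificate failed: %w", err)
	}
	return a.user(chains[0])
}

// issue mints a throwaway Ed25519 certificate (test keys only); parent == nil means self-signed.
func issue(cn string, org []string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn, Organization: org},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: eku}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo runs the dynamic-CA scenario: the authenticator abstains until the root is loaded, then accepts a
// leaf -> intermediate -> root chain with the client-auth EKU and rejects an otherwise identical server-auth-only leaf.
func Demo() (okBeforeLoad bool, user *UserInfo, badEKUErr error) {
	var roots *x509.CertPool // nil until the CA bundle "arrives"
	auth := &Authenticator{user: commonNameUser, verifyOptionsFn: func() (x509.VerifyOptions, bool) {
		return x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, roots != nil
	}}
	root, rootKey := issue("example-root", nil, true, nil, nil, nil)
	inter, interKey := issue("example-intermediate", nil, true, nil, root, rootKey)
	client, _ := issue("alice", []string{"dev"}, false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, inter, interKey)
	server, _ := issue("alice", []string{"dev"}, false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, inter, interKey)
	request := func(leaf *x509.Certificate) *http.Request { // constructed TLS state: leaf first, then intermediate
		return &http.Request{TLS: &tls.ConnectionState{PeerCertificates: []*x509.Certificate{leaf, inter}}}
	}
	_, okBeforeLoad, _ = auth.AuthenticateRequest(request(client))
	roots = x509.NewCertPool()
	roots.AddCert(root)
	user, _, _ = auth.AuthenticateRequest(request(client))
	_, _, badEKUErr = auth.AuthenticateRequest(request(server))
	return okBeforeLoad, user, badEKUErr
}
```

Demo returns three outcomes: okBeforeLoad is false while roots is nil (the VerifyOptionFunc signalled no opinion, so the request is neither accepted nor rejected), user is alice with group dev and an X509SHA256= credential ID once the root is loaded, and badEKUErr is the crypto/x509 incompatible-key-usage error for the server-auth-only leaf, which is exactly what the ExtKeyUsageClientAuth requirement in DefaultVerifyOptions buys you. Note that the client-supplied intermediate is only used for path building; the chain still has to terminate at a certificate in Roots.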