auth

package
v0.41.6 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 26, 2024 License: Apache-2.0 Imports: 30 Imported by: 9

Documentation

Index

Constants

View Source 
const (
	// OIDCLabelKey is used to filter out all the informers that related to OIDC work
	OIDCLabelKey = "eventing.knative.dev/oidc"

	// OIDCLabelSelector is the label selector for the OIDC resources
	OIDCLabelSelector = OIDCLabelKey
)
View Source 
const (
	AuthHeaderKey = "Authorization"
)
View Source 
const (
	TokenExpirationTime = time.Hour
)

Variables

This section is empty.

Functions

func DeleteOIDCServiceAccountIfExists added in v0.40.0 

func DeleteOIDCServiceAccountIfExists(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) error

DeleteOIDCServiceAccountIfExists makes sure the given resource does not have an OIDC service account. If it does that service account is deleted.

func EnsureOIDCServiceAccountExistsForResource 

func EnsureOIDCServiceAccountExistsForResource(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) error

EnsureOIDCServiceAccountExistsForResource makes sure the given resource has an OIDC service account with an owner reference to the resource set.

func GetAudience 

func GetAudience(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string

GetAudience returns the audience string for the given object in the format <group>/<kind>/<namespace>/<name>

func GetJWTExpiry added in v0.40.0 

func GetJWTExpiry(token string) (time.Time, error)

GetJWTExpiry returns the expiry time of the token in UTC

func GetJWTFromHeader 

func GetJWTFromHeader(header http.Header) string

GetJWTFromHeader Returns the JWT from the Authorization header

func GetOIDCServiceAccountForResource 

func GetOIDCServiceAccountForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) *v1.ServiceAccount

GetOIDCServiceAccountForResource returns the service account to use for OIDC authentication for the given resource.

func GetOIDCServiceAccountNameForResource 

func GetOIDCServiceAccountNameForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string

GetOIDCServiceAccountNameForResource returns the service account name to use for OIDC authentication for the given resource.

func SetAuthHeader 

func SetAuthHeader(jwt string, header http.Header)

SetAuthHeader sets Authorization header with the given JWT

func SetupOIDCServiceAccount added in v0.40.0 

func SetupOIDCServiceAccount(ctx context.Context, flags feature.Flags, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta, marker OIDCIdentityStatusMarker, setAuthStatus func(a *duckv1.AuthStatus)) pkgreconciler.Event

Types

type IDToken 

type IDToken struct {
	Issuer          string
	Audience        []string
	Subject         string
	Expiry          time.Time
	IssuedAt        time.Time
	AccessTokenHash string
}

type OIDCIdentityStatusMarker added in v0.40.0 

type OIDCIdentityStatusMarker interface {
	MarkOIDCIdentityCreatedSucceeded()
	MarkOIDCIdentityCreatedSucceededWithReason(reason, messageFormat string, messageA ...interface{})
	MarkOIDCIdentityCreatedFailed(reason, messageFormat string, messageA ...interface{})
}

type OIDCTokenProvider 

type OIDCTokenProvider struct {
	// contains filtered or unexported fields
}

func NewOIDCTokenProvider 

func NewOIDCTokenProvider(ctx context.Context) *OIDCTokenProvider

func (*OIDCTokenProvider) GetJWT 

func (c *OIDCTokenProvider) GetJWT(serviceAccount types.NamespacedName, audience string) (string, error)

GetJWT returns a JWT from the given service account for the given audience.

func (*OIDCTokenProvider) GetNewJWT added in v0.40.0 

func (c *OIDCTokenProvider) GetNewJWT(serviceAccount types.NamespacedName, audience string) (string, error)

GetNewJWT returns a new JWT from the given service account for the given audience without using the token cache.

type OIDCTokenVerifier 

type OIDCTokenVerifier struct {
	// contains filtered or unexported fields
}

func NewOIDCTokenVerifier 

func NewOIDCTokenVerifier(ctx context.Context) *OIDCTokenVerifier

func (*OIDCTokenVerifier) VerifyJWT 

func (c *OIDCTokenVerifier) VerifyJWT(ctx context.Context, jwt, audience string) (*IDToken, error)

VerifyJWT verifies the given JWT for the expected audience and returns the parsed ID token.

func (*OIDCTokenVerifier) VerifyJWTFromRequest added in v0.40.0 

func (tokenVerifier *OIDCTokenVerifier) VerifyJWTFromRequest(ctx context.Context, r *http.Request, audience *string, response http.ResponseWriter) error

VerifyJWTFromRequest will verify the incoming request contains the correct JWT token

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.