credentials

package
v0.0.0-...-877fc11 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 7, 2024 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Overview

Package credentials handles the access to credentials for consumers of credential sets.

A credentials set is just a set of simple key/values pair, for example username and password. Every credential consumer, for example repository implementation of other context types, (OCI repositories, OCM repositories, ...) uses the same procedure to get to its credentials:

  1. it composes a most significant typed ConsumerIdentity for every request. This is a set of name/value pairs describing the access context. For an OCI registry, this is for example: - the type (OCIRegistry) - the hostname - an optional port - the repository path
  2. it then requests credentials from its credentials Context for this consumer.
  3. the credentials context matches the requested consumer against configured consumers using a dedicated matcher. (For example: finding the consumer specification with the longest matching repository path prefix (for OCI))
  4. the credentials for the best matching entry are then returned to the requester.

The credentials context is the mediator between credential providers and credential consumers. Here

  • it is possible to explicitly configure credentials for consumer ids
  • it is possible to manage credential repositories providing named credential sets and
  • to map dedicated such sets to consumer ids.
  • specialized credential repositories, may propagate their contained credentials to auto-calculated consumer ids.

This way, there is a special credential repository type DockerConfig. It knows what its credentials are meant for (for accessing OCI registries). When instantiating such a repository, it automatically exposes its credentials under the appropriate consumer ids used by the OCI repository implementation. But docker does not allow for separate credentials for different repository prefixes in OCI registries (for example organisations in ghcr.io), only per host. Therefore, the propagated consumer ids do not provide the path property of a consumer id. Together with the path prefix matcher, those id settings therefore match all OCI credential requests for all repository paths of a dedicated host, as long as there is no more significant setting.

The credentials context also provides a configuration objeect managed by a ConfigurationContext and used to configure a credentials context. The serialization form of this object can be put into a configuration object of the configuration context. For example, the .ocmconfig file is then a serialization of such an object which is initially read by the OCM CLI to configure the used ConfigurationContext. If it describes a credentials configuration this one is applied to the credentials context. Such a credentials config object allows to

  • describe direct consumer id to credential set mappings
  • describe the instantiation of credential repositories (for example a dockerconfig repo)
  • the mapping of credential sets of any credential repository to consumer ids (for example mapping of vault entries to consumers (vault not implemented yet)

As for very context type the Context is the central element of this package. It provides access to the complete functionality by bundling all the settings required to provide credentials to its clients.

Index

Constants

View Source
const (
	ID_TYPE = internal.ID_TYPE

	ATTR_TYPE                  = internal.ATTR_TYPE
	ATTR_USERNAME              = internal.ATTR_USERNAME
	ATTR_PASSWORD              = internal.ATTR_PASSWORD
	ATTR_CERTIFICATE_AUTHORITY = internal.ATTR_CERTIFICATE_AUTHORITY
	ATTR_CERTIFICATE           = internal.ATTR_CERTIFICATE // PEM encoded
	ATTR_PRIVATE_KEY           = internal.ATTR_PRIVATE_KEY // PEM encoded
	ATTR_SERVER_ADDRESS        = internal.ATTR_SERVER_ADDRESS
	ATTR_IDENTITY_TOKEN        = internal.ATTR_IDENTITY_TOKEN
	ATTR_REGISTRY_TOKEN        = internal.ATTR_REGISTRY_TOKEN
	ATTR_TOKEN                 = internal.ATTR_TOKEN
)
View Source
const (
	KIND_CREDENTIALS = internal.KIND_CREDENTIALS
	KIND_CONSUMER    = internal.KIND_CONSUMER
	KIND_REPOSITORY  = internal.KIND_REPOSITORY
)
View Source
const AliasRepositoryType = internal.AliasRepositoryType
View Source
const CONTEXT_TYPE = internal.CONTEXT_TYPE

Variables

View Source
var (
	CompleteMatch = internal.CompleteMatch
	NoMatch       = internal.NoMatch
	PartialMatch  = internal.PartialMatch
)

Functions

func DefaultContext

func DefaultContext() internal.Context

func ErrUnknownCredentials

func ErrUnknownCredentials(name string) error

func GetClientCerts

func GetClientCerts(ctx ContextProvider, creds Credentials) ([]tls.Certificate, error)

func GetProvidedIdentityMatcher

func GetProvidedIdentityMatcher(obj interface{}) string

func GetRootCAs

func GetRootCAs(ctx ContextProvider, creds Credentials) (*x509.CertPool, error)

func GuessConsumerType

func GuessConsumerType(ctxp ContextProvider, spec string) string

func RepositoryUsage

func RepositoryUsage(scheme RepositoryTypeScheme) string

func WithConfigs

func WithConfigs(ctx config.Context) internal.Builder

func WithContext

func WithContext(ctx context.Context) internal.Builder

func WithRepositoyTypeScheme

func WithRepositoyTypeScheme(scheme RepositoryTypeScheme) internal.Builder

func WithStandardConumerMatchers

func WithStandardConumerMatchers(matchers internal.IdentityMatcherRegistry) internal.Builder

Types

type ConsumerIdentity

type ConsumerIdentity = internal.ConsumerIdentity

func GetProvidedConsumerId

func GetProvidedConsumerId(obj interface{}, uctx ...UsageContext) ConsumerIdentity

func NewConsumerIdentity

func NewConsumerIdentity(typ string, attrs ...string) ConsumerIdentity

type ConsumerIdentityProvider

type ConsumerIdentityProvider = internal.ConsumerIdentityProvider

type Context

type Context = internal.Context

func DefinedForContext

func DefinedForContext(ctx context.Context) (Context, bool)

func FromContext

func FromContext(ctx context.Context) Context

func FromProvider

func FromProvider(p ContextProvider) Context

func New

func New(mode ...datacontext.BuilderMode) Context

type ContextProvider

type ContextProvider = internal.ContextProvider

type Credentials

type Credentials = internal.Credentials

func CredentialsFor

func CredentialsFor(ctx ContextProvider, obj interface{}, uctx ...UsageContext) (Credentials, error)

func CredentialsForConsumer

func CredentialsForConsumer(ctx ContextProvider, id ConsumerIdentity, matchers ...IdentityMatcher) (Credentials, error)

CredentialsForConsumer determine effective credentials for a consumer. If no credentials are configured no error and nil is returned. It evaluates a found credentials source for the consumer to determine the final credential properties.

func CredentialsFromList

func CredentialsFromList(props ...string) Credentials

func NewCredentials

func NewCredentials(props common.Properties) Credentials

func RequiredCredentialsForConsumer

func RequiredCredentialsForConsumer(ctx ContextProvider, id ConsumerIdentity, matchers ...IdentityMatcher) (Credentials, error)

RequiredCredentialsForConsumer like CredentialsForConsumer, but an errors is returned if no credentials are found.

type CredentialsChain

type CredentialsChain = internal.CredentialsChain

type CredentialsSource

type CredentialsSource = internal.CredentialsSource

type CredentialsSpec

type CredentialsSpec = internal.CredentialsSpec

func CredentialsSpecFromList

func CredentialsSpecFromList(props ...string) CredentialsSpec

func NewCredentialsSpec

func NewCredentialsSpec(name string, repospec RepositorySpec) CredentialsSpec

func NewGenericCredentialsSpec

func NewGenericCredentialsSpec(name string, repospec *GenericRepositorySpec) CredentialsSpec

type DirectCredentials

type DirectCredentials = internal.DirectCredentials

type GenericCredentialsSpec

type GenericCredentialsSpec = internal.GenericCredentialsSpec

func ToGenericCredentialsSpec

func ToGenericCredentialsSpec(spec CredentialsSpec) (*GenericCredentialsSpec, error)

type GenericRepositorySpec

type GenericRepositorySpec = internal.GenericRepositorySpec

func ToGenericRepositorySpec

func ToGenericRepositorySpec(spec RepositorySpec) (*GenericRepositorySpec, error)

type IdentityMatcher

type IdentityMatcher = internal.IdentityMatcher

type IdentityMatcherInfo

type IdentityMatcherInfo = internal.IdentityMatcherInfo

type IdentityMatcherInfos

type IdentityMatcherInfos = internal.IdentityMatcherInfos

type IdentityMatcherRegistry

type IdentityMatcherRegistry = internal.IdentityMatcherRegistry

type ProviderIdentity

type ProviderIdentity = internal.ProviderIdentity

type Repository

type Repository = internal.Repository

type RepositorySpec

type RepositorySpec = internal.RepositorySpec

func NewGenericRepositorySpec

func NewGenericRepositorySpec(data []byte, unmarshaler runtime.Unmarshaler) (RepositorySpec, error)

type RepositoryTypeScheme

type RepositoryTypeScheme = internal.RepositoryTypeScheme

type StringUsageContext

type StringUsageContext = internal.StringUsageContext

type UsageContext

type UsageContext = internal.UsageContext

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL