jwt

package
Published: Oct 3, 2024 License: MIT Imports: 11 Imported by: 0

Documentation

Overview

Package jwt provides primitives for working with JWT (Parser, Claims, and so on).

Index

Constants

const DefaultClaimsCacheMaxEntries = 1000

Variables

This section is empty.

Functions

This section is empty.

Types

type AccessPolicy

// AccessPolicy represents a single access policy carried in a token's scope.
// NOTE(review): the length and character-set limits stated in the field
// comments are documentation only; nothing in this type enforces them, so
// consumers that persist, compare or render these values should validate them.
type AccessPolicy struct {
	// TenantID is the tenant ID for which access is granted (if resource is not specified)
	// or which the resource is owned by (if resource is specified).
	// Max length is 36 characters (uuid).
	TenantID string `json:"tid,omitempty"`

	// TenantUUID is the tenant UUID for which access is granted (if resource is not specified)
	// or which the resource is owned by (if resource is specified).
	// Max length is 36 characters (uuid).
	TenantUUID string `json:"tuid,omitempty"`

	// ResourceServerID must be a unique resource server instance or cluster ID.
	// Max length is 36 characters [a-zA-Z0-9-_].
	ResourceServerID string `json:"rs,omitempty"`

	// ResourceNamespace AKA resource type, partitions resources within a resource server.
	// E.g.: storage, task-manager, account-server, resource-manager, policy-manager etc.
	// Max length is 36 characters [a-zA-Z0-9-_].
	ResourceNamespace string `json:"rn,omitempty"`

	// ResourcePath AKA resource ID AKA resource pointer, is a unique identifier of,
	// or path to (in scope of resource server and namespace), a single resource or resource collection.
	// The 'path' notion is a reminder that it can contain segments, each meaningful to the resource server:
	// each sub-path can correspond to a different resource, and access policies can be assigned at any
	// sub-path granularity. The resource path is considered immutable: moving resources 'within' the path
	// breaks access control logic on both the AuthZ server and resource server sides.
	// E.g.: vms, vm1, queues, queue1
	// Max length is 255 characters [a-zA-Z0-9-_].
	ResourcePath string `json:"rp,omitempty"`

	// Role is the role available for the resource identified by the fields above.
	Role string `json:"role,omitempty"`

	// AllowPermissions lists the permissions this policy explicitly grants (JSON "allow").
	// DenyPermissions lists the permissions this policy explicitly denies (JSON "deny").
	// NOTE(review): how deny interacts with allow and Role (precedence) is not
	// defined by this type — confirm against the consumer's evaluation logic.
	AllowPermissions []string `json:"allow,omitempty"`
	DenyPermissions  []string `json:"deny,omitempty"`
}

AccessPolicy represents a single access policy.

type AudienceMissingError

// AudienceMissingError represents an error returned when the JWT audience is
// missing but it is required (see ParserOpts.RequireAudience).
type AudienceMissingError struct {
	// Claims presumably holds the parsed claims of the offending token — confirm
	// against where Parser.Parse constructs this error.
	Claims *Claims
}

AudienceMissingError represents an error returned when the JWT audience is missing but it is required.

func (*AudienceMissingError) Error

func (e *AudienceMissingError) Error() string

type AudienceNotExpectedError

// AudienceNotExpectedError represents an error returned when the JWT contains
// an audience that is not expected (see ParserOpts.ExpectedAudience).
type AudienceNotExpectedError struct {
	// Claims presumably holds the parsed claims of the offending token, including
	// the rejected audience — confirm against where Parser.Parse constructs this error.
	Claims *Claims
}

AudienceNotExpectedError represents an error returned when the JWT contains an unexpected audience.

func (*AudienceNotExpectedError) Error

func (e *AudienceNotExpectedError) Error() string

type CachingKeysProvider

// CachingKeysProvider is a KeysProvider that additionally caches the keys it
// obtains and exposes a way to invalidate that cache.
type CachingKeysProvider interface {
	KeysProvider
	// InvalidateCacheIfNeeded drops cached keys for issuer when the
	// implementation decides they are stale; the exact policy (always, on
	// unknown key ID, rate-limited, ...) is up to the implementation — confirm
	// in the concrete provider.
	InvalidateCacheIfNeeded(ctx context.Context, issuer string) error
}

CachingKeysProvider is an interface for providing keys for verifying JWT. Unlike KeysProvider, it supports caching of the obtained keys and invalidating that cache.

type CachingParser

// CachingParser uses the functionality of the embedded Parser to parse JWT, but
// stores the resulting Claims objects in ClaimsCache so repeated presentations
// of the same token skip the full parse.
// NOTE(review): whether time-based claims (exp/nbf) are re-validated on a cache
// hit, or the cached Claims are returned as-is, is not visible here — confirm
// in CachingParser.Parse before relying on the cache path for expiry enforcement.
type CachingParser struct {
	*Parser
	// ClaimsCache holds parsed Claims; InvalidateClaimsCache purges all of them.
	ClaimsCache ClaimsCache
}

CachingParser uses the functionality of Parser to parse JWT, but stores the resulting Claims objects in the cache.

func NewCachingParser

func NewCachingParser(keysProvider KeysProvider, logger log.FieldLogger) (*CachingParser, error)

func NewCachingParserWithOpts

func NewCachingParserWithOpts(
	keysProvider KeysProvider, logger log.FieldLogger, opts CachingParserOpts,
) (*CachingParser, error)

func (*CachingParser) InvalidateClaimsCache

func (cp *CachingParser) InvalidateClaimsCache()

InvalidateClaimsCache removes all preserved parsed Claims objects from cache.

func (*CachingParser) Parse

func (cp *CachingParser) Parse(ctx context.Context, token string) (*Claims, error)

Parse calls the Parse method of the embedded Parser and stores the result in the cache.

type CachingParserOpts

// CachingParserOpts holds the options of NewCachingParserWithOpts: the plain
// ParserOpts plus cache-specific settings.
type CachingParserOpts struct {
	ParserOpts
	// CacheMaxEntries bounds the number of Claims kept in the cache — presumably
	// DefaultClaimsCacheMaxEntries applies when it is zero; confirm in NewCachingParserWithOpts.
	CacheMaxEntries              int
	// CachePrometheusInstanceLabel is, by its name, the value of an instance label
	// attached to the cache's Prometheus metrics — confirm in NewCachingParserWithOpts.
	CachePrometheusInstanceLabel string
}

type Claims

// Claims represents an extended version of JWT claims: the registered claims
// from the embedded jwtgo.RegisteredClaims (iss, sub, aud, exp, nbf, iat, jti)
// plus the custom claims below. The JSON names in the tags are the wire names
// inside the token payload.
type Claims struct {
	jwtgo.RegisteredClaims
	// Scope is the list of access policies granted to the token holder (JSON "scope").
	Scope           []AccessPolicy `json:"scope,omitempty"`
	// Version is the claims format version (JSON "ver"); how it is checked, if at all, is not visible here.
	Version         int            `json:"ver,omitempty"`
	// UserID identifies the user the token was issued for (JSON "uid").
	UserID          string         `json:"uid,omitempty"`
	// OriginID (JSON "origin") — meaning not defined on this page; presumably the originating service/session.
	OriginID        string         `json:"origin,omitempty"`
	// ClientID identifies the OAuth-style client the token was issued to (JSON "client_id").
	ClientID        string         `json:"client_id,omitempty"`
	// TOTPTime (JSON "totp_time") is an int64 — presumably a Unix timestamp of the last
	// TOTP verification; units are not stated here, confirm with the issuer.
	TOTPTime        int64          `json:"totp_time,omitempty"`
	// SubType qualifies the subject (JSON "sub_type"); allowed values are not listed on this page.
	SubType         string         `json:"sub_type,omitempty"`
	// OwnerTenantUUID is the UUID of the tenant owning the subject (JSON "owner_tuid").
	OwnerTenantUUID string         `json:"owner_tuid,omitempty"`
}

Claims represents an extended version of JWT claims.

type ClaimsCache

// ClaimsCache is the interface a cache implementation must satisfy to be used as
// CachingParser.ClaimsCache.
type ClaimsCache interface {
	// Get returns the cached Claims for key and whether an entry was present.
	Get(key [sha256.Size]byte) (*Claims, bool)
	// Add stores value under key. The key is a 32-byte SHA-256 digest — presumably
	// of the raw token string, so the token itself is not retained by the cache;
	// confirm in CachingParser.Parse.
	Add(key [sha256.Size]byte, value *Claims)
	// Purge removes every entry.
	Purge()
	// Len reports the number of entries currently held.
	Len() int
}

ClaimsCache is the interface that a cache implementation must satisfy to be used by CachingParser.

type IssuerMissingError

// IssuerMissingError represents an error returned when the JWT issuer (iss) is missing.
type IssuerMissingError struct {
	// Claims presumably holds the parsed claims of the offending token — confirm
	// against where Parser.Parse constructs this error.
	Claims *Claims
}

IssuerMissingError represents an error when JWT issuer is missing.

func (*IssuerMissingError) Error

func (e *IssuerMissingError) Error() string

type IssuerUntrustedError

// IssuerUntrustedError represents an error returned when the JWT issuer is not in
// the parser's trusted list (see Parser.AddTrustedIssuer, AddTrustedIssuerURL and
// ParserOpts.TrustedIssuerNotFoundFallback).
type IssuerUntrustedError struct {
	// Claims presumably holds the parsed claims of the offending token, including
	// the rejected issuer — confirm against where Parser.Parse constructs this error.
	Claims *Claims
}

IssuerUntrustedError represents an error when JWT issuer is untrusted.

func (*IssuerUntrustedError) Error

func (e *IssuerUntrustedError) Error() string

type KeysProvider

// KeysProvider is an interface for providing keys for verifying JWT signatures.
type KeysProvider interface {
	// GetRSAPublicKey returns the public key identified by keyID for the given issuer.
	// Despite the name, the result is typed interface{}; presumably the Parser
	// type-asserts it to the key type the token's algorithm requires (e.g. *rsa.PublicKey)
	// — confirm in Parser.Parse, and return exactly that type from implementations.
	GetRSAPublicKey(ctx context.Context, issuer, keyID string) (interface{}, error)
}

KeysProvider is an interface for providing keys for verifying JWT.

type Parser

// Parser is an object for parsing, validating and verifying JWT.
// All fields are unexported; construct it with NewParser or NewParserWithOpts
// and register issuers with AddTrustedIssuer / AddTrustedIssuerURL.
type Parser struct {
	// contains filtered or unexported fields
}

Parser is an object for parsing, validating and verifying JWT.

func NewParser

func NewParser(keysProvider KeysProvider, logger log.FieldLogger) *Parser

NewParser creates a new JWT parser with the specified keys provider.

func NewParserWithOpts

func NewParserWithOpts(keysProvider KeysProvider, logger log.FieldLogger, opts ParserOpts) *Parser

NewParserWithOpts creates a new JWT parser with the specified keys provider and additional options.

func (*Parser) AddTrustedIssuer

func (p *Parser) AddTrustedIssuer(issName, issURL string)

AddTrustedIssuer adds a trusted issuer with the specified name and URL.

func (*Parser) AddTrustedIssuerURL

func (p *Parser) AddTrustedIssuerURL(issURL string) error

AddTrustedIssuerURL adds a trusted issuer URL.

func (*Parser) GetURLForIssuer

func (p *Parser) GetURLForIssuer(issuer string) (string, bool)

GetURLForIssuer returns the URL for the issuer if it is trusted.

func (*Parser) Parse

func (p *Parser) Parse(ctx context.Context, token string) (*Claims, error)

Parse parses, validates and verifies the passed token (its string representation). The parsed claims are returned.

type ParserOpts

// ParserOpts holds additional options for Parser.
type ParserOpts struct {
	// SkipClaimsValidation, when true, presumably makes Parse skip validation of
	// the claims (e.g. exp/nbf) while still verifying the signature — confirm in
	// Parser.Parse. Setting it removes expiry enforcement from this layer, so it
	// only fits callers that validate those claims themselves.
	SkipClaimsValidation          bool
	// RequireAudience, when true, presumably causes Parse to fail with
	// AudienceMissingError for tokens that carry no aud claim.
	RequireAudience               bool
	// ExpectedAudience lists the accepted aud values; a token whose audience is
	// not among them presumably fails with AudienceNotExpectedError.
	ExpectedAudience              []string
	// TrustedIssuerNotFoundFallback is called when the token's issuer is not in
	// the trusted list (see TrustedIssNotFoundFallback).
	TrustedIssuerNotFoundFallback TrustedIssNotFoundFallback
}

ParserOpts holds additional options for the parser.

type SignAlgUnknownError

// SignAlgUnknownError represents an error returned when the JWT signing
// algorithm is unknown to the parser.
type SignAlgUnknownError struct {
	// Alg is the rejected algorithm name — presumably the token header's "alg" value.
	Alg string
}

SignAlgUnknownError represents an error when JWT signing algorithm is unknown.

func (*SignAlgUnknownError) Error

func (e *SignAlgUnknownError) Error() string

type TrustedIssNotFoundFallback

type TrustedIssNotFoundFallback func(ctx context.Context, p *Parser, iss string) (issURL string, issFound bool)

TrustedIssNotFoundFallback is a function called when the given issuer is not found in the list of trusted ones. For example, the issuer could be analyzed and then added to the list by calling the AddTrustedIssuerURL method.
