auth

Published: Mar 9, 2022 License: Apache-2.0 Imports: 31 Imported by: 0


Constants

This section is empty.

Variables

This section is empty.

Functions

func TokenEndpoint added in v0.7.0

func TokenEndpoint(endpoint environments.AzureADEndpoint, tenant string, version TokenVersion) (e string)

Types

type Authorizer

type Authorizer interface {
	// Token returns the primary access token, or an error if none could be obtained.
	Token() (*oauth2.Token, error)
	// AuxiliaryTokens returns additional tokens for auxiliary tenant IDs, for use in multi-tenant scenarios.
	AuxiliaryTokens() ([]*oauth2.Token, error)
}

Authorizer is anything that can return an access token for authorizing API connections

func NewAutorestAuthorizerWrapper added in v0.34.0

func NewAutorestAuthorizerWrapper(autorestAuthorizer autorest.Authorizer) (Authorizer, error)

NewAutorestAuthorizerWrapper returns an Authorizer that sources tokens from a supplied autorest.BearerAuthorizer

func NewAzureCliAuthorizer

func NewAzureCliAuthorizer(ctx context.Context, api environments.Api, tenantId string) (Authorizer, error)

NewAzureCliAuthorizer returns an Authorizer which authenticates using the Azure CLI.

func NewCachedAuthorizer added in v0.26.0

func NewCachedAuthorizer(src Authorizer) Authorizer

NewCachedAuthorizer returns an Authorizer that caches an access token for the duration of its validity. If the cached token expires, a new one is acquired and cached.

func NewClientCertificateAuthorizer

func NewClientCertificateAuthorizer(ctx context.Context, environment environments.Environment, api environments.Api, tokenVersion TokenVersion, tenantId string, auxTenantIds []string, clientId string, pfxData []byte, pfxPath, pfxPass string) (Authorizer, error)

NewClientCertificateAuthorizer returns an authorizer which uses client certificate authentication.

func NewClientSecretAuthorizer

func NewClientSecretAuthorizer(ctx context.Context, environment environments.Environment, api environments.Api, tokenVersion TokenVersion, tenantId string, auxTenantIds []string, clientId, clientSecret string) (Authorizer, error)

NewClientSecretAuthorizer returns an authorizer which uses client secret authentication.

func NewGitHubOIDCAuthorizer added in v0.40.0

func NewGitHubOIDCAuthorizer(ctx context.Context, environment environments.Environment, api environments.Api, tenantId string, auxTenantIds []string, clientId, idTokenRequestUrl, idTokenRequestToken string) (Authorizer, error)

NewGitHubOIDCAuthorizer returns an authorizer which acquires a client assertion from a GitHub endpoint, then uses client assertion authentication to obtain an access token.

func NewMsiAuthorizer added in v0.6.0

func NewMsiAuthorizer(ctx context.Context, api environments.Api, msiEndpoint, clientId string) (Authorizer, error)

NewMsiAuthorizer returns an authorizer which uses managed service identity for authentication.

type AutorestAuthorizerWrapper added in v0.34.0

type AutorestAuthorizerWrapper struct {
	// contains filtered or unexported fields
}

AutorestAuthorizerWrapper is an Authorizer which sources tokens from an autorest.Authorizer. Fully supported: autorest.BearerAuthorizer and autorest.MultiTenantBearerAuthorizer. For other types that satisfy autorest.Authorizer, the Authorization and X-Ms-Authorization-Auxiliary headers are parsed for access token values, but additional metadata such as refresh tokens and expiry is not provided.

func (*AutorestAuthorizerWrapper) AuxiliaryTokens added in v0.35.0

func (a *AutorestAuthorizerWrapper) AuxiliaryTokens() ([]*oauth2.Token, error)

AuxiliaryTokens returns additional tokens for auxiliary tenant IDs, sourced from an autorest.MultiTenantBearerAuthorizer, for use in multi-tenant scenarios

func (*AutorestAuthorizerWrapper) Token added in v0.34.0

Token returns an access token using an autorest.BearerAuthorizer struct

type AzureCliAuthorizer

type AzureCliAuthorizer struct {
	// TenantID is optional and forces selection of the specified tenant. Must be a valid UUID.
	TenantID string
	// contains filtered or unexported fields
}

AzureCliAuthorizer is an Authorizer which supports the Azure CLI.

func (*AzureCliAuthorizer) AuxiliaryTokens added in v0.35.0

func (a *AzureCliAuthorizer) AuxiliaryTokens() ([]*oauth2.Token, error)

AuxiliaryTokens returns additional tokens for auxiliary tenant IDs, for use in multi-tenant scenarios

func (*AzureCliAuthorizer) Token

func (a *AzureCliAuthorizer) Token() (*oauth2.Token, error)

Token returns an access token using the Azure CLI as an authentication mechanism.

type AzureCliConfig

type AzureCliConfig struct {
	// Endpoint is the API endpoint for which tokens are requested.
	// NOTE(review): presumably derived from the environments.Api passed to NewAzureCliConfig — confirm against the constructor.
	Endpoint environments.ApiEndpoint

	// TenantID is the required tenant ID for the primary token (validated by NewAzureCliConfig)
	TenantID string

	// AuxiliaryTenantIDs is an optional list of tenant IDs for which to obtain additional tokens
	AuxiliaryTenantIDs []string
}

AzureCliConfig configures an AzureCliAuthorizer.

func NewAzureCliConfig

func NewAzureCliConfig(api environments.Api, tenantId string) (*AzureCliConfig, error)

NewAzureCliConfig validates the supplied tenant ID and returns a new AzureCliConfig.

func (*AzureCliConfig) TokenSource

func (c *AzureCliConfig) TokenSource(ctx context.Context) Authorizer

TokenSource provides a source for obtaining access tokens using AzureCliAuthorizer.

type CachedAuthorizer added in v0.7.0

type CachedAuthorizer struct {
	// Source contains the underlying Authorizer for obtaining tokens
	Source Authorizer
	// contains filtered or unexported fields
}

CachedAuthorizer caches a token until it expires, then acquires a new token from Source

func (*CachedAuthorizer) AuxiliaryTokens added in v0.35.0

func (c *CachedAuthorizer) AuxiliaryTokens() ([]*oauth2.Token, error)

AuxiliaryTokens returns additional tokens for auxiliary tenant IDs, for use in multi-tenant scenarios

func (*CachedAuthorizer) BearerAuthorizerCallback added in v0.37.0

func (c *CachedAuthorizer) BearerAuthorizerCallback() *autorest.BearerAuthorizerCallback

BearerAuthorizerCallback is a helper that returns an *autorest.BearerAuthorizerCallback for use in data plane API clients in the Azure SDK

func (*CachedAuthorizer) Token added in v0.26.0

func (c *CachedAuthorizer) Token() (*oauth2.Token, error)

Token returns the current token if it's still valid; otherwise it acquires a new token.

func (*CachedAuthorizer) WithAuthorization added in v0.35.0

func (c *CachedAuthorizer) WithAuthorization() autorest.PrepareDecorator

WithAuthorization implements the autorest.Authorizer interface

type Claims

type Claims struct {
	// NOTE(review): this page does not show whether ParseClaims verifies the token's
	// signature before unmarshalling into this struct; do not treat these values as
	// authenticated unless that is confirmed in ParseClaims.

	// Audience is the "aud" claim.
	Audience          string   `json:"aud"`
	// Issuer is the "iss" claim.
	Issuer            string   `json:"iss"`
	// IdentityProvider is the "idp" claim.
	IdentityProvider  string   `json:"idp"`
	// ObjectId is the "oid" claim.
	ObjectId          string   `json:"oid"`
	// Roles is the "roles" claim.
	Roles             []string `json:"roles"`
	// Scopes is the "scp" claim, carried as a single string.
	Scopes            string   `json:"scp"`
	// Subject is the "sub" claim.
	Subject           string   `json:"sub"`
	// TenantRegionScope is the "tenant_region_scope" claim.
	TenantRegionScope string   `json:"tenant_region_scope"`
	// TenantId is the "tid" claim.
	TenantId          string   `json:"tid"`
	// Version is the "ver" claim.
	Version           string   `json:"ver"`

	// The following claims are optional and omitted from JSON output when empty.

	// AppDisplayName is the "app_displayname" claim.
	AppDisplayName string `json:"app_displayname,omitempty"`
	// AppId is the "appid" claim.
	AppId          string `json:"appid,omitempty"`
	// IdType is the "idtyp" claim.
	IdType         string `json:"idtyp,omitempty"`
}

Claims is used to unmarshal the claims from a JWT issued by the Microsoft Identity Platform.

func ParseClaims

func ParseClaims(token *oauth2.Token) (claims Claims, err error)

ParseClaims retrieves and parses the claims from a JWT issued by the Microsoft Identity Platform.

type ClientCredentialsConfig added in v0.7.0

type ClientCredentialsConfig struct {
	// Environment is the national cloud environment to use
	Environment environments.Environment

	// TenantID is the required tenant ID for the primary token
	TenantID string

	// AuxiliaryTenantIDs is an optional list of tenant IDs for which to obtain additional tokens
	AuxiliaryTenantIDs []string

	// ClientID is the application's ID.
	ClientID string

	// ClientSecret is the application's secret.
	ClientSecret string

	// PrivateKey contains the contents of an RSA private key or the
	// contents of a PEM file that contains a private key. The provided
	// private key is used to sign JWT assertions.
	// PEM containers with a passphrase are not supported.
	// Use the following command to convert a PKCS 12 file into a PEM.
	//
	//    $ openssl pkcs12 -in key.p12 -out key.pem -nodes
	//
	PrivateKey []byte

	// Certificate contains the (optionally PEM encoded) X509 certificate registered
	// for the application with which you are authenticating. Used when FederatedAssertion is empty.
	Certificate []byte

	// FederatedAssertion contains a JWT provided by a trusted third-party vendor
	// for obtaining an access token with a federated credential. When empty, an
	// assertion will be created and signed using the specified PrivateKey and Certificate
	FederatedAssertion string

	// Resource specifies an API resource for which to request access (used for v1 tokens)
	Resource string

	// Scopes specifies a list of requested permission scopes (used for v2 tokens)
	Scopes []string

	// TokenURL is the clientCredentialsToken endpoint, which overrides the default endpoint constructed from a tenant ID
	TokenURL string

	// TokenVersion is the auth token version to acquire
	TokenVersion TokenVersion

	// Audience optionally specifies the intended audience of the
	// request.  If empty, the value of TokenURL is used as the
	// intended audience.
	Audience string
}

ClientCredentialsConfig is the configuration for using client credentials flow.

For more information see: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token and https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials

func (*ClientCredentialsConfig) TokenSource added in v0.7.0

func (c *ClientCredentialsConfig) TokenSource(ctx context.Context, authType ClientCredentialsType) (source Authorizer)

TokenSource provides a source for obtaining access tokens using clientAssertionAuthorizer or clientSecretAuthorizer.

type ClientCredentialsType added in v0.7.0

type ClientCredentialsType int
const (
	// ClientCredentialsAssertionType selects client assertion authentication in
	// ClientCredentialsConfig.TokenSource. It is the zero value of ClientCredentialsType.
	ClientCredentialsAssertionType ClientCredentialsType = iota
	// ClientCredentialsSecretType selects client secret authentication in
	// ClientCredentialsConfig.TokenSource.
	ClientCredentialsSecretType
)

type Config

type Config struct {
	// Environment specifies the national cloud environment to use
	Environment environments.Environment

	// Version specifies the token version to acquire from Microsoft Identity Platform.
	// Ignored when using Azure CLI or Managed Identity authentication.
	Version TokenVersion

	// TenantID is the Azure Active Directory tenant to connect to; should be a valid UUID
	TenantID string

	// AuxiliaryTenantIDs lists auxiliary tenant IDs for which to obtain tokens in a multi-tenant scenario
	AuxiliaryTenantIDs []string

	// ClientID is the client ID for the application used to authenticate the connection
	ClientID string

	// EnableAzureCliToken enables authentication using Azure CLI
	EnableAzureCliToken bool

	// EnableMsiAuth enables authentication using managed service identity.
	EnableMsiAuth bool

	// MsiEndpoint specifies a custom MSI endpoint to connect to
	MsiEndpoint string

	// EnableClientCertAuth enables client certificate authentication using client assertions
	EnableClientCertAuth bool

	// ClientCertData specifies the contents of a client certificate PKCS#12 bundle
	ClientCertData []byte

	// ClientCertPath specifies the path to a client certificate PKCS#12 bundle (.pfx file)
	ClientCertPath string

	// ClientCertPassword specifies the encryption password to unlock a client certificate
	ClientCertPassword string

	// EnableClientSecretAuth enables client secret authentication using client credentials
	EnableClientSecretAuth bool

	// ClientSecret specifies the password to authenticate with using client secret authentication
	ClientSecret string

	// EnableGitHubOIDCAuth enables GitHub OIDC authentication
	EnableGitHubOIDCAuth bool

	// IDTokenRequestURL is the URL for GitHub's OIDC provider
	IDTokenRequestURL string

	// IDTokenRequestToken is the bearer token for the request to GitHub's OIDC provider
	IDTokenRequestToken string
}

Config sets up NewAuthorizer to return an Authorizer based on the provided configuration.

func (*Config) NewAuthorizer

func (c *Config) NewAuthorizer(ctx context.Context, api environments.Api) (Authorizer, error)

NewAuthorizer returns a suitable Authorizer depending on what is defined in the Config. Authorizers are selected for authentication methods in the following order of preference: client certificate authentication, client secret authentication, GitHub OIDC authentication, MSI authentication, Azure CLI authentication.

Whether one of these is returned depends on whether it is enabled in the Config, and whether sufficient configuration fields are set to enable that authentication method.

For client certificate authentication, specify TenantID, ClientID and ClientCertData / ClientCertPath. For client secret authentication, specify TenantID, ClientID and ClientSecret. For GitHub OIDC authentication, specify TenantID, ClientID, IDTokenRequestURL and IDTokenRequestToken. MSI authentication (if enabled) using the Azure Metadata Service is then attempted. Azure CLI authentication (if enabled) is attempted last.

It's recommended to enable only the mechanisms you have configured and that are known to work in the execution environment. If any authentication mechanism fails due to misconfiguration or some other error, the function returns (nil, error) and later mechanisms are not attempted.

type GitHubOIDCAuthorizer added in v0.40.0

type GitHubOIDCAuthorizer struct {
	// contains filtered or unexported fields
}

func (*GitHubOIDCAuthorizer) AuxiliaryTokens added in v0.40.0

func (a *GitHubOIDCAuthorizer) AuxiliaryTokens() ([]*oauth2.Token, error)

func (*GitHubOIDCAuthorizer) Token added in v0.40.0

func (a *GitHubOIDCAuthorizer) Token() (*oauth2.Token, error)

type GitHubOIDCConfig added in v0.40.0

type GitHubOIDCConfig struct {
	// Environment is the national cloud environment to use
	Environment environments.Environment

	// TenantID is the required tenant ID for the primary token
	TenantID string

	// AuxiliaryTenantIDs is an optional list of tenant IDs for which to obtain additional tokens
	AuxiliaryTenantIDs []string

	// ClientID is the application's ID.
	ClientID string

	// IDTokenRequestURL is the URL for GitHub's OIDC provider.
	IDTokenRequestURL string

	// IDTokenRequestToken is the bearer token for the request to the OIDC provider.
	IDTokenRequestToken string

	// Scopes specifies a list of requested permission scopes (used for v2 tokens)
	Scopes []string

	// TokenURL is the clientCredentialsToken endpoint, which overrides the default endpoint constructed from a tenant ID
	TokenURL string

	// Audience optionally specifies the intended audience of the
	// request.  If empty, the value of TokenURL is used as the
	// intended audience.
	Audience string
}

func (*GitHubOIDCConfig) TokenSource added in v0.40.0

func (c *GitHubOIDCConfig) TokenSource(ctx context.Context) Authorizer

type MsiAuthorizer added in v0.6.0

type MsiAuthorizer struct {
	// contains filtered or unexported fields
}

MsiAuthorizer is an Authorizer which supports managed service identity.

func (*MsiAuthorizer) AuxiliaryTokens added in v0.35.0

func (a *MsiAuthorizer) AuxiliaryTokens() ([]*oauth2.Token, error)

AuxiliaryTokens returns additional tokens for auxiliary tenant IDs, for use in multi-tenant scenarios

func (*MsiAuthorizer) Token added in v0.6.0

func (a *MsiAuthorizer) Token() (*oauth2.Token, error)

Token returns an access token acquired from the metadata endpoint.

type MsiConfig added in v0.6.0

type MsiConfig struct {
	// ClientID is optionally used to determine which application to assume when a resource has multiple managed identities
	ClientID string

	// MsiApiVersion is the API version to use when requesting a token from the metadata service
	MsiApiVersion string

	// MsiEndpoint is the endpoint where the metadata service can be found
	MsiEndpoint string

	// Resource is the service for which to request an access token
	Resource string
}

MsiConfig configures an MsiAuthorizer.

func NewMsiConfig added in v0.6.0

func NewMsiConfig(resource, msiEndpoint, clientId string) (*MsiConfig, error)

NewMsiConfig returns a new MsiConfig with a configured metadata endpoint and resource. clientId and objectId can be left blank when a single managed identity is available.

func (*MsiConfig) TokenSource added in v0.6.0

func (c *MsiConfig) TokenSource(ctx context.Context) Authorizer

TokenSource provides a source for obtaining access tokens using MsiAuthorizer.

type ServicePrincipalToken added in v0.35.0

type ServicePrincipalToken interface {
	// Token returns the underlying adal.Token.
	Token() adal.Token
}

type TokenVersion added in v0.5.0

type TokenVersion int
const (
	// TokenVersion2 requests v2 tokens (see the Scopes field on ClientCredentialsConfig).
	// It is the zero value, so an unset TokenVersion selects v2.
	TokenVersion2 TokenVersion = iota
	// TokenVersion1 requests v1 tokens (see the Resource field on ClientCredentialsConfig).
	TokenVersion1
)
