pkg

package
v0.13.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 30, 2020 License: GPL-3.0 Imports: 24 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// IrmaFormat is used to indicate a contract is in he form of a base64 encoded IRMA signature
	IrmaFormat ContractFormat = "irma"
	// JwtFormat is used to indicate a contract in in the form of a Jwt encoded signature
	JwtFormat ContractFormat = "JWT"
	// Valid is used to indicate a contract was valid on the time of testing
	Valid ValidationState = "VALID"
	// Invalid is used to indicate a contract was invalid on the time of testing
	Invalid ValidationState = "INVALID"
)
View Source 
const ConfActingPartyCN = "actingPartyCn"

ConfActingPartyCN is the config key to provide the Acting party common name

View Source 
const ConfAddress = "address"

ConfAddress is the config key for the address the http server listens on

View Source 
const ConfAutoUpdateIrmaSchemas = "skipAutoUpdateIrmaSchemas"

ConfAutoUpdateIrmaSchemas is the config key to provide an option to skip auto updating the irma schemas

View Source 
const ConfEnableCORS = "enableCORS"
View Source 
const ConfIrmaConfigPath = "irmaConfigPath"

ConfIrmaConfigPath is the config key to provide the irma configuration path

View Source 
const ConfIrmaSchemeManager = "irmaSchemeManager"

ConfIrmaSchemeManager allows selecting an IRMA scheme manager. During development this can ben irma-demo. Production should be pdfb

View Source 
const ConfMode = "mode"

ConfMode is the config name for the engine mode

View Source 
const JwtBearerGrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"

JwtBearerGrantType defines the grant-type to use in the access token request

View Source 
const PublicURL = "publicUrl"

PublicURL is the config key for the public URL the http/irma server can be discovered

Variables

View Source 
var ErrContractNotFound = errors.New("contract not found")

ErrContractNotFound is used when a certain combination of type, language and version cannot resolve to a contract

View Source 
var ErrInvalidContractFormat = errors.New("unknown contract type")

ErrInvalidContractFormat indicates tha a contract format is unknown.

View Source 
var ErrInvalidContractText = errors.New("invalid contract text")

ErrInvalidContractText is used when contract texts cannot be parsed or contain invalid values

View Source 
var ErrLegalEntityNotFound = errors.New("missing legal entity in contract text")

ErrLegalEntityNotFound is returned when the legalEntity can not be found based on the contract text

View Source 
var ErrLegalEntityNotProvided = errors.New("legalEntity not provided")

ErrLegalEntityNotProvided indicates that the legalEntity is missing

View Source 
var ErrMissingActingParty = errors.New("missing actingPartyCn")

ErrMissingActingParty is returned when the actingPartyCn is missing from the config

View Source 
var ErrMissingPublicURL = errors.New("missing publicUrl")

ErrMissingPublicURL is returned when the publicUrl is missing from the config

View Source 
var ErrSessionNotFound = errors.New("session not found")

ErrSessionNotFound is returned when there is no contract signing session found for a certain SessionID

View Source 
var ErrUnknownContractFormat = errors.New("unknown contract format")

ErrUnknownContractFormat is returned when the contract format is unknown

View Source 
var NowFunc = time.Now

NowFunc is used to store a function that returns the current time. This can be changed when you want to mock the current time.

View Source 
var StandardSignerAttributes = []string{
	".gemeente.personalData.fullname",
	".gemeente.personalData.firstnames",
	".gemeente.personalData.prefix",
	".gemeente.personalData.familyname",
	"pbdf.pbdf.email.email",
}

StandardSignerAttributes defines the standard list of attributes used for a contract. If SignerAttribute name starts with a dot '.', it uses the configured scheme manager

Functions

func GetIrmaConfig 

func GetIrmaConfig(config AuthConfig) *irma.Configuration

GetIrmaConfig creates and returns an IRMA config. The config sets the given irma path or a temporary folder. Then it downloads the schemas.

func GetIrmaServer 

func GetIrmaServer(config AuthConfig) *irmaserver.Server

GetIrmaServer creates and starts the irma server instance. The server can be used by a IRMA client like the app to handle IRMA sessions

Types

type AccessTokenHandler added in v0.13.0 

type AccessTokenHandler interface {
	// CreateJwtBearerToken from a JwtBearerTokenRequest. Returns a signed JWT string.
	CreateJwtBearerToken(request *CreateJwtBearerTokenRequest) (token *JwtBearerTokenResponse, err error)

	// ParseAndValidateJwtBearerToken accepts a jwt encoded bearer token as string and returns the NutsJwtBearerToken object if valid.
	// it returns a ErrLegalEntityNotProvided if the issuer does not contain an legal entity
	// it returns a ErrOrganizationNotFound if the organization in the issuer could not be found in the registry
	ParseAndValidateJwtBearerToken(token string) (*NutsJwtBearerToken, error)

	// BuildAccessToken create a jwt encoded access token from a NutsJwtBearerToken and a ContractValidationResult.
	BuildAccessToken(jwtClaims *NutsJwtBearerToken, identityValidationResult *ContractValidationResult) (token string, err error)

	// ParseAndValidateAccessToken parses and validates an AccessToken and returns a filled NutsAccessToken as result.
	// it returns a ErrLegalEntityNotProvided if the issuer does not contain an legal entity
	// it returns a ErrOrganizationNotFound if the organization in the issuer could not be found in the registry
	ParseAndValidateAccessToken(accessToken string) (*NutsAccessToken, error)
}

AccessTokenHandler interface must be implemented by Access token handlers. Ir defines the interface to handle all logic concerning creating and introspecting OAuth 2.0 Access tokens

type AccessTokenResponse added in v0.13.0 

type AccessTokenResponse struct {
	AccessToken string
}

AccessTokenResponse defines the return value back to the api for the CreateAccessToken method

type Auth 

type Auth struct {
	Config AuthConfig

	ContractSessionHandler ContractSessionHandler
	ContractValidator      ContractValidator
	AccessTokenHandler     AccessTokenHandler
	// contains filtered or unexported fields
}

Auth is the main struct of the Auth service

func AuthInstance 

func AuthInstance() *Auth

AuthInstance create an returns a singleton of the Auth struct

func (*Auth) Configure 

func (auth *Auth) Configure() (err error)

Configure the Auth struct by creating a validator and create an Irma server

func (*Auth) ContractByType 

func (auth *Auth) ContractByType(contractType ContractType, language Language, version Version) (*Contract, error)

ContractByType returns a Contract of a certain type, language and version. If for the combination of type, version and language no contract can be found, the error is of type ErrContractNotFound

func (*Auth) ContractSessionStatus 

func (auth *Auth) ContractSessionStatus(sessionID string) (*SessionStatusResult, error)

ContractSessionStatus returns the current session status for a given sessionID. If the session is not found, the error is an ErrSessionNotFound and SessionStatusResult is nil

func (*Auth) CreateAccessToken added in v0.13.0 

func (auth *Auth) CreateAccessToken(request CreateAccessTokenRequest) (*AccessTokenResponse, error)

CreateAccessToken extracts the claims out of the request, checks the validity and builds the access token

func (*Auth) CreateContractSession 

func (auth *Auth) CreateContractSession(sessionRequest CreateSessionRequest) (*CreateSessionResult, error)

CreateContractSession creates a session based on an IRMA contract. This allows the user to permit the application to use the Nuts Network in its name. The user can limit the application in time and scope. By signing it with IRMA other nodes in the network can verify the validity of the contract.

func (*Auth) CreateJwtBearerToken added in v0.13.0 

func (auth *Auth) CreateJwtBearerToken(request CreateJwtBearerTokenRequest) (*JwtBearerTokenResponse, error)

CreateJwtBearerToken creates a JwtBearerToken from the given CreateJwtBearerTokenRequest

func (*Auth) IntrospectAccessToken added in v0.13.0 

func (auth *Auth) IntrospectAccessToken(token string) (*NutsAccessToken, error)

IntrospectAccessToken fills the fields in NutsAccessToken from the given Jwt Access Token

func (*Auth) KeyExistsFor added in v0.13.0 

func (auth *Auth) KeyExistsFor(legalEntity string) bool

KeyExistsFor check if the private key exists on this node by calling the same function on the cryptoClient

func (*Auth) OrganizationNameByID added in v0.13.0 

func (auth *Auth) OrganizationNameByID(legalEntity string) (string, error)

OrganizationNameByID returns the name of an organisation from the registry

func (*Auth) ValidateContract 

func (auth *Auth) ValidateContract(request ValidationRequest) (*ContractValidationResult, error)

ValidateContract validates a given contract. Currently two ContractType's are accepted: Irma and Jwt. Both types should be passed as a base64 encoded string in the ContractString of the request paramContractString of the request param

type AuthClient 

type AuthClient interface {
	CreateContractSession(sessionRequest CreateSessionRequest) (*CreateSessionResult, error)
	ContractSessionStatus(sessionID string) (*SessionStatusResult, error)
	ContractByType(contractType ContractType, language Language, version Version) (*Contract, error)
	ValidateContract(request ValidationRequest) (*ContractValidationResult, error)
	CreateAccessToken(request CreateAccessTokenRequest) (*AccessTokenResponse, error)
	CreateJwtBearerToken(request CreateJwtBearerTokenRequest) (*JwtBearerTokenResponse, error)
	IntrospectAccessToken(token string) (*NutsAccessToken, error)
	KeyExistsFor(legalEntity string) bool
	OrganizationNameByID(legalEntity string) (string, error)
}

AuthClient is the interface which should be implemented for clients or mocks

type AuthConfig 

type AuthConfig struct {
	Mode                      string
	Address                   string
	PublicUrl                 string
	IrmaConfigPath            string
	IrmaSchemeManager         string
	SkipAutoUpdateIrmaSchemas bool
	ActingPartyCn             string
	EnableCORS                bool
}

AuthConfig holds all the configuration params

type Contract 

type Contract struct {
	Type                 ContractType `json:"type"`
	Version              Version      `json:"version"`
	Language             Language     `json:"language"`
	SignerAttributes     []string     `json:"signer_attributes"`
	SignerDemoAttributes []string     `json:"-"`
	Template             string       `json:"template"`
	TemplateAttributes   []string     `json:"template_attributes"`
	Regexp               string       `json:"-"`
}

Contract stores the properties of a contract

func ContractByType 

func ContractByType(contractType ContractType, language Language, version Version) (*Contract, error)

ContractByType returns the contract for a certain type, language and version. If version is omitted "v1" is used If no contract is found, the error vaule of ErrContractNotFound is returned.

func ContractFromMessageContents 

func ContractFromMessageContents(contents string) (*Contract, error)

ContractFromMessageContents finds the contract for a certain message. Every message should begin with a special sequence like "NL:ContractName:version".

type ContractFormat 

type ContractFormat string

ContractFormat describes the format of a signed contract. Based on the format an appropriate validator can be selected.

type ContractSessionHandler 

type ContractSessionHandler interface {
	SessionStatus(session SessionID) (*SessionStatusResult, error)
	StartSession(request interface{}, handler irmaserver.SessionHandler) (*irma.Qr, string, error)
}

ContractSessionHandler interface must be implemented by ContractSessionHandlers

type ContractType 

type ContractType string

ContractType contains type of the contract to sign. Example: "BehandelaarLogin"

type ContractValidationResult added in v0.13.0 

type ContractValidationResult struct {
	ValidationResult ValidationState `json:"validation_result"`
	ContractFormat   ContractFormat  `json:"contract_format"`
	// DisclosedAttributes contain the attributes used to sign this contract
	DisclosedAttributes map[string]string `json:"disclosed_attributes"`
}

ContractValidationResult contains the result of a contract validation

type ContractValidator 

type ContractValidator interface {
	ValidateContract(contract string, format ContractFormat, actingPartyCN string) (*ContractValidationResult, error)
	ValidateJwt(contract string, actingPartyCN string) (*ContractValidationResult, error)
	IsInitialized() bool
}

ContractValidator interface must be implemented by contract validators

type CreateAccessTokenRequest added in v0.13.0 

type CreateAccessTokenRequest struct {
	JwtBearerToken   string
	VendorIdentifier string
}

CreateAccessTokenRequest contains all information to create an access token from a JwtBearerToken

type CreateJwtBearerTokenRequest added in v0.13.0 

type CreateJwtBearerTokenRequest struct {
	Actor         string
	Custodian     string
	IdentityToken string
	Subject       string
	Scope         string
}

CreateJwtBearerTokenRequest contains all information to create a JwtBearerToken

type CreateSessionRequest 

type CreateSessionRequest struct {
	// ContractType such as "BehandelaarLogin"
	Type ContractType
	// Version of the contract such as "v1"
	Version Version
	// Language of the contact such as "NL"
	Language Language
	// LegalEntity denotes the organization of the user
	LegalEntity string
	// ValidFrom describes the time from which this contract should be considered valid
	ValidFrom time.Time
	// ValidFrom describes the time until this contract should be considered valid
	ValidTo time.Time
	// TemplateAttributes is an object containing extra template values. example: {"reason":"providing care"}
	TemplateAttributes map[string]string
}

CreateSessionRequest is used to create a contract signing session.

type CreateSessionResult 

type CreateSessionResult struct {
	QrCodeInfo irma.Qr
	SessionID  string
}

CreateSessionResult contains the results needed to setup an irma flow

type DefaultIrmaClient added in v0.13.0 

type DefaultIrmaClient struct {
	I *irmaserver.Server
}

DefaultIrmaClient is a wrapper for the Irma Server

func (*DefaultIrmaClient) GetSessionResult added in v0.13.0 

func (d *DefaultIrmaClient) GetSessionResult(token string) *server.SessionResult

GetSessionResult forwards to Irma Server instance

func (*DefaultIrmaClient) StartSession added in v0.13.0 

func (d *DefaultIrmaClient) StartSession(request interface{}, handler irmaserver.SessionHandler) (*irma.Qr, string, error)

StartSession forwards to Irma Server instance

type DefaultValidator 

type DefaultValidator struct {
	IrmaServer IrmaServerClient
	IrmaConfig *irma.Configuration
	Registry   registry.RegistryClient
	Crypto     nutscrypto.Client
}

DefaultValidator validates contracts using the irma logic.

func (DefaultValidator) BuildAccessToken added in v0.13.0 

func (v DefaultValidator) BuildAccessToken(jwtBearerToken *NutsJwtBearerToken, identityValidationResult *ContractValidationResult) (string, error)

BuildAccessToken builds an access token based on the oauth claims and the identity of the user provided by the identityValidationResult The token gets signed with the custodians private key and returned as a string.

func (DefaultValidator) CreateIdentityTokenFromIrmaContract added in v0.13.0 

func (v DefaultValidator) CreateIdentityTokenFromIrmaContract(contract *SignedIrmaContract, legalEntity string) (string, error)

CreateIdentityTokenFromIrmaContract from a signed irma contract. Returns a JWT signed with the provided legalEntity.

func (DefaultValidator) CreateJwtBearerToken added in v0.13.0 

func (v DefaultValidator) CreateJwtBearerToken(request *CreateJwtBearerTokenRequest) (*JwtBearerTokenResponse, error)

CreateJwtBearerToken creates a JwtBearerTokenResponse containing a jwtBearerToken from a CreateJwtBearerTokenRequest.

func (DefaultValidator) IsInitialized added in v0.13.0 

func (v DefaultValidator) IsInitialized() bool

IsInitialized is a helper function to determine if the validator has been initialized properly.

func (DefaultValidator) ParseAndValidateAccessToken added in v0.13.0 

func (v DefaultValidator) ParseAndValidateAccessToken(accessToken string) (*NutsAccessToken, error)

ParseAndValidateAccessToken parses and validates a accesstoken string and returns a filled in NutsAccessToken.

func (DefaultValidator) ParseAndValidateJwtBearerToken added in v0.13.0 

func (v DefaultValidator) ParseAndValidateJwtBearerToken(acString string) (*NutsJwtBearerToken, error)

ParseAndValidateJwtBearerToken validates the jwt signature and returns the containing claims

func (DefaultValidator) SessionStatus 

func (v DefaultValidator) SessionStatus(id SessionID) (*SessionStatusResult, error)

SessionStatus returns the current status of a certain session. It returns nil if the session is not found

func (DefaultValidator) StartSession 

func (v DefaultValidator) StartSession(request interface{}, handler irmaserver.SessionHandler) (*irma.Qr, string, error)

StartSession starts an irma session. This is mainly a wrapper around the irma.IrmaServer.StartSession

func (DefaultValidator) ValidateContract 

func (v DefaultValidator) ValidateContract(b64EncodedContract string, format ContractFormat, actingPartyCN string) (*ContractValidationResult, error)

ValidateContract is the entrypoint for contract validation. It decodes the base64 encoded contract, parses the contract string, and validates the contract. Returns nil, ErrUnknownContractFormat if the contract used in the message is unknown

func (DefaultValidator) ValidateJwt 

func (v DefaultValidator) ValidateJwt(token string, actingPartyCN string) (*ContractValidationResult, error)

ValidateJwt validates a JWT formatted identity token

type IrmaServerClient added in v0.13.0 

type IrmaServerClient interface {
	GetSessionResult(token string) *server.SessionResult
	StartSession(request interface{}, handler irmaserver.SessionHandler) (*irma.Qr, string, error)
}

IrmaServerClient is an abstraction for the Irma Server, mainly for enabling better testing

type JwtBearerTokenResponse added in v0.13.0 

type JwtBearerTokenResponse struct {
	BearerToken string
}

JwtBearerTokenResponse defines the return value back to the api for the createJwtBearerToken method

type Language 

type Language string

Language of the contract in all caps. example: "NL"

type NutsAccessToken added in v0.13.0 

type NutsAccessToken struct {
	jwt.StandardClaims
	SubjectID  string `json:"sid"`
	Scope      string `json:"scope"`
	Name       string `json:"name"`
	GivenName  string `json:"given_name"`
	Prefix     string `json:"prefix"`
	FamilyName string `json:"family_name"`
	Email      string `json:"email"`
}

NutsAccessToken is a OAuth 2.0 access token which provides context to a request. Its contents are derived from a Jwt Bearer token. The Jwt Bearer token is verified by the authorization server and stripped from the proof to make it compact.

type NutsIdentityToken added in v0.13.0 

type NutsIdentityToken struct {
	jwt.StandardClaims
	//Identifier of the legalEntity who issued and signed the token
	//Issuer string
	// What kind of signature? Currently only IRMA is supported
	Type ContractFormat `json:"type"`
	// The base64 encoded signature
	Signature string `json:"sig"`
}

NutsIdentityToken contains the signed identity of the user performing the request

type NutsJwtBearerToken added in v0.13.0 

type NutsJwtBearerToken struct {
	jwt.StandardClaims
	IdentityToken string `json:"usi"`
	SubjectID     string `json:"sid"`
	Scope         string `json:"scope"`
}

NutsJwtBearerToken contains the deserialized Jwt Bearer Token as defined in rfc7523. It contains a NutsIdentity token which can be verified by the authorization server.

type SessionID 

type SessionID string

SessionID contains a number to uniquely identify a contract signing session

type SessionStatusResult 

type SessionStatusResult struct {
	server.SessionResult
	// NutsAuthToken contains the JWT if the sessionStatus is DONE
	NutsAuthToken string `json:"nuts_auth_token"`
}

SessionStatusResult contains the current state of a session. If the session is DONE it also contains a JWT in the NutsAuthToken

type SignedIrmaContract 

type SignedIrmaContract struct {
	IrmaContract irma.SignedMessage
}

SignedIrmaContract holds the contract and additional methods to parse and validate.

func ParseIrmaContract 

func ParseIrmaContract(rawContract string) (*SignedIrmaContract, error)

ParseIrmaContract parses a json string containing a signed irma contract.

func (*SignedIrmaContract) Validate 

func (sc *SignedIrmaContract) Validate(actingPartyCn string, configuration *irma.Configuration) (*ContractValidationResult, error)

Validate the SignedIrmaContract looks at the irma crypto and the actual message such as: Is the timeframe valid and does the common name corresponds with the contract message.

type ValidationRequest 

type ValidationRequest struct {
	// ContractFormat specifies the type of format used for the contract, e.g. 'irma'
	ContractFormat ContractFormat

	// The actual contract in string format to validate
	ContractString string

	// ActingPartyCN is the common name of the Acting party extracted from the client cert
	ActingPartyCN string
}

ValidationRequest is used to pass all information to ValidateContract

type ValidationState 

type ValidationState string

ValidationState contains the outcome of the validation. It van be VALID or INVALID. This makes it human readable.

type Version 

type Version string

Version of the contract. example: "v1"

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.