auth

package
Published: May 25, 2026 License: Apache-2.0 Imports: 22 Imported by: 9

Documentation

Overview

SPDX-FileCopyrightText: (C) 2026 Intel Corporation SPDX-License-Identifier: Apache-2.0

Index

Constants

// Configuration key names and the OIDC discovery path used by this package.
const (
	// SharedSecretKey names the shared secret used for signing a token.
	// NOTE(review): the sibling keys below are documented as environment
	// variables; confirm whether this one is read the same way.
	SharedSecretKey = "SHARED_SECRET_KEY"
	// OIDCServerURL is the environment variable holding the OIDC server URL.
	OIDCServerURL = "OIDC_SERVER_URL"

	// OIDCTlsInsecureSkipVerify is the environment variable whose name indicates
	// that it disables TLS certificate verification towards the OIDC server.
	// Enabling it removes server authentication for discovery and key retrieval,
	// so it should only ever be set in local development; confirm the exact
	// semantics in the code that reads it.
	OIDCTlsInsecureSkipVerify = "OIDC_TLS_INSECURE_SKIP_VERIFY"

	// OpenidConfiguration is the discovery document path on the OIDC server.
	OpenidConfiguration = ".well-known/openid-configuration"
	// HS is the prefix of the HMAC-based (HS*) JWT signing algorithms.
	HS = "HS"
	// RS is the prefix of the RSA PKCS#1 v1.5 (RS*) JWT signing algorithms.
	RS = "RS"
	// PS is the prefix of the RSA-PSS (PS*) JWT signing algorithms.
	PS = "PS"
)

Variables

var (
	// K8STokenFile is initialised from the package-level vaultK8STokenFile
	// (declared outside this listing); presumably the path of the Kubernetes
	// service-account token file used for Vault authentication — confirm against
	// that declaration. Being a variable rather than a constant, it may be
	// overridden by callers.
	K8STokenFile = vaultK8STokenFile
)

Functions

func ExtractAllProjectIDsFromJWT

func ExtractAllProjectIDsFromJWT(authHeader string) (map[string]bool, error)

ExtractAllProjectIDsFromJWT extracts all project UUIDs from the JWT token's roles without verifying the signature and returns them as a map of project IDs for quick lookup. It assumes the JWT has already been validated by upstream authentication middleware; use ExtractAllProjectIDsFromJWTWithVerification if signature verification is required.

func ExtractAllProjectIDsFromJWTWithVerification

func ExtractAllProjectIDsFromJWTWithVerification(authHeader string) (map[string]bool, error)

ExtractAllProjectIDsFromJWTWithVerification extracts all project UUIDs from JWT token roles and verifies the JWT signature using ORCH_JWT_SIGNING_KEY. Use this when the JWT has NOT been validated by upstream middleware.

func ExtractProjectIDFromJWT

func ExtractProjectIDFromJWT(authHeader string) (string, error)

ExtractProjectIDFromJWT extracts the project UUID from the JWT token's roles without verifying the signature. It assumes the JWT has already been validated by upstream authentication middleware; use ExtractProjectIDFromJWTWithVerification if signature verification is required.

func ExtractProjectIDFromJWTWithVerification

func ExtractProjectIDFromJWTWithVerification(authHeader string) (string, error)

ExtractProjectIDFromJWTWithVerification extracts the project UUID from JWT token roles and verifies the JWT signature using ORCH_JWT_SIGNING_KEY. Use this when the JWT has NOT been validated by upstream middleware.

func ValidateProjectAccess

func ValidateProjectAccess(authHeader string, projectID string) error

ValidateProjectAccess checks whether projectID is accessible under the given user's JWT token without verifying the signature. It extracts all project UUIDs from the JWT roles and confirms that projectID is among them, which prevents users from accessing projects they have no permissions for. It assumes the JWT has already been validated by upstream authentication middleware; use ValidateProjectAccessWithVerification if signature verification is required.

func ValidateProjectAccessWithVerification

func ValidateProjectAccessWithVerification(authHeader string, projectID string) error

ValidateProjectAccessWithVerification checks if the ProjectID is accessible under the given user's JWT token and verifies the JWT signature using ORCH_JWT_SIGNING_KEY. Use this when the JWT has NOT been validated by upstream middleware.

Types

type Authenticator

// Authenticator is implemented by the different authentication methods this
// package supports; each implementation decides how a token is checked.
type Authenticator interface {
	// Authenticate authenticates the given string token, returning its claims
	// on success and an error when the token is rejected.
	Authenticate(string) (jwt.MapClaims, error)
}

Authenticator is an interface for implementing different authentication methods.

type ClientSecretData

// ClientSecretData is the JSON shape of a client ID / client secret pair
// (keys "client_id" and "client_secret").
type ClientSecretData struct {
	// ClientID is the client identifier.
	ClientID     string `json:"client_id"`
	// ClientSecret is credential material; keep it out of logs and error messages.
	ClientSecret string `json:"client_secret"`
}

type JwtAuthenticator

// JwtAuthenticator is a JWT authenticator with no configuration fields; its
// behaviour lives entirely in the ParseAndValidate method.
type JwtAuthenticator struct {
}

JwtAuthenticator is a JWT authenticator.

func (*JwtAuthenticator) ParseAndValidate

func (j *JwtAuthenticator) ParseAndValidate(tokenString string) (jwt.Claims, error)

ParseAndValidate parses a JWT string token and validates it.

type KeycloakClient

// KeycloakClient is the JSON representation of a Keycloak client as decoded by
// this package. The tag names presumably mirror Keycloak's client
// representation — confirm against the Keycloak admin API in use.
type KeycloakClient struct {
	ID                           string        `json:"id"`
	ClientID                     string        `json:"clientId"`
	Name                         string        `json:"name"`
	Description                  string        `json:"description"`
	SurrogateAuthRequired        bool          `json:"surrogateAuthRequired"`
	Enabled                      bool          `json:"enabled"`
	AlwaysDisplayInConsole       bool          `json:"alwaysDisplayInConsole"`
	ClientAuthenticatorType      string        `json:"clientAuthenticatorType"`
	// Secret is credential material; keep it out of logs and error messages.
	Secret                       string        `json:"secret"`
	// RedirectUris and WebOrigins are decoded as untyped JSON values, so
	// callers must type-assert each element before use.
	RedirectUris                 []interface{} `json:"redirectUris"`
	WebOrigins                   []interface{} `json:"webOrigins"`
	NotBefore                    int           `json:"notBefore"`
	BearerOnly                   bool          `json:"bearerOnly"`
	ConsentRequired              bool          `json:"consentRequired"`
	// The *FlowEnabled / *GrantsEnabled flags describe which OAuth2/OIDC
	// flows the client is allowed to use, as reported by the server.
	StandardFlowEnabled          bool          `json:"standardFlowEnabled"`
	ImplicitFlowEnabled          bool          `json:"implicitFlowEnabled"`
	DirectAccessGrantsEnabled    bool          `json:"directAccessGrantsEnabled"`
	ServiceAccountsEnabled       bool          `json:"serviceAccountsEnabled"`
	AuthorizationServicesEnabled bool          `json:"authorizationServicesEnabled"`
	// PublicClient reports whether the client is public (no client secret).
	PublicClient                 bool          `json:"publicClient"`
	FrontchannelLogout           bool          `json:"frontchannelLogout"`
	Protocol                     string        `json:"protocol"`
	// Attributes carries the server-side attribute map; all values are strings.
	Attributes                   struct {
		OidcCibaGrantEnabled                  string `json:"oidc.ciba.grant.enabled"`
		Oauth2DeviceAuthorizationGrantEnabled string `json:"oauth2.device.authorization.grant.enabled"`
		ClientSecretCreationTime              string `json:"client.secret.creation.time"`
		BackchannelLogoutSessionRequired      string `json:"backchannel.logout.session.required"`
		BackchannelLogoutRevokeOfflineTokens  string `json:"backchannel.logout.revoke.offline.tokens"`
	} `json:"attributes"`
	// AuthenticationFlowBindingOverrides is decoded but carries no fields here.
	AuthenticationFlowBindingOverrides struct {
	} `json:"authenticationFlowBindingOverrides"`
	FullScopeAllowed          bool `json:"fullScopeAllowed"`
	NodeReRegistrationTimeout int  `json:"nodeReRegistrationTimeout"`
	// ProtocolMappers lists the token claim mappers configured on the client.
	ProtocolMappers           []struct {
		ID              string `json:"id"`
		Name            string `json:"name"`
		Protocol        string `json:"protocol"`
		ProtocolMapper  string `json:"protocolMapper"`
		ConsentRequired bool   `json:"consentRequired"`
		Config          struct {
			UserSessionNote  string `json:"user.session.note"`
			IDTokenClaim     string `json:"id.token.claim"`
			AccessTokenClaim string `json:"access.token.claim"`
			ClaimName        string `json:"claim.name"`
			JSONTypeLabel    string `json:"jsonType.label"`
		} `json:"config"`
	} `json:"protocolMappers"`
	DefaultClientScopes  []string `json:"defaultClientScopes"`
	OptionalClientScopes []string `json:"optionalClientScopes"`
	// Access reports the caller's permissions on this client object.
	Access               struct {
		View      bool `json:"view"`
		Configure bool `json:"configure"`
		Manage    bool `json:"manage"`
	} `json:"access"`
}

type KeycloakSecret

// KeycloakSecret is the JSON shape of a client credential as returned by
// Keycloak: a Type label and the secret Value itself.
type KeycloakSecret struct {
	Type  string `json:"type"`
	// Value is credential material; keep it out of logs and error messages.
	Value string `json:"value"`
}

type VaultAuth

// VaultAuth is the contract for obtaining tokens via Vault and Keycloak; see
// NewVaultAuth for the concrete implementation.
type VaultAuth interface {
	// GetVaultToken returns a Vault token, or an error if one cannot be obtained.
	GetVaultToken(ctx context.Context) (string, error)
	// GetM2MToken returns a machine-to-machine token, or an error.
	GetM2MToken(ctx context.Context) (string, error)
	// CreateClientSecret creates a client secret for the given username and
	// password and returns it. The password is credential material; callers
	// should not log it.
	CreateClientSecret(ctx context.Context, username string, password string) (string, error)
	// Logout ends the authenticated session, returning any error encountered.
	Logout(ctx context.Context) error
}

func NewVaultAuth

func NewVaultAuth(keycloakServer string, vaultServer string, serviceAccount string) (VaultAuth, error)
