Constants ¶
// Action names. They are presumably the action column matched by the Casbin
// policy behind Enforcer (which embeds *casbin.Enforcer); how each RPC maps to
// an action is not visible here — confirm against the policy.
const (
	ActionRead   = "read"
	ActionWrite  = "write"
	ActionDelete = "delete"
	// ActionUnsafe is a distinct action so that the policy can withhold it
	// from roles that are otherwise granted write access — verify in the policy.
	ActionUnsafe = "unsafe"
	ActionOther  = "other"
)
const (
	// DiscoveryPath is the path to the discovery endpoint. It is the
	// OpenID Connect Discovery well-known path, resolved relative to the
	// issuer (see DiscoverOIDCConfiguration).
	DiscoveryPath = "/.well-known/openid-configuration"
)
Variables ¶
// Exported error variables for client ID processing. Callers should match
// them with errors.Is rather than comparing message strings.
var (
	// ErrClientIDClaimNotConfigured: no claim name is configured for the client
	// ID — presumably PolicyConfig.ClientIDClaim is empty; confirm.
	ErrClientIDClaimNotConfigured = errors.New("no client ID claim configured")
	// ErrClientIDClaimNotFound: the configured claim is absent from the token.
	ErrClientIDClaimNotFound = errors.New("client ID claim not found")
	// ErrClientIDClaimNotString: the claim is present but is not a JSON string.
	ErrClientIDClaimNotString = errors.New("client ID claim is not a string")
)
var (
	// ErrPermissionDenied is the sentinel error for an authorization failure
	// (presumably returned when the enforcer rejects the request — confirm).
	// Match it with errors.Is.
	ErrPermissionDenied = errors.New("permission denied")
)
Functions ¶
func IPCMetadataClientInterceptor ¶ added in v0.11.0
func IPCMetadataClientInterceptor(log *logger.Logger) connect.UnaryInterceptorFunc
IPCMetadataClientInterceptor transfers gRPC outgoing metadata to Connect request headers for IPC calls
Types ¶
type AuthNConfig ¶
// AuthNConfig is the configuration needed for the platform to validate tokens.
type AuthNConfig struct {
	// EnforceDPoP defaults to false, so DPoP proof-of-possession checking is
	// opt-in; presumably bearer tokens are accepted unless this is set — confirm.
	EnforceDPoP bool `mapstructure:"enforceDPoP" json:"enforceDPoP" default:"false"`
	// Issuer is the token issuer; DiscoverOIDCConfiguration takes an issuer
	// and resolves DiscoveryPath beneath it.
	Issuer string `mapstructure:"issuer" json:"issuer"`
	// Audience is presumably the audience value tokens must carry — confirm.
	Audience string `mapstructure:"audience" json:"audience"`
	// Policy configures authorization; see PolicyConfig.
	Policy PolicyConfig `mapstructure:"policy" json:"policy"`
	// CacheRefresh is a string (config key cache_refresh_interval); presumably
	// the refresh interval of the JWKS cache held by Authentication — confirm
	// how it is parsed.
	CacheRefresh string `mapstructure:"cache_refresh_interval" json:"cache_refresh_interval"`
	// DPoPSkew defaults to 1h. NOTE(review): presumably the clock-skew window
	// accepted for DPoP proofs; a wide window lengthens the time a captured
	// proof stays acceptable — confirm the intended default.
	DPoPSkew time.Duration `mapstructure:"dpopskew" json:"dpopskew" default:"1h"`
	// TokenSkew defaults to 1m; presumably the clock skew tolerated when
	// checking token time claims — confirm.
	TokenSkew time.Duration `mapstructure:"skew" json:"skew" default:"1m"`
}
AuthNConfig is the configuration needed for the platform to validate tokens
type Authentication ¶
// Authentication holds a jwks cache and information about the openid
// configuration. Construct it with NewAuthenticator; the zero value is not
// documented as usable.
type Authentication struct {
	// contains filtered or unexported fields
}
Authentication holds a jwks cache and information about the openid configuration
func NewAuthenticator ¶
func NewAuthenticator(ctx context.Context, cfg Config, logger *logger.Logger, wellknownRegistration func(namespace string, config any) error) (*Authentication, error)
NewAuthenticator creates a new authenticator which is used to verify tokens for a set of given issuers
func (Authentication) ConnectUnaryServerInterceptor ¶ added in v0.4.27
func (a Authentication) ConnectUnaryServerInterceptor() connect.UnaryInterceptorFunc
ConnectUnaryServerInterceptor is a grpc interceptor that verifies the token in the metadata
func (Authentication) IPCUnaryServerInterceptor ¶ added in v0.5.0
func (a Authentication) IPCUnaryServerInterceptor() connect.UnaryInterceptorFunc
IPCUnaryServerInterceptor is a grpc interceptor that: 1. verifies the token in the metadata 2. reauthorizes the token if the route is in the list 3. translates known IPC Connect request headers back to context metadata for downstream consumers
func (Authentication) MuxHandler ¶
func (a Authentication) MuxHandler(handler http.Handler) http.Handler
MuxHandler returns an http handler that verifies the token
type CasbinConfig ¶
// CasbinConfig is the input to NewCasbinEnforcer: the policy settings plus
// an optional role provider.
type CasbinConfig struct {
	// PolicyConfig is embedded, so its fields are addressed directly.
	PolicyConfig
	// RoleProvider supplies roles programmatically; see also
	// Config.RoleProvider, which is not loaded from config.
	RoleProvider authz.RoleProvider
}
type Config ¶
// Config pulls AuthN and AuthZ together.
type Config struct {
	// Enabled defaults to true.
	Enabled bool `mapstructure:"enabled" json:"enabled" default:"true"`
	// PublicRoutes is set programmatically (mapstructure:"-"); presumably
	// routes that are served without token verification — confirm, and keep
	// the list minimal.
	PublicRoutes []string `mapstructure:"-" json:"-"`
	// Used for re-authentication of IPC connections
	IPCReauthRoutes []string `mapstructure:"-" json:"-"`
	// AuthNConfig is squashed, so its keys appear at this level of the config.
	AuthNConfig `mapstructure:",squash"`
	// Programmatic role provider overrides (not loaded from config)
	RoleProvider         authz.RoleProvider                   `mapstructure:"-" json:"-"`
	RoleProviderFactories map[string]authz.RoleProviderFactory `mapstructure:"-" json:"-"`
}
Config pulls AuthN and AuthZ together
type Enforcer ¶
// Enforcer wraps a casbin enforcer together with the configuration and
// policy text it was built from. Create it with NewCasbinEnforcer.
type Enforcer struct {
	// The embedded *casbin.Enforcer exposes the casbin API directly.
	*casbin.Enforcer
	// Config is the CasbinConfig the enforcer was created with.
	Config CasbinConfig
	// Policy is the policy text in use — presumably the builtin policy, or
	// its Csv/Extension override from PolicyConfig; confirm.
	Policy string
	// contains filtered or unexported fields
}
func NewCasbinEnforcer ¶
func NewCasbinEnforcer(c CasbinConfig, logger *logger.Logger) (*Enforcer, error)
NewCasbinEnforcer creates a new casbin enforcer
type OIDCConfiguration ¶
// OIDCConfiguration holds the openid configuration for the issuer. Only the
// fields required by OpenID Connect Discovery are included; each json tag is
// the provider-metadata name from
// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
type OIDCConfiguration struct {
	// Issuer as reported by the discovery document. NOTE(review): the spec
	// requires this to equal the issuer the document was fetched from; whether
	// DiscoverOIDCConfiguration checks that is not visible here — confirm.
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	UserinfoEndpoint      string `json:"userinfo_endpoint"`
	// JwksURI is where signing keys are fetched from; presumably it feeds the
	// jwks cache in Authentication — confirm.
	JwksURI                          string   `json:"jwks_uri"`
	ResponseTypesSupported           []string `json:"response_types_supported"`
	SubjectTypesSupported            []string `json:"subject_types_supported"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
	RequireRequestURIRegistration    bool     `json:"require_request_uri_registration"`
}
OIDCConfiguration holds the openid configuration for the issuer. Currently only required fields are included (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)
func DiscoverOIDCConfiguration ¶
func DiscoverOIDCConfiguration(ctx context.Context, issuer string, logger *logger.Logger) (*OIDCConfiguration, error)
DiscoverOIDCConfiguration discovers the openid configuration for the issuer provided
type PolicyConfig ¶
// PolicyConfig selects the casbin policy and model and names the token claims
// that identify the subject, its groups and its client.
type PolicyConfig struct {
	// Builtin is set programmatically (mapstructure:"-"); presumably the
	// builtin policy text — confirm.
	Builtin string `mapstructure:"-" json:"-"`
	// Username claim to use for user information (default preferred_username)
	UserNameClaim string `mapstructure:"username_claim" json:"username_claim" default:"preferred_username"`
	// Claim to use for group/role information. The default is a dotted path
	// (realm_access.roles), so nested claims appear to be supported — confirm.
	GroupsClaim string `mapstructure:"groups_claim" json:"groups_claim" default:"realm_access.roles"`
	// Role provider configuration (resolved via StartOptions)
	RolesProvider RolesProviderConfig `mapstructure:"roles_provider" json:"roles_provider"`
	// Claim to use to reference idP clientID (default azp); the ErrClientIDClaim*
	// errors describe the failure modes when it is missing or not a string.
	ClientIDClaim string `mapstructure:"client_id_claim" json:"client_id_claim" default:"azp"`
	// Deprecated: Use GroupsClaim instead
	RoleClaim string `mapstructure:"claim" json:"claim" default:"realm_access.roles"`
	// Deprecated: Use Casbin grouping statements g, <user/group>, <role>
	RoleMap map[string]string `mapstructure:"map" json:"map"`
	// Override the builtin policy with a custom policy. Replacing the whole
	// policy discards the builtin rules, so review the result as a complete
	// policy rather than a delta.
	Csv string `mapstructure:"csv" json:"csv"`
	// Extend the builtin policy with a custom policy
	Extension string `mapstructure:"extension" json:"extension"`
	// Model is presumably the casbin model text — confirm.
	Model string `mapstructure:"model" json:"model"`
	// Override the default string-adapter
	Adapter persist.Adapter `mapstructure:"-" json:"-"`
}