Documentation
¶
Index ¶
- func DefaultErrorHandler(w http.ResponseWriter, r *http.Request, err error)
- type AuthMiddleware
- type MockConfig
- type MockServer
- func (m *MockServer) ClearAllHitCounters()
- func (m *MockServer) DefaultClaims() OIDCClaims
- func (m *MockServer) DefaultHeaders() map[string]interface{}
- func (m *MockServer) JWKsHandler(w http.ResponseWriter, _ *http.Request)
- func (m *MockServer) SignToken(claims OIDCClaims, header map[string]interface{}) (string, error)
- func (m *MockServer) SignTokenWithAdditionalClaims(claims OIDCClaims, additionalClaims map[string]interface{}, ...) (string, error)
- func (m *MockServer) WellKnownHandler(w http.ResponseWriter, _ *http.Request)
- type OAuthConfig
- type OIDCClaims
- type OIDCClaimsBuilder
- func (b *OIDCClaimsBuilder) Audience(aud ...string) *OIDCClaimsBuilder
- func (b *OIDCClaimsBuilder) Build() OIDCClaims
- func (b *OIDCClaimsBuilder) Email(email string) *OIDCClaimsBuilder
- func (b *OIDCClaimsBuilder) ExpiresAt(expiresAt time.Time) *OIDCClaimsBuilder
- func (b *OIDCClaimsBuilder) FamilyName(familyName string) *OIDCClaimsBuilder
- func (b *OIDCClaimsBuilder) GivenName(givenName string) *OIDCClaimsBuilder
- func (b *OIDCClaimsBuilder) ID(id string) *OIDCClaimsBuilder
- func (b *OIDCClaimsBuilder) IssuedAt(issuedAt time.Time) *OIDCClaimsBuilder
- func (b *OIDCClaimsBuilder) Issuer(issuer string) *OIDCClaimsBuilder
- func (b *OIDCClaimsBuilder) NotBefore(notBefore time.Time) *OIDCClaimsBuilder
- func (b *OIDCClaimsBuilder) Subject(subject string) *OIDCClaimsBuilder
- func (b *OIDCClaimsBuilder) UserUUID(userUUID string) *OIDCClaimsBuilder
- func (b *OIDCClaimsBuilder) WithoutAudience() *OIDCClaimsBuilder
- func (b *OIDCClaimsBuilder) WithoutExpiresAt() *OIDCClaimsBuilder
- func (b *OIDCClaimsBuilder) WithoutIssuedAt() *OIDCClaimsBuilder
- func (b *OIDCClaimsBuilder) WithoutNotBefore() *OIDCClaimsBuilder
- func (b *OIDCClaimsBuilder) ZoneID(zoneID string) *OIDCClaimsBuilder
- type OIDCHeaderBuilder
- type Options
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DefaultErrorHandler ¶
func DefaultErrorHandler(w http.ResponseWriter, r *http.Request, err error)
Types ¶
type AuthMiddleware ¶
type AuthMiddleware struct {
// contains filtered or unexported fields
}
func NewAuthMiddleware ¶
func NewAuthMiddleware(oAuthConfig OAuthConfig, options Options) *AuthMiddleware
func (*AuthMiddleware) Authenticate ¶
func (m *AuthMiddleware) Authenticate(r *http.Request) (*OIDCClaims, error)
func (*AuthMiddleware) ClearCache ¶
func (m *AuthMiddleware) ClearCache()
ClearCache clears the entire storage of cached OIDC tenants, including their JWKs.
func (*AuthMiddleware) ParseAndValidateJWT ¶
func (m *AuthMiddleware) ParseAndValidateJWT(rawToken string) (*jwt.Token, error)
type MockConfig ¶
func (MockConfig) GetClientID ¶
func (c MockConfig) GetClientID() string
func (MockConfig) GetClientSecret ¶
func (c MockConfig) GetClientSecret() string
func (MockConfig) GetDomain ¶
func (c MockConfig) GetDomain() string
func (MockConfig) GetURL ¶
func (c MockConfig) GetURL() string
type MockServer ¶
// MockServer groups an httptest server with the configuration, RSA key and
// hit counters listed below. It is returned by NewOIDCMockServer.
type MockServer struct {
// Server is the underlying httptest server.
Server *httptest.Server
// Config is the MockConfig associated with this server.
Config *MockConfig
// RSAKey is an RSA private key held in an exported field.
// NOTE(review): presumably SignToken signs with this key and JWKsHandler
// serves its public half — confirm against the implementation. Treat it
// as test-only key material and never reuse it outside tests.
RSAKey *rsa.PrivateKey
// WellKnownHitCounter is presumably incremented by WellKnownHandler — confirm.
WellKnownHitCounter int
// JWKsHitCounter is presumably incremented by JWKsHandler — confirm.
// Both counters are plain ints; no synchronization is visible in this
// declaration.
JWKsHitCounter int
}
func NewOIDCMockServer ¶
func NewOIDCMockServer() (*MockServer, error)
func (*MockServer) ClearAllHitCounters ¶
func (m *MockServer) ClearAllHitCounters()
func (*MockServer) DefaultClaims ¶
func (m *MockServer) DefaultClaims() OIDCClaims
func (*MockServer) DefaultHeaders ¶
func (m *MockServer) DefaultHeaders() map[string]interface{}
func (*MockServer) JWKsHandler ¶
func (m *MockServer) JWKsHandler(w http.ResponseWriter, _ *http.Request)
func (*MockServer) SignToken ¶
func (m *MockServer) SignToken(claims OIDCClaims, header map[string]interface{}) (string, error)
func (*MockServer) SignTokenWithAdditionalClaims ¶
func (m *MockServer) SignTokenWithAdditionalClaims(claims OIDCClaims, additionalClaims map[string]interface{}, header map[string]interface{}) (string, error)
SignTokenWithAdditionalClaims signs a token that carries additional non-standard OIDC claims. additionalClaims must not contain any OIDC standard claims or duplicates.
func (*MockServer) WellKnownHandler ¶
func (m *MockServer) WellKnownHandler(w http.ResponseWriter, _ *http.Request)
type OAuthConfig ¶
// OAuthConfig supplies the OAuth client settings that NewAuthMiddleware
// takes as its first argument.
type OAuthConfig interface {
// GetClientID returns the client ID as a string.
GetClientID() string
// GetClientSecret returns the client secret as a string. The value is a
// credential: implementations should read it from protected configuration,
// and callers should keep it out of logs and error messages.
GetClientSecret() string
// GetURL returns a URL string.
// NOTE(review): presumably the identity provider's base URL — confirm.
GetURL() string
// GetDomain returns a domain string.
// NOTE(review): how the middleware uses this value is not shown here — confirm.
GetDomain() string
}
The OAuthConfig interface must be implemented in order to call NewAuthMiddleware. For IAS, the standard implementation IASConfig from ../env/iasConfig.go can be used.
type OIDCClaims ¶
// OIDCClaims is the claim set handled by this package: the embedded
// jwtgo.StandardClaims plus the profile and tenant claims declared below.
type OIDCClaims struct {
// StandardClaims is embedded, so its fields are promoted onto OIDCClaims.
jwtgo.StandardClaims
// The string fields below are tagged omitempty, so an empty value is left
// out of the encoded JSON.
GivenName string `json:"given_name,omitempty"`
FamilyName string `json:"family_name,omitempty"`
Email string `json:"email,omitempty"`
// ZoneID is encoded under the JSON key "zone_uuid", not "zone_id".
ZoneID string `json:"zone_uuid,omitempty"`
UserUUID string `json:"user_uuid,omitempty"`
// NOTE(review): the unexported fields presumably hold the custom claims
// read by GetClaimAsString and GetClaimAsStringSlice — confirm.
// contains filtered or unexported fields
}
func (OIDCClaims) GetClaimAsString ¶
func (c OIDCClaims) GetClaimAsString(claim string) (string, error)
GetClaimAsString returns a custom claim, type-asserted as a string. The claim name is case-sensitive. It returns an error if the claim is not available or is not a string.
func (OIDCClaims) GetClaimAsStringSlice ¶
func (c OIDCClaims) GetClaimAsStringSlice(claim string) ([]string, error)
GetClaimAsStringSlice returns a custom claim, type-asserted as a string slice. The claim name is case-sensitive. It returns an error if the claim is not available or is not an array.
type OIDCClaimsBuilder ¶
type OIDCClaimsBuilder struct {
// contains filtered or unexported fields
}
func NewOIDCClaimsBuilder ¶
func NewOIDCClaimsBuilder(base OIDCClaims) *OIDCClaimsBuilder
func (*OIDCClaimsBuilder) Audience ¶
func (b *OIDCClaimsBuilder) Audience(aud ...string) *OIDCClaimsBuilder
func (*OIDCClaimsBuilder) Build ¶
func (b *OIDCClaimsBuilder) Build() OIDCClaims
func (*OIDCClaimsBuilder) Email ¶
func (b *OIDCClaimsBuilder) Email(email string) *OIDCClaimsBuilder
func (*OIDCClaimsBuilder) ExpiresAt ¶
func (b *OIDCClaimsBuilder) ExpiresAt(expiresAt time.Time) *OIDCClaimsBuilder
func (*OIDCClaimsBuilder) FamilyName ¶
func (b *OIDCClaimsBuilder) FamilyName(familyName string) *OIDCClaimsBuilder
func (*OIDCClaimsBuilder) GivenName ¶
func (b *OIDCClaimsBuilder) GivenName(givenName string) *OIDCClaimsBuilder
func (*OIDCClaimsBuilder) ID ¶
func (b *OIDCClaimsBuilder) ID(id string) *OIDCClaimsBuilder
func (*OIDCClaimsBuilder) IssuedAt ¶
func (b *OIDCClaimsBuilder) IssuedAt(issuedAt time.Time) *OIDCClaimsBuilder
func (*OIDCClaimsBuilder) Issuer ¶
func (b *OIDCClaimsBuilder) Issuer(issuer string) *OIDCClaimsBuilder
func (*OIDCClaimsBuilder) NotBefore ¶
func (b *OIDCClaimsBuilder) NotBefore(notBefore time.Time) *OIDCClaimsBuilder
func (*OIDCClaimsBuilder) Subject ¶
func (b *OIDCClaimsBuilder) Subject(subject string) *OIDCClaimsBuilder
func (*OIDCClaimsBuilder) UserUUID ¶
func (b *OIDCClaimsBuilder) UserUUID(userUUID string) *OIDCClaimsBuilder
func (*OIDCClaimsBuilder) WithoutAudience ¶
func (b *OIDCClaimsBuilder) WithoutAudience() *OIDCClaimsBuilder
func (*OIDCClaimsBuilder) WithoutExpiresAt ¶
func (b *OIDCClaimsBuilder) WithoutExpiresAt() *OIDCClaimsBuilder
func (*OIDCClaimsBuilder) WithoutIssuedAt ¶
func (b *OIDCClaimsBuilder) WithoutIssuedAt() *OIDCClaimsBuilder
func (*OIDCClaimsBuilder) WithoutNotBefore ¶
func (b *OIDCClaimsBuilder) WithoutNotBefore() *OIDCClaimsBuilder
func (*OIDCClaimsBuilder) ZoneID ¶
func (b *OIDCClaimsBuilder) ZoneID(zoneID string) *OIDCClaimsBuilder
type OIDCHeaderBuilder ¶
type OIDCHeaderBuilder struct {
// contains filtered or unexported fields
}
func NewOIDCHeaderBuilder ¶
func NewOIDCHeaderBuilder(base map[string]interface{}) *OIDCHeaderBuilder
func (*OIDCHeaderBuilder) Alg ¶
func (b *OIDCHeaderBuilder) Alg(alg string) *OIDCHeaderBuilder
func (*OIDCHeaderBuilder) Build ¶
func (b *OIDCHeaderBuilder) Build() map[string]interface{}
func (*OIDCHeaderBuilder) KeyID ¶
func (b *OIDCHeaderBuilder) KeyID(keyID string) *OIDCHeaderBuilder
type Options ¶
Options can be passed as an argument to NewAuthMiddleware to instantiate an AuthMiddleware.
UserContext: the property under which the token is accessible in the request context. Default: "user"
ErrorHandler: called if the JWT verification fails. Default: DefaultErrorHandler
HTTPClient: the client used for OIDC discovery and to retrieve JWKs (JSON Web Keys). Default: a basic http.Client with a timeout of 15 seconds