Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
7170c891
Commit
7170c891
authored
May 20, 2016
by
Mike Danese
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #25270 from bobbyrullo/deps
Implement OIDC client AuthProvider
parents
11105355
f575f89c
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
15 changed files
with
532 additions
and
14 deletions
+532
-14
Godeps.json
Godeps/Godeps.json
+5
-5
oidc_test.go
plugin/pkg/auth/authenticator/token/oidc/oidc_test.go
+0
-0
provider.go
plugin/pkg/auth/authenticator/token/oidc/testing/provider.go
+194
-0
OWNERS
plugin/pkg/client/auth/oidc/OWNERS
+2
-0
oidc.go
plugin/pkg/client/auth/oidc/oidc.go
+270
-0
oidc_test.go
plugin/pkg/client/auth/oidc/oidc_test.go
+0
-0
plugins.go
plugin/pkg/client/auth/plugins.go
+1
-0
sig.go
vendor/github.com/coreos/go-oidc/jose/sig.go
+1
-2
sig_hmac.go
vendor/github.com/coreos/go-oidc/jose/sig_hmac.go
+1
-2
sig_rsa.go
vendor/github.com/coreos/go-oidc/jose/sig_rsa.go
+1
-2
key.go
vendor/github.com/coreos/go-oidc/key/key.go
+1
-1
oauth2.go
vendor/github.com/coreos/go-oidc/oauth2/oauth2.go
+30
-0
key.go
vendor/github.com/coreos/go-oidc/oidc/key.go
+11
-1
provider.go
vendor/github.com/coreos/go-oidc/oidc/provider.go
+6
-1
transport.go
vendor/github.com/coreos/go-oidc/oidc/transport.go
+9
-0
No files found.
Godeps/Godeps.json
View file @
7170c891
...
...
@@ -485,23 +485,23 @@
},
{
"ImportPath"
:
"github.com/coreos/go-oidc/http"
,
"Rev"
:
"
d7cb66526fffc811d602b6770581064f4b66b507
"
"Rev"
:
"
5cf2aa52da8c574d3aa4458f471ad6ae2240fe6b
"
},
{
"ImportPath"
:
"github.com/coreos/go-oidc/jose"
,
"Rev"
:
"
d7cb66526fffc811d602b6770581064f4b66b507
"
"Rev"
:
"
5cf2aa52da8c574d3aa4458f471ad6ae2240fe6b
"
},
{
"ImportPath"
:
"github.com/coreos/go-oidc/key"
,
"Rev"
:
"
d7cb66526fffc811d602b6770581064f4b66b507
"
"Rev"
:
"
5cf2aa52da8c574d3aa4458f471ad6ae2240fe6b
"
},
{
"ImportPath"
:
"github.com/coreos/go-oidc/oauth2"
,
"Rev"
:
"
d7cb66526fffc811d602b6770581064f4b66b507
"
"Rev"
:
"
5cf2aa52da8c574d3aa4458f471ad6ae2240fe6b
"
},
{
"ImportPath"
:
"github.com/coreos/go-oidc/oidc"
,
"Rev"
:
"
d7cb66526fffc811d602b6770581064f4b66b507
"
"Rev"
:
"
5cf2aa52da8c574d3aa4458f471ad6ae2240fe6b
"
},
{
"ImportPath"
:
"github.com/coreos/go-semver/semver"
,
...
...
plugin/pkg/auth/authenticator/token/oidc/oidc_test.go
View file @
7170c891
This diff is collapsed.
Click to expand it.
plugin/pkg/auth/authenticator/token/oidc/testing/provider.go
0 → 100644
View file @
7170c891
/*
Copyright 2016 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
testing
import
(
"bytes"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/json"
"encoding/pem"
"fmt"
"io/ioutil"
"math/big"
"net"
"net/http"
"net/http/httptest"
"net/url"
"os"
"path/filepath"
"testing"
"time"
"github.com/coreos/go-oidc/jose"
"github.com/coreos/go-oidc/key"
"github.com/coreos/go-oidc/oidc"
)
// NewOIDCProvider provides a bare minimum OIDC IdP Server useful for testing.
func
NewOIDCProvider
(
t
*
testing
.
T
)
*
OIDCProvider
{
privKey
,
err
:=
key
.
GeneratePrivateKey
()
if
err
!=
nil
{
t
.
Fatalf
(
"Cannot create OIDC Provider: %v"
,
err
)
return
nil
}
op
:=
&
OIDCProvider
{
Mux
:
http
.
NewServeMux
(),
PrivKey
:
privKey
,
}
op
.
Mux
.
HandleFunc
(
"/.well-known/openid-configuration"
,
op
.
handleConfig
)
op
.
Mux
.
HandleFunc
(
"/keys"
,
op
.
handleKeys
)
return
op
}
type
OIDCProvider
struct
{
Mux
*
http
.
ServeMux
PCFG
oidc
.
ProviderConfig
PrivKey
*
key
.
PrivateKey
}
func
(
op
*
OIDCProvider
)
ServeTLSWithKeyPair
(
cert
,
key
string
)
(
*
httptest
.
Server
,
error
)
{
srv
:=
httptest
.
NewUnstartedServer
(
op
.
Mux
)
srv
.
TLS
=
&
tls
.
Config
{
Certificates
:
make
([]
tls
.
Certificate
,
1
)}
var
err
error
srv
.
TLS
.
Certificates
[
0
],
err
=
tls
.
LoadX509KeyPair
(
cert
,
key
)
if
err
!=
nil
{
return
nil
,
fmt
.
Errorf
(
"Cannot load cert/key pair: %v"
,
err
)
}
srv
.
StartTLS
()
return
srv
,
nil
}
func
(
op
*
OIDCProvider
)
AddMinimalProviderConfig
(
srv
*
httptest
.
Server
)
{
op
.
PCFG
=
oidc
.
ProviderConfig
{
Issuer
:
MustParseURL
(
srv
.
URL
),
AuthEndpoint
:
MustParseURL
(
srv
.
URL
+
"/auth"
),
TokenEndpoint
:
MustParseURL
(
srv
.
URL
+
"/token"
),
KeysEndpoint
:
MustParseURL
(
srv
.
URL
+
"/keys"
),
ResponseTypesSupported
:
[]
string
{
"code"
},
SubjectTypesSupported
:
[]
string
{
"public"
},
IDTokenSigningAlgValues
:
[]
string
{
"RS256"
},
}
}
func
(
op
*
OIDCProvider
)
handleConfig
(
w
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
b
,
err
:=
json
.
Marshal
(
&
op
.
PCFG
)
if
err
!=
nil
{
http
.
Error
(
w
,
err
.
Error
(),
http
.
StatusInternalServerError
)
return
}
w
.
Header
()
.
Set
(
"Content-Type"
,
"application/json"
)
w
.
Write
(
b
)
}
func
(
op
*
OIDCProvider
)
handleKeys
(
w
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
keys
:=
struct
{
Keys
[]
jose
.
JWK
`json:"keys"`
}{
Keys
:
[]
jose
.
JWK
{
op
.
PrivKey
.
JWK
()},
}
b
,
err
:=
json
.
Marshal
(
keys
)
if
err
!=
nil
{
http
.
Error
(
w
,
err
.
Error
(),
http
.
StatusInternalServerError
)
return
}
w
.
Header
()
.
Set
(
"Cache-Control"
,
fmt
.
Sprintf
(
"public, max-age=%d"
,
int
(
time
.
Hour
.
Seconds
())))
w
.
Header
()
.
Set
(
"Expires"
,
time
.
Now
()
.
Add
(
time
.
Hour
)
.
Format
(
time
.
RFC1123
))
w
.
Header
()
.
Set
(
"Content-Type"
,
"application/json"
)
w
.
Write
(
b
)
}
func
MustParseURL
(
s
string
)
*
url
.
URL
{
u
,
err
:=
url
.
Parse
(
s
)
if
err
!=
nil
{
panic
(
fmt
.
Errorf
(
"Failed to parse url: %v"
,
err
))
}
return
u
}
// generateSelfSignedCert generates a self-signed cert/key pairs and writes to the certPath/keyPath.
// This method is mostly identical to crypto.GenerateSelfSignedCert except for the 'IsCA' and 'KeyUsage'
// in the certificate template. (Maybe we can merge these two methods).
func
GenerateSelfSignedCert
(
t
*
testing
.
T
,
host
,
certPath
,
keyPath
string
)
{
priv
,
err
:=
rsa
.
GenerateKey
(
rand
.
Reader
,
2048
)
if
err
!=
nil
{
t
.
Fatal
(
err
)
}
template
:=
x509
.
Certificate
{
SerialNumber
:
big
.
NewInt
(
1
),
Subject
:
pkix
.
Name
{
CommonName
:
fmt
.
Sprintf
(
"%s@%d"
,
host
,
time
.
Now
()
.
Unix
()),
},
NotBefore
:
time
.
Now
(),
NotAfter
:
time
.
Now
()
.
Add
(
time
.
Hour
*
24
*
365
),
KeyUsage
:
x509
.
KeyUsageKeyEncipherment
|
x509
.
KeyUsageDigitalSignature
|
x509
.
KeyUsageCertSign
,
ExtKeyUsage
:
[]
x509
.
ExtKeyUsage
{
x509
.
ExtKeyUsageServerAuth
},
BasicConstraintsValid
:
true
,
IsCA
:
true
,
}
if
ip
:=
net
.
ParseIP
(
host
);
ip
!=
nil
{
template
.
IPAddresses
=
append
(
template
.
IPAddresses
,
ip
)
}
else
{
template
.
DNSNames
=
append
(
template
.
DNSNames
,
host
)
}
derBytes
,
err
:=
x509
.
CreateCertificate
(
rand
.
Reader
,
&
template
,
&
template
,
&
priv
.
PublicKey
,
priv
)
if
err
!=
nil
{
t
.
Fatal
(
err
)
}
// Generate cert
certBuffer
:=
bytes
.
Buffer
{}
if
err
:=
pem
.
Encode
(
&
certBuffer
,
&
pem
.
Block
{
Type
:
"CERTIFICATE"
,
Bytes
:
derBytes
});
err
!=
nil
{
t
.
Fatal
(
err
)
}
// Generate key
keyBuffer
:=
bytes
.
Buffer
{}
if
err
:=
pem
.
Encode
(
&
keyBuffer
,
&
pem
.
Block
{
Type
:
"RSA PRIVATE KEY"
,
Bytes
:
x509
.
MarshalPKCS1PrivateKey
(
priv
)});
err
!=
nil
{
t
.
Fatal
(
err
)
}
// Write cert
if
err
:=
os
.
MkdirAll
(
filepath
.
Dir
(
certPath
),
os
.
FileMode
(
0755
));
err
!=
nil
{
t
.
Fatal
(
err
)
}
if
err
:=
ioutil
.
WriteFile
(
certPath
,
certBuffer
.
Bytes
(),
os
.
FileMode
(
0644
));
err
!=
nil
{
t
.
Fatal
(
err
)
}
// Write key
if
err
:=
os
.
MkdirAll
(
filepath
.
Dir
(
keyPath
),
os
.
FileMode
(
0755
));
err
!=
nil
{
t
.
Fatal
(
err
)
}
if
err
:=
ioutil
.
WriteFile
(
keyPath
,
keyBuffer
.
Bytes
(),
os
.
FileMode
(
0600
));
err
!=
nil
{
t
.
Fatal
(
err
)
}
}
plugin/pkg/client/auth/oidc/OWNERS
0 → 100644
View file @
7170c891
assignees:
- bobbyrullo
plugin/pkg/client/auth/oidc/oidc.go
0 → 100644
View file @
7170c891
/*
Copyright 2016 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
oidc
import
(
"encoding/base64"
"errors"
"fmt"
"net/http"
"strings"
"time"
"github.com/coreos/go-oidc/jose"
"github.com/coreos/go-oidc/oauth2"
"github.com/coreos/go-oidc/oidc"
"github.com/golang/glog"
"k8s.io/kubernetes/pkg/client/restclient"
"k8s.io/kubernetes/pkg/util/wait"
)
const
(
cfgIssuerUrl
=
"idp-issuer-url"
cfgClientID
=
"client-id"
cfgClientSecret
=
"client-secret"
cfgCertificateAuthority
=
"idp-certificate-authority"
cfgCertificateAuthorityData
=
"idp-certificate-authority-data"
cfgExtraScopes
=
"extra-scopes"
cfgIDToken
=
"id-token"
cfgRefreshToken
=
"refresh-token"
)
var
(
backoff
=
wait
.
Backoff
{
Duration
:
1
*
time
.
Second
,
Factor
:
2
,
Jitter
:
.1
,
Steps
:
5
,
}
)
func
init
()
{
if
err
:=
restclient
.
RegisterAuthProviderPlugin
(
"oidc"
,
newOIDCAuthProvider
);
err
!=
nil
{
glog
.
Fatalf
(
"Failed to register oidc auth plugin: %v"
,
err
)
}
}
func
newOIDCAuthProvider
(
_
string
,
cfg
map
[
string
]
string
,
persister
restclient
.
AuthProviderConfigPersister
)
(
restclient
.
AuthProvider
,
error
)
{
issuer
:=
cfg
[
cfgIssuerUrl
]
if
issuer
==
""
{
return
nil
,
fmt
.
Errorf
(
"Must provide %s"
,
cfgIssuerUrl
)
}
clientID
:=
cfg
[
cfgClientID
]
if
clientID
==
""
{
return
nil
,
fmt
.
Errorf
(
"Must provide %s"
,
cfgClientID
)
}
clientSecret
:=
cfg
[
cfgClientSecret
]
if
clientSecret
==
""
{
return
nil
,
fmt
.
Errorf
(
"Must provide %s"
,
cfgClientSecret
)
}
var
certAuthData
[]
byte
var
err
error
if
cfg
[
cfgCertificateAuthorityData
]
!=
""
{
certAuthData
,
err
=
base64
.
StdEncoding
.
DecodeString
(
cfg
[
cfgCertificateAuthorityData
])
if
err
!=
nil
{
return
nil
,
err
}
}
clientConfig
:=
restclient
.
Config
{
TLSClientConfig
:
restclient
.
TLSClientConfig
{
CAFile
:
cfg
[
cfgCertificateAuthority
],
CAData
:
certAuthData
,
},
}
trans
,
err
:=
restclient
.
TransportFor
(
&
clientConfig
)
if
err
!=
nil
{
return
nil
,
err
}
hc
:=
&
http
.
Client
{
Transport
:
trans
}
providerCfg
,
err
:=
oidc
.
FetchProviderConfig
(
hc
,
strings
.
TrimSuffix
(
issuer
,
"/"
))
if
err
!=
nil
{
return
nil
,
fmt
.
Errorf
(
"error fetching provider config: %v"
,
err
)
}
scopes
:=
strings
.
Split
(
cfg
[
cfgExtraScopes
],
","
)
oidcCfg
:=
oidc
.
ClientConfig
{
HTTPClient
:
hc
,
Credentials
:
oidc
.
ClientCredentials
{
ID
:
clientID
,
Secret
:
clientSecret
,
},
ProviderConfig
:
providerCfg
,
Scope
:
append
(
scopes
,
oidc
.
DefaultScope
...
),
}
client
,
err
:=
oidc
.
NewClient
(
oidcCfg
)
if
err
!=
nil
{
return
nil
,
fmt
.
Errorf
(
"error creating OIDC Client: %v"
,
err
)
}
oClient
:=
&
oidcClient
{
client
}
var
initialIDToken
jose
.
JWT
if
cfg
[
cfgIDToken
]
!=
""
{
initialIDToken
,
err
=
jose
.
ParseJWT
(
cfg
[
cfgIDToken
])
if
err
!=
nil
{
return
nil
,
err
}
}
return
&
oidcAuthProvider
{
initialIDToken
:
initialIDToken
,
refresher
:
&
idTokenRefresher
{
client
:
oClient
,
cfg
:
cfg
,
persister
:
persister
,
},
},
nil
}
type
oidcAuthProvider
struct
{
refresher
*
idTokenRefresher
initialIDToken
jose
.
JWT
}
func
(
g
*
oidcAuthProvider
)
WrapTransport
(
rt
http
.
RoundTripper
)
http
.
RoundTripper
{
at
:=
&
oidc
.
AuthenticatedTransport
{
TokenRefresher
:
g
.
refresher
,
RoundTripper
:
rt
,
}
at
.
SetJWT
(
g
.
initialIDToken
)
return
&
roundTripper
{
wrapped
:
at
,
refresher
:
g
.
refresher
,
}
}
func
(
g
*
oidcAuthProvider
)
Login
()
error
{
return
errors
.
New
(
"not yet implemented"
)
}
type
OIDCClient
interface
{
refreshToken
(
rt
string
)
(
oauth2
.
TokenResponse
,
error
)
verifyJWT
(
jwt
jose
.
JWT
)
error
}
type
roundTripper
struct
{
refresher
*
idTokenRefresher
wrapped
*
oidc
.
AuthenticatedTransport
}
func
(
r
*
roundTripper
)
RoundTrip
(
req
*
http
.
Request
)
(
*
http
.
Response
,
error
)
{
var
res
*
http
.
Response
var
err
error
firstTime
:=
true
wait
.
ExponentialBackoff
(
backoff
,
func
()
(
bool
,
error
)
{
if
!
firstTime
{
var
jwt
jose
.
JWT
jwt
,
err
=
r
.
refresher
.
Refresh
()
if
err
!=
nil
{
return
true
,
nil
}
r
.
wrapped
.
SetJWT
(
jwt
)
}
else
{
firstTime
=
false
}
res
,
err
=
r
.
wrapped
.
RoundTrip
(
req
)
if
err
!=
nil
{
return
true
,
nil
}
if
res
.
StatusCode
==
http
.
StatusUnauthorized
{
return
false
,
nil
}
return
true
,
nil
})
return
res
,
err
}
type
idTokenRefresher
struct
{
cfg
map
[
string
]
string
client
OIDCClient
persister
restclient
.
AuthProviderConfigPersister
intialIDToken
jose
.
JWT
}
func
(
r
*
idTokenRefresher
)
Verify
(
jwt
jose
.
JWT
)
error
{
claims
,
err
:=
jwt
.
Claims
()
if
err
!=
nil
{
return
err
}
now
:=
time
.
Now
()
exp
,
ok
,
err
:=
claims
.
TimeClaim
(
"exp"
)
switch
{
case
err
!=
nil
:
return
fmt
.
Errorf
(
"failed to parse 'exp' claim: %v"
,
err
)
case
!
ok
:
return
errors
.
New
(
"missing required 'exp' claim"
)
case
exp
.
Before
(
now
)
:
return
fmt
.
Errorf
(
"token already expired at: %v"
,
exp
)
}
return
nil
}
func
(
r
*
idTokenRefresher
)
Refresh
()
(
jose
.
JWT
,
error
)
{
rt
,
ok
:=
r
.
cfg
[
cfgRefreshToken
]
if
!
ok
{
return
jose
.
JWT
{},
errors
.
New
(
"No valid id-token, and cannot refresh without refresh-token"
)
}
tokens
,
err
:=
r
.
client
.
refreshToken
(
rt
)
if
err
!=
nil
{
return
jose
.
JWT
{},
fmt
.
Errorf
(
"could not refresh token: %v"
,
err
)
}
jwt
,
err
:=
jose
.
ParseJWT
(
tokens
.
IDToken
)
if
err
!=
nil
{
return
jose
.
JWT
{},
err
}
if
tokens
.
RefreshToken
!=
""
&&
tokens
.
RefreshToken
!=
rt
{
r
.
cfg
[
cfgRefreshToken
]
=
tokens
.
RefreshToken
}
r
.
cfg
[
cfgIDToken
]
=
jwt
.
Encode
()
err
=
r
.
persister
.
Persist
(
r
.
cfg
)
if
err
!=
nil
{
return
jose
.
JWT
{},
fmt
.
Errorf
(
"could not perist new tokens: %v"
,
err
)
}
return
jwt
,
r
.
client
.
verifyJWT
(
jwt
)
}
type
oidcClient
struct
{
client
*
oidc
.
Client
}
func
(
o
*
oidcClient
)
refreshToken
(
rt
string
)
(
oauth2
.
TokenResponse
,
error
)
{
oac
,
err
:=
o
.
client
.
OAuthClient
()
if
err
!=
nil
{
return
oauth2
.
TokenResponse
{},
err
}
return
oac
.
RequestToken
(
oauth2
.
GrantTypeRefreshToken
,
rt
)
}
func
(
o
*
oidcClient
)
verifyJWT
(
jwt
jose
.
JWT
)
error
{
return
o
.
client
.
VerifyJWT
(
jwt
)
}
plugin/pkg/client/auth/oidc/oidc_test.go
0 → 100644
View file @
7170c891
This diff is collapsed.
Click to expand it.
plugin/pkg/client/auth/plugins.go
View file @
7170c891
...
...
@@ -19,4 +19,5 @@ package plugins
import
(
// Initialize all known client auth plugins.
_
"k8s.io/kubernetes/plugin/pkg/client/auth/gcp"
_
"k8s.io/kubernetes/plugin/pkg/client/auth/oidc"
)
vendor/github.com/coreos/go-oidc/jose/sig.go
View file @
7170c891
...
...
@@ -2,7 +2,6 @@ package jose
import
(
"fmt"
"strings"
)
type
Verifier
interface
{
...
...
@@ -17,7 +16,7 @@ type Signer interface {
}
func
NewVerifier
(
jwk
JWK
)
(
Verifier
,
error
)
{
if
strings
.
ToUpper
(
jwk
.
Type
)
!=
"RSA"
{
if
jwk
.
Type
!=
"RSA"
{
return
nil
,
fmt
.
Errorf
(
"unsupported key type %q"
,
jwk
.
Type
)
}
...
...
vendor/github.com/coreos/go-oidc/jose/sig_hmac.go
View file @
7170c891
...
...
@@ -7,7 +7,6 @@ import (
_
"crypto/sha256"
"errors"
"fmt"
"strings"
)
type
VerifierHMAC
struct
{
...
...
@@ -21,7 +20,7 @@ type SignerHMAC struct {
}
func
NewVerifierHMAC
(
jwk
JWK
)
(
*
VerifierHMAC
,
error
)
{
if
strings
.
ToUpper
(
jwk
.
Alg
)
!=
"HS256"
{
if
jwk
.
Alg
!=
""
&&
jwk
.
Alg
!=
"HS256"
{
return
nil
,
fmt
.
Errorf
(
"unsupported key algorithm %q"
,
jwk
.
Alg
)
}
...
...
vendor/github.com/coreos/go-oidc/jose/sig_rsa.go
View file @
7170c891
...
...
@@ -5,7 +5,6 @@ import (
"crypto/rand"
"crypto/rsa"
"fmt"
"strings"
)
type
VerifierRSA
struct
{
...
...
@@ -20,7 +19,7 @@ type SignerRSA struct {
}
func
NewVerifierRSA
(
jwk
JWK
)
(
*
VerifierRSA
,
error
)
{
if
strings
.
ToUpper
(
jwk
.
Alg
)
!=
"RS256"
{
if
jwk
.
Alg
!=
""
&&
jwk
.
Alg
!=
"RS256"
{
return
nil
,
fmt
.
Errorf
(
"unsupported key algorithm %q"
,
jwk
.
Alg
)
}
...
...
vendor/github.com/coreos/go-oidc/key/key.go
View file @
7170c891
...
...
@@ -20,7 +20,7 @@ type PublicKey struct {
}
func
(
k
*
PublicKey
)
MarshalJSON
()
([]
byte
,
error
)
{
return
json
.
Marshal
(
k
.
jwk
)
return
json
.
Marshal
(
&
k
.
jwk
)
}
func
(
k
*
PublicKey
)
UnmarshalJSON
(
data
[]
byte
)
error
{
...
...
vendor/github.com/coreos/go-oidc/oauth2/oauth2.go
View file @
7170c891
...
...
@@ -56,6 +56,7 @@ const (
const
(
GrantTypeAuthCode
=
"authorization_code"
GrantTypeClientCreds
=
"client_credentials"
GrantTypeUserCreds
=
"password"
GrantTypeImplicit
=
"implicit"
GrantTypeRefreshToken
=
"refresh_token"
...
...
@@ -140,6 +141,11 @@ func NewClient(hc phttp.Client, cfg Config) (c *Client, err error) {
return
}
// Return the embedded HTTP client
func
(
c
*
Client
)
HttpClient
()
phttp
.
Client
{
return
c
.
hc
}
// Generate the url for initial redirect to oauth provider.
func
(
c
*
Client
)
AuthCodeURL
(
state
,
accessType
,
prompt
string
)
string
{
v
:=
c
.
commonURLValues
()
...
...
@@ -220,6 +226,30 @@ func (c *Client) ClientCredsToken(scope []string) (result TokenResponse, err err
return
parseTokenResponse
(
resp
)
}
// UserCredsToken posts the username and password to obtain a token scoped to the OAuth2 client via the "password" grant_type
// May not be supported by all OAuth2 servers.
func
(
c
*
Client
)
UserCredsToken
(
username
,
password
string
)
(
result
TokenResponse
,
err
error
)
{
v
:=
url
.
Values
{
"scope"
:
{
strings
.
Join
(
c
.
scope
,
" "
)},
"grant_type"
:
{
GrantTypeUserCreds
},
"username"
:
{
username
},
"password"
:
{
password
},
}
req
,
err
:=
c
.
newAuthenticatedRequest
(
c
.
tokenURL
.
String
(),
v
)
if
err
!=
nil
{
return
}
resp
,
err
:=
c
.
hc
.
Do
(
req
)
if
err
!=
nil
{
return
}
defer
resp
.
Body
.
Close
()
return
parseTokenResponse
(
resp
)
}
// RequestToken requests a token from the Token Endpoint with the specified grantType.
// If 'grantType' == GrantTypeAuthCode, then 'value' should be the authorization code.
// If 'grantType' == GrantTypeRefreshToken, then 'value' should be the refresh token.
...
...
vendor/github.com/coreos/go-oidc/oidc/key.go
View file @
7170c891
...
...
@@ -11,6 +11,11 @@ import (
"github.com/coreos/go-oidc/key"
)
// DefaultPublicKeySetTTL is the default TTL set on the PublicKeySet if no
// Cache-Control header is provided by the JWK Set document endpoint.
const
DefaultPublicKeySetTTL
=
24
*
time
.
Hour
// NewRemotePublicKeyRepo is responsible for fetching the JWK Set document.
func
NewRemotePublicKeyRepo
(
hc
phttp
.
Client
,
ep
string
)
*
remotePublicKeyRepo
{
return
&
remotePublicKeyRepo
{
hc
:
hc
,
ep
:
ep
}
}
...
...
@@ -20,6 +25,11 @@ type remotePublicKeyRepo struct {
ep
string
}
// Get returns a PublicKeySet fetched from the JWK Set document endpoint. A TTL
// is set on the Key Set to avoid it having to be re-retrieved for every
// encryption event. This TTL is typically controlled by the endpoint returning
// a Cache-Control header, but defaults to 24 hours if no Cache-Control header
// is found.
func
(
r
*
remotePublicKeyRepo
)
Get
()
(
key
.
KeySet
,
error
)
{
req
,
err
:=
http
.
NewRequest
(
"GET"
,
r
.
ep
,
nil
)
if
err
!=
nil
{
...
...
@@ -48,7 +58,7 @@ func (r *remotePublicKeyRepo) Get() (key.KeySet, error) {
return
nil
,
err
}
if
!
ok
{
return
nil
,
errors
.
New
(
"HTTP cache headers not set"
)
ttl
=
DefaultPublicKeySetTTL
}
exp
:=
time
.
Now
()
.
UTC
()
.
Add
(
ttl
)
...
...
vendor/github.com/coreos/go-oidc/oidc/provider.go
View file @
7170c891
...
...
@@ -6,6 +6,7 @@ import (
"fmt"
"net/http"
"net/url"
"strings"
"sync"
"time"
...
...
@@ -618,7 +619,11 @@ func NewHTTPProviderConfigGetter(hc phttp.Client, issuerURL string) *httpProvide
}
func
(
r
*
httpProviderConfigGetter
)
Get
()
(
cfg
ProviderConfig
,
err
error
)
{
req
,
err
:=
http
.
NewRequest
(
"GET"
,
r
.
issuerURL
+
discoveryConfigPath
,
nil
)
// If the Issuer value contains a path component, any terminating / MUST be removed before
// appending /.well-known/openid-configuration.
// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
discoveryURL
:=
strings
.
TrimSuffix
(
r
.
issuerURL
,
"/"
)
+
discoveryConfigPath
req
,
err
:=
http
.
NewRequest
(
"GET"
,
discoveryURL
,
nil
)
if
err
!=
nil
{
return
}
...
...
vendor/github.com/coreos/go-oidc/oidc/transport.go
View file @
7170c891
...
...
@@ -67,6 +67,15 @@ func (t *AuthenticatedTransport) verifiedJWT() (jose.JWT, error) {
return
t
.
jwt
,
nil
}
// SetJWT sets the JWT held by the Transport.
// This is useful for cases in which you want to set an initial JWT.
func
(
t
*
AuthenticatedTransport
)
SetJWT
(
jwt
jose
.
JWT
)
{
t
.
mu
.
Lock
()
defer
t
.
mu
.
Unlock
()
t
.
jwt
=
jwt
}
func
(
t
*
AuthenticatedTransport
)
RoundTrip
(
r
*
http
.
Request
)
(
*
http
.
Response
,
error
)
{
jwt
,
err
:=
t
.
verifiedJWT
()
if
err
!=
nil
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment