
Package database

import "edge-infra.dev/pkg/edge/iam/storage/database"

nolint:dupl


Constants
func LocalCouchDBClient(log logr.Logger) (*kivik.Client, error)
func NewCouchDBClient(log logr.Logger) (*kivik.Client, error)
func NewRedisClient() (*redis.Client, error)
func ToFullyQualified(userID string) string
type BarcodeUser
type ClientCredentialsDB
type ClientProfileDB
type Doc
type GobSerializer
    func (gs GobSerializer) Deserialize(d []byte, s *sessions.Session) error
    func (gs GobSerializer) Serialize(s *sessions.Session) ([]byte, error)
type KeyGenFunc
type KeyPrefix
type Options
    func WithExpiration(ttl time.Duration) Options
type SessionSerializer
type SessionStore
    func NewRedisSessionStore(_ context.Context, client redis.UniversalClient) (*SessionStore, error)
    func (s *SessionStore) Close() error
    func (s *SessionStore) Get(r *http.Request, name string) (*sessions.Session, error)
    func (s *SessionStore) KeyGen(f KeyGenFunc)
    func (s *SessionStore) KeyPrefix(keyPrefix string)
    func (s *SessionStore) New(r *http.Request, name string) (*sessions.Session, error)
    func (s *SessionStore) Options(opts sessions.Options)
    func (s *SessionStore) Save(_ *http.Request, w http.ResponseWriter, session *sessions.Session) error
    func (s *SessionStore) Serializer(ss SessionSerializer)
type Store
    func NewOperatorStore(log logr.Logger) (*Store, error)
    func NewProviderStore(log logr.Logger) (*Store, error)
    func (s *Store) AddAliasToProfile(ctx context.Context, userProfile *profile.Profile) error
    func (s *Store) ClientAssertionJWTValid(_ context.Context, _ string) error
    func (s *Store) CreateAccessTokenSession(ctx context.Context, signature string, request fosite.Requester) (err error)
    func (s *Store) CreateAlias(ctx context.Context, alias, subject string) (err error)
    func (s *Store) CreateAuthorizeCodeSession(_ context.Context, code string, req fosite.Requester) (err error)
    func (s *Store) CreateBarcode(ctx context.Context, key, secret, subject string) (err error)
    func (s *Store) CreateBarcodeCode(_ context.Context, signature, subject, issuedBy, clientID, barcodeType, challenge string) (err error)
    func (s *Store) CreateBarcodeKey(_ context.Context, challenge, barcodeKey string) (err error)
    func (s *Store) CreateBarcodeUser(ctx context.Context, subject, barcodeKey string) (err error)
    func (s *Store) CreateIdentityProfile(ctx context.Context, p profile.Profile) error
    func (s *Store) CreateOpenIDConnectSession(_ context.Context, authorizeCode string, req fosite.Requester) error
    func (s *Store) CreatePKCERequestSession(_ context.Context, signature string, req fosite.Requester) error
    func (s *Store) CreateRefreshTokenSession(ctx context.Context, signature string, request fosite.Requester) (err error)
    func (s *Store) DecryptCouchDB(ctx context.Context, key []byte) error
    func (s *Store) DeleteAccessTokenSession(_ context.Context, signature string) (err error)
    func (s *Store) DeleteBarcode(ctx context.Context, key string) (err error)
    func (s *Store) DeleteBarcodeCode(_ context.Context, code string) (err error)
    func (s *Store) DeleteBarcodeKey(_ context.Context, challenge string) (err error)
    func (s *Store) DeleteClient(ctx context.Context, id string) error
    func (s *Store) DeleteOpenIDConnectSession(_ context.Context, _ string) error
    func (s *Store) DeletePKCERequestSession(_ context.Context, signature string) error
    func (s *Store) DeleteRefreshTokenSession(_ context.Context, signature string) (err error)
    func (s *Store) EncryptCouchDB(ctx context.Context, key []byte) error
    func (s *Store) ExpireIdentityProfile(ctx context.Context, subject string) (err error)
    func (s *Store) GetAccessTokenSession(ctx context.Context, signature string, session fosite.Session) (request fosite.Requester, err error)
    func (s *Store) GetAuthorizeCodeSession(ctx context.Context, code string, session fosite.Session) (request fosite.Requester, err error)
    func (s *Store) GetBarcode(ctx context.Context, key string) (barcode *barcode.Barcode, err error)
    func (s *Store) GetBarcodeCode(_ context.Context, signature string) (barcodeCode *barcode.Code, err error)
    func (s *Store) GetBarcodeKey(_ context.Context, challenge string) (barcodeKey *barcode.BarcodeKey, err error)
    func (s *Store) GetBarcodeUser(ctx context.Context, subject string) (barCodeKey string, err error)
    func (s *Store) GetClient(ctx context.Context, id string) (fosite.Client, error)
    func (s *Store) GetClients(ctx context.Context, owner string) ([]*client.Client, error)
    func (s *Store) GetDeviceAccount(ctx context.Context, username string) (acct *device.Account, err error)
    func (s *Store) GetDocWithKey(ctx context.Context, docID string, oldKey []byte) (*Doc, error)
    func (s *Store) GetIAMClient(ctx context.Context, id string) (*client.Client, error)
    func (s *Store) GetIdentityProfile(ctx context.Context, subject string) (profile *profile.Profile, err error)
    func (s *Store) GetLoginSession(signature string) (loginSession *session.LoginSession, err error)
    func (s *Store) GetOpenIDConnectSession(ctx context.Context, authorizeCode string, requester fosite.Requester) (fosite.Requester, error)
    func (s *Store) GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error)
    func (s *Store) GetRefreshTokenSession(ctx context.Context, signature string, session fosite.Session) (request fosite.Requester, err error)
    func (s *Store) GetSubjectFromAlias(ctx context.Context, alias string) (subject string, err error)
    func (s *Store) InvalidateAuthorizeCodeSession(_ context.Context, code string) (err error)
    func (s *Store) InvalidateBarcodeCode(_ context.Context, signature, subject, issuedBy, clientID, barcodeType, challenge string) (err error)
    func (s *Store) InvalidateLoginSession(signature string) error
    func (s *Store) IsOffline() bool
    func (s *Store) LoginWithPIN(ctx context.Context, userID string, pincode string) (*pin.Data, error)
    func (s *Store) RevokeAccessToken(ctx context.Context, requestID string) error
    func (s *Store) RevokeRefreshToken(_ context.Context, requestID string) error
    func (s *Store) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, _ string) error
    func (s *Store) RotateCouchEncryptionKey(ctx context.Context, oldKey []byte, newKey []byte) error
    func (s *Store) RunOfflineDetection()
    func (s *Store) SaveClientCredentials(ctx context.Context, clientID string, credentials *client.Credentials) (*client.Credentials, error)
    func (s *Store) SaveClientProfile(ctx context.Context, clientID string, profile *client.Profile) (*client.Profile, error)
    func (s *Store) SaveDeviceAccount(ctx context.Context, acc device.Account) error
    func (s *Store) SavePIN(ctx context.Context, userID string, pincode string) error
    func (s *Store) SetClientAssertionJWT(_ context.Context, _ string, _ time.Time) error
    func (s *Store) SetLoginSession(signature string, session *session.LoginSession) error

Package files

client_storage.go database.go redis_session.go storage_access_token.go storage_authorize_code.go storage_barcode.go storage_device.go storage_login.go storage_oidc.go storage_pin.go storage_pkce.go storage_profile.go storage_refresh_token.go storage_revoke_token.go

Constants

// AccountsDBName is the name of the accounts database used by this package.
// NOTE(review): which backend opens a database by this name (CouchDB via the
// kivik clients, or Redis) is not visible on this page — confirm in database.go.
const AccountsDBName = "iam-accounts"

func LocalCouchDBClient

func LocalCouchDBClient(log logr.Logger) (*kivik.Client, error)

func NewCouchDBClient

func NewCouchDBClient(log logr.Logger) (*kivik.Client, error)

func NewRedisClient

func NewRedisClient() (*redis.Client, error)

func ToFullyQualified

func ToFullyQualified(userID string) string

ToFullyQualified returns a fully qualified name in the form of `acct:{org}@{username}`.

type BarcodeUser

// BarcodeUser is the per-subject record that links a user to a barcode.
// CreateBarcodeUser stores it under the key "barcode-user:<subject>" with the
// barcode key as its value, and GetBarcodeUser reads that key back.
type BarcodeUser struct {
    // Key is the barcode key belonging to the subject; serialized as "key".
    Key string `json:"key"`
}

type ClientCredentialsDB

ClientCredentialsDB is the client-credentials record that is persisted in Redis.

// ClientCredentialsDB is the client-credentials record persisted in Redis
// (see SaveClientCredentials and KeyPrefixClientCreds).
type ClientCredentialsDB struct {
    // Secret is serialized as "client_secret".
    // NOTE(review): whether this holds the raw client secret or a hash of it is
    // not visible here — confirm before this struct is logged or returned to callers.
    Secret string `json:"client_secret"`
}

type ClientProfileDB

ClientProfileDB is the client-profile record that is persisted in Redis.

// ClientProfileDB is the client-profile record persisted in Redis
// (see SaveClientProfile and KeyPrefixClientProfile). The json tags give the
// field names used in the stored document.
type ClientProfileDB struct {
    ClientName        string   `json:"clientName"`
    ID                string   `json:"id"`
    Name              string   `json:"name"`
    Owner             string   `json:"owner"`
    // RedirectURIs are the registered redirect URIs for the client.
    // NOTE(review): how the authorization server matches against these (exact
    // vs. prefix) is not visible here — confirm in the handler that uses them.
    RedirectURIs      []string `json:"redirect_uris"`
    PrintBarcodeURI   string   `json:"print_barcode_uri"`
    PrintBarcodeTypes []string `json:"print_barcode_types"`
    GrantTypes        []string `json:"grant_types"`
    ResponseTypes     []string `json:"response_types"`
    ResponseModes     []string `json:"response_modes"`
    Scopes            []string `json:"scopes"`
    Audience          []string `json:"audience"`
    Roles             []string `json:"roles"`
    // Public marks the client as public; presumably a public client is one
    // that is not expected to present a client secret — confirm against GetClient.
    Public            bool     `json:"public"`
}

type Doc

// Doc is the document shape written to and read from CouchDB; ID and Rev map to
// the CouchDB "_id" and "_rev" document fields.
type Doc struct {
    ID         string          `json:"_id"`
    // Value is the stored payload, kept as raw JSON rather than decoded here.
    // Per GetDocWithKey's doc, when encryption is enabled it is expected to be
    // in the "encryptedValue: [value]" form.
    Value      json.RawMessage `json:"value"`
    // Rev is omitted when empty, i.e. when creating a document that has no revision yet.
    Rev        string          `json:"_rev,omitempty"`
    // Expiration is omitted when zero, so a zero value means "no expiration" in
    // the stored document. NOTE(review): the unit (seconds vs. nanoseconds) is
    // not visible here — confirm against WithExpiration.
    Expiration int64           `json:"expiration,omitempty"`
}

type GobSerializer

GobSerializer is a SessionSerializer that uses gob encoding.

// GobSerializer satisfies SessionSerializer (its Serialize and Deserialize
// signatures match the interface) and gob-encodes the session payload.
type GobSerializer struct{}

func (GobSerializer) Deserialize

func (gs GobSerializer) Deserialize(d []byte, s *sessions.Session) error

func (GobSerializer) Serialize

func (gs GobSerializer) Serialize(s *sessions.Session) ([]byte, error)

type KeyGenFunc

KeyGenFunc defines the function used by the store to generate a key.

// KeyGenFunc generates a new session key, or returns an error when it cannot.
// SessionStore.KeyGen installs the generator the store should use.
type KeyGenFunc func() (string, error)

type KeyPrefix

// KeyPrefix is the namespace prefix placed in front of a key in the store,
// e.g. CreateBarcodeUser writes "barcode-user:<subject>". Keeping record types
// in distinct namespaces prevents a key from one type colliding with another.
type KeyPrefix string
// Each constant names the namespace for one record type kept by Store.
const (
    KeyPrefixAuthorizationCode KeyPrefix = "auth-code"
    KeyPrefixAccessToken       KeyPrefix = "access-token"
    KeyPrefixAccessTokenReq    KeyPrefix = "access-token-request"
    KeyPrefixRefreshToken      KeyPrefix = "refresh-token"
    KeyPrefixRefreshTokenReq   KeyPrefix = "refresh-token-request"
    KeyPrefixOpenIDConnect     KeyPrefix = "oidc"
    KeyPrefixPKCE              KeyPrefix = "pkce"
    KeyPrefixClientCreds       KeyPrefix = "client-creds"
    KeyPrefixClientProfile     KeyPrefix = "client-profile"
    KeyPrefixClient            KeyPrefix = "client"
    KeyPrefixPIN               KeyPrefix = "pin"
    KeyPrefixDeviceAccount     KeyPrefix = "device-acct"
    KeyPrefixProfile           KeyPrefix = "profile"
    KeyPrefixAlias             KeyPrefix = "alias"
    KeyPrefixDeviceLogin       KeyPrefix = "device-login"
    KeyPrefixBarcode           KeyPrefix = "barcode"
    KeyPrefixBarcodeCode       KeyPrefix = "barcode-code"
    KeyPrefixBarcodeKey        KeyPrefix = "barcode-key"
    KeyPrefixBarcodeUser       KeyPrefix = "barcode-user"
    KeyPrefixLoginHint         KeyPrefix = "login-hint"
)

type Options

// Options is a functional option that mutates a Doc before it is stored.
// WithExpiration is the only constructor listed on this page.
type Options func(d *Doc)

func WithExpiration

func WithExpiration(ttl time.Duration) Options

WithExpiration sets the doc's expiration to a new time computed from ttl.

type SessionSerializer

SessionSerializer provides an interface for serializing and deserializing a session.

// SessionSerializer converts a gorilla session to and from the bytes kept in
// Redis; GobSerializer is the implementation listed on this page, and
// SessionStore.Serializer installs the one a store uses.
type SessionSerializer interface {
    // Serialize encodes s into the byte form written to the store.
    Serialize(s *sessions.Session) ([]byte, error)
    // Deserialize decodes b, as previously produced by Serialize, into s.
    Deserialize(b []byte, s *sessions.Session) error
}

type SessionStore

SessionStore stores gorilla sessions in Redis

// SessionStore keeps gorilla sessions in Redis. Construct it with
// NewRedisSessionStore; KeyGen, KeyPrefix, Options and Serializer adjust its
// configuration after construction, and Close releases the Redis store.
type SessionStore struct {
    // contains filtered or unexported fields
}

func NewRedisSessionStore

func NewRedisSessionStore(_ context.Context, client redis.UniversalClient) (*SessionStore, error)

NewRedisSessionStore returns a new SessionStore with default configuration

func (*SessionStore) Close

func (s *SessionStore) Close() error

Close closes the Redis store

func (*SessionStore) Get

func (s *SessionStore) Get(r *http.Request, name string) (*sessions.Session, error)

Get returns a session for the given name after adding it to the registry.

func (*SessionStore) KeyGen

func (s *SessionStore) KeyGen(f KeyGenFunc)

KeyGen sets the key generator function

func (*SessionStore) KeyPrefix

func (s *SessionStore) KeyPrefix(keyPrefix string)

KeyPrefix sets the key prefix used to store sessions in Redis.

func (*SessionStore) New

func (s *SessionStore) New(r *http.Request, name string) (*sessions.Session, error)

New returns a session for the given name without adding it to the registry.

func (*SessionStore) Options

func (s *SessionStore) Options(opts sessions.Options)

Options sets the options used when a new session is created.

func (*SessionStore) Save

func (s *SessionStore) Save(_ *http.Request, w http.ResponseWriter, session *sessions.Session) error

Save adds a single session to the response.

If the Options.MaxAge of the session is <= 0, the session is deleted from the store. This enforces proper session-cookie handling on the server side, so there is no need to rely on the cookie management of the web browser.

func (*SessionStore) Serializer

func (s *SessionStore) Serializer(ss SessionSerializer)

Serializer sets the session serializer used to store sessions.

type Store

// Store is the package's persistence layer; NewOperatorStore and
// NewProviderStore construct it. Its methods implement the fosite storage
// callbacks (authorize code, access/refresh token, OIDC and PKCE sessions)
// as well as the identity, device, PIN and barcode records.
type Store struct {
    Log          logr.Logger
    // CouchDB is the primary CouchDB client (see EncryptCouchDB, DecryptCouchDB
    // and RotateCouchEncryptionKey for the encryption operations on it).
    CouchDB      *kivik.Client
    RedisDB      *redis.Client
    // Sessions holds the gorilla session store backed by RedisDB.
    Sessions     *SessionStore
    // CouchDBLocal is the client returned by LocalCouchDBClient; how it relates
    // to CouchDB (replica, offline fallback) is not visible here — see IsOffline
    // and RunOfflineDetection.
    CouchDBLocal *kivik.Client
    // contains filtered or unexported fields
}

func NewOperatorStore

func NewOperatorStore(log logr.Logger) (*Store, error)

NewOperatorStore returns a Store for the operator.

func NewProviderStore

func NewProviderStore(log logr.Logger) (*Store, error)

NewProviderStore returns a Store for the provider.

func (*Store) AddAliasToProfile

func (s *Store) AddAliasToProfile(ctx context.Context, userProfile *profile.Profile) error

func (*Store) ClientAssertionJWTValid

func (s *Store) ClientAssertionJWTValid(_ context.Context, _ string) error

ClientAssertionJWTValid returns an error if the JTI is known or the DB check failed, and nil if the JTI is not known. Note that in the signature shown above both parameters are blank identifiers, so the JTI passed in is not consulted by this method; confirm that replay protection for client assertions is enforced elsewhere.

func (*Store) CreateAccessTokenSession

func (s *Store) CreateAccessTokenSession(ctx context.Context, signature string, request fosite.Requester) (err error)

func (*Store) CreateAlias

func (s *Store) CreateAlias(ctx context.Context, alias, subject string) (err error)

func (*Store) CreateAuthorizeCodeSession

func (s *Store) CreateAuthorizeCodeSession(_ context.Context, code string, req fosite.Requester) (err error)

func (*Store) CreateBarcode

func (s *Store) CreateBarcode(ctx context.Context, key, secret, subject string) (err error)

func (*Store) CreateBarcodeCode

func (s *Store) CreateBarcodeCode(_ context.Context, signature, subject, issuedBy, clientID, barcodeType, challenge string) (err error)

func (*Store) CreateBarcodeKey

func (s *Store) CreateBarcodeKey(_ context.Context, challenge, barcodeKey string) (err error)

func (*Store) CreateBarcodeUser

func (s *Store) CreateBarcodeUser(ctx context.Context, subject, barcodeKey string) (err error)

CreateBarcodeUser creates a record in the DB with key `barcode-user:<subject>` and the barcode key as its value.

func (*Store) CreateIdentityProfile

func (s *Store) CreateIdentityProfile(ctx context.Context, p profile.Profile) error

func (*Store) CreateOpenIDConnectSession

func (s *Store) CreateOpenIDConnectSession(_ context.Context, authorizeCode string, req fosite.Requester) error

CreateOpenIDConnectSession creates an open id connect session for a given authorize code. This is relevant for explicit open id connect flow.

func (*Store) CreatePKCERequestSession

func (s *Store) CreatePKCERequestSession(_ context.Context, signature string, req fosite.Requester) error

func (*Store) CreateRefreshTokenSession

func (s *Store) CreateRefreshTokenSession(ctx context.Context, signature string, request fosite.Requester) (err error)

func (*Store) DecryptCouchDB

func (s *Store) DecryptCouchDB(ctx context.Context, key []byte) error

func (*Store) DeleteAccessTokenSession

func (s *Store) DeleteAccessTokenSession(_ context.Context, signature string) (err error)

func (*Store) DeleteBarcode

func (s *Store) DeleteBarcode(ctx context.Context, key string) (err error)

func (*Store) DeleteBarcodeCode

func (s *Store) DeleteBarcodeCode(_ context.Context, code string) (err error)

func (*Store) DeleteBarcodeKey

func (s *Store) DeleteBarcodeKey(_ context.Context, challenge string) (err error)

func (*Store) DeleteClient

func (s *Store) DeleteClient(ctx context.Context, id string) error

func (*Store) DeleteOpenIDConnectSession

func (s *Store) DeleteOpenIDConnectSession(_ context.Context, _ string) error

Deprecated: DeleteOpenIDConnectSession is not called from anywhere. Originally, it should remove an open id connect session from the store.

func (*Store) DeletePKCERequestSession

func (s *Store) DeletePKCERequestSession(_ context.Context, signature string) error

func (*Store) DeleteRefreshTokenSession

func (s *Store) DeleteRefreshTokenSession(_ context.Context, signature string) (err error)

func (*Store) EncryptCouchDB

func (s *Store) EncryptCouchDB(ctx context.Context, key []byte) error

func (*Store) ExpireIdentityProfile

func (s *Store) ExpireIdentityProfile(ctx context.Context, subject string) (err error)

func (*Store) GetAccessTokenSession

func (s *Store) GetAccessTokenSession(ctx context.Context, signature string, session fosite.Session) (request fosite.Requester, err error)

func (*Store) GetAuthorizeCodeSession

func (s *Store) GetAuthorizeCodeSession(ctx context.Context, code string, session fosite.Session) (request fosite.Requester, err error)

func (*Store) GetBarcode

func (s *Store) GetBarcode(ctx context.Context, key string) (barcode *barcode.Barcode, err error)

func (*Store) GetBarcodeCode

func (s *Store) GetBarcodeCode(_ context.Context, signature string) (barcodeCode *barcode.Code, err error)

func (*Store) GetBarcodeKey

func (s *Store) GetBarcodeKey(_ context.Context, challenge string) (barcodeKey *barcode.BarcodeKey, err error)

func (*Store) GetBarcodeUser

func (s *Store) GetBarcodeUser(ctx context.Context, subject string) (barCodeKey string, err error)

GetBarcodeUser checks whether the subject already has a barcode and returns the barcode key if present.

func (*Store) GetClient

func (s *Store) GetClient(ctx context.Context, id string) (fosite.Client, error)

GetClient loads the client by its ID or returns an error if the client does not exist or another error occurred.

func (*Store) GetClients

func (s *Store) GetClients(ctx context.Context, owner string) ([]*client.Client, error)

func (*Store) GetDeviceAccount

func (s *Store) GetDeviceAccount(ctx context.Context, username string) (acct *device.Account, err error)

func (*Store) GetDocWithKey

func (s *Store) GetDocWithKey(ctx context.Context, docID string, oldKey []byte) (*Doc, error)

GetDocWithKey retrieves the doc with the given docID using a specific key. It assumes encryption is enabled and that all current values are in the encryptedValue: [value] format.

func (*Store) GetIAMClient

func (s *Store) GetIAMClient(ctx context.Context, id string) (*client.Client, error)

GetIAMClient returns an EdgeIAMClient by client ID.

func (*Store) GetIdentityProfile

func (s *Store) GetIdentityProfile(ctx context.Context, subject string) (profile *profile.Profile, err error)

func (*Store) GetLoginSession

func (s *Store) GetLoginSession(signature string) (loginSession *session.LoginSession, err error)

func (*Store) GetOpenIDConnectSession

func (s *Store) GetOpenIDConnectSession(ctx context.Context, authorizeCode string, requester fosite.Requester) (fosite.Requester, error)

GetOpenIDConnectSession returns nil if a session was found, ErrNotFound if no session was found, or an arbitrary error if an error occurred.

func (*Store) GetPKCERequestSession

func (s *Store) GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error)

func (*Store) GetRefreshTokenSession

func (s *Store) GetRefreshTokenSession(ctx context.Context, signature string, session fosite.Session) (request fosite.Requester, err error)

func (*Store) GetSubjectFromAlias

func (s *Store) GetSubjectFromAlias(ctx context.Context, alias string) (subject string, err error)

func (*Store) InvalidateAuthorizeCodeSession

func (s *Store) InvalidateAuthorizeCodeSession(_ context.Context, code string) (err error)

func (*Store) InvalidateBarcodeCode

func (s *Store) InvalidateBarcodeCode(_ context.Context, signature, subject, issuedBy, clientID, barcodeType, challenge string) (err error)

func (*Store) InvalidateLoginSession

func (s *Store) InvalidateLoginSession(signature string) error

func (*Store) IsOffline

func (s *Store) IsOffline() bool

func (*Store) LoginWithPIN

func (s *Store) LoginWithPIN(ctx context.Context, userID string, pincode string) (*pin.Data, error)

func (*Store) RevokeAccessToken

func (s *Store) RevokeAccessToken(ctx context.Context, requestID string) error

RevokeAccessToken revokes an access token as specified in: https://tools.ietf.org/html/rfc7009#section-2.1 If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well.

func (*Store) RevokeRefreshToken

func (s *Store) RevokeRefreshToken(_ context.Context, requestID string) error

RevokeRefreshToken revokes a refresh token as specified in: https://tools.ietf.org/html/rfc7009#section-2.1 If the particular token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant (see Implementation Note).

func (*Store) RevokeRefreshTokenMaybeGracePeriod

func (s *Store) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, _ string) error

RevokeRefreshTokenMaybeGracePeriod revokes a refresh token as specified in: https://tools.ietf.org/html/rfc7009#section-2.1 If the particular token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant (see Implementation Note).

If the Refresh Token grace period is greater than zero in configuration the token will have its expiration time set as UTCNow + GracePeriod.

func (*Store) RotateCouchEncryptionKey

func (s *Store) RotateCouchEncryptionKey(ctx context.Context, oldKey []byte, newKey []byte) error

RotateCouchEncryptionKey updates the CouchDB database to use a new key for storing encrypted items.

func (*Store) RunOfflineDetection

func (s *Store) RunOfflineDetection()

func (*Store) SaveClientCredentials

func (s *Store) SaveClientCredentials(ctx context.Context, clientID string, credentials *client.Credentials) (*client.Credentials, error)

func (*Store) SaveClientProfile

func (s *Store) SaveClientProfile(ctx context.Context, clientID string, profile *client.Profile) (*client.Profile, error)

func (*Store) SaveDeviceAccount

func (s *Store) SaveDeviceAccount(ctx context.Context, acc device.Account) error

func (*Store) SavePIN

func (s *Store) SavePIN(ctx context.Context, userID string, pincode string) error

func (*Store) SetClientAssertionJWT

func (s *Store) SetClientAssertionJWT(_ context.Context, _ string, _ time.Time) error

SetClientAssertionJWT marks a JTI as known for the given expiry time. Before inserting the new JTI, it will clean up any existing JTIs that have expired, as those tokens cannot be replayed due to the expiry. Note that in the signature shown above all three parameters are blank identifiers, so the JTI and expiry passed in are not recorded by this method; confirm that client-assertion replay protection is enforced elsewhere.

func (*Store) SetLoginSession

func (s *Store) SetLoginSession(signature string, session *session.LoginSession) error