package x509
import "k8s.io/apiserver/pkg/authentication/request/x509"
Package x509 provides a request authenticator that validates and extracts user information from client certificates
Index ¶
- Variables
- func DefaultVerifyOptions() x509.VerifyOptions
- func NewVerifier(opts x509.VerifyOptions, auth authenticator.Request, allowedCommonNames sets.String) authenticator.Request
- type Authenticator
- func New(opts x509.VerifyOptions, user UserConversion) *Authenticator
- func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error)
- type UserConversion
- type UserConversionFunc
- type Verifier
Variables ¶
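// CommonNameUserConversion builds user info from a certificate chain: the
// user name is the Subject.CommonName of chain[0] and the groups are its
// Subject.Organization values. Both are copied from the certificate as-is, so
// the resulting identity is only as trustworthy as the verification applied
// to the chain before this conversion runs.
//
// It reports (nil, false, nil) when the chain is empty or the CommonName is
// empty, meaning no user could be derived from the certificate.
var CommonNameUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (*authenticator.Response, bool, error) {
	// Guard against an empty chain (or nil first entry) so that indexing
	// chain[0] cannot panic inside the authentication path.
	if len(chain) == 0 || chain[0] == nil {
		return nil, false, nil
	}

	subject := chain[0].Subject
	if len(subject.CommonName) == 0 {
		// No CommonName means there is no user name to assert.
		return nil, false, nil
	}

	return &authenticator.Response{
		User: &user.DefaultInfo{
			Name:   subject.CommonName,
			Groups: subject.Organization,
		},
	}, true, nil
})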
CommonNameUserConversion builds user info from a certificate chain using the subject's CommonName
Functions ¶
func DefaultVerifyOptions ¶
func DefaultVerifyOptions() x509.VerifyOptions
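DefaultVerifyOptions returns VerifyOptions that use the system root certificates and the current time, and require certificates to be valid for client auth (x509.ExtKeyUsageClientAuth). Because these defaults trust the system roots, a caller that authenticates clients against its own CA should set the roots explicitly rather than rely on the defaults.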
func NewVerifier ¶
func NewVerifier(opts x509.VerifyOptions, auth authenticator.Request, allowedCommonNames sets.String) authenticator.Request
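NewVerifier creates a request.Authenticator that verifies the client certificate on the request and then delegates to the wrapped auth. How allowedCommonNames is applied is not described on this page; check the source before relying on it to restrict which certificates are accepted.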
Types ¶
type Authenticator ¶
type Authenticator struct {
// contains filtered or unexported fields
}
Authenticator implements request.Authenticator by extracting user info from verified client certificates
func New ¶
func New(opts x509.VerifyOptions, user UserConversion) *Authenticator
New returns a request.Authenticator that verifies client certificates using the provided VerifyOptions, and converts valid certificate chains into user.Info using the provided UserConversion
func (*Authenticator) AuthenticateRequest ¶
func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error)
AuthenticateRequest authenticates the request using presented client certificates
type UserConversion ¶
type UserConversion interface { User(chain []*x509.Certificate) (*authenticator.Response, bool, error) }
UserConversion defines an interface for extracting user info from a client certificate chain
type UserConversionFunc ¶
type UserConversionFunc func(chain []*x509.Certificate) (*authenticator.Response, bool, error)
UserConversionFunc is a function that implements the UserConversion interface.
func (UserConversionFunc) User ¶
func (f UserConversionFunc) User(chain []*x509.Certificate) (*authenticator.Response, bool, error)
User implements x509.UserConversion
type Verifier ¶
type Verifier struct {
// contains filtered or unexported fields
}
Verifier implements request.Authenticator by verifying a client cert on the request, then delegating to the wrapped auth
func (*Verifier) AuthenticateRequest ¶
AuthenticateRequest verifies the presented client certificate, then delegates to the wrapped auth
Source Files ¶
doc.go x509.go
- Version
- v0.15.7
- Published
- Dec 11, 2019
- Platform
- linux/amd64
- Imports
- 10 packages