package x509

import "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/x509"

Package x509 provides a request authenticator that validates and extracts user information from client certificates

Index

Variables 

var CommonNameUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (user.Info, bool, error) {
	if len(chain[0].Subject.CommonName) == 0 {
		return nil, false, nil
	}
	return &user.DefaultInfo{
		Name:   chain[0].Subject.CommonName,
		Groups: chain[0].Subject.Organization,
	}, true, nil
})

CommonNameUserConversion builds user info from a certificate chain using the subject's CommonName 

var DNSNameUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (user.Info, bool, error) {
	if len(chain[0].DNSNames) == 0 {
		return nil, false, nil
	}
	return &user.DefaultInfo{Name: chain[0].DNSNames[0]}, true, nil
})

DNSNameUserConversion builds user info from a certificate chain using the first DNSName on the certificate 

var EmailAddressUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (user.Info, bool, error) {
	var emailAddressOID asn1.ObjectIdentifier = []int{1, 2, 840, 113549, 1, 9, 1}
	if len(chain[0].EmailAddresses) == 0 {
		for _, name := range chain[0].Subject.Names {
			if name.Type.Equal(emailAddressOID) {
				return &user.DefaultInfo{Name: name.Value.(string)}, true, nil
			}
		}
		return nil, false, nil
	}
	return &user.DefaultInfo{Name: chain[0].EmailAddresses[0]}, true, nil
})

EmailAddressUserConversion builds user info from a certificate chain using the first EmailAddress on the certificate

Functions

func DefaultVerifyOptions 

func DefaultVerifyOptions() x509.VerifyOptions

DefaultVerifyOptions returns VerifyOptions that use the system root certificates, current time, and requires certificates to be valid for client auth (x509.ExtKeyUsageClientAuth)

func NewVerifier 

func NewVerifier(opts x509.VerifyOptions, auth authenticator.Request, allowedCommonNames sets.String) authenticator.Request

NewVerifier create a request.Authenticator by verifying a client cert on the request, then delegating to the wrapped auth

Types

type Authenticator 

type Authenticator struct {
	// contains filtered or unexported fields
}

Authenticator implements request.Authenticator by extracting user info from verified client certificates

func New 

func New(opts x509.VerifyOptions, user UserConversion) *Authenticator

New returns a request.Authenticator that verifies client certificates using the provided VerifyOptions, and converts valid certificate chains into user.Info using the provided UserConversion

func (*Authenticator) AuthenticateRequest 

func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error)

AuthenticateRequest authenticates the request using presented client certificates

type UserConversion 

type UserConversion interface {
	User(chain []*x509.Certificate) (user.Info, bool, error)
}

UserConversion defines an interface for extracting user info from a client certificate chain

type UserConversionFunc 

type UserConversionFunc func(chain []*x509.Certificate) (user.Info, bool, error)

UserConversionFunc is a function that implements the UserConversion interface.

func (UserConversionFunc) User 

func (f UserConversionFunc) User(chain []*x509.Certificate) (user.Info, bool, error)

User implements x509.UserConversion

type Verifier 

type Verifier struct {
	// contains filtered or unexported fields
}

Verifier implements request.Authenticator by verifying a client cert on the request, then delegating to the wrapped auth

func (*Verifier) AuthenticateRequest 

func (a *Verifier) AuthenticateRequest(req *http.Request) (user.Info, bool, error)

AuthenticateRequest verifies the presented client certificate, then delegates to the wrapped auth

Source Files

doc.go x509.go

Version
v1.5.0
Published
Dec 12, 2016
Platform
linux/amd64
Imports
10 packages
Last checked
1 minute ago

Tools for package owners.