package alks
import (
"errors"
"net/http"
)
// Names of the HTTP request headers that STS.InjectAuth uses to carry the
// three parts of an AWS STS credential. The values sent under these headers
// are secrets, so the header names are worth adding to any log or trace
// redaction list alongside Authorization.
const (
	accessKeyHeader = "ALKS-STS-Access-Key"
	secretKeyHeader = "ALKS-STS-Secret-Key"
	sessionTokenHeader = "ALKS-STS-Session-Token"
)
// Basic represents LDAP based credentials in the configuration of the ALKS client.
//
// Both fields carry the `json:"-"` tag, so encoding/json neither writes them
// when marshalling nor fills them when unmarshalling: the credentials cannot
// leak into, or be loaded from, JSON through this struct.
type Basic struct {
	// NOTE(review): the json tag only covers encoding/json. No String or Format
	// method is visible in this file, so formatting a Basic with %v or %+v
	// would presumably print both fields — confirm values of this type never
	// reach a logger.
	Username string `json:"-"`
	Password string `json:"-"`
}
// STS represents AWS STS credentials in the configuration of the ALKS client.
//
// All three fields carry the `json:"-"` tag, so encoding/json neither writes
// them when marshalling nor fills them when unmarshalling: the credentials
// cannot leak into, or be loaded from, JSON through this struct.
type STS struct {
	// NOTE(review): the json tag only covers encoding/json. No String or Format
	// method is visible in this file, so formatting an STS with %v or %+v
	// would presumably print every field — confirm values of this type never
	// reach a logger.
	AccessKey string `json:"-"`
	SecretKey string `json:"-"`
	SessionToken string `json:"-"`
}
// Bearer represents an Okta bearer token in the configuration of the ALKS client.
//
// Token carries the `json:"-"` tag, so encoding/json neither writes it when
// marshalling nor fills it when unmarshalling: the token cannot leak into, or
// be loaded from, JSON through this struct.
type Bearer struct {
	// NOTE(review): the json tag only covers encoding/json. No String or Format
	// method is visible in this file, so formatting a Bearer with %v or %+v
	// would presumably print the token — confirm values of this type never
	// reach a logger.
	Token string `json:"-"`
}
// AuthInjecter is the interface that wraps the InjectAuth method.
//
// Implementations are expected to add their authentication data to the request
// without destroying existing data (if any) and should implement fallbacks
// when possible. Failing that, an error should be reported to the caller.
//
// Basic, STS and Bearer in this file implement it on their pointer types.
type AuthInjecter interface {
	// InjectAuth adds the implementation's credentials to req and returns a
	// non-nil error when it cannot do so.
	InjectAuth(req *http.Request) error
}
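// InjectAuth adds an HTTP Basic Authorization header containing the caller's
// username and password to an ALKS client request.
//
// It returns an error and leaves req untouched when req already carries a
// non-empty Authorization header of any scheme. req.BasicAuth only reports a
// header that parses as Basic, while SetBasicAuth replaces the Authorization
// header outright, so checking BasicAuth alone would let this method silently
// overwrite a Bearer token or other credential that is already present.
//
// Basic credentials are base64-encoded, not encrypted, so the request should
// only be sent over TLS.
func (b *Basic) InjectAuth(req *http.Request) error {
	// Existing, well-formed Basic credentials: keep the message callers
	// already receive for this case.
	if _, _, ok := req.BasicAuth(); ok {
		return errors.New("Basic Auth header already exists")
	}
	// Any other scheme, or a malformed Basic value, must not be clobbered
	// either; report it with the same message Bearer.InjectAuth uses.
	if req.Header.Get("Authorization") != "" {
		return errors.New("Authorization header already exists")
	}
	req.SetBasicAuth(b.Username, b.Password)
	return nil
}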
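// InjectAuth adds the ALKS STS headers to a client request, carrying the
// caller's access key, secret key and session token.
//
// It returns an error and leaves req untouched when any one of the three
// headers is already set to a non-empty value. Requiring all three to be
// present before refusing would let a request with one or two of them through,
// and Header.Add would then append a second value to the existing header: the
// request would carry a mix of two credential sets, and which value the server
// reads would be ambiguous.
func (s *STS) InjectAuth(req *http.Request) error {
	for _, name := range []string{accessKeyHeader, secretKeyHeader, sessionTokenHeader} {
		if req.Header.Get(name) != "" {
			return errors.New("STS Auth headers already exist")
		}
	}
	req.Header.Add(accessKeyHeader, s.AccessKey)
	req.Header.Add(secretKeyHeader, s.SecretKey)
	req.Header.Add(sessionTokenHeader, s.SessionToken)
	return nil
}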
// InjectAuth attaches the caller's Okta bearer token to an ALKS client request
// as an Authorization header of the form "Bearer <token>".
//
// A request that already has a non-empty Authorization header is left as it is
// and an error is returned. Token is not validated here: an empty Token
// produces the header value "Bearer ".
func (b *Bearer) InjectAuth(req *http.Request) error {
	const header = "Authorization"

	if existing := req.Header.Get(header); existing == "" {
		req.Header.Add(header, "Bearer "+b.Token)
		return nil
	}
	return errors.New("Authorization header already exists")
}