tok

package
v1.4.3 Latest

This package is not in the latest version of its module.
Published: Mar 25, 2026 License: MIT Imports: 24 Imported by: 0

Documentation

Overview

Package tok provides AuthN token (structure and methods) for validation by AIS gateways.

  • Copyright (c) 2025-2026, NVIDIA CORPORATION. All rights reserved.

Index

Constants

This section is empty.

Variables

var (
	ErrNoPermissions = errors.New("insufficient permissions")
	ErrInvalidToken  = errors.New("invalid token")
	ErrNoSubject     = errors.New("missing 'sub' claim")
	ErrNoToken       = errors.New("token required")
	ErrTokenExpired  = errors.New("token expired")
	ErrTokenRevoked  = errors.New("token revoked")
)
var ErrNoJWKSForIssuer = errors.New("no JWKS entry exists for issuer")
var (
	ErrNoStaticKey = errors.New("no static key in config")
)

Functions

func GetKeyID added in v1.4.3

func GetKeyID(t *jwt.Token) (string, error)

GetKeyID returns the key ID from the provided token's headers. It is used by callers (KeyProviders) that must look up the public key associated with a token in a JWKS.

Types

type AISClaims added in v1.4.1

type AISClaims struct {
	ClusterACLs []*authn.CluACL `json:"clusters"`
	BucketACLs  []*authn.BckACL `json:"buckets,omitempty"`
	IsAdmin     bool            `json:"admin"`
	jwt.RegisteredClaims
}

AISClaims contains JWT claims with additional AIS functionality. Note: JWTs relying on legacy claims issued prior to v4.3 will fail validation on v4.3 clusters. The deprecated legacy claims 'username' and 'expires' have been removed in favor of 'sub' and 'exp'.

func AdminClaims added in v1.4.1

func AdminClaims(regClaims *jwt.RegisteredClaims) *AISClaims

func StandardClaims added in v1.4.1

func StandardClaims(regClaims *jwt.RegisteredClaims, bucketACLs []*authn.BckACL, clusterACLs []*authn.CluACL) *AISClaims

func (*AISClaims) CheckPermissions added in v1.4.1

func (c *AISClaims) CheckPermissions(clusterID string, bck *cmn.Bck, perms apc.AccessAttrs) error

func (*AISClaims) IsExpired added in v1.4.1

func (c *AISClaims) IsExpired() bool

func (*AISClaims) IsUser added in v1.4.1

func (c *AISClaims) IsUser(user string) bool

func (*AISClaims) String added in v1.4.1

func (c *AISClaims) String() string

func (*AISClaims) Validate added in v1.4.1

func (c *AISClaims) Validate() error

Validate implements the Claims interface to add extra claims validation after a token is parsed.

type CacheConfig added in v1.4.1

type CacheConfig struct {
	DiscoveryConf           *DiscoveryConf
	MinCacheRefreshInterval *time.Duration
}

type DiscoveryConf added in v1.4.1

type DiscoveryConf struct {
	Retries   int
	BaseDelay time.Duration
}

type JWKSRoundTripper added in v1.4.2

type JWKSRoundTripper struct {
	// contains filtered or unexported fields
}

JWKSRoundTripper wraps http.RoundTripper to track the latency of JWKS fetches.

func NewJWKSRoundTripper added in v1.4.2

func NewJWKSRoundTripper(base http.RoundTripper, statsT stats.Tracker) *JWKSRoundTripper

func (*JWKSRoundTripper) RoundTrip added in v1.4.2

func (jrt *JWKSRoundTripper) RoundTrip(req *http.Request) (*http.Response, error)

RoundTrip implements http.RoundTripper with additional stats wrapping.

type KeyCacheManager added in v1.4.1

type KeyCacheManager struct {
	// contains filtered or unexported fields
}

func NewKeyCacheManager added in v1.4.1

func NewKeyCacheManager(oidc *cmn.OIDCConf, client *http.Client, cacheConf *CacheConfig, statsT stats.Tracker) *KeyCacheManager

NewKeyCacheManager creates an instance of KeyCacheManager with an unpopulated cache. After creating it, call Init with a long-lived context to create a key cache. Optionally, also pre-populate the cache to register and preload the allowed issuers.

func (*KeyCacheManager) IncCounter added in v1.4.2

func (km *KeyCacheManager) IncCounter(metric string)

func (*KeyCacheManager) Init added in v1.4.1

func (km *KeyCacheManager) Init(rootCtx context.Context)

Init prepares a key cache manager to provide to a token parser. The provided context must remain valid for the life of the cache so that automatic refresh can run.

func (*KeyCacheManager) PopulateJWKSCache added in v1.4.1

func (km *KeyCacheManager) PopulateJWKSCache(ctx context.Context) error

PopulateJWKSCache looks up JWKS URLs, adds them to the cache, and preloads the JWKS. It returns an error only on context cancellation or invalid config.

func (*KeyCacheManager) ResolveKey added in v1.4.3

func (km *KeyCacheManager) ResolveKey(ctx context.Context, tok *jwt.Token) (any, error)

func (*KeyCacheManager) ValidateKey added in v1.4.3

func (km *KeyCacheManager) ValidateKey(ctx context.Context, reqConf *authn.ServerConf) (int, error)

ValidateKey checks whether the public key provided in the request struct exists for any of the configured issuers.

type KeyProvider added in v1.4.3

type KeyProvider interface {
	// ResolveKey returns a key that should be used to validate the given token
	ResolveKey(ctx context.Context, tok *jwt.Token) (any, error)
}

type Parser added in v1.4.1

type Parser interface {
	// ValidateToken verifies JWT signature and extracts token claims.
	ValidateToken(ctx context.Context, tokenStr string) (*AISClaims, error)
}

type ServerKeyProvider added in v1.4.3

type ServerKeyProvider interface {
	KeyProvider
	// ValidateKey checks a given public key or secret checksum and returns an error iff it is invalid
	ValidateKey(ctx context.Context, conf *authn.ServerConf) (int, error)
}

ServerKeyProvider extends KeyProvider with functionality used only on the AIS server side (not in the AuthN service).

type Signer added in v1.4.3

type Signer interface {
	KeyProvider
	SignToken(c jwt.Claims) (string, error)
	ValidationConf() *authn.ServerConf
}

type StaticKeyProvider added in v1.4.3

type StaticKeyProvider struct {
	// contains filtered or unexported fields
}

func NewStaticKeyProvider added in v1.4.3

func NewStaticKeyProvider(conf *cmn.AuthConf) (*StaticKeyProvider, error)

func (*StaticKeyProvider) ResolveKey added in v1.4.3

func (s *StaticKeyProvider) ResolveKey(_ context.Context, t *jwt.Token) (any, error)

ResolveKey for the static provider resolves the key directly from config.

func (*StaticKeyProvider) ValidateKey added in v1.4.3

func (s *StaticKeyProvider) ValidateKey(_ context.Context, reqConf *authn.ServerConf) (int, error)

ValidateKey checks whether the request struct contains a key or checksum consistent with the current config.

type TokenHdr added in v1.4.1

type TokenHdr struct {
	// Request header containing token string
	Header string
	// Raw token string from request
	Token string
}

func ExtractToken

func ExtractToken(hdr http.Header) (*TokenHdr, error)

ExtractToken extracts the JWT token from either the Authorization header (Bearer token) or the X-Amz-Security-Token header, with the following priority:

  1. Authorization: Bearer <token> (standard JWT auth)
  2. X-Amz-Security-Token: enables native AWS SDK clients to authenticate using AIS-compatible JWT tokens passed when using SigV4 authentication.

type TokenParser added in v1.4.1

type TokenParser struct {
	// contains filtered or unexported fields
}

func NewTokenParser added in v1.4.1

func NewTokenParser(keyProvider KeyProvider, conf *cmn.AuthConf) *TokenParser

NewTokenParser creates a new instance of TokenParser given a key provider and an optional set of auth configs.

func (*TokenParser) ValidateToken added in v1.4.1

func (p *TokenParser) ValidateToken(ctx context.Context, tokenStr string) (*AISClaims, error)

ValidateToken verifies the JWT signature and extracts the token claims, supporting both HMAC (HS256) and RSA (RS256) signing methods:

  • HS256: validates with the secret (symmetric)
  • RS256: validates with the pubKey (asymmetric)
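The HS256 path of ValidateToken, shown as an added stdlib-only example rather than the package's own code (which builds on the jwt library's Token and Claims types above): the token is accepted only if its alg header is the configured method and its HMAC matches under a constant-time compare, and only then are the 'sub' and 'exp' claims enforced, with sentinel errors paralleling the package's. The signHS256 helper, the secret and the claim values are constructed for illustration.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Sentinel errors paralleling tok.ErrInvalidToken, tok.ErrNoSubject and tok.ErrTokenExpired.
var errInvalidToken, errNoSubject, errTokenExpired = errors.New("invalid token"), errors.New("missing 'sub' claim"), errors.New("token expired")
type claims struct { // the registered claims the package note says a v4.3 token must carry
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
// signHS256 mints a token so the verifier has realistic input (constructed helper, not AuthN's).
func signHS256(c claims, secret []byte) string {
	body, _ := json.Marshal(c)
	in := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(in))
	return in + "." + b64.EncodeToString(mac.Sum(nil))
}
// verifyHS256 accepts only the configured alg, checks the signature in constant time,
// and only then trusts the payload enough to enforce 'sub' and 'exp'.
func verifyHS256(tok string, secret []byte, now time.Time) (*claims, error) {
	parts, c := strings.Split(tok, "."), claims{}
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if h, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errInvalidToken // malformed, or not the signing method this verifier is configured for
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(mac.Sum(nil), sig) {
		return nil, errInvalidToken
	}
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errInvalidToken
	}
	if c.Sub == "" {
		return nil, errNoSubject
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) { // a missing 'exp' is treated as expired
		return nil, errTokenExpired
	}
	return &c, nil
}
```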
