package conjurapi
import (
"encoding/base64"
"fmt"
"io"
"net/http"
"github.com/Nirupma-Verma/conjur-api-go/conjurapi/authn"
"github.com/Nirupma-Verma/conjur-api-go/conjurapi/response"
)
// RefreshToken fetches a new access token from the configured authenticator
// and stores it on the client, but only when NeedsTokenRefresh reports that a
// refresh is required. When no refresh is needed it returns nil without
// touching the stored token.
//
// If the authenticator or authn.NewToken fails, that error is returned and the
// previously stored token is left in place.
func (c *Client) RefreshToken() (err error) {
	if !c.NeedsTokenRefresh() {
		return nil
	}

	var raw []byte
	raw, err = c.authenticator.RefreshToken()
	if err != nil {
		return err
	}

	var fresh authn.AuthnToken
	if fresh, err = authn.NewToken(raw); err != nil {
		return err
	}

	// NOTE(review): any result returned by FromJSON is discarded here. If
	// FromJSON reports parse failures through a return value, a token that
	// failed to load would still be installed below. Confirm against the
	// authn.AuthnToken definition and check the result if it is an error.
	fresh.FromJSON(raw)
	c.authToken = fresh
	return nil
}
// NeedsTokenRefresh reports whether the client should obtain a new access
// token before its next authenticated request. The conditions are evaluated
// in order and the first one that holds decides the result: no token is
// stored, the stored token says it should be refreshed, or the authenticator
// itself asks for a refresh.
func (c *Client) NeedsTokenRefresh() bool {
	switch {
	case c.authToken == nil:
		// Nothing cached yet; the token methods must not be called on nil.
		return true
	case c.authToken.ShouldRefresh():
		return true
	default:
		return c.authenticator.NeedsTokenRefresh()
	}
}
// createAuthRequest makes sure the client holds a usable access token and
// then attaches it to req as an Authorization header of the form
// `Token token="<base64 of the raw token>"`.
//
// It returns the error from RefreshToken unchanged and leaves req untouched
// in that case.
func (c *Client) createAuthRequest(req *http.Request) error {
	err := c.RefreshToken()
	if err != nil {
		return err
	}

	// From here on req carries a live credential, so keep its headers out of
	// logs and debug dumps.
	encoded := base64.StdEncoding.EncodeToString(c.authToken.Raw())
	headerValue := fmt.Sprintf("Token token=\"%s\"", encoded)
	req.Header.Set("Authorization", headerValue)
	return nil
}
// Authenticate obtains a new access token for loginPair.
//
// The HTTP response is handed to response.DataResponse, whose byte result and
// error are returned as they are. The returned bytes are a credential, so
// callers should avoid logging or persisting them in the clear.
func (c *Client) Authenticate(loginPair authn.LoginPair) ([]byte, error) {
	httpResp, authErr := c.authenticate(loginPair)
	if authErr == nil {
		return response.DataResponse(httpResp)
	}
	return nil, authErr
}
// AuthenticateReader obtains a new access token for loginPair and returns it
// as a data stream rather than a byte slice.
//
// The stream comes from response.SecretDataResponse. The caller owns the
// returned io.ReadCloser and must Close it when done. Its content is a
// credential and should be treated as such.
func (c *Client) AuthenticateReader(loginPair authn.LoginPair) (io.ReadCloser, error) {
	httpResp, authErr := c.authenticate(loginPair)
	if authErr == nil {
		return response.SecretDataResponse(httpResp)
	}
	return nil, authErr
}
// authenticate builds the authentication request for loginPair through the
// router and sends it with the client's HTTP client, returning the raw
// response for the caller to decode.
//
// The request is sent with c.httpClient.Do directly rather than through
// c.SubmitRequest, which rotateAPIKey uses.
func (c *Client) authenticate(loginPair authn.LoginPair) (*http.Response, error) {
	authReq, buildErr := c.router.AuthenticateRequest(loginPair)
	if buildErr == nil {
		return c.httpClient.Do(authReq)
	}
	return nil, buildErr
}
// RotateAPIKey replaces the API key of the role identified by roleID on the
// server with a new random secret.
//
// The authenticated user must have update privilege on the role.
//
// The response is decoded by response.DataResponse; the returned bytes are
// presumably the new API key (confirm against the server contract) and
// should be handled as a secret.
func (c *Client) RotateAPIKey(roleID string) ([]byte, error) {
	httpResp, rotateErr := c.rotateAPIKey(roleID)
	if rotateErr == nil {
		return response.DataResponse(httpResp)
	}
	return nil, rotateErr
}
// RotateAPIKeyReader replaces the API key of the role identified by roleID on
// the server with a new random secret and returns it as a data stream.
//
// The authenticated user must have update privilege on the role.
//
// The stream comes from response.SecretDataResponse. The caller owns the
// returned io.ReadCloser and must Close it when done. Its content is a
// secret and should not be logged.
func (c *Client) RotateAPIKeyReader(roleID string) (io.ReadCloser, error) {
	httpResp, rotateErr := c.rotateAPIKey(roleID)
	if rotateErr == nil {
		return response.SecretDataResponse(httpResp)
	}
	return nil, rotateErr
}
// rotateAPIKey builds the key-rotation request for roleID through the router
// and sends it with c.SubmitRequest, returning the raw response for the
// caller to decode.
func (c *Client) rotateAPIKey(roleID string) (*http.Response, error) {
	rotateReq, buildErr := c.router.RotateAPIKeyRequest(roleID)
	if buildErr == nil {
		return c.SubmitRequest(rotateReq)
	}
	return nil, buildErr
}