server

package v0.0.0-...-f5c2ca4
Published: Dec 31, 2023 License: GPL-3.0 Imports: 21 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (
	// ErrBadService means the service does not follow the specification.
	ErrBadService = errors.New("bad service")

	// ErrBadDestinationScheme is returned when the destination
	// scheme isn't HTTPS.
	ErrBadDestinationScheme = errors.New("bad destination scheme")

	// ErrUnauthorizedService means that the target service has
	// not been whitelisted.
	ErrUnauthorizedService = errors.New("unauthorized service")

	// ErrUnauthorizedDestination means that the destination is
	// not part of the service.
	ErrUnauthorizedDestination = errors.New("unauthorized destination")

	// ErrUnauthorized can be returned by the Exchange method if
	// group ACLs do not match the current ticket.
	ErrUnauthorized = errors.New("unauthorized")
)

Functions

func New

func New(loginService *LoginService, authClient authclient.Client, config *Config) (http.Handler, error)

New returns a new Server.

Types

type Config

type Config struct {
	login.Config `yaml:",inline"`

	URLPrefix string `yaml:"url_path_prefix"`

	AllowedCORSOrigins []string `yaml:"allowed_cors_origins"`

	SecretKeyFile    string   `yaml:"secret_key_file"`
	PublicKeyFile    string   `yaml:"public_key_file"`
	Domain           string   `yaml:"domain"`
	AllowedServices  []string `yaml:"allowed_services"`
	AllowedExchanges []*struct {
		SrcRegexp string `yaml:"src_regexp"`
		DstRegexp string `yaml:"dst_regexp"`
		// contains filtered or unexported fields
	} `yaml:"allowed_exchanges"`
	ServiceTTLs []*struct {
		Regexp     string `yaml:"regexp"`
		TTLSeconds int    `yaml:"ttl"`
		// contains filtered or unexported fields
	} `yaml:"service_ttls"`

	KeyStore             *clientutil.BackendConfig `yaml:"keystore"`
	KeyStoreEnableGroups []string                  `yaml:"keystore_enable_groups"`

	LoginDelayMs float64 `yaml:"login_delay_ms"`
	// contains filtered or unexported fields
}

Config data for the SSO service.

func (*Config) Compile

func (c *Config) Compile() error

Compile the configuration (parse regular expressions, etc).

type LoginService

type LoginService struct {
	// contains filtered or unexported fields
}

LoginService provides the business logic for the SSO server, offering the Authorize and Exchange methods.

func NewLoginService

func NewLoginService(config *Config) (*LoginService, error)

NewLoginService returns a new LoginService with the specified configuration.

func (*LoginService) Authorize

func (s *LoginService) Authorize(username, service, destination, nonce string, groups []string, maxTTL time.Duration) (string, error)

Authorize a user to access a service by generating a token for it. The user must already have been identified by some other means (e.g. by passing a login form). The 'maxTTL' parameter, if non-zero, caps the time-to-live of the ticket, which is otherwise determined by the service configuration.

func (*LoginService) Exchange

func (s *LoginService) Exchange(curToken, curService, curNonce, newService, nonce string) (string, error)

Exchange a token for a new one scoped to a different service.
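As an added example, not code from this package or its author: a small Go model of the checks that the documented errors of Authorize and Exchange describe, driven by values shaped like the allowed_services and allowed_exchanges settings of Config. The exact-name whitelist, the destination-host-equals-service rule and the first-matching-rule semantics are assumptions; the real package may evaluate these differently.

```go
package main

import (
	"errors"
	"net/url"
	"regexp"
)

// Local copies of the sentinel errors the server package exports (not its values).
var (
	ErrBadDestinationScheme    = errors.New("bad destination scheme")
	ErrUnauthorizedService     = errors.New("unauthorized service")
	ErrUnauthorizedDestination = errors.New("unauthorized destination")
)

// exchangeRule is an assumed compiled form of one allowed_exchanges entry.
type exchangeRule struct{ src, dst *regexp.Regexp }

// checkDestination models the checks behind Authorize's errors: https-only
// destination, whitelisted service, and (assumed) destination host == service.
func checkDestination(allowed []string, service, destination string) error {
	u, err := url.Parse(destination)
	if err != nil || u.Scheme != "https" {
		return ErrBadDestinationScheme
	}
	whitelisted := false
	for _, s := range allowed {
		whitelisted = whitelisted || s == service
	}
	if !whitelisted {
		return ErrUnauthorizedService
	}
	if u.Hostname() != service { // binds the redirect target to the service
		return ErrUnauthorizedDestination
	}
	return nil
}

// exchangeAllowed reports whether some allowed_exchanges rule matches both
// sides. Regexps match substrings unless anchored, so anchor them (^...$).
func exchangeAllowed(rules []exchangeRule, src, dst string) bool {
	for _, r := range rules {
		if r.src.MatchString(src) && r.dst.MatchString(dst) {
			return true
		}
	}
	return false
}
```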
