webhook

package
v3.1.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 10, 2024 License: Apache-2.0 Imports: 27 Imported by: 0

Documentation

Overview

Package webhook provides the handlers and customization points for implementing a K8s webhook for authentication and authorization using Athenz.

Package webhook is originated from https://github.com/yahoo/k8s-athenz-webhook/releases/tag/v0.1.4 Copyright 2019 Verizon Media Inc. Licensed under the terms of the 3-Clause BSD License. See LICENSE file in github.com/yahoo/k8s-athenz-webhook/blob/v0.1.4/LICENSE for terms.

Index

Constants

View Source 
const (
	CacheActive = true
	CacheStale  = false
)

Variables

View Source 
var DefaultClientTimeout = 10 * time.Second

DefaultClientTimeout is used when no timeout is supplied in the config.

Functions

func ConvertIntoV1 added in v3.1.0 

func ConvertIntoV1(rV1Beta1 authzv1beta1.SubjectAccessReview) authz.SubjectAccessReview

func IsLogEnabled 

func IsLogEnabled(ctx context.Context, flag LogFlags) bool

IsLogEnabled returns true if the supplied flag is set in the configuration log flags bitmask.

func NewAuthenticator 

func NewAuthenticator(c AuthenticationConfig) http.Handler

NewAuthenticator returns a handler that can service an authentication request.

func NewAuthorizer 

func NewAuthorizer(c AuthorizationConfig) http.Handler

NewAuthorizer returns a handler that can service an authorization request.

func VerifyToken 

func VerifyToken(token string, checkExpiry bool) error

VerifyToken returns an error if the supplied ntoken was not well-formed. When checkExpiry is true, an expiry check on the token is also performed.

Types

type AthenzAccessCheck 

type AthenzAccessCheck struct {
	Action   string // the action to authorize
	Resource string // fully qualified Athenz resource name including domain prefix (e.g. "my.domain:the-resource")
}

AthenzAccessCheck encapsulates the parameters for an authz check against Athenz.

func (AthenzAccessCheck) String 

func (a AthenzAccessCheck) String() string

type AthenzPrincipal 

type AthenzPrincipal struct {
	Domain  string // Athenz domain
	Service string // local name
	Token   string // the token
}

AthenzPrincipal represents a valid Athenz principal.

type AuthenticationConfig 

type AuthenticationConfig struct {
	Config            // base config
	Mapper UserMapper // user mapper
}

AuthenticationConfig is the authentication configuration

type AuthorizationConfig 

type AuthorizationConfig struct {
	Config                                       // the base config
	HelpMessage               string             // additional message for the user on internal authz errors
	Token                     IdentityToken      // the token provider for calls to Athenz
	AthenzX509                IdentityAthenzX509 // the x509 provider for calls to Athenz
	AthenzClientAuthnx509Mode bool               // enable/disable x509 mode for Identity athenz x509
	Mapper                    ResourceMapper     // the resource mapper
}

AuthorizationConfig is the authorization configuration

type AuthzError 

type AuthzError struct {
	// contains filtered or unexported fields
}

AuthzError is an error implementation that can provide custom messages for the reason field in the SubjectAccessReviewStatus object.

func NewAuthzError 

func NewAuthzError(delegate error, reason string) *AuthzError

NewAuthzError returns an error implementation whose reason member is copied into the returned status object.

func (*AuthzError) Reason 

func (a *AuthzError) Reason() string

Reason returns the string that should be copied into the `reason` field of the status object.

type Cache 

type Cache struct {
	// contains filtered or unexported fields
}

Cache - cache for athenzdomains CR

func NewZpeClient 

func NewZpeClient(crIndexInformer cache.SharedIndexInformer, cmIndexInformer cache.SharedIndexInformer, maxContactTime time.Duration, log Logger) *Cache

NewZpeClient - generate new athenzdomains cr cache

func (*Cache) SetCacheEnabledStatus 

func (c *Cache) SetCacheEnabledStatus(enabled bool)

SetCacheEnabledStatus - sets cacheEnabled value when cacheEnabled is set to true, cache will be used in the request flow.

type Config 

type Config struct {
	ZMSEndpoint string                     // ZMS endpoint including version specific (e.g. /v1) path
	ZTSEndpoint string                     // ZTS endpoint including version specific (e.g. /v1) path
	AuthHeader  string                     // header name for ntoken in Athenz requests
	Timeout     time.Duration              // timeout for all Athenz requests
	LogProvider LogProvider                // the log provider
	LogFlags    LogFlags                   // logging flags
	Validator   zmssvctoken.TokenValidator // token validator
	Cache       *Cache                     // AthenzDomain Cache
	UseCache    bool                       // UseCache flag
	DryRun      bool                       // DryRun mode flag
}

Config is the common configuration for authn and authz

type Cron 

type Cron struct {
	// contains filtered or unexported fields
}

Cron type for cache status updates, after a sync interval, compare last update time stored in the cache and current time, update the cache status

func NewCron 

func NewCron(syncInterval time.Duration, cache *Cache, log Logger) *Cron

NewCron - creates new cron object

func (*Cron) CronSync 

func (c *Cron) CronSync(stopCh <-chan struct{})

CronSync - for every sync interval, update the cache status to ensure it is up to date

type IdentityAthenzX509 

type IdentityAthenzX509 func() (*tls.Config, error)

IdentityAthenzX509 provides x509 certs for Athenz access

type IdentityToken 

type IdentityToken func() (string, error)

IdentityToken provides an ntoken for Athenz access for the authorization handler itself.

type LogFlags 

type LogFlags int

LogFlags is a bitwise mask of additional logging that is required. The zero value produces standard logs that produce one line of the outcome for both authn and authz. 

const (
	LogVerboseMapping LogFlags // user mapping code can use this for verbosity
	LogTraceServer             // log details of server requests, insecure
	LogTraceAthenz             // log details of Athenz HTTP calls, insecure
)

Log flag constants

type LogProvider 

type LogProvider func(requestID string) Logger

LogProvider produces a Logger given a request identifier.

type Logger 

type Logger interface {
	// Println has the same semantics as the log package.
	Println(args ...interface{})
	// Printf has the same semantics as the log package.
	Printf(format string, args ...interface{})
}

Logger is the minimal logging interface required by the API.

func GetLogger 

func GetLogger(ctx context.Context) Logger

GetLogger returns the logger for the supplied context.

type ResourceMapper 

type ResourceMapper interface {
	// MapResource maps a subject review spec into a principal and a list of Athenz
	// authz checks at least one of which must succeed. An empty list implies no
	// authorization. An error must be returned  if the mapper is not able or
	// unwilling to map the supplied spec into Athenz checks.
	// Returning multiple items allows the implementor to add a secondary
	// authz request for superuser access, for example.
	MapResource(ctx context.Context, spec authz.SubjectAccessReviewSpec) (principal string, checks []AthenzAccessCheck, err error)
}

ResourceMapper allows for mapping from an authorization request to Athenz entities.

type UserMapper 

type UserMapper interface {
	// MapUser maps an Athenz principal to a user info object.
	// Returning an error will cause an authentication failure.
	MapUser(ctx context.Context, domain, service string) (authn.UserInfo, error)
}

UserMapper allows for mapping from Athenz principals to k8s objects.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.