auth

package
v1.24.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 26, 2024 License: MIT Imports: 27 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	HeaderUserName  = "author-name"
	HeaderUserEmail = "author-email"
	HeaderUserRole  = "author-role"
)

The frontend-service now defines the default author for git commits. The frontend-service also allows overwriting the default values, see function `getRequestAuthorFromGoogleIAP`. The cd-service generally expects these headers, either in the grpc context or the http headers.

View Source 
const (
	PermissionCreateLock                   = "CreateLock"
	PermissionDeleteLock                   = "DeleteLock"
	PermissionCreateRelease                = "CreateRelease"
	PermissionDeployRelease                = "DeployRelease"
	PermissionCreateUndeploy               = "CreateUndeploy"
	PermissionDeployUndeploy               = "DeployUndeploy"
	PermissionCreateEnvironment            = "CreateEnvironment"
	PermissionDeleteEnvironmentApplication = "DeleteEnvironmentApplication"
	PermissionDeployReleaseTrain           = "DeployReleaseTrain"
	// The default permission template.
	PermissionTemplate = "%s,%s,%s:%s,%s,allow"
)
View Source 
const (

	// Kuberpult login path.
	LoginPATH = "/login"
)

Variables

This section is empty.

Functions

func AllowBypassingAzureAuth 

func AllowBypassingAzureAuth(allowedPaths []string, requestUrlPath string, requestMethod string, allowedPrefixes []string) bool

func CheckUserPermissions 

func CheckUserPermissions(rbacConfig RBACConfig, user *User, env, team, envGroup, application, action string) error

Checks user permissions on the RBAC policy.

func Decode64 

func Decode64(s string) (string, error)

func Encode64 

func Encode64(s string) string

func HttpAuthMiddleWare 

func HttpAuthMiddleWare(resp http.ResponseWriter, req *http.Request, jwks *keyfunc.JWKS, clientId string, tenantId string, allowedPaths []string, allowedPrefixes []string) error

func JWKSInitAzure 

func JWKSInitAzure(ctx context.Context) (*keyfunc.JWKS, error)

func JWKSInitAzureFromJson 

func JWKSInitAzureFromJson() (*keyfunc.JWKS, error)

func NewDexReverseProxy 

func NewDexReverseProxy(serverAddr string) func(writer http.ResponseWriter, request *http.Request)

NewDexReverseProxy returns a reverse proxy to the Dex server.

func ReadRbacPolicy 

func ReadRbacPolicy(dexEnabled bool, DexRbacPolicyPath string) (policy map[string]*Permission, err error)

func ReadScopes 

func ReadScopes(s string) (scopes []string)

Helper function to parse the scopes

func ValidateOIDCToken 

func ValidateOIDCToken(ctx context.Context, issuerURL, rawToken string, allowedAudience string) (token *oidc.IDToken, err error)

func ValidateToken 

func ValidateToken(jwtB64 string, jwks *keyfunc.JWKS, clientId string, tenantId string) (jwt.MapClaims, error)

func VerifyToken 

func VerifyToken(ctx context.Context, r *http.Request, clientID, baseURL string) (group string, err error)

Verifies if the user is authenticated.

func WriteUserRoleToGrpcContext 

func WriteUserRoleToGrpcContext(ctx context.Context, userRole string) context.Context

WriteUserRoleToGrpcContext adds the user role to the GRPC context. Only used when RBAC is enabled.

func WriteUserRoleToHttpHeader 

func WriteUserRoleToHttpHeader(r *http.Request, role string)

WriteUserRoleToHttpHeader should only be used in the frontend-service WriteUserRoleToHttpHeader writes the user role into http headers it is used for requests like /release and managing locks which are delegated from frontend-service to cd-service

func WriteUserToContext 

func WriteUserToContext(ctx context.Context, u User) context.Context

WriteUserToContext should be used in both frontend-service and cd-service. WriteUserToContext adds the User to the context for extraction later. The user must not be nil. Returning the new context that has been created.

func WriteUserToGrpcContext 

func WriteUserToGrpcContext(ctx context.Context, u User) context.Context

func WriteUserToHttpHeader 

func WriteUserToHttpHeader(r *http.Request, user User)

WriteUserToHttpHeader should only be used in the frontend-service WriteUserToHttpHeader writes the user into http headers it is used for requests like /release which are delegated from frontend-service to cd-service

Types

type DexAppClient 

type DexAppClient struct {
	// The Dex issuer URL. Needs to be match the dex issuer helm config.
	IssuerURL string
	// The host Kuberpult is running on.
	BaseURL string
	// The Kuberpult client ID. Needs to match the dex staticClients.id helm configuration.
	ClientID string
	// The Kuberpult client secret. Needs to match the dex staticClients.secret helm configuration.
	ClientSecret string
	// The Dex redirect callback. Needs to match the dex staticClients.redirectURIs helm configuration.
	RedirectURI string
	// The available scopes.
	Scopes []string
	// The http client used.
	Client *http.Client
}

Dex App Client.

func NewDexAppClient 

func NewDexAppClient(clientID, clientSecret, baseURL string, scopes []string) (*DexAppClient, error)

NewDexAppClient a Dex Client.

type DexAuthContext 

type DexAuthContext struct {
	// The user role extracted from the Cookie.
	Role string
}

Extracted information from JWT/Cookie.

type DexGrpcContextReader 

type DexGrpcContextReader struct {
	DexEnabled bool
}

func (*DexGrpcContextReader) ReadUserFromGrpcContext 

func (x *DexGrpcContextReader) ReadUserFromGrpcContext(ctx context.Context) (*User, error)

ReadUserFromGrpcContext should only be used in the cd-service. ReadUserFromGrpcContext takes the User from middleware (context). It returns a User or an error if the user is not found.

type DexRewriteURLRoundTripper 

type DexRewriteURLRoundTripper struct {
	DexURL *url.URL
	T      http.RoundTripper
}

DexRewriteURLRoundTripper creates a new DexRewriteURLRoundTripper. The round tripper is configured to avoid exposing the dex server via a virtual service. Since Kuberpult and dex are running on the same cluster, a reverse proxy is configured to redirect all dex calls internally.

func (DexRewriteURLRoundTripper) RoundTrip 

func (s DexRewriteURLRoundTripper) RoundTrip(r *http.Request) (*http.Response, error)

type DummyGrpcContextReader 

type DummyGrpcContextReader struct {
	Role string
}

func (*DummyGrpcContextReader) ReadUserFromGrpcContext 

func (x *DummyGrpcContextReader) ReadUserFromGrpcContext(ctx context.Context) (*User, error)

type GrpcContextReader 

type GrpcContextReader interface {
	ReadUserFromGrpcContext(ctx context.Context) (*User, error)
}

type Permission 

type Permission struct {
	Role        string
	Application string
	Environment string
	Action      string
}

Struct to store an RBAC permission.

func ValidateRbacPermission 

func ValidateRbacPermission(line string) (p *Permission, err error)

type RBACConfig 

type RBACConfig struct {
	// Indicates if Dex is enabled.
	DexEnabled bool
	// The RBAC policy. A key is a permission, for example: "Developer, CreateLock, development:development, *, allow"
	Policy map[string]*Permission
}

All static rbac information that is required to check authentication of a given user.

type User 

type User struct {
	Email string
	Name  string
	// Optional. User role, only used if RBAC is enabled.
	DexAuthContext *DexAuthContext
}

func GetUserOrDefault 

func GetUserOrDefault(u *User, defaultUser User) User

func ReadUserFromContext 

func ReadUserFromContext(ctx context.Context) (*User, error)

ReadUserFromContext returns a user from the ctx or an error if none was found, or it is invalid

func ReadUserFromHttpHeader 

func ReadUserFromHttpHeader(ctx context.Context, r *http.Request) (*User, error)

ReadUserFromHttpHeader should only be used in the cd-service. ReadUserFromHttpHeader takes the User from the http request. It returns a User or an error if the user is not found.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.