Documentation
Index
- Constants
- func AuthHandler(auth Auth, whitelist []string, handler http.HandlerFunc) http.HandlerFunc
- func LogRequest(handler http.HandlerFunc) http.HandlerFunc
- func Serve(c *cli.Context) error
- type AWSSigner
- type Auth
- type BasicAuth
- type JwtAuth
- type NamespaceClaim
- type ReversePrometheusRoundTripper
Constants
const (
	// AwsRegionEnvVar is the environment variable that specifies the AWS region
	AwsRegionEnvVar = "AWS_REGION"
	// AwsServiceEnvVar is the environment variable that specifies the AWS service
	AwsServiceEnvVar = "AWS_SERVICE_NAME"
	// AwsRegionDefault is the default AWS region used for signing
	AwsRegionDefault = "us-east-1"
	// AwsServiceDefault is the default AWS service used for signing
	AwsServiceDefault = "aps"
)
const (
	// Namespaces Key used to pass prometheus tenant id through the middleware context
	Namespaces key = iota
	// Labels Key used to pass prometheus additional labels through the middleware context
	Labels key = iota
)
Variables
This section is empty.
Functions
func AuthHandler (added in v1.6.0)
func AuthHandler(auth Auth, whitelist []string, handler http.HandlerFunc) http.HandlerFunc
AuthHandler returns an authentication middleware handler
func LogRequest
func LogRequest(handler http.HandlerFunc) http.HandlerFunc
LogRequest can be used as a middleware chain to log every request before proxying the request
Types
type AWSSigner (added in v1.8.0)
type AWSSigner struct {
// contains filtered or unexported fields
}
AWSSigner is a wrapper around the AWS SDK's Signer. Signing is required to use the proxy against an AWS prometheus service endpoint. HTTP requests will be signed using the AWS credentials from the environment and the AWS_DEFAULT_REGION (default=us-east-1) and AWS_SERVICE_NAME (default=aps). See https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html and https://docs.aws.amazon.com/sdk-for-go/api/service/signer for more details.
func NewAWSSigner (added in v1.8.0)
func NewAWSSigner() *AWSSigner
NewAWSSigner creates a new AWS Signer using credentials from environment variables.
func (*AWSSigner) Sign (added in v1.8.0)
Sign signs the HTTP request using the AWS Signer, meaning it adds the proper Authorization header using signature v4. See https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
func (*AWSSigner) SignAfter (added in v1.8.0)
SignAfter wraps an existing Director function (see https://pkg.go.dev/net/http/httputil#ReverseProxy). The request will be signed after the transformation by the original director.
type Auth (added in v1.6.0)
type Auth interface {
	// IsAuthorized authenticates a request and returns the list of namespaces the user has access to
	IsAuthorized(r *http.Request) (bool, []string, map[string]string)
	WriteUnauthorisedResponse(w http.ResponseWriter)
	// Load loads or reloads the configuration
	Load() bool
}
Auth implements an authentication middleware
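An added example, not code from this package: a hypothetical `tokenAuth` satisfies the `Auth` interface documented above, and a hypothetical `requireAuth` middleware shows the fail-closed contract a caller of `IsAuthorized` has to keep. The names `tokenAuth`, `grant`, `requireAuth` and `probe` and all credential values are constructed; passing the namespaces downstream in the request context under `Namespaces` is an assumption drawn from that constant's comment.

```go
package main

import (
	"context"
	"crypto/sha256"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type key int
const Namespaces key = iota // context key, as in the Constants section

type Auth interface { // as documented above
	IsAuthorized(r *http.Request) (bool, []string, map[string]string)
	WriteUnauthorisedResponse(w http.ResponseWriter)
	Load() bool
}

type tokenAuth map[[32]byte][]string // hypothetical: SHA-256(credential) -> tenants
func (a tokenAuth) grant(c string, ns ...string) tokenAuth { a[sha256.Sum256([]byte(c))] = ns; return a }
func (a tokenAuth) Load() bool { return true }
func (a tokenAuth) WriteUnauthorisedResponse(w http.ResponseWriter) { w.WriteHeader(http.StatusUnauthorized) }
func (a tokenAuth) IsAuthorized(r *http.Request) (bool, []string, map[string]string) {
	ns := a[sha256.Sum256([]byte(r.Header.Get("Authorization")))]
	return len(ns) > 0, ns, nil // unknown credential or no tenants: fail closed
}

// requireAuth (hypothetical) calls next only on success and hands it the tenants.
func requireAuth(auth Auth, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if ok, ns, _ := auth.IsAuthorized(r); ok {
			next(w, r.WithContext(context.WithValue(r.Context(), Namespaces, ns)))
			return
		}
		auth.WriteUnauthorisedResponse(w) // every other path is a denial
	}
}

// probe sends one constructed request; returns status and tenants seen downstream.
func probe(auth Auth, cred string) (code int, seen []string) {
	req := httptest.NewRequest("GET", "/api/v1/query", nil)
	req.Header.Set("Authorization", cred)
	rec := httptest.NewRecorder()
	requireAuth(auth, func(_ http.ResponseWriter, r *http.Request) {
		seen, _ = r.Context().Value(Namespaces).([]string)
	})(rec, req)
	return rec.Code, seen
}
func main() { fmt.Println(probe(tokenAuth{}.grant("constructed-a", "team-a"), "constructed-a")) }
```

A credential that authenticates but maps to no namespaces is rejected as well, so the downstream handler never runs without a tenant scope.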
type BasicAuth
type BasicAuth struct {
// contains filtered or unexported fields
}
BasicAuth can be used as a middleware chain to authenticate users with Basic authentication before proxying a request
func NewBasicAuth (added in v1.6.0)
NewBasicAuth creates a BasicAuth, loading the Authn from configLocation
func (*BasicAuth) IsAuthorized (added in v1.6.0)
IsAuthorized uses basic authentication and the Authn file to authenticate a user and returns the namespace the user has access to
func (*BasicAuth) WriteUnauthorisedResponse (added in v1.6.0)
func (auth *BasicAuth) WriteUnauthorisedResponse(w http.ResponseWriter)
WriteUnauthorisedResponse writes a 401 Unauthorized HTTP response with a redirect to basic authentication
type JwtAuth (added in v1.6.0)
type JwtAuth struct {
// contains filtered or unexported fields
}
JwtAuth can be used as a middleware chain to authenticate users using a JWT token before proxying a request
func NewJwtAuth (added in v1.6.0)
NewJwtAuth creates a JwtAuth by loading a JWKS from either a file or a URL
func (*JwtAuth) IsAuthorized (added in v1.6.0)
IsAuthorized validates the user by verifying the JWT token in the request and returning the namespaces claim found in the token payload.
func (*JwtAuth) Load (added in v1.6.0)
Load loads or reloads the JWKS from its config location (file or URL).
func (*JwtAuth) WriteUnauthorisedResponse (added in v1.6.0)
func (auth *JwtAuth) WriteUnauthorisedResponse(w http.ResponseWriter)
WriteUnauthorisedResponse writes a 401 Unauthorized HTTP response
type NamespaceClaim (added in v1.6.0)
type NamespaceClaim struct {
	// Namespaces contains the list of namespaces a user has access to
	Namespaces []string `json:"namespaces"`
	// Labels contains a map of labels that will be injected for the user
	Labels map[string]string `json:"labels"`
	jwt.RegisteredClaims
}
NamespaceClaim is the expected structure of the JWT token payload
type ReversePrometheusRoundTripper (added in v1.3.0)
type ReversePrometheusRoundTripper struct {
// contains filtered or unexported fields
}
func (*ReversePrometheusRoundTripper) Director (added in v1.3.0)
func (r *ReversePrometheusRoundTripper) Director(req *http.Request)