Overview
Package api kVDI API.
The purpose of this API is to provide resources to the user frontend of kVDI; however, it can also be used for programmatic management of the cluster.
Schemes: https
BasePath: /
License: GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007
Consumes:
- application/json
Produces:
- application/json
Security:
- api_key:
SecurityDefinitions:
api_key:
type: apiKey
name: X-Session-Token
in: head
swagger:meta
Index
- Constants
- Variables
- func DecodeRequest(next http.Handler) http.Handler
- func NewResourceGetter(d *desktopAPI) types.ResourceGetter
- func NewTestAPI() (srvr *http.Server, addr, adminPass string, err error)
- type ActionTemplate
- type AuditResult
- type DesktopAPI
- type ExtraCheckFunc
- type MethodPermissions
- type OverrideFunc
- type ResourceGetter
- type ResourceValueFunc
Constants
const (
	// RefreshTokenCookie is the cookie used to store a user's refresh token.
	// NOTE(review): the cookie's HttpOnly/Secure/SameSite attributes are set
	// wherever the cookie is issued, not here — confirm at the issuing handler.
	RefreshTokenCookie = "refreshToken"

	// TokenHeader is the HTTP header containing the user's access token. It is
	// the header the package's swagger security definition names as api_key.
	TokenHeader = "X-Session-Token"
)
Variables
// Decoders is a map of request paths/methods to the request object that should
// be used for deserialization. Each value is an empty prototype of the type the
// request body is decoded into; the decoded object is what the
// ResourceValueFuncs in RouterGrantRequirements read back through
// apiutil.GetRequestObject.
//
// NOTE(review): "/api/login" has a decoder but no RouterGrantRequirements
// entry, so it is presumably served outside the protected router — confirm.
var Decoders = map[string]map[string]interface{}{
	// Authentication.
	"/api/login": {
		"POST": types.LoginRequest{},
	},
	"/api/authorize": {
		"POST": types.AuthorizeRequest{},
	},

	// Users and MFA.
	"/api/users": {
		"POST": types.CreateUserRequest{},
	},
	"/api/users/{user}": {
		"PUT": types.UpdateUserRequest{},
	},
	"/api/users/{user}/mfa": {
		"PUT": types.UpdateMFARequest{},
	},
	"/api/users/{user}/mfa/verify": {
		// Verification reuses the authorize request shape.
		"PUT": types.AuthorizeRequest{},
	},

	// Roles.
	"/api/roles": {
		"POST": types.CreateRoleRequest{},
	},
	"/api/roles/{role}": {
		"PUT": types.UpdateRoleRequest{},
	},

	// Templates and sessions.
	"/api/templates": {
		"POST": desktopsv1.Template{},
	},
	"/api/sessions": {
		"POST": types.CreateSessionRequest{},
	},
}
// RouterGrantRequirements defines all the methods that are protected, and what
// rules should be evaluated for them.
//
// Per the type docs, an OverrideFunc takes precedence over the Actions, and an
// ExtraCheckFunc fires after the actions have been evaluated. Entries whose only
// rule is OverrideFunc: allowAll carry no RBAC action at all.
//
// NOTE(review): whether ExtraCheckFunc still runs when an OverrideFunc has
// already allowed the request is not visible here; for "/api/users/{user}" PUT
// that decides whether a user editing their own record can raise their own
// permissions — confirm in api_validate_perms.go.
// NOTE(review): "/api/config/reload" POST is allowAll; confirm that every
// caller reaching the router is meant to be able to trigger a config reload.
var RouterGrantRequirements = map[string]map[string]MethodPermissions{
	// Endpoints gated only by allowAll (no RBAC action).
	"/api/whoami": {
		"GET": {OverrideFunc: allowAll},
	},
	"/api/authorize": {
		"POST": {OverrideFunc: allowAll},
	},
	"/api/logout": {
		"POST": {OverrideFunc: allowAll},
	},
	"/api/config": {
		"GET": {OverrideFunc: allowAll},
	},
	"/api/config/reload": {
		"POST": {OverrideFunc: allowAll},
	},
	"/api/namespaces": {
		"GET": {OverrideFunc: allowAll},
	},
	"/api/serviceaccounts/{namespace}": {
		"GET": {OverrideFunc: allowAll},
	},

	// Users.
	"/api/users": {
		"GET": {
			Actions: []ActionTemplate{
				{APIAction: types.APIAction{Verb: rbacv1.VerbRead, ResourceType: rbacv1.ResourceUsers}},
			},
		},
		"POST": {
			Actions: []ActionTemplate{
				{APIAction: types.APIAction{Verb: rbacv1.VerbCreate, ResourceType: rbacv1.ResourceUsers}},
			},
			// A caller may not create a user with more permissions than their own.
			ExtraCheckFunc: denyUserElevatePerms,
		},
	},
	"/api/users/{user}": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction:        types.APIAction{Verb: rbacv1.VerbRead, ResourceType: rbacv1.ResourceUsers},
					ResourceNameFunc: apiutil.GetUserFromRequest,
				},
			},
			OverrideFunc: allowSameUser,
		},
		"PUT": {
			Actions: []ActionTemplate{
				{
					APIAction:        types.APIAction{Verb: rbacv1.VerbUpdate, ResourceType: rbacv1.ResourceUsers},
					ResourceNameFunc: apiutil.GetUserFromRequest,
				},
			},
			OverrideFunc:   allowSameUser,
			ExtraCheckFunc: denyUserElevatePerms,
		},
		// No self-override: deleting a user always needs the Delete grant.
		"DELETE": {
			Actions: []ActionTemplate{
				{
					APIAction:        types.APIAction{Verb: rbacv1.VerbDelete, ResourceType: rbacv1.ResourceUsers},
					ResourceNameFunc: apiutil.GetUserFromRequest,
				},
			},
		},
	},
	"/api/users/{user}/mfa": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction:        types.APIAction{Verb: rbacv1.VerbRead, ResourceType: rbacv1.ResourceUsers},
					ResourceNameFunc: apiutil.GetUserFromRequest,
				},
			},
			OverrideFunc: allowSameUser,
		},
		"PUT": {
			Actions: []ActionTemplate{
				{
					APIAction:        types.APIAction{Verb: rbacv1.VerbUpdate, ResourceType: rbacv1.ResourceUsers},
					ResourceNameFunc: apiutil.GetUserFromRequest,
				},
			},
			OverrideFunc: allowSameUser,
		},
	},
	"/api/users/{user}/mfa/verify": {
		"PUT": {
			Actions: []ActionTemplate{
				{
					APIAction:        types.APIAction{Verb: rbacv1.VerbUpdate, ResourceType: rbacv1.ResourceUsers},
					ResourceNameFunc: apiutil.GetUserFromRequest,
				},
			},
			OverrideFunc: allowSameUser,
		},
	},

	// Roles.
	"/api/roles": {
		"GET": {
			Actions: []ActionTemplate{
				{APIAction: types.APIAction{Verb: rbacv1.VerbRead, ResourceType: rbacv1.ResourceRoles}},
			},
		},
		"POST": {
			Actions: []ActionTemplate{
				{APIAction: types.APIAction{Verb: rbacv1.VerbCreate, ResourceType: rbacv1.ResourceRoles}},
			},
			ExtraCheckFunc: denyUserElevatePerms,
		},
	},
	"/api/roles/{role}": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction:        types.APIAction{Verb: rbacv1.VerbRead, ResourceType: rbacv1.ResourceRoles},
					ResourceNameFunc: apiutil.GetRoleFromRequest,
				},
			},
		},
		"PUT": {
			Actions: []ActionTemplate{
				{
					APIAction:        types.APIAction{Verb: rbacv1.VerbUpdate, ResourceType: rbacv1.ResourceRoles},
					ResourceNameFunc: apiutil.GetRoleFromRequest,
				},
			},
			ExtraCheckFunc: denyUserElevatePerms,
		},
		"DELETE": {
			Actions: []ActionTemplate{
				{
					APIAction:        types.APIAction{Verb: rbacv1.VerbDelete, ResourceType: rbacv1.ResourceRoles},
					ResourceNameFunc: apiutil.GetRoleFromRequest,
				},
			},
		},
	},

	// Templates.
	"/api/templates": {
		"GET": {
			Actions: []ActionTemplate{
				{APIAction: types.APIAction{Verb: rbacv1.VerbRead, ResourceType: rbacv1.ResourceTemplates}},
			},
		},
		"POST": {
			Actions: []ActionTemplate{
				{APIAction: types.APIAction{Verb: rbacv1.VerbCreate, ResourceType: rbacv1.ResourceTemplates}},
			},
		},
	},
	"/api/templates/{template}": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction:        types.APIAction{Verb: rbacv1.VerbRead, ResourceType: rbacv1.ResourceTemplates},
					ResourceNameFunc: apiutil.GetTemplateFromRequest,
				},
			},
		},
		"PUT": {
			Actions: []ActionTemplate{
				{
					APIAction:        types.APIAction{Verb: rbacv1.VerbUpdate, ResourceType: rbacv1.ResourceTemplates},
					ResourceNameFunc: apiutil.GetTemplateFromRequest,
				},
			},
		},
		"DELETE": {
			Actions: []ActionTemplate{
				{
					APIAction:        types.APIAction{Verb: rbacv1.VerbDelete, ResourceType: rbacv1.ResourceTemplates},
					ResourceNameFunc: apiutil.GetTemplateFromRequest,
				},
			},
		},
	},

	// Sessions.
	"/api/sessions": {
		// Listing sessions needs read on both templates and users.
		"GET": {
			Actions: []ActionTemplate{
				{APIAction: types.APIAction{Verb: rbacv1.VerbRead, ResourceType: rbacv1.ResourceTemplates}},
				{APIAction: types.APIAction{Verb: rbacv1.VerbRead, ResourceType: rbacv1.ResourceUsers}},
			},
		},
		"POST": {
			Actions: []ActionTemplate{
				// The template, namespace and service account checked here come
				// straight from the decoded request body (see Decoders). The
				// single-value type assertion panics if no CreateSessionRequest is
				// attached to the request — presumably DecodeRequest always runs
				// first on this path; confirm.
				{
					APIAction: types.APIAction{Verb: rbacv1.VerbLaunch, ResourceType: rbacv1.ResourceTemplates},
					ResourceNameFunc: func(r *http.Request) string {
						return apiutil.GetRequestObject(r).(*types.CreateSessionRequest).GetTemplate()
					},
					ResourceNamespaceFunc: func(r *http.Request) string {
						return apiutil.GetRequestObject(r).(*types.CreateSessionRequest).GetNamespace()
					},
				},
				{
					APIAction: types.APIAction{Verb: rbacv1.VerbUse, ResourceType: rbacv1.ResourceServiceAccounts},
					ResourceNameFunc: func(r *http.Request) string {
						return apiutil.GetRequestObject(r).(*types.CreateSessionRequest).GetServiceAccount()
					},
					ResourceNamespaceFunc: func(r *http.Request) string {
						return apiutil.GetRequestObject(r).(*types.CreateSessionRequest).GetNamespace()
					},
				},
			},
		},
	},
	"/api/sessions/{namespace}/{name}": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction:             types.APIAction{Verb: rbacv1.VerbRead, ResourceType: rbacv1.ResourceTemplates},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
		// Per the OverrideFunc doc the session owner takes precedence over the
		// Delete grant on templates.
		"DELETE": {
			Actions: []ActionTemplate{
				{
					APIAction:             types.APIAction{Verb: rbacv1.VerbDelete, ResourceType: rbacv1.ResourceTemplates},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},

	// Desktop access: logs, display, audio, status and the file-system proxy.
	// All are scoped to the session's template and overridable by its owner.
	"/api/desktops/{namespace}/{name}/logs/{container}": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction:             types.APIAction{Verb: rbacv1.VerbUse, ResourceType: rbacv1.ResourceTemplates},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
	"/api/desktops/ws/{namespace}/{name}/logs/{container}": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction:             types.APIAction{Verb: rbacv1.VerbUse, ResourceType: rbacv1.ResourceTemplates},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
	"/api/desktops/ws/{namespace}/{name}/display": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction:             types.APIAction{Verb: rbacv1.VerbUse, ResourceType: rbacv1.ResourceTemplates},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
	"/api/desktops/ws/{namespace}/{name}/audio": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction:             types.APIAction{Verb: rbacv1.VerbUse, ResourceType: rbacv1.ResourceTemplates},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
	"/api/desktops/ws/{namespace}/{name}/status": {
		// Read rather than Use, unlike the other ws endpoints.
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction:             types.APIAction{Verb: rbacv1.VerbRead, ResourceType: rbacv1.ResourceTemplates},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
	// The stat/ and get/ keys keep their trailing slash, presumably because the
	// requested file path follows it and the route is matched as a prefix —
	// confirm in api_router.go.
	"/api/desktops/fs/{namespace}/{name}/stat/": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction:             types.APIAction{Verb: rbacv1.VerbUse, ResourceType: rbacv1.ResourceTemplates},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
	"/api/desktops/fs/{namespace}/{name}/get/": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction:             types.APIAction{Verb: rbacv1.VerbUse, ResourceType: rbacv1.ResourceTemplates},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
	"/api/desktops/fs/{namespace}/{name}/put": {
		"PUT": {
			Actions: []ActionTemplate{
				{
					APIAction:             types.APIAction{Verb: rbacv1.VerbUse, ResourceType: rbacv1.ResourceTemplates},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
}
Functions
func DecodeRequest
DecodeRequest will inspect the request object for the type of object to deserialize the request to, and then apply the object to the request context.
func NewResourceGetter
func NewResourceGetter(d *desktopAPI) types.ResourceGetter
NewResourceGetter returns a new ResourceGetter
Types
type ActionTemplate
// ActionTemplate contains an action as well as functions for populating their
// respective values during the request context.
type ActionTemplate struct {
	// APIAction carries the verb and resource type to check; the resource name
	// and namespace are presumably filled in per request from the funcs below.
	types.APIAction
	// ResourceNameFunc derives the resource name from the incoming request.
	// It may be nil for actions that are not scoped to a named resource.
	ResourceNameFunc ResourceValueFunc
	// ResourceNamespaceFunc derives the resource namespace from the request.
	// It may be nil when the action is not namespace-scoped.
	ResourceNamespaceFunc ResourceValueFunc
}
type AuditResult
// AuditResult contains information about an audit event from the API router.
type AuditResult struct {
	// Allowed is whether the request was permitted.
	Allowed bool
	// FromOwner marks access granted through ownership — presumably the owner
	// flag an OverrideFunc returns — rather than through an RBAC action.
	FromOwner bool
	// Actions are the API actions that were evaluated for the request.
	Actions []*types.APIAction
	// Resource names the resource the request targeted.
	Resource string
	// UserSession holds the session claims of the requesting user.
	UserSession *types.JWTClaims
	// Request is the HTTP request that was audited.
	Request *http.Request
}
type DesktopAPI
// DesktopAPI serves HTTP requests for the /api resource. Its method set is
// exactly that of http.Handler, so any handler satisfies it.
type DesktopAPI interface {
	http.Handler
}
func NewFromConfig
func NewFromConfig(cfg *rest.Config, vdiCluster string) (DesktopAPI, error)
NewFromConfig builds a new API router from the given kubernetes client configuration and vdi cluster name.
type ExtraCheckFunc
// ExtraCheckFunc is a function that fires after the action itself has been
// evaluated. Allowed being false or any errors are considered forbidden.
//
// d is the API instance the check runs against, reqUser the user making the
// request and r the request itself. reason is presumably surfaced to the caller
// or the audit log when allowed is false.
type ExtraCheckFunc func(
	d *desktopAPI,
	reqUser *types.VDIUser,
	r *http.Request,
) (allowed bool, reason string, err error)
type MethodPermissions
// MethodPermissions represents a set of checks to run for an API method.
type MethodPermissions struct {
	// OverrideFunc, when set, takes precedence over Actions; if it returns
	// allowed=false the remaining rules are considered (see OverrideFunc).
	OverrideFunc OverrideFunc
	// Actions are the RBAC actions evaluated for the request. An entry with no
	// Actions and no OverrideFunc has nothing to grant access.
	Actions []ActionTemplate
	// ExtraCheckFunc, when set, fires after the actions are evaluated;
	// allowed=false or an error forbids the request (see ExtraCheckFunc).
	// NOTE(review): whether it still fires once OverrideFunc has allowed the
	// request is not visible here — confirm.
	ExtraCheckFunc ExtraCheckFunc
}
type OverrideFunc
// OverrideFunc is a function that takes precedence over any other action
// evaluations. If it returns false for allowed, the next rules in the chain
// will be considered. Errors are considered forbidden.
//
// d is the API instance, reqUser the requesting user and r the request. owner
// reports that access was granted because reqUser owns the resource (see
// AuditResult.FromOwner).
type OverrideFunc func(
	d *desktopAPI,
	reqUser *types.VDIUser,
	r *http.Request,
) (allowed, owner bool, err error)
type ResourceGetter
type ResourceGetter struct { types.ResourceGetter // contains filtered or unexported fields }
ResourceGetter satisfies the v1alpha1.ResourceGetter interface for retrieving available resources during a privilege check.
func (*ResourceGetter) GetRoles
func (r *ResourceGetter) GetRoles() ([]types.VDIUserRole, error)
GetRoles returns a list of all the VDIRoles for this cluster.
func (*ResourceGetter) GetTemplates
func (r *ResourceGetter) GetTemplates() ([]string, error)
GetTemplates returns a list of desktop templates for this cluster.
type ResourceValueFunc
ResourceValueFunc returns the name of a requested resource based off the contents of a request.
Source Files
- api.go
- api_audit.go
- api_common.go
- api_decoder.go
- api_health.go
- api_metrics.go
- api_router.go
- api_validate_perms.go
- api_validate_perms_helpers.go
- api_validate_privilege_escalation.go
- api_validate_user_session.go
- delete_desktop_session.go
- delete_role.go
- delete_template.go
- delete_user.go
- get_config.go
- get_desktop_file.go
- get_desktop_logs.go
- get_desktop_session.go
- get_desktop_sessions.go
- get_namespaces.go
- get_refresh_token.go
- get_roles.go
- get_service_accounts.go
- get_templates.go
- get_user_mfa.go
- get_users.go
- get_websockify.go
- get_whoami.go
- meta.go
- post_authorize.go
- post_login.go
- post_logout.go
- post_role.go
- post_sessions.go
- post_templates.go
- post_user.go
- put_desktop_file.go
- put_role.go
- put_template.go
- put_user.go
- put_user_mfa.go
- put_user_mfa_verify.go
- resource_getter.go