Documentation
¶
Index ¶
- type APIAction
- type AuthResult
- type AuthorizeRequest
- type ConnectionStatus
- type CreateRoleRequest
- type CreateSessionRequest
- type CreateSessionResponse
- type CreateUserRequest
- type DesktopSession
- type DesktopSessionStatus
- type DesktopSessionsResponse
- type FileStat
- type JWTClaims
- type LoginRequest
- type MFAResponse
- type ResourceGetter
- type RolesGetter
- type SessionResponse
- type StatDesktopFileResponse
- type TemplatesGetter
- type UpdateMFARequest
- type UpdateRoleRequest
- type UpdateUserRequest
- type UserMFAStatus
- type UsersGetter
- type VDIUser
- type VDIUserRole
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type APIAction ¶
type APIAction struct {
// The verb type of the action
Verb rbacv1.Verb `json:"verb"`
// The resource type of the action
ResourceType rbacv1.Resource `json:"resourceType"`
// The name of the targeted resource
ResourceName string `json:"resourceName"`
// The namespace of the targeted resource
ResourceNamespace string `json:"resourceNamespace,omitempty"`
}
APIAction represents an API action to evaluate against a user's roles.
func (*APIAction) ResourceNameString ¶
ResourceNameString returns a user friendly resource name string
type AuthResult ¶
type AuthResult struct {
// The authenticated user and their roles
User *VDIUser
// The provider can populate this field to signify a redirect is required,
// e.g. for OIDC.
RedirectURL string
// The provider can supply additional data to encode into the generated JWT.
Data map[string]string
// In the case of OIDC, the refresh tokens cannot be used. Because when the user
// tries to use them, there is no way to query the provider for the user's information
// without initializing a new auth flow. For now, the provider can set this to false to
// signal to the server that a refresh is not possible.
RefreshNotSupported bool
}
AuthResult represents a response from an authentication attempt to a provider. It contains user information, roles, and any other auth requirements.
type AuthorizeRequest ¶
type AuthorizeRequest struct {
// The one-time password
OTP string `json:"otp"`
// The state secret for the request flow
State string `json:"state"`
}
AuthorizeRequest is a request with an OTP for receiving an authorized token.
func (*AuthorizeRequest) GetOTP ¶
func (a *AuthorizeRequest) GetOTP() string
GetOTP returns the OTP from the request.
func (*AuthorizeRequest) GetState ¶
func (a *AuthorizeRequest) GetState() string
GetState returns the state from the request.
type ConnectionStatus ¶
type ConnectionStatus struct {
// Whether or not a client is connected to the stream.
Connected bool `json:"connected"`
// The address of the client connected to the stream.
ClientAddr string `json:"clientAddr,omitempty"`
// The app instance handling the proxy for this stream.
ProxyPod string `json:"proxyPod,omitempty"`
}
ConnectionStatus describes the connection status of a desktop's display or audio.
type CreateRoleRequest ¶
type CreateRoleRequest struct {
// The name of the new role
Name string `json:"name"`
// Annotations to apply to the role
Annotations map[string]string `json:"annotations"`
// Rules to apply to the new role.
Rules []rbacv1.Rule `json:"rules"`
}
CreateRoleRequest represents a request for a new role.
func (*CreateRoleRequest) GetAnnotations ¶
func (r *CreateRoleRequest) GetAnnotations() map[string]string
GetAnnotations returns the annotations provided in the request
func (*CreateRoleRequest) GetName ¶
func (r *CreateRoleRequest) GetName() string
GetName returns the name of the new role
func (*CreateRoleRequest) GetRules ¶
func (r *CreateRoleRequest) GetRules() []rbacv1.Rule
GetRules returns the rules for a new role request, or a single-element slice with a deny-all rule if none are provided.
func (*CreateRoleRequest) Validate ¶
func (r *CreateRoleRequest) Validate() error
Validate the CreateRoleRequest
type CreateSessionRequest ¶
type CreateSessionRequest struct {
// The template to create the session from.
Template string `json:"template"`
// The namespace to launch the template in. Defaults to default.
Namespace string `json:"namespace,omitempty"`
// A service account to tie to the desktop session. Defaults to none.
ServiceAccount string `json:"serviceAccount,omitempty"`
}
CreateSessionRequest requests a new desktop session with the givin parameters.
func (*CreateSessionRequest) GetNamespace ¶
func (r *CreateSessionRequest) GetNamespace() string
GetNamespace returns the namspace for this request, or the default namespace if not provided.
func (*CreateSessionRequest) GetServiceAccount ¶
func (r *CreateSessionRequest) GetServiceAccount() string
GetServiceAccount returns the service account for this request.
func (*CreateSessionRequest) GetTemplate ¶
func (r *CreateSessionRequest) GetTemplate() string
GetTemplate returns the template for this request
func (*CreateSessionRequest) Validate ¶
func (r *CreateSessionRequest) Validate() error
Validate the CreateSessionRequest
type CreateSessionResponse ¶
CreateSessionResponse returns the name of the Desktop and what namespace it is running in.
type CreateUserRequest ¶
type CreateUserRequest struct {
// The user name for the new user.
Username string `json:"username"`
// The password for the new user.
Password string `json:"password"`
// Roles to assign the new user. These are the names of VDIRoles in the cluster.
Roles []string `json:"roles"`
}
CreateUserRequest represents a request to create a new user. Not all auth providers will be able to implement this route and can instead return an error describing why.
func (*CreateUserRequest) Validate ¶
func (r *CreateUserRequest) Validate() error
Validate validates a new user request
type DesktopSession ¶
type DesktopSession struct {
// The name of the desktop session.
Name string `json:"name"`
// The namespace of the desktop session.
Namespace string `json:"namespace"`
// The username of the user who owns this session.
User string `json:"user"`
// The service account being used by this session.
ServiceAccount string `json:"serviceAccount"`
// The template this session is booted from.
Template string `json:"template"`
// Connection status for the session.
Status *DesktopSessionStatus `json:"status"`
}
DesktopSession describes the properties and status of a desktop session.
func (*DesktopSession) NamespacedName ¶
func (d *DesktopSession) NamespacedName() string
NamespacedName returns the namespaced-name representation of this session.
type DesktopSessionStatus ¶
type DesktopSessionStatus struct {
// Connection status for the desktop's display.
Display *ConnectionStatus `json:"display"`
// Connection status for the desktop's audio.
Audio *ConnectionStatus `json:"audio"`
}
DesktopSessionStatus contains information about the connection status for a session's display and audio.
type DesktopSessionsResponse ¶
type DesktopSessionsResponse struct {
// A list of desktop sessions.
Sessions []*DesktopSession `json:"sessions"`
}
DesktopSessionsResponse contains a list of desktop sessions and information about their statuses.
type FileStat ¶
type FileStat struct {
// The name of the file or directory
Name string `json:"name"`
// True if the file is a directory
IsDirectory bool `json:"isDirectory"`
// The size of the file when IsDirectory is false
Size int64 `json:"size"`
// When IsDirectory is true, the contents of the directory
Contents []*FileStat `json:"contents,omitempty"`
}
FileStat contains information about a queried file. Contents will only contain nested FileStat objects when this object represents the root of the query.
type JWTClaims ¶
type JWTClaims struct {
// The user with their permissions when the token was generated
User *VDIUser `json:"user"`
// Whether the user is fully authorized
Authorized bool `json:"authorized"`
// Whether a refresh token was issued with the claims
Renewable bool `json:"renewable"`
// Additional data that was provided by the authentication provider
Data map[string]string `json:"data"`
// The standard JWT claims
jwt.StandardClaims
}
JWTClaims represents the claims used when issuing JWT tokens.
type LoginRequest ¶
type LoginRequest struct {
// Username
Username string `json:"username"`
// Password
Password string `json:"password"`
// State generated by requesting client to prevent CSRF and retrieve tokens
// from an oidc flow
State string `json:"state"`
// contains filtered or unexported fields
}
LoginRequest represents a request for a session token. Different auth providers may not always need this request, and can instead redirect /api/login as needed. All the auth provider needs to do in the end is return a JWT token that contains a fulfilled VDIUser. +k8s:deepcopy-gen=false
func (*LoginRequest) GetPassword ¶
func (l *LoginRequest) GetPassword() string
GetPassword returns the password in the request.
func (*LoginRequest) GetRequest ¶
func (l *LoginRequest) GetRequest() *http.Request
GetRequest returns the request object in the LoginRequest.
func (*LoginRequest) GetState ¶
func (l *LoginRequest) GetState() string
GetState returns the state secret in the request.
func (*LoginRequest) GetUsername ¶
func (l *LoginRequest) GetUsername() string
GetUsername returns the username in the request. Providers should use this and the other getters instead.
func (*LoginRequest) SetRequest ¶
func (l *LoginRequest) SetRequest(r *http.Request)
SetRequest sets the request object in the LoginRequest.
type MFAResponse ¶
type MFAResponse struct {
// Whether MFA is enabled for the user
Enabled bool `json:"enabled"`
// If enabled is set, a provisioning URI is also returned.
ProvisioningURI string `json:"provisioningURI"`
// If enabled is set, whether or not the user has verified their MFA setup
Verified bool `json:"verified"`
}
MFAResponse contains the response to an UpdateMFARequest or GetMFARequest.
type ResourceGetter ¶
type ResourceGetter interface {
// Retrieves DesktopTemplates
TemplatesGetter
// Retrieves VDIUsers
UsersGetter
// Retrieves VDIRoles
RolesGetter
}
ResourceGetter is an interface for retrieving lists of kVDI related resources. Its primary purpose is to pass an interface to rbac evaluations so they can check permissions against present resources.
type RolesGetter ¶
type RolesGetter interface {
GetRoles() ([]VDIUserRole, error)
}
RolesGetter is an interface that can be used to retrieve available roles while checking user permissions.
type SessionResponse ¶
type SessionResponse struct {
// The X-Session-Token to use for future requests.
Token string `json:"token"`
// The time the token expires.
ExpiresAt int64 `json:"expiresAt"`
// Whether an HttpOnly was sent back with the request enabling token refresh.
Renewable bool `json:"renewable"`
// Information about the authenticated user and their permissions.
User *VDIUser `json:"user"`
// Whether the user is fully authorized (e.g. false if MFA is required but not provided yet)
Authorized bool `json:"authorized"`
// The state secret generated by the client
State string `json:"state"`
}
SessionResponse represents a response with a new session token
type StatDesktopFileResponse ¶
type StatDesktopFileResponse struct {
Stat *FileStat `json:"stat"`
}
StatDesktopFileResponse contains the info for a queried file inside a desktop dession.
type TemplatesGetter ¶
TemplatesGetter is an interface that can be used to retrieve available templates while checking user permissions.
type UpdateMFARequest ¶
type UpdateMFARequest struct {
// When set, will enable MFA for the given user. If false, will disable MFA.
Enabled bool `json:"enabled"`
}
UpdateMFARequest sets the MFA configuration for the user. If enabling, a provisioning URI will be returned.
type UpdateRoleRequest ¶
type UpdateRoleRequest struct {
// The new annotations for the role
Annotations map[string]string `json:"annotations"`
// The new rules for the role.
Rules []rbacv1.Rule `json:"rules"`
}
UpdateRoleRequest requests updates to an existing role. The existing attributes will be entirely replaced with those supplied in the payload.
func (*UpdateRoleRequest) GetAnnotations ¶
func (r *UpdateRoleRequest) GetAnnotations() map[string]string
GetAnnotations returns the annotations provided in the request
func (*UpdateRoleRequest) GetRules ¶
func (r *UpdateRoleRequest) GetRules() []rbacv1.Rule
GetRules returns the rules for an update role request, or a single-element slice with a deny-all rule if none are provided.
func (*UpdateRoleRequest) Validate ¶
func (r *UpdateRoleRequest) Validate() error
Validate the UpdateRoleRequest
type UpdateUserRequest ¶
type UpdateUserRequest struct {
// When populated, will change the password for the user.
Password string `json:"password"`
// When populated will change the roles for the user.
Roles []string `json:"roles"`
}
UpdateUserRequest requests updates to an existing user. Not all auth providers will be able to implement this route and can instead return an error describing why.
func (*UpdateUserRequest) Validate ¶
func (r *UpdateUserRequest) Validate() error
Validate the UpdateUserRequest
type UserMFAStatus ¶
UserMFAStatus contains information about the MFA configurations for the user.
type UsersGetter ¶
UsersGetter is an interface that can be used to retrieve available users while checking user permissions.
type VDIUser ¶
type VDIUser struct {
// A unique name for the user
Name string `json:"name"`
// A list of roles applide to the user. The grants associated with each user
// are embedded in the JWT signed when authenticating.
Roles []*VDIUserRole `json:"roles"`
// MFA status for the user
MFA *UserMFAStatus `json:"mfa"`
// Any active sessions for the user - new field that is only populated on a
// /api/whoami request.
Sessions []*DesktopSession `json:"sessions,omitempty"`
}
VDIUser represents a user in kVDI. It is the auth providers responsibility to take an authentication request and generate a JWT with claims defining this object.
type VDIUserRole ¶
type VDIUserRole struct {
// The name of the role, this must match the VDIRole from which this object
// derives.
Name string `json:"name"`
// The rules for this role.
Rules []rbacv1.Rule `json:"rules"`
}
VDIUserRole represents a VDIRole, but only with the data that is to be embedded in the JWT. Primarily, leaving out useless metadata that will inflate the token.
func (*VDIUserRole) GetName ¶
func (r *VDIUserRole) GetName() string
GetName returns the name of the role
Source Files