
Documentation

Overview

Package api kVDI API.

The purpose of this API is to provide resources to the user frontend of kVDI, but it can also be used for programmatic management of the cluster.

Schemes: https
BasePath: /
License: GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007

Consumes:
- application/json

Produces:
- application/json

Security:
- api_key:

SecurityDefinitions:
api_key:
     type: apiKey
     name: X-Session-Token
     in: header

swagger:meta

Index

Constants

// RefreshTokenCookie is the name of the cookie in which a user's refresh
// token is stored.
// NOTE(review): the handler that issues this cookie is not in this file;
// confirm it sets HttpOnly, Secure and SameSite on it.
const (
	RefreshTokenCookie = "refreshToken"
)

RefreshTokenCookie is the cookie used to store a user's refresh token

// TokenHeader is the HTTP request header that carries the user's access
// token. It matches the api_key security definition (name: X-Session-Token)
// in the package's swagger metadata.
const (
	TokenHeader = "X-Session-Token"
)

TokenHeader is the HTTP header containing the user's access token

Variables

// Decoders maps an API path and HTTP method to a zero value of the request
// type that the body should be deserialized into (see DecodeRequest). Keys
// use the same path-parameter form ("{user}", "{role}") as
// RouterGrantRequirements, so an entry presumably only takes effect when its
// key matches the registered route. The /api/sessions POST entry is what the
// *types.CreateSessionRequest assertions in RouterGrantRequirements rely on.
var Decoders = map[string]map[string]interface{}{
	// Authentication flow.
	"/api/login": {
		"POST": types.LoginRequest{},
	},
	"/api/authorize": {
		"POST": types.AuthorizeRequest{},
	},
	// Users and their MFA settings; the MFA verify step reuses the
	// AuthorizeRequest shape.
	"/api/users": {
		"POST": types.CreateUserRequest{},
	},
	"/api/users/{user}": {
		"PUT": types.UpdateUserRequest{},
	},
	"/api/users/{user}/mfa": {
		"PUT": types.UpdateMFARequest{},
	},
	"/api/users/{user}/mfa/verify": {
		"PUT": types.AuthorizeRequest{},
	},
	// Roles.
	"/api/roles": {
		"POST": types.CreateRoleRequest{},
	},
	"/api/roles/{role}": {
		"PUT": types.UpdateRoleRequest{},
	},
	// Templates are posted as a desktopsv1.Template value rather than a
	// types.* request object.
	"/api/templates": {
		"POST": desktopsv1.Template{},
	},
	// Sessions.
	"/api/sessions": {
		"POST": types.CreateSessionRequest{},
	},
}

Decoders is a map of request paths/methods to the request object that should be used for deserialization.

// RouterGrantRequirements maps an API path and HTTP method to the permission
// checks the router runs before the handler is reached. Per the type docs
// below, an OverrideFunc is consulted first and admits the request as soon as
// it returns true; otherwise each ActionTemplate in Actions is resolved
// against the request and checked against the caller's grants, and an
// ExtraCheckFunc, when present, runs last and can only deny. Whether every
// action must pass or any one suffices is decided by the evaluator, not by
// this table. Routes absent from this table (for example /api/login) are not
// described here; confirm how the router treats them. allowAll,
// allowSameUser, allowSessionOwner and denyUserElevatePerms are defined
// elsewhere in this package.
var RouterGrantRequirements = map[string]map[string]MethodPermissions{
	// Routes with only an allowAll override skip the grant check entirely
	// (assuming allowAll does what its name says).
	"/api/whoami": {
		"GET": {
			OverrideFunc: allowAll,
		},
	},
	"/api/authorize": {
		"POST": {
			OverrideFunc: allowAll,
		},
	},
	"/api/logout": {
		"POST": {
			OverrideFunc: allowAll,
		},
	},
	"/api/config": {
		"GET": {
			OverrideFunc: allowAll,
		},
	},
	// NOTE(review): config reload and the namespace / service-account
	// listings below are opened to every caller rather than gated on a
	// grant. Confirm that is intended: a reload is an administrative action
	// and the listings reveal cluster layout.
	"/api/config/reload": {
		"POST": {
			OverrideFunc: allowAll,
		},
	},
	"/api/namespaces": {
		"GET": {
			OverrideFunc: allowAll,
		},
	},
	"/api/serviceaccounts/{namespace}": {
		"GET": {
			OverrideFunc: allowAll,
		},
	},
	// User management. Collection-level methods have no resource name, so
	// the grant is checked against the resource type only.
	"/api/users": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbRead,
						ResourceType: rbacv1.ResourceUsers,
					},
				},
			},
		},
		"POST": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbCreate,
						ResourceType: rbacv1.ResourceUsers,
					},
				},
			},
			// denyUserElevatePerms presumably rejects a request that would
			// grant roles the caller does not hold; the same check guards
			// user and role updates below.
			ExtraCheckFunc: denyUserElevatePerms,
		},
	},
	// Per-user methods take the resource name from the {user} path segment.
	// allowSameUser presumably short-circuits the grant check when the
	// caller acts on their own record.
	"/api/users/{user}": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbRead,
						ResourceType: rbacv1.ResourceUsers,
					},
					ResourceNameFunc: apiutil.GetUserFromRequest,
				},
			},
			OverrideFunc: allowSameUser,
		},
		"PUT": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbUpdate,
						ResourceType: rbacv1.ResourceUsers,
					},
					ResourceNameFunc: apiutil.GetUserFromRequest,
				},
			},
			// NOTE(review): this method has both an override and an extra
			// check. Confirm denyUserElevatePerms still runs when
			// allowSameUser admits the request; if the override ends
			// evaluation, a user could change their own roles here.
			OverrideFunc:   allowSameUser,
			ExtraCheckFunc: denyUserElevatePerms,
		},
		"DELETE": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbDelete,
						ResourceType: rbacv1.ResourceUsers,
					},
					ResourceNameFunc: apiutil.GetUserFromRequest,
				},
			},
		},
	},
	// MFA settings: a user may read and update their own, anyone else needs
	// the corresponding grant on the users resource.
	"/api/users/{user}/mfa": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbRead,
						ResourceType: rbacv1.ResourceUsers,
					},
					ResourceNameFunc: apiutil.GetUserFromRequest,
				},
			},
			OverrideFunc: allowSameUser,
		},
		"PUT": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbUpdate,
						ResourceType: rbacv1.ResourceUsers,
					},
					ResourceNameFunc: apiutil.GetUserFromRequest,
				},
			},
			OverrideFunc: allowSameUser,
		},
	},
	"/api/users/{user}/mfa/verify": {
		"PUT": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbUpdate,
						ResourceType: rbacv1.ResourceUsers,
					},
					ResourceNameFunc: apiutil.GetUserFromRequest,
				},
			},
			OverrideFunc: allowSameUser,
		},
	},
	// Role management. There is no same-user override here; creating or
	// updating a role is additionally guarded by denyUserElevatePerms.
	"/api/roles": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbRead,
						ResourceType: rbacv1.ResourceRoles,
					},
				},
			},
		},
		"POST": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbCreate,
						ResourceType: rbacv1.ResourceRoles,
					},
				},
			},
			ExtraCheckFunc: denyUserElevatePerms,
		},
	},
	"/api/roles/{role}": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbRead,
						ResourceType: rbacv1.ResourceRoles,
					},
					ResourceNameFunc: apiutil.GetRoleFromRequest,
				},
			},
		},
		"PUT": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbUpdate,
						ResourceType: rbacv1.ResourceRoles,
					},
					ResourceNameFunc: apiutil.GetRoleFromRequest,
				},
			},
			ExtraCheckFunc: denyUserElevatePerms,
		},
		"DELETE": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbDelete,
						ResourceType: rbacv1.ResourceRoles,
					},
					ResourceNameFunc: apiutil.GetRoleFromRequest,
				},
			},
		},
	},
	// Template management: plain CRUD grants on the templates resource.
	"/api/templates": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbRead,
						ResourceType: rbacv1.ResourceTemplates,
					},
				},
			},
		},
		"POST": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbCreate,
						ResourceType: rbacv1.ResourceTemplates,
					},
				},
			},
		},
	},
	"/api/templates/{template}": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbRead,
						ResourceType: rbacv1.ResourceTemplates,
					},
					ResourceNameFunc: apiutil.GetTemplateFromRequest,
				},
			},
		},
		"PUT": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbUpdate,
						ResourceType: rbacv1.ResourceTemplates,
					},
					ResourceNameFunc: apiutil.GetTemplateFromRequest,
				},
			},
		},
		"DELETE": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbDelete,
						ResourceType: rbacv1.ResourceTemplates,
					},
					ResourceNameFunc: apiutil.GetTemplateFromRequest,
				},
			},
		},
	},
	"/api/sessions": {
		// Listing sessions is described by two actions: read on templates
		// and read on users.
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbRead,
						ResourceType: rbacv1.ResourceTemplates,
					},
				},
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbRead,
						ResourceType: rbacv1.ResourceUsers,
					},
				},
			},
		},
		// Launching a session needs "launch" on the requested template and
		// "use" on the requested service account, both in the requested
		// namespace. The resource names come from the decoded body, so this
		// entry depends on Decoders mapping /api/sessions POST to
		// types.CreateSessionRequest; the unchecked type assertions below
		// panic if that object is missing or of another type.
		"POST": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbLaunch,
						ResourceType: rbacv1.ResourceTemplates,
					},
					ResourceNameFunc: func(r *http.Request) string {
						req := apiutil.GetRequestObject(r).(*types.CreateSessionRequest)
						return req.GetTemplate()
					},
					ResourceNamespaceFunc: func(r *http.Request) string {
						req := apiutil.GetRequestObject(r).(*types.CreateSessionRequest)
						return req.GetNamespace()
					},
				},
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbUse,
						ResourceType: rbacv1.ResourceServiceAccounts,
					},
					ResourceNameFunc: func(r *http.Request) string {
						req := apiutil.GetRequestObject(r).(*types.CreateSessionRequest)
						return req.GetServiceAccount()
					},
					ResourceNamespaceFunc: func(r *http.Request) string {
						req := apiutil.GetRequestObject(r).(*types.CreateSessionRequest)
						return req.GetNamespace()
					},
				},
			},
		},
	},
	// For this route and the /api/desktops/* routes below, the action names
	// a templates resource but takes its resource name from the {name} path
	// segment, i.e. the session/desktop name, with allowSessionOwner as the
	// override. NOTE(review): confirm the evaluator maps a desktop back to
	// its template (or that allowSessionOwner is the effective gate);
	// otherwise the grant is checked against the wrong resource name.
	"/api/sessions/{namespace}/{name}": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbRead,
						ResourceType: rbacv1.ResourceTemplates,
					},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
		"DELETE": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbDelete,
						ResourceType: rbacv1.ResourceTemplates,
					},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
	// Desktop access (logs, display, audio, filesystem) requires "use" on the
	// template; the status stream only requires "read".
	"/api/desktops/{namespace}/{name}/logs/{container}": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbUse,
						ResourceType: rbacv1.ResourceTemplates,
					},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
	"/api/desktops/ws/{namespace}/{name}/logs/{container}": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbUse,
						ResourceType: rbacv1.ResourceTemplates,
					},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
	"/api/desktops/ws/{namespace}/{name}/display": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbUse,
						ResourceType: rbacv1.ResourceTemplates,
					},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
	"/api/desktops/ws/{namespace}/{name}/audio": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbUse,
						ResourceType: rbacv1.ResourceTemplates,
					},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
	"/api/desktops/ws/{namespace}/{name}/status": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbRead,
						ResourceType: rbacv1.ResourceTemplates,
					},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
	// Filesystem routes: the stat/ and get/ keys end in a slash while put
	// does not, presumably because a file path follows and they are
	// registered as subtree routes. Confirm the router matches them that way,
	// otherwise these entries never apply.
	"/api/desktops/fs/{namespace}/{name}/stat/": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbUse,
						ResourceType: rbacv1.ResourceTemplates,
					},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
	"/api/desktops/fs/{namespace}/{name}/get/": {
		"GET": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbUse,
						ResourceType: rbacv1.ResourceTemplates,
					},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
	"/api/desktops/fs/{namespace}/{name}/put": {
		"PUT": {
			Actions: []ActionTemplate{
				{
					APIAction: types.APIAction{
						Verb:         rbacv1.VerbUse,
						ResourceType: rbacv1.ResourceTemplates,
					},
					ResourceNameFunc:      apiutil.GetNameFromRequest,
					ResourceNamespaceFunc: apiutil.GetNamespaceFromRequest,
				},
			},
			OverrideFunc: allowSessionOwner,
		},
	},
}

RouterGrantRequirements defines all the methods that are protected, and what rules should be evaluated for them.

Functions

func DecodeRequest

func DecodeRequest(next http.Handler) http.Handler

DecodeRequest determines which object type the request body should be deserialized into, decodes it, and then stores the decoded object in the request context.

func NewResourceGetter

func NewResourceGetter(d *desktopAPI) types.ResourceGetter

NewResourceGetter returns a new ResourceGetter

func NewTestAPI added in v0.0.16

func NewTestAPI() (srvr *http.Server, addr, adminPass string, err error)

NewTestAPI returns a new API using a fake kubernetes client and in-memory storage.

Types

type ActionTemplate added in v0.2.0

// ActionTemplate pairs an APIAction (verb and resource type) with optional
// functions that fill in the resource name and namespace from the incoming
// request, so a single table entry can describe a check whose target is only
// known at request time.
type ActionTemplate struct {
	types.APIAction
	// ResourceNameFunc, when set, yields the name of the resource the
	// action is evaluated against for this request.
	ResourceNameFunc      ResourceValueFunc
	// ResourceNamespaceFunc, when set, yields the namespace of that
	// resource.
	ResourceNamespaceFunc ResourceValueFunc
}

ActionTemplate contains an action as well as functions for populating their respective values during the request context.

type AuditResult

// AuditResult contains information about an audit event from the API router:
// the decision, the actions that were evaluated, and the session and request
// they were evaluated for.
type AuditResult struct {
	// Allowed reports whether the request was permitted.
	Allowed     bool
	// FromOwner is presumably set when the decision came from an ownership
	// override (the owner result of an OverrideFunc) rather than a grant.
	FromOwner   bool
	// Actions are the resolved actions that were checked.
	Actions     []*types.APIAction
	// Resource is the resource the request targeted (name; the exact form
	// is populated by the router, not visible here).
	Resource    string
	// UserSession holds the JWT claims of the caller.
	UserSession *types.JWTClaims
	// Request is the HTTP request that was audited.
	Request     *http.Request
}

AuditResult contains information about an audit event from the API router.

type DesktopAPI

// DesktopAPI serves HTTP requests for the /api resource. It is satisfied by
// the unexported desktopAPI type that NewFromConfig returns.
type DesktopAPI interface {
	ServeHTTP(http.ResponseWriter, *http.Request)
}

DesktopAPI serves HTTP requests for the /api resource

func NewFromConfig

func NewFromConfig(cfg *rest.Config, vdiCluster string) (DesktopAPI, error)

NewFromConfig builds a new API router from the given kubernetes client configuration and vdi cluster name.

type ExtraCheckFunc

// ExtraCheckFunc is a final check that runs after the action grants for a
// method have been evaluated. It receives the API, the requesting user and
// the request, and returns whether the request is allowed together with a
// human-readable reason. A false allowed value, or any error, forbids the
// request; it cannot grant access that the action evaluation denied.
type ExtraCheckFunc func(d *desktopAPI, reqUser *types.VDIUser, r *http.Request) (allowed bool, reason string, err error)

ExtraCheckFunc is a function that fires after the action itself has been evaluated. A false allowed value, or any error, results in the request being forbidden.

type MethodPermissions

// MethodPermissions represents the set of checks to run for one API method,
// as used by the RouterGrantRequirements table.
type MethodPermissions struct {
	// OverrideFunc, when set, is consulted before any action and admits
	// the request on its own when it returns true.
	OverrideFunc   OverrideFunc
	// Actions are the grant checks evaluated when the override does not
	// apply. Entries without a ResourceNameFunc are checked against the
	// resource type alone.
	Actions        []ActionTemplate
	// ExtraCheckFunc, when set, runs after the actions and can only deny.
	ExtraCheckFunc ExtraCheckFunc
}

MethodPermissions represents a set of checks to run for an API method.

type OverrideFunc

// OverrideFunc is a check that takes precedence over the action evaluations
// for a method. It reports whether the request is allowed outright and
// whether the caller is the owner of the requested resource. When allowed is
// false the remaining rules in the chain are evaluated; any error forbids the
// request.
type OverrideFunc func(d *desktopAPI, reqUser *types.VDIUser, r *http.Request) (allowed, owner bool, err error)

OverrideFunc is a function that takes precedence over any other action evaluations. If it returns false for allowed, the remaining rules in the chain are evaluated. Any error is treated as forbidden.

type ResourceGetter

// ResourceGetter satisfies the v1alpha1.ResourceGetter interface and is used
// to look up the roles, templates and users that exist in the cluster during
// a privilege check. Note that GetUsers is unimplemented on this type.
type ResourceGetter struct {
	types.ResourceGetter
	// contains filtered or unexported fields
}

ResourceGetter satisfies the v1alpha1.ResourceGetter interface for retrieving available resources during a privilege check.

func (*ResourceGetter) GetRoles

func (r *ResourceGetter) GetRoles() ([]types.VDIUserRole, error)

GetRoles returns a list of all the VDIRoles for this cluster.

func (*ResourceGetter) GetTemplates

func (r *ResourceGetter) GetTemplates() ([]string, error)

GetTemplates returns a list of desktop templates for this cluster.

func (*ResourceGetter) GetUsers

func (r *ResourceGetter) GetUsers() ([]types.VDIUser, error)

GetUsers is left unimplemented. It is only used by privilege escalation tests, and checking usernames is not important right now.

type ResourceValueFunc

// ResourceValueFunc extracts the name (or, when used as a
// ResourceNamespaceFunc, the namespace) of the requested resource from the
// contents of an HTTP request, for example from a path parameter or the
// decoded body.
type ResourceValueFunc func(r *http.Request) (name string)

ResourceValueFunc returns the name of a requested resource based on the contents of a request.

Directories

Path Synopsis
Package client provides a REST wrapper to the kVDI API.
