auth

package
v0.10.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 10, 2022 License: MPL-2.0 Imports: 24 Imported by: 13

Documentation

Index

Constants

View Source 
const (
	// StateCookieName is the name of the cookie that holds state during auth flow.
	StateCookieName = "state"
	// IDTokenCookieName is the name of the cookie that holds the ID Token once
	// the user has authenticated successfully with the OIDC Provider.
	IDTokenCookieName = "id_token"
	// AccessTokenCookieName is the name of the cookie that holds the access token once
	// the user has authenticated successfully with the OIDC Provider. It's used for further
	// resource requests from the provider.
	AccessTokenCookieName = "access_token"
	// AuthorizationTokenHeaderName is the name of the header that holds the bearer token
	// used for token passthrough authentication.
	AuthorizationTokenHeaderName = "Authorization"
)
View Source 
const (
	LoginOIDC                  string = "oidc"
	LoginUsername              string = "username"
	ClusterUserAuthSecretName  string = "cluster-user-auth"
	DefaultOIDCAuthSecretName  string = "oidc-auth"
	FeatureFlagClusterUser     string = "CLUSTER_USER_AUTH"
	FeatureFlagOIDCAuth        string = "OIDC_AUTH"
	FeatureFlagOIDCPassthrough string = "WEAVE_GITOPS_FEATURE_OIDC_AUTH_PASSTHROUGH"
	FeatureFlagSet             string = "true"
)

Variables

This section is empty.

Functions

func DefaultAuthMethodStrings added in v0.9.2 

func DefaultAuthMethodStrings() []string

func Groups added in v0.9.4 

func Groups(groups []string) func(*UserPrincipal)

Groups is an option func for NewUserPrincipal that configures the groups.

func ID added in v0.9.4 

func ID(id string) func(*UserPrincipal)

ID is an option func for NewUserPrincipal that configures the groups.

func IsPublicRoute added in v0.7.0 

func IsPublicRoute(u *url.URL, publicRoutes []string) bool

func JSONError added in v0.7.0 

func JSONError(log logr.Logger, w http.ResponseWriter, errStr string, code int)

func ParseAuthMethodArray added in v0.9.2 

func ParseAuthMethodArray(authStrings []string) (map[AuthMethod]bool, error)

func RegisterAuthServer 

func RegisterAuthServer(mux *http.ServeMux, prefix string, srv *AuthServer, loginRequestRateLimit uint64) error

RegisterAuthServer registers the /callback route under a specified prefix. This route is called by the OIDC Provider in order to pass back state after the authentication flow completes.

func Token added in v0.9.4 

func Token(tok string) func(*UserPrincipal)

Token is an option func for NewUserPrincipal that sets the token.

func WithAPIAuth 

func WithAPIAuth(next http.Handler, srv *AuthServer, publicRoutes []string) http.Handler

WithAPIAuth middleware adds auth validation to API handlers.

Unauthorized requests will be denied with a 401 status code.

func WithPrincipal 

func WithPrincipal(ctx context.Context, p *UserPrincipal) context.Context

WithPrincipal sets the principal into the context.

Types

type AdminClaims added in v0.7.0 

type AdminClaims struct {
	jwt.RegisteredClaims
}

type AuthConfig 

type AuthConfig struct {
	Log logr.Logger
	// contains filtered or unexported fields
}

AuthConfig is used to configure an AuthServer.

func NewAuthServerConfig added in v0.7.0 

func NewAuthServerConfig(log logr.Logger, oidcCfg OIDCConfig, kubernetesClient ctrlclient.Client, tsv TokenSignerVerifier, namespace string, authMethods map[AuthMethod]bool) (AuthConfig, error)

type AuthMethod added in v0.9.2 

type AuthMethod uint8
const (
	// User & password read from a secret
	UserAccount AuthMethod = iota
	// OIDC authentication (recommended)
	OIDC
	// EE CLI tokens
	TokenPassthrough
)

func DefaultAuthMethods added in v0.9.2 

func DefaultAuthMethods() []AuthMethod

This is a function to mimic a const slice

func ParseAuthMethod added in v0.9.2 

func ParseAuthMethod(text string) (AuthMethod, error)

func (*AuthMethod) String added in v0.9.2 

func (am *AuthMethod) String() string

func (*AuthMethod) UnmarshalText added in v0.9.2 

func (am *AuthMethod) UnmarshalText(text []byte) error

type AuthServer 

type AuthServer struct {
	AuthConfig
	// contains filtered or unexported fields
}

AuthServer interacts with an OIDC issuer to handle the OAuth2 process flow.

func InitAuthServer added in v0.9.2 

func InitAuthServer(ctx context.Context, log logr.Logger, rawKubernetesClient ctrlclient.Client, oidcConfig OIDCConfig, oidcSecret string, namespace string, authMethodStrings []string) (*AuthServer, error)

func NewAuthServer 

func NewAuthServer(ctx context.Context, cfg AuthConfig) (*AuthServer, error)

NewAuthServer creates a new AuthServer object.

func (*AuthServer) Callback added in v0.7.0 

func (s *AuthServer) Callback() http.HandlerFunc

func (*AuthServer) Logout added in v0.7.0 

func (s *AuthServer) Logout() http.HandlerFunc

func (*AuthServer) OAuth2Flow added in v0.7.0 

func (s *AuthServer) OAuth2Flow() http.HandlerFunc

func (*AuthServer) SetRedirectURL 

func (s *AuthServer) SetRedirectURL(url string)

SetRedirectURL is used to set the redirect URL. This is meant to be used in unit tests only.

func (*AuthServer) SignIn added in v0.7.0 

func (s *AuthServer) SignIn() http.HandlerFunc

func (*AuthServer) UserInfo added in v0.7.0 

func (s *AuthServer) UserInfo(rw http.ResponseWriter, r *http.Request)

UserInfo inspects the cookie and attempts to verify it as an admin token. If successful, it returns a UserInfo object with the email set to the admin token subject. Otherwise it uses the token to query the OIDC provider's user info endpoint and return a UserInfo object back or a 401 status in any other case.

type BearerTokenPassthroughPrincipalGetter added in v0.9.1 

type BearerTokenPassthroughPrincipalGetter struct {
	// contains filtered or unexported fields
}

BearerTokenPassthroughPrincipalGetter inspects the Authorization header (bearer token) and returns it within a principal object.

func (*BearerTokenPassthroughPrincipalGetter) Principal added in v0.9.1 

func (pg *BearerTokenPassthroughPrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error)

Principal is an implementation of the PrincipalGetter interface.

Headers of the form Authorization: Bearer <token> are stored within a UserPrincipal. The token is not verified, and no ID or Group information will be available.

type HMACTokenSignerVerifier added in v0.7.0 

type HMACTokenSignerVerifier struct {
	// contains filtered or unexported fields
}

func NewHMACTokenSignerVerifier added in v0.7.0 

func NewHMACTokenSignerVerifier(expireAfter time.Duration) (*HMACTokenSignerVerifier, error)

func (*HMACTokenSignerVerifier) SetDevMode added in v0.7.0 

func (sv *HMACTokenSignerVerifier) SetDevMode(enabled bool)

func (*HMACTokenSignerVerifier) Sign added in v0.7.0 

func (sv *HMACTokenSignerVerifier) Sign(subject string) (string, error)

func (*HMACTokenSignerVerifier) Verify added in v0.7.0 

func (sv *HMACTokenSignerVerifier) Verify(tokenString string) (*AdminClaims, error)

type JWTAdminCookiePrincipalGetter added in v0.7.0 

type JWTAdminCookiePrincipalGetter struct {
	// contains filtered or unexported fields
}

func (*JWTAdminCookiePrincipalGetter) Principal added in v0.7.0 

func (pg *JWTAdminCookiePrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error)

type JWTAuthorizationHeaderPrincipalGetter 

type JWTAuthorizationHeaderPrincipalGetter struct {
	// contains filtered or unexported fields
}

JWTAuthorizationHeaderPrincipalGetter inspects the Authorization header (bearer token) for a JWT token and returns a principal object.

func (*JWTAuthorizationHeaderPrincipalGetter) Principal 

func (pg *JWTAuthorizationHeaderPrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error)

type JWTCookiePrincipalGetter 

type JWTCookiePrincipalGetter struct {
	// contains filtered or unexported fields
}

JWTCookiePrincipalGetter inspects a cookie for a JWT token and returns a principal object.

func (*JWTCookiePrincipalGetter) Principal 

func (pg *JWTCookiePrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error)

type JWTPassthroughCookiePrincipalGetter added in v0.9.4 

type JWTPassthroughCookiePrincipalGetter struct {
	// contains filtered or unexported fields
}

JWTPassthroughCookiePrincipalGetter inspects a cookie for a JWT token and returns a principal value.

The JWT Token is parsed, and the token and user/groups are available.

func (*JWTPassthroughCookiePrincipalGetter) Principal added in v0.9.4 

func (pg *JWTPassthroughCookiePrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error)

Principal implements the PrincipalGetter by pasing the cookie, and if it's valid, it stores the token and user details on the principal.

type LoginRequest added in v0.7.0 

type LoginRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

LoginRequest represents the data submitted by client when the auth flow (non-OIDC) is used.

type MultiAuthPrincipal 

type MultiAuthPrincipal struct {
	Log     logr.Logger
	Getters []PrincipalGetter
}

MultiAuthPrincipal looks for a principal in an array of principal getters and if it finds an error or a principal it returns, otherwise it returns (nil,nil).

func (MultiAuthPrincipal) Principal 

func (m MultiAuthPrincipal) Principal(r *http.Request) (*UserPrincipal, error)

type OIDCConfig 

type OIDCConfig struct {
	IssuerURL     string
	ClientID      string
	ClientSecret  string
	RedirectURL   string
	TokenDuration time.Duration
}

OIDCConfig is used to configure an AuthServer to interact with an OIDC issuer.

func NewOIDCConfigFromSecret added in v0.7.0 

func NewOIDCConfigFromSecret(secret corev1.Secret) OIDCConfig

type PrincipalGetter 

type PrincipalGetter interface {
	// Principal extracts a principal from the http.Request.
	// It's not an error for there to be no principal in the request.
	Principal(r *http.Request) (*UserPrincipal, error)
}

PrincipalGetter implementations are responsible for extracting a named principal from an HTTP request.

func NewBearerTokenPassthroughPrincipalGetter added in v0.9.1 

func NewBearerTokenPassthroughPrincipalGetter(log logr.Logger, verifier *oidc.IDTokenVerifier, headerName string, kubernetesClient client.Client) PrincipalGetter

NewBearerTokenPassthroughPrincipalGetter creates a new implementation of the PrincipalGetter interface that can decode and verify OIDC Bearer tokens from a named request header.

func NewJWTAdminCookiePrincipalGetter added in v0.7.0 

func NewJWTAdminCookiePrincipalGetter(log logr.Logger, verifier TokenSignerVerifier, cookieName string) PrincipalGetter

func NewJWTAuthorizationHeaderPrincipalGetter 

func NewJWTAuthorizationHeaderPrincipalGetter(log logr.Logger, verifier *oidc.IDTokenVerifier) PrincipalGetter

func NewJWTCookiePrincipalGetter 

func NewJWTCookiePrincipalGetter(log logr.Logger, verifier *oidc.IDTokenVerifier, cookieName string) PrincipalGetter

func NewJWTPassthroughCookiePrincipalGetter added in v0.9.4 

func NewJWTPassthroughCookiePrincipalGetter(log logr.Logger, verifier *oidc.IDTokenVerifier, cookieName string) PrincipalGetter

NewJWTPassthroughCookiePrincipalGetter creates and returns a new JWTPassthroughCookiePrincipalGetter.

type SessionState 

type SessionState struct {
	Nonce     string `json:"n"`
	ReturnURL string `json:"return_url"`
}

SessionState represents the state that needs to be persisted between the AuthN request from the Relying Party (RP) to the authorization endpoint of the OpenID Provider (OP) and the AuthN response back from the OP to the RP's callback URL. This state could be persisted server-side in a data store such as Redis but we prefer to operate stateless so we store this in a cookie instead. The cookie value and the value of the "state" parameter passed in the AuthN request are identical and set to the base64-encoded, JSON serialised state.

https://openid.net/specs/openid-connect-core-1_0.html#Overview https://auth0.com/docs/configure/attack-protection/state-parameters#alternate-redirect-method https://community.auth0.com/t/state-parameter-and-user-redirection/8387/2

type TokenSigner added in v0.7.0 

type TokenSigner interface {
	Sign(subject string) (string, error)
}

type TokenSignerVerifier added in v0.7.0 

type TokenSignerVerifier interface {
	TokenSigner
	TokenVerifier
}

type TokenVerifier added in v0.7.0 

type TokenVerifier interface {
	Verify(token string) (*AdminClaims, error)
}

type UserInfo added in v0.7.0 

type UserInfo struct {
	Email  string   `json:"email"`
	Groups []string `json:"groups"`
}

UserInfo represents the response returned from the user info handler.

type UserPrincipal 

type UserPrincipal struct {
	ID     string   `json:"id"`
	Groups []string `json:"groups"`
	// contains filtered or unexported fields
}

UserPrincipal is a simple model for the user, including their ID and Groups.

func NewUserPrincipal added in v0.9.4 

func NewUserPrincipal(opts ...func(*UserPrincipal)) *UserPrincipal

NewUserPrincipal creates a new Principal and applies the configuration options.

func Principal 

func Principal(ctx context.Context) *UserPrincipal

Principal gets the principal from the context.

func (*UserPrincipal) SetToken added in v0.9.4 

func (p *UserPrincipal) SetToken(t string)

SetToken allows setting of the private access token.

func (*UserPrincipal) String added in v0.9.1 

func (p *UserPrincipal) String() string

String returns the Principal ID and Groups as a string.

func (UserPrincipal) Token added in v0.9.1 

func (p UserPrincipal) Token() string

Token returns the private access token for this principal.

func (*UserPrincipal) Valid added in v0.9.4 

func (p *UserPrincipal) Valid() bool

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.