configv2

package
v0.11.0-rc.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 24, 2020 License: MIT Imports: 30 Imported by: 0

Documentation

Index

Constants

View Source
const (
	EmbedEtcdUrlFilename = "embed_etcd_url"
)

Variables

View Source
var SystemRPCPermission = &RPCPermission{
	Name: "system:proxy",
	Allow: []string{
		"proxy.rpc.certificateauthority.watchrevokedcert",
		"proxy.rpc.certificateauthority.newservercert",
		"proxy.rpc.cluster.defragmentdatastore",
		"proxy.rpc.authority.signrequest",
		"proxy.rpc.authority.getpublickey",
	},
}
View Source
var SystemRole = &Role{
	Name: "system:proxy",
	Bindings: []*Binding{
		{RPC: "system:proxy"},
	},
	System: true,
}

Functions

This section is empty.

Types

type AccessProxy

type AccessProxy struct {
	ProxyFile string `json:"proxy_file,omitempty"`

	HTTP       *AuthProxyHTTP `json:"http,omitempty"`
	RPCServer  string         `json:"rpc_server,omitempty"`
	Credential *Credential    `json:"credential,omitempty"`

	Backends []*Backend `json:"-"`

	AuthEndpoint   string `json:"-"`
	TokenEndpoint  string `json:"-"`
	ServerNameHost string `json:"-"`
	// contains filtered or unexported fields
}

func (*AccessProxy) GetAllBackends

func (g *AccessProxy) GetAllBackends() []*Backend

func (*AccessProxy) GetBackend

func (g *AccessProxy) GetBackend(name string) (*Backend, bool)

func (*AccessProxy) GetBackendByHost

func (g *AccessProxy) GetBackendByHost(host string) (*Backend, bool)

GetBackendByHost is finding Backend by Host header

func (*AccessProxy) GetBackendByHostname

func (g *AccessProxy) GetBackendByHostname(hostname string) (*Backend, bool)

func (*AccessProxy) GetBackendsByRole

func (g *AccessProxy) GetBackendsByRole(role *Role) ([]*Backend, error)

func (*AccessProxy) Load

func (g *AccessProxy) Load(dir string) error

func (*AccessProxy) ReloadConfig added in v0.11.0

func (g *AccessProxy) ReloadConfig() error

func (*AccessProxy) Setup

func (g *AccessProxy) Setup(backends []*Backend) error

type AuthProxyHTTP

type AuthProxyHTTP struct {
	Bind            string       `json:"bind,omitempty"`
	BindHttp        string       `json:"bind_http,omitempty"`
	BindInternalApi string       `json:"bind_internal_api,omitempty"`
	ServerName      string       `json:"server_name,omitempty"`
	Certificate     *Certificate `json:"certificate,omitempty"`
	ExpectCT        bool         `json:"expect_ct,omitempty"`
	Session         *Session     `json:"session,omitempty"`
}

type AuthorizationEngine

type AuthorizationEngine struct {
	RoleFile          string   `json:"role_file,omitempty"`
	RPCPermissionFile string   `json:"rpc_permission_file,omitempty"`
	RootUsers         []string `json:"root_users,omitempty"`

	Roles          []*Role          `json:"-"`
	RPCPermissions []*RPCPermission `json:"-"`
	// contains filtered or unexported fields
}

func (*AuthorizationEngine) GetAllRoles

func (a *AuthorizationEngine) GetAllRoles() []*Role

func (*AuthorizationEngine) GetRPCPermission

func (a *AuthorizationEngine) GetRPCPermission(name string) (*RPCPermission, bool)

func (*AuthorizationEngine) GetRole

func (a *AuthorizationEngine) GetRole(name string) (*Role, error)

func (*AuthorizationEngine) Load

func (a *AuthorizationEngine) Load(dir string) error

func (*AuthorizationEngine) ReloadConfig added in v0.11.0

func (a *AuthorizationEngine) ReloadConfig() error

func (*AuthorizationEngine) Setup

func (a *AuthorizationEngine) Setup(roles []*Role, rpcPermissions []*RPCPermission) error

type Backend

type Backend struct {
	Name string         `json:"name"` // Name is an identifier
	FQDN string         `json:"fqdn,omitempty"`
	HTTP []*HTTPBackend `json:"http,omitempty"`
	// Deprecated
	Agent bool `json:"agent,omitempty"`

	Permissions   []*Permission `json:"permissions"`
	AllowRootUser bool          `json:"allow_root_user,omitempty"`
	DisableAuthn  bool          `json:"disable_authn,omitempty"`
	// MaxSessionDuration is a maximum duration before session expire for specify backend.
	// When MaxSessionDuration is not empty, OIDC authentication is required even if the user submits a client certificate.
	MaxSessionDuration *Duration `json:"max_session_duration,omitempty"`

	AllowHttp bool           `json:"allow_http,omitempty"`
	Socket    *SocketBackend `json:"socket,omitempty"`

	BackendSelector *HTTPBackendSelector `json:"-"`
}

func (*Backend) MatchList

func (b *Backend) MatchList(req *http.Request) map[string]struct{}

type Binding

type Binding struct {
	RPC        string `json:"rpc,omitempty"`
	Backend    string `json:"backend,omitempty"`    // Backend is Backend.Name
	Permission string `json:"permission,omitempty"` // Permission is Permission.Name
}

type Certificate

type Certificate struct {
	CertFile string `json:"cert_file"`
	KeyFile  string `json:"key_file"`
	// contains filtered or unexported fields
}

func (*Certificate) GetCertificate

func (c *Certificate) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error)

func (*Certificate) Load

func (c *Certificate) Load(dir string) error

func (*Certificate) ReloadCertificate added in v0.11.0

func (c *Certificate) ReloadCertificate() error

type CertificateAuthority

type CertificateAuthority struct {
	Local *CertificateAuthorityLocal `json:"local"`
}

func (*CertificateAuthority) Load

func (ca *CertificateAuthority) Load(dir string) error

type CertificateAuthorityLocal

type CertificateAuthorityLocal struct {
	CertFile         string `json:"cert_file"`
	KeyFile          string `json:"key_file"`
	Organization     string `json:"organization"`
	OrganizationUnit string `json:"organization_unit"`
	Country          string `json:"country"`

	Subject     pkix.Name         `json:"-"`
	Certificate *x509.Certificate `json:"-"`
	PrivateKey  crypto.PrivateKey `json:"-"`
	CertPool    *x509.CertPool    `json:"-"`
}

type Config

type Config struct {
	AccessProxy          *AccessProxy          `json:"access_proxy,omitempty"`
	AuthorizationEngine  *AuthorizationEngine  `json:"authorization_engine,omitempty"`
	RPCServer            *RPCServer            `json:"rpc_server,omitempty"`
	Dashboard            *Dashboard            `json:"dashboard,omitempty"`
	IdentityProvider     *IdentityProvider     `json:"identity_provider,omitempty"`
	Datastore            *Datastore            `json:"datastore,omitempty"`
	CertificateAuthority *CertificateAuthority `json:"certificate_authority,omitempty"`
	Logger               *Logger               `json:"logger,omitempty"`
}

type Credential

type Credential struct {
	SigningPrivateKeyFile   string `json:"signing_private_key_file,omitempty"`
	InternalTokenFile       string `json:"internal_token_file,omitempty"`
	GithubWebHookSecretFile string `json:"github_webhook_secret_file,omitempty"`

	SigningPrivateKey   *ecdsa.PrivateKey `json:"-"`
	SigningPublicKey    ecdsa.PublicKey   `json:"-"`
	InternalToken       string            `json:"-"`
	GithubWebhookSecret []byte            `json:"-"`
}

func (*Credential) Load

func (c *Credential) Load(dir string) error

type Dashboard

type Dashboard struct {
	Bind      string    `json:"bind,omitempty"`
	RPCServer string    `json:"rpc_server,omitempty"`
	TokenFile string    `json:"token_file,omitempty"`
	Template  *Template `json:"template,omitempty"`

	InternalToken string `json:"-"`
}

func (*Dashboard) Load

func (d *Dashboard) Load(dir string) error

type Datastore

type Datastore struct {
	*DatastoreEtcd  `json:"etcd,omitempty"`
	*DatastoreMySQL `json:"mysql,omitempty"`
}

func (*Datastore) GetEtcdClient

func (d *Datastore) GetEtcdClient(loggerConf *Logger) (*clientv3.Client, error)

func (*Datastore) GetMySQLConn

func (d *Datastore) GetMySQLConn() (*sql.DB, error)

func (*Datastore) Load

func (d *Datastore) Load(dir string) error

type DatastoreEtcd

type DatastoreEtcd struct {
	RawUrl     string `json:"url"`
	DataDir    string `json:"data_dir,omitempty"`  // use only embed etcd
	Namespace  string `json:"namespace,omitempty"` // use only etcd
	CACertFile string `json:"ca_cert_file,omitempty"`
	CertFile   string `json:"cert_file,omitempty"`
	KeyFile    string `json:"key_file,omitempty"`

	Url         *url.URL        `json:"-"`
	Embed       bool            `json:"-"`
	EtcdUrl     *url.URL        `json:"-"`
	Certificate tls.Certificate `json:"-"`
	CertPool    *x509.CertPool  `json:"-"`
	// contains filtered or unexported fields
}

type DatastoreMySQL

type DatastoreMySQL struct {
	RawUrl string `json:"url"`

	DSN *mysql.Config `json:"-"`
}

type Duration

type Duration struct {
	time.Duration
}

func (*Duration) MarshalJSON

func (d *Duration) MarshalJSON() ([]byte, error)

func (*Duration) UnmarshalJSON

func (d *Duration) UnmarshalJSON(b []byte) error

type HTTPBackend added in v0.11.0

type HTTPBackend struct {
	Path     string `json:"path"`
	Default  bool   `json:"default,omitempty"`
	Upstream string `json:"upstream,omitempty"`
	Insecure bool   `json:"insecure,omitempty"`
	Agent    bool   `json:"agent,omitempty"`

	Name      string          `json:"-"`
	Url       *url.URL        `json:"-"`
	Transport *http.Transport `json:"-"`
}

type HTTPBackendSelector added in v0.11.0

type HTTPBackendSelector struct {
	// contains filtered or unexported fields
}

func NewHTTPBackendSelector added in v0.11.0

func NewHTTPBackendSelector() *HTTPBackendSelector

func (*HTTPBackendSelector) Add added in v0.11.0

func (s *HTTPBackendSelector) Add(b *HTTPBackend)

func (*HTTPBackendSelector) Find added in v0.11.0

func (s *HTTPBackendSelector) Find(path string) *HTTPBackend

type IdentityProvider

type IdentityProvider struct {
	Provider         string   `json:"provider"`         // "google", "okta", "azure" or "custom"
	Issuer           string   `json:"issuer,omitempty"` // for "custom"
	ClientId         string   `json:"client_id"`
	ClientSecretFile string   `json:"client_secret_file"`
	ExtraScopes      []string `json:"extra_scopes,omitempty"`
	Domain           string   `json:"domain,omitempty"` // for Okta and AzureAD
	RedirectUrl      string   `json:"redirect_url"`

	ClientSecret string `json:"-"`
}

func (*IdentityProvider) Load

func (idp *IdentityProvider) Load(dir string) error

type Location

type Location struct {
	Any     string `json:"any,omitempty"`
	Get     string `json:"get,omitempty"`
	Post    string `json:"post,omitempty"`
	Put     string `json:"put,omitempty"`
	Delete  string `json:"delete,omitempty"`
	Head    string `json:"head,omitempty"`
	Connect string `json:"connect,omitempty"`
	Options string `json:"options,omitempty"`
	Trace   string `json:"trace,omitempty"`
	Patch   string `json:"patch,omitempty"`
}

func (*Location) AddRouter

func (l *Location) AddRouter(r *mux.Router)

type Logger

type Logger struct {
	Level    string `json:"level"`
	Encoding string `json:"encoding"` // json or console
}

func (*Logger) ZapConfig

func (l *Logger) ZapConfig(encoder zapcore.EncoderConfig) *zap.Config

type Permission

type Permission struct {
	Name      string     `json:"name"`              // Name is an identifier
	WebHook   string     `json:"webhook,omitempty"` // name of webhook provider (e.g. github)
	Locations []Location `json:"locations"`
	// contains filtered or unexported fields
}

func (*Permission) Match added in v0.11.0

func (p *Permission) Match(req *http.Request) bool

type RPCPermission

type RPCPermission struct {
	Name  string   `json:"name"`
	Allow []string `json:"allow"`
}

type RPCServer

type RPCServer struct {
	Bind        string `json:"bind,omitempty"`
	MetricsBind string `json:"metrics_bind,omitempty"`
}

type Role

type Role struct {
	Name        string     `json:"name"`
	Title       string     `json:"title"`
	Description string     `json:"description,omitempty"`
	Bindings    []*Binding `json:"bindings"`

	RPCMethodMatcher *rpc.MethodMatcher `json:"-"`
	System           bool               `json:"-"`
}

type Session

type Session struct {
	Type    string   `json:"type"` // secure_cookie or memcached
	KeyFile string   `json:"key_file,omitempty"`
	Servers []string `json:"servers,omitempty"`

	HashKey  []byte `json:"-"`
	BlockKey []byte `json:"-"`
}

func (*Session) Load

func (s *Session) Load(dir string) error

type SocketBackend added in v0.11.0

type SocketBackend struct {
	Upstream string    `json:"upstream,omitempty"`
	Timeout  *Duration `json:"timeout,omitempty"`
	Agent    bool      `json:"agent,omitempty"`

	Url *url.URL `json:"-"`
}

type Template

type Template struct {
	Loader string `json:"loader"` // shotgun or embed
	Dir    string `json:"dir"`
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL